Data Privacy

1. Preface

Data protection is of great importance to DSC Software AG.

This data privacy statement explains the method, extent, and aim of the processing of personal data in our online services and related websites, functions, and content (in the following referred to jointly as “online services” or “website”). The data privacy statement applies independently of domains, systems, platforms, and devices (e.g. desktop or mobile) on which the online services are executed.

2. Data Controller

The data controller in the sense of the General Data Protection Regulation (GDPR), or other data protection laws applicable in the member states of the European Union and other regulations regarding data protection is:

DSC Software AG
Am Sandfeld 17
76149 Karlsruhe
Germany

Tel.: +49 721 9774 100
E-Mail: info@dscsag.com
Website: www.dscsag.com

3. Data Protection Officer

The data protection officer of the data controller is:

ah-consulting GmbH
Am Sandfeld 17 a
76149 Karlsruhe
Germany

+49 721 75408840
privacy@ah-consulting.gmbh

For questions and suggestions on data protection, any data subject can refer to our data protection officer anytime.

4. Definition

Our data privacy statement is based on the terminology used by the European Regulatory Body in adoption of the General Data Protection Regulation (GDPR). Our data privacy statement is intended to be easy to read and to understand by the public, our customers, and our business partners.

In order to ensure this, we will explain the terminology used in advance. Terms used, such as “personal data” or its “processing” are defined in Art. 4 of the General Data Protection Regulation (GDPR).

In this data privacy statement, we use, among others, the following terms:

4.1. Personal Data

Personal data is defined as all information referring to an identified or identifiable natural person (in the following referred to as the “data subject”). An identifiable person is a natural person who can be identified directly or indirectly, in particular by means of an assignment to a label such as a name, an ID number, location data, an online ID or one or more special features that is an expression of the physical, physiological, genetic, psychic, economic, cultural, or social identity of this natural person.

4.2. Data Subject

The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

4.3. Processing

Processing is any process or operation carried out with or without the help of automated procedures or any such series of operations in connection with personal data, for example: collecting, recording, organizing, ordering, storing, adapting, or changing, reading, retrieving, using, disclosing through transmission, dissemination or other form of provision, comparing or linking, restricting, deleting, or destroying.

4.4. Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

4.5. Profiling

Profiling is any kind of automated processing of personal data that consists in using such personal data in order to evaluate personal aspects referring to a natural person, in particular to analyze, or predict aspects regarding job performance, economic situation, health, personal preference, interests, reliability, conduct, place of residence, or change of locality of this natural person.

4.6. Pseudonymization

Pseudonymization is the processing of personal data in a way that the personal data can no longer be assigned to a specific data subject without additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be assigned to an identified or identifiable natural person.

4.7. Data Controller

The data controller is the natural or legal person, authority, institution, or other entity that determines, either alone or jointly with others, the purposes and means of the processing of personal data. If the purposes and means of this processing are controlled by EU law or the laws of EU member states, the data controller – or the specific criteria of his or her nomination – can be determined according to EU law or the laws of EU member states.

4.8. Processor

The processor is a natural or legal person, authority, institution, or other entity that processes personal data on behalf of the data controller.

4.9. Recipient

The recipient is a natural or legal person, authority, institution, or other entity to whom personal data is disclosed, regardless of whether this is a third party or not. However, authorities that may receive personal data in the course of a particular inquiry in accordance with EU law or the laws of EU member states are not considered recipients.

4.10. Third Party

A third party is a natural or legal person, authority, institution, or other entity (other than the data subject, the data controller, the processor, and the persons who are authorized to process the personal data under the direct responsibility of the data controller or the processor) that is authorized to process the personal data.

4.11. Consent

Consent is any expression of willingness issued freely for the specific case in an informed manner and unambiguously by the data subject in the form of a declaration or any other clearly affirmative act, with which the data subject makes it clear that they agree with the processing of the personal data.

5. General Notes on Data Processing

5.1. Extent of Processing of Personal Data

We generally collect and use the personal data of our users only insofar as it is necessary for maintaining a well-functioning website as well as for our contents and services. The collection and use of personal data of our users takes place regularly only with the prior consent of the users. An exception applies in cases where it is impossible to obtain consent in advance and the processing of the data is permitted by legal regulations.

5.2. Legal Framework for Processing Personal Data

If we obtain the consent of the data subject for the processing of personal data, Art. 6 Sec. 1 lit. a EU General Data Protection Regulation serves as the legal basis.

In the processing of personal data that is required for fulfilling a contract of which the data subject is a contractual party, Art. 6 Sec. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations required for the implementation of pre-contractual measures.

If the processing of personal data is required for meeting a legal obligation, to which our company is subject, Art. 6 Sec. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or of another natural person require the processing of personal data, Art. 6 Abs. 1 lit. d GDPR serves as the legal basis.

If processing is required for safeguarding a justified interest of our company or a third party, and if the interests, basic rights, and fundamental freedoms of the data subject do not outweigh the first-named interest, Art. 6 Abs. 1 lit. f GDPR serves as the legal basis for the processing.

5.3. Data Deletion and Storage Duration

The personal data of the data subject is deleted or blocked as soon as the purpose of storage is no longer valid. Storage can also happen if stipulated by European or national legislation in EU regulations, laws, or other rules to which the data controller is subject.

The data can also be blocked or deleted if a storage period prescribed by the mentioned standards expires – unless it is necessary to store the data for the purposes of the conclusion or fulfillment of a contract.

6. Provision of the Website and Creation of Log Files

6.1. Description and Extent of Data Processing

Every time our website is called, our system automatically records data and information of the computer system of the calling computer.

The following data is collected:

  • Information about the browser type and the version used
  • User’s operating system
  • User’s IP address
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Session cookie for identifying the logged-in user
  • Date and time of the user login
  • Storage of failed login attempts
  • Date and time of the creation of the user
  • Storage of denied accesses (403)
  • Storage of sites not found (404)
  • User’s acceptance of cookie policies
  • Information about whether the user has activated JavaScript

The data is stored in the log files of our system. This data is not stored together with other personal data of the user.

7. Legal Framework for Data Processing

The legal framework for the temporary storage of data and log files is Art. 6 Sec. 1 lit. f GDPR.

8. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable the website to be sent to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

Data is stored in log files in order to ensure the correct functioning of the website. The data also serves to optimize the website and to ensure the security of our information technology systems. In this context, there is no evaluation of the data for marketing purposes.

These aims also include our justified interest in data processing according to Art. 6 Sec. 1 lit. f GDPR.

9. Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. In case of a data collection for the provision of the website, this applies when the respective session ends.

If the data is stored in log files, this applies after a maximum of seven days. Longer storage is possible. In this case, the users‘ IP addresses are deleted or distorted so that the calling client can no longer be identified.

10. Possibility of Objection and Disposal

The recording of data for providing the website and the storage of the data in log files is mandatory for the operation of the website. Therefore, the user has no possibility of objection.

11. Use of Cookies

11.1.  Description and Extent of Data Processing

Due to our justified interest, we use so-called cookies on this website. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. If a user calls a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables a unique identification of the browser when the website is called again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can still be identified following a website change.

The following data is stored and transmitted in the cookies:

  • Technical cookies or system cookies (Session, JavaScript)
  • Cookies for improving usability (status of pop-up menus)
  • Analysis cookies for analyzing and improving site accesses
  • When users are logged in, it contains a session cookie to identify the user. The corresponding information of the user is stored.

When you visit our website, a pop-up window “Privacy Preferences” is displayed containing information concerning the use of cookies and a link to this Privacy Policy. Within this window, the user can object to the use of cookies, except of essential cookies.

11.2.  Legal Framework for Data Processing

The legal framework for the processing of personal data with the use of cookies is Art. 6 Sec. 1 lit. f GDPR.

The legal framework for the processing of personal data using technically necessary cookies is Art. 6 Sec. 1 lit. f GDPR.

11.3.  Purpose of Data Processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some of the functions of our website cannot be offered without the use of cookies. For these functions, it is necessary that the user is recognized after a website change.

User data collected by technically necessary cookies is not used for the creation of user profiles.

We need cookies for the following applications:

  • JavaScript activated
  • Consent to cookie disclaimer
  • Toolbar opened
  • Authentication of user in logged-in state to the website
  • Request limitation
  • Tracker version
  • User identification
  • Toolbar opened

Analysis cookies are used for improving the quality of our website and its contents. The analysis cookies tell us how the website is used, so we can continuously optimize our services.

In the cookie, an ID is stored linking the user with the data sent.

These aims also include our justified interest in the processing of personal data according to Art. 6 Abs. 1 lit. f GDPR.

11.4.  Duration of Storage, Possibility of Objection and Disposal

Cookies are stored on the user’s computer and transferred via that computer to us. As a user, you therefore have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transfer of cookies. Stored cookies can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, it is possible that not all features of the website can be fully used.

12. Reporting Office in the Context of the German Whistleblower Protection Act

12.1. Description and Extent of Data Processing

We have established a reporting system according to the Whistleblower Protection Act (HinSchG), which serves to receive, process, document, and manage reports and information on potential infringements in a safe and confidential manner.

The use of our reporting system for the submission of reports is generally possible without providing any personal data and thus complies with the requirements of the Whistleblower Protection Act regarding the anonymity of the reporting system. Personal data of the reporting person will only be processed if this reporting person deliberately and voluntarily decides to provide their personal data in the report. Furthermore, the personal data of third parties named by the reporting person while submitting the report will be processed (e.g. parties involved in the reported infringement, witnesses, etc.).

If you submit a report via the reporting system, we collect the following personal data and information:

  • Your name (if stated by you)
  • Your e-mail address (if stated by you)
  • Any personal content of the report that you have submitted, as well as the fact that you have submitted such a report (if this fact is attributable to you)
  • The names of persons or other information and personal data of the persons named by you in the report as persons involved or witnesses of the infringement (as far as stated in the report)

Recipient of the Personal Data

Technical Provider of the Reporting System
The reporting system is operated by Preeco GmbH, Magirus-Deutz-Strasse 14, D – 89077 Ulm (“preeco”), a specialized company, on behalf of the controller. The reporting system is provided as Software as a Service | SaaS and complies with the current requirements regarding data privacy and IT security. Data processing exclusively takes place in Germany. Access to this data is only possible for a limited group of employees of the controller, which is defined by the controller. Data security is guaranteed by comprehensive technical and organizational measures, in compliance with a certified process.

Name of the Ombuds Service Provider 
We use a specialized service provider for the operation of the internal reporting office in accordance with the Whistleblower Protection Act:

ah-consulting GmbH
Am Sandfeld 17 a
76149 Karlsruhe

+49 721 75408840
privacy@ah-consulting.gmbh

Authorities 
In addition, your personal data will be submitted to third parties or authorities in individual cases if this is necessary to clarify any unlawful behavior or for legal prosecution. However, this only happens if concrete evidence of an unlawful or abusive behavior exists.

The data is transmitted due to our legitimate interest in the fight against misuse, the prosecution of criminal offences, as well as in securing, asserting, and enforcing claims, provided that your rights and interests regarding the protection of your personal data do not prevail, Art. 6 Sec. 1 lit. f GDPR. If we are legally obliged to pass on the information, we will do so based on Art. 6 Sec. 1 lit. c GDPR (legal obligation).

Persons Affected by the Report
In general, we are legally obliged according to Art. 14 GDPR to inform third parties that we have received information about them. We will comply with this obligation if and as soon as this information no longer compromises the further prosecution of the reported infringement.

Thereby, the identity of the whistleblower will not be disclosed – to the extent permitted by law.

Transmission to Third Countries
The data processing within the framework of the reporting system exclusively takes place on servers located in Germany. A transmission to third countries does not take place and is not intended.

12.2.  Legal Basis for Data Processing

Data of the Reporting Person
The processing of the reporting person’s personal data requires a consent (Art. 6 Sec. 1 lit. a GDPR). Consent is provided by the submission of the report, stating your name and e-mail address. As explained above, both the consent and the statement of personal data are provided voluntarily.

Transmitted Data of Third Parties
If personal data of third parties (persons involved or witnesses of infringements) is transmitted as a part of the reporting procedure, we will process this data based on our company’s legitimate interest in the detection and prevention of grievances and thus, in the prevention of damage to the controller, the controller’s employees, and customers (Art. 6 Sec. 1 lit f GDPR).

Obligation to Provide Data
The submission of reports and therefore the provision of personal data is neither a statutory nor a contractual requirement. The non-submission of reports or failure to provide personal data within the report has no effect on a possible employment of the reporting person by the controller.

Confidential Handling of Information
Any information received will always be treated as strictly confidential. The employees of the internal reporting office and all employees involved in the processing of a report shall be expressly obliged to maintain confidentiality.

12.3.  Purpose of Data Processing

The reporting system according to the Whistleblower Protection Act (HinSchG) serves to receive, process, document, and manage reports and information on potential infringements in a safe and confidential manner.

12.4.  Storage Period

The personal data will be stored for the time that is necessary for the clarification and final assessment of the report or as long as the controller’s legitimate interest exists or for the time period that is required by law.

Once the processing of the report is completed, the data is deleted in accordance with legal requirements.

12.5.  Possibility of Objection and Disposal

You can withdraw your consent at any time and with effect for the future. The withdrawal of consent can be sent informally to the contact data stated above.

Regarding the withdrawal of consent, we expressly point out that, depending on the processing state of the respective case, it may no longer be possible to discontinue the processing of the personal data if we, as the controller of the data processing and reporting system, have involved authorities or courts due to the content or nature of the report. We want to point out already now that in such cases, after the withdrawal of consent, we will continue processing the personal data on the basis of legal requirements; specifically on the basis of a possible legal obligation due to our involvement in criminal, administrative, or legal proceedings (Art. 6 Sec. 1 lit. c GDPR) or due to our legitimate interest (Art. 6 Sec. 1 lit. f GDPR); in these cases, our legitimate interest lies in the detection and prevention of grievances and infringements.

13. Contact Form and E-Mail Contact

13.1.  Description and Extent of Data Processing

On the basis of our justified interests, on this website we use a contact form that can be used for the electronic first contact and for the upload of documents. If a user uses this contact form, the data entered in the input mask is transferred to us and stored.

This data is required for mandatory fields:

  • Title
  • First and last name
  • E-mail address
  • Company
  • City
  • Country

All other entries that are not mandatory but are filled in anyway, are also transmitted and stored.

The following data is also stored at the time of registration:

  • IP address of the calling computer
  • Date and time of registration
  • E-mail address
  • Documents that are uploaded

During this process, your consent is obtained and you are referred to this data privacy statement.

Alternatively, an initial contact is possible by means of the e-mail address provided. In this case, the user’s personal data that is sent with the e-mail is stored.

In this context, no data is passed on to third parties. The data is used exclusively for processing the conversation.

13.2.  Legal Framework for Data Processing

The legal framework for the processing of the data if the user consents is Art. 6 Sec. 1 lit. a GDPR.

The legal framework for processing data transmitted via e-mail is Art. 6 Sec. 1 lit. f GDPR. If the aim of the e-mail contact is to conclude a contract, an additional legal framework for the processing is Art. 6 Sec. 1 lit. b GDPR.

13.3.  Purpose of Data Processing

We need to process personal data from the input mask only for dealing with the initial contact. If this contact is made via e-mail, there is also a justified interest in the processing of the data.

The other data processed during the transmission procedure serves to prevent a misuse of the contact form and to ensure the security of our information technology systems.

13.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. For personal data provided via the input mask of the contact form, and the data sent by e-mail, this is the case when the respective conversation with the user ends. The conversation ends when it can be inferred from circumstances that the situation concerned has been clarified finally.

The extra data collected during the sending process is deleted after a maximum period of seven days.

13.5.  Possibility of Objection and Disposal

At all times, users can withdraw their consent to the processing of their personal data. If users contact us by e-mail, they can object to the storage of their personal data at any time. In this case, the conversation cannot be continued.

The withdrawal of consent and the objection to storage must be sent in writing to the data protection officer.

In this case, all personal data stored during the contact is deleted.

14. Google Fonts

14.1.  Extent of Processing of Personal Data

​On the basis of our justified interests, we use the Google Fonts service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).

Google Fonts provides an intuitive and robust directory of open-source designer web fonts. With a comprehensive catalog, typography can be integrated seamlessly in any design project.

This service is used to integrate web fonts in our websites. The integration of the Google fonts takes place with a server call to Google, regularly via the URL https://fonts.google.com. The fonts are supplied by various designers and are open-source.

When a user accesses our online services, a request is usually transmitted to a Google server in the USA, where it is stored and processed.

Technically, the fonts embedded in our website are stored on a Google server and loaded from there when the site is being called. By using Google Fonts, the Google server sends a corresponding file to each user, based on the technologies supported by the user’s browser.

The connection to Google Fonts is not authenticated. During a visit of our online services, no cookies or login information is sent to Google. Corresponding queries to Google Fonts servers are sent to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com, so that requirements for fonts are generally separated from login information, which otherwise is sent to Google domains such as google.com or google.de, which can be authenticated.

Google Fonts logs data records of the CSS and the font file requirements. For statistical purposes, Google assigns aggregated usage numbers showing how popular font families are, and publishes these results on an Analytics website (https://fonts.google.com/analytics).

For further information on the Google Fonts service, see https://developers.google.com/fonts/faq.

Google is certified under the Privacy Shield Agreement, which means it offers a guarantee to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

The EU-US Privacy Shield Agreement was declared invalid by the European Court of Justice in August 2020. Since then, for companies of the EU or the EEA it is only possible to collaborate with US companies based on EU standard contract clauses. As far as possible, EU standard contract clauses were concluded with the affected US companies. Additionally, further measures for ensuring the data protection level were agreed upon with US companies to some extent.

14.2.  Legal Framework for Processing Personal Data

The legal framework for the processing of users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

14.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online services in order to integrate content or services of third parties or their contents and services.

We use Google Fonts to make our website independent of the fonts installed by the user, the so-called system fonts, and to ensure a consistent display on different systems.

The purpose and extent of data collection and the processing, as well as the use of the data by Google can be found in Google’s Privacy Policy at https://policies.google.com/privacy?hl=de.

14.4.  Duration of Storage

The data is deleted as soon as it is no longer required for our recording purposes.

14.5.  Possibility of Objection and Disposal

For further information on Google’s use of data, and setting and objection options, see the following Google websites: (“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“How Google uses cookies in advertising”), http://www.google.com/policies/technologies/ads (“Use of data for promotional purposes”), http://www.google.de/settings/ads (“Managing information used by Google to display advertising”).

15. YouTube

15.1.  Description and Scope of Data Processing

On the basis of our justified interests, we use components of the YouTube service, operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”).

YouTube is an internet video portal that enables video publishers to post video clips free of charge, and other users to view, rate, and comment on these clips, also free of charge. YouTube permits the publication of all kinds of videos, which is why both whole film and TV programs, but also music videos, trailers, or videos made by the users themselves, can be retrieved via the internet portal.

After every call of one of the individual pages of this website, which is operated by the data controllers and on which a YouTube component (YouTube video) is integrated, the internet browser on the IT system of the data subject is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information on YouTube can be retrieved under https://www.youtube.com/intl/com/about/. Within the framework of this technical procedure, YouTube and Google receive knowledge about the actual subpage of our website that the data subject visits.

If the data subject is simultaneously logged into YouTube, YouTube can see from the retrieval of a subpage containing a YouTube video the actual subpage of our website that the data subject visits. YouTube and Google collect this information and assign it to the respective YouTube account of the data subject.

Via the YouTube component, YouTube and Google always receive information that the data subject has visited our website if the data subject is simultaneously logged into YouTube at the time our website is retrieved; this takes place irrespective of whether the data subject clicks a YouTube video or not. If the data subject does not desire such transfer of information to YouTube and Google, he or she can prevent the transfer by logging out of the YouTube account before visiting our website.

15.2.  Legal Basis for Data Processing

The legal basis for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

15.3.  Purpose of Data Processing

The data is processed out of interest in the analysis, optimization, and economic operation of the online offer.

For the purpose and scope of data collection, and further processing and use of the data by YouTube, see the YouTube data privacy statement under https://policies.google.com/privacy?hl=en&gl=de

15.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

15.5.  Possibility of Objection and Disposal

If a user is simultaneously a user of YouTube services and wants to prevent YouTube from collecting (via this online offer) data about him or her and linking it to his or her user data stored by YouTube, he or she must log out from YouTube before using our online offer, and delete his or her cookies.

YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. It may therefore be necessary for the user to log out from any possible Google user account and delete all related cookies.

Under https://www.google.com/settings/ads/authenticated, YouTube offers the option of objecting to targeted advertising.  

16. Newsletter

16.1.  Description and scope of data processing

On the basis of our justified interests, we offer our users on this website the possibility of subscribing to a free newsletter.

We send newsletters, e-mails and other electronic notifications with promotional information (referred to in the following as “newsletter”) only with the recipient’s consent or a statutory license. In this case, the data from the input screen is transmitted to us if a user registers for the Newsletter.

Insofar as the contents of a newsletter are precisely described during a registration for the newsletter, they are relevant for the user’s consent. Our newsletters also contain information on our products, offers, actions, and our company.

The following user data are collected:

  • Title
  • First and last name
  • E-mail address
  • Company
  • City
  • Country

All other entries that are not mandatory but are filled in anyway, are also transmitted and stored.

The following data are collected during registration:

  • IP address of the calling computer
  • Date and time of registration

As part of the logon procedure, the user’s consent is secured and the user is referred to this data privacy statement.

Registration for our newsletter takes place in a so-called double opt-in procedure – i.e., following registration, you receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with another e-mail address. The newsletter registrations are logged to provide proof that the registration process took place according to legal requirements. This includes the storage of the registration and confirmation times and also the IP address. Changes to your data stored by the delivery service provider are also logged.

If you order goods or services on our website and enter your e-mail address, this can later be used by us to send you the newsletter. In such a case, only direct advertising for similar goods or services from us is sent via the newsletter.

In connection with data processing for sending newsletters, no data are passed on to third parties. The data are used exclusively for sending the newsletter.

16.2.  Legal basis for data processing

The legal basis for the processing of data following registration for the newsletter by the user and the existence of the user’s consent is Art. 6 Sec. 1 lit. a GDPR.

The legal basis for sending the newsletter following the sale of goods or services is § 7 Sec. 3 UWG (the German Fair Trade Practices Act).

16.3.  Purpose of data processing

To register for the newsletter, you merely have to specify your e-mail address and your first and last names. Your e-mail address is needed so that we can send you the newsletter. We may also ask you to specify other data for the purpose of personal address in the newsletter.

If we ask for other personal data during the registration procedure, this is to prevent a misuse of services or of the e-mail address used.

16.4.  Duration of storage

The data are deleted as soon as it is no longer required for achieving the purpose of its collection. The user’s e-mail address is stored as long as the subscription to the newsletter is active.

Other personal data collected during the registration procedure is normally deleted after seven days.

16.5.  Appeal and disposal possibility

A subscription to the newsletter can be cancelled at any time by the user concerned. A corresponding link is specified for this purpose in every newsletter.

This also enables a withdrawal of consent to the storage of personal data collected during the registration procedure.

If users are registered only for the newsletter and cancel this registration, their personal data are deleted.

17. Yourls

17.1.  Extent of Processing of Personal Data

Due to our legitimate interest, we use the open-source tool Yourls, https://yourls.org/. This tool allows shortening links to create short URLs. Yourls analyses the IP address, browser settings, and browser information to identify where the request comes from.

Yourls is hosted on servers of DSC Software AG. DSC Software AG exclusively carries out the collection and statistical analysis of the data.

17.2.  Legal Framework for the Processing of Personal Data

The legal framework for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

17.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online offer.

17.4.  Duration of Storage

The data is deleted as soon as it is no longer necessary for our recording purposes.

17.5.  Possibility of Objection and Disposal

There is no possibility of objection and disposal.

18. XING

18.1.  Description and Extent of Data Processing

On the basis of our justified interests, we use components of the XING service, which is operated by XING AG, Dammtorstraße 30, 20354 Hamburg, Germany ("XING").

XING is an internet-based social network that enables users to connect with existing business contacts and to create new business contacts. The individual users can create a personal profile of themselves at XING. Companies may, e.g. create company profiles or publish job offers on XING.

Every access to one of the individual pages of this website, which is operated by the data controller and on which a XING component (XING plug-in) is integrated, automatically causes (due to the respective XING component) the internet browser on the IT system of the data subject to download a display of the corresponding XING component from XING. For further information on the XING plug-ins, see https://dev.xing.com/plugins. During this technical procedure, XING receives knowledge about the actual subpage of our website that is visited by the data subject.

If the data subject is simultaneously logged-in on XING, XING recognizes with each access to our website by the data subject – and for the entire duration of their stay on our website – the specific subpage of our website visited by the data subject. This information is collected by the XING component and assigned by XING to the respective XING account of the data subject. If the data subject clicks on one of the XING buttons integrated on our website, e.g. the "Share" button, then XING assigns this information to the personal XING user account of the data subject and stores the personal data.

By means of the XING component, XING always receives information that the data subject has visited our website if the data subject is simultaneously logged in on XING; this takes place independently of whether the data subject clicks a XING component or not. If the data subject does not want this information to be transmitted to XING, they can prevent it by logging off from the XING account before calling our website.

18.2.  Legal Basis for Data Processing

The legal framework for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

18.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online services.

The purpose and extent of data collection and the further processing and use of the data by XING are accessible in the data privacy statement of XING under https://www.xing.com/privacy. Data privacy information on the XING Share button can be found at https://www.xing.com/app/share?op=data_protection.

18.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

18.5.  Possibility of Objection and Disposal

If a user is simultaneously using the services of XING and does not want XING to collect data about these online services and link it to the user data stored with XING, they should log off from XING and delete all related cookies before using our online services.

Under https://nats.xing.com/optout.html?popup=1&locale=de_DE, XING offers the option of objecting to web analysis. For further opt-out options, see https://www.xing.com/privacy 

19. LinkedIn

19.1.  Description and Extent of Data Processing

On the basis of our justified interests, we use components of the LinkedIn service, which is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA ("LinkedIn").

LinkedIn is an internet-based social network that enables users to connect with existing business contacts and to create new business contacts.

With each access to our website, which contains a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the data subject to download a representation of the component from LinkedIn.

For further information on the LinkedIn plug-ins, see https://developer.linkedin.com/plugins. During this technical procedure, LinkedIn receives knowledge about the actual subpage of our website that is visited by the data subject.

If the data subject is simultaneously logged-in on LinkedIn, LinkedIn recognizes with each access to our website by the data subject – and for the entire duration of their stay on our website – the specific subpage of our website visited by the data subject. This information is collected by the LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the data subject. If the data subject clicks on one of the LinkedIn buttons integrated on our website, then LinkedIn assigns this information to the personal LinkedIn user account of the data subject and stores the personal data.

By means of the LinkedIn component, LinkedIn always receives information that the data subject has visited our website if the data subject is simultaneously logged in on LinkedIn; this takes place independently of whether the data subject clicks a LinkedIn component or not. If the data subject does not want this information to be transmitted to LinkedIn, they can prevent it by logging off from the LinkedIn account before calling our website.

19.2.  Legal Basis for Data Processing

The legal framework for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

19.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online services.

The purpose and extent of data collection and the further processing and use of the data by LinkedIn are accessible in the data privacy statement of LinkedIn under https://www.linkedin.com/legal/privacy-policy. The cookie policy is available under https://www.linkedin.com/legal/cookie-policy.

19.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

19.5.  Possibility of Objection and Disposal

If a user is simultaneously using the services of LinkedIn and does not want LinkedIn to collect data about these online services and link it to the user data stored with LinkedIn, they should log off from LinkedIn and delete all related cookies before using our online services.

Under https://www.linkedin.com/psettings/guest-controls, LinkedIn enables the user to subscribe from receiving e-mails, SMS messages, and personalized offers and to manage their ads settings.

LinkedIn additionally uses partners like Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame, which may set cookies. The user can decline such cookies under https://www.linkedin.com/legal/cookie-policy.

The responsibility for data privacy issues outside the USA lies with LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland. 

20. Optimizely

20.1. Description and Extent of Data Processing

Due to our justified interest, on this website we use Optimizely Content Cloud as the content management system by Episerver GmbH. The Optimizely platform is based on Microsoft standard technology – cloud strategy on the basis of Microsoft Azure (PaaS solution).
Optimizely Content Cloud enables the creation of websites and e-commerce sites. Episerver GmbH has no control over the contents of these websites, e-mails, or other messages, or the type of personal data that is collected or processed by Episerver products or services.
In these cases, the customers of Episerver GmbH control the processing of personal data. Episerver GmbH acts on their behalf as data processor by collecting and processing information under the control of their customers. They do not have a direct relation to the persons whose personal data they process. The conditions of the processing activities are controlled with a data privacy agreement that is concluded between Episerver GmbH and their customers.
Further information on data protection of Episerver GmbH is available at https://www.optimizely.com/legal/privacy-policy/.

20.2. Legal Basis for Data Processing

The legal framework for the processing of personal data is Art. 6 Sec. 1 lit. f GDPR.

20.3. Purpose of Data Processing

The purpose of data processing is the provision of the website. The functions of our website cannot be offered without the use of Optimizely.

This purpose also includes our justified interest in the processing of personal data according to Art. 6 Abs. 1 lit. f GDPR.

20.4. Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

20.5. Possibility of Objection and Disposal

There is no possibility of objection and disposal.

21. Matomo

21.1.  Extent of Processing of Personal Data

Based on our justified interests we use the open-source software tool Matomo (former PIWIK) on this website for web analysis with the cookie technology. Matomo is a service of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769. The software sets a cookie on the user's computer.

  • If single sites of our website are accessed, the following data is stored:
  • One byte of the IP address of the user’s system accessing the site
  • The website accessed
  • The website from which user reaches the accessed site (Referrer)
  • The subsites accessed from the accessed website
  • The duration of stay on the website
  • The frequency of accessing the website

Thereby, the software only runs on the servers of our websites. Personal data is only saved on these servers. The data is not passed on to any third parties.

The software settings ensure, that IP addresses are not saved completely. Instead, three bytes of the IP address are masked (e.g. 168.xxx.xxx.xxx). Thus, an assignment of the shortened IP address to the calling computer is no longer possible.

21.2.  Legal Framework for the Processing of Personal Data

The legal framework for the processing of the users’ personal data is Art. 6 Sec.1 lit. f GDPR.

21.3.  Purpose of Data Processing

The processing of the users’ personal data enables an analysis of the users’ surfing behavior. With the data generated from the analysis, we are able to gain information about the usage of the single components of our website. This helps us to continuously improve our website and to make it more user-friendly.

With the anonymization of IP addresses, the users’ interest in the protection of personal data is sufficiently taken into account.

21.4.  Duration of Storage

The data is deleted as soon as it is no longer necessary for our recording purposes. In this case, this applies after 12 months.

21.5.  Possibility of Objection and Disposal

Cookies are stored on the user’s computer and transferred via that computer to us. As user, you therefore have full control over the use of cookies. By changing the settings within your internet browser, the transfer of cookies can be disabled or restricted anytime. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it is possible that not all features are entirely accessible.

We offer our users an opt-out possibility from the analysis process on our website. Therefore, please follow the respective link. This way, another cookie is set on your system that indicates our system not to save the user's data. If the user deletes the respective cookie from their system in the meantime, the opt-out cookie needs to be set again.

Additional information about the privacy settings of the Matomo software is available here: https://matomo.org/docs/privacy/. 

22. Microsoft Azure

22.1 Extent of Processing of Personal Data

Based on our justified interest for the provision of our websites and further services provided, we use Microsoft Azure Cloud. The service provider is the company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Microsoft processes data, among other countries, in the USA. We point out that according to the Court of Justice of the European Union, there is currently no appropriate protection level for data transfer to the USA. This can be accompanied by various risks for the legitimacy and security of data processing.

Microsoft accepted the EU standard contractual clauses of the European Commission regarding the transfer of personal data to third countries.

Information on Microsoft’s standard contractual clauses is available at:

https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses.

Information on Microsoft’s data processing is available at:

https://learn.microsoft.com/de-de/compliance/regulatory/gdpr-dpia-azure.

All personal data processed by Microsoft in relation to online services is received as customer data, diagnostic data, or service-generated data. Personal data that is provided by Microsoft, or in the name of the user by using the online services, is also considered customer data.

22.2 Legal Framework for the Processing of Personal Data

The legal framework for the processing of users’ personal data is Art. 6 Sec.1 lit. f GDPR.

22.3 Purpose of Data Processing

Provision of websites and further services.

Microsoft Azure only processes data for providing customers with online services. This includes the purposes that are compatible with the provision of these online services, e.g. personalization, security, prevention of fraudulent software and malware, troubleshooting, and improvement.

22.4 Duration of Storage

Upon the expiration of the 90-day retention period, Microsoft will deactivate the customer’s account and delete the customer data. Customers can delete personal data upon request by the data subject and by using the capabilities according to GDPR documentation regarding requests for Azure data subjects.

22.5 Possibility of Objection and Disposal

Microsoft allows customers to act upon requests of data subjects for the exercise of the data subjects' rights according GDPR, consistently with the function of the online service and the role of Microsoft as processor of data subjects’ personal data. If Microsoft receives a request of a customer’s data subject for exercising one or several of their rights according to GDPR in relation with an online service, for which Microsoft is the processor or subprocessor, Microsoft refers the data subject to the customer so that the data subject can direct their request directly to said customer. The customer is responsible to answer such a request, including, if necessary, by using the functionalities of the online service. Microsoft fulfills appropriate requests of customers after the support for processing of requests of data subjects.

23. Rights of the Data Subject

If your personal data is being processed, you are the data subject in the sense of the General Data Protection Regulation (GDPR) and you have the following rights against the data controller:

23.1.  Right to Information

From the data controller, you can demand confirmation about whether personal data concerning you is processed by us.

If your data is being processed, you can demand information from the data controller about the following:

  1. The reason why the personal data is being processed;
  2. The categories of personal data that are being processed;
  3. The recipients or categories of recipients to whom your personal data has been or will be disclosed;
  4. The planned duration of storage of your personal data or, if nothing concrete can be specified here, criteria for defining the duration of storage;
  5. A right of rectification or erasure of your personal data, a right to restrict processing by the data controller, or a right of objection to this processing;
  6. The right to complain to a supervisory authority;
  7. All available information about the origin of the data if the personal data is not collected for the data subject;
  8. The existence of an automated decision-making process including profiling in accordance with Art. 22 Sec. 1 and 4 GDPR and – in these cases at least – meaningful information concerning the logic involved as well as the scope and the intended effects of such processing for the data subject.

You have the right to demand information about whether your personal data is transmitted to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees acc. to Art. 46 GDPR in connection with the transmission.

This right to information can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

23.2.  Right to Correction

You have a right to correction and/or completion against the data controller if your processed personal data is incorrect or incomplete. The data controller has to make the correction immediately.

Your right to correction can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

23.3.  Right to Restriction of Processing

You can demand restriction of processing of your personal data under the following conditions:

  1. If you dispute the correctness of your personal data for a duration that enables the data controller to check the correctness of your personal data;
  2. Processing is illegal and you reject the deletion of your personal data and instead demand the restriction of the use of your personal data;
  3. The data controller no longer requires the personal data for purposes of processing, but you require it for the assertion, enforcement or defense of your legal rights;
  4. You have objected to the processing in accordance with Art. 21 Sec. 1 GDPR and it is not yet certain whether the justified reasons of the data controller outweigh your reasons.

If processing of your personal data has been restricted, this data – apart from its storage – may only be processed with your consent or for the assertion, enforcement or defense of your legal rights or to protect the rights of another natural or legal person or for reasons of an important public interest of the EU or a member state.

If restriction of processing is limited to the conditions listed above, you will be informed of this by the data controller before the restriction is lifted.

Your right to restriction of processing can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

23.4.  Right to Deletion

You can demand from the data controller that your personal data be deleted immediately, and the data controller is obliged to delete this data immediately if one of the following reasons applies:

  1. Your personal data is no longer required for the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent on the basis of which processing was carried out in accordance with Art. 6 Sec. 1 lit. a or Art. 9 Sec. 2 lit. a GDPR, and there exists no other legal basis for processing.
  3. You object to processing in accordance with Art. 21 Sec. 1 GDPR and there exist no overriding justified reasons for processing, or you object to processing in accordance with Art. 21 Sec. 2 GDPR.
  4. Your personal data concerned was unlawfully processed.
  5. The deletion of your personal data is necessary for the fulfillment of a legal obligation according to EU law or the laws of a member state to which the data controller is subject.
  6. Your personal data was collected with regard to services offered by information society in accordance with Art. 8 Sec. 1 GDPR.
23.5.  Information for Third Parties

If the data controller has published your personal data and is legally obliged to delete it in accordance with Art. 17 Sec. 1 GDPR, he or she must take appropriate (including technical) measures with regard to the available technology and the implementation costs to inform the data controller who also process your personal data that you as the data subject have demanded the deletion of all links to this personal data or of copies or replications of this personal data.

23.6.  Exceptions

The right to deletion does not exist if processing is necessary:

  1. For exercising the right to freedom of expression and information
  2. For fulfilling a legal obligation that requires processing according to EU law or the laws of the member states to which the data controller is subject, or performing a task that is in the public interest or in the exercise of official authority that is assigned to the data controller
  3. For reasons of public interest in the area of public health in accordance with Art. 9 Sec. 2 lit. h and i as well as Art. 9 Sec. 3 GDPR
  4. For archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89 Sec. 1 GDPR, provided the right named under Section 1. will foreseeably make the realization of the aims of processing impossible or extremely difficult
  5. For the assertion, enforcement or defense of legal rights.
23.7.  Right to Information

If you have enforced you right to correction, deletion or restriction against data controller, this person is legally obliged to inform all recipients to whom your personal data was disclosed about this correction or deletion of the data or restriction of processing unless this proves to be impossible or is connected with disproportionate effort.

You have the right against the data controller to be informed about these recipients.

23.8.  Right to Data Portability

You have the right to receive the personal data that you have provided to the data controller in a structured, common, and machine-readable format. You also have the right to transfer this data to another data controller without hindrance by the data controller to whom the personal data was provided, if:

  1. Processing is based on consent in accordance with Art. 6 Sec. 1 lit. a GDPR or Art. 9 Sec. 2 lit. a GDPR or on a contract in accordance with Art. 6 Sec. 1 lit. b GDPR and
  2. Processing takes place with the aid of automated procedures.

In enforcing this right, you also have the right to ensure that your personal data is transferred directly from one data controller to another data controller as far as this is technically possible. The freedom and rights of other persons may not be impaired by this.

The right to data portability does not apply to the processing of personal data that is required for performing a task that is in the public interest or in the exercise of an official authority that was assigned to the data controller.

24. Right of Objection

You have the right for reasons applying to your particular situation, to object at any time to processing of your personal data that takes place on the basis of Art. 6 Sec. 1 lit. e or f GDPR; this also applies to profiling based on these regulations.

The data controller no longer processes your personal data unless he or she can provide compelling legitimate reasons for processing that outweigh your interest, rights and freedoms, or the processing serves the assertion, enforcement, or defense of your legal rights.

If your personal data is processed to pursue direct advertising, you have the right to object at any time to processing of your personal data for the purposes of such advertising; this also applies to profiling, if this is related to such direct advertising.

If you object to processing for the purposes of direct advertising, your personal data is no longer processed for these purposes.

In connection with the use of information society services – irrespective of Regulation 2002/58/EG – you can exercise your right of objection using automated procedures for which technical specifications are used.

You also have the right for reasons applying to your particular situation to object to processing of your personal data conducted for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 Sec. 1 GDPR.

Your right of objection can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

25. Right to Withdraw Declaration of Consent Concerning Data Privacy

You have the right at any time to withdraw your consent concerning data privacy. Through the withdrawal of consent, the legitimacy of the processing carried out on the basis of your consent up to its withdrawal is not affected.

26. Automated Decision for Individual Cases Including Profiling

You have the right not to be subjected to a decision based exclusively on automated processing including profiling, a decision that has a legal effect on you or that considerably adversely affects you. This does not apply if the decision:

  1. is necessary for the conclusion or fulfillment of a contract between you and the data controller
  2. is permissible on the basis of legal regulations of the EU or the member states to which the data controller is subject and these legal regulations include appropriate measures for preserving your rights and freedoms as well as your justified interests, or
  3. is made with your express consent.

However, these decisions may not be based on special categories of personal data in accordance with Art. 9 Sec. 1 GDPR, as long as Art. 9 Sec. 2 lit. a or g GDPR does not apply and appropriate measures have been taken to protect your rights and freedoms as well as your justified interests.

With regard to the cases named in (1) and (3), the data controller takes appropriate measures to protect your rights and freedoms as well as your justified interests, to which at least belongs the right to obtain the intervention of a person on the part of the data controller, to present one’s own position, and to challenge the decision.

27. Right to Complain to a Supervisory Authority

Irrespective of any other regulatory or legal remedy, you have the right to complain to a supervisory authority, in particular in the member state of your place of residence, your workplace, or the place of the alleged violation if you are of the opinion that the processing of your personal data violates the General Data Protection Regulation (GDPR).

The supervisory authority to which the complaint is submitted informs the complainant about the state and results of the complaint including the possibility of a legal remedy in accordance with Art. 78 of the General Data Protection Regulation (GDPR).