The use of the website and its functions regularly requires the processing of personal data. Unless otherwise indicated, the following statements refer to all websites that we operate and that refer to this data protection information.
Please note that links on our website may take you to other websites that are not operated by us, but by third parties. Such links are either clearly labelled by us or are recognisable by a change in the address line of your browser. We are not responsible for compliance with data protection regulations and the secure handling of your personal data on these websites operated by third parties.

Provision of the website
Purpose of processing: Advertising and personalised marketing measures, information security
Legal basis: Art. 6 para. 1 sentence 1 letter f GDPR
Legitimate interests: Design, operation and availability of digital products; promotion of sales activities; operation, integrity and security of digital products
Data categories: Connection data, usage data
Recipient of the data: IT service provider
Intended transfer to third countries: None

User account / registration for the login area 
Purpose of processing: Advertising and personalised marketing measures, order fulfilment and contract management (setting up access to the login area, provision of user account, allocation of future usage processes)
Legal basis: Art. 6 para. 1 sentence 1 letter b GDPR
Data categories: Master data, contact data, connection data, content data
Recipients of the data: (IT) service providers
Intended transfer to third countries: None

Newsletter registration
Purpose of processing: Advertising and personalised marketing measures, user, prospect and/or customer support, optimisation of products and/or services
Legal basis: Art. 6 para. 1 letter a, letter f GDPR
Legitimate interests: Customer acquisition, customer loyalty, customer recovery, promotion of sales activities, advertising and image improvement, market and opinion research
Data categories: Master data, contact data and connection data
Recipient of the data: IT service provider
Intended third country transfer: None

Making contact
Purpose of processing: User, prospective customer and/or customer support
Legal basis: Art. 6 para. 1 sentence 1 letter f GDPR, Art. 6 para. 1 sentence 1 letter b GDPR (if the enquiry leads to a subsequent conclusion of a contract or concerns an existing contract)
Legitimate interests: Integration of desired or required functionalities, analysis and optimisation of own offers, services and advertising measures
Data categories: Connection data, content data, master data if applicable and contact data if applicable
Recipient of the data: IT service provider
Intended transfer to third countries: Third countries in individual cases (standard data protection clauses and adequacy decisions)

Integration of external content (photos, videos and posts)
Purpose of processing: General advertising and personalised marketing measures
Legal basis: Art. 6 para. 1 sentence 1 letter f GDPR
Legitimate interests: Integration of desired or required functionalities, design, operation and availability of digital products, customer acquisition, customer loyalty, customer recovery
Data categories: Connection data, possibly usage data
Recipients of the data: IT service providers, social networks
Intended third country transfer: In individual cases, USA and other third countries (standard data protection clauses and adequacy decisions)

1. From the GDPR

This privacy policy uses the terms used in the legal text of the GDPR. You can view the definitions (Art. 4 GDPR), for example, at eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679. The definition of health data can be found in Art. 4 No. 15 GDPR. If other special categories of personal data are processed, you will find the explanations in Art. 4, 9 para. 1 GDPR.

2. Additional definitions

2.1 Data categories
When we specify the categories of data processed, this refers in particular to the following data
• Master data (e.g. name, address, date of birth)
•  Contact data (e.g. email addresses, telephone number, messenger services)
• Content data (e.g. text entries, photographs, videos, contents of documents/files)
• Contract data (e.g. subject matter of the contract, terms, customer category)
• Payment data (e.g. bank details, payment history, use of other payment service providers)
• Usage data (e.g. history on our website, use of certain content, access times, contact or order history)
• Connection data (e.g. device information, IP addresses, URL referrer)
• Location data (e.g. GPS data, IP geolocalisation, access points)
• Diagnostic data (e.g. crash logs, website/app performance data, other technical data for analysing malfunctions and errors)
• Applicant and employee data (e.g. employment history, working hours, holiday periods, periods of incapacity for work, appraisals, training and further training, social data, bank details, national insurance number, health insurance/health insurance number, salary expectations and salary data as well as tax identification number, evidence and documents, working hours, public offices held, social security data, data on occupational integration management)

2.2 Purposes of data processing
In the following sections, we indicate the purposes pursued as purpose categories to improve comprehensibility and readability. In some cases, there may be overlaps with our ‘legitimate interests’ (see definitions below). This is in the nature of things.
Unless otherwise stated, the purposes are to be understood as follows:
• Advertising and personalised marketing measures: Includes, for example, the opening of public and possibly access-restricted websites, apps and/or external pages for general information about our products/services (e.g. general website about our company, press pages, social media pages), personalised communication with users, interested parties and/or customers (e.g. newsletters), playout of (personalised) recommendations and advertising measures (e.g. personalised newsletters, playout of advertising measures). e.g. personalised newsletters, display of advertising on other websites, search engines, social media pages and/or apps and generally in advertising networks), merging and linking of data (possibly involving other parties such as publishers in advertising networks) to guarantee commission claims for advertising material.
• Security and emergency management: all processes are recorded that serve to ensure the relevant security requirements and the prevention and/or treatment of accidents and emergencies in the respective context, e.g. access controls, video surveillance, logging, evacuation, personal rescue and damage limitation
• Analysis and performance measurement as well as optimisation of products and/or services: Includes, for example, opinion polls and voting, comparison tests (so-called A/B testing), analysis and (usually aggregated) evaluation of user, prospect and/or customer behaviour in the online and/or offline area (e.g. through click paths, mouse movements and heat maps), analysis and evaluation of the success of general and possibly personalised marketing measures, needs-based design of our (digital) products and services based on the analysed demand and/or usage behaviour.
• Order fulfilment and contract management: This includes all processing operations that are necessary to fulfil the relevant orders/contracts, such as the processing of master and contact data to fulfil customer orders, payment processing including any necessary transfer of data to payment service providers, processing of returns, licence verification.
• Operation and further development of internal IT systems: Includes, among other things, user management, authentication and technical logging, as well as IT support and the further development and customisation of systems and the associated processing of personal data. This applies regardless of whether the IT systems are operated by the controller itself or by a service provider (processor).
• Applicant management: This includes personnel marketing and processes relating to the initiation of employment, such as the processing of applications (digital and analogue), communication with applicants, conducting job interviews, assessment centre procedures and trial work, setting up talent pools and documenting the outcome of applications.
• Business partner maintenance: All processes used to analyse and select suitable business partners and to maintain existing business relationships are recorded.
• Warranty, guarantee, goodwill and general service: Includes in particular the processing of warranty, guarantee and goodwill cases, as well as any information on updates, improvements and recalls.
• Identity and/or credit check: The purpose of the processing is to check the identity of the data subject, if this is necessary for the respective process and/or to check the creditworthiness and/or solvency of an interested party or contractual partner.
• Information security: Processing operations are recorded that serve to protect against dangers and to secure IT systems, as well as to achieve the protection goals of confidentiality, availability and integrity of data, systems and processes (e.g. differentiation between human and bot access, detection and defence against abusive access, security-relevant analysis of the use of digital products and services).
• Logistics and fleet management: Includes, among other things, the planning, management and control of our logistics including external logistics service providers and the management of our vehicle fleet including the fulfilment of legal obligations
• User, prospect and/or customer support: Includes, for example, contact forms, chat systems including chat bots and call-back options as well as the general processing of various enquiries (e.g. advice, service, complaints)
• Human resources and personnel management: Includes all processes for the performance of employment or processes that are closely related to employment, such as onboarding, personnel administration, the fulfilment of employer obligations, personnel development including training and further education, voluntary employer benefits, personnel planning and controlling, company health management, company social counselling, company co-determination, measures to terminate employment, investigative and disciplinary measures and offboarding.
• Project management including collaboration in projects: coordination and implementation of projects, project planning, project schedule management, exchange of information in the context of projects, collaboration in the context of projects
• Legal matters and compliance measures: Includes, for example, the assertion, exercise and enforcement of legal claims and processes for compliance with legal requirements (e.g. in the context of data protection consent management) and for the prevention and/or clarification and prosecution of legal violations.
• Event management: All processes required for the organisation of offline and online events and functions are recorded (e.g. registration, participant management, implementation of the event, processing of personal preferences and needs, data processing in the context of video conferences and/or instant messaging services), photo, audio and/or video documentation of events, issuing of participation certificates.
• Administration: Processes are recorded that include, in particular, basic operational functions such as communication, accounting, invoicing and reporting, documentation and archiving, knowledge and contact management.

2.3 Legitimate interests
In the following sections, we state our legitimate interests within the meaning of Art. 6 para. 1, sentence 1 letter f GDPR as categories to improve comprehensibility and readability. In some cases, there may be overlaps with our ‘purposes’ (see the definitions above). This is in the nature of things.
Unless otherwise stated, the stated legitimate interests are to be understood as follows
• Promotion of sales activities: e.g. promotion of our sales by evaluating the demand of our customers, analysis of the interests and purchasing and demand behaviour of our prospects, users and/or customers.
• Promotion of economic interests: e.g. measures for cost reduction and cost savings, avoidance/reduction of significant additional costs, general increase in earnings (in particular through outsourcing to service providers) and avoidance of competitive disadvantages.
• Advertising and image improvement, market and opinion research: e.g. opinion polls, voting, product and/or service evaluations and other reviews, as well as the integration of these results.
• Analysis and optimisation of our own offers, services and advertising measures: e.g. analysis of user, prospective customer and/or customer behaviour to optimise processes, services and products, needs-based design of our products, services and marketing measures and direct customer approach, performance measurement of the newsletter (opening and click statistics).
• Design, operation and availability of digital products: includes, for example, the integration of general functions of websites, apps and other digital products
• Operation, integrity and security of digital products: in particular defence against requests that overload the service (denial of service attacks) or excessive use of bots to destabilise a platform, IT security measures such as the storage of log files and in particular IP addresses for a longer period of time in order to detect and prevent misuse, including beyond the extent required by law.
• Direct advertising (personalised marketing): in particular direct approaches to interested parties and customers that are not based on consent, such as product recommendations based on previous demand behaviour, including the processing of data in preparation for direct advertising (e.g. customer segmentation, affinity assessments).
• Integration of desired or required functionalities: Integration of functionalities that are in the interests of the customer, are played out at the customer's request and/or are necessary for the provision of the service (e.g. the integration of contact options on websites or in apps or, for example, the possibility of saving configurations by the user (e.g. language selection)). 

• Assertion, exercise or defence of legal claims: e.g. preservation of evidence, to clarify the facts in the event of a foreseeable legal dispute.
• Customer acquisition, customer loyalty, customer recovery: e.g. operation of a customer relationship management (CRM) system for prospect and customer care.
• Freedom of expression, press and broadcasting: in particular processing that previously fell under the so-called media privilege.
• Protection of the body and health of data subjects
• Promotion of legitimate interests in a group of companies: performance of organisational, procedural or entrepreneurial tasks arising from the cooperation of several affiliated companies (see the explanations in Recital 48 GDPR).
• Prevention of criminal offences, administrative offences and other detrimental actions: in particular fraud prevention, preventive measures as part of an internal control system, measures to clarify risks following suspicious cases or other indications of possible actions to the detriment of the controller or other persons
• Reduction of default risks: Identification of economic, technical, procedural or organisational risks for the company that could lead to the complete or partial failure of the company, parts of the company or the company's products or services
• Employee support: Integration or implementation of services and activities that are in the interests of employees, such as satisfaction surveys, voluntary events and activities, birthday lists, sending greeting cards, etc.
• Other legitimate interests: If relevant, these interests are explained separately at the respective points.

2.4 Categories of recipients
In the following section, we list the categories of recipients that we use in our data protection information:
• Banks and other financial service providers
• Authorities and other public bodies
• Professional secrecy organisations and their companies/institutions
• (IT) service providers
• Opponents in legal disputes
• Group companies and other affiliated companies
• Customers and interested parties
• suppliers
• Personnel service providers
• Platform operators and media
• Associations, organisations and interest groups
• Landlords
• Insurance companies
• Contractual partners (without customers)