Privacy policy

    Affected parties

    This statement is aimed at all persons who are visitors to the website of the controller to which this data protection information is linked. All personal designations refer to all genders and the associated language forms, in particular diverse, female, male. Each personal designation is to be understood with the addition “(m/f/d)”.

    Responsible persons

    The controller for the processing described here is: Choice AG, Thomas-Mann-Straße 16 – 20, 90471 Nuremberg, Germany, telephone: +49 911 480499-0, e-mail: info@choice.de, internet: www.choice.de, represented by the Management Board: Antonio Pardo (Chairman), Bego Jasenac, Hannes Beyer. The external data protection officer is STANHOPE Rechtsanwaltsgesellschaft mbH, there attorneys Ulf Castelle, LL.M. and Dr. Stephan Gärtner.

    Rights of data subjects and other information

    (1) Data subjects have the following rights with regard to the personal data stored about them: the right of access, the right to rectification of inaccurate data, the right to erasure of data for which there is no longer a reason for storage, the right to restriction of processing and the right to data portability. They also have the right to lodge a complaint with the supervisory authority responsible for the controller.

    (2) Insofar as the processing is based on the consent of the data subjects, the data subjects may withdraw their consent at any time and with effect for the future, for example by sending an informal message to one of the above-mentioned contact channels (controller).

    (3) Insofar as the processing is based on the fulfillment of a legitimate interest, i.e. on Article 6 paragraph 1 sentence 1 lit. f GDPR, the data subjects can object to the processing at any time; for example, by sending an informal message to one of the above-mentioned contact channels (controller). If the objection is justified, processing will be terminated. If the legitimate interest lies in direct marketing, the objection is always justified.

    (4) Automated decision-making, including profiling, does not take place.

    Transmission to countries outside the European Union

    (1) If personal data is transferred to bodies outside the European Union, the controller must provide additional safeguards in accordance with Article 44 et seq. GDPR.

    (2) If the controller refers to a so-called adequacy decision in the following data protection declaration, this means that the receiving body is located in a country, territory or specific sector for which the EU Commission has decided that it offers an adequate level of data protection. The guarantee then follows from Article 45 GDPR.

    (3) If the controller refers to the so-called EU standard contractual clauses in the following data protection declaration, this means that the receiving body has contractually undertaken to respect the EU data protection principles and this on the basis of the so-called EU standard contractual clauses, the guarantee then follows from Article 46 GDPR.

    (4) If the controller refers to so-called binding, internal data protection regulations in the following privacy policy, this means that the competent supervisory authority has approved the transfer. The guarantee then follows from Article 47 GDPR.

    (5) Insofar as the controller refers in the following privacy policy to the fact that the data subjects have expressly consented to the transfer to a country outside the European Union, this means that they nevertheless consent to the transfer in full knowledge of all associated risks. The guarantee then follows from Article 49(1)(a) GDPR.

    The following risk warnings are issued as a precautionary measure:

    In principle, the European Commission has certified that the USA is a safe third country. Therefore, as a precautionary measure and only in the event that consent for data transfer to the USA is obtained in exceptional cases, the following information is provided: The principles of the rule of law in the USA are not comparable with those from the European Union. In particular, the investigative authorities and intelligence services have far-reaching access rights that are not linked to the principle of proportionality that applies in the European Union. Furthermore, data subjects can only assert their rights to a limited extent.

    (6) The information above is only provided as a precaution. They only apply if and insofar as reference is made to them in the following data protection declaration.

    Disclaimer

    Despite careful control of the content, we assume no liability for the content of external links. The operators of the linked pages are solely responsible for their content.

    Further information

    (1) Automated decision-making, including profiling, does not take place.

    (2) There is only a legal obligation for processing if reference is made below to Article 6 (1) sentence 1 lit. c GDPR.

    Data processing

    Informational use:

    Presentation of the website

    The data subjects initially use the website for information purposes, i.e. they access the website without actively interacting with it. The data controller collects the following data of the data subjects, inasmuch as this is technically necessary to display the website: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its interface, language and version of the browser software. The purpose is to display the website. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, whereby the legitimate interest arises from the aforementioned purpose.

    Deletion

    The data will be deleted at the end of the informational use. The purpose is the fulfillment of a legal obligation (Article 5 paragraph 1 lit. a, e GDPR). The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR.

    Active use

    Communication via AI chatbot:

    It is possible for data subjects to make entries that are processed using an application that imitates human abilities such as logical thinking, learning, planning or creativity. In this case, the input data is collected via input fields and other forms of interaction and transmitted via an interface to an external application that collects this data and processes it using artificial intelligence in such a way that it interacts with the data subjects. Specifically, the data controller on this website gives those affected the opportunity to communicate with it via a chatbot. The chatbot is used to facilitate interaction with data subjects and to answer their inquries automatically and efficiently. It is used to improve customer service and process inquiries in real time. This involves gaining insights from the interaction that train the AI system on the one hand and are available to both the person responsible and the operator of the AI system on the other. The following data is processed: Input data, findings from the input, IP address, time period of the request. Insofar as the communication is aimed at the establishment, execution or termination of contracts, the processing is based on Article 6 paragraph 1 sentence 1 lit. b GDPR and in all other cases on Article 6 paragraph 1 sentence 1 lit. f GDPR, whereby the legitimate interest follows from the aforementioned purpose.

    Advertising by e-mail:

    The controller processes the e-mail address and the name of the data subjects in order to send them useful information by e-mail at regular or irregular intervals. It also stores the information that a contractual relationship exists or existed between them and the controller in order to be able to prove the legitimate interest. The legitimate interest here follows from the fact that a contractual relationship exists between the data subjects and the controller, in the context of which the advertising approach by email is part of the usual expectations of the data subjects. This is supported by recital 47, sentence 7, where the following data is processed: (1) e-mail address, (2) name and (3) the status data for the contractual relationship.

    Special note on the right to object:

    Data subjects can object to the use of their data for this purpose at any time, for example by sending an informal message to the controller (data subjects can find the contact channels at the beginning of this statement and in the legal notice). In particular, data subjects can object without incurring any costs other than the transmission costs according to the basic rates. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose and Recital 47 GDPR.

    Defense against claims:

    If the data subjects assert claims of any kind against the controller, the data will be processed as follows:

    1. The controller receives the request and stores all associated data.
    2. The controller uses this data to examine the request. If necessary, it will seek external legal advice.
    3. If the request is justified, it will use the data to comply with the request. Otherwise, it uses the data to inform the data subjects.
    4. The controller shall retain the data resulting from the processing referred to in points 1 to 3 for three years, starting on December 31 of the calendar year in which step 3 took place. The legitimate interest in points 1 to 3 follows from the interest of the data subject that the claims are processed and from the interest of the controller to avoid claims and sanctions. The legitimate interest in point 4 arises from the controller’s need to be able to defend itself later against civil law claims and accusations under fine and criminal law. This interest in storage under point 4 ends with the expiry of the limitation period pursuant to Sections 193, 195 BGB. The following data is processed: name, contact details and communication content. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose.

    Webhosting:

    The controller uses an external web host that displays the website and processes the data technically required for this. It processes the following data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software. The purpose is to display the website. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, whereby the legitimate interest follows from the purpose mentioned above.

    Cookie Consent:

    The controller gives data subjects the choice of whether they consent to the use of cookies and uses a cookie consent tool for this purpose. It processes the following data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its interface, language and version of the browser software, consent status, date of consent. Purpose is the fulfillment of a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR. Article 7 paragraph 1 GDPR.

    Form:

    The controller provides a form tool on the website. This is used for communication between the data subject and the controller, whereby the data subject’s entries are documented and transmitted to the controller. The following data is processed: Data on the content, manner and scope of the entries in the respective form. The purpose is the initiation and/or execution of contracts. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

    Recruiting:

    Data subjects can apply for employment on this website via a recruiting area and/or another contact channel. The controller receives this data and processes it in order to prepare a pre-selection and, if necessary, a job interview and/or trial working day or to communicate for other purposes relevant to the application. In doing so, the controller may

    1. access an internal area and view the application data (including the application documents and the date of receipt of the application).

    There is then the possibility that he

    1. Make notes that are linked to the application data,
    2. Communicate internally about the applications (if necessary with the relevant departments),
    3. document the decision on the further processing of the application,
    4. carry out and document the invitation to one or more job interviews,
    5. carry out and document the invitation to one or more trial working days,
    6. submit the employment contract document,
    7. transmit and document a rejection,
    8. Carry out onboarding measures.

    The following data is processed: all data from the application and other communication content between the data subject and the controller. The purpose is to initiate an employment relationship. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

    Automation in contract-related communication

    As part of the establishment, performance and/or termination of contracts, the controller has automated parts of the communication with the data subjects. In doing so, it processes all communication data of the data subjects that trigger automatic responses from the controller, such as the delivery of a product or service. In this respect, it controls

    1. the collection of personal data at the initiation of the respective contract,
    2. the communication required for the establishment, performance and/or termination of the contract (in particular by e-mail) with the data subjects and
    3. the delivery of the products and/or services.

    The following data is processed: (1) all contact and order data entered by the data subject, (2) payment data if applicable, (3) data on delivery and (4) data on the assertion of rights of the data subject and the reaction of the data controller. The purpose is the initiation and/or execution of contracts. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

    Analysis of user behavior

    Cookies are used to analyze the user behavior of data subjects on this website. These are text files that are stored on the data subject’s computer and enable the use of the website to be analyzed. The information on user behavior is used to generate reports on activities and interactions. The controller uses this data to regularly improve the user experience on the website. It can also use the statistics obtained to improve its offering in order to direct the interest of data subjects more specifically to products and services that are suitable for them. Further details can be found below in the information on third-party providers. The following data is processed: cookie-based data on interactions (in particular the sequence of interactions, length of stay). Further details can be found below in the information on third-party providers. The purpose is to optimize this website and to improve the advertising approach to data subjects. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

    Social media / networks

    The controller uses social media and social networks. It has no influence on the data collected and data processing operations, nor is it fully aware of the full scope of data collection, the purposes of processing, the storage periods and the circumstances of the deletion of personal data. If the data subjects visit the company and product pages of those responsible in the social media or advertisements (so-called ads), it is possible that the providers of the social media and networks store the data collected about them as user profiles and use them for the purposes of advertising, market research and/or demand-oriented design of their websites. Further details can be found below in the information on third-party providers. The following applies to responsibility with regard to this data processing: Insofar as the controller analyzes visitor interactions with its company page, both the controller and the respective third-party provider of the social network or medium are jointly responsible under data protection law; this in accordance with Article 26 GDPR. In all other cases, the respective third-party provider of the social network or medium is commissioned in accordance with Article 28 GDPR. The following data is processed: cookie- or pixel-based data on interactions with the website and the company and/or product pages of the controller, e-mail address, name and communication data, if applicable. Further details can be found below in the information on third-party providers. The purpose is to present the controller. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

    Video playback

    Plugins from a video portal are integrated on the website. Each time a page that offers one or more video clips is accessed, a direct connection is established between the data subject’s browser and a server of the video portal. Further details can be found below in the information on third-party providers. The following data is processed: cookie-based data that transports the following information: (1) information that the data subject has visited this website (including the specific subpage, if applicable), (2) information that a specific video has been clicked on. Further details can be found below in the information on third-party providers. The purpose is the presentation of videos, the optimization of this website and the improved advertising approach to the data subjects. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

    After the end of active use:

    After the end of active use, the data will be stored until the end of their respective retention periods and then deleted. The purpose of the deletion is the fulfillment of a legal obligation within the meaning of Article 5 paragraph 1 lit. a, e GDPR. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR.

    The following retention periods apply:

    1. Data from books and records, inventories, annual financial statements, management reports, opening balance sheets, organizational documents, accounting vouchers and documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code shall be retained for ten years. All other data relevant to the taxation of those responsible shall be retained for six years. The respective period begins in the year in which the document was created. The purpose is to fulfill a retention obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with. § SECTION 147 AO.
    2. If the processing of the data is based on consent, the data processed on the basis of the consent will be stored until the consent is withdrawn or until the purpose associated with its processing expires. The purpose is stated in the respective declaration of consent. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.
    3. Data that proves the granting of consent is stored for three years, whereby this period begins on December 31 of the calendar year in which either the consent is revoked or the data is deleted for other reasons. The purpose is to fulfill a retention obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR. Article 7 paragraph 1 GDPR. The period is determined by the limitation periods under administrative offense law pursuant to Section 31 (2) (1) OWiG in conjunction with Article 83 (4) and (5) GDPR.
    4. Data that arise when the data subjects assert data protection claims against the controller (see “Rights” above), will be stored for three years, starting on December 31 of the calendar year in which the controller responds. The legal basis for this is Article 6 (1) sentence 1 lit. f GDPR. The legitimate interest in the processing results from the controller’s need to be able to defend itself later against civil law claims and accusations under fine and criminal law. This interest in storage ends with the expiry of the limitation period pursuant to Sections 193, 195 BGB or Section 31 (2) (1) in conjunction with Paragraph 3 OWiG in conjunction with. Article 83 (4) and (5) GDPR.
    5. Data that arises when the data subjects assert other claims against the controller will be stored for three years, starting on December 31 of the calendar year in which the controller responds. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. f GDPR. The legitimate interest in the processing results from the controller’s need to be able to defend itself against civil law claims at a later date. This interest in storage ends with the expiry of the limitation period pursuant to Sections 193, 195 BGB.

    Processors and other outsourcing

    The following third-party providers receive personal data:

    Microsoft (Suite):

    Microsoft 365 (cloud, software):

    The cloud and office software tool Microsoft365 is used.

    Tools from Microsoft Corporation (USA) are used, which was commissioned in accordance with Article 28 GDPR.The transfer of data to a third country (in this case the USA), which cannot be ruled out, is justified in accordance with Article 45 GDPR. The following tools are used: 

    Microsoft Bookings:

    The appointment booking tool Microsoft Bookings is used.

    Microsoft Forms:

    The Microsoft Forms tool is used.

    Google (Suite):

    Tools from Google Ireland Ltd. (Ireland – EU) are used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (in this case to Google LLC in the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR. The following tools are used:

    Google Analytics:

    The analysis tool Google Analytics is used in connection with the analysis of user behavior. Please note: The IP address is shortened beforehand by the third-party provider within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a server of the third-party provider in the USA and shortened there. The IP address transmitted by the browser when using this tool is not merged with other data by the third-party provider. The tool is also used for a cross-device analysis of visitors, which is carried out via a user ID.

    Google Tagmanager:

    The central control tool Google Tag Manager is used in connection with the analysis of user behavior. This tool allows the controller to integrate various codes and services on this website in an organized and simplified manner. This tool implements the tags or triggers the integrated tags. When a tag is triggered, the third-party provider may also process personal data.

    YouTube (own channel):

    The person responsible maintains her own channel on YouTube.

    YouTube (plugin):

    A YouTube plugin is integrated on this website.

    YouTube (Recruiting):

    The person responsible presents herself as a potential employer on YouTube and also makes initial contact with potential employees there.

    YouTube (media recordings):

    If the controller has photo, film and/or sound recordings of the data subjects, it will publish these media recordings on YouTube.

    Google Ads/ Google Remarketing:

    The following should be noted in this regard: If the data subjects interact with the controller online, for example by visiting this website, they can be identified as suitable recipients of advertisements, so-called “ads”, using cookies (so-called ad server cookies). These cookies can also be used to measure and evaluate the success of a campaign. If the data subjects then visit the social medium of the local third-party provider, such as their search engine, they are recognized and shown the ads of the local controller (“remarketing”). This is done by the respective browser of the data subject automatically establishing a direct connection with the server of the local third-party provider. The “ads” are then delivered via so-called Google Ad Servers. The ad server cookies used for this purpose generally lose their validity after 30 days and are not intended to personally identify the data subjects. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. The data subjects can make tracking more difficult and prevent it, for example (a) by setting their browser software accordingly (in particular, suppressing third-party cookies means that they do not receive any ads from third-party providers) or (b) by deactivating cookies for conversion tracking by setting their browser to block cookies from the domain of the “local third-party provider”, whereby this setting is deleted when the data subjects delete the cookies. The purpose is to present those responsible, to analyze usage behavior in relation to interaction with this website and to communicate with the data subjects via the social medium presented here (possibly for advertising purposes).

    Google Fonts:

    Please note the following: Google Fonts is a directory of external fonts integrated here. IP addresses are not logged, stored or analyzed on Google servers. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. Google does not use any of the information collected by Google Fonts to create profiles of end users. Only the fonts (one year) and the associated CSS files (one tag) are stored on the end device of the data subject.

    Automation, e-mail marketing (user-defined)

    The automation tool “Mailchimp” from Intuit, Inc. (USA), which was commissioned in accordance with Article 28 GDPR, is used. A transfer of data to a third country (here to Intuit Inc., USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.

    Meta (social networks):

    Social networks of Meta Platforms Ireland Limited (Ireland – EU) are used. If the controller and the provider of the social network or medium used are jointly responsible, the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum. All information on the scope of application and distribution of responsibilities can be found there. In all other cases, the provider of the social network or medium was commissioned in accordance with Article 28 GDPR. The transfer of data to a third country (in this case to Meta Platforms Inc. USA), which cannot be ruled out, is justified for employee data in accordance with Article 46 GDPR and for all other data in accordance with Article 45 GDPR. The controller uses this social network as follows

    Facebook (company page):

    A company and/or product page is operated on Facebook.

    Facebook (plugin):

    A Facebook plugin has been implemented on the website(s) of the controller(s).

    Instagram (company page):

    A company and/or product page is operated on Instagram.

    Instagram (plugin):

    An Instagram plugin has been implemented on the website(s) of the controller(s).

    LinkedIn (social network):

    The social network “LinkedIn” of LinkedIn Ireland Unlimited Company (Ireland – EU) is used. However, it cannot be ruled out that data may be transferred to or integrated into the parent company, LinkedIn Corporation (USA).A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 46 GDPR. The controller uses this social network as follows

    LinkedIn (company page):

    A company and/or product page is operated on LinkedIn.

    LinkedIn (plugin):

    A LinkedIn plugin has been implemented on the website(s) of the controller(s).

    rexx systems:

    The HR, recruiting and automation tool rexx systems from rexx systems GmbH (Germany – EU) is used.

    noris network:

    The IT support, maintenance and web hosting services of noris network AG (Germany – EU), which was commissioned in accordance with Article 28 GDPR, are used.

    Make.com:

    The interface tool “Make.com” from Celonis Inc (USA) is used. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.

    Fontawesome:

    In connection with the provision of an external font or icons, the “Fontawesome” directory of Fonticons, Inc (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here USA) that cannot be ruled out is justified for employee data in accordance with Article 46 GDPR.

    Twilio:

    The automation and telecommunications tool “Twilio” from Twilio Ireland Limited (EU-Ireland), which was commissioned in accordance with Article 28 GDPR, is used. The transfer of data to a third country (in this case to Twilio Inc., USA), which cannot be ruled out, is justified in accordance with Article 45 GDPR.

    Fluent Forms:

    The Fluent Forms plugin is used in connection with the provision of a contact form. The personal data collected, such as your name, your e-mail address and your message, are used exclusively for the purpose of processing and responding to your inquiry. This data is stored on the servers of our hosting provider.

    Fluent Forms has been commissioned as a processor in accordance with Article 28 GDPR. Any transfer of data to a third country that cannot be ruled out is justified by appropriate guarantees in accordance with Article 46 GDPR.

    The processing takes place on the basis of your consent, which you give by submitting the form.

    We take appropriate security measures to protect your data.

    Use of artificial intelligence

    AI-supported telephone communication:

    As part of our telephone customer service, it is possible for callers to communicate via an automated telephone system that uses artificial intelligence to efficiently pass on information and process inquiries. The input data is collected via a voice-based interaction and transmitted via an interface to an external application that collects this data and processes it using artificial intelligence to interact with the person concerned. Specifically, the data controller gives the data subject the option of communicating with them on the phone via a voice-based assistant.

    The telephone number, date and time of the call as well as the content are recorded and processed in summarized and transcribed form. Calls can also be recorded for training and quality purposes. This information is forwarded to the relevant specialist departments in order to process inquiries and call-back requests. The use of AI technology helps to minimize waiting times on the phone and optimize customer service.

    The processing of the aforementioned data is based on Article 6 (1) sentence 1 lit. b GDPR, insofar as the communication is aimed at the establishment, execution or termination of contracts. In all other cases, processing is based on Article 6(1) sentence 1(f) GDPR, whereby the legitimate interest follows from the aforementioned purpose.

    AI-supported e-mail communication:

    As part of our customer service, emails may be processed by an automated system that uses artificial intelligence to efficiently pass on information and process inquiries. Here, the input data from the emails is collected and transmitted via an interface to an external application, which processes this data using artificial intelligence in such a way that it interacts with the data subjects.

    The content of the e-mails is analyzed and processed in summarized form in order to answer queries quickly and precisely. E-mails can also be saved for training and quality purposes.

    The use of AI technology serves to improve and efficiently carry out email support by processing requests semi-automatically and efficiently. This helps to minimize processing times and optimize customer service.

    The processing of the aforementioned data is based on Article 6 (1) sentence 1 lit. b GDPR, insofar as the communication is aimed at the establishment, execution or termination of contracts. In all other cases, processing is based on Article 6(1) sentence 1(f) GDPR, whereby the legitimate interest follows from the aforementioned purpose.

    Open AI:

    In connection with the use of artificial intelligence, the API tool “OpenAI APO” from OpenAI, LLC (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.

    Vapi AI:

    In connection with telephone automation, the “VAPI AI” tool from Superpowered Labs Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.

    Glossary

    A glossary follows. Not all matters explained in the glossary necessarily play a role in the data processing procedures described here. They only serve the purpose of general understanding and thus transparency.

    Topic: Basic terms

    Personal data: This is all information that directly or indirectly allows conclusions to be drawn about natural persons, i.e. human beings.

    Processing of personal data: Any active or passive handling of personal data, from collection to core processing to deletion.

    Consent: This is a verifiable declaration of intent that is voluntarily given prior to the processing of personal data and that permits specific processing of the personal data of the declaring data subject.

    Topic: Social media

    Company and/or product page: This formulation means that the controller maintains a company or product page on a social medium, which is also linked on the website. If the data subjects click on this link (i.e. the link to the company or product page), they will be taken to the controller’s profile.

    Plugin: This formulation means that the controller has integrated a plugin from a third-party provider of a social network or medium on the website. If the data subject clicks on this plugin, they will be taken to the profile of the controller. The controller uses the so-called two-click solution. This means that after the click, no personal data is initially passed on to the respective third-party provider of the plug-in. The third-party provider can be recognized by the design of the plugin (e.g. by the logo). The controller enables data subjects to communicate directly with the third-party provider of the plug-in via the button. Only if they click on the marked field and thereby activate it does the third-party provider receive the information that the data subject has accessed this website. Only then will the data be transmitted. By activating the plug-in, personal data of the data subjects is therefore transmitted to the respective third-party provider. This data transfer takes place regardless of whether the data subjects have an account with the respective third-party provider and are logged in there. If they are logged in to the third-party provider, the data collected by the controller here will be assigned directly to the account that the data subjects have with the respective third-party provider.

    Ads: This formulation means that the controller uses so-called “ads” in a social medium. With the help of the “ads”, the controller can draw attention to its offers within the respective social network or medium. It can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. This is in the interest of displaying ads to data subjects that are of interest to them, making this website more interesting for them and calculating advertising costs fairly. These ads are delivered by the respective third-party provider. If the data subjects access the website of the data controller via “ads” presented to them by the respective third-party provider, a cookie is stored on the data subject’s computer. As a rule, these cookies are not intended to identify the data subjects personally.

    Pixel: This wording means that the controller uses so-called pixels. This is an analysis tool with which the controller can measure the effectiveness of advertising. It is generally used to understand and track the actions of people on a website. The controller has implemented the pixel on its website by placing the pixel code in the header. If the data subject then visits the website and performs an action (e.g. completes a purchase), the pixel is triggered and the action is reported. In this way, the controller learns when the data subject takes an action and can evaluate this.

    Upload to the Custom Audience: This formulation means that the controller uploads the data of the data subject (usually the email address) to a third-party provider of a social network or medium; naturally only after consent has been granted. This allows the data controller to display interest-based advertisements (“ads”) to the data subject when they visit a social network or medium. This is done as follows: It uploads the contact details (usually the email address) to the respective third-party provider. The third-party provider then checks whether the data subjects are registered with them using this contact data. If not, the contact details are not entered into the custom audience (a type of database that the controller maintains with the respective third-party provider). If the answer is yes, the data will be entered into the controller’s Custom Audience. If the data subjects then visit the social network or medium provided by the respective third-party provider, the controller here has the opportunity to show the data subjects advertising that is of interest to them.

    Publication of media recordings: This formulation means that the controller uploads media recordings of the data subject (photo, sound and/or film recordings) to the respective social medium or network and publishes them there.

    Topic: Video embeddings

    Plugin: This term means that plugins of a video portal are integrated on the website of the controller. Each time a page offering one or more video clips is accessed, a direct connection is established between the data subject’s browser and a server of the respective third-party provider. The respective third-party provider stores the data of the data subjects as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for data subjects who are not logged in) to provide needs-based advertising and to inform other users about the activities of the data subjects on the website of the controller. Data subjects have the right to object to the creation of these user profiles, whereby they must contact the respective third-party provider to exercise this right. Further information on the purpose and scope of data collection and its processing by the respective third-party provider can be found in the privacy policy.   

    Own channel: This designation means that the person responsible offers their own channel on the video portal. 

    Publication of media recordings: This formulation means that the controller uploads media recordings of the data subjects (photo, sound and/or film recordings) to the respective video portal and publishes them there.