Privacy: Data protection declaration
This data protection declaration provides you with clarification concerning the scope and purpose of the processing of personal data ("data" in the following) within our online offering and the related websites, functions, and content, as well as external online presences, such as our social media profile. (Designated collectively as "online offering" in the following). With regard to the terminology used, such as "personal data" or its "processing," we refer to the definitions in Art. 4 of the German Data Protection Regulation (GDPR).
Name/company: SKC Beratungsgesellschaft mbH
Street address: Pelikanplatz 21
Postal code, city, country: 30177 Hannover, Germany
Commercial Register No.: District Court of Hannover Comm. Reg. B 206524
Managing directors: Dipl.-Kauffrau Heike Kielhorn-Schönermark, Prof. Matthias P. Schönermark, M.D., Ph.D.
Telephone number: +49 511 64 68 14 – 0
E-mail address: firstname.lastname@example.org
Data protection officer:
Name: Andreas Wellmann
E-mail address: email@example.com
Types of data processed:
- Inventory data
- Contact data
- Applicant data
- Content data
- Usage data
- Meta/communication data
Processing of special categories of data (Art. 9, Par. 1, GDPR):
- No special categories of data are principally processed, unless these are added provided for processing by the user, e.g. in online forms or with direct e-mail transmission.
Categories of persons affected by processing:
- Clients / interested parties / suppliers.
- Visitors to and users of the online offering.
In the following, we also designate affected persons collectively as "users."
Purpose of processing:
- Making available of the online offering, its content, and functions.
- Responding to contact inquiries and communication with users.
- Acquisition of new employees/transmission of application documents
- Marketing, advertising, and market research.
Status: February 1, 2019
1. Relevant legal bases
In accordance with Art. 13, GDPR, we hereby inform you of the legal bases of our data processing. The following applies when the legal basis is not stipulated in the data protection declaration: The legal basis for the obtaining of consent is Art. 6, Par. 1 lit. a and Art. 7, GDPR. The legal basis for processing in order to provide our services and implement contractual measures is Art. 6, Par. 1 lit. b, GDPR. The legal basis for processing in order to fulfill our legal obligations is Art. 6, Par. 1 lit. c, GDPR, and the legal basis for processing in order to safeguard our justifiable interests is Art. 6, Pat. 1 lit. f, GDPR. In the event that the existential interests of the affected person or another natural person make the processing of personal data necessary, Art. 6, Par. 1 lit. d, GDPR serves as the legal basis.
2. Amendments and updates of the data protection declaration
We ask you to inform yourself regularly concerning the content of our data protection declaration. We adapt the data protection declaration as soon as changes to data processing we implement make this necessary. We shall inform you as soon as a need for cooperation on your part (e.g. consent) or any other individual notification is made necessary by these changes.
3. Security measures
- We undertake suitable technical and organizational measures to ensure a level of protection suited to the risk in accordance with Art. 32 GDPR, taking the state of technology, the costs of implementation, and the type, scope, circumstances, and purposes of processing, as well as the various probabilities of occurrence and seriousness of the risk for the rights and freedoms of natural persons into account. These measures particularly include the ensuring of the confidentiality, integrity, and availability of data through control of physical access to the data, as well as of the access, input, forwarding, securing of availability, and the separation of said data. We have also established procedures that ensure the exercising of data subject rights, the deletion of data, and the reaction to the endangering of data. We also already take the protection of personal data into account for the development or selection of hardware and software, as well as of processes pursuant to the principle of data protection through the design of technology and through data protection-friendly pre-settings (Art. 25, GDPR).
- The security measures particularly include the encoded transfer of data between your browser and our server.
4. Cooperation with order processors and third parties
- When we disclose data to other persons and companies (order processors or third parties) in the context of our processing, transfer data to them, or otherwise allow them access to the data, this takes place exclusively on the basis of legal consent (e.g. when transfer of the data to third parties, for example, to payment service providers, pursuant to Art. 6, Par. 1 lit. b, GDPR is necessary for contractual fulfillment), you have provided your consent, a legal obligation calls for this, or on the basis of our justified interests (e.g. when deploying representatives, web hosters, etc.).
- When we commission third parties with the processing of data on the basis of a so-called "order processing agreement," this takes place pursuant to Art. 28, GDPR.
5. Transmissions to third countries
When we process data in a third country (meaning outside of the European Union (EU) or the European Economic Area (EEA)), or when this takes place in the context of the utilization of the services of third parties or the disclosure or transmission of data to third parties, this only takes place when it is necessary for the fulfillment of our (pre)contractual duties, takes place with your consent, on the basis of a legal obligation, or on the basis of our justified interests. Subject to legal or contractual consent, we only process or allow the data to be processed in a third country when the special prerequisites of Art. 44 ff., GDPR apply. This means that the processing takes place, for example, on the basis of special guarantees, such as the officially recognized observation of one of the data protection levels corresponding with those of the EU (e.g. for the USA through the "Privacy Shield") or the observation of officially recognized, special contractual obligations (so-called "standard contract clauses").
6. Rights of affected persons
- You have the right to demand a confirmation of whether the relevant data will be processed and to information concerning this data, as well as to other information and a copy of the data in accordance with Art. 15, GDPR.
- In accordance with Art. 16, GDPR, you have the right to demand the completion of the data referring to you or the correction of incorrect data referring to you.
- In accordance with Art. 17, GDPR, you have the right to demand that data concerning you be deleted without delay or to demand a limitation of the processing of the data in accordance with Art. 18, GDPR.
- You have the right to demand the right to receive the data referring to you, which you provided to us in accordance with Art. 20, GDPR, or to have it be transferred to other responsible persons.
- You also have the right in accordance with Art. 77, GDPR to submit a complaint to the responsible regulatory authority.
7. Right of withdrawal
You have the right to withdraw provided consent, taking effect for the future, in accordance with Art. 7, Par. 3 GDPR.
8. Right of objection
You can object to the future processing of data referring to you in accordance with Art. 21, GDPR at any time. The objection can take place in particular with reference to processing for purposes of direct advertising.
9. Cookies and right of objection for direct advertising
A general objection to the use of the cookies used for purposes of online marketing can be declared for a number of services, especially in the case of tracking, by way of the US page http://www.aboutads.info/choices/ or the EU side http://www.youronlinechoices.com/. The saving of cookies can also be prevented by switching them off in the settings of the browser. Please note that you may then not be able to use all functions of this online offering.
10. Deletion of data
- The data we process is deleted or the processing is limited in accordance with Art. 17 and 18, GDPR. When not expressly indicated in the context of this data protection declaration, the data we store is deleted as soon as as it is no longer required for its intended purpose, and no legal obligation to preserve records stands in the way of this. When the data is not deleted because it is required for other and legally permitted purposes, its processing is limited. This means that the data is locked and is not processed for other purposes. This applies, for example, to data that must be preserved for reasons of commercial or taxation law.
- According to legal specifications, storage takes place in particular for 6 years pursuant to § 257, Par. 1, German Commercial Code (HGB) (account books, inventories, opening balance sheets, annual reports, business letters, booking receipts, etc.), as well as for 10 years pursuant to § 147, Par. 1 German Fiscal Code (AO) (books, records, progress reports, booking receipts, business letters, documents relevant for taxation, etc.).
11. Establishing contact and applications
- When establishing contact with us (with the contact form or e-mail), the information provided by the user will be used to process the contact inquiry and its handling in accordance with Art. 6, Par. 1 lit. b) GDPR.
- The information provided by users can be saved in our Customer Relationship Management System ("CRM System") or a comparable inquiry organization system.
- We delete the inquiries when these are no longer required. In the event of legal archiving obligations, deletion takes place following their expiration (obligation to preserve records in accordance with commercial (6 years) and taxation law (10 years)).
- Applications are filed centrally on our platform. There, only the business management and the persons responsible for the position to actually be filled have access. The data are deleted on the platform and in the local recipient mailbox of the e-mail program after rejection; printouts are destroyed. In case of recruitment, the data will be transferred to our server.
12. Collection of access data and log files
- We collect data concerning each access to our server, on which this service is found (so-called server log files) on the basis of our justified interests as defined by Art. 6, Par. 1 lit. f., GDPR. The access data includes the name of the called up website, file, date, and time of day of the accessing, the transferred amount of volume, notification of successful accessing, browser type and version, the operating system of the user, referrer URL (the previously visited page), IP address and the inquiring provider.
- Log file information is saved for security reasons (e.g. for the clarification of cases of misuse or fraud) for the duration of the last complete calender year and subsequently anonymized. Data that must be preserved longer for purposes of proof are excepted from deletion until the final clarification of the respective incident.
13. Online presences in social media
- We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties, and users active there and to be able to inform them of our services there.
- We point out that data of users can be processed outside of the territory of the European Union. This can result in risks for users, because this can make it, for example, more difficult to assert the rights of users. With regard to US providers that are certified under the Privacy Shield, we point out that they pledge to observe the data protection standards of the EU.
- The data of users are also processed for market research and advertising purposes as a rule. Thus, for example, usage profiles can be created from the usage behavior and the resulting interests of users. The usage profiles can in turn be used to, for example, place advertisements within and outside of the platforms that allegedly correspond to the interests of users. For these purposes, cookies are generally saved on the computers of users, in which the usage behavior and the interests of the users are saved. Data independent of the devices used by the users can also be saved in the usage profiles (especially when the users are members of the respective platforms and are logged in at these).
- Processing of the personal data of users takes place on the basis of our justified interests in our ability to effectively inform and communicate with users pursuant to Art. 6, Par. 1 lit. f. GDPR. In the event that users are asked for consent to data processing by the respective providers (meaning declaring their consent, for example, by checking a check box or confirming with a button), the legal basis for processing is Art. 6, Par. 1 lit. a., Art. 7, GDPR.
- We refer to the following linked information of the providers for a detailed representation of the respective processing and possibilities for withdrawing consent (opt-out).
- Also in the case of queries for information and the assertion of user rights, we point out that these can be asserted most effectively with the providers themselves. Only the providers have access to the data of users and can directly undertake appropriate measures and provide information. You can nonetheless contact us if you require help.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Data protection declaration: https://www.facebook.com/about/privacy/, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Data protection declaration: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Data protection declaration/ opt-out: http://instagram.com/about/legal/privacy/.
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Data protection declaration: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
- Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – Data protection declaration/ opt-out: https://about.pinterest.com/de/privacy-policy.
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) - Data protection declaration https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.
- Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) - Data protection declaration/ opt-out: https://privacy.xing.com/de/datenschutzerklaerung.
14. Cookies & reach measurement
- Cookies are information that is transmitted from our web server or the web servers of third parties to the web browsers of users and saved there for subsequent accessing. Cookies can involve small files or other types of information storage.
- We use "session cookies" that are only filed for the duration of the current visit to our online presence (e.g. in order to enable the storage of your login status or the shopping cart function, and thus the usage of our online offering). A randomly generated, dedicated identification number is stored in a session cookie, a so-called session ID. A cookie also contains information concerning the origin and the duration of storage. These cookies can not save any other data. Session cookies are deleted when you have finished using our online offering and, for example, log out or close the browser.
- If users don't wish for cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can result in functional limitations to this online offering.
15. Reach analysis with Matomo (formerly PIWIK)
- The following data is collected and saved in the context of Matomo: the browser type and version you are using, the operating system you are using, your country of origin, date and time of day of the server query, the number of visits, the dwell time at the website, as well as the external links you have clicked. The IP addresses of users are anonymized before they are saved.
- Users can object to anonymized gathering of data by the Matomo program at any time taking effect for the future by clicking on the link below. In this case, a so-called opt-out cookie is saved in your browser, which means that Matomo no longer collects session data of any kind. When users delete their cookies, however, this has the consequence that the opt-out cookie is also deleted and therefore needs to be reactivated by the user.
16. HubSpot CRM
We use HubSpot CRM on this website. The provider is HubSpot Inc. 25 Street, Cambridge, MA 02141 USA (hereinafter HubSpot CRM). HubSpot CRM allows us, among other things, to manage existing and potential customers as well as customer contacts. Using HubSpot CRM, we are able to capture, sort and analyze customer interactions via email, social media or telephone across different channels. The personal data collected in this way can be evaluated and used for communication with potential customers or for marketing measures (e.g. newsletter mailings).
With HubSpot CRM we are also able to record and analyze the user behavior of our contacts on our website.
The use of HubSpot CRM is based on Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in customer administration and customer communication being as efficient as possible. If appropriate consent has been requested, processing is carried out exclusively on the basis of Art. 6 Para. 1 lit . B. Device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.
Data transfer to the USA is based on the EU Commission's standard contractual clauses.
Details can be found here: https://www.hubspot.de/data-privacy/privacy-shield.
- With the following notes we inform you about the content of our newsletter, as well as the login, shipping, and statistical evaluation processes, as well as about your right to object. By subscribing to our newsletter, you declare your consent to the reception and the described procedure.
- Content of the newsletter: We only send newsletters, e-mails, and other electronic notifications with advertising information ("newsletter" in the following) with the consent of recipients or with legal permission. When the contents of the newsletter are outlined in concrete terms in the context of registration for the newsletter, this is decisive for the consent of users. Our newsletters also contain information on our products, offerings, promotions, and our company.
- Double opt-in and protocoling: Registration for our newsletter takes place in a so-called double opt-in procedure. This means, following registration you will receive an e-mail, in which you are asked to confirm your registration. This confirmation is necessary in order that no one can register with someone else's e-mail addresses. Registrations for the newsletter are protocoled in order to be able to verify the registration process in accordance with legal requirements. This includes the saving of the point in time of registration and confirmation, as well as the IP address. Changes to your data saved with the sending service provider are also protocoled.
- Registration data: In order to register for the newsletter, it is sufficient to provide your e-mail address. We also offer you the opportunity to provide a form of address, a title, and a last name for purposes of personal address in the newsletter.
- Measurement of success: The newsletters contain a so-called "web beacon," meaning a pixel-sized file that is called up from the server of the sending service provider when you open the newsletter. In the context of this accessing, technical information, such as information concerning the browser and your system, as well as your IP address and the point in time of the accessing is initially gathered. This information is used for the technical improvement of the services on the basis of the technical data or the target groups and their reading behavior on the basis of the accessing locations (which can be determined with the help of the IP address) or the access times. The statistical gathering also includes the determination of whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can in fact be assigned to individual newsletter recipients. However, it is not our intention to monitor individual users. Instead, the analyses serve the purpose of recognizing the reading habits of our users as a whole and of adapting our content to them or sending different content in accordance with the interests of our users.
The "LOOK//one MailMonitor" tool is used to this purpose in the context of local hosting.
- The sending of the newsletter and the measurement of success take place on the basis of the consent of recipients pursuant to Art. 6, Par. 1 lit. a, Art. 7, GDPR in connection with § 7, Par. 2, No. 3 Unfair Competition Act (UWG) or on the basis of legal consent pursuant to § 7, Par. 3 Unfair Competition Act (UWG).
- The protocoling of the registration procedure takes place on the basis of our justified interests pursuant to Art. 6, Par. 1 lit. f GDPR, and serves the purpose of verifying consent to receiving the newsletter.
- Termination/withdrawal: You can terminate the receipt of our newsletter at any time, meaning withdraw your consent. You will find a link for terminating the newsletter at the end of each newsletter. When users have only registered for the newsletter and have terminated this registration, their personal data is deleted.
18. Incorporation of the services and content of third parties
- We utilize the content or service offerings of third party providers within our online offering on the basis of our justified interests (meaning an interest in the analysis, optimization, and economical operation of our online offering as defined by Art. 6, Par. 1 lit. f. GDPR) in order to incorporate their content and services, such as videos or fonts (designated consistently in the following as "content"). This always presupposes that the third party providers of this content recognize the IP address of the users, as they wouldn't be able to send the content to their browser without the IP address. The IP address is thus necessary for the presentation of this content. We endeavor to only use content from providers who use the IP address exclusively for the delivery of the content. Third party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. By way of the "pixel tags," information such as that concerning visitor traffic to the pages of this website can be analyzed. The anonymous information can also be saved in cookies on the device of users and contain, among other things, technical information concerning the browser and operating system, referring websites, and visit time, as well as other information concerning the usage of our online offering, and can also be combined with such information from other sources.
- The following representation provides an overview of third party providers and their content, as well as links to their data protection declarations, containing further instructions concerning the processing of data and, in some cases already named here, possibilities for objection (so-called opt-out):
- External fonts from MyFonts Inc/Monotype, https://www.myfonts.com. The incorporation of MyFonts fonts takes place by way of server accessing under hello.myfonts.com (generally in the USA). Data protection declaration: https://www.adobe.com/de/privacy/policies/typekit.html.
- Maps of the "Google Maps" service of the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Sate protection declaration: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
- Videos of the "YouTube" platform of the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated. When embedding videos through YouTube, cookies are automatically set and tracking via Google's server googleads.g.doubleclick.net activated. This takes place because YouTube videos can also contain advertising elements, for which this external data is necessary. More information here: https://www.doubleclickbygoogle.com