Data Protection

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are gender-neutral.
Last updated: April 6, 2022

Controller:
Hubert Langrock
Zum Güterbahnhof 20
99085 Erfurt, Germany

Email address: info@kalifstorch.com
Imprint: www.kalifstorch.com/impressum

Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or ours. If, in individual cases, more specific legal bases are relevant, we will inform you of these within this privacy policy.

Processing of personal data based on the data subject’s consent for one or more specific purposes.

The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

The processing is necessary for compliance with a legal obligation to which the controller is subject.

The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

If, within the framework of the application process, special categories of personal data within the meaning of Article 9(1) GDPR (e.g., health data such as disability status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise their rights and fulfill their obligations arising from labor law and social security and social protection law, their processing takes place pursuant to Article 9(2)(b) GDPR. In cases of protecting the vital interests of the applicants or other persons, processing is based on Article 9(2)(c) GDPR, or for purposes of preventive or occupational medicine, assessing the ability to work of the employee, medical diagnosis, health or social care or treatment, or management of health or social care systems and services according to Article 9(2)(h) GDPR. If special categories of data are voluntarily disclosed based on consent, processing is carried out under Article 9(2)(a) GDPR.

In addition to the data protection regulations of the GDPR, national data protection laws in Germany also apply. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains special provisions regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling. Furthermore, it regulates data processing for purposes related to employment relationships (§ 26 BDSG), especially regarding the establishment, execution, or termination of employment relationships, as well as employee consent. Additionally, state data protection laws of individual federal states may apply.

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood of occurrence and extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures particularly include securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access related to it, input, transmission, availability assurance, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data endangerment. In addition, we take the protection of personal data into account already during the development or selection of hardware, software, and procedures according to the principle of data protection by design and by default.

SSL encryption (https): To protect the data you transmit via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in your browser's address bar.

Data processing in third countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing occurs in connection with the use of services from third parties or the disclosure or transfer of data to other persons, authorities, or companies, this is done only in compliance with legal requirements.
Subject to explicit consent or contractually or legally required transfers, we process or have the data processed only in third countries with an adequate level of data protection, contractual obligations through so-called standard contractual clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

The data we process will be deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked or other permissions no longer apply (e.g., when the purpose of processing the data no longer exists or the data is no longer necessary for that purpose).

If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. That means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or protecting the rights of another natural or legal person.

Within our privacy notices, we may provide users with additional information about the deletion and retention of data that specifically applies to the respective processing procedures.

Cookies are small text files or other storage markers that store information on end devices and read information from the end devices. For example, to save the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or functions used in an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services as well as creating analyses of visitor traffic.

Notes on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless this is not legally required. Consent is particularly not necessary when storing and reading information, including cookies, is absolutely necessary to provide users with a telemedia service explicitly requested by them (i.e., our online offering). The revocable consent is clearly communicated to users and contains information about the respective cookie usage.

Notes on legal bases for data protection: The legal basis on which we process users' personal data with the help of cookies depends on whether we request consent from users. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g., in the economic operation of our online offering and the improvement of its usability) or, if this occurs in the context of fulfilling our contractual obligations, when the use of cookies is necessary to fulfill our contractual obligations. We clarify for what purposes the cookies are processed by us in the course of this privacy policy or within the scope of our consent and processing procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:
Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, data collected with the help of cookies can be used for reach measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., during consent collection), users should assume that cookies are permanent and the storage duration can be up to two years.

General notes on revocation and objection (opt-out): Users can revoke their given consent at any time and also lodge an objection to the processing in accordance with the legal requirements in Art. 21 GDPR (further information on objections is provided within this privacy policy). Users can also express their objection via their browser settings.

Processing of Cookie Data Based on Consent:
We use a cookie consent management procedure, through which users’ consents to the use of cookies and to the processing and providers named within the cookie consent management procedure are obtained, managed, and can be revoked by users. The consent declaration is stored to avoid having to ask again and to be able to prove the consent in accordance with legal requirements. This storage can take place server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to assign the consent to a user or their device.

Subject to individual information about the providers of cookie management services, the following applies: The duration of consent storage can be up to two years. A pseudonymous user identifier is created and stored along with the time of consent, details about the scope of the consent (e.g., which categories of cookies and/or service providers), as well as information about the browser, system, and device used.

We process data of our contractual and business partners, such as customers and prospects (collectively referred to as "contractual partners"), within the scope of contractual and comparable legal relationships as well as related measures and communication with the contractual partners (including pre-contractual communication), for example, to respond to inquiries.

We process this data to fulfill our contractual obligations. This particularly includes obligations to provide agreed services, any update duties, and remedies for warranty and other service disruptions. Furthermore, we process the data to protect our rights and for administrative tasks related to these obligations as well as for business organization purposes. In addition, we process the data based on our legitimate interests in proper and economically sound business management, as well as security measures to protect our contractual partners and business operations from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Under applicable law, we only share contractual partner data with third parties to the extent necessary for the aforementioned purposes or to comply with legal obligations. Contractual partners are informed about other forms of processing, e.g., for marketing purposes, within this privacy policy.

We inform contractual partners before or during data collection about which data is necessary for the above purposes, e.g., via online forms, special markings (such as colors), symbols (e.g., asterisks), or personally.

We delete data after the expiration of statutory warranty and comparable obligations, generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal reasons such as tax purposes (typically 10 years). Data disclosed to us within the scope of an order by the contractual partner is deleted in accordance with the order’s requirements, generally after the end of the order.

If we use third-party providers or platforms to deliver our services, the terms and privacy notices of those third-party providers or platforms apply in the relationship between the users and those providers.

We process our customers’ data to enable them to select, purchase, or order chosen products, goods, and related services, as well as to facilitate payment, delivery, or execution. If necessary for order fulfillment, we use service providers—especially postal, freight, and shipping companies—to carry out delivery or execution to our customers. For payment processing, we utilize the services of banks and payment service providers. The required information is clearly marked as such during the order or comparable purchase process and includes the details needed for delivery, provision, and billing, as well as contact information to enable any necessary communication.

We process the data of participants in the events, activities, and similar engagements offered or organized by us (hereinafter collectively referred to as "participants" and "events") in order to enable their participation in the events and the use of the services or actions associated with participation.
If we process health-related data, religious, political, or other special categories of data in this context, this is done within the scope of public knowledge (e.g., at thematically focused events or for health care, security) or with the consent of the affected individuals.

The required information is marked as such within the framework of the order, purchase, or comparable contract conclusion and includes the data needed to provide the service and for billing purposes, as well as contact details to allow any necessary follow-up communication. To the extent we gain access to information from end customers, employees, or other persons, we process this data in accordance with legal and contractual requirements.

Types of data processed: master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email addresses, phone numbers); contract data (e.g., contract subject, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).

Data subjects: customers; prospects; business and contractual partners.

Purposes of processing: provision of contractual services and customer service; security measures; handling contact inquiries and communication; office and organizational procedures; administration and response to inquiries.

Legal bases: contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); legal obligation (Art. 6(1) sentence 1 lit. c GDPR).

Use of online platforms for offering and sales purposes
We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy notices, the privacy notices of the respective platforms apply. This is particularly relevant regarding the processing of payments and the procedures used on the platforms for reach measurement and interest-based marketing.

Types of data processed: Master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email addresses, phone numbers); contract data (e.g., subject of the contract, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).
Data subjects: Customers; users (e.g., website visitors, users of online services); business and contractual partners.

Provision of contractual services and customer support; marketing; provision of our online offer and user-friendliness.
Legal bases: performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing procedures, methods, and services:
Startnext: Internet platform for project financing via crowdfunding as well as the sale of subscriptions and memberships, invoicing, and the provision of access and payment methods, in which cookies are used and IP address, date, time, and other technical data about the used internet browser, operating system, as well as user’s master, contract, and payment data are processed; service provider: Startnext GmbH, Grundstraße 1, 01326 Dresden, Germany; website: https://www.startnext.com/; privacy policy: https://www.startnext.com/info/agb/datenschutz.html.

Within the scope of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer the affected persons efficient and secure payment options and use, in addition to banks and credit institutions, other service providers for this purpose (collectively "payment service providers").
The data processed by the payment service providers include master data, such as name and address, banking data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract-, amount- and recipient-related information. The information is required to carry out the transactions. However, the entered data are only processed and stored by the payment service providers. That is, we do not receive account- or credit card-related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies. This transmission is intended for identity and creditworthiness checks. For this purpose, we refer to the terms and conditions and privacy notices of the payment service providers.
The terms and conditions and privacy notices of the respective payment service providers, which can be accessed on the respective websites or transaction applications, apply to the payment transactions. We also refer to these for further information and the assertion of revocation, information, and other data subject rights.
Types of processed data: master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., contract subject, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).
Affected persons: customers; interested parties.
Purposes of processing: provision of contractual services and customer service.
Legal bases: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, processes, and services:
Mastercard: payment services (technical connection of online payment methods); service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; website: https://www.mastercard.de/de-de.html; privacy policy: https://www.mastercard.de/de-de/datenschutz.html.
PayPal: payment services (technical connection of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; website: https://www.paypal.com/de; privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Visa: payment services (technical connection of online payment methods); service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, GB; website: https://www.visa.de; privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

In order to provide our online offer securely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed within the scope of providing the hosting service may include all information relating to the users of our online offer that arises during usage and communication. This regularly includes the IP address, which is necessary to deliver the content of online offers to browsers, and all inputs made within our online offer or on websites.
Types of processed data: content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).
Affected persons: users (e.g., website visitors, users of online services).
Purposes of processing: provision of our online offer and user-friendliness; provision of contractual services and customer service.
Legal bases: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Email sending and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders, as well as other information concerning the email transmission (e.g., the involved providers), and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent encrypted over the internet. As a rule, emails are encrypted during transmission, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the transmission path of the emails between the sender and reception on our server.

We ourselves (or our web hosting provider) collect data for every access to the server (so-called server log files). Server log files may include the address and name of the accessed websites and files, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider.
The server log files can be used for security purposes, for example, to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the server load and stability.
Data deletion: log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes are exempt from deletion until the respective incident is finally resolved.

ALL-INKL: services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacity); service provider: ALL-INKL.COM - Neue Medien Münnich, owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany; website: https://all-inkl.com/; privacy policy: https://all-inkl.com/datenschutzinformationen/; data processing agreement: concluded with provider.

We process the data of users of our application to the extent necessary to provide the users with the application and its functionalities, to monitor its security, and to further develop it. We may also contact users in compliance with legal requirements if communication is necessary for the administration or use of the application. Otherwise, we refer to the privacy notices in this privacy policy regarding the processing of users’ data.
Legal bases: The processing of data necessary to provide the functionalities of the application serves to fulfill contractual obligations. This also applies if the provision of the functions requires user authorization (e.g., permissions for device functions). If the processing of data is not necessary for the provision of the application’s functionalities but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or security reasons), it is based on our legitimate interests. If users are explicitly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on that consent.
Types of processed data: master data (e.g., names, addresses); meta-/communication data (e.g., device information, IP addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., contract subject, duration, customer category).
Affected persons: users (e.g., website visitors, users of online services).
Purposes of processing: provision of contractual services and customer service.
Legal bases: consent (Art. 6 para. 1 sentence 1 lit. a GDPR); contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Commercial use: We process the data of users of our application, registered and any trial users (hereinafter collectively referred to as "users"), in order to provide them with our contractual services and based on legitimate interests to ensure the security of our application and to further develop it. The required information is marked as such within the framework of the usage, order, purchase, or comparable contract conclusion and may include the information needed for service provision and possible billing, as well as contact information to allow for any necessary communication.
Device permissions for access to functions and data: The use of our application or its functionalities may require permissions from users to access certain functions of the devices used or to access data stored on or accessible through the devices. By default, these permissions must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the user’s device and software. Users can contact us if they need clarification. We point out that denying or revoking the respective permissions may affect the functionality of our application.
Processing of stored contacts: In the course of using our application, the contact information of persons stored in the device’s contact directory (name, email address, phone number) is processed. The use of the contact information requires permission from the users, which can be revoked at any time. The use of the contact information serves only to provide the respective functionality of our application, in accordance with its description to users and its typical and expected operation. Users are advised that permission for processing contact information must be lawful and, in particular for natural persons, requires their consent or a legal authorization.

The data of contacts stored in the device’s contact directory may be used to check whether these contacts also use our application. For this purpose, the contact data of the respective contacts (including phone numbers, email addresses, and names) are uploaded to our server and used solely for the purpose of synchronization.

The acquisition of our application takes place via special online platforms operated by other service providers (so-called "app stores"). In this context, in addition to our privacy notices, the privacy notices of the respective app stores apply. This is especially relevant regarding the procedures used on the platforms for reach measurement and interest-based marketing, as well as any possible fees.
Types of processed data: master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email addresses, phone numbers); contract data (e.g., contract subject, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).
Affected persons: customers.
Purposes of processing: provision of contractual services and customer service.
Legal bases: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, processes, and services:
Apple App Store: app and software sales platform; service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; website: https://www.apple.com/de/ios/app-store/; privacy policy: https://www.apple.com/legal/privacy/de-ww/.
Google Play: app and software sales platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://play.google.com/store/apps?hl=de; privacy policy: https://policies.google.com/privacy.
Microsoft Store: app and software sales platform; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://www.microsoft.com/de-de/store/b/home; privacy policy: https://privacy.microsoft.com/de-de/privacystatement; security information: https://www.microsoft.com/de-de/trustcenter.

When contacting us (e.g., via contact form, email, telephone, or social media) as well as within existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.
Responding to contact inquiries and managing contact and inquiry data within the framework of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre-)contractual inquiries and otherwise based on legitimate interests in responding to inquiries and maintaining user or business relationships.
Types of processed data: master data (e.g., names, addresses); contact data (e.g., email addresses, phone numbers); content data (e.g., inputs in online forms).
Affected persons: communication partners.
Purposes of processing: contact inquiries and communication; provision of contractual services and customer service.
Legal bases: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).

Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the communicated request. For this purpose, we process personal data within the framework of pre-contractual and contractual business relationships, to the extent necessary for their fulfillment, and otherwise based on our legitimate interests as well as the interests of the communication partners in responding to requests and our legal retention obligations.

We use hosting and analytics services from service providers to offer our audio content for listening or download and to obtain statistical information about the access to the audio content.
Types of processed data: usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).
Affected persons: users (e.g., website visitors, users of online services).
Purposes of processing: reach measurement (e.g., access statistics, recognition of recurring visitors); conversion measurement (measuring the effectiveness of marketing measures); user-related profiles (creating user profiles).
Further information on processing procedures, processes, and services:
Soundcloud: Soundcloud - music hosting; service provider: SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany; website: https://soundcloud.com; privacy policy: https://soundcloud.com/pages/privacy.
Spotify: Spotify - music hosting and widget; service provider: Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden; website: https://www.spotify.com/de; privacy policy: https://www.spotify.com/de/legal/privacy-policy/.

The application process requires applicants to provide us with the data necessary for their assessment and selection. The required information is specified in the job description or, in the case of online forms, in the respective fields provided.
Generally, the required information includes personal details such as name, address, contact information, and proof of qualifications necessary for the position. Upon request, we are happy to inform applicants about which details are needed.
If available, applicants can submit their applications to us via an online form. The data is transmitted to us encrypted according to the state of the art. Applicants can also submit their applications via email. However, please note that emails are generally not sent encrypted over the internet. Usually, emails are encrypted during transport but not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of the application between the sender and its reception on our server.
For the purposes of applicant search, submission of applications, and selection of candidates, we may use applicant management or recruitment software, platforms, and services from third-party providers, in compliance with legal requirements.
Applicants are welcome to contact us regarding the preferred method of submitting their application or to send their application by postal mail.

If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data such as disability status or ethnic origin) are requested from applicants as part of the application process, so that the controller or the data subject can exercise their rights arising from labor law and social security and social protection law and fulfill their related obligations, their processing takes place in accordance with Art. 9 para. 2 lit. b GDPR. In cases of protecting the vital interests of the applicants or other persons, processing is based on Art. 9 para. 2 lit. c GDPR, or for purposes of preventive or occupational medicine, assessment of the employee’s ability to work, medical diagnosis, provision or treatment in the health or social care sector, or management of health or social care systems and services pursuant to Art. 9 para. 2 lit. h GDPR.
If special categories of data are voluntarily provided based on consent, their processing is carried out pursuant to Art. 9 para. 2 lit. a GDPR.

The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is unsuccessful, the applicant’s data will be deleted. Applicant data will also be deleted if an application is withdrawn, to which applicants are entitled at any time. The deletion will take place, subject to a justified revocation by the applicant, no later than six months after the application, so that we can answer any follow-up questions regarding the application and fulfill our documentation obligations under the regulations on equal treatment of applicants. Invoices for any travel expense reimbursements will be archived in accordance with tax regulations.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, does not affect the ongoing application process, and that they can revoke their consent at any time for the future.
Types of data processed: Applicant data (e.g., personal information, postal and contact addresses, documents related to the application and the information contained therein such as cover letters, resumes, certificates, as well as other information voluntarily provided by applicants regarding their person or qualifications with respect to a specific position).
Data subjects: Applicants.
Purposes of processing: Application process (initiation and possible subsequent execution as well as possible subsequent termination of the employment relationship).
Legal basis: Application process as a pre-contractual or contractual relationship (Art. 9(2)(b) GDPR).

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described in the context of a subscription, they are decisive for the users’ consent. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal addressing in the newsletter, or further information if this is required for the purposes of the newsletter.

Double opt-in procedure: Subscription to our newsletter generally takes place through a so-called double opt-in procedure. This means you will receive an email after signing up, in which you are asked to confirm your subscription. This confirmation is necessary to ensure that no one can register using someone else’s email address. The newsletter subscriptions are logged in order to be able to prove the registration process complies with legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Changes to your data stored with the email service provider are also logged.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, to be able to prove that consent was previously given. The processing of this data is limited to the purpose of potential defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a blocklist solely for this purpose.

The logging of the registration process is based on our legitimate interests in proving that it was carried out in accordance with the law. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.

Legal basis information: The newsletters are sent on the basis of the recipients’ consent or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and to the extent legally permitted, e.g., in the case of advertising to existing customers. If we commission a service provider to send emails, this is based on our legitimate interests in an efficient and secure dispatch. The registration procedure is recorded on the basis of our legitimate interests in order to prove that it was conducted in accordance with the law.

Contents:

Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); meta-/communication data (e.g., device information, IP addresses); usage data (e.g., websites visited, interest in content, access times).
Data subjects: Communication partners.
Purposes of processing: Direct marketing (e.g., via email or postal mail).
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Right to object (Opt-Out): You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter or, alternatively, you can use one of the contact options provided above, preferably email.
Further information on processing operations, procedures, and services:
Measurement of open and click rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a mailing service provider, from their server. During this retrieval, technical information such as information about the browser and your system, your IP address, and the time of retrieval are collected. This information is used for the technical improvement of our newsletter based on the technical data or target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether newsletters are opened, when they are opened, and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until they are deleted. The evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The measurement of open and click rates, the storage of the measurement results in the user profiles, and their further processing are based on the users' consent. Unfortunately, a separate withdrawal of performance measurement is not possible; in this case, the entire newsletter subscription must be canceled or objected to. In such a case, the stored profile information will be deleted.
Mailchimp: Email delivery and email marketing platform; Service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/; Data Processing Agreement: https://mailchimp.com/legal/; Standard Contractual Clauses (ensuring data protection level for processing in third countries): Included in the Data Processing Agreement; Further information: Special security measures: https://mailchimp.com/help/Mailchimp-european-data-transfers/.

Web analysis (also referred to as "audience measurement") serves to evaluate the visitor flows of our online offering and may include behavioral, interest-based, or demographic information about visitors—such as age or gender—as pseudonymous values. Audience measurement helps us, for example, to identify when our online offering, its functions, or content are most frequently used or invite reuse. It also enables us to determine which areas require optimization.

In addition to web analysis, we may also use testing procedures to test and optimize different versions of our online offering or its components.

Unless otherwise specified below, profiles—i.e., data compiled into a usage process—may be created for these purposes, and information may be stored on and read from a browser or end device. The collected information includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the operating system used, and details about usage times. If users have consented to the collection of their location data—either to us or to providers of services we use—location data may also be processed.

Users' IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data (such as email addresses or names) is stored during web analysis, A/B testing, and optimization. Instead, pseudonyms are used. This means that neither we nor the providers of the software employed know the actual identity of the users, but only the data stored in their respective profiles for the purpose of the procedure.

Notes on Legal Bases:
If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, users' data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to refer to the information regarding the use of cookies in this privacy policy.

Types of data processed:
Usage data (e.g., websites visited, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).

Data subjects:
Users (e.g., website visitors, users of online services).

Purposes of processing:
Audience measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creating user profiles).

Security measures:
IP masking (pseudonymization of the IP address).

Legal bases:
Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

Google Analytics:
Web analysis, audience measurement, and measurement of user flows;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
Website: https://marketingplatform.google.com/intl/en/about/analytics/;
Privacy Policy: https://policies.google.com/privacy;
Data Processing Agreement: https://business.safety.google/adsprocessorterms;
Standard Contractual Clauses (ensuring data protection level for processing in third countries): https://business.safety.google/adsprocessorterms;
Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en,
Ad settings: https://adssettings.google.com/authenticated;
Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).

We use the web analysis service Matomo on our website to evaluate user behavior and continuously improve our site. Matomo is operated on our own server, so no data is passed on to third parties.

1. Use with Consent (Cookies)

If you have agreed to the use of analytics cookies via our cookie banner, Matomo stores small text files (cookies) on your device. These allow us to recognize your browser upon a return visit. The following data is collected, among others:

• IP address (shortened)
• Pages visited and duration of visit
• Referring page (referrer)
• Information about device, operating system, and browser

The legal basis for this processing is your consent in accordance with Art. 6 (1) lit. a GDPR. You can withdraw your consent at any time via the cookie banner or through the cookie settings in the footer.

2. Use without Cookies (Cookieless Tracking)

If you have not consented to the use of cookies, we use Matomo in a cookieless configuration. In this case, no cookies are stored on your device. The analysis is based solely on anonymous information (e.g., shortened IP address, browser type, approximate location data), which does not allow any conclusions to be drawn about your identity.

The legal basis for this is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in designing our website in a user-friendly and demand-oriented manner.

IP Anonymization

Your IP address is anonymized immediately after collection (e.g., by shortening it) in both configurations, so that it can no longer be attributed to you.

No Disclosure to Third Parties

The data is processed exclusively on our own server and is not shared with third parties.

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active on these platforms or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may pose risks to users, as it could, for example, make it more difficult to enforce users' rights.

Furthermore, user data is generally processed within social networks for market research and advertising purposes. For example, user profiles may be created based on user behavior and resulting interests. These usage profiles may, in turn, be used to place advertisements within and outside the networks that presumably match the users’ interests. Cookies storing the users’ usage behavior and interests are generally stored on users’ devices for these purposes. Additionally, data may be stored in the usage profiles independently of the devices used by the users (especially if users are members of the respective platforms and are logged in).

For a detailed description of the respective processing operations and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

Even in the case of information requests and the assertion of data subject rights, we point out that these are most effectively addressed to the providers. Only the providers have access to the users' data and can take appropriate measures directly and provide information. If you still require assistance, you can contact us.

Types of data processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Contact requests and communication; Feedback (e.g., collecting feedback via online form); Marketing.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further Information on Processing, Procedures, and Services:

Instagram: Social network; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.

Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page ("Fanpage"). This includes information about the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in Facebook's Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in Facebook's Data Policy: https://www.facebook.com/policy). As explained under "How do we use this information?" in the Facebook Data Policy, Facebook also collects and uses information to provide analytics services, called "Page Insights," to page operators, enabling them to understand how people interact with their pages and related content. We have concluded a special agreement with Facebook ("Page Insights Controller Addendum", https://www.facebook.com/legal/terms/page_controller_addendum), which specifically regulates the security measures Facebook must observe and under which Facebook has agreed to fulfill data subject rights (i.e., users may direct access or deletion requests directly to Facebook). Users' rights (especially to access, erasure, objection, and complaint to a supervisory authority) are not restricted by the agreements with Facebook. More information can be found in the "Information about Page Insights Data" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Standard Contractual Clauses (ensuring data protection when processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Joint Controllership Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.

Facebook Events: Event profiles within the social network Facebook – We use the “Events” function of the Facebook platform to announce events and dates, to interact with users (participants and interested parties), and to exchange information. We process personal data of users on our event pages as necessary for the purpose of the event page and its moderation. This data includes names, published or privately shared content, participation status, and related time information. Additionally, we refer to Facebook’s own data processing. This includes content types users view or interact with, or actions they take (see "Things you and others do and provide" in Facebook's Data Policy: https://www.facebook.com/policy), and information about the devices used (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in Facebook's Data Policy). As explained in the Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, so-called "Insights," for event providers to understand how people interact with their events and related content; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Standard Contractual Clauses: https://www.facebook.com/legal/EU_data_transfer_addendum.

YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Opt-Out: https://adssettings.google.com/authenticated.Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can include graphics, videos, or maps (collectively referred to as “content”).

The integration always requires that these third-party providers process the IP address of the users, as they could not send the content to their browsers without the IP address. The IP address is thus necessary to display this content or functions. We strive to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the users’ devices and include technical information about the browser and operating system, referring websites, visit time, and further details on the use of our online offer, and may also be linked with such information from other sources.

Legal basis: If we ask users for consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, please also refer to our Cookie Policy in this privacy statement.

Types of data processed: Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses); Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Event data (Facebook) (“Event Data” refers to data that can be transmitted to Facebook by us via the Facebook Pixel or via apps or other means and relates to individuals or their actions; includes information about visits to websites, interactions with content, app installations, product purchases, etc.; Event Data is processed to create target groups for content and advertising (Custom Audiences); Event Data does not include actual content (such as comments), login information, or contact details like names or email addresses or phone numbers. Facebook deletes Event Data after a maximum of two years; the audiences derived from them will be deleted with the deletion of our Facebook account).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Providing our online offering and user-friendliness; Contractual services and customer support; Marketing; Profiles with user-related information (creation of user profiles).

Legal bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further Information on Processing, Procedures, and Services:

Facebook Plugins and Content: Facebook social plugins and content – This may include content such as images, videos, texts, and buttons that allow users to share content from this online offering within Facebook. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/ – We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the course of a transmission (but not the further processing) of "Event Data" collected or received by Facebook using the Facebook social plugins (and embedding functions for content) running on our online offering, for the following purposes: a) displaying content and advertising information likely to match user interests; b) delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger); c) improving ad delivery and personalization of functions and content (e.g., improving recognition of content or advertising that is likely to be of interest to users). We have concluded a specific agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum), which governs, in particular, which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and under which Facebook agrees to fulfill data subject rights (e.g., users can address access or deletion requests directly to Facebook). Note: If Facebook provides us with metrics, analyses, and reports (which are aggregated and do not contain any information about individual users and are anonymous for us), this processing is not part of the joint responsibility but is based on a processing contract (“Data Processing Terms,” https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), and with regard to processing in the USA, based on Standard Contractual Clauses (“Facebook-EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (especially to access, erasure, objection, and complaint to the supervisory authority) remain unaffected; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy.

Google Maps: We embed maps from the "Google Maps" service provided by Google. Data processed may include IP addresses and location data of users, which is generally not collected without their consent (typically done within their mobile device settings); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy Policy: https://policies.google.com/privacy; Opt-Out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Settings: https://adssettings.google.com/authenticated.

Instagram Plugins and Content: Instagram plugins and content – This may include content such as images, videos, texts, and buttons that allow users to share content from this online offering within Instagram. – We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the course of transmission (but not the further processing) of “Event Data” collected or received by Facebook via Instagram features (e.g., embedding functions), which are run on our online offering, for the following purposes: a) display of content and advertising information likely to match user interests; b) delivery of commercial and transactional messages (e.g., contact via Messenger); c) improvement of ad delivery and personalization of content/functions. We have entered into a specific agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum), governing which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and under which Facebook commits to fulfill data subject rights. Note: If Facebook provides us with metrics or reports (aggregated and anonymous), this does not fall under joint responsibility but is processed on the basis of a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), including data security terms and standard contractual clauses. Users’ rights remain unaffected; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.

YouTube Videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Opt-Out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Settings: https://adssettings.google.com/authenticated.

Amendments and Updates to the Privacy Policy

We kindly ask you to regularly inform yourself about the contents of our privacy policy. We will amend the privacy policy as soon as changes in the data processing activities we perform make this necessary. We will inform you if these changes require any cooperation on your part (e.g., consent) or another form of individual notification.

If we provide addresses and contact details of companies and organizations in this privacy policy, please note that these addresses may change over time. Please check the details before contacting them.

As a data subject, you have various rights under the GDPR, particularly arising from Articles 15 to 21 GDPR:

Right to object:
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Right to withdraw consent:
You have the right to withdraw consent you have given at any time.

Right of access:
You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data along with further information and a copy of the data according to the legal requirements.

Right to rectification:
You have the right, in accordance with legal provisions, to request the completion of your data or the correction of inaccurate data concerning you.

Right to erasure and restriction of processing:
You have the right, under the legal conditions, to request that your data be deleted without undue delay or alternatively, under the legal conditions, to request a restriction of the processing of your data.

Right to data portability:
You have the right, under the legal provisions, to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller.

Right to lodge a complaint with a supervisory authority:
In accordance with legal provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State where you usually reside, your workplace, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

In this section, you will find an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are primarily defined in Art. 4 GDPR. The legal definitions are binding. The following explanations are intended primarily to aid understanding. The terms are listed alphabetically.

Conversion Measurement: Conversion measurement (also referred to as "visit action analysis") is a procedure used to determine the effectiveness of marketing measures. Typically, a cookie is stored on the users’ devices within the websites where the marketing measures take place and is then retrieved again on the target website. For example, this allows us to track whether the ads we placed on other websites were successful.

Personal Data: "Personal data" means all information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); a natural person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Profiles with User-Related Information: The processing of "profiles with user-related information," or simply "profiles," includes any kind of automated processing of personal data which consists of using this personal data to analyze or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are frequently used for profiling purposes.

Reach Measurement: Reach measurement (also referred to as web analytics) serves to analyze visitor flows of an online offering and may include the behavior or interests of visitors in certain information, such as content on websites. With the help of reach analysis, website owners can, for example, recognize at what times visitors access their website and which content interests them. This allows them to better adapt the content of the website to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more precise analyses of the use of an online offering.

Controller: The "controller" is the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.

Processing: "Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers almost any handling of data, such as collecting, evaluating, storing, transmitting, or deleting.

Kalif Storch GmbH
Hubert Langrock
Zum Güterbahnhof 20, 99085 Erfurt
E-Mail: info@kalifstorch.com
Tel.: +39 361 430 40 14

Purposes and Legal Basis:

The video surveillance serves to exercise the right of domicile and to secure evidence in case of criminal offenses. Legal basis: Art. 6 para. 1 lit. f GDPR – legitimate interests pursued:

The video surveillance is carried out for your protection and ours, as well as for the prevention of theft, criminal and violent acts.

Storage duration or criteria for determining the duration:

The recorded footage is regularly overwritten; deletion takes place at the latest after 10 days, unless further storage is necessary for evidence preservation.

Recipients or categories of recipients of the data:

The data is processed internally only at Zughafen Kulturbahnhof GmbH; no transfer takes place.

Information on the rights of the data subjects:

The data subject has the right to request from the controller confirmation as to whether personal data concerning them is being processed; if this is the case, they have the right to obtain information about these personal data and the information listed in detail in Art. 15 GDPR.

The data subject has the right to demand from the controller the immediate correction of inaccurate personal data concerning them and, if necessary, the completion of incomplete personal data (Art. 16 GDPR).

The data subject has the right to demand the deletion of personal data concerning them without undue delay from the controller, provided one of the reasons listed in detail in Art. 17 GDPR applies, e.g., if the data are no longer necessary for the purposes pursued (right to erasure).

The data subject has the right to demand the restriction of processing from the controller if one of the conditions listed in Art. 18 GDPR is met, e.g., if the data subject has objected to the processing, for the duration of the verification by the controller.

The data subject has the right to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them. The controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing serves to assert, exercise, or defend legal claims (Art. 21 GDPR).

Every data subject has the right, regardless of any other administrative or judicial remedy, to lodge a complaint with a supervisory authority if they believe that the processing of personal data concerning them violates the GDPR (Art. 77 GDPR). The data subject can exercise this right with a supervisory authority in the member state of their habitual residence, workplace, or the place of the alleged infringement. In (Federal State), the competent supervisory authority is: Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit (TLfDI).