Data protection declaration

Preamble

With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to shortly as "data") that we process, for what purposes, and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

As of: May 11, 2023

Table of Contents

• Preamble

• Responsible person

• Overview of processing

• Relevant legal bases

• Security measures

• Transfer of personal data

• Data processing in third countries

• Deletion of data

• Use of cookies

• Business services

• Online offerings and web hosting

• Special notes on applications

• Registration, login and user account

• Contact and inquiry management

• Application process

• Web analysis, monitoring and optimization

• Changes and updates to the data protection declaration

• Rights of data subjects

• Definitions of terms

Responsible person

we connect work GmbH
Römerstr. 28
56130 Bad Ems

Authorized Representatives:

Radenko Markovic, Dirk Wiedenhues

Email Address:

info@we-connect.work

Imprint:

https://we-connect.work/imprint

Overview of Processing

The following overview summarizes the types of processed data and the purposes of their processing, and refers to the data subjects.

Types of Processed Data

• Master data.
• Payment data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication, and procedural data.
• Applicant data.

Categories of Data Subjects

• Prospects.
• Communication partners.
• Users.
• Applicants.
• Business and contractual partners.

Purposes of Processing

• Provision of contractual services and customer service.
• Contact inquiries and communication.
• Security measures.
• Reach measurement.
• Office and organizational procedures.
• Management and response to inquiries.
• Application procedures.
• Feedback.
• Profiles with user-related information.
• Provision of our online offering and user-friendliness.
• Information technology infrastructure.

Relevant Legal Bases

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, if more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
• Application procedure as pre-contractual or contractual relationship (Art. 6 para. 1 lit. b) GDPR) - Where special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data, such as severe disability status or ethnic origin) are requested from applicants as part of the application process, their processing is carried out in accordance with Art. 9 para. 2 lit. b. GDPR, in the case of protection of vital interests of applicants or other persons pursuant to Art. 9 para. 2 lit. c. GDPR or for purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector pursuant to Art. 9 para. 2 lit. h. GDPR. In the case of a voluntary provision of special categories of data based on consent, their processing is carried out on the basis of Art. 9 para. 2 lit. a. GDPR.

In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains special regulations concerning the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (§ 26 BDSG), in particular with regard to the establishment, implementation, or termination of employment relationships, as well as the consent of employees. In addition, state data protection laws of the individual federal states may apply.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, security of availability, and their separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also consider data protection during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

TLS encryption (https): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transmitted to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and conclude appropriate contracts or agreements with the recipients of your data, particularly those that serve to protect your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of the use of third-party services or the disclosure or transmission of data to other individuals, entities, or companies, this will only be done in accordance with legal requirements.

Subject to explicit consent or contractually or legally required transmission, we will only process or have the data processed in third countries with an acknowledged level of data protection, contractual obligations through so-called standard data protection clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Articles 44 to 49 GDPR, information page of the EU Commission:https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of data

The data processed by us will be deleted in accordance with legal requirements as soon as their processing consents permitted are revoked or other permissions expire (e.g., if the purpose of processing this data no longer exists or they are not necessary for the purpose). If the data are not deleted because they are necessary for other legally permissible purposes, their processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person.

Furthermore, our privacy policy may contain additional information on the storage and deletion of data that primarily apply to the respective processing.

Use of Cookies

Cookies are small text files or other storage notes that store information on end devices and retrieve information from end devices. For example, to store the login status in a user account, a shopping cart content in an e-shop, the accessed contents, or used functions of an online offer. Cookies can also be used for various purposes, e.g., for the functionality, security, and comfort of online offers as well as for creating analyses of visitor flows.

Guidance on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not legally required. Consent is particularly not necessary when storing and retrieving information, including cookies, is strictly necessary to provide users with an explicitly requested telemedia service (i.e., our online offering). Essential cookies typically include functions necessary for the display and operation of the online service, load balancing, security, storing user preferences and choices, or similar purposes related to providing the main and ancillary functions of the requested online service by users. the revocable consent is clearly communicated to users and includes information on the respective cookie usage.

Notes on Data Protection Legal Bases: The legal basis on which we process users' personal data with the help of cookies depends on whether we ask users for consent. If users consent, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies are processed based on our legitimate interests (e.g., in the commercial operation of our online offering and improving its usability) or, if this is done in the performance of our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We clarify the purposes for which cookies are processed by us in the course of this privacy policy or as part of our consent and processing processes.

Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:

• Temporary Cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
• Persistent Cookies: Persistent cookies remain stored even after the device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user revisits a website. Likewise, the data collected with the help of cookies can be used for audience measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.

General Information on Revocation and Objection (Opt-Out): Users can revoke the consents they have given at any time and also object to the processing in accordance with the legal requirements of Art. 21 GDPR. Users can also declare their objection via the settings of their browser, for example, by deactivating the use of cookies (although this may also restrict the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be made via the websites.https://optout.aboutads.infoandhttps://www.youronlinechoices.com/

• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Additional Information on Processing Processes, Procedures, and Services:

• Processing of Cookie Data based on Consent: We implement a procedure for Cookie Consent Management, within which users' consents to the use of cookies, or the processing and providers mentioned within the Cookie Consent Management process, can be obtained, managed, and revoked by users. The consent declaration is stored to avoid the need for repeated queries and to be able to prove consent in accordance with legal obligations. Storage can be server-side and/or in a cookie (so-called opt-in cookie or similar technologies) to assign consent to a user or their device. Subject to individual information about the providers of cookie management services, the following information applies: The duration of consent storage can be up to two years. A pseudonymous user identifier is created and stored with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used; Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Klaro!: Cookie Consent Management; Service Provider: KIProtect GmbH, Bismarckstr. 10-12, 10625 Berlin, Germany; Website: https://kiprotect.com/klaro; Privacy Policy: https://kiprotect.com/de/ressourcen/datenschutz.

Business Services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as "contractual partners") within the framework of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any updating obligations, and remedying warranty and other service disruptions. Furthermore, we process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and the organization of our business. Additionally, we process the data based on our legitimate interests in proper and businesslike business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In accordance with applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

We inform contractual partners about which data is required for the aforementioned purposes before or as part of data collection, e.g., in online forms, through special labeling (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be kept for legal reasons of archiving. The statutory retention period is ten years for tax-relevant documents as well as for commercial books, inventories, opening balance sheets, annual financial statements, the instructions for keeping records necessary for understanding these documents, and other organizational documents and booking vouchers, and six years for received commercial and business letters and copies of sent commercial and business letters. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statement, or the management report was prepared, the commercial or business letter was received or sent, or the booking voucher was created, and the recording was made or the other documents were created.

As far as we use third-party providers or platforms to provide our services, the terms and privacy policies of the respective third-party providers or platforms apply in the relationship between users and providers.

• Processed Data Types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, telephone numbers); Contract data (e.g., subject matter of the contract, duration, customer category); Applicant data (e.g., personal information, postal and contact addresses, application documents, and the information contained therein, such as cover letters, resumes, certificates, as well as other information voluntarily provided by applicants regarding their person or qualifications).
• Data Subjects: Interested parties; Business and contractual partners; Applicants.
• Purposes of Processing: Provision of contractual services and customer service; Handling of contact inquiries and communication; Office and organizational procedures; Management and response to inquiries.
• Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional Information on Processing Processes, Procedures, and Services:

• Brokerage and Mediation Services: We process the data of our customers, clients, and prospects (collectively referred to as "customers") in accordance with the underlying order of the customers. We may also process information about the characteristics and circumstances of individuals or property belonging to them if this is part of our order. This may include information about personal circumstances, movable or immovable property, and financial situations. If necessary for contract performance or legally required or approved by customers or based on our legitimate interests, we disclose or transmit customer data as part of coverage requests, contracts, and contract processing to providers of mediated services/objects, insurers, reinsurers, broker pools, technical service providers, other service providers, such as cooperating associations, as well as financial service providers, credit institutions, and investment companies, as well as social security institutions, tax authorities, tax advisors, legal advisors, auditors, insurance ombudsmen, and the Federal Financial Supervisory Authority (BaFin). Furthermore, subject to other agreements, we may engage subcontractors, such as sub-brokers; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• Recruiting Services: We process the data of job candidates and the personal data of potential employers or their employees as part of our services, which include searching for potential job candidates, contacting them, and their placement. We process the information provided by job candidates and their contact details for the purpose of establishing, carrying out, and, if necessary, terminating a contract for job placement. Furthermore, we may, in accordance with legal requirements, ask candidates about the success of our placement service at a later date. We process the data of job candidates and employers to fulfill our contractual obligations, enabling us to process the inquiries submitted for the placement of positions to the satisfaction of the parties involved. We may record the placement processes to demonstrate the existence of the contractual relationship and the consent of the candidates in accordance with legal accountability obligations (Art. 5 para. 2 GDPR). This information is stored for a period of three to four years if we need to demonstrate the original request (e.g., to prove the legitimacy of contacting job candidates); Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Provision of the Online Offering and Web Hosting

We process user data in order to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the contents and functions of our online services to the user's browser or end device.

• Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected Persons: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures.
• Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional information on processing procedures, methods, and services:

• Provision of online services on rented storage space: We use storage space, computing capacity, and software provided by a server provider (also called "web hoster") to provide our online services; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, message about successful retrieval, browser type and version, user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, such as avoiding server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load and stability of the servers; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
• Microsoft cloud services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://microsoft.com/de-de; Privacy Statement: https://privacy.microsoft.com/de-de/privacystatement, Security Notices: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard Contractual Clauses (Ensuring Data Protection Level for Processing in Third Countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

Special notes on applications (apps)

We process user data of our application users to the extent necessary to provide users with the application and its functionalities, monitor their security, and further develop them. We may also contact users in compliance with legal requirements if communication is necessary for the administration or use of the application. In all other respects, with regard to the processing of user data, we refer to the data protection notices in this data protection declaration.

Legal basis: The processing of data necessary for the provision of the application's functionalities serves the fulfilment of contractual obligations. This also applies if the provision of functions requires authorization from users (e.g., device function permissions). If the processing of data for the provision of the application's functionalities is not necessary but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or security purposes), it is based on our legitimate interests. If users are expressly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on consent.

• Processed data types: Inventory data (e.g., names, addresses); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Purposes of processing: Provision of contractual services and customer service.
• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods, and services:

• No location history and no movement profiles: Location data are only used punctually and not processed to create a location history or movement profile of the devices used or their users.

Registration, Sign-in, and User Account

Users can create a user account. During registration, users are provided with the necessary mandatory information and processed for the purpose of providing the user account based on contractual obligations. The processed data includes, in particular, the login information (username, password, and email address).

In the context of using our registration and sign-in functions as well as using the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as those of users in protecting against misuse and unauthorized use. Generally, this data is not disclosed to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users can be informed via email about events relevant to their user account, such as technical changes.

• Processed data types: Inventory data (e.g., names, addresses); Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Concerned individuals: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of contractual services and customer service; Security measures; Management and response to inquiries; Provision of our online offering and user-friendliness.
• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods, and services:

• Registration with real names: Due to the nature of our community, we ask users to use our service only with real names. That is, the use of pseudonyms is not allowed; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• User profiles are not public: User profiles are not publicly visible or accessible.
• Data deletion after termination: When users terminate their user account, their data related to the user account, subject to legal permission, obligation, or user consent, will be deleted; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, telephone, or via social media) and within existing user and business relationships, the information of the requesting individuals is processed as far as necessary to respond to the contact inquiries and any requested measures.

• Processed data types: Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected individuals: Communication partners.
• Purposes of processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offering and user-friendliness.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Job Application Process

The job application process requires applicants to provide us with the data necessary for their assessment and selection. The required information is determined by the job description or, in the case of online forms, by the information provided there.

Generally, the required information includes personal details such as name, address, contact information, and evidence of qualifications necessary for a position. Upon request, we are happy to provide additional information about the required details.

If provided, applicants can submit their applications to us via an online form. The data is encrypted according to the state of the art and transmitted to us. Alternatively, applicants can also submit their applications via email. However, please note that emails on the internet are generally not encrypted when sent. While emails are usually encrypted during transit, they are not encrypted on the servers from which they are sent and received. Therefore, we cannot take responsibility for the transmission path of the application between the sender and the recipient on our server.

For the purpose of applicant search, submission of applications, and selection of applicants, we may use applicant management or recruitment software, platforms, and services from third-party providers, while complying with legal requirements.

Applicants are welcome to contact us regarding the method of submitting their application or to send the application via postal mail.

Processing of special categories of data: If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data such as severe disability status or ethnic origin) are requested from applicants within the scope of the application process, their processing is carried out according to Art. 9 para. 2 lit. b GDPR, in the case of protecting vital interests of the applicants or other persons according to Art. 9 para. 2 lit. c GDPR, or for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, health or social care or treatment, or management of health or social care systems and services according to Art. 9 para. 2 lit. h GDPR. In the case of voluntary consent-based disclosure of special categories of data, their processing is based on Art. 9 para. 2 lit. a GDPR.

Data deletion: The data provided by applicants can be further processed by us for the purposes of the employment relationship in case of a successful application. Otherwise, if the application for a job offer is unsuccessful, the data of the applicants will be deleted. The data of the applicants will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. The deletion takes place, subject to justified revocation by the applicants, no later than six months after the application process ends, so that we can answer any follow-up questions regarding the application and fulfill our obligations to provide evidence under the equal treatment regulations for applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

Inclusion in an applicant pool: The inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, does not affect the ongoing application process, and they can revoke their consent at any time for the future.

• Processed data types: Master data (e.g., names, addresses); contact details (e.g., email, telephone numbers); content data (e.g., entries in online forms); applicant data (e.g., personal information, postal and contact addresses, documents belonging to the application, and information contained therein, such as cover letters, resumes, certificates, as well as further information voluntarily provided by applicants regarding their person or qualifications).
• Concerned individuals: Applicants.
• Purposes of processing: Application process (establishment and possible subsequent execution as well as possible later termination of the employment relationship).
• Legal basis: Application process as a pre-contractual or contractual relationship (Art. 6 para. 1 lit. b) GDPR).

Web analysis, monitoring, and optimization

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor traffic of our online offering and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine at which time our online offering or its functions or content are most frequently used or invite reuse. Likewise, we can track which areas need optimization.

In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components, for example.

Unless otherwise stated below, profiles, i.e., data summarized for a usage process, can be created and information can be stored and read from a browser or device for these purposes. The collected information includes in particular visited websites and elements used there, as well as technical information such as the browser used, the operating system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data can also be processed.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. Generally, no clear data of the users (such as email addresses or names) are stored as part of web analysis, A/B testing, and optimization, but pseudonyms. That is, we as well as the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

• Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta-, communication, and process data (e.g., IP addresses, time stamps, identification numbers, consent status).
• Affected persons: Users (e.g., website visitors, users of online services).
• Purposes of processing: Range measurement (e.g., access statistics, identification of recurring visitors); Profiles with user-related information (creation of user profiles).
• Security measures: IP masking (pseudonymization of theIP address).
• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a)GDPR).

Further information on processing procedures, procedures, and services:

• Matomo: Matomo is software used for purposes of web analysis and range measurement. As part of the use of Matomo, cookies are created and stored on the user's end device. The data of the users collected within the scope of Matomo's use are processed only by us and not shared with third parties. The cookies are stored for a maximum period of 13 months:https://matomo.org/faq/general/faq_146/; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Data deletion: The cookies have a storage period of a maximum of 13 months.

Amendment and updating of the data protection declaration

We ask you to inform yourself regularly about the content of our data protection declaration. We adapt the data protection declaration as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as participation by you (e.g. consent) or other individual notification becomes necessary due to the changes.

If we provide addresses and contact information of companies and organizations in this data protection declaration, please note that the addresses may change over time and we ask you to verify the information before contacting us.

Rights of data subjects

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw consent at any time.
• Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and other information as specified by law.
• Right to rectification: You have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed in accordance with the legal requirements.
• Right to erasure and restriction of processing: You have the right to obtain the erasure of personal data concerning you without undue delay or, alternatively, to obtain the restriction of processing in accordance with the legal requirements.
• Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to request the transmission of those data to another controller in accordance with the legal requirements.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Supervisory authority responsible for us:

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
Hintere Bleiche 34
55116 Mainz

Phone: +49 (0) 6131 8920-0
Fax: +49 (0) 6131 8920-299

poststelle@datenschutz.rlp.de

Definitions of terms

In this section, you will find an overview of the terms used in this data protection declaration. Many of the terms are taken from the law and are primarily defined in Article 4 of the GDPR. The legal definitions are binding. The following explanations are intended primarily for understanding. The terms are sorted alphabetically.

• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles with user-related information: The processing of "profiles with user-related information", or simply "profiles", includes any kind of automated processing of personal data that consists of using such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, different information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc., may be involved). Cookies and web beacons are often used for profiling purposes.
• Range measurement: Range measurement (also known as web analytics) serves to analyze visitor flows to an online offering and can include the behavior or interests of visitors in certain information, such as content of websites. With the help of range analysis, website owners can, for example, recognize at what time visitors access their website and what content they are interested in. This allows them to better tailor the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for range analysis purposes to recognize recurring visitors and obtain more precise analyses of the use of an online offering.
• Controller: "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, whether it involves collecting, analysing, storing, transmitting, or deleting.