Privacy Policy
You can find our cookie policy here.
1 Introduction to Data Protection
We are delighted that you are interested in our services.
The protection of your personal data when you visit our website is of great importance to us.
We protect your privacy and your personal data. We collect, process and use your personal data in accordance with the provisions of this privacy policy and the applicable data protection regulations, in particular the General Data Protection Regulation, the Federal Data Protection Act and the Telemedia Act.
This privacy policy sets out what personal data we collect, process and use about you. We therefore ask you to read the following information carefully.
2 Contact
The data controller for this data processing is:
bbg bitbase group GmbH
Am Heilbrunnen 47
72766 Reutlingen
Authorised representatives: José Enrique Gómez Asbeck, Volker Baisch
https://www.bitbasegroup.com/impressum
You can contact our Data Protection Officer, Mr Markus Vatter, at the postal address given above, adding the words ‘Data Protection Officer’ at the beginning of your correspondence, or at: Datenschutz@bitbasegroup.com
3 Data collection on this website – Summary
3.1 Introduction
The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.
When you use these pages, various personal data is collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
Please note that data transmission over the internet (e.g. when communicating by email) may be subject to security vulnerabilities. It is not possible to guarantee complete protection of data against access by third parties.
The specific legal bases, purposes, additional recipients, transfers to third countries, retention periods and other specific details are set out in the relevant processing notice following this summary.
3.2 Anonymous data processing
In principle, any visitor can access this website without revealing their identity. The only information collected automatically is the name of their internet service provider, the website from which they were linked to us, and their IP address. This information is collected and analysed solely for the purpose of combating misuse. An anonymised and truncated version of the IP address may be analysed for statistical purposes.
3.3 Collection and processing of personal data
Further personal data will only be collected if you provide and transmit it to us of your own accord. All data is treated as confidential by us and used solely for the purpose for which it was provided.
The data you provide to us in connection with an enquiry, an order or a business relationship is stored and processed exclusively for the purpose for which it was provided. We will not pass on any personal data provided to third parties unless you have expressly authorised this or it is absolutely necessary for the performance of a service.
Please note that data transmission over the internet (e.g. when communicating via email) may be subject to security vulnerabilities. It is not possible to provide complete protection of data against access by third parties.
We hereby expressly object to any use of the contact details published here by third parties for the purpose of sending unsolicited advertising or information material. We expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as via spam emails.
3.4 How do we collect your data?
Your data is collected, on the one hand, when you provide it to us. This may include, for example, data that you enter into a contact form.
Other data is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you access this page.
3.5 What do we use your data for?
Some of the data is collected to ensure that the website functions correctly. Other data may be used to analyse your user behaviour.
3.6 What rights do you have regarding your data?
You have the right at any time to obtain, free of charge, information about the source, recipients and purpose of your stored personal data. You also have the right to request the rectification or erasure of this data. If you have given your consent to data processing, you may withdraw this consent at any time with effect for the future. Furthermore, you have the right, under certain circumstances, to request the restriction of the processing of your personal data. You also have the right to lodge a complaint with the relevant supervisory authority. You may contact us at any time regarding this matter or any other questions you may have about data protection.
3.7 Analytics tools and services provided by third-party providers
When you visit this website, your usage behaviour may be analysed for statistical purposes. This is primarily done using so-called analytics tools. Where we engage third-party providers, we enter into data processing agreements with them to ensure that your data is subject to special protection. Where we use cookies for this purpose or your consent is otherwise required, this is described below.
4 General information and data subject rights
4.1 Legal basis for data processing on this website
Where you have consented to the processing of your data, we process your personal data on the basis of Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, where special categories of data as defined in Article 9(1) of the GDPR are processed. In the event of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Article 49(1)(a) of the GDPR. Where you have consented to the storage of cookies or to access to information on your device (e.g. via device fingerprinting), data processing is additionally carried out on the basis of Section 25(1) of the German Telecommunications Digital Services Data Protection Act (TDDDG). Consent may be withdrawn at any time. If your data is required for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Article 6(1)(b) of the GDPR. Furthermore, we process your data where this is necessary to comply with a legal obligation on the basis of Article 6(1)(c) of the GDPR.
Data processing may also be carried out on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR. The additional legal bases applicable in each individual case are set out in the following paragraphs of this privacy policy. Where we process your data using the service providers described below in accordance with our instructions, we have concluded a data processing agreement (DPA) with each of them; in cases of joint controllership, we have concluded an agreement on this, which essentially safeguards your data subject rights.
4.2 Note on processing in “unsafe third countries”
Among other things, we use services provided by companies based in the United States or other third countries outside the EEA where data protection standards are not adequate. When these tools are active, your personal data may be transferred to and processed in these third countries. Please note that these countries cannot guarantee a level of data protection comparable to that in the EU.
For example, US companies are obliged to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g. intelligence services) may process, analyse and permanently store your data held on US servers for surveillance purposes.
We have no direct influence over these processing activities; however, the risk can be minimised through appropriate contractual arrangements (EU Standard Contractual Clauses). The Standard Contractual Clauses have been established by the EU and can be found here: eur-lex.europa.eu/eli/dec_impl/2021/914/oj. As part of a data protection impact assessment for third countries (Transfer Impact Assessment, TIA), we regularly review whether the risk is adequately managed. If you have any questions regarding the technical and organisational measures, please contact our Data Protection Officer.
Since 11 July 2023, there has also been an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, the EU-US Data Protection Framework (TADPF). Only if a US company self-certifies in the relevant database and joins this network has the EU determined that the US is considered a safe third country for these companies. We will record any transfers to unsafe third countries with the relevant processor. You can check for yourself at www.dataprivacyframework.gov whether the company is still registered there.
4.3 Retention period
Unless a more specific retention period is stated in this privacy policy, we will retain your personal data until the purpose for which it is processed no longer applies. If you submit a valid request for erasure or withdraw your consent to data processing, your data will be erased, provided we have no other legally permissible grounds for storing your personal data (e.g. retention periods under tax or commercial law); in such cases, erasure will take place once these grounds no longer apply.
4.4 Withdrawal of your consent to data processing
Many data processing operations are only possible with your explicit consent under Article 7 of the GDPR. You may withdraw any consent you have already given at any time in accordance with paragraph 3 of that Article. The lawfulness of the data processing carried out prior to the withdrawal remains unaffected by the withdrawal.
4.5 Right to object to data collection in specific cases and to direct marketing under Article 21 of GDPR
Where data processing is carried out on the basis of Article 6(1)(e) or (f) of the GDPR, you have the right at any time to object to the processing of your personal data on grounds relating to your particular situation; this also applies to profiling based on these provisions. The specific legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims (objection under Article 21(1) of the GDPR).
If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. This also applies to profiling insofar as it is related to such direct marketing. If you object, your personal data will no longer be used for the purposes of direct marketing (objection under Article 21(2) of the GDPR).
4.6 Right to lodge a complaint with the relevant supervisory authority pursuant to Article 57(1)(f) of the GDPR
In the event of infringements of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place where the alleged infringement occurred. This right to lodge a complaint is without prejudice to any other administrative or judicial remedies.
4.7 Right to data portability under Article 20 of the GDPR
You have the right to receive data that we process automatically on the basis of your consent or in performance of a contract, and to have it transferred to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place to the extent that it is technically feasible.
4.8 SSL or TLS encryption
This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the website operator. You can recognise an encrypted connection by the fact that the address bar of your browser changes from “http://” to “https://” and by the padlock symbol in your browser bar.
When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.
4.9 Access, erasure and rectification
In accordance with the applicable legal provisions, you have the right at any time, pursuant to Article 15 of GDPR to obtain information free of charge regarding your stored personal data, its origin and recipients, and the purpose of the data processing; and, where applicable, pursuant to Article 16 of GDPR the right to rectification or, pursuant to Article 17 of GDPR the right to erasure of this data. You may contact us at any time regarding this matter or any other questions concerning personal data.
4.10 Right to restriction of processing
Under Article 18 of the GDPR, you have the right to request that the processing of your personal data be restricted. You may contact us at any time to exercise this right. The right to restriction of processing applies in the following cases:
- If you dispute the accuracy of your personal data held by us, we will usually need some time to verify this. For the duration of this verification, you have the right to request that the processing of your personal data be restricted.
- If your personal data has been or is being processed unlawfully, you may request that the processing of your data be restricted instead of it being erased.
- If we no longer require your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request that the processing of your personal data be restricted rather than erased.
- If you have lodged an objection under Article 21(1) of the GDPR, a balancing of interests between yours and ours must be carried out. Until it has been determined whose interests prevail, you have the right to request that the processing of your personal data be restricted.
If you have restricted the processing of your personal data, such data may – apart from its storage – only be processed with your consent, or for the purpose of establishing, exercising or defending legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the European Union or a Member State.
4.11 Objection to promotional emails
We hereby object to the use of contact details published on this website – for example in the legal notice or the privacy policy – for the purpose of sending unsolicited advertising and information material. The website operators expressly reserve the right to take legal action in the event of unsolicited promotional material being sent.
5 Provision of web content and applications (Apps)
Here we describe the provision of web content (Hosting) on the basis of legitimate interest. Where consent has been sought, processing takes place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time. In simple terms, a website is transmitted from a computer in a specific location. To counter certain attacks and to speed up and optimise access, content delivery networks (CDNs) are used. These serve to provide a website efficiently and securely worldwide by directing your page request to the country and computer that can process it most efficiently. Therefore, when using a CDN, we necessarily also process your data in unsafe third countries, such as the USA; please see the note on processing in “unsafe third countries” for further details. Where we offer applications (apps) for smartphones, these generally also access this web content; please see the section on our own services. The data is stored for as long as necessary, generally for a maximum of twelve months.
5.1 External Hosting by Pantheon
This website is hosted by an external service provider (host). The provider is Pantheon Systems, Inc., 717 California Street, Suite 100, San Francisco, CA 94108, USA (“Pantheon”).
The personal data collected on this website is processed on the hoster’s servers. This may include, in particular, IP addresses, contact enquiries, meta and communication data, contractual data, contact details, names, website visits and other data generated via a website.
The use of the hosting provider is for the purpose of fulfilling our contractual obligations towards our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of ensuring the secure, fast and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR).
Pantheon will only process your data to the extent necessary to fulfil its service obligations and will follow our instructions regarding this data.
The processing of personal data may also take place in the USA. For data transfers to the USA, we rely on appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR. Where the provider is certified under the EU-US Data Privacy Framework, data transfers are carried out on the basis of this adequacy decision. Where no such certification exists, transfers are carried out on the basis of the European Commission’s standard contractual clauses.
Further information on Pantheon’s handling of personal data can be found in the provider’s privacy policy. https://pantheon.io/pantheon-gdpr-compliance
5.2 Content Delivery Networks (CDNs)
This page uses content delivery networks (so-called Content Delivery Networks, CDNs) on the basis of our legitimate interest in providing popular online libraries and web fonts, thereby improving performance and making the site more secure against attacks. Access is then made directly to the operators’ servers, meaning that data such as the requesting IP address, referrer, browser information, etc., is collected there. The legal basis for this is our legitimate interest in presenting our site in a way that meets user needs and optimising the user experience. You can prevent the collection and processing of your data by CDNs by disabling the execution of script code in your browser or by installing a script blocker in your browser (you can find one, for example, at www.noscript.net). However, the website may then no longer function properly.
5.2.1 Cloudflare CDN
We use the “Cloudflare” service, provided by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”), to display the website and provide fonts.
Cloudflare offers a globally distributed content delivery network with DNS. Technically, this means that the transfer of information between your browser and our website is routed via the Cloudflare network. This enables Cloudflare to analyse the data traffic between your browser and our pages and to act as a filter between our servers and potentially malicious data traffic from the internet. In doing so, Cloudflare may also use cookies or other technologies to recognise internet users, but these are used solely for the purpose described here.
The use of Cloudflare is based on our legitimate interest in providing our website as error-free and secure as possible.
Data transfers to the USA are based on the EU-U.S. Data Privacy Framework and, in the alternative, on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.cloudflare.com/privacypolicy. You can find further information on security and data protection at Cloudflare here: https://www.cloudflare.com/privacypolicy.
5.2.2 jsDelivr CDN
We use the “jsDelivr” service on our website. The provider is ProspectOne, Królewska 65A/1, 30-081 Kraków, Poland, which operates the jsDelivr CDN.
jsDelivr is a content delivery network that provides JavaScript libraries and other technical resources to improve the stability, security and loading speed of our website.
When this content is accessed, a connection is established with jsDelivr’s servers. In particular, the IP address, browser and device information, referrer URL and time of access may be processed.
The use of jsDelivr is based on our legitimate interest in the technically flawless, high-performance and secure provision of our website in accordance with Article 6(1)(f) of the GDPR. Insofar as information technically necessary for the integration is read from or stored on the end device, this is additionally based on Section 25(2) of the TDDDG.
Further information on data processing by jsDelivr can be found in the provider’s privacy policy.
6 Data collection on this website in detail
6.1 Server logs
The website provider (host) automatically collects and records information in so-called server log files, which your browser automatically sends to us with every request. This includes:
- Browser type, language and version,
- the operating system used and its user interface,
- The page from which the request originates (referrer),
- Hostname of the connecting computer,
- Date and time of the request, time zone difference from Coordinated Universal Time (UTC),
- IP address
- Content of the request (specific page),
- Access status/HTTP status code
- the amount of data transferred in each instance
This data is not combined with other data sources.
This data is collected on the basis of a legitimate interest. The website provider has a legitimate interest in ensuring that the website functions correctly and is optimised; server log files must be collected for this purpose.
6.2 Cookies in the browser
Our website uses so-called “cookies”. Cookies are small text files that do not cause any damage to your device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or your browser deletes them automatically. A browser is the application you use to access and view specific websites. Smartphone apps can also use a browser to display websites.
In some cases, cookies from third-party companies may also be stored on your device when you visit our site (third-party cookies). These enable us or you to use certain services provided by the third-party company (e.g. cookies for processing payment services).
Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or the display of videos). Other cookies are used to analyse user behaviour or display advertising. They are used on the basis of our legitimate interest.
Cookies that are required for specific functions you have requested (e.g. the shopping basket function) or for optimising the website (e.g. cookies for measuring and tracking page views) (necessary cookies) are stored on the basis of legitimate interest, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies to ensure the technically error-free and optimised provision of its services. Where consent has been sought for the storage of cookies and similar recognition technologies, processing takes place exclusively on the basis of this consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG. Consent may be withdrawn at any time. Due to legal requirements, we must process this consent in accordance with Article 6(1)(c) of the GDPR and Section 25(1) of the TDDDG.
You can configure your browser so that you are informed when cookies are set and only allow cookies on a case-by-case basis, exclude the acceptance of cookies in specific cases or generally, and enable the automatic deletion of cookies when you close your browser. If you disable cookies, the functionality of this website may be restricted.
Where cookies are used by third parties or for analytical purposes, we will inform you of this separately within the scope of this privacy policy and, where applicable, seek your consent.
6.3 Consent management with Usercentrics (Cookiebot)
Our website uses the Usercentrics consent tool to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies, and to document this in accordance with data protection regulations. The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter “Cookiebot”).
When you visit our website, a connection is established with Cookiebot’s servers to obtain your consents and other declarations regarding the use of cookies. Cookiebot then stores a cookie in your browser to be able to associate the consents you have given or their withdrawal with you. The data collected in this way is stored until you request its deletion, delete the Cookiebot cookie yourself, or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected.
Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Article 6(1)(c) of the GDPR.
Cookiebot uses third-party providers, such as BunnyWay d.o.o., to carry out geolocation. For further details, please see their privacy policy at https://www.cookiebot.com/de/privacy-policy.
Our cookie policy can be found in the Usercentrics/Cookiebot window, which will reappear when you click on the icon at the bottom left of the screen.
6.4 Contact form
If you book a meeting via our contact form or get in touch with us by email or telephone, we will process the personal data you provide (e.g. name, company, email address, telephone number, enquiry).
This processing is carried out for the following purposes:
- To process your enquiry
- To arrange an appointment
- To facilitate the requested one-to-one communication
- To provide the requested services or information
- If you give your express consent we will also contact you by email or telephone regarding services and events in the field of compliance.
Legal basis
- Article 6(1)(b) of the GDPR (pre-contractual measures or performance of a contract)
- Article 6(1)(f) of the GDPR (legitimate interest in efficient customer communication)
- Article 6(1)(a) of the GDPR (consent to receive marketing communications)
Voluntary nature and withdrawal
Your consent to receive marketing communications is voluntary. You may withdraw this consent at any time with future effect. Withdrawal may be made in any form, e.g. by emailing us or via an unsubscribe link in an email.
Retention period
Your data will be deleted as soon as it is no longer required to fulfil the relevant purpose and there are no statutory retention obligations.
6.5 Enquiries by email, telephone or fax
If you contact us by email, telephone or fax, your enquiry, including all personal data contained therein (name, enquiry), will be stored and processed by us for the purpose of dealing with your request. We will not disclose this data without your consent.
The processing of this data is based on Article 6(1)(b) of the GDPR, provided that your enquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries addressed to us or on your consent (Article 6(1)(a) of the GDPR), provided that this has been requested.
The data you send to us via contact enquiries will remain with us until you request its deletion, withdraw your consent to its storage, or the purpose for storing the data no longer applies (e.g. once your enquiry has been fully processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.
6.6 ProvenExpert
We have incorporated ProvenExpert rating badges on this website. The provider is Expert Systems AG, Quedlinburger Str. 1, 10589 Berlin, https://www.provenexpert.com.
The ProvenExpert badge allows us to display customer reviews submitted to ProvenExpert about our company on our website in the form of a badge. When you visit our website, a connection is established with ProvenExpert, enabling ProvenExpert to determine that you have visited our website. ProvenExpert also records your language settings so that the badge is displayed in your chosen language.
The use of ProvenExpert is based on Article 6(1)(f) of the GDPR. The website operator has a legitimate interest in presenting customer reviews in as transparent a manner as possible. Where consent has been sought, processing takes place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time.
Further information on the handling of user data can be found in the data protection policy of ProvenExpert AG at: https://www.provenexpert.com/de-de/datenschutzbestimmungen.
6.7 Appointment booking with Microsoft 365, HubSpot and, where applicable, guests
On our website, you can book appointments with us directly. We use a combination of HubSpot, Microsoft Outlook and Microsoft Teams for appointment booking. The providers are HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany, and Microsoft Ireland Operations Limited, 70 Sir John Rogerson’s Quay, Dublin D02 R296, Ireland.
For details on Microsoft’s data processing practices, please refer to their privacy policy: privacy.microsoft.com/de-de/privacystatement. For more information on HubSpot, see legal.HubSpot.com/privacy-policy. For information on their cookies, see knowledge.HubSpot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser.
To book an appointment with our team, please enter the requested details and your preferred date in the form provided. We require the mandatory information for preparation, delivery and, where necessary, follow-up. Among other things, we will check your email address against an exclusion list. If you add additional guests to the appointment, you are responsible for obtaining their consent in advance. We will inform your guests immediately by email about this privacy policy and that you have provided us with their data. If you also give us permission to send you electronic newsletters, this is described in more detail in Section 7. Newsletters and promotional mailings, including data analysis where applicable.
The data you have entered will remain with us until you request its deletion, withdraw your consent to its storage, or the purpose for storing the data no longer applies. Mandatory legal provisions – in particular retention periods – remain unaffected.
The legal basis for data processing is Article 6(1)(b) of the GDPR for contacting customers and prospective customers. Where consent has been sought, Article 6(1)(a) of the GDPR is the legal basis for data processing; consent may be withdrawn at any time. In all other cases, the legal basis is a legitimate interest in arranging appointments with all other persons as straightforwardly as possible.
7. Newsletters and promotional mailings, including data analysis where applicable
If you subscribe to our newsletters, updates or other informational mailings, we will process the personal data you provide, in particular your name, company and email address. This processing is carried out for the purpose of implementing and fulfilling existing contractual relationships, where applicable, to send information about news, events, offers and services in the field of compliance and related topics, and to analyse and optimise our content and services. The latter may – where applicable and legally permissible – include the statistical analysis of open and click-through rates in order to continuously improve the relevance and quality of our communications.
Purposes of processing and legal bases
The processing of your data is carried out on the basis of Article 6(1)(b) of the GDPR, insofar as it serves the performance of a contract or the initiation of contractual negotiations. Where you have consented to receiving circulars or newsletters, processing is carried out on the basis of Article 6(1)(a) of the GDPR. Furthermore, processing may be based on Article 6(1)(f) of the GDPR, provided that it is necessary to safeguard our legitimate interest in the optimisation, further development and efficient design of our communication and service offerings.
Double opt-in procedure
Subscription to our newsletters is carried out using the double opt-in procedure. After you have subscribed, you will receive a confirmation email to ensure that you are the owner of the email address provided and that you actually wish to receive the information. Your subscription will only become effective once you have confirmed it.
Analysis of usage behaviour and personalisation
Where we expressly and separately indicate this during registration, your consent may also cover the analysis of your usage behaviour within the newsletters. This may be carried out via personalised links or embedded graphics and serves to determine whether and when a message has been opened, whether links contained therein have been clicked, or which content is of particular interest. The aim is to make our newsletters more effective and, where necessary, to remind you to read them if a message has clearly not been opened. Provided you have provided the relevant information, the content may also be personalised according to interest categories such as age, gender or place of residence. Such analysis is carried out exclusively on the basis of separate consent.
Direct marketing without documented consent
Where we send marketing communications to business entities based on our own research or via address service providers, and where no documented consent has been obtained, the processing is carried out on the basis of our legitimate interest in direct marketing in accordance with Article 6(1)(f) of the GDPR in conjunction with Recital 47 of the GDPR. In doing so, we carefully check whether the conditions for implied consent under Section 7 of the German Unfair Competition Act (UWG) are met. In such cases, no additional analysis or tracking measures are carried out due to the lack of consent. You may object to the use of your data for advertising purposes at any time. In the relevant letter, we will inform you of the source of your address and, where applicable, the intended storage period. If an active business relationship is established, your contact details will be stored for the duration of that relationship.
Withdrawal and objection
You may withdraw your consent at any time with effect for the future. To do so, you may use the unsubscribe link included in every newsletter. Alternatively, you may contact us directly at any time. Upon withdrawal or objection, the sending of such information will cease.
Retention period and Robinson list
Your personal data will be deleted as soon as it is no longer required to fulfil the relevant purpose and there are no legal retention obligations preventing this. Your email address will generally be stored for as long as your subscription remains active. Once you have unsubscribed, your email address will be added to a so-called Robinson list to prevent future mailings. The data in the Robinson list is processed exclusively for this purpose and is not combined with other data. This serves both your interests and our legitimate interest in complying with legal requirements when sending out newsletters. Storage on the Robinson list is generally not time-limited; however, for reasons of data minimisation, we regularly review, at the latest after ten years, whether further storage is necessary. You may also object to this storage; in this case, however, it cannot be ruled out that you may receive promotional correspondence again in the future.
Data processing in third countries
Due to the global transmission of emails, the processing of personal data may also take place in so-called unsafe third countries. In such cases, we ensure that appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR are in place or that an adequate level of data protection is otherwise guaranteed.
7.1 SendGrid (Twilio)
This website uses SendGrid to send newsletters. The provider is Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, IRELAND. The data is processed on Twilio’s servers within the EU.
Where necessary, the data is processed by the sub-processor, Twilio Inc., 101 Spear Street, 5th Floor, San Francisco, California, 94105, in the USA, a third country deemed unsafe under data protection law. We have ensured that your data remains secure through technical and organisational measures, Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
For detailed information on SendGrid’s features, please refer to the following link: send-grid.com/solutions/email-marketing. For further details, please refer to SendGrid’s privacy policy at: sendgrid.com/policies/security and for Twilio at: https://www.twilio.com/legal/privacy.
7.2 Brevo (Sendinblue)
This website uses Brevo to send newsletters. The provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. The data you provide for registration purposes is stored on Sendinblue’s servers in Germany.
You can find detailed information about Sendinblue’s features at https://de.sendinblue.com/newsletter-software. For further details, please refer to Sendinblue’s privacy policy at: https://de.sendinblue.com/datenschutz-uebersicht. The data may be processed by Sendinblue’s subcontractors in so-called unsafe third countries, such as the USA or India.
7.3 HubSpot
We use HubSpot CRM, provided by HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany, to send newsletters, one-off emails and information about our offers.
HubSpot uses UTM parameters to track your usage. The parameters are added after the question mark in the link (URL). You can prevent tracking by cutting off the part after the question mark before clicking on a link.
For more information about the service in general, see legal.HubSpot.com/privacy-policy, For information on cookies, see knowledge.HubSpot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser
8 Social Media – collaborative media
8.1 General Information
We maintain publicly accessible profiles on so-called ‘social’ networks. You can find a list of the specific networks we use below.
Networks such as Facebook, Twitter, etc. can generally analyse your user behaviour in detail when you visit their website or a website with integrated social media content (such as ‘like’ buttons or advertising banners). Visiting our social media pages triggers numerous data processing operations relevant to data protection. Specifically: If you are logged into your social media account and visit our social media presence, the operator of the social media portal can link this visit to your user account. However, your personal data may also be collected even if you are not logged in or do not have an account with the relevant social media portal. In this case, data collection takes place, for example, via cookies stored on your device or by recording your IP address.
Using the data collected in this way, the operators of social media platforms can create user profiles that record your preferences and interests. This enables interest-based advertising to be displayed to you both on and off the respective social media platform. If you have an account with the relevant social network, interest-based advertising may be displayed on all devices on which you are currently logged in or have previously been logged in.
Please also note that we cannot track all processing activities on social media platforms. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media platforms. For details, please refer to the terms of use and privacy policies of the respective social media platforms.
Our social media presence is intended to ensure the widest possible online reach. This constitutes a legitimate interest. The analytical processes initiated by social media platforms may be based on different legal grounds, which must be specified by the operators of those platforms, such as consent or a contract pursuant to Article 6(1)(a) or (b) of the GDPR.
When you visit one of our social media pages, we are generally jointly responsible with the operator of the social media platform for the data processing operations triggered by that visit. You may, in principle, exercise your rights (right of access, rectification, erasure, restriction of processing, data portability and right to lodge a complaint) both against us and against the operator of the relevant social media portal.
Please note that, despite our joint responsibility with the social media platform operators, we do not have full control over the data processing activities carried out by these platforms. Our options are largely determined by the corporate policies of the respective provider and the joint controllership agreements.
Data collected directly by us via our social media presence will be deleted from our systems as soon as you request its deletion, withdraw your consent to its storage, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.
We have no influence over the storage period of your data that is stored by the operators of social networks for their own purposes. For further details, please contact the operators of the social networks directly.
8.2 Networks in detail
https://www.instagram.com/bbg.bitbase.group
https://www.xing.com/pages/bbgbitbasegroupgmbh
https://de.linkedin.com/company/bitbase-group
www.youtube.com/@bbgbitbasegroup8896
8.2.1 Meta Services: Facebook and Instagram
We use the services provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Where consent has been obtained, the use of the above-mentioned services is based on Article 6(1)(a) of the GDPR and Section 25 of the TDDDG. Consent may be withdrawn at any time. Where consent has not been obtained, the service is used on the basis of our legitimate interest in achieving the widest possible visibility on social media and in relation to joint responsibility with Meta pursuant to a contract to that effect.
The parent company of Facebook and Instagram, Meta Platforms, Inc., 1601 Willow Rd, Menlo Park, California 94025-1453, United States, is located in a unsafe third country. Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. Furthermore, the US is considered safe for as long as the European Commission’s adequacy decision remains in force and Meta participates in the TADPF. It is currently doing so: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active.
We have entered into a joint processing agreement (Controller Addendum) with Facebook. This agreement sets out which data processing operations we and Facebook are responsible for when you visit our Facebook page. You can view this agreement via the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
For further details, please refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy/.
8.2.1.1 Instagram page
We have an Instagram profile. You can find details on data processing here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381. For details on how Instagram handles your personal data, please refer to Instagram’s privacy policy: https://help.instagram.com/519522125107875.
8.2.2 XING profile
We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. When you post content on XING, this content and your metadata are processed there. We have entered into a joint controller agreement with XING. Your data is therefore processed on the basis of your consent and this agreement. For details on how they handle your personal data, please refer to XING’s privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
8.2.3 LinkedIn profile
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Data transfers to the USA are based on the European Commission’s standard contractual clauses. Further details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. As long as the European Commission’s adequacy decision remains in force and LinkedIn continues to be registered with the TADPF, the US is considered a safe third country.
For details on how LinkedIn handles your personal data, please refer to LinkedIn’s privacy policy: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
8.2.4 LinkedIn Insight Tag
This website uses the LinkedIn Insight Tag. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
With the help of the LinkedIn Insight Tag, we receive information about visitors to our website. If a website visitor is registered with LinkedIn, we can analyse, amongst other things, the key professional details (e.g. career level, company size, country, location, industry and job title) of our website visitors and thus better tailor our site to the respective target groups. Furthermore, with the help of LinkedIn Insight Tags, we can measure whether visitors to our websites make a purchase or take any other action (conversion tracking). Conversion tracking can also be carried out across devices (e.g. from PC to tablet). LinkedIn Insight Tag also offers a retargeting function, which allows us to display targeted advertising to our website visitors outside the website; however, according to LinkedIn, the recipient of the advertising is not identified.
LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser characteristics, and time of access). IP addresses are truncated or (if used to reach LinkedIn members across devices) hashed (pseudonymised). LinkedIn members’ direct identifiers are deleted by LinkedIn after seven days. The remaining pseudonymised data is then deleted within 180 days.
As the website operator, we cannot link the data collected by LinkedIn to specific individuals. LinkedIn will store the personal data of website visitors on its servers in the USA and use it for its own advertising purposes. For further details, please refer to LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig.
Where consent has been obtained, the use of the aforementioned service is based exclusively on Article 6(1)(a) of the GDPR and Section 25 of the TDDDG. Consent may be withdrawn at any time. Where consent has not been obtained, the use of this service is based on Article 6(1)(f) of the GDPR; the website operator has a legitimate interest in effective advertising measures, including on social media.
Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
You can object to LinkedIn’s analysis of usage behaviour and targeted advertising via the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Furthermore, LinkedIn members can control how their personal data is used for advertising purposes in their account settings. To prevent LinkedIn from linking data collected on our website to your LinkedIn account, you must log out of your LinkedIn account before visiting our website.
8.2.5 YouTube profile
We have a profile on YouTube. The service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube’s privacy policy: https://policies.google.com/privacy?hl=de. Data transfers to the US are based on the European Commission’s standard contractual clauses.
9 Analytics tools and advertising
9.1 Matomo (formerly Piwik)
This website uses the open-source web analytics service Matomo. Matomo employs technologies that enable cross-page recognition of users for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Matomo regarding the use of this website is stored on our server. The IP address is anonymised before storage.
With the help of Matomo, we are able to collect and analyse data on how visitors use our website. This enables us, amongst other things, to determine when specific pages were viewed and from which region the visitors are accessing the site. We also collect various log files (e.g. IP address, referrer, browsers and operating systems used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).
The use of this analytics tool is based on Article 6(1)(f) of the GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising. Where consent has been sought, processing takes place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time.
We use IP anonymisation when analysing data with Matomo. This involves truncating your IP address prior to analysis, so that it can no longer be uniquely attributed to you.
We host Matomo exclusively on our own servers, meaning that all analysis data remains with us and is not passed on.
9.2 Google General
We use Google services for a variety of purposes, including analytics and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of Google services is based on our legitimate interest in ensuring that our offerings function and are marketed as effectively as possible.
In rare cases, your data may be processed in so-called unsafe third countries, such as the USA. The transfer of data from Google Ireland Limited to Google’s parent company in the USA, other subcontractors and other unsafe third countries is based on the EU Commission’s Standard Contractual Clauses. The USA is considered adequate as long as the Commission’s current adequacy decision remains in force and Google LLC continues to participate in the EU-US Data Privacy Framework.
Where consent has been sought, processing is carried out exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device (e.g. digital fingerprint) within the meaning of the TDDDG. Consent may be withdrawn at any time.
By adjusting the settings in your browser, you can prevent the aforementioned cookies from being stored on your computer. However, this may mean that you are no longer able to use the content of this site to the same extent. By consenting to processing by Google, you consent to the processing of the data collected about you in the manner described above and for the purpose stated above.
If you have a Google account, you can opt out of personalised advertising via the following link https://www.google.com/settings/ads/onweb/. For further information on how to opt out of the adverts displayed by Google, please refer to the following links: https://policies.google.com/technologies/ads and https://adssettings.google.com/authenticated.
You can prevent Google from collecting and processing your data by downloading and installing the browser extension (plug-in) available via the link below: https://tools.google.com/dlpage/gaoptout?hl=de.
For more information on how Google handles user data, please see Google’s Privacy Policy at: https://policies.google.com/privacy?hl=de, the legal framework for data exports to so-called unsafe third countries: https://policies.google.com/privacy/frameworks and the standard contractual clauses in this context https://privacy.google.com/businesses/controllerterms/mccs.
Data processing terms and conditions specifically for advertising: https://business.safety.google/intl/de/adsprocessorterms.
9.2.1 Tag Manager
We use Google Tag Manager. Tag Manager is a tool that enables us to integrate user tracking or analytics tools and other technologies into our website. Tag Manager itself does not create user profiles, store cookies or carry out any independent analysis. It is used solely to manage and deploy the tools integrated via it. However, Tag Manager does record your IP address, which may also be transferred to Google’s parent company in unsafe third countries.
The website operator has a legitimate interest in the quick and straightforward integration and management of various tools on its website. Tag Manager is necessary for the functionality of the site.
Further information can be found in the provider’s terms of use at: https://www.google.com/intl/de/tagmanager/use-policy.html and for information on data protection at https://support.google.com/analytics/answer/6004245?hl=de.
9.2.2 Analytics
This website uses features of the web analytics service Google Analytics. Analytics enables the website operator to analyse visitor behaviour, thereby optimising the site and making it more interesting for you as a user. In doing so, the website operator receives various usage data, such as page views, time spent on the site, operating systems used and the user’s location. This data is associated with the user’s respective device. It is not linked to a unique device number.
Fundamentally, for example, the ‘test_cookie’ is used to check whether it is even possible to set cookies. This cookie is necessary for the website to function and therefore does not require consent.
Furthermore, we can use Analytics to record, among other things, your mouse and screen scrolling movements as well as clicks. Google Analytics also uses various modelling approaches to supplement the collected data sets and employs machine learning in data analysis.
Analytics uses technologies that enable user recognition for the purpose of analysing user behaviour (e.g. cookies or a digital ‘fingerprint’).
Analytics Terms of Service: https://marketingplatform.google.com/about/analytics/terms/de.
9.2.3 Demographic characteristics
This website uses Google’s ‘demographic characteristics’ feature to display relevant adverts to visitors within the Google advertising network.
This enables the creation of reports containing information on the age, gender and interests of website visitors. This data is derived from Google’s interest-based advertising and from visitor data provided by third parties. This data cannot be attributed to any specific individual. You can disable this feature at any time via the ad settings in your Google Account, or generally prevent Google from collecting your data as described in the section ‘Objecting to data collection’.
9.2.4 Ads
The website operator uses Google Ads. Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter specific search terms into Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on user data held by Google (e.g. location data and interests) (audience targeting). As the website operator, we can evaluate this data quantitatively, for example by analysing which search terms led to our advertisements being displayed and how many advertisements resulted in corresponding clicks.
These advertisements are delivered by Google via so-called ‘ad servers’. To this end, we use ad server cookies, which enable certain performance metrics, such as the display of adverts or clicks by users, to be measured. If you arrive at our website via a Google advert, Google AdWords will store a cookie on your computer. These cookies generally expire after 30 days and are not intended to identify you personally. The following data is typically stored in connection with this cookie as analytical metrics: the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions), and opt-out information (an indication that the user no longer wishes to be targeted).
These cookies enable Google to recognise your web browser. If a user visits specific pages on an Ads customer’s website and the cookie stored on their computer has not yet expired, Google and the customer can recognise that the user clicked on the advert and was redirected to that page. Each Ads customer is assigned a different cookie. Cookies cannot therefore be tracked across the websites of Ads customers. We ourselves do not collect or process any personal data in the advertising measures mentioned. We are merely provided with statistical reports by Google. Based on these reports, we can identify which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising materials; in particular, we cannot identify users on the basis of this information.
Due to the marketing tools used, your browser automatically establishes a direct connection to Google’s server. We have no influence over the scope and further use of the data collected by Google through the use of this tool and therefore provide you with the following information to the best of our knowledge: By integrating Ads, Google receives information that you have accessed the relevant part of our website or clicked on one of our advertisements. If you are registered with a Google service, Google may associate the visit with your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider may obtain and store your IP address.
The legal basis for the processing is your consent.
You can prevent participation in this tracking process in various ways:
a) by adjusting your browser settings accordingly; in particular, blocking third-party cookies means you will not receive adverts from third-party providers;
b) by disabling cookies for conversion tracking by setting your browser to block cookies from the domain “www.googleadservices.com”, https://www.google.de/settings/ads, please note that this setting will be deleted when you clear your cookies;
c) by disabling interest-based advertising from providers participating in the “About Ads” self-regulatory campaign via the link http://www.aboutads.info/choices, Note that this setting will be deleted when you clear your cookies;
d) by permanently disabling it in your Firefox, Internet Explorer or Google Chrome browsers via the link http://www.google.com/settings/ads/plugin. Please note that, in this case, you may not be able to make full use of all the features of this service.
9.2.5 Remarketing
This website uses Google Ads Remarketing features. Remarketing analyses your user behaviour on our website (e.g. clicking on specific products) in order to categorise you into specific advertising target groups and subsequently display relevant advertising messages to you when you visit other online sites (remarketing or retargeting).
To do this, Google stores cookies on the devices of users who visit certain Google services or websites on the Google Display Network. These cookies are used to track these users’ visits. The cookies serve to uniquely identify a web browser on a specific device and not to identify a person.
Furthermore, the advertising audiences created using remarketing can be linked to Google’s cross-device functions. In this way, interest-based, personalised advertising messages that have been tailored to you based on your previous usage and browsing behaviour on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC).
9.2.5.1 Remarketing with customer matching
To create target groups, we use, amongst other things, Google Remarketing’s customer matching. In doing so, we transfer certain customer data (e.g. email addresses) from our customer lists to Google. If the customers in question are Google users and are logged into their Google account, relevant advertising messages will be displayed to them within the Google network (e.g. on YouTube, Gmail or in the search engine).
9.2.6 Conversion-Tracking
This website uses Google Conversion Tracking. Conversion Tracking enables Google and us to determine whether a user has carried out specific actions. For example, we can analyse which buttons on our site are clicked and how often, and which products are viewed or purchased particularly frequently. This information is used to generate conversion statistics. We are informed of the total number of users who have clicked on our adverts and the actions they have taken. We do not receive any information that would allow us to personally identify the user. Google itself uses cookies or similar recognition technologies for identification purposes.
9.2.7 Optimize
This website uses features of Google Optimize in conjunction with Tag Manager and Analytics to optimise the site. This provides statistics on how different versions of the website are used. To this end, Google uses cookies or similar tracking technologies (e.g. digital fingerprinting).
9.3 HubSpot CRM
We use HubSpot CRM for customer relationship management. The provider is HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany.
HubSpot is an integrated application that enables us to manage various aspects of our marketing activities via websites, email or telephone. These include, amongst other things: email marketing, social media, contact management including user segmentation (CRM), measuring user behaviour on our websites, and the provision of contact forms. We obtain this data from your contact enquiries, our own research, or through the purchase of data sets. In the latter case, we also record this source and inform you of it upon first contact. The tool enables our website visitors to find out more about our company, download content and provide us with contact details and further demographic information. This information and the content are stored on servers belonging to our partner HubSpot. We may use this information to contact you and to determine which of our company’s services are of interest to you.
We process our customers’ data in accordance with Article 6(1)(b) of the GDPR. As part of our efforts to optimise our advertising activities, the service may, on the basis of a legitimate interest, process the following data in particular: name, address, occupation, company, industry, and the history of our communications; and, with your additional consent regarding cookies, in accordance with Article 6(1)(a) of the GDPR, Article 7 GDPR: browser data, login details, app data, system and device information, IP address, duration and frequency of use. We store the data of potential customers on the basis of legitimate interest until they are either retained as contractual partners or deleted; otherwise, we store the data for as long as it is necessary.
As part of this global data processing, your data may be transferred to sub-processors in unsafe third countries , such as HubSpot, Inc., 25 Street, Cambridge, MA 02141 USA, on the basis of the Standard Data Protection Clauses.
For further details on the service in general, see legal.HubSpot.com/privacy-policy, For information on cookies, see knowledge.HubSpot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser.
10 Extensions and other services
10.1 Google
10.1.1 We use Google services. For general information on this, please refer to section 9.2.
10.2 Vimeo
This website embeds videos from the Vimeo video portal. The operator of the site is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.
We use Vimeo in the enhanced privacy mode ‘Do Not Track’. This mode ensures that Vimeo does not set any cookies when you play a video via our website. When you visit one of our pages featuring a Vimeo video, a connection is established with Vimeo’s servers. In doing so, the Vimeo server is informed which of our pages you have visited. Vimeo also obtains your IP address. This applies even if you are not logged in to Vimeo or do not have a Vimeo account. The information collected by the provider is transmitted to its servers in the USA. If you are logged in to this provider’s service, you enable it to link your usage behaviour directly to your personal profile. You can prevent this by logging out of the service.
The use of Vimeo is in the interest of presenting our online services in an appealing manner. This constitutes a legitimate interest. Where consent has been sought, processing takes place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time.
Data transfers to the US are based on the European Commission’s Standard Contractual Clauses and, according to Vimeo, on ‘legitimate business interests’. Further information on how user data is handled can be found in Vimeo’s privacy policy at: vimeo.com/privacy.
10.3 WebinarGeek
We use WebinarGeek to create and, with your consent pursuant to Article 6(1)(a) of the GDPR, to provide or make available explanatory videos with live content about our products. The provider is based at Chroomstraat 12, Zoetermeer, Netherlands.
To start the video stream, you must provide your name and an email address so that we can contact you politely and send you a personalised link to the stream. When you access a video stream, you can participate interactively during the broadcast, which may involve the provision of further personal data. The email address will also be used to send you a link to a static version after the stream has ended, in case you wish to watch the video again. If you enter further details in the registration form, such as your company name or telephone number, we will use these to ask for your feedback after viewing and, where appropriate, to introduce our products on the subject.
When using the service, metadata regarding your address, device and system usage is collected, and cookies and similar technologies are used to optimise the service. This includes browser data, login details, system and device information, IP address, duration and frequency of use, and processed files. Viewing a video can be linked to an identifiable individual, meaning you may receive a personalised response. If you enter data whilst watching the video, this will be processed in accordance with the context. If you have consented to third-party cookies, the provider may receive information from these for advertising purposes.
The provider’s privacy policy can be found here: www.webinargeek.com/privacy. You can find the provider’s data protection agreement with us here: www.webinargeek.com/de/allgemeine-geschaftsbedingungen. Its general privacy policy can be found at www.webinargeek.com/de/datenschutzerklarung.
11 Telephone, Audio & Video
11.1 General
We use digital conferencing services, amongst other tools, to communicate with our business partners. The specific services we use are listed below. When you communicate with us via video, chat or audio, your personal data is collected and processed by us and by the provider of the relevant (conferencing) service.
We collect all data that you disclose (email address or telephone number, image, text, audio). We also process the duration, start and end times of your participation, the number of participants and other ‘contextual information’ relating to the communication process (metadata).
We also process all technical data required to facilitate online communication. This includes, in particular, IP addresses, MAC addresses, device number, type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.
Where content is exchanged, uploaded or otherwise made available within the service, it may be temporarily stored on the service providers’ servers. Such content includes, in particular, cloud recordings, chat or instant messages, call recordings, uploaded photos and videos, files, drawings and other information shared whilst using the service.
Please note that we do not have full control over the data processing operations of the services used. Our options depend largely on the corporate policy of the respective provider. Further information on data processing by the conference services can be found in the individual descriptions listed below this text.
We use these services in accordance with Article 6(1)(b) of the GDPR to communicate with prospective or existing contractual partners, to offer specific services to our customers, and generally to simplify and expedite communication with us or our company (legitimate interest). Where consent has been sought, for example to record a conference, the use of the relevant applications is based on this consent; consent may be withdrawn at any time with future effect. In that case, the application can no longer be used.
If and to the extent that you are informed of this prior to the start of the conference, with reference to this statement, your data will be recorded or processed by artificial intelligence for the purposes of transcription or translation. This is generally carried out on the basis of a legitimate interest. You may object to this. If you provide particularly sensitive data within the meaning of Art. 9(2) (f) of the GDPR, we process this data on the basis of your consent. If we process your data, this is done on the basis of your consent. Employees who communicate in a private capacity are hereby informed that this is done on the basis of their consent. Consent to the storage of data may be withdrawn at any time. The data will then be deleted and may no longer be used; this may conflict with the original purpose of the storage.
Data collected directly by us via the video and conference services will be deleted from our systems as soon as you request deletion, withdraw your consent to storage, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence over the storage period of your data that may be stored by the operators of the conference services for their own purposes or on your behalf. For further details, please contact the operators of the conference services directly.
We use the following conference applications:
11.2 Microsoft Teams Ireland
We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, registered office: 70 Sir Rogerson's Quay, Dublin 2, Ireland. In rare support cases, the parent company, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America, has access to your data as a sub-processor. The USA is generally considered an unsafe third country. This access is safeguarded by standard data protection clauses. The USA is currently considered a safe third country because there is a valid adequacy decision in place and Microsoft meets the requirement to participate in the TADPF (Trans-Atlantic Data Privacy Framework). Furthermore, we ensure through a data protection impact assessment that data processing in unsafe third countries also complies with the requirements of the GDPR.
For details on data processing, please refer to the Microsoft Teams privacy statement: https://privacy.microsoft.com/de-de/privacystatement.
11.3 TeamViewer
We use TeamViewer to access computers remotely for support services within the framework of existing contractual relationships, in accordance with Article 6(1)(b) of the GDPR and with the consent of the relevant employee. The provider is TeamViewer Germany GmbH, Jahnstr. 30, 73037 Göppingen. For details on data processing, please refer to the service provider’s privacy policy: https://www.teamviewer.com/de/datenschutzerklaerung.
11.4 Vapi AI (KI-Telefonagent)
We use the Vapi AI service for automated telephone communication. The provider is Vapi Inc., 95 3rd Street, 2nd Floor, San Francisco, CA 94103, USA. Vapi AI enables the use of AI-powered telephone agents for the automated handling of calls, appointment scheduling, responding to inquiries, and forwarding call content to the responsible contacts.
As part of the use of the service, the caller’s telephone number, the date, time and duration of the call, call content, voice recordings, automatically generated transcripts, information provided by the caller, and technical connection data may be processed in particular.
Processing is carried out on the basis of Article 6(1)(b) GDPR where the communication serves the performance of pre-contractual measures or the fulfilment of a contract and on the basis of Article 6(1)(f) GDPR for the efficient handling of incoming inquiries and the improvement of our accessibility. Our legitimate interest lies in efficient, fast and customer-friendly communication as well as in the optimisation of internal business processes. When using the AI telephone agent, call content is processed automatically. Where calls are recorded or transcribed, this is done exclusively on the basis of your prior consent pursuant to Article 6(1)(a) GDPR. Consent may be withdrawn at any time with effect for the future.
The automated processing serves in particular to identify and respond to inquiries, schedule appointments, and forward relevant information to responsible employees.
To provide the service, Vapi AI processes the data generated in the course of communication as a processor on its own systems and, where applicable, through engaged subprocessors for speech processing, telephony and AI services. Processing of personal data in the USA cannot be ruled out. Where personal data is transferred to third countries, this is carried out on the basis of appropriate safeguards pursuant to Article 46 GDPR, in particular by concluding the European Commission’s Standard Contractual Clauses.
The data collected in connection with the use of the AI telephone agent will be deleted as soon as the purpose of the processing no longer applies and there are no statutory retention obligations preventing deletion.
Further information on data processing can be found in the service provider’s privacy policy at:
https://vapi.ai/privacy
12 Surveys and competitions
Depending on the survey, we can theoretically collect all kinds of data. As a rule, our surveys are anonymous. This anonymity can be compromised in two ways. Firstly, you may enter very specific information into one or more free-text fields that could be used to identify you. Secondly, we may ask for this information explicitly; for example, we might combine a survey with a competition that requires a feedback channel to notify a winner, for which an email address must be provided. In this case, we will specify in the context of the input field whether we (can) merge the information or process it separately whilst maintaining anonymity.
The surveys are evaluated immediately and the personal data is then deleted, provided there are no further legal retention obligations. Email addresses from prize draws are deleted immediately after the draw and successful notification of the winner.
Data processing is generally carried out on the basis of your consent in accordance with Article 6(1)(a) of the GDPR. This legal basis generally applies regardless of the survey’s other legal basis if you enter particularly sensitive data as defined in Articles 9 and 10 of the GDPR. You may withdraw your consent to the processing of your personal data, object to such processing, or request changes at any time. The lawfulness of data processing operations that have already taken place remains unaffected by the withdrawal. Should the data processing be based on a different legal basis, we will state this in the introduction to the survey. Should surveys be necessary for the initiation or performance of contracts, the processing of personal data takes place in accordance with Article 6(1)(b) of the GDPR. If no contractual relationship exists, surveys may also be necessary to safeguard our legitimate interests in the effective planning and implementation of projects and processes. Insofar as surveys are conducted within the context of an employment relationship and are necessary for the performance of that employment relationship, this is additionally based on Section 26 of the Federal Data Protection Act (BDSG).
If you take part in an anonymous survey, your response does not contain any contact information for us and cannot be traced back to you.
12.1 Surveys using Microsoft Forms
We use Microsoft Forms. The provider is Microsoft Ireland Operations Limited, The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, registered office: 70 Sir Rogerson's Quay, Dublin 2, Ireland. In rare support cases, the parent company, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America, has access to your data as a sub-processor. The USA is generally considered an unsafe third country. This access is safeguarded by standard data protection clauses. The USA is currently considered a safe third country because there is a valid adequacy decision in place and Microsoft meets the requirement to participate in the TADPF. Furthermore, we ensure through a data protection impact assessment that data processing in unsafe third countries also complies with the requirements of the GDPR. For details on data processing, please refer to the Microsoft Teams privacy statement: privacy.microsoft.com/de-de/privacystatement.
In general, Microsoft Forms processes the following personal data: name, email address, profile picture (optional, if stored in Microsoft 365), preferred language, status (optional, if stored in Microsoft 365), date and time the questionnaire was opened, and date and time the response was submitted.
12.2 Surveys with Lamapoll
We use Lamapoll for surveys. Lamapoll is provided by Lamano GmbH & Co. KG, Frankfurter Allee 69, 10247 Berlin. The following personal data is generally processed: name, email address, preferred language, date and time the questionnaire was opened, and date and time the response was submitted.
13 Other services
13.1 Handling of applicant data
We offer you the opportunity to apply for a position with us (e.g. by email, post or via our online application form). Below, we provide information on the scope, purpose and use of the personal data collected from you during the application process. We assure you that the collection, processing and use of your data is carried out in accordance with applicable data protection law and all other legal provisions, and that your data will be treated as strictly confidential.
If you send us an application, we will process your associated personal data (e.g. contact and communication details, application documents, notes taken during interviews, etc.) to the extent necessary to decide on the establishment of an employment relationship. The legal basis for this is Section 26 of the German Federal Data Protection Act (BDSG) (initiation of an employment relationship), Article 6(1)(b) of the GDPR (general pre-contractual processing) and – provided you have given your consent – Article 6(1)(a) of the GDPR. Consent may be withdrawn at any time. Your personal data will only be shared within our company with those individuals involved in processing your application.
If your application is successful, the data you have submitted will be stored in our data processing systems on the basis of Article 6(1)(b) of the GDPR (Article 88 of the GDPR) and Section 26 of the BDSG for the purpose of managing the employment relationship.
If we are unable to offer you a position, you decline a job offer or withdraw your application, we reserve the right to retain the data you have provided for up to 6 months from the end of the application process (rejection or withdrawal of the application) on the basis of our legitimate interests. The data will then be deleted and the physical application documents destroyed. The retention serves, in particular, as evidence in the event of a legal dispute. If it becomes apparent that the data will be required after the expiry of the 6-month period (e.g. due to an impending or pending legal dispute), deletion will only take place once the purpose for continued retention no longer applies.
Your data may also be retained for a longer period if you have given your consent in accordance with Article 6(1)(a) of the GDPR, or if statutory retention obligations prevent its deletion. If we do not offer you a position, there may be the option of adding you to our waiting list. If you are added to the waiting list, all documents and details from your application will be transferred to the waiting list so that we can contact you should suitable vacancies arise. Inclusion on the waiting list is based solely on your explicit consent (Article 6(1)(a) of the GDPR). Consent is voluntary and is unrelated to the current application process. The data subject may withdraw their consent at any time. In this case, the data from the waiting list will be irrevocably deleted, provided there are no legal grounds for retention. The data from the waiting list will be irrevocably deleted no later than two years after consent is given.
13.1.1 Applications via kameon TALENT
The technical management of the kameon TALENT online application process is handled on our behalf by Microsoft Ireland Operations Limited, which acts as the host (Azure Cloud). The company is solely responsible for the technical implementation and has no influence over the application process.
We have, of course, satisfied ourselves that the company has taken all necessary technical and organisational measures to ensure data protection for the online application process. Furthermore, all employees are bound by a duty of confidentiality regarding personal data.
When using the online form, you need only provide your title, name and email address to enable us to contact you. It is up to you which additional documents you upload and whether these contain particularly sensitive data, such as health information.
Your personal data, as well as all processing steps associated with your application, are stored securely on this service provider’s servers exclusively within the EU/EEA. Data transmission is secured using SSL encryption.
The company may engage subcontractors from so-called unsafe third countries and use cookies where necessary, based on legitimate interest, to ensure smooth, global access to the portal and to carry out necessary maintenance work. This is safeguarded by appropriate safeguards and through the EU Standard Data Protection Clauses.
For more information on data protection, please visit www.bitbasegroup.com/datenschutzerklaerungprivacy.microsoft.com/de-de/privacystatement.
Microsoft Ireland Operations Limited is located at: The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18. In rare support cases, the parent company, Microsoft Corporation, One Microsoft Way, 98052-6399 Redmond, WA, United States of America, may access the data. This constitutes processing in an unsecured third country, which we safeguard with standard data protection clauses.
13.1.2 Online Applications via Factorial
We use features of the Factorial service to provide our online job portal and handle the technical processing of online applications. The provider is EVERYDAY SOFTWARE, S.L., Carrer de Llacuna 56, Building C, 08005 Barcelona, Spain; in Germany, Factorial also operates through Factorial GmbH, Ganghoferstraße 31, 80339 Munich. When using the application portal, connections may be established to Factorial’s technical endpoints, in particular api.factorialhr.com.
When using the job portal and as part of the application process, the following data in particular may be processed: personal and contact information, application documents, communication content, technical access data such as IP address, timestamps, device and browser information, as well as other data you provide during the application process. The processing is carried out for the purpose of conducting the the application process and the provision of the application portal. The legal basis is Section 26 of the German Federal Data Protection Act (BDSG) and Article 6(1)(b) of the General Data Protection Regulation (GDPR); where consent is provided, Article 6(1)(a) of the GDPR also applies.
To the extent that Factorial processes personal data on our behalf, this constitutes commissioned processing. According to the information published by Factorial, data is processed in a cloud infrastructure; Factorial refers to server locations in Frankfurt am Main and to international data transfers only on the basis of contractual or other legally prescribed mechanisms. To the extent that personal data is transferred to third countries, this is done only in compliance with Art. 44 et seq. of the GDPR. Further information on data processing by Factorial can be found in the Provider's Privacy Policy.
13.2 Reporting Portals
We operate a reporting portal (https://hint.kameon.de/?rp=4f4977f8-6360-4fba-8156-c20eb98dcc44&ln=de) Regarding the HinSchG.
For this purpose, we use a service provided by bbg bitbase group GmbH, Am Heilbrunnen 47, 72766 Reutlingen.
We treat information pursuant to Sections 8 and 9 of the German Whistleblower Protection Act (HinSchG) as strictly confidential.
The reporting portal for the German Whistleblower Protection Act (HinSchG) is designed to review and document reports, conduct internal investigations, and, where necessary, forward them to the appropriate authorities in order to address illegal misconduct in accordance with Section 2 of the German Whistleblower Protection Act (HinSchG) to be submitted to the company.
We operate this reporting portal on a voluntary basis, in accordance with the HinSchG, because we are not legally required to do so. We apply the provisions of the HinSchG accordingly.
Whistleblowers have the option to register on our website to use the whistleblower portal. For registration, login, and contact purposes, we process data that the web browser automatically transmits and personal data that you may provide as a whistleblower: Login credentials, title (if provided), first and last name (if provided), contact information (email address, phone number, or mailing address, if provided), and any personal data included in the report, particularly instances of misconduct with corresponding details.
You have the option to register anonymously. In doing so, you will receive a one-time identification code that grants you access to a secure reporting portal. Here, you can submit your report.
No data will be disclosed to third parties outside your organization without your consent, unless required by law or official order, such as Section 9 of the German Whistleblower Protection Act (HinSchG ). required.
To the extent that we, as an employer, are not required under Section 12 of the German Whistleblower Protection Act (HinSchG) to establish a reporting office but operate it voluntarily, the legal basis for data processing is your consent under Article 6(1)(a) of the GDPR. If you provide our voluntary reporting office with particularly sensitive data concerning other individuals, this is permitted only within the scope of the exceptions to Article 9(2) GDPR is permitted, and you are responsible for ensuring that your communications fall within these exceptions. Primarily, these exceptions under Article 9(2)(b) and (h) will pertain to the employer’s responsibilities under labor and social security law or health care provisions. Confidentiality is limited to the extent that, pursuant to Article 14 of the GDPR, we must determine whether we are required to inform the third party of your report under paragraph 3 within one month, or whether doing so under paragraph 5(b) would render the objectives of this reporting portal impossible or seriously impair them. However, we have the right and the duty to provide special protection for your personal data in the context of such disclosure. By submitting a pseudonymous report, you can largely protect yourself against the disclosure of personal data.
To the extent that these legal bases do not apply, the legal basis is the legitimate interest under Article 6(1)(f) of the GDPR. Our interest lies in managing our company in accordance with the law and in pursuing legal violations, such as fraud under Recital 47 of the GDPR, within our area of responsibility. The legitimacy of this interest is substantiated by the HinSchG and by the fact that Art. 18(2) and 21(1) of the GDPR identify the assertion, exercise, and defense of legal claims, as well as the protection of the rights of another person, as overriding grounds for processing by the controller.
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. This is after Section 11 of the German Whistleblower Protection Act (HinSchG), This is generally the case after three years. Other retention obligations arising from contractual relationships and processing activities necessary to fulfill contractual or legal obligations—such as six- or ten-year retention requirements under commercial and tax law—remain unaffected.
Please refer to → 4. General Information and DATA SUBJECT RIGHTS.
Last updated: 17.04.2026