Transparency declaration

General part

Audience Addressed.

(1) This privacy policy is addressed to all persons,

  1. whose personal data we had already stored in the past and which we now process pursuant to Article 6 (1) sentence 1 lit. c DSGVO in conjunction with Article 13(3) DSGVO about a change of purpose (see also at the very bottom of the statement: “Supplements for persons we inform about a change of purpose”).
  2. who declare to us that they consent to being contacted for advertising purposes as described in this declaration.

(2) Persons who visit our website should consult our privacy policy there.

(3) All personal designations refer to both male and female and diverse persons and language forms and are always to be understood with the addition “(m/f/d)”.

 

Person responsible.

The person responsible within the meaning of Article 4 number 7 DSGVO for the processing of personal data of visitors to this website is: LECARE Gesellschaft für Softwareentwicklung mbH, Goernestraße 27, 20249 Hamburg-Eppendorf, telephone: +49 40 48 00 17 – 0 (switchboard), e-mail: contact@lecare.com, Managing Director: Ms Zoë Andreae. Where “we” or “us” are mentioned, this refers to the responsible person presented here. You can reach our data protection officer at datenschutz@lecare.com or at our postal address with the addition of “the data protection officer”.

 

Rights of data subjects.

Data subjects have several rights under the General Data Protection Regulation with regard to the personal data processed about them. In particular:

  • the right to information about the stored personal data,
  • the right to have inaccurately stored personal data corrected,
  • the right to erasure of personal data for the further storage of which there is no legal basis,
  • the right to restrict the processing of stored personal data,
  • the right to data portability,
  • the right to complain to the supervisory authority for data protection responsible for us.

As far as the factual prerequisites of the respective claims are given and we can identify you, we will fulfil your claims promptly.

 

Processing operations involving automated decision-making (including profiling, where applicable)

(1) Insofar as we list the reference “Automated decision-making takes place here” in the following communications on tools/processing constellations, this means that we carry out a special form of data processing for these tools/processing constellations by way of exception. In this context, we draw your attention to the following:

  1. The special form of processing is the so-called automated decision-making. These are decisions which are based solely on automated processing and which have a significant effect on you, either legally or otherwise (e.g. a decision to enter into a contract). Such processing also includes ‘profiling’, which consists in any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular for the purpose of analysing or forecasting aspects relating to the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or change of location, insofar as it produces legal effects concerning the data subject or similarly significantly affects him or her.
  2. In principle, such processing operations are prohibited (cf. Article 22(1) GDPR), although there are also exceptions to this prohibition. Where we rely on exceptions, we explain these in our data protection information for persons about whom we make contractual decisions, i.e. usually customers and/or suppliers. We refer to this statement.

(2) Where the above-mentioned reference is absent, we do not use this technology in that context.

 

Transfer of data to bodies outside the European Union

(1) It is possible that we transfer personal data to bodies which are located outside the European Union, or at least we cannot exclude this (henceforth: third country body). In these cases, we must guarantee in accordance with Article 44 of the GDPR that the transfer does not fall below the level of protection of the GDPR. As a precautionary measure, we would like to point out that the third country body can be both a controller and a processor.

(2) Where we refer to a so-called adequacy decision in the following statement, this means that the third country body is located in a country, territory or specific sector for which the Commission has decided that it offers an adequate level of protection. This guarantee then follows from Article 45 GDPR.

(3) Insofar as we refer to the so-called standard contractual clauses in the following declaration, this means that the third country body has accepted the so-called EU standard contractual clauses and has thus contractually committed itself to respecting the level of protection of the General Data Protection Regulation. This guarantee then follows from Article 46(1) and (5) GDPR.

(4) Where we refer in the following statement to the fact that you have consented to the transfer to the third country body, this means that you have been informed of all existing possible risks of such transfers, for which there is no adequacy decision or other safeguards, and have nevertheless consented to the data transfer. This guarantee then follows from Article 49(1) lit. a GDPR. For reasons of transparency, we describe the corresponding risks in a separate section.

(5) This notice is given only as a precautionary measure. It shall only apply if we refer to it in the following declaration. There is also the possibility that we do not make use of this.

 

Special constellation: EU standard contractual clauses and third country bodies based in the USA

(1) In addition to the explanations under “Transfer of data to bodies outside the European Union” – paragraph 3, we draw your attention to a special constellation. In the case of transfers to third country bodies established in the US, the possibility to rely on the EU standard contractual clauses is limited. Therefore, to the extent that we intend to (or already do) rely on the EU standard contractual clauses in this context, please note the following:

(2) We will only base transfers of personal data to US third country bodies on the EU standard contractual clauses if we have first conducted a thorough review of the facts involved. In doing so, we first determine a risk level (type and, in particular, sensitivity of the data concerned, scope of data processing, purpose of data processing, susceptibility to misuse). We then check whether the contractual commitments made by the US third country body and the technical and organisational measures taken there (e.g. processing of data exclusively in EU-based data centres, encryption technology) sufficiently minimise the risks identified in advance. Only if we come to the conclusion in this respect that the EU standard contractual clauses are exceptionally a sufficient guarantee even in the case of a US third country, will we invoke them.

(3) This notice is given only as a precautionary measure. It shall only apply if we refer to it in the following declaration. There is also the possibility that we do not make use of this.

 

Special constellation: Consent to transfer to third-country offices located in the USA, including risk information

(1) In addition to the explanations under “Transfer of data to bodies outside the European Union” – paragraph 4, we draw your attention to a further special constellation. In the case of transfers to third country bodies established in the US, the possibility to rely on the EU standard contractual clauses is limited. Therefore, in some cases, the only option is to ask for your consent to this transfer. However, before you give this consent, we ask that you take note of the following risks and consider them when deciding whether to consent:

(2) We would like to emphasize that a data transfer to the USA without the protection of an adequacy decision may entail considerable risks. Particular attention should be drawn to the following risks:

  1. There is no uniform data protection law in the US, let alone one comparable to the data protection law applicable in the EU. This means that both U.S. companies and government agencies have more opportunities to process your personal data, especially for promotional targeting, profiling, and conducting (criminal) investigations. Our options for taking action against this are considerably limited.
  2. The U.S. legislature has granted itself numerous access rights to your personal data (see, for example, Section 702 of FISA or E.O. 12333 in conjunction with PPD-28), which are not compatible with our understanding of the law. In particular, no proportionality test comparable to those in the European Union is applied prior to access.
  3. Citizens of the European Union cannot expect effective legal protection in the USA.
  4. We will generally only ask you for such consent if we have concluded that the US third party cannot successfully rely on EU standard contractual clauses.

(3) We make this declaration merely as a precaution. It shall only apply if we refer to it in the following declaration. There is also the possibility that we do not make use of this.

Special constellation: Consent to transfer to third country entities located in the Russian Federation, including risk warnings

(1) In addition to the explanations under “Transfer of data to bodies outside the European Union” – paragraph 4, we draw your attention to a further special constellation. In the case of transfers to third country bodies established in the Russian Federation, the possibility to invoke the EU standard contractual clauses is limited. Therefore, in some cases, the only option is to ask for your consent to this transfer. However, before you give this consent, we ask that you take note of the following risks and consider them when deciding whether to consent:

(2) We would like to emphasize that a data transfer to the Russian Federation without the protection of an adequacy decision may entail considerable risks. Particular attention should be drawn to the following risks:

  1. Although the legislator of the Russian Federation has ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the so-called European Data Protection Convention), there may be implementation deficits.
  2. The legislator of the Russian Federation and its investigative authorities have been granted access rights to your personal data which are at least not fully compatible with our legal understanding. In particular, no proportionality test comparable to those in the European Union is applied prior to access.
  3. Citizens of the European Union cannot expect the same legal protection in the Russian Federation as in the EU.
  4. As a rule, we will only ask you for such consent if we have come to the conclusion that the third country body in Russia cannot successfully invoke EU standard contractual clauses.

Note on the legal obligation to process.

Only insofar as we refer in the following data protection declaration to Article 6 Paragraph 1 Sentence 1 lit. c DSGVO, there is a legal obligation to process.

 

Processing operations necessary for the performance of contracts (primary legal basis Article 6(1) sentence 1 lit. b DSGVO).

General information on the purpose and legal basis of the processing operations described below.

(1) The purpose of the processing operations described below is the establishment, performance, termination of contracts as well as the defence against claims on your part which are directly or indirectly related to the respective contract.

(2) Insofar as the purpose of the processing is the establishment, performance or termination of contracts, Article 6 (1) sentence 1 lit. b DSGVO is the legal basis for the processing of your personal data. According to this provision, the processing of your personal data is permitted even without your consent if it is necessary for the performance of a contract to which you are a party or for the performance of pre-contractual measures taken at your request.

(3) Insofar as the purpose of the processing is the defence against claims by you which are directly or indirectly related to the contract in question, Article 6 (1) sentence 1 lit. f DSGVO is the legal basis for the processing in addition to Article 6 (1) sentence 1 lit. b DSGVO. Our legitimate interest in this respect follows from our right to defend ourselves against claims on your part.

(4) Only insofar as we process your data in your function as an applicant or current or former employee on this website, Article 88 DSGVO in conjunction with Section 26 (1) BDSG2018 is the legal basis. According to this provision, the processing of your personal employee data (including your applicant data) is also permitted without your consent if it is necessary for the performance of an employment contract to which you are a party or for the performance of pre-contractual measures.

(5) Insofar as we use Article 6 Paragraph 1 Sentence 1 lit. f DSGVO, you have the right to object to the processing, which in cases of justified objection leads to an end of the processing based on this. And insofar as we do not expressly refer to Article 6 Paragraph 1 Sentence 1 lit. c DSGVO, there is no obligation to process.

 

General information on the retention period of data in the context of the processing operations described below.

(1) We store the data as long as this is necessary to establish, execute, possibly terminate the contract and/or to defend ourselves against claims by you that are directly or indirectly related to the respective contract.

(2) If a contractual relationship is established between us, we additionally store the data until the expiry of our statutory retention periods. The legal basis for this is Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO, § 257 HGB. According to these regulations, some of the above-mentioned data must also be retained beyond the time when the purpose has been achieved. We are therefore obligated, if necessary,

  1. to retain personal data relating to you that are derived from books and records, inventories, annual financial statements, individual financial statements pursuant to § 325 para. 2a HGB, consolidated financial statements, management reports and group management reports, opening balances, accounting vouchers, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code, commercial books as well as the work instructions and other organisational documents required for their comprehension, for ten years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO or in conjunction with § 257 HGB),
  2. to retain data relating to your person resulting from received commercial or business letters, from the reproduction of the received commercial or business letters as well as from other documents which are of significance for taxation for six years, whereby the retention period generally begins with the end of the calendar year in which the relevant document arose (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO or in conjunction with § 257 HGB).

(3) If we process your data in your capacity as an applicant on this website, we will generally store the data until a final decision has been made regarding your application and

  1. in the event of rejection for a further six months after rejection, whereby the legal basis for the six-month storage is Article 6 (1) sentence 1 lit. f DSGVO and our legitimate interest follows from the right to defend ourselves against complaints under the AGG (cf. Section 15 (4) AGG),
  2. in the event that we ask you whether you wish to be included in our applicant pool and you say yes, until the time of revocation of your consent, the legal basis for this storage being your consent pursuant to Article 88 DSGVO in conjunction with § 26 paragraph 2 BDSG2018.

In the cases of paragraph 3 clauses 1 and 2, we only reserve the right to store data, but this data protection declaration does not establish an obligation to store data.

(4) Insofar as we use Article 6 Paragraph 1 Sentence 1 lit. f DSGVO, you have the right to object to the processing, which in cases of justified objection leads to an end of the processing based on this. And insofar as we do not expressly refer to Article 6 Paragraph 1 Sentence 1 lit. c DSGVO, there is no obligation to process.

 

Purchase of our free service.

(1) You have the option of concluding a free contract with us for the following free service: a free 30-minute strategy discussion about the digitalisation possibilities of your legal department.

(2) We process all data necessary to establish, perform and/or terminate this contract. These are usually the order date, your e-mail address and information about the delivery status.

 

Other contracts.

(1) You have the possibility to conclude (free and fee-based) contracts with us.

(2) We process all data necessary to establish, perform and/or terminate this contract. These are usually the order date, your e-mail address and information about the delivery status and about maintenance procedures.

(3) Insofar as we are contractually obligated or at our own discretion come to the conclusion that we have to inform you about innovations, maintenance procedures and/or updates, we will inform you by telephone and/or by post and/or by e-mail, as the case may be.

 

Klick-Tipp (to establish, perform and/or terminate the contract).

(1) We use the following provider: KLICK-TIPP LIMITED, 15 Cambridge Court, 210 Shepherd’s Bush Road, London W6 7NJ (United Kingdom). We would like to briefly describe this processing procedure: On our website you have the possibility to buy products from us and/or to book services from us. We control

  1. the collection of your personal data during the initiation of the respective contract,
  2. the communication (in particular by e-mail) with you necessary for the establishment, execution and/or termination of the contract as well as
  3. the delivery of our products and/or services.

We have commissioned this provider with the processing of your personal data required in this respect in accordance with Article 28(3) DSGVO. The privacy policy of this provider can be found here: https://www.klick-tipp.com/datenschutzerklärung.

(2) In doing so, we generally process the following data from you: (1) all contact and order data entered by you, (2) payment data, if applicable, (3) data on delivery and (4) data on the assertion of rights on your part and the reaction on our part. For more information on how the data is processed, please visit: https://www.klick-tipp.com/handbuch.

(3) The fact that this provider is based outside the European Union shall not prevent it from being commissioned. This is because, pursuant to Art. FINPROV 10A of the Brexit Agreement of 31 December 2021 (p. 468 et seq.), the United Kingdom will not be considered a “third country” under Article 44 GDPR for a period of four months from 1 January 2021, i.e. initially and for the time being until 1 May 2021. However, even irrespective of the UK’s third country status, the transfer of data there is justified because the provider has committed itself under the EU standard contractual clauses (Article 46 GDPR).

Zapier (to establish, perform and/or terminate the contract).

(1) We use the following provider here: Zapier Inc., 548 Market St #62411, San Francisco, California 94104 (USA), which provides the “Zapier” tool we use. We would like to briefly describe this processing procedure: Zapier allows us to connect web apps so that customer and prospect data can be automatically exchanged between the various applications. In this context, the data is exchanged via Zapier, so that the data may also be processed there. We have commissioned this provider with the processing of your personal data required in this respect in accordance with Article 28(3) DSGVO. You can find the privacy policy of this provider here: https://zapier.com/privacy/.

(2) In this context, we generally process the following data from you: All data that we collect via tools that we use in connection with the establishment, implementation and/or termination of contracts between us and automatically linked via this provider. As a rule, this can be all data from the initiation of the contract (often your contact data), from the execution of the contract (often order and payment data) and from the termination of the contract (status end of contract, status discontinuation of services). For more information on the possible applications, please visit: https://zapier.com/learn/getting-started-guide/what-is-zapier/.

(3) The fact that this provider is based outside the European Union shall not prevent it from being commissioned. This is because we can only offer you contractual services for which we use Zapier if you consent to the associated transfer of data to the USA (cf. Article 49(1)(a) DSGVO). Please be sure to read our risk information beforehand (cf. General part/ Special constellation: consent to transfer to third-country offices located in the USA, including risk information).

 

Form Designer from Hubspot.

(1) We use the following CRM provider to create and manage customer and prospect data: HubSpot, Inc, 25 First Street, Cambridge, MA 02141 (USA), hubspotgermany@hubspot.com. We have contracted this provider to process your data in accordance with Article 28 DSGVO. You can find the agreement here: https://legal.hubspot.com/de/dpa. The privacy policy of this provider can be found here: https://legal.hubspot.com/de/privacy-policy.

(2) In this context, we generally process all data that you provide to us in connection with the establishment, implementation and/or termination of a contractual relationship, regardless of whether this contractual relationship is subject to a charge or free of charge. You can find more details about how we process via this provider here: https://www.hubspot.de/products/get-started?hubs_content=www.hubspot.de/&hubs_content-cta=hsg-nav__box-link.

(3) The fact that this provider is based outside the European Union shall not prevent it from being commissioned. This is because the processing of your personal data via the form will only take place if you consent to the associated data transfer to the USA (cf. Article 49(1)(a) DSGVO). Please be sure to read our risk information beforehand (cf. General part/ Special constellation: consent to transfer to third-country offices located in the USA, including risk information).

 

Processing operations for which your consent is required (legal basis Article 6(1) sentence 1 lit. a DSGVO).

General information on the purpose and legal basis of the processing operations described below.

(1) The purpose of the processing operations described below is described separately for each tool.

(2) The legal basis for the respective data processing is your consent pursuant to Article 6 (1) sentence 1 lit. a GDPR. Under this provision, the processing of your personal data is allowed if you have given your consent to the processing of personal data relating to you for one or more specified purposes.

 

General information on the retention period of data in the context of the processing operations described below.

(1) We store the data until you have revoked your consent.

(2) Should a contractual relationship be established between us following processing based on your consent, we may additionally store some of your data until the expiry of our statutory retention periods. The legal basis for this is Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO, § 257 HGB. According to these regulations, some of the above-mentioned data must also be retained beyond the time when the purpose has been achieved. We are therefore obligated, if necessary,

  1. to retain data relating to your person derived from books and records, inventories, annual financial statements, individual financial statements under sec. 325 para. 2a HGB, consolidated financial statements, management reports and group management reports, opening balances, accounting vouchers, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code, commercial books as well as the work instructions and other organisational documents required for their comprehension, for ten years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO or in conjunction with § 257 HGB),
  2. to retain data relating to your person resulting from received commercial or business letters, from the reproduction of the received commercial or business letters as well as from other documents which are of significance for taxation for six years, whereby the retention period generally begins with the end of the calendar year in which the relevant document arose (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO or in conjunction with § 257 HGB).

 

Note for legal basis “consent”.

(1) Insofar as we obtain consent from you for processing, you have the right to revoke this consent at any time with effect for the future. As a rule, this is possible by sending an informal message to us (cf. “Person responsible.” above).

(2) Furthermore, we would like to point out that we process additional personal data of yours within the scope of obtaining your consent. These are on the one hand identity features (such as your name, your e-mail address, your IP address) and on the other hand log data on consent (time of consent, status of consent, scope of consent). We base this data processing on Article 6 paragraph 1 sentence 1 lit. c DSGVO in conjunction with Article 7(1) DSGVO. The purpose is to be able to prove that you have given your consent.

(3) We store the identity features and log data for consent until the end of the third calendar year following the year in which you revoke your consent. The legal basis for this storage is Article 6 (1) sentence 1 lit. f DSGVO, whereby our legitimate interest follows from the fact that we must be able to prove within the relevant, civil law limitation period that you have consented and what you have consented to.

 

Data processing when sending a newsletter and voluntariness requirement.

(1) We may process your data (name, email address, other information you voluntarily provide) to send you a newsletter. A newsletter is an electronic mailing that is published on a regular basis. At the beginning, you provide us with the data that we ask for in order to subscribe to the newsletter. After carrying out the double opt-in procedure (cf. paragraph 2), we use your data to address you in an advertising manner by means of a newsletter. The consent also includes the evaluation of your reading behaviour, e.g. when you open an e-mail.

(2) To obtain consent, we use the so-called double opt-in procedure. This means that after your registration, we will send you an e-mail to the e-mail address you provided, in which we ask you to confirm your consent. If you do not confirm your registration within 45 days, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the time of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data. The legal basis for this processing is Article 6 (1) sentence 1 lit. c GDPR. According to this regulation, we may process your data if this is necessary for the fulfilment of a legal obligation to which we are subject. The legal obligation to which we are subject follows from Article 7(1) DSGVO or Article 5(1) DSGVO. This is because, under these regulations, we are legally required to document that consent has been obtained. This is only possible if we collect your data for verification purposes. We store the data as long as this is necessary for verification purposes. Provided you confirm your consent, the retention period will not end until you revoke your consent plus the time until the statute of limitations for any civil claims, i.e. as a rule on 31 December of the 3rd calendar year following the year in which you revoked your consent.

(3) In doing so, we generally process the following data from you: The data that you provide to us for registration to the newsletter and the data that we need in accordance with paragraph 2 to prove the granting of consent (opt-in status data) and, if applicable, data for revoking your consent.

(4) You will receive our free service (cf. “Processing operations necessary for the performance of contracts (primary legal basis Article 6(1) sentence 1 lit. b DSGVO)” / “Purchase of our free service.”) only if you give this consent. In this context, we take the requirement of voluntariness prescribed in Article 7(4) of the GDPR and Article 4(11) of the GDPR very seriously. We would like to clarify this: By linking the provision of our free service to the fact that you give the consent described above, we are taking advantage of the possibility that exists in our legal opinion to make the associated data processing itself the subject of the contract; not only in order to fulfil it, but by exchanging your consent to the data processing as consideration for the provision of a free service. On closer inspection, your consent is therefore an integral part of the contract, which otherwise could not be concluded or could only be concluded against payment. Our free service is “paid for” or exchanged for personal data. Since your consent is of central importance to us, the transfer of data for the above-mentioned purposes is the price we pay for our services.

 

Zapier (for the advertising approach).

(1) We use the following provider here: Zapier Inc., 548 Market St #62411, San Francisco, California 94104 (USA), which provides the “Zapier” tool we use. We would like to briefly describe this processing procedure: Zapier allows us to connect web apps so that customer and prospect data can be automatically exchanged between the various applications. In this context, the data is exchanged via Zapier, so that the data may also be processed there. We have commissioned this provider with the processing of your personal data required in this respect in accordance with Article 28(3) DSGVO. You can find the privacy policy of this provider here: https://zapier.com/privacy/.

(2) In doing so, we generally process the following data from you: All data that we collect via tools that we use in connection with the advertising approach to you. For more information on the possible applications, please visit: https://zapier.com/learn/getting-started-guide/what-is-zapier/.

(3) The fact that this provider is based outside the European Union shall not prevent it from being commissioned. This is because we can only offer you contractual services for which we use Zapier if you consent to the associated transfer of data to the USA (cf. Article 49(1)(a) DSGVO). Please be sure to read our risk information beforehand (cf. General part/ Special constellation: consent to transfer to third-country offices located in the USA, including risk information).

 

CRM by Hubspot.

(1) We use the following CRM provider to create and manage customer and prospect data: HubSpot, Inc, 25 First Street, Cambridge, MA 02141 (USA), hubspotgermany@hubspot.com. We have contracted this provider to process your data in accordance with Article 28 DSGVO. You can find the agreement here: https://legal.hubspot.com/de/dpa. The privacy policy of this provider can be found here: https://legal.hubspot.com/de/privacy-policy.

(2) In this context, we generally process all the data that you provide to us in connection with the advertising approach to your person. You can find more details about how we process via this provider here: https://www.hubspot.de/products/get-started?hubs_content=www.hubspot.de/&hubs_content-cta=hsg-nav__box-link.

(3) The fact that this provider is based outside the European Union shall not prevent it from being commissioned. This is because the processing of your personal data via the form will only take place if you consent to the associated data transfer to the USA (cf. Article 49(1)(a) DSGVO). Please be sure to read our risk information beforehand (cf. General part/ Special constellation: consent to transfer to third-country offices located in the USA, including risk information).

 

Data processing when using Klick Tipp.

(1) We use the above-mentioned marketing automation service provider. The provider is KLICK-TIPP LIMITED, 15 Cambridge Court, 210 Shepherd’s Bush Road, London W6 7NJ (United Kingdom).

(2) We are happy to briefly describe this processing operation: we use Klick-Tipp to apply marketing measures to you, which we have identified and described as such in this privacy policy. We have commissioned this provider with the processing of your personal data required in this respect in accordance with Article 28(3) DSGVO. The privacy policy of this provider can be found here: https://www.klick-tipp.com/datenschutzerklärung.

(3) In doing so, we generally process the following data from you: We process all data that we use for advertising purposes, as already described in this privacy policy. Furthermore, we use the so-called “tags” of Klick-Tipp in our communication with you (e.g. for the processing of the contract or for follow-up e-mails) and for the delivery of newsletters and webinars. A tag is a label of information with additional information, specifications or categories. With tagging, information is linked with suitable keywords, categories or other parameters defined by us in advance. You can find more information about tagging with Klick-Tipp at https://www.klick-tipp.com/handbuch/erste-schritte/tag-erstellen. The important thing is that we use and define these tags so that Klick-Tipp follows our instructions here. With Klick-Tipp, so-called SmartTags and manual tags are set. SmartTags are used when you register for something (appointment, newsletter, webinar, etc.) via a registration form. In this case, you will automatically receive a tag with the name of the registration form in question. In addition, Klick-Tipp automatically sets the tags “Email received”, “Email opened”, “Email clicked” and “Email viewed in browser” for us. We set manual tags completely independently. For example, we can tag you “customer” or, more specifically, tag you “purchased product B” or “viewed webinar up to this point.” Klick-Tipp collects some of the information that becomes the basis of tagging via additional tracking pixels. The tags are generally used to enable us to fulfil our obligations in the pre-contractual and contractual relationship. They also enable us to communicate with you automatically, which increases our accessibility and thus our service level. If we use the tags to send advertising, this is part of the legal basis claimed for this. We also use the tags to improve promotional targeting.
Therefore, if you do not want any analysis by Klick-Tipp, you must unsubscribe or object to the reason for our communication. For this purpose, we provide a corresponding link in each message that is aimed at this. Furthermore, you can also unsubscribe from the newsletter or webinar directly on the website.

(5) The fact that data may be processed outside the European Union shall not prevent the processing operations. This is because, pursuant to Art. FINPROV 10A of the Brexit Agreement of 31 December 2021 (p. 468 et seq.), the United Kingdom will not be considered a “third country” under Article 44 GDPR for a period of four months from 1 January 2021, i.e. initially and for the time being until 1 May 2021. However, even irrespective of the UK’s third country status, the transfer of data there is justified because the provider has committed itself under the EU standard contractual clauses (Article 46 GDPR).

 

Processing operations that are in our legitimate interest (legal basis Article 6(1) sentence 1 lit. f DSGVO).

General information on the purpose and legal basis of the processing operations described below.

(1) The purpose of the processing operations described below is described separately for each tool. It is the decisive justification for our legitimate interest in processing.

(2) The legal basis for the respective data processing is Article 6 (1) sentence 1 lit. f GDPR. According to this provision, the processing of your personal data is also permitted without your consent if it is necessary for the protection of our legitimate interests or those of a third party, unless these are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

 

General information on the retention period of data in the context of the processing operations described below.

(1) We store the data until our purpose has ceased to exist, which is always the case if you have raised a justified objection (cf. “Note on the right to object.”).

(2) Should a contractual relationship be established between us following processing based on legitimate interest, we shall store the data on a supplementary basis until the expiry of our statutory retention periods. The legal basis for this is Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO, § 257 HGB. According to these regulations, some of the above-mentioned data must also be retained beyond the time when the purpose has been achieved. We are therefore obligated, if necessary,

  1. to retain data relating to your person derived from books and records, inventories, annual financial statements, individual financial statements under sec. 325 para. 2a HGB, consolidated financial statements, management reports and group management reports, opening balances, accounting vouchers, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code, commercial books as well as the work instructions and other organisational documents required for their comprehension, for ten years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO or in conjunction with § 257 HGB),
  2. to retain data relating to your person resulting from received commercial or business letters, from the reproduction of the received commercial or business letters as well as from other documents which are of significance for taxation for six years, whereby the retention period generally begins with the end of the calendar year in which the relevant document arose (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with § 147 AO or in conjunction with § 257 HGB).

 

Note on the right to object.

(1) Insofar as we refer in the following data protection declaration to data processing based on Article 6 (1) sentence 1 lit. f DSGVO, i.e. based on a legitimate interest in the processing, you always have the right to object to the processing. As a rule, this is possible by sending an informal message to us (cf. “Person in charge.” above). If the objection is justified, we will stop the processing.

(2) If the legitimate interest is based on the interest in direct advertising or promotional targeting, your objection is always justified insofar as you are identified.

 

Other promotional speech.

(1) Insofar as we have not already obtained your consent for advertising, we may inform you about our services at regular or irregular intervals (advertising e-mails, customer satisfaction surveys and similar) and use your e-mail address and/or your postal address for this purpose. We derive our legitimate interest from recital 47 to the GDPR, which states, inter alia: The processing of personal data for the purposes of direct marketing can be considered as processing serving a legitimate interest. In view of the fact that there is a business contact between us, the advertising approach is in our legitimate interest.

(2) You have the option of objecting to the use of your data for advertising purposes at any time by sending an informal message, for example to the above-mentioned contact details (“Who are we?”), without incurring any costs other than the transmission costs according to the basic rates. With your objection, the processing for these purposes ends. If there is then no further reason for storage, we will then also delete the data.

 

Supplements for persons we inform of a change of purpose.

Background of addition.

This section is additionally addressed to all persons whose personal data we had already stored in the past and whom we now wish to inform pursuant to Article 6 (1) sentence 1 lit. c DSGVO in conjunction with Article 13(3) of the GDPR about a change of purpose (see also at the very bottom of the statement: “Supplements for persons we inform about a change of purpose”).

 

Data processing in the context of the change of purpose message.

We process your e-mail address and the status information indicating that we had already stored your data. The purpose of the processing is to comply with our legal obligation to inform you of changes in purpose. The legal basis is Article 6 (1) sentence 1 lit. c DSGVO in conjunction with Article 13(3) of the GDPR. According to this provision: Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall, prior to such further processing, provide the data subject with information on that other purpose and any other relevant information referred to in paragraph 2. These conditions are fulfilled since the existing purpose of the processing is extended, namely to marketing automation. In particular, we will process your data automatically for advertising purposes and use the above-mentioned marketing automation tools for this purpose.