Privacy Policy

Responsible Party

1Compliance GmbH, Tramstraße 11, CH-9444 Diepoldsau

Phone: +41 43 508 27 22

E-mail: [email protected]

Authorized Representatives:

Manuel Köhler & Tina Köhler

Imprint: https://www.1compliance.ch

Contact Data Protection Officer

[email protected]

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of their processing, and refers to the affected individuals.

Types of Processed Data

· Inventory data

· Payment data

· Contact data

· Content data

· Contract data

· Usage data

· Meta, communication, and procedural data

· Applicant data

Categories of Affected Persons

· Customers

· Employees

· Prospects

· Communication partners

· Users

· Applicants

· Business and contract partners

· Participants

· Depicted persons

Purposes of Processing

· Provision of contractual services and customer service

· Contact requests and communication

· Direct marketing

· Reach measurement

· Office and organizational procedures

· Administration and response to inquiries

· Application process

· Feedback

· Marketing

· Profiles with user-related information

· Providing our online service and user-friendliness

· Information technology infrastructure

Relevant Legal Bases

Below, you will find an overview of the legal bases of the revised Federal Data Protection Act (revDSG), which applies to national data protection regulations in Switzerland. This includes, in particular, the new Federal Act on Data Protection (revDSG). The revDSG is especially applicable when EU/EEA citizens are not involved and, for example, only data pertaining to Swiss citizens are processed. The processing of personal data is carried out based on the principle of legality according to Art. 6 revDSG, unless there is a justification under Art. 6 and 8 revDSG, or the data subject has objected to the processing (Art. 30 Para. 2 letter b revDSG), or if particularly sensitive personal data are to be disclosed to a third party (Art. 30 Para. 2 letter c revDSG).

In addition to the data protection regulations of the revDSG, an overview of the legal bases of the GDPR is provided, under which we process personal data of EU/EEA citizens. Please be aware that, alongside the provisions of the GDPR, national data protection requirements in your or our country of residence or establishment within the EU/EEA may also apply. Should more specific legal bases be relevant in an individual case, we will inform you in the privacy policy.

Besides the data protection provisions of the revDSG, data protection provisions of the GDPR may apply. With national reference points within the EU/EEA, respective national data protection regulations can also apply, which we likewise adhere to.

Consent (Art. 6 Para. 1 S. 1 lit. a GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.

Contract performance and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party or for carrying out pre-contractual actions at the request of the data subject.

Legal obligation (Art. 6 Para. 1 S. 1 lit. c GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.

Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Application procedures as a pre-contractual or contractual relationship (Art. 6 Para. 1 lit. b GDPR) – Insofar as special categories of personal data as defined in Art. 9 Para. 1 GDPR (e.g., health data, such as a severe disability status or ethnic origin) are requested from applicants during the application process, so that the controller or the data subject can exercise the rights and comply with their duties in employment, social security and social protection law, their processing is carried out according to Art. 9 Para. 2 lit. b GDPR, in the case of protecting vital interests of applicants or other persons according to Art. 9 Para. 2 lit. c GDPR, or for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services according to Art. 9 Para. 2 lit. h GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is based on Art. 9 Para. 2 lit. a GDPR.

In addition to the data protection regulations of the GDPR, national regulations on data protection in Switzerland apply. This includes, in particular, the Federal Act on Data Protection (DSG). The DSG is particularly applicable when no EU/EEA citizens are affected and, for example, only data concerning Swiss citizens are processed.




Security Measures

In accordance with legal requirements and considering the state of technology, the costs of implementation, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement suitable technical and organizational measures to ensure a level of security appropriate to the risk.

These measures particularly include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as related access, entry, transfer, availability, and separation. Moreover, we have established procedures that guarantee the exercise of data subject rights, the deletion of data, and responses to the endangerment of the data. Furthermore, we consider the protection of personal data in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and data-protection-friendly default settings.

TLS Encryption (https): To protect your data transmitted via our online service, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data are transmitted to other places, companies, legally independent organizational units, or persons, or that they are disclosed to them. The recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe legal requirements and, in particular, conclude appropriate contracts or agreements that serve the protection of your data with the recipients of your data.

Data Transfer within the Corporate Group: We may transfer personal data to other companies within our corporate group or grant them access to these data. If such transfer is for administrative purposes, it is based on our legitimate business and commercial interests or occurs if it is necessary for the fulfillment of our contractual obligations, or if there is consent from the data subjects or a legal permission.

Data Processing in Third Countries

In the course of processing personal data, it may happen that the data is transferred to other places, companies, legally independent organizational units, or persons, or it is disclosed to them. Recipients of this data may include service providers tasked with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve the protection of your data with the recipients of your data.

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if the processing occurs in the context of the use of third-party services or the disclosure or transmission of data to other persons, entities, or companies, this is done only in compliance with legal requirements.

Subject to express consent or transmission required by contract or law, we process or let the data be processed in third countries only with recognized data protection levels, contractual obligations through so-called standard protection clauses of the EU Commission, the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, Information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of Data

The data processed by us will be deleted in accordance with legal requirements as soon as the consents permitted for processing are revoked or other permissions lapse (e.g., if the purpose of processing this data has been omitted or they are not necessary for the purpose). If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. That is, the data are locked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax law reasons or whose storage is necessary to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person. Our data protection notices may also contain further details on the retention and deletion of data that predominantly apply to the respective processing activities.

Use of Cookies

Cookies are small text files or other storage notations that store information on end devices and read information from the end devices, such as the content accessed or functions used of an online offer. Cookies can also be used for different purposes, e.g., for the purposes of functionality, security, and comfort of online offers as well as the creation of analyses of visitor flows.

Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, except when it is not legally required. Consent is particularly not necessary if the storage and reading of information, including cookies, is absolutely necessary to provide the users with a telemedia service (i.e., our online offer) expressly requested by them. The revocable consent is communicated clearly to the users and contains the information about the respective cookie use.


Information on Legal Bases for Data Protection: The legal basis on which we process personal data of users with the help of cookies depends on whether we ask users for consent. If the users consent, the legal basis for the processing of their data is the declared consent. Otherwise, the data processed with the help of cookies are processed on the basis of our legitimate interests (e.g., in the economic operation of our online offer and its usability improvement) or if it occurs as part of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual duties. The purposes for which the cookies are processed by us are explained in the course of this privacy policy or in the context of our consent and processing procedures.

Duration of Storage: Regarding the duration of storage, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. This can save, for example, the login status or display preferred content directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and duration of cookies (e.g., in the context of obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.

General Notes on Revocation and Objection (Opt-Out): Users can revoke consents they have given at any time and also object to the processing according to the legal requirements in Art. 21 GDPR. Users can also declare their objection through the settings of their browser, e.g., by disabling the use of cookies (which may also limit the functionality of our online services).

  • Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); Meta/communication and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); Content data (e.g., entries in online forms).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further Information on Processing Operations, Procedures, and Services:

  • Processing of Cookie Data Based on Consent: We use a cookie consent management procedure in which users’ consents to the use of cookies, or the processing and providers named in the context of the cookie consent management process, can be obtained, managed, and revoked by the users. The declaration of consent is stored to avoid having to repeat the query and to be able to prove the consent according to the legal obligation. The storage can occur server-side and/or in a cookie (so-called opt-in cookie, or by using comparable technologies) to be able to assign the consent to a user or their device. Subject to individual information about the providers of cookie management services, the following applies: The duration of consent storage can be up to two years. Here, a pseudonymous user identifier is created and stored along with the time of consent, details about the scope of the consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and used end device; Legal basis: Consent (Article 6(1)(a) GDPR).
  • Google Fonts (Retrieval from Google Server): Retrieval of fonts (and symbols) for the purpose of a technically secure, maintenance-free, and efficient use of fonts and symbols regarding up-to-dateness and loading times, their uniform presentation, and consideration of possible licensing restrictions. The user’s IP address is communicated to the font provider so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, used hardware) are transmitted, which are necessary for the provision of fonts depending on the devices used and the technical environment. These data may be processed on a server of the font provider in the USA – When visiting our online service, users’ browsers send their browser HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and thereafter the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent that describes the browser and operating system versions of website visitors, as well as the referrer URL (i.e., the webpage where the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families that the user wants to load fonts for. This data is logged so that Google can determine how often a particular font family is requested. In the case of the Google Fonts Web API, the user agent must adapt the font that is generated for the respective browser type. 
The user agent is primarily logged for debugging purposes and used to generate aggregated usage statistics, which measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for the maintenance of production and an aggregated report on the top integrations can be generated based on the number of font requests. Google states that it does not use any of the information collected by Google Fonts to create profiles of end-users or to serve targeted advertisements; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate Interests (Article 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Google Analytics: Web analysis, measurement of reach and tracking of user flows; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (ensuring the level of data protection during processing in third countries): https://business.safety.google/adsprocessorterms; Opt-out option: Opt-out plugin: [https://tools.google.com/dl

Business Services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships as well as related measures and within the context of communication with the contractual partners (or pre-contractual), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations. These obligations include, in particular, the provision of the agreed services, any update obligations, and remediation of warranty and other performance disruptions. In addition, we process the data to protect our rights and for the purposes of the administrative tasks associated with these obligations as well as for organizational management. Furthermore, we process the data based on our legitimate interests in proper and economical business management and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other ancillary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the scope of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

We inform the contractual partners about what data is required for the aforementioned purposes before or during the data collection process, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as they must be retained for legal reasons of archiving. The statutory retention period for tax-relevant documents as well as for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions necessary for understanding these documents, and other organizational documents and booking receipts is ten years, and for received commercial and business letters and copies of sent commercial and business letters is six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet was drawn up, the annual financial statement or the management report was established, the commercial or business letter was received or dispatched, or the booking receipt was created, and the record was made or the other documents were generated.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

  • Processed data types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, telephone numbers); Contract data (e.g., subject matter of the contract, duration, customer category).
  • Affected persons: Prospects; Business and contractual partners; Participants; Customers.
  • Purposes of processing: Provision of contractual services and customer service; Contact requests and communication; Office and organizational procedures; Administration and answering of inquiries.
  • Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 s. 1 lit. b GDPR); Legal obligation (Art. 6 para. 1 s. 1 lit. c GDPR); Legitimate interests (Art. 6 para. 1 s. 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

  • Agency Services: We process the data of our clients as part of our contractual services, which may include conceptual and strategic consulting, software deployment, implementation of campaigns and processes, handling, data analysis/consulting services, and training services; Legal basis: Contract performance and pre-contractual inquiries (Article 6 (1) sentence 1 lit. b GDPR).
  • Education and Training Services: We process the data of the participants of our education and training programs (uniformly referred to as “trainees”) in order to be able to provide our training services to them. The processed data, the nature, scope, purpose, and necessity of their processing are determined by the underlying contract and training relationship. The forms of processing also include the performance evaluation and the evaluation of our services as well as those of the teachers. In the course of our activity, we may also process special categories of data, in particular information on the health of the trainees as well as data from which ethnic origin, political opinions, religious or philosophical beliefs can be inferred. If required, we obtain the explicit consent of the trainees and otherwise process the special categories of data only if it is necessary for the provision of training services, for purposes of health care, social protection, or the protection of vital interests of the trainees; Legal basis: Contract performance and pre-contractual inquiries (Article 6 (1) sentence 1 lit. b GDPR).
  • Consulting: We process the data of our clients, mandates as well as prospects and other contractors or contractual partners (uniformly referred to as “clients”) in order to provide our consulting services to them. The processed data, the nature, scope, purpose, and necessity of their processing are determined by the underlying contract and client relationship. If it is necessary for our contract fulfillment, for the protection of vital interests, or legally required, or if there is a consent of the clients, we disclose or transmit the data of the clients in compliance with professional legal requirements to third parties or agents, such as authorities, subcontractors, or in the field of IT, office or comparable services; Legal basis: Contract performance and pre-contractual inquiries (Article 6 (1) sentence 1 lit. b GDPR).
  • Project and Development Services: We process the data of our customers as well as contractors (hereinafter uniformly referred to as “customers”) in order to enable them to select, purchase or commission the chosen services or works and associated activities as well as their payment and provision or execution or performance. The required information is marked as such in the context of the contract, order, or comparable contract conclusion and includes the information needed for the provision of services and billing as well as contact information to hold any necessary consultations. Insofar as we gain access to information of end customers, employees, or other persons, we process these in accordance with legal and contractual requirements; Legal basis: Contract performance and pre-contractual inquiries (Article 6 (1) sentence 1 lit. b GDPR).
  • Business Consulting: We process the data of our customers, clients as well as prospects and other contractors or contractual partners (uniformly referred to as “customers”) in order to provide our contractual or pre-contractual services, especially consulting services to them. The processed data, the nature, scope, purpose, and necessity of their processing are determined by the underlying contract and business relationship. If it is necessary for our contract fulfillment or legally required, or if there is a consent of the customers, we disclose or transmit the data of the customers in compliance with professional legal requirements to third parties or agents, such as authorities, courts or in the field of IT, office or comparable services; Legal basis: Contract performance and pre-contractual inquiries (Article 6 (1) sentence 1 lit. b GDPR).
  • Events: We process the data of the participants of the events and similar activities offered or organized by us (hereinafter uniformly referred to as “participants” and “events”) in order to enable them to participate in the events and to take advantage of the services or actions associated with the participation. If we process health-related data, religious, political, or other special categories of data in this context, then this is done where the data are manifest (e.g., at thematically oriented events), where it serves health care or safety, or where it occurs with the consent of the affected persons. The required information is marked as such in the context of the contract, order, or comparable contract conclusion and includes the information needed for the provision of services and billing as well as contact information to hold any necessary consultations. Insofar as we gain access to information of end customers, employees, or other persons, we process these in accordance with legal and contractual requirements; Legal basis: Contract performance and pre-contractual inquiries (Article 6 (1) sentence 1 lit. b GDPR).


Provision of Online Services and Web Hosting

We process users’ data to be able to offer them our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the contents and functions of our online services to the user’s browser or device.

Types of data processed: 

  • Usage data (e.g., visited websites, interest in content, access times); 
  • Meta/communication and procedure data (e.g., IP addresses, time stamps, identification numbers, consent status); 
  • Content data (e.g., entries in online forms). 

Affected persons: Users (e.g., website visitors, users of online services). 

Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).

Legal basis: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).

Additional information on processing operations, procedures, and services:

  • Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also known as “web host”); Legal basis: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).
  • Wix: Hosting and software for creating, providing, and operating websites, blogs, and other online services; Service provider: Wix.com Ltd., Nemal St. 40, 6350671 Tel Aviv, Israel; Legal basis: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR); Website: https://de.wix.com/; Privacy Policy: https://de.wix.com/about/privacy; Data Processing Agreement: https://www.wix.com/about/privacy-dpa-users; Additional Information: In the context of the aforementioned services of Wix, data may also be transferred to Wix Inc., 500 Terry A. Francois Boulevard, San Francisco, California 94158, USA based on standard contractual clauses or an equivalent data protection guarantee as part of further processing on behalf of Wix.

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, telephone, or via social media) as well as in the context of existing user and business relationships, the details of the inquiring persons are processed as far as necessary to respond to contact inquiries and any requested measures.

  • Types of data processed: Contact data (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/communication and procedure data (e.g., IP addresses, time stamps, identification numbers, consent status).
  • Affected persons: Communication partners; Users (e.g., website visitors, users of online services).
  • Purposes of processing: Contact inquiries and communication; Management and answering of inquiries; Feedback (e.g., collection of feedback via online form); Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR); Contract performance and pre-contractual inquiries (Art. 6 para. 1 sent. 1 lit. b) GDPR).

Additional information on processing processes, procedures, and services:

  • Contact form: When users contact us via our contact form, email, or other communication channels, we process the data communicated to us in this context for handling the matter; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sent. 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).
  • Wix: Hosting and software for creating, providing, and operating websites, blogs, and other online services; Service provider: Wix.com Ltd., Nemal St. 40, 6350671 Tel Aviv, Israel; Legal basis: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR); Website: https://de.wix.com/; Privacy Policy: https://de.wix.com/about/privacy; Data Processing Agreement: https://www.wix.com/about/privacy-dpa-users; Additional Information: In the context of the aforementioned services of Wix, data may also be transferred to Wix Inc., 500 Terry A. Francois Boulevard, San Francisco, California 94158, USA based on standard contractual clauses or an equivalent data protection guarantee as part of further processing on behalf of Wix.
  • Ascend by Wix: Email and online marketing as well as communication platform; Service provider: Wix.com Ltd., Nemal St. 40,

Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications from other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as “conference”). In selecting the conference platforms and their services, we observe legal requirements.

Data processed through conference platforms: In the course of participating in a conference, the conference platforms process the following personal data of the participants. The extent of the processing depends on which data are required for a specific conference (e.g., providing access data or real names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, participant data may also be processed by the conference platforms for security purposes or service optimization. The processed data include personal details (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, professional title/position, the IP address of the internet access, information on the participants’ end devices, their operating system, the browser and its technical and language settings, information on the content of communication processes, i.e., entries in chats as well as audio and video data, as well as the use of other available functions (e.g., polls). The contents of communications are encrypted to the extent technically provided by the conference providers. If participants are registered with the conference platforms as users, additional data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g., from polls), as well as video or audio recordings are logged, this will be transparently communicated to the participants in advance, and consent will be requested where necessary.

Data protection measures for participants: Please refer to the privacy notices of the conference platforms for details on the processing of your data and select the optimal security and privacy settings within the conference platform settings. Please also ensure the protection of data and privacy in the background of your recording during the duration of a video conference (e.g., by notifying roommates, locking doors, and using, where technically possible, the function to blur the background). Links to the conference rooms as well as access data must not be passed on to unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process users’ data and ask users for their consent to the use of the conference platforms or certain features (e.g., consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary for the fulfillment of our contractual obligations (e.g., in participant lists, in the case of processing conversation results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and process data (e.g., IP addresses, time stamps, identification numbers, consent status).
  • Persons affected: Communication partners; users (e.g., website visitors, users of online services); persons depicted.
  • Purposes of processing: Provision of contractual services and customer service; contact inquiries and communication; office and organizational procedures; direct marketing (e.g., via email or postal mail).
  • Legal bases: Legitimate interests (Article 6 (1) (f) GDPR).

Further information on processing activities, procedures, and services:

  • Microsoft Teams: Microsoft Teams – Messenger; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal bases: Legitimate interests (Article 6 (1) (f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy statement: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

Application Process

The application process requires that applicants provide us with the data necessary for their assessment and selection. The required information is derived from the job description or, in the case of online forms, from the details provided there.

Generally, the required information includes personal details such as name, address, a contact option, and evidence of the qualifications necessary for a position. Upon request, we will also inform you about which details are needed.

If available, applicants can submit their applications to us using an online form. The data is transmitted to us encrypted according to the current state of technology. Applicants can also send their applications to us via email. However, please note that emails are generally not sent encrypted over the internet. Usually, emails are encrypted during transit but not on the servers from which they are sent and received. Therefore, we cannot take responsibility for the transmission path of the application between the sender and the reception on our server.

For the purposes of applicant search, submission of applications, and selection of applicants, we may use applicant management software, recruitment software, and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us regarding the form of submission of the application or to send the application by mail.

Processing of Special Categories of Data: Insofar as special categories of personal data within the meaning of Art. 9 Para. 1 GDPR (e.g., health data, such as a disability or ethnic origin) are requested from applicants during the application process so that the controller or the person concerned can exercise the rights arising from labor law and the law of social security and social protection and fulfill their respective obligations, their processing is carried out according to Art. 9 Para. 2 lit. b GDPR, in the case of protection of vital interests of applicants or other persons according to Art. 9 Para. 2 lit. c GDPR or for the purposes of health care or occupational health, for the assessment of the employee’s working capacity, for medical diagnostics, for care or treatment in the health or social sector or for the administration of systems and services in the health or social sector according to Art. 9 Para. 2 lit. h GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 Para. 2 lit. a GDPR.

Deletion of Data: The data provided by the applicants can be further processed by us in the case of a successful application for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. The applicants’ data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time. Subject to a legitimate withdrawal by the applicants, the deletion takes place after a period of six months at the latest so that we can respond to any follow-up questions about the application and fulfill our proof obligations under the regulations for the equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived according to tax law requirements.

Inclusion in an Applicant Pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to join the talent pool is voluntary, has no effect on the current application process, and that they can revoke their consent at any time for the future.

Duration of Data Retention in the Applicant Pool in Months: 6 months

  • Types of Data Processed: Inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., entries in online forms); applicant data (e.g., personal information, postal and contact addresses, the documents belonging to the application, and the information contained therein, such as cover letter, CV, certificates, and further information about the person or qualifications of the applicants in relation to a specific position or voluntarily provided by applicants).
  • Affected Persons: Applicants.
  • Purposes of Processing: Application process (establishment and possible later execution as well as possible later termination of the employment relationship).
  • Legal Bases: Application process as a pre-contractual or contractual relationship (Art. 6 para. 1 lit. b GDPR); Legitimate interests (Art. 6 para. 1 sent. 1 lit. f GDPR).

Cloud Services

We utilize software services that are accessible via the internet and executed on the servers of their providers (known as “cloud services,” also referred to as “Software as a Service”) for the storage and management of content (for example, document storage and management, the exchange of documents, content, and information with certain recipients, or the publication of content and information). Within this framework, personal data may be processed and stored on the servers of the providers insofar as they are part of communication processes with us or are processed by us in other ways, as outlined in this privacy policy. This data may particularly include master data and contact details of the users, data concerning transactions, contracts, other processes, and their content. The providers of cloud services also process usage data and metadata, which they use for security purposes and service optimization. In the event that we provide forms or other documents and content for other users or publicly accessible websites via cloud services, the providers may store cookies on the users’ devices for the purposes of web analytics or to remember user settings (e.g., in the case of media controls).

  • Types of data processed: Master data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
  • Categories of affected persons: Customers; employees (e.g., employees, applicants, former staff); interested parties; communication partners; users (e.g., website visitors, users of online services).
  • Purposes of processing: Office and organizational procedures; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); handling contact inquiries and communication; direct marketing (e.g., via email or postal mail); provision of our online services and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

  • Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://microsoft.com/de-de; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard Contractual Clauses (Ensuring the level of data protection during processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
  • Microsoft Teams: Microsoft Teams – Messenger; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Standard Contractual Clauses (Ensuring the level of data protection during processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
  • Google Fonts (retrieved from Google server): Retrieval of fonts (and icons) for the purpose of technically secure, maintenance-free, and efficient use of fonts and icons with regard to their being up to date and their loading times, their uniform presentation, and consideration of possible licensing restrictions. The user’s IP address is communicated to the provider of the fonts so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted, which are necessary for the provision of the fonts depending on the devices used and the technical environment. These data may be processed on a server of the font provider in the USA. When visiting our online services, the browsers of the users send their browser HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and thereafter the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP header, including the User-Agent that describes the browser and operating system versions of website visitors, as well as the referer URL (i.e., the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, User-Agent, and referer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API needs the User-Agent in order to adapt the font that is generated for the respective browser type. The User-Agent is primarily logged for debugging and is used to generate aggregated usage statistics, which measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referer URL is logged so that the data can be used for maintenance of production and an aggregated report on the top integrations based on the number of font requests can be generated. According to its own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to display targeted advertisements; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Further information: https://developers.google.com/fonts/faq/privacy?hl=de.

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as “reach measurement”) serves the evaluation of the visitor streams of our online offer and may include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine at what time our online offer or its functions or contents are most frequently used or invite reuse. We can also identify which areas are in need of optimization.

In addition to web analysis, we can also use testing procedures to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, for these purposes, profiles, i.e., data compiled into a usage process, may be created and information may be stored and read out in a browser or in an end device. The information collected includes in particular visited websites and the elements used there as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data may also be processed.

The IP addresses of the users are also stored. However, we use an IP masking process (i.e., pseudonymization by truncating the IP address) to protect users. In general, no plain data identifying the users (such as e-mail addresses or names) are stored in the context of web analysis, A/B testing, and optimization, only pseudonyms. That is, neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

  • Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta/communication and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creation of user profiles).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Legitimate interests (Art. 6 para. 1 s. 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:


Presences in Social Networks (Social Media)

We maintain online presences within social networks and in this context, we process user data to communicate with active users there or to offer information about ourselves.

We point out that user data can be processed outside of the European Union, which may result in risks for users because, for example, it could complicate the enforcement of users’ rights.

Moreover, user data is typically processed within social networks for market research and advertising purposes. For instance, user profiles can be created based on their behavior and interests arising from that behavior. These profiles can then be used to place advertisements inside and outside the networks that are believed to match the users’ interests. For these purposes, cookies are usually stored on the users’ computers, which save the usage behavior and interests of the users. Additionally, data may also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged into them).

For a detailed presentation of the respective processing forms and the opt-out options, we refer to the privacy statements and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we point out that these can be most effectively claimed directly from the providers. Only the providers have access to the user data and can take appropriate measures and provide information. If you still need assistance, you can contact us.

  • Types of processed data: Contact data (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form); Marketing.
  • Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).

Further information on processing processes, procedures, and services:

  • LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://legal.linkedin.com/dpa; Standard Contractual Clauses (Ensuring the level of data protection in third countries): https://legal.linkedin.com/dpa; Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Change and Update of the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as the changes in the data processing we perform make it necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.

Insofar as we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses can change over time, and we ask you to verify the information before making contact.

Rights of the Data Subject

You have the right to request confirmation of whether your data is being processed. If this is the case, you have a right to information about the data specified in Art. 19 ff. revDSG or Arts. 15 to 21 GDPR, provided that the owner of the data collection does not refuse, restrict, or delay the information (see Art. 9 f. DSG or Art. 15 (4) GDPR). We are also happy to provide you with a copy of the data.

  • Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling to the extent that it is associated with such direct advertising.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right to access: You have the right to request confirmation as to whether relevant data is being processed and to be informed about this data, as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
  • Right to erasure and restriction of processing: You have the right, under legal requirements, to demand that data concerning you be deleted immediately or, alternatively, to demand a restriction of the processing of the data according to legal requirements.
  • Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, common, and machine-readable format or to request its transmission to another controller.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement if you believe that the processing of your personal data violates the provisions of the GDPR.