Privacy Information

1. Contact person The responsible person for the purposes of the General Data Protection Regulation (GDPR) is: Roman Lingert. You can also contact our Data Protection Officer directly with questions about data protection at info@megagroup.ee.

2. Note on Gender-Sensitive Language We strive to use gender-sensitive language. In some cases we use only the masculine form of terms such as "user" to make the text easier to read. If we only use the masculine form, the term is still intended to be inclusive of all genders.

3. Your rights in general At this point we summarize the general rights you have under the GDPR in relation to your personal data processed by us. For an explanation of legal terms, we refer to the applicable definitions in the GDPR (see Article 4). If anything is unclear, please don't hesitate to ask us.

(1) You can withdraw your consent to the processing or disclosure of your data at any time in the future (Article 7 (3) GDPR).

(2) If the legal basis for the processing of your data is legitimate interest in accordance with Article 6 paragraph 1 letter f GDPR, you can object to the processing of your data in accordance with Article 21 GDPR. Where the respective data processing is direct advertising, you do not need to justify your objection in any way; in all other cases, you will be required to state the reasons for your objection that arise from your particular situation.

(3) If we have stored incorrect information about you, you can ask us to correct your data (Article 16 GDPR).

(4) You can request information from us about which of your data we process (Article 15 GDPR, Section 34 BDSG).

(5) You can ask us to delete your data or restrict its processing, as long as your request does not conflict with higher storage obligations (Article 17 or 18 GDPR, Section 35 BDSG).

(6) You can request that we provide you with data that you yourself have provided to us in a machine-readable format for transmission to third parties (Article 20 GDPR).

(7) You can lodge a complaint with a data protection supervisory authority, for example the Data Protection Officer in Hamburg, about data protection problems with us.

4. Data processing by us in general Any form of processing of personal data requires a legal basis that permits such processing. The legal basis arises primarily from the purpose for which the data is processed. Whether processing is lawful on a given legal basis is regularly measured against the specific scope of the data processing and the measures we have taken to protect your data. The legal basis for data processing follows from Article 6 paragraph 1 GDPR and, for particularly sensitive data such as health data, from Article 9 paragraph 2 GDPR. These two rules identify the preparation or fulfillment of contractual, legal or social obligations as the most important legal basis for data processing. In addition, most data processing is carried out in our legitimate interests, unless the interests of the individuals concerned prevail in the particular circumstances. If one of the above-mentioned types of legal basis is relevant, the processing does not require any additional consent from you. In addition, data processing may be based on your consent (Article 7 GDPR) or, where information society services (e.g. websites, online games, social networking platforms) are used by children or young people under 16 years of age, on the consent of the legal guardian (Article 8 GDPR). At this point, we explicitly state that none of our offerings are intended for anyone under 16 years of age. In some cases, our obligation to seek your consent does not arise from the GDPR or not only from the GDPR, but also from the Telecommunications Data Protection Act (TTDSG) or the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without expressly referring to them further. If data is transferred to a country outside the European Economic Area (EEA), we ensure data protection in accordance with Articles 44 to 49 of the General Data Protection Regulation. Such a transfer outside the EEA is called a transfer to a third country in data protection law.

 

5. General information about cookies Cookies are small text records that are stored on your device by your browser when you visit a website. A cookie can store a variety of information. In some cases, the cookie stores only a yes or no (“true” or “false”) or a country code, such as “de” for German; in other cases, a string of characters is stored that allows the browser to be clearly identified when the website is called up again (the so-called cookie identifier). The right to set cookies is governed not only by the GDPR, but primarily by § 25 TTDSG. This provision distinguishes between cookies that are absolutely necessary for the operation of the online offer and those that are not. Essential cookies can also be set without consent, but optional cookies always require consent, even if this is not required under the GDPR (for example, if there is a legitimate interest as a legal basis or the data is not personal). Before we store non-essential cookies on your device, we ask for your consent in accordance with the provisions of Section 25 TTDSG. The purpose of each cookie and the legal basis for its use under the GDPR can be found in the following description of individual data processing. There are several ways to prevent your device from accepting cookies:

a) The standard case should be that when you call up one of our websites, you use our consent manager to decide which cookies you allow and which you do not. Sometimes we can only offer you full acceptance or rejection of all cookies or groups of cookies.

b) Basically, you can set your browser to never accept cookies. With such a complete exclusion, you will likely lose features that rely on cookies and that you would actually like to allow, or that do not require consent at all.

c) You can access websites in the private mode of your browser. Private mode also blocks the installation of cookies in your browser's memory or automatically deletes all cookies at the end of your session(s).

d) Some browsers or browser plug-ins offer you the opportunity to make various pre-settings regarding which cookies you want to accept by default and which you do not want to accept.

e) Special case: Google offers a browser plug-in that prevents the installation of various Google cookies. The corresponding plugin can be found here: https://tools.google.com/dlpage/gaoptout?hl=de.

6. Specific data processing

6.1 Visiting our websites

6.1.1 Providing our websites Description: In order for the web server to make our website available to your browser, the server must collect technical data about the device you are using, your browser and your Internet access. This record is called a log file or web log. This is the same data you leave on every website you visit. The focus is on the IP address from which you access our website. The web server sends the data you want to see or the applications you want to run in your browser (usually in the PHP or JavaScript programming languages) to this Internet address. If our pages or our web server are attacked, we may turn over the web log to forensic investigators who can use it to reconstruct the origin and course of the attack. Categories of data: IP address from which our site was accessed; date and time of access; objects on our website that are accessed in the browser; Internet browser type and version; operating system type and version Recipient of the data (transfer to third countries is possible): Our hosting provider, who is obliged to protect the data through an order processing agreement. In the event of an attack on our website, the data will be transferred to our authorized forensic experts and investigative authorities. Transfer to third countries is not carried out. Purpose + legal basis: Providing our website and investigating in case of illegal access to our website (e.g. hacker attack). The legal basis is legitimate interest, since it is impossible to operate a website without logging. In the specific case of an attack on our website, we have a legitimate interest in providing investigators with evidence of how the attack occurred. Retention period: 7 days

6.1.2 Managing Cookies Description: For all cookies that require consent, we request your consent before storing them in your browser's cache. The decisions you make are in turn saved in a cookie on your device, so we do not need to ask for your consent again when you visit our website again. You can review your decision at any time by deleting the corresponding cookie (named CookieConsent) from your device through your browser settings. You can also withdraw your consent by clicking the appropriate button at the end of this description of processing. Or you can contact us personally; please enter your consent ID and consent date (see below). Data categories: consent status Recipient of data (possible transfer to a third country): none Purpose + legal basis: management of consent to the use of cookies. The legal basis is legitimate interest, since saving the cookie decision only slightly restricts the rights of the visitor and at the same time makes the pages easier to use when visiting again. In accordance with § 25 TTDSG, this cookie can also be set without your consent, since the selection of the cookie should be considered an important function. Duration of storage: until the corresponding cookie is deleted from your browser cache or until the cookie expires after 12 months. View and change your consent: by clicking the bracket icon in the bottom left

6.1.3 Contact Form Description: Our website has a contact form that you can use to send us messages. Technically, your entries will be sent to us via email (even if you haven't specified an email address as the sender). As soon as you send your message, the data processing corresponds to sending an email to our central contact address. While you are on the website and entering your data into the form, the data processing corresponds to calling up any of our websites. Data Categories: See "Website Provision" and "Email Inbox" processing. Recipient of the data (transfer to a third country is possible): See processing "Website provision" and "Incoming email messages". Purpose + legal basis: Providing a contact form as an additional way to contact us. Depending on the content of your contact, the legal basis is preparation for the execution of a contract or legitimate interest. Retention period: See "Site Provision" and "Mailbox" processing.

6.1.4 Analysis of usage behavior Description: We use the web analytics service Google Analytics. On our behalf, Google uses the collected information to create statistical reports about activities on our website, the regional origin of visitors and the technical parameters of the devices used to visit our website. We use analytics with the extension "anonymizeIP" so that IP addresses are processed only in shortened form to reduce the possibility of personal reference. With IP anonymization, Google replaces the end of your IP address with zeros within the European Union before the data is transferred to the United States. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there. On the one hand, Google Analytics collects web log information in the sense of server-side analytics, which by default is sent to the web server when Internet pages are accessed. If you have agreed to Google's setting of cookies, Google records the data stored in the cookies, such as the cookie ID. In addition, Google recognizes general information about your device, such as installed software or fonts, and uses it to create a so-called digital fingerprint. Unlike simple server-side analytics, a cookie ID or digital fingerprint allows multiple actions on our pages to be assigned to the same visitor. In this way, returning visitors can be identified and the usage patterns of our website can be tracked. In particular, usage statements are necessary to be able to draw valuable conclusions from user behavior. Analytical cookies are called _ga (to recognize returning visitors), _gid (to enable statistical groupings) and _gat (to reduce overlap with Google's advanced features). We do not link the data we collect through Google Analytics to any personal information we collect through other means. Google is also prohibited from using the data for its own purposes or combining it with data collected elsewhere. Google only provides us with data in anonymous and statistical form, so we do not have our own access to characteristics of the data that could allow us to identify individuals. You can find comprehensive information about the use of data collected by Google in Google's data protection information (https://policies.google.com/privacy) and Google's cookie information (https://policies.google.com/technologies/cookies). Data categories: IP address through which the device accesses the Internet; the city or country associated with the IP address and ISP for Internet access; date and time of access; objects on our website that are accessed (clicked) in the browser; Internet browser type and version; operating system type and version; information about the screen resolution and other technical parameters of the end device used; websites from which the user accessed our website; websites that the user accesses from our website; Google ID stored in the cookie; digital fingerprint of the device used, calculated by Google Recipient of the data (transfer to third countries possible): Google LLC, which we, as a European organization, can contact through Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google is committed to data protection in accordance with the order processing contract. Insofar as Google transfers data to third countries, Google ensures that the data is treated at the EU data protection level by entering into standard data protection clauses. Purpose + legal basis: The purpose of this usage analysis is to enable us to improve our website based on the results of the analysis. The legal basis is a legitimate interest resulting from the fact that the personal link to the recorded data is significantly reduced, for example by anonymizing IP addresses, that we do not combine the data with other data collections and that visitors to our website have various options at their disposal to prevent the collection of Google Analytics cookies. Regardless of this, we ask for your consent in accordance with § 25 TTDSG for the installation of Google cookies via our cookie manager. Retention period: 14 months; this raw data storage period allows us to export annual statistics.

6.1.5 Streaming Video Description: Our site displays movies through the video player YouTube, a subsidiary of Google. If you open a page that has a YouTube player installed, a connection will be made to YouTube's servers and Google cookies will be set in your browser. Google receives information about which of our pages you have visited and which movie you have watched. Google sets the following cookies through the YouTube player: CONSENT, GPS, Visitor_Info1_Live, YSC, IDE. Regarding data collection from Google, we do not receive any data about your usage behavior. If you are logged into your YouTube or Google account when visiting our site, you allow Google to assign your usage behavior directly to your personal profile. You can prevent this by logging out of your account. For more information on how your data is processed, please see Google's privacy policy at https://www.google.de/intl/de/policies/privacy. Categories of data: IP address from which our site was accessed; date and time of access; movies watched; sharing functions used to recommend a movie; Internet browser type and version; operating system type and version; Google ID stored in the cookie Recipient of the data (transfer to a third country is possible): Google LLC, which we, as a European organization, can contact through Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Insofar as Google transfers data to third countries, Google ensures that the data is treated at the EU data protection level by entering into standard data protection clauses. Purpose + Legal Basis: We use the YouTube player to offer you powerful video streaming. The legal basis for the transfer of data to Google is your consent to the use of cookies for the YouTube player. Retention Period: Google is responsible for the retention period. We can't remove the data because we don't collect any data from you when you use YouTube.

6.2 Clients

6.2.1 Client Database (Project Management + Billing) Description: We manage our clients and projects for our clients using a cloud-based project management (PM) application. In your personal account, we store your contract and payment information, as well as the history of your relationships with clients, including all details about orders. We use PM for direct customer communication so that comments, information and approvals for individual orders can be communicated and documented between us. We also create our invoices directly from the PM app. Data categories: contact information (name, email address, phone number, address), orders (project communication, information exchange, approvals, terms of payment and service, invoices), meetings, activity history, marketing consent Data recipient (possible transfer to a third country): a cloud project management application provider who is obliged to protect data through an order processing contract. The service provider is based in the USA and guarantees that the data will be processed at the EU level of data protection by entering into standard data protection clauses. Purpose + legal basis: Using a project management system that allows us to provide our clients with comprehensive support from contact to invoicing. The legal basis is legitimate interest, since the use of the application improves the level of service and ensures effective cooperation. Retention Duration: We keep your customer account for ten years after the completion of your last order, as your invoices are generated from accounts and so we can provide information in the event of project inquiries.

6.2.2 Personal User Account (Project Management) Description: We set up personal user accounts for our client database for our contacts with our clients and our service providers, which we use to organize our clients' projects in exchange with contacts. As a user, you can provide and view information, upload files, comment and change project status, and give approvals. The profile is available to you through a user account, which you may provide with additional data, such as a profile picture, at your own risk. You can also change or delete your profile information at any time. Data categories: login data (name, email address, password encrypted as a hash value), profile data (organization, position, phone number, address, photo), communication data (files and information, comments, shared resources), activity history (login, logout, time of individual actions), web log data (IP address, browser version, operating system version) Data recipient (possible transfer to a third country): cloud project management application provider, who is obliged to protect data through an order processing contract. The service provider guarantees that the data will be processed at the EU data protection level by entering into standard data protection clauses. Purpose + legal basis: The operation of your user account serves to fulfill our relevant user agreement as part of our commissioning. The legal basis is the fulfillment of our contractual obligations to you or your employer. Duration of retention: We delete user accounts when they are no longer required to confirm which project participants have provided information or given approval. The specific retention period depends on your specific role in our joint project.

6.2.3 Contact Directory + Business Cards Description: If we are likely to contact you again in the future, we will store your contact details in our cloud-based contact directory. If you provide us with your business card, we will regularly add your details to this contact directory. Categories of data: name, contact details (address, telephone, fax, email), your company, your company's field of activity, your position, your area of responsibility, place, time and circumstances of contact and, if applicable, specific information about your availability or business topics covered Recipient of the data (possible transfer to a third country): Cloud contact directory provider who is obliged to protect the data in accordance with the order processing contract. The contact directory provider is an EU company owned by a US company. Since the transfer to a third country occurs as a result of group membership, the service provider guarantees that the data will be processed at the EU data protection level by concluding standard data protection clauses. Purpose + legal basis: maintaining contacts. The legal basis is legitimate interest because you have voluntarily provided us with your business card or the nature of our previous contact suggests that we should continue to exchange with each other. Duration of retention: We retain your data until you ask us to delete it, unless we have a business relationship where we have an independent obligation to retain your contact details.

6.3 Marketing communications

6.3.1 Newsletter Subscription Description: You can subscribe to our newsletter by email. All you need to do is provide your email address. Additional information, such as your name, is voluntary and is used to personalize the sending of direct greeting emails. If you register online for the newsletter, you will receive an email sent to the email address you provided asking you to confirm your registration. We want to avoid you being registered to receive our newsletter by someone who does not or should not have access to that address. This two-step process is called double opt-in. By subscribing to our newsletter, you agree, under both data protection and competition law, that we may send you emails on the topics and purposes described on the registration page. You can revoke your registration and therefore your consent at any time for the future. This is possible via the relevant link at the end of every newsletter we send out. We record the use of our newsletter using so-called counting pixels and campaign URLs for Internet links in the newsletter. The tracking pixel calls our mailing server when you open an email. The calling of the Internet links in the newsletter is registered via the campaign assignment in our web analysis. Data categories: email address, email confirmation documentation (double opt-in), time of your registration; Your name (optional), your company/institution (optional); Selecting specific mailing packages; Usage data (opening email + clicking on internet links) Recipient of the data (transfer to a third country is possible): our service provider for sending the newsletter, who is obliged to protect the data according to the order processing contract. There is no transfer to a third country. Purpose + legal basis: Providing an email newsletter and optimizing the content of our newsletter. The legal basis is your consent. Duration of storage: Once you withdraw your consent, your data will be deleted immediately.

6.3.2 Telemarketing (B2B) Description: Since the potential business customer (B2B) has given us implied consent to make promotional calls, we also offer you our services over the telephone (telephone marketing). For business customers, we assume appropriate implied consent if you contact us and provide us with your phone number, for example as part of downloading a white paper or subscribing to a newsletter. Call details follow the processing of “Contact Directory” and “Phone Calls”. Data categories: name, telephone number, company/organization, marketing consent, order of official document, time of contact. Recipient of data (possible transfer to a third country): none Purpose + legal basis: Personal presentation of the portfolio of services and their conditions in a telephone conversation with potential clients whose consent to the call has been given directly or inferred. The legal basis is presumed consent within the meaning of Article 7, paragraph 2, no. 2 UWG. Retention period: see "Customer Database (CRM)" and "Phone Calls" processing.

6.4 Our social media profiles

6.4.1 Facebook and Instagram Description: We manage company profiles (also called fan pages) on Facebook and Instagram. This fan page allows us to represent our organization on Facebook or Instagram, connect with you on this social network and link to our services and offers through advertising on these platforms. Meta provides us with analytical data about how our fan page is used (called page statistics). This gives us an idea of how successful our individual communication efforts are. The data protection information of Meta refers to the details of data processing in Meta: https://www.facebook.com/about/privacy. According to the decision of the European Court of Justice, the use of data from this analysis is the general responsibility of Meta in accordance with Article 26 of the GDPR. Accordingly, Meta has provided a shared liability agreement (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Meta assumes sole responsibility for all data processing matters. If you wish to exercise your rights under the GDPR in relation to data processed in Page Insights, you should contact Meta directly through your Meta account. In accordance with the legal rules of joint liability, you can also contact us with your problems. We will then forward your request to Meta. Data categories: Meta username; comments, likes and page views on Facebook or Instagram and duration Recipient of data (possible transfer to third countries): Meta Platforms Inc., which we, as a European organization, can contact through Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta guarantees data processing at EU data protection level by entering into standard data protection clauses. Purpose + legal basis: analysis of user behavior on our fan page or on our Instagram profile. The legal basis is the consent you have given as part of your Meta registration. Storage period: Meta is responsible for the storage period.

6.4.2 Twitter Description: We manage the company's Twitter profile. This Twitter profile allows us to represent our organization on Twitter, connect with you on this social network and link to our services and offers through advertising on these platforms. Twitter provides us with analytical data about the use of our profile page (Twitter Analytics). This gives us an idea of how successful our individual communication efforts are. The data protection information of Twitter refers to the details of data processing by Twitter: https://twitter.com/de/privacy. Data categories: Twitter username; comments, likes and page views on Twitter and duration Recipient of data (transfer to third countries possible): Twitter Inc., which we, as a European organization, can contact via Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. Twitter guarantees data processing at EU data protection level by entering into standard data protection clauses. Purpose + legal basis: Analysis of user behavior on our Twitter profile. The legal basis is the consent you gave when registering on Twitter. Retention Period: Twitter is responsible for the retention period.

6.4.3 LinkedIn Description: We manage a company LinkedIn profile. This LinkedIn profile allows us to represent our organization on LinkedIn, connect with you on this social network and link to our services and offers through advertising on these platforms. LinkedIn provides us with analytics data about how our profile page is used. This gives us an idea of how successful our individual communication efforts are. The data protection information of LinkedIn refers to the details of data processing within LinkedIn: https://www.linkedin.com/legal/privacy-policy. Data categories: LinkedIn username; comments, likes and page views on LinkedIn and duration Recipient of data (transfer to third countries is possible): LinkedIn Corp., which we, as a European organization, can contact through LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn ensures that data is processed at EU data protection level by entering into standard data protection clauses. Purpose + legal basis: Analysis of user behavior on our LinkedIn profile. The legal basis is the consent you gave when registering on LinkedIn. Retention period: LinkedIn is responsible for the retention period.

6.4.4 Xing Description: We are launching a company profile on Xing. This Xing profile allows us to represent our organization on Xing, connect with you on this social network and link to our services and offers through advertising on these platforms. Xing provides us with analytics data about how our profile page is used. This gives us an idea of how successful our individual communication efforts are. The data protection information of Xing refers to the details of data processing in Xing: https://privacy.xing.com/de/datenschutzerklaerung. Data categories: Xing username; Comments, likes and page views on Xing and duration Recipient of data (transfer to third countries possible): New Work SE (operator of xing.com), Dammtorstraße 30, 20354 Hamburg. There is no transfer to a third country. Purpose + legal basis: Analysis of user behavior in our Xing profile. The legal basis is the consent you gave when registering on Xing. Storage Period: Xing is responsible for the storage period.

6.5 Suppliers and Service Providers Description: As a customer, we process personal data from our suppliers and service providers who are self-employed or in partnership, or our contacts in such organizations, in order to be able to communicate with you regarding order processing. In addition to content-related communications, your data is usually processed within the separately described processing for “Contact Us” (see there). Data categories: contact, contract and payment data Recipients of data (transfer to third countries is possible): Tax consultants, auditors, lawyers in their function as persons subject to professional secrecy. Purpose + legal basis: Good governance. The legal basis is the fulfillment of the contract, as well as legal obligations and legitimate interests. Retention period: In accordance with tax legislation, invoice data must be retained for 10 years; Contract data must be retained for varying periods of time depending on the type of contract. In the case of copyright, such terms are extended to 70 years after the death of the author.

6.6 Assignments

6.6.1 Applications Description: If you apply for a position with us, we will process your application documents until the end of the application process solely for the purpose of making a decision regarding your employment. We limit access to your records to only those people we reasonably involve in your hiring decisions. If you are hired, your application documents are transferred to your personnel file. If you are not hired, we will either ask you to agree to be placed on our list of candidates or return or destroy your records as soon as the anti-discrimination law no longer provides a basis for challenging our decision. Data categories: name + contact details (email, phone, address), photo, professional network profile URL (e.g. Xing); information in the application letter, curriculum vitae, certificates and references, proof of training and professional qualifications, employment interview notes (telephone and in person), if applicable, pre-employment test results Recipient of the data (possible transfer to a third country): none Purpose + legal basis: Basis for deciding to fill vacancies. The legal basis is the preparation of the execution of the contract (employment contract) and then the legitimate interest in protecting against objections to negative decisions. Retention period: 6 months after completion of the initial application process

6.6.2 Applicant Pool Description: If we are unable to offer you a suitable position at this time, but you would like to be considered again in the selection process for positions to be filled in the future, we ask for your consent to retain your application documents after the current application process is completed. If we are unable to contact you for more than two years, we will obtain your consent to continued storage, or return or delete your records. Data categories: name + contact details (email, phone, address), photo, professional network profile URL (e.g. Xing); Information in the application letter, curriculum vitae, certificates and references, proof of training and professional qualifications, employment interview notes (telephone and in person), if applicable, pre-employment test results Recipient of the data (possible transfer to a third country): no Purpose + legal basis: Basis for decisions on future assignments. The legal basis is consent. Storage period: 2 years from last contact or last consent.

6.7 General infrastructure

6.7.1 Inbox Email, Contacts Directory, Calendar Description: We use Exchange accounts for Email, Contacts Directory, and Calendar, which collect these groups of data in a bundle. Emails you send or receive from us, your contact details and appointments with you are stored both on our hosting provider's servers and as a local copy on the endpoints we connect to our Exchange accounts. Categories of data: name, contact details (email, telephone, address, fax), your company, your company's area of activity, your position, your area of responsibility, place, time and circumstances of contact and, if applicable, specific information about your availability or business topics covered; the time the email was sent or received; Contents of the email (text, documents, images, other files); other typical email metadata Recipient of the data (possible transfer to a third country): Our Exchange server hosting provider, who is obligated to protect the data through an order processing contract. The service provider is based in the EU and operates data centers in the EU, but is owned by a US company. Since the transfer to a third country occurs as a result of group membership, the service provider guarantees that the data will be processed at the EU data protection level by concluding standard data protection clauses. Purpose + legal basis: Use of a synchronized mailbox, calendar and contact directory. The legal basis is legitimate interest, since without such digital infrastructure participation in modern business life would not be possible in a sufficiently efficient manner. Retention Period: We retain emails and records for as long as necessary to achieve the purpose. Depending on the content of the email, the business relationship with the contact, or the background of the meeting, these could be a variety of purposes; Storage periods vary accordingly. 
Example: If your email serves to prepare for the conclusion of a contract, the obligation under the German Commercial Code (HGB) to store business emails for six years applies.

6.7.2 Phone Calls Description: If we call each other, our cloud phone system or our mobile phones record your number and the time of the call. If the content of the conversation suggests this, we will create a memo and document it in an appropriate location (for example, in a client database or for applicants and HR personnel). We may include your details in our contact directory for further communication. Audio recordings of conversations are made only in exceptional cases and after we have received your express consent to do so. Data categories: phone number; talk time; if necessary, the content of the conversation Recipient of the data (transfer to a third country is possible): the mobile operator and provider of our cloud telephone system, which are subject to telecommunications secrecy in accordance with the TTDSG. Our phone system provider is an EU company owned by a US company. Since the transfer to a third country occurs as a result of group membership, the service provider guarantees that the data will be processed at the EU data protection level by concluding standard data protection clauses. Purpose + legal basis: communication by phone. Depending on the content of the conversation, the legal basis is the preparation or performance of a contract or legitimate interest in the exchange with you. Retention period: depends on the content of the conversation. Individual memos may be subject to the commercial law requirement to retain business letters for six years.

6.7.3 Letter Mail Description: If you send us a letter, we will respond regularly with a letter that we generate on our computer and save as a file. We scan your email frequently to archive it as part of our digital office management. The specific processing of personal data in our correspondence depends on the subject matter of the letter and the resulting storage requirements. We may include your details in our contact directory for further communication. Data categories: name + address; personal information in the content of the letter, such as additional contact details on the letterhead, requests, orders, offers, complaints or other topics Recipient of the data (possible transfer to a third country): postal service provider. Transfer to third countries is only carried out if the parcel is sent to an address outside the European Economic Area. In these cases, data protection is guaranteed by international mail secrecy agreements. Purpose + legal basis: communication by letter. Depending on the content of the correspondence, the legal basis is the preparation or performance of a contract or a legitimate interest in the exchange with you. Storage period: Depends on the content of correspondence; In principle, commercial law requires that business letters be kept for six years.

6.7.4 Video Conferencing Description: The video conferencing we organize takes place through external service providers who, as telecommunications service providers, are subject to the TTDSG and are therefore legally required to protect data. The amount of data processing depends on the individual features of the conference tool you use. You can participate with or without video or audio, with or without a profile picture, background image, hand gestures, or chat actions. In some cases, you can also assign yourself a username of your choice. In particular, access to your camera and microphone is only possible with your consent. Before recording a conference, all participants will be asked for their consent or inaction. If recording occurs, the progress of the conversation can be recorded (transcribed) automatically or manually. It is technically possible for each participant to take screenshots or recordings, in whole or in part, using means outside the conference tool. Such behavior without proper consent from all parties involved constitutes a breach of data protection by the actor and, unless it is one of our employees, is not our responsibility. Secret recording of spoken word may constitute a criminal offense under Section 201 of the Criminal Code. We reserve the right to take legal action of any kind against anyone who uses their participation in a video conference to breach data protection. Data categories: username, email address; visiting time; video or audio signal; Video or audio recording (only with consent); Audio transcript (only after recording); Actions in chat, requesting status for a speech; Profile data (profile photo, contact details, background image), phone number (if participating by phone); Log file (IP address, device IDs, activity history) Recipient of data (possible transfer to a third country): video conferencing system providers who, as telecommunications service providers, are subject to the TTDSG. 
Since the transfer to third countries is carried out by the supplier, the service provider guarantees that the data will be processed at the EU data protection level by entering into standard data protection clauses. Purpose + legal basis: Use of videoconferencing. The legal basis is legitimate interest, since video conferencing is not possible without minimal data processing. Consent is the legal basis for recording. Retention Duration: If no recording is made, all data will be deleted at the end of the meeting. If the conference was recorded, the recording will be deleted as soon as the last goal for which the recording was made is reached.

6.7.5 Visitor Wi-Fi Description: We provide visitors with access to our Wi-Fi network and thus to the Internet. When you log into the required WLAN access point, your device's unique ID and time of use are recorded. The IP address of our network is logged for all services you call when using our network on the Internet. Because investigations are underway into activities originating from our IP address, we are partially obligated to make usage documentation available in a so-called log file of our access points. Data categories: device MAC address, usage time. Recipients of data (transfer to a third country is possible): usually no recipients; authorities responsible for investigations and, in certain circumstances, private rights holders or forensic experts authorized by us Purpose + legal basis: Such log files serve to ensure and enhance IT security in our company. The legal basis is legitimate interest, since we only access the WiFi log file when security analysis is required. Attribution of WiFi data to specific devices and therefore to their owners is only possible with considerable effort and regularly only through police investigations. Retention Duration: Our WiFi log file is deleted regularly, but at least once a year.

6.7.6 Financial accounting Description: All payments are recorded in accounting. The identity of the payer or payee is documented. In the case of legal entities, this sometimes also includes the names and contact details of the contact persons for the process. In some cases, the reason for payment also results in statements about people or a person's activities (for example, in the case of salary/remuneration payments, travel bookings, expense reimbursements). We use cloud-based software for our accounting. Data categories: name, customer or supplier number, bank or credit card details, reason for payment, travel information (time, destination, accommodation, means of transport, expenses), hospitality (date, location/dining establishment, persons served, reason for hospitality, expenses), information on other expenses (purchases, gifts) Recipient of the data (possible transfer to a third country): Our tax consultant as a financial accounting service provider who, as a person subject to professional secrecy, is legally obliged to protect the data. Our service provider for cloud accounting software who is committed to data security through an order processing contract. There is no transfer to a third country. Purpose + legal basis: Management of all payment transactions. The legal basis is the fulfillment of a contract or legal obligation (tax and commercial law). Storage period: We store data in the accounting department for 10 years in accordance with the requirements of tax legislation.

6.7.7 Payment Transfers Description: Payments made through a bank account or credit card account from us are documented as appropriate on account statements. Data categories: name, bank details, payment date, payment amount, reason for payment (booking text) Recipient of data (possible transfer to a third country): Our financial record keeping institutions, which are required by law to protect data through bank secrecy and bank supervision. There is no transfer to a third country. Purpose + legal basis: non-cash payment transactions; The legal basis is the fulfillment of the contract. Retention period: We store account statements for 10 years in accordance with tax law requirements.

6.7.8 IT Administration Description: We use service providers to administer, maintain and care for our information technology. These service providers do not deal with the content of the personal data we process. But when maintaining databases and other system units, it may happen that personal data is taken into account by service providers. All of our service providers are expressly bound by appropriate confidentiality agreements depending on the sensitivity of the data they may access. Categories of data: any type of data Recipients of data (possible transfer to third countries): IT service providers who are obliged to protect data through an order processing contract or other form of confidentiality obligation. There is no transfer to a third country. Purpose + legal basis: Use of competent service providers for professional IT administration. The legal basis is legitimate interest, since service providers have committed themselves to data protection through appropriate confidentiality obligations. Duration of storage: No independent storage.

6.7.9 File Storage Description: In addition to collecting data in separate databases (described above), we store documents on our media. Typically these include Office documents (Word, Excel, Powerpoint), PDF files, images, movies, layouts, other text formats, spreadsheet and presentation files, and ultimately any type of file used in our business processes is included. Data protection issues regarding the contents of the files depend on the respective purposes of the processing. At the same time, self-processing is the result of storing files and the metadata regularly attached to them (primarily the creator's signature). Office documents contain personal metadata, particularly when they are shared (collaborated) using commenting, annotation, and edit mode. Data categories: any data, but here the focus is on metadata: signature of the file creator, signatures of the file editors (also in comments + notes); Time of creation, editing or storage Recipient of data (transfer to a third country is possible): no Purpose + legal basis: Storing files in a high-performance data center and using modern search functions. The legal basis is legitimate interest, since the processing occurs as part of order processing. Storage duration: depends on the storage time of the individual file

6.7.10 Disposal of data media and documents Description: Deleting or destroying data also constitutes data processing. We dispose of paper documents with associated sensitive personal data in closed bins of a professional document shredder. The level of document destruction agreed upon with the service provider is commensurate with the degree of risk or sensitivity of the documents to be destroyed. Storage media (hard drives, e.g. from servers, computers, smartphones, tablets, USB drives, memory cards) on which sensitive personal data were previously stored are, if they are no longer used to store this data, repeatedly and completely overwritten by our IT administration and thereby securely deleted. The level of deletion or destruction corresponds to the risk or sensitivity of the data previously stored on the media. Data categories: any type of data Recipient of the data (possible transfer to a third country): Provider of professional document destruction services who are obliged to comply with data protection through an order processing contract. There is no transfer to a third country. Purpose + legal basis: secure destruction or deletion of personal data. The legal basis is the legal obligation to minimize and delete data under the GDPR. Duration of storage: There is no storage after deletion/destruction.

6.7.11 Prosecution Description: In the event that we have a legal dispute with you, we will disclose information about you and the circumstances of the dispute to lawyers and, if necessary, to the authorities or courts. Data categories: name, contact details, information on the subject of the dispute Recipients of data (transfer to third countries is possible): lawyers, authorities, courts, bailiffs. All recipients are required to maintain confidentiality as a government agency or as a person subject to professional secrecy. Transfer to a third country is not carried out in this way. Purpose + legal basis: criminal prosecution. The legal basis is the legitimate interest in seeking legal advice from lawyers and, if necessary, from the authorities or courts. Duration of storage: The named recipients of your data process them in accordance with their specifications to the extent necessary to perform the respective task. We retain legal dispute data until the dispute is finally concluded, including all relevant statutes of limitations and defenses. If a repetition of a similar dispute with you or other people is possible, we will at least store the documents decisive for the procedure - if necessary in anonymous form - for a correspondingly longer period.

6.7.12 Privacy Management Description: If you assert data protection rights against us, we will document related communications and processes in our data protection management application. Categories of data: name, contact details, information on data protection requests Recipient of data (possible transfer to a third country): Our Data Protection Officer, who is legally bound by confidentiality, is located in the EEA. Our cloud data protection management application service provider, which is obliged to protect data through an order processing contract, is located in the EEA. Transfer to a third country is not carried out in this way. Purpose + legal basis: data protection management. The legal basis is the statutory liability of the GDPR. Duration of retention: We retain data relating to a legal dispute until the dispute is finally resolved, including any relevant limitation and objection periods. If a repetition of a similar dispute with you or other people is possible, we will at least store the documents decisive for the procedure - if necessary in anonymous form - for a correspondingly longer period.

Last updated: March 2024