DATA PROTECTION

Dermapharm Data Protection Policy

Introduction

The purpose of this Data Protection Policy is to tell you which of your personal data (hereinafter also referred to as "data") we process, for what purpose and to what extent. The Data Protection Policy applies to all personal data processed by us, both during the course of providing our services and, in particular, on our websites and our mobile service and in our external online presences, such as our social media profiles (hereinafter collectively referred to as the "online service").

Controller

ANTON HÜBNER GmbH & Co KG
Schlossstrasse 11-17
79238 Ehrenkirchen, Germany

Authorised representatives: Dr Hans-Georg Feldmeier, Dr Andreas Ebernhorn

Email address: shop@huebner-vital.de

Data Protection Officer contact details:

The website www.huebner-vital.de/en is a service provided by ANTON HÜBNER GmbH & Co. KG. Therefore, ANTON HÜBNER GmbH & Co KG is the controller for the purposes of Article 5 (2) of the General Data Protection Regulation (GDPR). You can contact our Data Protection Officer at datenschutz@dermapharm.com or the address given in the Legal Notice.

Definitions

This Data Protection Policy uses the terminology of the GDPR.
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data, or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

"Controller" means the natural or legal person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Recipient" means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

"Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or order processor, are authorised to process personal data.

"Consent" means the freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.

Types of data processed

We gather and process the following personal data about you:

User data (e.g. names, addresses).
Content data (e.g. data entered in online forms).
Contact details (e.g. email, telephone numbers).
Metadata/communication data (e.g. device information, IP addresses).
Usage data (e.g. websites visited, interest in content, access times).
Location data (information on the geographical location of a device or person).
Contract data (e.g. subject matter of the contract, term, customer category).
Payment data (e.g. bank details, invoices, payment history).

Data sources

We obtain the data from you (including via the devices you use). If we do not collect the personal data directly from you, we will also tell you the source of the personal data and, if applicable, whether it originates from publicly accessible sources.

Requirement or obligation to provide data

Unless expressly stated at the time of collection, the provision of data is not required or obligatory. Such an obligation may result from legal requirements or contractual provisions.

Purpose of the processing

We process your data for the following purposes:

to make contact requested by you,
for the execution of contracts, in particular, to process orders and for invoicing,
to provide our service,
to measure reach (e.g. access statistics, recognition of returning visitors),
for remarketing,
for advertising purposes,
for sending the email newsletter, if you have subscribed,
for quality assurance and statistics.

Lawfulness of Processing under the GDPR

The processing is only lawful if at least one of the following conditions is met. If a more specific legal basis applies in each individual instance, we will inform you of this in the Data Protection Policy.

Consent (Article 6 (1)(1a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contract performance and pre-contractual enquiries (Article 6 (1)(1b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract.
Legal obligation (Article 6 (1)(1c)– The processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Article 6 (1)(1f) GDPR) – The processing is necessary to safeguard the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Legitimate interests

If we base the processing of your personal data on legitimate interests as defined by Article 6 (1) (1f) GDPR, those interests are:

improving our service,
protecting against misuse and
managing our statistics.

Automated decisions in individual cases

Automated decision-making is performed in individual cases for the following purpose:

Creditworthiness report (decision based on a credit check).

Security measures

We take suitable technical and organisational measures to ensure a level of protection that is reasonable in light of the risk in accordance with the legal regulations, taking into account the latest technology, the implementation costs and the nature, scope, circumstances and purpose of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling access to the facilities and systems holding the data, as well as access to the data itself, its entry and disclosure, and ensuring its availability and segregation. We also have procedures in place to safeguard the rights of data subjects and ensure the deletion of data and our responses when there is a risk to the data. Furthermore, we take personal data protection into account when developing or selecting hardware, software, and procedures in accordance with the principle of data protection through technology design and privacy-friendly default settings.

SSL encryption (https): We use SSL encryption to protect your data transmitted via our online service. You can recognise these encrypted connections from the prefix https:// in your browser's address bar.

Personal data recipients or categories of recipients

When processing your data, we work with the following service providers who have access to your data:

Web analytics tool provider,
Web hosting provider,
Payment service provider,
Transport service provider.

Data processing in third countries

If we process data in a third country (in other words, outside the European Union (EU) or the European Economic Area (EEA)), if such processing takes place within the framework of the use of third-party services or if data is disclosed to other persons, bodies or companies, this will only take place in accordance with the statutory regulations.

Subject to express consent or a contractually or legally required transfer, we will only process data, or arrange data processing, in third countries with a recognised level of data protection, a contractual obligation through so-called EU Commission standard protection clauses, with the presence of certifications or binding internal data protection regulations (Articles 44 to 49 GDPR).

Storage period

We will only store your personal data for as long as necessary to achieve the purpose of the processing or comply with a relevant statutory retention period.

We will store your data

if you have consented to the processing, but only until you revoke your consent,
if we need the data to fulfil a contract, but only for as long as the contractual relationship with you exists or for the relevant statutory retention periods,
if the data is necessary for compliance with a legal obligation, for as long as the legal obligation exists,
if we use the data on the basis of a legitimate interest, only providing your interest in its deletion or anonymisation does not outweigh this.

Your rights

You have the following rights, partly under certain conditions

You may request information about the processing of your data and receive a copy of your personal data free of charge. You may also request information about the purpose of the processing, the categories of personal data being processed, the data recipients (if the data is passed on), how long it will be stored for or the criteria for determining the same;
You may have your data rectified. If your personal data is incomplete, you have the right to have the data completed, taking into account the purpose of the processing;
You may have your data erased or blocked. Reasons for the existence of a right of erasure/blocking may include: withdrawal of consent on which the processing is based, the data subject objecting to the processing, or where the personal data has been processed unlawfully;
You may restrict the processing of your data;
You may object to the processing of your data;
You may withdraw your consent to the processing of your data with effect for the future; and
You may complain to the relevant supervisory authority about unlawful data processing.

Use of cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie is primarily used to store information about a user during or after visiting an online service. Saved information may include, for example, language settings on a website, the login status, a shopping basket or the location where a video was viewed. The term "cookies" also includes other technologies that perform the same functions as cookies (for example, when user details are stored using pseudonymous online identifiers, also known as "user IDs").

It is necessary to distinguish between the following cookie types and functions:

Temporary cookies (also: session cookies): Temporary cookies are deleted after a user has left an online service and closed their browser at the latest.
Permanent cookies: Permanent cookies remain saved even after the browser is closed. For example, the login status can be saved, or preferred content can be displayed when the user returns to a website. Similarly, user interests used for reach measurement or marketing purposes can be saved in a cookie of this type.
First-party cookies: First-party cookies are set by us.
Third-party cookies (also: third-party provider cookies): Third-party provider cookies are mainly used by advertisers (so-called third parties) to process user information.
Mandatory (also: essential or strictly necessary) cookies: Cookies may be strictly necessary for the operation of a website (for example, to save logins or other user input or for security reasons).
Statistics, marketing and personalisation cookies: Cookies are also usually used within the framework of reach measurement and when a user's interests or behaviour (for example, viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to display content to users that matches their potential interests. This procedure is also referred to as "tracking", i.e. tracking the potential interests of users. Where we use cookies or "tracking" technologies, we will inform you separately in our Data Protection Policy or during the course of obtaining consent.

Information about the legal basis: The legal basis for processing your data in the context of cookies is usually your declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (for example, the commercial operation of our online service and its improvement) or if the use of cookies is necessary to fulfil our contractual obligations.

Storage period: If we do not provide you with specific information about the storage period of permanent cookies (for example, in a so-called cookie opt-in), please assume that the storage period will be up to two years.

General information relating to revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option to revoke your consent or object to the processing of your data through cookie technologies at any time (collectively referred to as "opt-out"). In the first instance, you can declare your objection through your browser settings, for example, by deactivating cookies (this may also restrict the functionality of our online service). You can also object to the use of cookies for online marketing purposes through several services, especially in the case of tracking, via the following websites: https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can obtain further instructions on how to object below in the information about the service providers and cookies used.

Processing of cookie data on the basis of consent: We ask users for their consent before we process data, or arrange for the processing of the same, as part of our use of cookies. This consent may be revoked at any time. Before this consent is granted, cookies will only be used where strictly necessary to operate our online service.

Cookie settings/right to object:

Types of data processed: Usage data (for example, websites visited, interest in content, access times), metadata/communication data (for example, device information, IP addresses).
Data subjects: Users (for example, website visitors, users of online services).
Lawfulness: Consent (Article 6 (1)(1a) GDPR), legitimate interests (Article 6 (1)(1f) GDPR).

Consent management

We use a consent management tool on this website. Our consent management platform collects log file data and consent data using JavaScript. This JavaScript enables us to inform users about their consent to certain tags on our website and obtain, administer and document this consent.

The consent ID, which contains the consent data and consent status with timestamp, is saved locally in your browser and on the cloud servers used. Further processing only takes place if you submit a request for information or revoke your consent. In this case, the relevant information is provided in a compact data format in an easy-to-read text form for the purpose of the data exchange.

No user information is saved for statistics on the use of the consent that has been granted or not granted. Only the frequency and locations of the clicks are saved.

The purpose of the data processing is the analysis, management and proof of the consent that has been issued to comply with our consent management obligation under the GDPR.

The specific purposes for the processing of the personal data are:

obtaining and providing the consent,
providing proof of the device you used to provide consent and at what time and
ensuring access to settings and documenting changes.

The legal basis for managing your consent to the processing of your personal data is Article 6 (1)(1c and f) GDPR. Our legitimate interest lies in the legally secure documentation and traceability of consent, the control of marketing measures on the basis of the consent granted and the optimisation of consent rates.

The data is deleted once it is no longer required for our logging.

You may revoke your consent via the consent management tool. Click the fingerprint icon at the bottom right to re-open the consent tool.

You can permanently prevent the execution of JavaScript at any time via the relevant settings in your browser, which would also prevent Usercentrics from executing the JavaScript.

Types of data processed: Consent data (anonymised logbook data (consent ID, service ID, controller ID), consent status, timestamp); device information (including shortened IP addresses, device information, timestamp); user data (including email, ID, browser information, setting ID, changelog).
Data subjects: Users (for example, website visitors, users of online services).
Purposes of the processing: Administration of consent.
Lawfulness: Legal obligation (Article 6 (1)(1c) GDPR), legitimate interests (Article 6 (1)(1f) GDPR).

Services used and service providers:

Usercentrics: Consent management platform; service provider: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany; website: usercentrics.com; Privacy Policy: https://usercentrics.com/privacy-policy/.

Data in connection with our business activities

We process data from our contracting and business partners, for example, customers and interested parties (collectively referred to as "contracting partners") within the framework of contractual and comparable legal relationships and related measures and during communication with contracting (or pre-contractual) partners, for example to answer enquiries.

We process this data to fulfil our contractual obligations, safeguard our rights, and for the administrative tasks associated with this information and commercial organisation purposes. We only disclose contracting partners' data to third parties within the scope of applicable laws, where necessary for the aforementioned purposes or to fulfil legal obligations or with the consent of the data subjects (for example, to relevant telecommunications, transport and other auxiliary services, and subcontractors, banks, tax and legal advisers, payment service providers or tax authorities). The contracting partners will be informed about any other forms of processing, for example, for marketing purposes, within the framework of this Data Protection Policy.

In addition, we use your email address after responding to contact requests in the context of contractual or pre-contractual relationships to fulfil our contractual obligations or related obligations arising from the original performance of the contract and to follow up on communications in this regard."In addition, we use your email address after responding to contact requests in the context of contractual or pre-contractual relationships to fulfil our contractual obligations or related obligations arising from the original performance of the contract and to follow up on communications in this regard.

You can object to this use of your e-mail address at any time. This will not incur any additional costs to your individual transmission costs, if any. The easiest way to revoke your consent is to send an e-mail with the subject: "Revocation ANTON HÜBNER GmbH & Co. KG" to datenschutz@dermapharm.com

The data will be deleted after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, for example, for as long as it must be retained for legal archiving reasons (for example, for tax purposes, usually ten years). We delete data disclosed to us by our contracting partners within the framework of an order in accordance with the order specifications, generally once the order is complete.

Customer account: Contracting partners can create an account within our online service (for example, a customer or user account, "customer account" for short). If registration of a customer account is required, contracting partners will be informed of this and the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During the registration process and subsequent logins and use of the customer account, we will store customers' IP addresses together with access times so we can prove registration and prevent any misuse of the customer account.

If customers have terminated their customer account, all data relating to the customer account will be deleted, except where the retention of this data is required for legal reasons. Customers are responsible for backing up their data when terminating their account.

Types of data processed: User data (for example, names, addresses), payment data (for example, bank details, invoices, payment history), contact data (for example, email address, telephone numbers), contract data (for example, subject matter of the contract, term, customer category), usage data (for example, websites visited, interest in content, access times), metadata/communication data (for example, device information, IP addresses).
Data subjects: Interested parties, business and contracting partners, customers.
Purposes of the processing: Provision of contractual services and customer service, contact requests and communication, office and organisational procedures, administration of and response to requests, security measures, visitor campaign evaluation, interest-based and behavioural marketing, profiling (creation of user profiles).
Lawfulness: Contract fulfilment and pre-contractual enquiries (Article 6 (1)(1b) GDPR), legal obligation (Article 6 (1)(1c) GDPR), legitimate interests (Article 6 (1)(1f) GDPR).

Side effects form

If you report undesirable side effects or other aspects related to the safety or quality of medicines or medical devices, we are legally obliged to process your report, which may also contain personal data or health data. This results in particular from Section 63 c) of the German Medicinal Products Act (AMG) due to the statutory obligation to document and report adverse reactions to medicines.

Under certain circumstances, we may process your personal data. You can find information about this data processing at https://huebner-vital.de/nwm, depending on the contact channel.

Online seminars

When we invite you to participate in an online seminar for our products, we collect your first and last name and your email address. This enables our seminar leader to get an overview of the number of participants and to send you a certificate of attendance after the seminar. We have a data processing agreement with a data processor for our online training courses to ensure compliance with data protection.

Your data will not be forwarded to any third party in conjunction with our online seminars and will be deleted from our seminar system after six (6) months.

Payment service providers

Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in addition to banks and credit institutions for this purpose (collectively referred to as the "payment service providers").

The data processed by the payment service providers includes master data (such as names and addresses), bank data (such as account numbers or credit card numbers, passwords, transaction authentication numbers (TANs) and checksums), and information concerning contracts, amounts and recipients. This information is required to carry out the transactions. However, the data entered will only be processed by the payment service providers and stored by them. We do not receive any account or credit card information, only information about whether or not payments have been confirmed. Under certain circumstances, the payment service providers may transmit the data to credit agencies. This is for the purposes of verification of identity and creditworthiness. Please see the payment service providers' terms and conditions and privacy notices for further details.

The respective payment service providers' terms and conditions and privacy notices, accessible via their respective websites or transaction applications, will apply to the payment transactions. Please see these terms and notices for further details and information on exercising your right of withdrawal, right of access, and other data subject rights.

Types of data processed: Master data (for example, names, addresses), payment data (for example, bank details, invoices, payment history), contract data (for example, subject matter of the contract, contract duration, customer category), usage data (for example, websites visited, interest in content, access times), metadata/communications data (for example, device information, IP addresses).
Data subjects: customers, prospective customers.
Purposes of the processing: Provision of contractual services and customer services.
Legal basis: Contract fulfilment and pre-contractual enquiries (Article 6(1)(1b) of the General Data Protection Regulation (GDPR)), legitimate interests (Article 6(1)(1f) GDPR).

Services used and service provider(s)

Adyen: Payment services and solutions; service provider: Adyen N.V. German Branch, Friedrichstraße 63, 10117 Berlin; website: https://www.adyen.com/en_GB/; Privacy policy: https://www.adyen.com/en_GB/policies-and-disclaimer/privacy-policy
PayPal: Payment services and solutions (for example, PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; website: https://www.paypal.com/uk; Privacy policy: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.

Credit checks

If we make advance payments or enter into similar economic risks (for example, for ordering on account), we reserve the right to obtain identity and creditworthiness information to assess credit risk on the basis of mathematical-statistical procedures from service companies specialising in this area (credit agencies) to protect our legitimate interests.

We process the information received from credit agencies regarding the statistical probability of a payment default as part of an appropriate discretionary decision on the establishment, execution and termination of the contractual relationship. We reserve the right to refuse to offer payment on account or any other advance payment in the event of a negative credit check result.

In accordance with Art. 22 GDPR, the decision on whether or not to provide advance payment services is made on a case-by-case basis solely using an automated decision made by our software based on the information provided by the credit agency.

Where we obtain express consent from contractual partners, the legal basis for the credit check and the transmission of the customer's data to the credit agencies is this consent. If no consent is obtained, the credit information is provided on the basis of our legitimate interests in safeguarding our payment claims from default.

Types of data processed: Master data (for example, names, addresses), payment data (for example, bank details, invoices, payment history), contact data (for example, email, telephone numbers), contract data (for example, subject matter of contract, contract duration, customer category).
Data subjects: customers, prospective customers.
Purposes of the processing: Assessment of credit rating and creditworthiness.
Legal basis: Consent (Article 6(1)(1a) GDPR), legitimate interests (Article 6(1)(1f) GDPR).
Automated decisions in individual cases: Credit report (decision based on a credit check).

Services used and service provider(s):

Adyen: Payment services and solutions; service provider: Adyen N.V. German Branch, Friedrichstraße 63, 10117 Berlin; website: www.adyen.com/en_GB/; Privacy policy: https://www.adyen.com/en_GB/policies-and-disclaimer/privacy-policy

Website and web hosting

To provide access to our website securely and efficiently, we use the services of one or more web hosting providers. Our website can be accessed from their servers (or servers managed by them). We may use infrastructure and platform services, computing capacity, storage space, database services, and security and technical maintenance services for these purposes.

The data processed while providing the hosting service may include all information regarding the users of our website generated during the course of the use and any communications. This routinely includes the IP address, which is necessary for delivering the contents of websites to browsers, and all details entered onto our website or from other websites.

Email sending and hosting: The web hosting services we use also include the sending, receiving and storing of emails. The addresses of the recipients and senders are processed for these purposes, along with further information about sending of the email (for example, the providers involved) and the contents of the respective emails. The aforementioned data may also be processed to identify spam. Please note that sending emails across the internet is generally not encrypted. As a rule, emails are encrypted when in transit but (unless a so-called end-to-end encryption process is used) not on the sending and receiving servers. We, therefore, cannot accept any liability for the transmission path of the emails between the sender and receipt on our server.

Collection of access data and log files: We (or our web hosting provider) collect data each time our server is accessed (so-called server log files). These server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

The server log files may be used, on the one hand, for security purposes, for example, to prevent server overload (especially in the case of malicious attacks, so-called distributed denial-of-service (DDoS) attacks) and, on the other hand, to manage server load and stability.

Types of data processed: Content (for example, entries into online forms), usage data (for example, websites visited, interest in content, access times), metadata/communications data (for example, device information, IP addresses).
Data subjects: Users (for example, website visitors and users of online services).
Legal basis: Legitimate interests (Art. 6(1)(1f) GDPR).

Services used and service provider(s)

UDG Rhein-Main GmbH, Taunusstrasse 59-61, 55120 Mainz, Germany

Contacting us

When contacting us (for example, via contact form, email, telephone or social media), information about the inquiring party will be processed where necessary to respond to the inquiries and perform any requested actions.

Responses to contact requests are made to fulfil our contractual obligations or respond to (pre)contractual inquiries within the framework of contractual or pre-contractual relationships and are otherwise made on the basis of legitimate interests in responding to said inquiries.

Types of data processed: master data (for example, names, addresses), contact data (for example, email, telephone numbers), content data (for example, entries in online forms), usage data (for example, websites visited, interest in content, access times), meta/communications data (for example, device information, IP addresses).
Data subjects: Communications partners, interested parties.
Purposes of the processing: Contact requests and communications, managing and responding to requests.
Legal basis: Contract fulfilment and pre-contractual enquiries (Article 6(1)(1b) of the General Data Protection Regulation (GDPR)), legitimate interests (Article 6(1)(1f) GDPR).

Services used and service provider(s)

Internal email server

Web analytics, monitoring and optimisation

Web analytics (also referred to as "reach measurement") is used to evaluate the flow of visitors to our website. They may also collect behavioural, interest or demographic information for visitors, such as age or gender, in the form of pseudonymous values. Reach analytics can help us, for example, identify the time at which our website or its functions or content are most frequently used or invite re-use. We can also understand which areas require optimisation.

In addition to web analytics, we may also use testing methods, for example, to test and optimise different versions of our website or its components.

So-called user profiles may be created for these purposes and stored in a file (a so-called "cookie"), or similar methods may be used for the same purpose. This information may include, for example, content viewed, web pages visited, and the elements of them used, technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.

Users’ IP addresses are also stored. However, we use an IP masking method (pseudonymisation by shortening the IP address) to protect users. In general, the data stored in the context of web analytics, A/B testing and optimisation is not plain user data (such as email addresses or names) but pseudonyms. This means that we, and the providers of the software used, do not know the actual identity of the users, only the information stored in their profiles for respective procedures.

Information on the legal basis: If we ask users for their consent to the use of third-party providers, the legal basis for the data processing will be this consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. our interest in efficient, profitable and user-friendly services). In this context, please also see the information about the use of cookies in this Privacy Policy.

Types of data processed: Usage data (for example, websites visited, interest in content, access times), metadata/communications data (for example, device information, IP addresses).
Data subjects: Users (for example, website visitors and users of online services).
Purposes of the processing: Reach measurement (for example, access statistics, identification of returning visitors), tracking (for example, interest/behaviour-related profiling, use of cookies), visit action analysis, profiling (creation of user profiles).
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: Consent (Article 6(1)(1a) GDPR), legitimate interests (Article 6(1)(1f) GDPR).

Services used and service provider(s)

Google Analytics: Online marketing and web analytics; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/en-gb/about/analytics/; Privacy policy: https://policies.google.com/privacy; Option to object (opt-out):
Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en-GB, ad display settings: https://adssettings.google.com/authenticated.

This service allows analysis of the use of our web pages and employs cookies to do this. The information generated by the cookie, such as your anonymised IP address, is transmitted on our behalf to a Google Inc. server in the USA, where it is stored and analysed for this purpose. This is because, on this website, Google Analytics has been appended with the code "gat._anonymizeIp();". This ensures that IP addresses are recorded anonymously. The anonymisation of your IP address is usually done by Google Inc. shortening your IP address within the European Union or in other contracting states of the European Economic Area (EEA). In exceptional cases, your IP address is transferred to a Google Inc. server in the USA and only anonymised there. Your IP address transmitted in this process will not be merged with other Google Inc. data. As part of the Google Analytics advertising function, remarketing and performance reports according to demographic and interests are used. The purpose of these procedures is to tailor advertising measures more closely to the interests of the respective users with the help of information about user behaviour. If you have consented to having your web and app browsing history linked by Google to your Google Account and having information from your Google Account used to personalise ads, Google will use this data for cross-device remarketing. You can object at any time to the collection of your data by Google Analytics. You have the following options to do this:

Most browsers accept cookies automatically. However, you can prevent the use of cookies by adjusting your browser settings accordingly. However, you may not be able to use all of the website’s functions in this case. You must adjust the settings separately for each browser you use. You can also stop Google Inc. from recording and processing this data by downloading and installing the browser add-on available from the following link:
https://tools.google.com/dlpage/gaoptout?hl=en-GB.

Alternatively, or for browsers on mobile devices, please click on the following link: disable Google Analytics. This will create an opt-out cookie for our websites on your device in your current browser. If you delete your cookies for this browser, you will have to click the link again. The data processing, in particular the storing of cookies, is carried out with your consent on the basis of Art. 6(1)(a) GDPR. You may revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of that consent prior to its revocation.

For more information on terms of use and privacy, please visit http://www.google.com/analytics/terms/gb.html or https://policies.google.com/?hl=en-gb.

Online marketing

We process personal data for the purposes of online marketing. This may include, in particular, marketing advertising space or displaying promotional and other content (collectively, "content") based on users' potential interests and measuring its effectiveness.

Facebook pixel: The Facebook pixel, on the one hand, enables Facebook to identify the visitors to our website as a target group for displaying advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of partners cooperating with Facebook (the so-called "Audience Network" https://www.facebook.com/audiencenetwork/) who have also shown an interest in our website or who have certain characteristics (for example, interest in certain topics or products that are evident from the websites visited) that we communicate to Facebook (so-called "Custom Audiences"). By using the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interests of users and are not unwelcome. With the help of the Facebook pixel, we can further track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion measurement").

Types of data processed: Usage data (for example, websites visited, interest in content, access times), metadata/communications data (for example, device information, IP addresses), location data (information on the geographical location of a person or device).
Data subjects: Users (for example, website visitors and users of online services), interested parties.
Purposes of the processing: Tracking (for example, interest/behaviour-based profiling, use of cookies), remarketing, visit action analysis, interest-based and behaviour-based marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (for example, access statistics, identification of returning visitors), targeting (determination of target groups relevant for marketing purposes or other content output), cross-device tracking (cross-device processing of user data for marketing purposes).
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: Consent (Article 6(1)(1a) GDPR), legitimate interests (Article 6(1)(1f) GDPR).
Option to object (opt-out): Please see the privacy notices and objection options (so-called "opt-outs") for the respective providers. If no explicit opt-out option has been specified, you have the option of disabling cookies in your browser settings. This may, however, restrict the functionality of our website. We therefore also recommend the following opt-out options, offered as summaries directed at the respective areas:

Europe: https://www.youronlinechoices.eu.

Global: https://optout.aboutads.info.

Services used and service provider(s)

Google Tag Manager: Google Tag Manager is a solution we use to manage so-called website tags via an interface and thus integrate other services into our site. The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users' personal data, we refer you to the following information on Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.
Google Ads and conversion measurement: We use the Google Ads online marketing method to place ads on the Google advertising network (for example, in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads. We also measure ad conversion. However, we are only given the anonymous total number of users who clicked on our ad and were redirected to a page tagged with a so-called "conversion tracking tag". We do not receive any information that can be used to identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.
Google Ad Manager: We use the Google Marketing Platform (and services such as Google Ad Manager) to place ads on the Google advertising network (for example, in search results, in videos, on web pages, etc.). The Google Marketing Platform displays ads in real time based on presumed user interests. This allows us to display ads for and within our website in a more targeted manner to only present users with ads that potentially match their interests. If, for example, a user is shown ads for products that they were interested in on other websites, this is referred to as "remarketing". Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.

Social network (social media) presence

We maintain an online presence on social networks and process user data within this context to communicate with users active on them or provide information about us.

Please note that user data may be processed outside the European Union area during this process. This may give rise to risks for users because, for example, it could make it more difficult to enforce users' rights.

Furthermore, user data on social networks is usually processed for market research and advertising purposes. Usage profiles may be created based on usage behaviour and the user interests these demonstrate, for example. The usage profiles may, in turn, be used, for example, to display advertisements that are presumed to correspond to users' interests, both within and outside the networks. For these purposes, cookies recording users' behaviour and interests are generally stored on users' computers. Furthermore, data may also be stored in these usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed explanation of the respective forms of processing and the options for objecting (opting-out), please see the privacy policies of and information provided by the operators of the respective networks.

Requests for information and the assertion of data subject rights would also be best directed to these providers. Only the providers in each case have access to users' data and can take appropriate measures and provide information directly. You can then contact us if you still need help.

Types of data processed: Master data (for example, names, addresses), contact data (for example, email, telephone numbers), content data (for example, entries in online forms), usage data (for example, websites visited, interest in content, access times), meta/communications data (for example, device information, IP addresses).
Data subjects: Users (for example, website visitors and users of online services).
Purposes of the processing: Contact requests and communications, tracking (for example, interest/behavioural profiling, use of cookies), remarketing, reach measurement (for example, access statistics, identification of returning visitors).
Legal basis: Legitimate interests (Art. 6(1)(1f) GDPR).

Services used and service provider(s)

LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Option to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
YouTube: Social network; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Option to object (opt-out): https://adssettings.google.com/authenticated.
Xing: Social network; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; website: https://www.xing.com; Privacy policy: https://privacy.xing.com/en/privacy-policy.

Plugins and embedded functions and content

Our website contains functional elements and content obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include graphics, videos, social media buttons and posts, for example (hereinafter simply referred to as "content").

Integrating this content requires the third-party providers of said content to always process the user’s IP address since they cannot deliver the content to the user's browser without the IP address. The IP address is therefore required to display this content or functionality. We endeavour only to use content whose respective providers use the IP address for the sole purpose of delivering the content. Third-party providers may also use so-called “pixel tags” (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our website, and may be linked to similar information from other sources.

Types of data processed: Usage data (for example, websites visited, interest in content, access times), meta/communications data (for example, device information, IP addresses), location data (information on the geographical location of a device or person), content data (for example, entries in online forms), master data (for example, names, addresses), contact data (for example, email, telephone numbers).
Data subjects: Users (for example, website visitors and users of online services), communications partners.
Purposes of the processing: Provision of our website and user experience, provision of contractual and customer services, contact requests and communications, tracking (for example, interest/behavioural profiling, use of cookies), interest-based and behavioural marketing, profiling (creation of user profiles), security measures, inquiry management and responses.
Legal basis: Legitimate interests (Article 6 (1)(f) GDPR), consent (Article 6 (1)(a) GDPR), contract performance and pre-contractual requests (Article 6 (1)(1b) GDPR).

Services used and service provider(s)

Google Fonts: We integrate fonts provided by Google ("Google Fonts"), where the user's data is employed solely to display the fonts in the user's browser. This integration is based on our legitimate interests in a technologically secure, maintenance-free and efficient use of fonts in their uniform display and taking into account possible licensing restrictions for their integration. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://fonts.google.com/;
YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: www.youtube.com; Privacy policy: https://policies.google.com/privacy; Option to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en-GB, ad display settings: https://adssettings.google.com/authenticated.

Changes and updates to the Privacy Policy

Please check the content of our Privacy Policy regularly. We will adapt the Privacy Policy whenever changes in our data processing make this necessary. We will inform you if the changes require any action on your part (for example, consent) or other personalised notification.

Where we provide addresses and contact information for companies and organisations in this Privacy Policy, please note that these addresses may change over time. Please check this information before contacting us.

Last updated: 03/07/2023