Protecting your privacy while you use our website is particularly important to us. Therefore, we provide the following information regarding the personal data we collect.
1. Provider / Controller Regarding Data Security
This website is a service of
Tel.: +49 (0)40 80 80 700
represented by Mathias Hüske and Babette Roeder (Managing Directors)
registered in the Commercial Register of the Local Court of Hamburg under Commercial Register B (HRB) No. 79328
2. Data Security Officer
ecolaw Gesellschaft für Datensicherheit und Datenschutz mbH
Represented by the Managing Director, Mr Florian König
Roseggerstr. 1, D-38440 Wolfsburg
Tel. +49 (0)5361 27 29 293
Fax +49 (0)5361 27 29 296
registered in the Commercial Register of the Local Court of Brunswick under Commercial Register B (HRB) No. 203444
3. Competent Supervisory Authority
The Hamburg Commissioner for Data Protection and Freedom of Information (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, HmbBfDI), Ludwig-Erhard-Str 22, 7. OG [7th upper floor], 20459 Hamburg, tel.: 040/42854-4040, fax: 040/42854-4000, e-mail: email@example.com
4. Basic Information
We store and process your personal data (e.g. title, name, address, e-mail address, telephone number, bank information, credit card number) in compliance with the relevant statutory data protection provisions, in particular REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and on the repeal of Directive 95/46/EC (the General Data Protection Regulation – GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and other data-related laws [e.g. the Telemedia Act (Telemediengesetz – TMG)].
According to the GDPR and other regulations, data processing and use is only permitted if the GDPR or another legal provision explicitly allows it or if the data subject consents (prohibition with reservation of permission). In particular, data processing and use is only permitted according to these legal bases if
- the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
- processing is necessary for performing a contract to which the data subject is party or for implementing pre-contractual measures taken at the data subject’s request;
- processing is necessary to comply with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for protecting the legitimate interests of the controller or of a third party, except where overridden by the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data, particularly if the data subject is a child.
Accordingly, we will only use and process your personal data within the permissible scope of processing the contract or if you have given your informed consent.
As a rule, we do not share your personal data – including your mailing and e-mail address – with third parties, except for our service partners who require data to be transmitted for fulfilling the contract or if we have expressly pointed this out. In such cases, however, the scope of the transmitted data will always be limited to the necessary minimum.
5. Anonymous Data Collection
You can always visit our website without telling us who you are. We only learn the following:
- Name of your internet service provider
- Website from which you are visiting us (referrer URL)
- Pages of our website that you visit
- Date and time of data retrieval and the amount of data transferred
- Successful retrieval message
- Browser type and version of the requesting computer / end device
- Operating system of the requesting computer / end device
- IP addresses of the requesting computer / end device
This information is only evaluated for statistical purposes. As an individual user, you will always remain anonymous. As a matter of course, you will not be linked with your personal data unless you have expressly consented to this or if one of the cases listed below applies.
- Storage of the IP Address
We store the IP address transmitted by your web browser for a period of seven days and strictly for the purpose of detecting, limiting and eliminating attacks on our websites and servers. After this period elapses, we will delete or anonymise the IP address. Article 6(1)(f) GDPR is the legal basis for this.
6. General Collection of Personal Data During Visits to Our Website and Use of Our Services
Personal data will only be collected by us if you provide them voluntarily and of your own accord. For example, this may be the case within the context of an existing or prospective contractual relationship, during the application process or when contacting us. In such cases, we generally only collect the data that we are legally authorised to collect and that is absolutely necessary for rendering the services you have requested. Whenever we collect personal data from you, you will only ever be required to provide the necessary data. The mandatory data fields are always labelled as such. All other data provided by you are purely voluntary and do not need to be disclosed by you. If you provide them anyway, then, by disclosing them, you are giving us your consent that we may also store and process these data from you for the purpose stated in each instance; in some cases, we will also ask your express consent for purposes pursuant to data protection law that require express consent, which you can of course give voluntarily, which is not tied to any further requirements and can be revoked at any time for the future.
For the highest possible security of your data, they will be transmitted in encrypted form using TLS encryption. This is done to prevent the data from being misused by third parties. Your data will only be stored and processed by us on servers within the European Union. No transfer to third countries will ever take place unless we are entitled and/or obliged to do so on the basis of a statutory provision or if you have expressly consented to this in advance. However, each of these cases will also be clearly marked as such.
7. Data Processing upon Contract Performance
7.1 Purpose of Processing
You provide us with your personal data as part of our contractual relationships or in the context of pre-contractual measures. The mandatory information marked for this is the personal data required for concluding a contract with us. Of course, you are under no obligation to provide your personal data. However, unless you provide us with the data required in each instance, we will not be able to render the service you want. For some payment methods, we need the payment data that we are required to pass on to a payment service provider commissioned by us. The data you enter are therefore always processed in order to perform the contract.
7.2 Legal Basis
The legal basis for this processing is Article 6(1)(b) GDPR.
7.3 Transmission of Personal Data to Third Parties
Your personal data will not be transmitted to third parties for purposes other than those specified below. In particular, your personal data will not be transferred to third parties without your explicit consent, such as for advertising purposes.
We will only share your personal data with third parties if
- you have given your express consent to this pursuant to Article 6(1)(1)(a) GDPR;
- pursuant to Article 6(1)(1)(b) GDPR, this is necessary for processing contractual relationships with you, such as with credit institutions for processing contractually agreed payments or with lawyers and legal services providers for the purposes of law enforcement due to failure to make contractually agreed payments;
- for the case that a legal obligation exists for disclosure pursuant to Article 6(1)(1)(c) GDPR; or
- pursuant to Article 6(1)(1)(f) GDPR, transmitting the data is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest opposing the transmission of your data.
7.4 Storage Period
We will store the data required for performing the contract until the expiry of the statutory warranty periods and any contractual guarantee periods.
We will retain the data required under commercial and tax law for the periods specified by law – normally ten years (cf. Sec. 257 of the Commercial Code (Handelsgesetzbuch – HGB), Sec. 147 of the Tax Code (Abgabenordnung – AO)).
We will immediately delete e-mail addresses that we have only received for sending newsletters as soon as you unsubscribe from the newsletter.
Although our website does not use any social plugins of the Facebook social network, it does link to our company profile (hereinafter “fan page”) on the Facebook website, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Ireland (hereinafter “Facebook”). Whenever you are logged into Facebook with your profile and click on the link to our fan page on Facebook, Facebook will associate your visit to our fan page with your profile. The same is true of other actions, such as when you use the “Share” or “Like” functions. If you do not want this, you will need to log out of your Facebook profile before clicking on the link.
Facebook processes your personal data when you visit our fan page. While we are the owner of the fan page, we have no influence on the data processing performed by Facebook. You can learn which personal data are processed by Facebook and what data protection rights you have vis-à-vis Facebook in Facebook’s data protection notices, which you can view at the following link: https://www.facebook.com/about/privacy
Our website contains a link to our company profile (hereinafter “fan page”) on Twitter. This service is provided by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (hereinafter “Twitter”). No data are transmitted to Twitter if you simply visit our website. When you click on the link to our fan page (Twitter logo), you will automatically be redirected to our company profile on Twitter. If you are logged in with your Twitter profile, Twitter will associate your visit to our Twitter page with your profile. You can prevent this by logging out of your Twitter profile before visiting our site.
Twitter processes your personal data when you visit our fan page. While we are the owner of the fan page, we have no influence on the data processing performed by Twitter. You can learn which personal data are processed by Twitter and what data protection rights you have vis-à-vis Twitter in Twitter’s data protection notices, which you can view at the following link: https://twitter.com/de/privacy
Our website contains a link to our company profile (hereinafter “fan page”) on XING. This service is provided by XING SE, Dammtorstraße 30, 20354 Hamburg, Germany (hereinafter “XING”). No data are transmitted to XING if you simply visit our website. When you click on the link to our company profile (XING logo), you will automatically be redirected to our company profile on XING. If you are logged in with your XING profile, XING will associate your visit to our XING page with your profile. You can prevent this by logging out of your XING profile before visiting our XING page.
XING processes your personal data when you visit our company profile. While we are the owner of the company profile, we have no influence on the data processing performed by XING. You can learn which personal data are processed by XING and what data protection rights you have vis-à-vis XING in XING’s data protection notices, which you can view at the following link: https://www.xing.com/privacy
Our website contains a link to our company profile on LinkedIn. This service is provided by the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter “LinkedIn”). No data are transmitted to LinkedIn if you simply visit our website. When you click on the link to our company profile (LinkedIn logo), you will automatically be redirected to our company profile on LinkedIn. If you are logged in with your LinkedIn profile, LinkedIn will associate your visit to our LinkedIn page with your profile. You can prevent this by logging out of LinkedIn before visiting our LinkedIn page.
LinkedIn processes your personal data when you visit our company profile. While we are the owner of the company profile, we have no influence on the data processing performed by LinkedIn. You can learn which personal data are processed by LinkedIn and what data protection rights you have vis-à-vis LinkedIn in LinkedIn’s data protection notices, which you can view at the following link: https://www.linkedin.com/legal/privacy-policy
If you apply for a job with us, we will, of course, treat your application and the personal data it contains confidentially. We will only pass on your application internally and only to those persons for whom knowledge of it is required during the hiring process (e.g., the HR department and the relevant department heads).
Your application documents and the personal data contained therein will be stored and processed on our servers and systems for the purpose of handling your application and carrying out the application process. After the application process is complete, your application documents and personal data will be stored for six months for in-house reasons and then fully erased. The purpose of storing them is to enable your application procedure to be processed properly, among other things. The legal basis for this is our legitimate interest according to Article 6(1)(f) GDPR. We will not provide any further information after the data have been erased. If you have given us your express consent to include you in the applicant pool, we will store your application and the personal data contained therein for up to 24 months after the application process is complete in order to consider you for comparable/similar job offers. The legal basis in this case is your consent according to Article 6(1)(a) GDPR.
14. Applicant Portal
To simplify the application process for job seekers and ensure that applications are processed quickly, we use the services of Personio GmbH and its identically named software solution for online application data processing and preparation. Personio GmbH, Rundfunkplatz 4, 80335 Munich (hereinafter “Personio”) is responsible for rendering this service and handling the associated data processing. You can find the Personio GmbH data protection policy here: https://www.personio.de/datenschutz/
When an application is submitted via the contact forms in the career section of the website (https://eos-uptrade.jobs.personio.de/), the data from the input screen, such as first name, last name, e-mail address, telephone number, gender, available from, expected salary and the application documents uploaded by the applicant (e.g., CV and other documents), are transmitted to Personio GmbH. As a result, the service provider commissioned receives, processes and prepares the data sent with the submission of an application, including the applicant data and application documents. We have concluded an order processing contract with Personio GmbH.
When an application is submitted via the contact form, your consent (Article 6(1)(a) GDPR) to the processing of the application data is obtained and reference is made to this data protection policy. In this case, we transmit the user’s personal data included in the e-mail to Personio GmbH. According to Personio GmbH, the use of the Personio software solution does not result in personal data being transferred to third countries. Personio affirms that it uses a trusted subcontractor within the EU to provide its cloud-based services. You can find more information in the Personio GmbH data protection policy: https://www.personio.de/datenschutz/.
Alternatively, you can contact us at the e-mail address: firstname.lastname@example.org.
15. Linking to External Content
16. Revoking Your Consent
If you have given us your consent under data protection law for certain data uses and/or services, you can naturally revoke this consent at any time with future effect. To do so, simply send a message to the following address:
Tel.: +49 (0)40 80 80 700
17. Your Rights as a Data Subject
As a data subject, you have various rights concerning your personal data. As the controller, we have taken appropriate measures here to provide you, the data subject, with all information pursuant to Articles 13 and 14 GDPR and all notices pursuant to Articles 15 to 22 and Article 34 GDPR which relate to the data processing in a precise, transparent, comprehensible and easily accessible form in plain and simple language; this particularly applies to information that is specifically aimed at children. The information will be communicated in writing or in another form, such as electronically. If you so desire, the information can also be disclosed verbally, provided that your identity as the data subject has been verified another way.
Of course, among other things, you have the right to request information in writing or electronically about the personal data stored about you and its origin, the recipient(s) to whom the data is passed on and the purpose for which it is being stored at any time. Moreover, you are entitled to demand that incorrect data be rectified and, if the legal requirements for this are met, that your data be erased or blocked. To do so, simply send a message to the following address:
Tel.: +49 (0)40 80 80 700
Specifically, you have the following rights:
17.1 Right to Confirmation and Information
You can request confirmation from the controller as to whether or not we have processed personal data about you.
If data about you has been processed, you can ask us to inform you of the following:
- the purposes for which the personal data is being processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom your personal data was disclosed or will be disclosed;
- the planned duration of the storage of your personal data or, if specific information is not available here, criteria for determining the duration of storage;
- the existence of a right to rectification or erasure of your personal data, a right to the restriction of processing by us or a right to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- all available information on the source of the data if the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling pursuant to Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved along with the significance and envisaged consequences of such processing for the data subject.
You also have the right to request information on whether or not your personal data are being transmitted to a third country or an international organisation. In this context, you can ask to be informed about suitable guarantees pursuant to Article 46 GDPR in connection with the transmission of the data.
17.2 Right to Rectification
You have a right to demand that we rectify and/or complete any processed personal data of yours that are incorrect or incomplete. Of course, we will be required to rectify the data promptly.
17.3 Right to Restriction of Processing
You can request that the processing of your personal data be restricted under the following conditions:
- if you contest the accuracy of your personal information for a period of time that enables us to verify the accuracy of the personal data;
- if the processing is unlawful and if you oppose the erasure of the personal data and request that the use of your personal data be restricted instead;
- if we no longer need the personal data for processing purposes, but you need them for establishing, exercising or defending against legal claims; or
- if you have objected to the processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the legitimate reasons to which we are entitled outweigh your reasons.
If the processing of your personal data has been restricted, these data can only be processed – with the exception of storing them – by us or authorised third parties with your consent or for the purpose of asserting, exercising or defending against legal claims or protecting the rights of another natural person or legal entity or for reasons of important public interest of the European Union or a Member State.
If processing has been restricted according to the preceding conditions, we will inform you before the restriction is lifted.
17.4 Right to Erasure
- Obligation to Erase
You can request that we immediately erase your personal data, and we will be obligated to immediately erase said data, provided that one of the following reasons applies:
- Your personal data are no longer required for the purposes for which they were collected or otherwise processed.
- You revoke your consent, which was based on processing pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for processing.
- You object to processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- Your personal data have been processed illegally.
- Erasure of your personal data is required in compliance with a legal obligation according to the law of the EU or its Member States to which we are subject.
- Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
- Information Sent to Third Parties
If we have publicised your personal data and are obligated to erase them pursuant to Article 17(1) GDPR, we will take appropriate measures, taking the available technology and implementation costs into account, including technical means, to inform data controllers in charge of processing personal data that you as the data subject have asked that they erase all links pertaining to these personal data or copies or replications of these personal data.
There is no right to erasure if processing is required
- to exercise the right to free expression and information;
- to fulfill a legal obligation to perform such processing as required by the law of the European Union or the Member States to which we are subject or to carry out a task in the public interest or to exercise official authority delegated to us;
- for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) along with Article 9(3) GDPR;
- for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, to the extent that the law referred to in section a) is likely to render impossible or have a serious detrimental effect on the achievement of the objectives of such processing; or
- to assert, exercise or defend against legal claims.
17.5 Right to Information
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis us, we shall be obligated to notify all recipients to which your personal data were disclosed of this rectification or erasure of the data or restriction of processing, unless this proves to be impossible or involves an unreasonable effort or expense.
You have the right to ask us to inform you concerning these recipients.
17.6 Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, standard and machine-readable format. In addition, you also have the right to transfer these data to another controller without any hindrance, provided that
- the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) GDPR; and
- processing is conducted using automated procedures.
In exercising this right, you also have the right to instigate that your personal data be directly transmitted by us to another controller, insofar as this is technically feasible. The freedoms and rights of other persons may not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or which occurs in the exercising of official authority delegated to us.
17.7 Right to Object
You have the right to object at any time, for reasons that arise from your particular situation, to the processing of your personal data which is conducted in accordance with Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
We will then no longer process your personal data unless we can verify compelling grounds for processing which are worthy of protection and override your interests, rights and freedoms or unless processing them serves the process of asserting, exercising or defending against legal claims.
If your personal data are processed to engage in direct advertising, you have the right to object to this processing of your personal data for the purpose of such advertising at any time; this also applies to any profiling associated with such direct advertising.
If you object to your personal data being used for direct advertising, they will no longer be processed for these purposes.
Regardless of Directive 2002/58/EC, you have the option – in connection with the use of information society services – of exercising your right to object using automated procedures for which technical specifications are used.
17.8 Right to Revoke Consent under Data Protection Law
You have the right to revoke your consent under data protection law at any time. Revoking your consent does not affect the legality of processing data based on consent up until the revocation was issued.
17.9 Automated Individual Decision-Making, Including Profiling
You have the right not to be subjected to a decision-making process based solely on automated processing – including profiling – which will have a legal effect on you or a significantly adverse effect on you in a similar manner. This does not apply if the decision
- a.) is necessary for the entering into or performance of a contract between you and us,
- b.) is permissible based on European Union or Member State legislation to which we are subject and if these statutory provisions contain suitable measures to safeguard your rights and freedoms and your legitimate interests or
- c.) is made with your explicit consent.
However, these decisions may not be based on special categories of personal data according to Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.
Regarding the cases referred to in a.) and c.), we will take appropriate measures to uphold your rights and freedoms and your legitimate interests.
17.10 Right to Lodge a Complaint with a Supervisory Authority
Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your abode, place of work or place of alleged violation if you are of the opinion that the processing of your personal data violates the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.
18. E-Mail Advertising
If you have registered separately for the newsletter, your e-mail address will be used for our own advertising purposes until you unsubscribe from the newsletter. You can unsubscribe at any time without incurring any costs other than the transmission costs according to the base rates of your access provider. You can unsubscribe at any time directly via the newsletter or by sending an e-mail to email@example.com.
19. Further Information
If you have any other questions or suggestions for us on the topic of “data protection” or if you would like information about your data or want to have any data corrected or deleted, please write an e-mail or letter to:
Tel.: +49 (0)40 80 80 700
Hamburg, March 2022