Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also briefly referred to as "data") we process, for which purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Date of last update: June 27, 2025
Table of Contents
- Preamble
- Controller
- Data Protection Officer Contact
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Business Processes and Procedures
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Newsletters and Electronic Notifications
- Online Marketing
- Customer Reviews and Rating Procedures
- Social Media Presences
- Plugins and Embedded Functions and Content
- Processing of Data in Employment Relationships
- Application Procedures
- Whistleblower Privacy Information
- Changes and Updates
- Definitions of Terms
Controller
Sebastian Enger
CountR GmbH
Fahrenheitstrasse 6
D-14532 Kleinmachnow
Germany
Authorized representatives: Thomas Schulze (CFO)
Email:
sebastian.enger@countr.de
Phone:
+49 33203 87999 19
Imprint:
www.countr.de/legal/imprint
Data Protection Officer Contact
Sebastian Enger
sebastian.enger@countr.de
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of Data Processed
- Master data
- Employee data
- Payment data
- Location data
- Contact data
- Content data
- Contract data
- Usage data
- Meta, communication, and procedural data
- Social data
- Applicant data
- Image and/or video recordings
- Log data
- Performance and behavior data
- Working time data
- Salary data
Special Categories of Data
- Health data
- Religious or philosophical beliefs
- Trade union membership
Categories of Data Subjects
- Service recipients and clients
- Employees
- Interested parties
- Communication partners
- Users
- Applicants
- Business and contractual partners
- Third parties
- Whistleblowers
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations
- Communication
- Security measures
- Direct marketing
- Reach measurement
- Tracking
- Office and organizational procedures
- Conversion measurement
- Target group formation
- Organizational and administrative procedures
- Application procedures
- Feedback
- Marketing
- Profiling with user-related information
- Provision of our online offering and user friendliness
- Establishment and execution of employment relationships
- IT infrastructure
- Whistleblower protection
- Financial and payment management
- Public relations
- Sales promotion
- Business processes and economic procedures
Relevant Legal Bases
Relevant legal bases under the GDPR: Below is an overview of the GDPR legal bases on which we process personal data. Please note that in addition to the GDPR, national data protection regulations in your or our country of residence or headquarters may apply. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 (1) lit. a GDPR) – The data subject has given consent to the processing of personal data for one or more specific purposes.
- Performance of contract and pre-contractual inquiries (Art. 6 (1) lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6 (1) lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 (1) lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.
- Application procedures as pre-contractual or contractual relationship (Art. 6 (1) lit. b GDPR) – To the extent that special categories of personal data (Art. 9 (1) GDPR) are collected during the application process (e.g., health data such as disability status or ethnic origin), processing is carried out under Art. 9 (2) lit. b GDPR for the establishment, exercise, or defense of legal claims in the field of employment law or social security and social protection law, or under Art. 9 (2) lit. c GDPR in case of vital interests, or under Art. 9 (2) lit. h GDPR for health care or occupational medicine purposes. If special categories of data are provided on the basis of consent, processing is based on Art. 9 (2) lit. a GDPR.
- Processing of special categories of personal data relating to health care, employment, and social security (Art. 9 (2) lit. h GDPR) – Processing is necessary for health care, occupational medicine, assessing work capacity, medical diagnosis, care or treatment in health or social care, or management of systems and services in health or social care under Union or Member State law or a contract with a health professional.
National data protection regulations in Germany: In addition to the GDPR, national data protection laws such as the Federal Data Protection Act (BDSG) apply. The BDSG contains special rules on the right of access, right to erasure, right to object, processing of special categories, processing for other purposes, transfer, and automated decision-making including profiling. Furthermore, state data protection laws may apply.
Note on applicability of the GDPR and Swiss FADP: These privacy notes serve both the Swiss Federal Act on Data Protection (FADP) and the GDPR. For clarity and broader applicability, we use GDPR terminology (“processing” instead of “handling” of “personal data,” “legitimate interest” instead of “overriding interest,” and “special categories of data” instead of “particularly sensitive personal data”). The legal meaning of terms under Swiss law remains subject to the FADP.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, and the varied likelihood and severity of risks to the rights and freedoms of natural persons to ensure a level of security appropriate to the risk.
These measures include safeguarding confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as input, transmission, availability, and separation of data. We have established procedures to ensure data subject rights, data deletion, and responses to data threats. We also take data protection into account during the development or selection of hardware, software, and procedures according to the principles of privacy by design and by default.
Securing online connections using TLS/SSL encryption (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. SSL and TLS are the cornerstones of secure data transmission on the Internet. These technologies encrypt information exchanged between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that data transmissions meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by “HTTPS” in the URL, signaling to users that their data is transmitted securely and encrypted.
General Information on Data Storage and Deletion
We delete personal data processed by us in accordance with legal requirements as soon as the underlying consent is withdrawn or no other legal basis for processing exists. This applies when the original purpose no longer exists or the data is no longer needed. Exceptions exist if legal obligations or specific interests require longer retention or archiving.
In particular, data that must be retained for commercial or tax law reasons or for legal claims or protection of rights of others is archived accordingly.
Our privacy notes contain additional information on retention and deletion periods specifically applicable to certain processing activities.
If multiple retention or deletion periods are given, the longest period applies. Data retained for other reasons is processed solely for those reasons justifying retention.
Retention and Deletion of Data: The following general periods apply under German law:
- 10 years – Retention of books, records, annual financial statements, inventories, management reports, opening balance sheets, and related documents (§ 147 (1) No. 1 in conjunction with (3) AO; § 14b (1) UStG; § 257 (1) No. 1 in conjunction with (4) HGB).
- 8 years – Retention of booking records, such as invoices and receipts (§ 147 (1) No. 4 and 4a in conjunction with (3) AO; § 257 (1) No. 4 in conjunction with (4) HGB).
- 6 years – Other business documents: received and sent business letters, other tax-relevant documents (e.g., timesheets, cost accounting records, price lists, payroll records, cash register receipts) (§ 147 (1) No. 2, 3, 5 in conjunction with (3) AO; § 257 (1) No. 2 and 3 in conjunction with (4) HGB).
- 3 years – Data required for potential warranty and similar claims or rights, based on regular statutory limitation periods (§§ 195, 199 BGB).
Start of period at end of the year: If a period of at least one year does not start on a specific date, it starts at the end of the calendar year in which the triggering event occurred. For ongoing contractual relationships, the triggering event is termination or expiration of the relationship.
Rights of Data Subjects
Rights of data subjects under the GDPR: Under Articles 15 to 21 GDPR, data subjects have the following rights:
- Right to object: You have the right to object at any time to processing of personal data based on Art. 6 (1) lit. e or f GDPR, including profiling; this also applies to direct marketing.
- Right to withdraw consent: You may withdraw consent at any time.
- Right of access: You may request confirmation of whether data concerning you is processed and access to that data, along with information and copies.
- Right to rectification: You may request completion or correction of inaccurate or incomplete personal data.
- Right to erasure and restriction: You may request deletion of data or restriction of processing under conditions set by law.
- Right to data portability: You have the right to receive data you provided in a structured, commonly used, machine-readable format, or request its transfer to another controller.
- Complaint to supervisory authority: You may lodge a complaint with a supervisory authority, especially in the Member State of your habitual residence, your workplace, or the alleged infringement.
Business Services
We process data of our contractual and business partners, such as customers and prospects (collectively "contractual partners"), in the context of contractual and similar relationships and related measures, and for communication (including pre-contractual inquiries).
We use this data to fulfill our contractual obligations, such as providing agreed services, updates, and remedying defects. We also use the data to safeguard our rights and for administrative tasks and corporate organization. Furthermore, we process data based on our legitimate interests in proper business management and security measures to protect our contractual partners and business operations from abuse and threats (e.g., involving telecom, transport and other service providers, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Under applicable law, we share partner data with third parties only as necessary for these purposes or to fulfill legal obligations. Further processing, such as marketing, is described separately in this privacy policy.
We inform partners which data are required for the above purposes before or during data collection, e.g., in online forms with special markings (e.g., colors or symbols) or personally.
We delete data after legal warranty and comparable obligations expire, typically after four years, unless data remain in a customer account or must be retained for legal reasons (e.g., tax purposes for ten years). Data disclosed by partners under contract are deleted according to contractual requirements at end of the engagement.
- Processed data types: Master data (e.g., full name, address, contact info, customer number); payment data (e.g., bank details, invoices, payment history); contact data (e.g., mailing and email addresses, phone numbers); contract data (e.g., subject matter, term, customer category).
- Data subjects: Service recipients and clients; prospects; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and economic procedures.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion".
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) lit. b GDPR); legal obligation (Art. 6 (1) lit. c GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
Business Processes and Procedures
Personal data of service recipients and clients – such as customers, clients, or in special cases, principals, patients, or business partners, and other third parties – are processed in the context of contractual and similar legal relationships and pre-contractual measures. This supports and facilitates business operations in customer management, sales, payment transactions, accounting, and project management.
The data collected serve to fulfill contractual obligations and streamline business processes, including transactions, customer relationship management, sales optimization, and internal accounting and finance processes. The data also support the rights of the controller and administrative tasks and corporate organization.
Personal data may be shared with third parties if necessary for these purposes or legal obligations. After statutory retention periods expire or the purpose lapses, data are deleted, including data requiring longer storage for tax and legal compliance.
- Processed data types: Master data; payment data; contact data; content data; contract data; log data; usage data; meta, communication, and procedural data; employee data.
- Data subjects: Service recipients and clients; prospects; communication partners; business and contractual partners; third parties; users (e.g., website visitors, online service users); employees.
- Purposes of processing: Provision of contractual services; office and organizational procedures; business processes and economic procedures; communication; marketing; sales promotion; financial and payment management; IT infrastructure.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion".
- Legal bases: Contract performance (Art. 6 (1) lit. b GDPR); legitimate interests (Art. 6 (1) lit. f GDPR); legal obligation (Art. 6 (1) lit. c GDPR).
Further notes on processing activities, procedures, and services:
- Contact management: Processes for organizing, maintaining, and securing contact information (e.g., central database setup, updates, data integrity checks, access controls, backups, employee training, communication history reviews). Legal bases: Contract performance (Art. 6 (1) lit. b GDPR), legitimate interests (Art. 6 (1) lit. f GDPR).
- General payment transactions: Processes for conducting payments, monitoring accounts, and controlling payment flows (e.g., transfers, direct debits, account reconciliations, cash management). Legal basis: Contract performance (Art. 6 (1) lit. b GDPR), legitimate interests (Art. 6 (1) lit. f GDPR).
- Accounts payable/receivable: Processes for recording and controlling business transactions in accounts payable and receivable (e.g., invoices, dunning, account reconciliation). Legal basis: Contract performance (Art. 6 (1) lit. b GDPR), legal obligation (Art. 6 (1) lit. c GDPR), legitimate interests (Art. 6 (1) lit. f GDPR).
- Financial accounting and taxes: Processes for financial postings, tax calculations, reporting, and payments (e.g., quarterly/annual financial statements, tax filings). Legal basis: Contract performance (Art. 6 (1) lit. b GDPR), legal obligation (Art. 6 (1) lit. c GDPR), legitimate interests (Art. 6 (1) lit. f GDPR).
- Sales: Processes for marketing and selling products/services (e.g., lead generation, offer management, order processing, customer consulting, sales analysis). Legal basis: Contract performance (Art. 6 (1) lit. b GDPR), legitimate interests (Art. 6 (1) lit. f GDPR).
- Marketing, advertising, and sales promotion: Processes for market analysis, campaign planning and execution, content production, online marketing (SEO, social media), events, loyalty programs, performance measurement. Legal basis: Legitimate interests (Art. 6 (1) lit. f GDPR).
Provision of the Online Offering and Web Hosting
We process user data to provide our online services. We process the user’s IP address to transmit content and functionality to the user's browser or device.
- Processed data types: Usage data; meta, communication, and procedural data; log data.
- Data subjects: Users (e.g., website visitors, online service users).
- Purposes of processing: Provision of our online offering and user friendliness; IT infrastructure.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR).
Further notes on processing activities, procedures, and services:
- Hosting on rented servers: We use rented or otherwise provided storage, compute capacity, and software from a server provider ("web hoster"). Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR).
- STRATO: IT infrastructure services (storage, compute capacity); Provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal basis: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.strato.de ; Data processing agreement: Provided by the provider.
Use of Cookies
"Cookies" are functions that store and read information on users’ devices. Cookies serve functional, security, comfort, and analytics purposes. We use cookies according to legal requirements. We obtain user consent where necessary; otherwise, we rely on legitimate interests. This applies when storage and access are essential to provide requested content and functionality, e.g., saving settings and ensuring security. Consent can be withdrawn anytime. We clearly inform about scope and types of cookies used.
Legal bases: Cookie processing depends on consent (Art. 6 (1) lit. a GDPR). Without consent, we rely on legitimate interests as explained above.
Retention periods:
- Session cookies: Deleted when the user closes the browser or app.
- Persistent cookies: Remain after closing the browser to retain login status and preferences. If not specified, assume up to two years retention.
Withdrawal and objection (opt-out): Users can withdraw consent and object via browser privacy settings.
- Processed data types: Meta, communication, and procedural data.
- Data subjects: Users.
- Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); consent (Art. 6 (1) lit. a GDPR).
Contact and Inquiry Management
When you contact us (e.g., by mail, contact form, email, phone, or social media) and in ongoing user and business relationships, we process provided data to answer inquiries and related measures.
- Processed data types: Master data; contact data; content data; usage data; meta, communication, and procedural data.
- Data subjects: Communication partners.
- Purposes of processing: Communication; organizational procedures; feedback; provision of our online offering and user friendliness.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); contract performance and pre-contractual inquiries (Art. 6 (1) lit. b GDPR).
Newsletters and Electronic Notifications
We send newsletters and other electronic notifications ("newsletters") only with recipient consent or a legal basis. If subscription content is described, that content forms part of the consent. Usually, your email address suffices for subscription. To personalize service, we may request your name or other information.
Deletion and restriction: Unsubscribed emails may be stored for up to three years for proof of consent purposes, limited to defense against claims. You may request deletion at any time. For permanent obligations to respect objections, unsubscribed addresses may remain on a suppression list.
Subscription logging is based on legitimate interests for proof of valid procedure. If we engage a service provider, this is based on legitimate interests in efficient and secure mailing.
- Processed data types: Master data; contact data; meta, communication, and procedural data; usage data.
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (via email or post).
- Legal bases: Consent (Art. 6 (1) lit. a GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
- Opt-out: You can unsubscribe via links in each newsletter or contact us (preferably by email).
Further notes on processing activities, procedures, and services:
- CleverReach: Email delivery and automation; Provider: CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany; Legal basis: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.cleverreach.com/de/datenschutz/ ; Data processing agreement: Provided by the provider.
Online Marketing
We process personal data for online marketing, including advertising space marketing and displaying promotional or other content based on potential user interests and measuring effectiveness.
For these purposes, we create user profiles and store them in cookies or use similar methods. Profiles include viewed content, visited sites, networks used, communication partners, browser, system, usage times, and, with consent, location data. IP addresses are stored but pseudonymized. No personal identifiers (e.g., email, name) are stored; providers only see pseudonyms.
Profile data are stored in cookies or similar technologies and can be read by other sites using the same marketing method for content display and analysis, supplemented by additional data on the provider’s server.
In rare cases, clear data may be linked if users are members of a social network used for marketing and the network links profiles with identifiers. Users may conclude additional agreements with providers during registration.
We generally receive only aggregated data on ad performance, but conversion measurements allow us to see which marketing led to conversions (e.g., contract closures). Conversion data are used solely for marketing success analysis.
Unless otherwise stated, assume that cookies are stored for up to two years.
Legal bases: Where we obtain user consent, processing is based on consent; otherwise, on legitimate interests in efficient, economical, and user-friendly services. See cookie use section above.
Withdrawal and objection:
See providers’ privacy notices and opt-out options. If none provided, you can disable cookies in your browser settings. This may limit functionality. We recommend the following regional opt-outs:
a) Europe https://www.youronlinechoices.eu
b) Canada https://www.youradchoices.ca/choices
c) USA https://www.aboutads.info/choices
d) Cross-region https://optout.aboutads.info
- Processed data types: Usage data; meta, communication, and procedural data.
- Data subjects: Users.
- Purposes of processing: Reach measurement; tracking; target group formation; marketing; profiling; conversion measurement.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion"; cookies up to two years.
- Security measures: IP masking.
- Legal bases: Consent (Art. 6 (1) lit. a GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
Further notes on processing activities, procedures, and services:
- Google Ads and conversion measurement: Advertising within Google’s network; only anonymous performance data received. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://marketingplatform.google.com ; Privacy Policy: https://policies.google.com/privacy . Data transfer basis: Data Privacy Framework; Standard Contractual Clauses. More info: https://business.safety.google/adsservices/ . SCCs: https://business.safety.google/adscontrollerterms .
- Enhanced conversions for Google Ads: If users convert after ad clicks, hashed user data (email, name, address, phone) may be sent to Google for performance analysis. Legal basis: Consent (Art. 6 (1) lit. a GDPR); More info: https://support.google.com/google-ads/answer/9888656 ; Website: https://www.strato.de . Data processing agreement: Provided by the provider.
Customer Reviews and Rating Procedures
We participate in review and rating procedures to evaluate, optimize, and promote our services. Reviews require registration on platform providers, whose terms and privacy policies apply.
To ensure reviewers are genuine customers, we share necessary data (name, email, order/item number) with platforms with customer consent solely for authenticity verification.
- Processed data types: Contract data; usage data; meta, communication, and procedural data.
- Data subjects: Service recipients; users.
- Purposes of processing: Feedback; marketing.
- Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR).
Further notes on processing activities, procedures, and services:
- Rating widgets: Embedded content from widget providers showing current ratings. This establishes connections to the provider’s servers, transferring access data (including IP) for real-time display and analytics. Provider may store pseudonymous browsing data in cookies for research/marketing. Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR).
- kununu: Rating platform; Provider: XING AG, Dammtorstraße 29–32, 20354 Hamburg, Germany; Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.kununu.com/de ; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung .
Social Media Presences
We maintain online presences on social networks and process user data to communicate and provide information.
Processing may occur outside the EU, which may limit enforcement of data subject rights.
Within social networks, user data are used for market research and advertising. Usage profiles based on behavior and interests may be created, stored in cookies, and linked to devices or accounts. Profile data can be used for targeted advertising within and outside networks.
For detailed processing and opt-out options, see the social networks’ privacy policies and notices.
Data subject rights and requests are most effectively pursued directly with the platform providers. If you need assistance, contact us.
- Processed data types: Contact data; content data; usage data.
- Data subjects: Users.
- Purposes of processing: Communication; feedback; public relations.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR).
Further notes on processing activities, procedures, and services:
- Instagram: Photo and video sharing, comments, likes, messaging; Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.instagram.com ; Privacy Policy: https://privacycenter.instagram.com/policy/ .
- Facebook Pages: We are joint controllers with Meta Platforms Ireland Limited for data collection (not further processing) of page visitors (fan page). Data include content interactions and device info. Facebook also provides Page Insights under a joint controller addendum. Users’ rights remain intact. Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.facebook.com ; Privacy Policy: https://www.facebook.com/privacy/policy/ . Data transfer basis: Data Privacy Framework; Standard Contractual Clauses ( https://www.facebook.com/legal/EU_data_transfer_addendum ).
- LinkedIn: We are joint controllers with LinkedIn Ireland Unlimited Company for visitor data collection for Page Insights. Data include content interactions, device info, and profile attributes (role, industry, etc.). A joint controller addendum governs data handling. Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.linkedin.com ; Privacy Policy: https://www.linkedin.com/legal/privacy-policy ; Data transfer basis: Data Privacy Framework; Standard Contractual Clauses ( https://legal.linkedin.com/dpa ); Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out .
Plugins and Embedded Functions and Content
We embed functional and content elements (e.g., graphics, videos, maps) from third-party servers. Embedding requires the provider to process user IP addresses to deliver content. We aim to use providers who only use IP addresses for delivery. Third parties may also use pixel tags (web beacons) for analytics or marketing, which can store pseudonymous data in cookies and may be combined with other sources.
Legal bases: If we obtain user consent, processing is based on consent; otherwise, on legitimate interests in efficient, economical, and user-friendly services. See the cookies section.
- Processed data types: Usage data; meta, communication, and procedural data; location data.
- Data subjects: Users.
- Purposes of processing: Provision of our online offering and user friendliness.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion"; cookies up to two years.
- Legal bases: Consent (Art. 6 (1) lit. a GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
Further notes on processing activities, procedures, and services:
- Google Maps: Embedded maps processing IP and location data; Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6 (1) lit. a GDPR); Website: https://mapsplatform.google.com/ ; Privacy Policy: https://policies.google.com/privacy ; Data transfer basis: Data Privacy Framework.
- Google Maps APIs and SDKs: Interfaces for geocoding, routing, and location services; Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6 (1) lit. a GDPR); Website: https://mapsplatform.google.com/ ; Privacy Policy: https://policies.google.com/privacy ; Data transfer basis: Data Privacy Framework.
Processing of Data in Employment Relationships
Within employment relationships, we process personal data to establish, manage, and terminate such relationships efficiently. This supports administrative and operational functions necessary for employee management.
Data processing covers contract negotiation to termination, including time tracking, access management, personnel development, payroll, and salary administration. Processing also supports legitimate employer interests such as workplace safety and performance evaluation. Data disclosure in external communications is limited to necessary scenarios.
Processing complies with legal frameworks aiming to create and maintain a fair, efficient work environment, including anonymization or deletion when purposes are fulfilled or retention periods expire.
- Processed data types: Employee data; payment data; contract data; master data; contact data; content data; social data; log data; performance and behavior data; working time data; salary data; image/video recordings; usage data; meta, communication, and procedural data.
- Special categories: Health data; religious or philosophical beliefs; trade union membership.
- Data subjects: Employees (including applicants, temporary staff, and other workers).
- Purposes of processing: Establishment and performance of employment relationships; business processes; service provision; public relations; security measures; office and organizational procedures.
- Legal bases: Contract performance (Art. 6 (1) lit. b GDPR); legal obligation (Art. 6 (1) lit. c GDPR); legitimate interests (Art. 6 (1) lit. f GDPR); special categories for health care, employment, and social security (Art. 9 (2) lit. h GDPR).
Further notes on processing activities, procedures, and services:
- Time tracking: Manual and automated tracking of working hours, breaks, overtime, absences, and validation against schedules. Reports support management and HR. Legal bases: Contract performance (Art. 6 (1) lit. b GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
- Access management: Defining and auditing user roles and permissions. Legal bases: Contract performance (Art. 6 (1) lit. b GDPR); legal obligation (Art. 6 (1) lit. c GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
- Special categories: Processing of health, trade union, and religious data for legal or contractual obligations. Legal bases: Contract performance; legal obligation; legitimate interests.
- Data sources: Data from applicants/employees and, where legally required, external organizations (e.g., tax authorities, health insurers). Legal bases: Legal obligation; legitimate interests.
- Purposes: Employment management; legal compliance; regulatory reporting; internal reporting; defense of claims. Legal bases: Contract performance; legal obligation; legitimate interests.
- Internal data sharing: Only departments requiring data for duties. External sharing only if legally required or with consent (e.g., banks, insurers, courts, tax and legal advisors). Legal bases: Contract performance; legitimate interests.
- Data transfers to third countries: Only when necessary, legally required, or with consent; details provided as required. Legal bases: Legitimate interests.
- Business travel and expenses: Booking, expense management, and reporting. Legal bases: Contract performance; legal obligation; legitimate interests.
- Payroll: Calculation, payment, and documentation of wages and salaries, tax and social security contributions. Legal bases: Contract performance; legal obligation.
- Deletion of employee data: Deleted when no longer needed unless retention is required by law or employer interests. The following statutory retention periods apply:
  - General personnel files: up to 3 years post-employment (§ 195 BGB)
  - Tax-relevant personnel documents: 6 years (§ 147 AO; § 257 HGB)
  - Payroll documentation for insurance: 5 years (§ 165 SGB VII)
  - Salary lists and special payments: 10 years (§ 147 AO; § 257 HGB)
  - Payroll accounts: 6 years (§ 41 (9) EStG)
  - Applicant data: up to 6 months after rejection
  - Working time records (>8h/day): 2 years (§ 16 (2) ArbZG)
  - Maternity protection documents: 2 years (§ 27 (5) MuSchG)
- Personnel file management: Organization and maintenance of employee records. Legal bases: Contract performance; legal obligation; legitimate interests; special categories.
- Personnel development: Training and performance evaluations. Legal bases: Contract performance; legal obligation; legitimate interests; special categories.
- Mandatory data provision: Employees informed of required data collection for contract performance or legal obligations. Legal bases: Contract performance; legal obligation; legitimate interests.
- Publication of employee data: Only when necessary for job duties or with consent or legitimate interests (e.g., event photos). Legal bases: Contract performance; legitimate interests.
Application Procedures
The application process requires applicants to provide the data necessary for evaluation, as specified in the job description or the online form.
Required information includes personal details (name, address, contact), qualifications, and any additional requested data. Upon request, we provide details of required information.
Applicants may submit applications via our encrypted online form or by email (not guaranteed secure). We recommend using the online form.
We may use applicant management or recruitment platforms in compliance with legal requirements.
Applicants can inquire about submission methods or send applications by post.
Processing of special categories of data: If applicants provide special categories of data (Art. 9 (1) GDPR), processing occurs to exercise rights and obligations under employment and social security law, for vital interests, health care, or occupational medicine.
Data deletion: Applicant data for unsuccessful applications are deleted no later than six months after rejection or upon withdrawal. Data of successful applicants continue to be processed for employment purposes. Travel expense invoices are retained per tax law.
Inclusion in an applicant pool: Based on consent. Applicants are informed that consent is voluntary, does not affect the application process, and can be withdrawn anytime.
- Processed data types: Master data; contact data; content data; applicant data (application documents and related information).
- Data subjects: Applicants.
- Purposes of processing: Application procedures (establishment and possible execution and termination of employment relationship).
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion".
- Legal bases: Application procedures as pre-contractual or contractual relationship (Art. 6 (1) lit. b GDPR).
Whistleblower Privacy Information
This section provides information on how we handle the data of whistleblowers and involved parties in our whistleblower procedure, which is intended to ensure simple and secure reporting of potential misconduct and its appropriate handling.
Processed data types:
In receiving and processing reports, we may collect data provided by whistleblowers, such as:
- Name, contact details, and location of the whistleblower;
- Names and data of witnesses or affected persons;
- Names and data of accused persons;
- Details of alleged misconduct;
- Other relevant information provided.
For investigation purposes, we also process:
- Unique report identifier;
- Contact data of the whistleblower, if provided;
- Personal data of mentioned persons;
- Data of persons indirectly affected;
- Data of persons from other involved entities;
- Other related data.
Special categories: We may process health data, racial or ethnic origin, religious or philosophical beliefs, or sexual orientation, but only if relevant and explicitly provided.
Use of online forms: You may report anonymously. For security, we recommend using your browser’s incognito mode (Ctrl+Shift+N on Windows, Command+Shift+N on Mac, private mode on mobile).
In normal mode, your browser sends technical data (browser type/version, access time, IP) to our server, stored in log files for up to 30 days and then deleted. Processing IP addresses serves technical and administrative website security and functionality. Legal basis: Legitimate interests (Art. 6 (1) lit. f GDPR).
Disclosure of identity: Anonymous reporting is possible, but providing your name and contact details is recommended for effective follow-up. If you provide them, identity is confidential, except when legally required to protect rights or defend against malicious allegations.
Disclosure to third parties: Only with your explicit consent or legal obligation. Possible recipients include authorities, legal advisors, or selected service providers under data processing agreements.
Data retention and deletion: Personal data are processed only as long as necessary. Data no longer needed are deleted unless required by law.
Technical and organizational measures: We have implemented necessary measures to secure data, processed only by authorized personnel trained in confidentiality and handling of whistleblower reports.
- Processed data types: Master data; employee data; contact data; content data; usage data.
- Data subjects: Employees; third parties; whistleblowers.
- Purposes of processing: Whistleblower protection.
- Retention and deletion: Deletion per "General Information on Data Storage and Deletion".
- Legal bases: Consent (Art. 6 (1) lit. a GDPR); legal obligation (Art. 6 (1) lit. c GDPR); legitimate interests (Art. 6 (1) lit. f GDPR).
Changes and Updates
Please review our privacy policy regularly. We will update it when changes to our processing require it. We will notify you if the changes require action on your part (e.g., consent) or an individual notification.
If we list contact addresses, please verify them before use, as they may change over time.
Definitions of Terms
This section explains terms used in the privacy policy. Where terms are legally defined, their legal definitions apply. These explanations primarily serve understanding.
- Employee: A person in an employment relationship, including various phases from establishment to termination. Employee data includes personal identifiers, salary, working hours, health data, and performance evaluations.
- Master data: Essential information for identifying and managing partners, accounts, and profiles, including personal and demographic data.
- Content data: Data generated during creation, editing, and publication of content, including text, images, videos, audio, and related metadata.
- Contact data: Data enabling communication, such as phone numbers, postal addresses, email addresses, and messaging identifiers.
- Conversion measurement: Techniques to evaluate marketing effectiveness by tracking cookies and user interactions to determine successful conversions (e.g., contract sign-ups).
- Performance and behavior data: Information on task performance and behaviors in specific contexts, used for evaluations and development.
- Meta, communication, and procedural data: Data about how data are processed, transmitted, and managed, including metadata, communication logs, and procedural records.
- Usage data: Information on user interactions with digital offerings, including usage frequency, duration, navigation paths, device, and system info.
- Personal data: Any information relating to an identified or identifiable natural person, including identifiers, location data, online identifiers, and special characteristics defining physical, physiological, genetic, mental, economic, cultural, or social identity.
- Profiling: Automated processing of personal data to analyze or predict personal preferences, behaviors, or interests, often using cookies and web beacons.
- Log data: Records of events or activities in a system, including timestamps, IP addresses, user actions, and errors, used for analysis, security, and reporting.
- Reach measurement: Web analytics evaluating visitor flows and content interest, using pseudonymous cookies and web beacons to recognize returning visitors.
- Location data: Data specifying the geographic position of a device, used for maps and location-based services.
- Tracking: Following user behavior across multiple online offerings via cookies or server-based profiling.
- Controller: The entity determining purposes and means of processing personal data.
- Processing: Any operation on personal data, automated or not, including collection, storage, use, transmission, or deletion.
- Contract data: Information documenting contractual agreements, including parties, terms, pricing, and conditions, serving as the legal basis for relationships.
- Payment data: Information required for payment transactions, such as bank details, transaction records, verification numbers, and billing information.
- Target group formation: Determining advertising audiences based on user interests (Custom Audiences) and creating similar audiences (Lookalike Audiences) using cookies and web beacons.