Data protection
Preamble
With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
As of 05 January 2026
Table of contents
- Preamble
- Responsible
- Contact Data protection officer
- Overview of processing
- Relevant legal bases
- Security measures
- Transfer of personal data
- International data transfers
- General information on data storage and deletion
- Rights of data subjects
- Business services
- Business processes and procedures
- Providers and services used in the course of business activities
- Provision of online services and web hosting
- Use of cookies
- Contact and enquiry management
- Artificial intelligence (AI)
- Video conferencing, online meetings, webinars and screen sharing
- Cloud services
- Advertising communication via email, post, fax or telephone
- Surveys and questionnaires
- Presence on social networks
- Plug-ins and embedded functions and content
- Management, organisation and support tools
- Processing of data in the context of employment relationships
- Application procedures
- Data protection information for whistleblowers
- Amendments and updates
- Definition of terms
Responsible
KOHL-Gruppe AG
Wankelstraße 7
50996 Köln
Email address:
Legal notice: https://kohl-gruppe-ag.de/de/impressum
Contact Data Protection Officer
Kompass Datenschutz GmbH
Jan Besold
Email:
Telephone: 02233 / 6290596
Mobile: 01575 / 2623224
Overview of processing
The following overview summarises the types of data processed and the purposes for which they are processed, and refers to the data subjects.
Types of data processed
- Inventory data.
- Employee data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Applicant data.
- Image and/or video recordings.
- Audio recordings.
- Log data.
Categories of data subjects
- Service recipients and clients.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Applicants.
- Business and contractual partners.
- Participants.
- People depicted.
- Third parties.
- Whistleblowers.
- Customers.
Purposes of processing
- Provision of contractual services and fulfilment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Office and organisational procedures.
- Organisational and administrative procedures.
- Application procedures.
- Feedback.
- Surveys and questionnaires.
- Marketing.
- Provision of our online services and user-friendliness.
- Establishment and implementation of employment relationships.
- Information technology infrastructure.
- Whistleblower protection.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and management procedures.
- Artificial intelligence (AI).
Relevant legal bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered office. If more specific legal bases are relevant in individual cases, we will inform you of this in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR) – Insofar as special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise their rights under labour law and social security and social protection law and fulfil their obligations in this regard, their processing is carried out in accordance with Art. 9 (2) lit. b. GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Art. 9(2)(c) GDPR, or for the purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector pursuant to Art. 9(2)(h) GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9(2)(a) GDPR.
- Processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR) - Processing is necessary for the purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector on the basis of Union law or the law of a Member State or on the basis of a contract with a health professional.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transfer, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.
National data protection regulations in Poland: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Poland. These include, in particular, the "Data Protection Act" (Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych).
Reference to the applicability of the GDPR and the Swiss DSG: This privacy policy serves to provide information in accordance with both the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, please note that the terms used in the GDPR are used due to their broader geographical application and comprehensibility. In particular, instead of the terms "processing" of "personal data", "overriding interest" and "sensitive personal data" used in the Swiss FADP, the terms "processing" of "personal data", "legitimate interest" and "special categories of data" used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DSG within the scope of its applicability.
Security measures
In accordance with legal requirements, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, availability and separation relating to it. Furthermore, we have established procedures to ensure that the rights of data subjects are exercised, data is deleted and responses are made to data threats. Furthermore, we take the protection of personal data into account during the development and selection of hardware, software and procedures in accordance with the principle of data protection, through technical design and data protection-friendly default settings.
Truncation of the IP address: If IP addresses are processed by us or by the service providers and technologies we use and the processing of a complete IP address is not necessary, the IP address is truncated (also known as "IP masking"). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The truncation of the IP address is intended to prevent or significantly impede the identification of a person based on their IP address.
Securing online connections with TLS/SSL encryption technology (HTTPS): We use TLS/SSL encryption technology to protect user data transmitted via our online services from unauthorised access. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.
Transfer of personal data
In the course of our processing of personal data, it may happen that this data is transferred to or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
Data transfer within the organisation: We may transfer personal data to other departments or units within our organisation or grant them access to it. If the data is transferred for administrative purposes, this is based on our legitimate business and economic interests or is necessary to fulfil our contractual obligations or if the consent of the data subjects or legal permission has been obtained.
International data transfers
Data processing in third countries: If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing or transferring data to other persons, agencies or companies (which can be identified by the postal address of the respective provider or if the data protection declaration expressly refers to the transfer of data to third countries), this is always done in accordance with the legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the EU Commission on 10 July 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and stipulate contractual obligations for the protection of your data.
This dual safeguard ensures comprehensive protection for your data: the DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should changes arise within the framework of the DPF, the standard contractual clauses serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.
We will inform you whether individual service providers are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).
Appropriate security measures apply to data transfers to other third countries, in particular standard contractual clauses, explicit consent or transfers required by law. Information on third country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
General information on data storage and deletion
We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.
Our data protection information contains additional information on the storage and deletion of data that applies specifically to certain processing operations.
If there are several specifications regarding the retention period or deletion deadlines for a piece of data, the longest period shall always apply. We process data that is no longer required for its original purpose but is retained due to legal requirements or other reasons exclusively for the reasons that justify its retention.
Storage and deletion of data: The following general periods apply to storage and archiving under German law:
- 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the work instructions and other organisational documents necessary for their understanding (Section 147 (1) No. 1 in conjunction with (3) AO, Section 14b (1) UStG, Section 257 (1) No. 1 in conjunction with (4) HGB).
- 8 years - Accounting documents, such as invoices and expense receipts (Section 147 (1) No. 4 and 4a in conjunction with (3) sentence 1 AO and Section 257 (1) No. 4 in conjunction with (4) HGB).
- 6 years – Other business documents: commercial or business letters received, copies of commercial or business letters sent, other documents relevant to taxation, e.g. hourly wage slips, operating accounting sheets, calculation documents, price labels, but also payroll accounting documents, insofar as they are not already accounting documents, and cash register receipts (Section 147 (1) No. 2, 3, 5 in conjunction with para. 3 AO, Section 257 (1) No. 2 and 3 in conjunction with para. 4 HGB).
- 3 years - Data that is necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and customary industry practices, is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).
Rights of data subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right to information: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with the legal requirements.
- Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased immediately or, alternatively, in accordance with legal requirements, to request a restriction on the processing of the data.
- Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with legal requirements, or to request that it be transferred to another controller.
- Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR.
Business services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners"), within the framework of contractual and comparable legal relationships and related measures and with regard to communication with contractual partners (or pre-contractually), for example to respond to enquiries.
We use this data to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purposes of administrative tasks associated with these obligations and for company organisation. We also process the data on the basis of our legitimate interests in both proper and economic business management and in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. 's involvement in telecommunications, transport and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfil legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, within the framework of this privacy policy.
We inform contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special markings (e.g. colours) or symbols (e.g. asterisks or similar), or in person.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for archiving for legal reasons (e.g. for tax purposes, usually ten years). We delete data disclosed to us by the contractual partner within the scope of an order in accordance with the specifications and, as a rule, after the end of the order.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and email addresses or telephone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
- Data subjects: Service recipients and clients; interested parties. Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; organisational and administrative procedures. Business processes and business management procedures.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
- Technical services: We process the data of our customers and clients (hereinafter referred to collectively as "customers") in order to enable them to select, purchase or commission the selected services or works and related activities, as well as to pay for and make available or execute or provide them.
The required information is marked as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for service provision and billing, as well as contact information for the purpose of any necessary consultations. Insofar as we obtain access to information from end customers, employees or other persons, we process this information in accordance with the statutory and contractual requirements; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6 (1) (b) GDPR).
Business processes and procedures
Personal data of service recipients and clients – including customers, clients or, in special cases, patients or business partners and other third parties – are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting and project management.
The data collected is used to fulfil contractual obligations and to make operational processes efficient. This includes the processing of business transactions, the management of customer relationships, the optimisation of sales strategies and the safeguarding of internal invoicing and financial processes. In addition, the data supports the protection of the rights of the controller and facilitates administrative tasks and the organisation of the company.
Personal data may be passed on to third parties if this is necessary to fulfil the aforementioned purposes or legal obligations. The data is deleted after the expiry of the statutory retention periods or when the purpose of the processing no longer applies. This also includes data that must be stored for longer periods due to tax and legal documentation requirements.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Log data (e.g. log files relating to logins or the retrieval of data or access times). Employee data (information about employees and other persons in an employment relationship).
- Data subjects: Service recipients and clients; interested parties; communication partners; business and contractual partners; customers; third parties. Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and business management procedures; communication; marketing; sales promotion; public relations; financial and payment management; security measures. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Legal obligation (Art. 6(1)(c) GDPR).
Further information on processing procedures, processes and services:
- Customer management and customer relationship management (CRM): Procedures required in the context of customer management and customer relationship management (CRM) (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service with consideration for data protection, data management and analysis to support customer relations, administration of CRM systems, secure account management, customer segmentation and target group formation); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Contact management and maintenance: Procedures necessary for the organisation, maintenance and securing of contact information (e.g. setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, training employees in the effective use of contact management software, regularly reviewing communication history and adjusting contact strategies); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Customer loyalty programme/customer card: As part of the customer loyalty programme, the controller processes the data of participating customers for the purpose of providing the services offered under this programme. For this purpose, the controller stores the information provided by customers in a customer profile, insofar as this is necessary and marked as such. This profile also processes information about the use of the customer loyalty programme and the use of the associated services and benefits. This information is only passed on to third parties (e.g. service providers) if it is necessary for the purposes mentioned. Customer profiles are deleted after participation in the programme has ended. The respective data is only archived to the extent that this may be necessary for statutory retention purposes or for the fulfilment of statutory (up to eleven years for tax information from the end of the year in which it was created) or contractual claims (up to three years from the end of the year of termination). This is recorded in the directory of processing activities; Legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
- General payment transactions: Procedures necessary for the execution of payment transactions, the monitoring of bank accounts and the control of payment flows (e.g. creation and verification of transfers, processing of direct debits, checking of account statements, monitoring of incoming and outgoing payments, return debit management, account reconciliation, cash management); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Accounting, accounts payable, accounts receivable: Procedures necessary for recording, processing and checking business transactions in the area of accounts payable and accounts receivable (e.g. creation and verification of incoming and outgoing invoices, monitoring and management of open items, execution of payment transactions, processing of reminders, account reconciliation in the context of receivables and payables, accounts payable and accounts receivable); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Financial accounting and taxes: Procedures required for recording, managing and controlling finance-related business transactions and for calculating, reporting and paying taxes (e.g. account assignment and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, processing of dunning procedures, account reconciliation, tax advice, preparation and submission of tax returns, processing of tax matters); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Purchasing: Procedures required for the procurement of goods, raw materials or services (e.g. supplier selection and evaluation, price negotiations, order placement and monitoring, delivery verification and control, invoice verification, order management, warehouse management, creation and maintenance of purchasing guidelines); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Sales: Procedures necessary for the planning, implementation and control of measures for the marketing and sale of products or services (e.g. customer acquisition, quotation preparation and follow-up, order processing, customer advice and support, sales promotion, product training, sales controlling and analysis, management of sales channels); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- Marketing, advertising and sales promotion: Procedures necessary in the context of marketing, advertising and sales promotion (e.g. market analysis and target group identification, development of marketing strategies, planning and implementation of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programmes, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control); Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
- Economic analyses and market research: The available data on business transactions, contracts, enquiries, etc. is analysed for business purposes and to identify market trends and the wishes of contractual partners and users. The group of data subjects may include contractual partners, interested parties, customers, visitors and users of the controller's online offering. The analyses are carried out for the purposes of business evaluation, marketing and market research (e.g. to determine customer groups with different characteristics). Where available, profiles of registered users, including their details on the services used, are taken into account. The analyses are used exclusively by the controller and are not disclosed externally, unless they are anonymous analyses with summarised, i.e. anonymised, values. In addition, the privacy of users is taken into account; for analysis purposes, the data is pseudonymised as far as possible and, where feasible, processed anonymously (e.g. as aggregated data); Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
- Public relations: Procedures required in the context of public relations and communications (e.g. development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organisation of press conferences and public events, crisis communication, creation of content for social media and company websites, management of corporate branding); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Guest Wi-Fi: Procedures necessary for the setup, operation, maintenance and monitoring of a wireless network for guests (e.g. installation and configuration of Wi-Fi access points, creation and management of guest access, monitoring of network connection, ensuring network security, troubleshooting connection problems, updating network software, compliance with data protection regulations); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Providers and services used in the course of business
In the course of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (hereinafter referred to as "services") in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economical management of our business operations and our internal organisation.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation). Contract data (e.g. subject matter of the contract, term, customer category).
- Data subjects: Service recipients and clients; interested parties; business and contractual partners. Employees (e.g. employees, applicants, temporary staff and other staff).
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures. Business processes and business management procedures.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
- DATEV: Software for accounting, communication with tax advisors and authorities, and document storage; Service provider: DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nuremberg, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.datev.de/web/de/mydatev/datev-cloud-anwendungen/ Privacy policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/ Data processing agreement: Provided by the service provider.
Provision of the online offer and web hosting
We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
- Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved). Log data (e.g. log files relating to logins or the retrieval of data or access times).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures. Provision of contractual services and fulfilment of contractual obligations.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
- Provision of online services on rented storage space: To provide our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also known as a "web host"); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the websites and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to prevent server overload (especially in the case of malicious attacks, known as DDoS attacks), and to ensure server utilisation and stability. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
- 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.ionos.de Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/vereinbarung-zur-auftragsverarbeitung-avv-mit-ionos-abschliessen/
Use of cookies
The term "cookies" refers to functions that store and read information on users' end devices. Cookies can also be used for various purposes, such as to ensure the functionality, security and convenience of online services and to analyse visitor traffic. We use cookies in accordance with legal requirements. To this end, we obtain the consent of users in advance where necessary. If consent is not necessary, we rely on our legitimate interests. This applies if the storage and retrieval of information is essential in order to provide expressly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of cookies and which cookies are used.
Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.
Storage period: With regard to the storage period, a distinction is made between the following types of cookies:
- Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g. browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the log-in status can be stored and preferred content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. when obtaining consent), they should assume that these are permanent and that the storage period can be up to two years.
General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to the processing in accordance with the legal requirements, including by means of their browser's privacy settings.
- Types of data processed: Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Contact and enquiry management
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
- Data subjects: Communication partners.
- Purposes of processing: Communication; organisational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Further information on processing procedures, processes and services:
- Contact form: When you contact us via our contact form, by email or other means of communication, we process the personal data you provide in order to respond to and process your enquiry. This usually includes information such as your name, contact details and, where applicable, other information that you provide and that is necessary for us to process your enquiry appropriately. We use this data exclusively for the stated purpose of contacting and communicating with you; Legal bases: fulfilment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Artificial intelligence (AI)
We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our interest in the use of AI are listed below. In accordance with the term "AI system" as defined in Article 3(1) of the AI Regulation, we understand AI to mean a machine-based system that is designed for varying degrees of autonomous operation, can be adaptable after its introduction, and produces results such as predictions, content, recommendations or decisions from the inputs received that can influence physical or virtual environments.
Our AI systems are used in strict compliance with legal requirements. These include both specific regulations for artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human control, purpose limitation, data minimisation, integrity and confidentiality. We ensure that the processing of personal data is always carried out on a legal basis. This can be either the consent of the persons concerned or a legal permission.
When using external AI systems, we carefully select their providers (hereinafter referred to as "AI providers"). In accordance with our legal obligations, we ensure that AI providers comply with the applicable regulations. We also observe our obligations when using or operating the AI services we purchase. The processing of personal data by us and the AI providers is carried out exclusively on the basis of consent or legal authorisation. In doing so, we attach particular importance to transparency, fairness and maintaining human control over AI-supported decision-making processes.
We implement appropriate and robust technical and organisational measures to protect the data processed. These ensure the integrity and confidentiality of the data processed and minimise potential risks. We ensure ongoing compliance with current legal and ethical standards by regularly reviewing AI providers and their services.
- Types of data processed: Content data (e.g. textual or image-based messages and posts, as well as information relating to them, such as details of authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Users (e.g. website visitors, users of online services). Third parties.
- Purposes of processing: Artificial intelligence (AI); office and organisational procedures; provision of our online offering and user-friendliness. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
- DeepL: Translation of texts into different languages and provision of synonyms and context examples. Support in correcting and improving texts in different languages; Service provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.deepl.com Privacy policy: https://www.deepl.com/de/privacy Data processing agreement: Provided by the service provider.
- Google Gemini: AI-powered system designed to provide advanced language and image processing capabilities. It uses machine learning to understand and generate natural language and analyse images, offering versatile applications in various fields; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/ Privacy policy: https://policies.google.com/privacy Data processing agreement: https://business.safety.google/processorterms/?hl=de Basis for third country transfers: Data Privacy Framework (DPF), standard contractual clauses https://business.safety.google/processorterms/?hl=de
- Microsoft Copilot: Support for creating and editing texts, spreadsheets and presentations, analysing data, automating tasks and integrating with Office applications. Content data (files, conversations, metadata) and employee credentials (Org ID/Entra ID) are processed for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility and integration with M365. Chat histories are stored for up to 30 days, content until deleted by the user. In addition, diagnostic data is collected for product stability and improvement; Service providers: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-copilot/organizations Privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA Basis for third country transfers: Data Privacy Framework (DPF), standard contractual clauses https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- OpenAI API: An API (application programming interface) for artificial intelligence that gives developers access to language and image models such as GPT and DALL·E. It enables the integration of functions such as automatic text generation, natural language processing (NLP), translation, code creation, image generation and image analysis into your own applications. Standardised interfaces allow complex AI functions to be integrated and processes to be automated; Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://openai.com/ Privacy policy: https://openai.com/de/policies/eu-privacy-policy Data processing agreement: https://openai.com/policies/data-processing-addendum Basis for third country transfers: Standard contractual clauses https://openai.com/policies/data-processing-addendum Opt-out option: https://privacy.openai.com/policies?modal=select-subject
- Claude API: Interface access (known as "API") to AI-based services designed to understand and generate natural language and related inputs, analyse information and make predictions ("AI", i.e. "artificial intelligence", is to be understood in the applicable legal sense of the term). The provision of AI services includes the processing (including collection, storage, organisation and structuring) of personal data as part of a natural language-based machine learning process; the performance of activities to verify or maintain the quality of the services; the identification and correction of errors that impair the existing intended functionality, and support to ensure the security and integrity of the AI services; Service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.anthropic.com; Privacy policy: https://www.anthropic.com/legal/privacy Data processing agreement: https://www.anthropic.com/legal/data-processing-addendum Basis for third country transfers: Standard contractual clauses https://www.anthropic.com/legal/data-processing-addendum
Video conferences, online meetings, webinars and screen sharing
We use platforms and applications from other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conferences"). We comply with legal requirements when selecting conference platforms and their services.
Data processed by conference platforms: When participants take part in a conference, the conference platforms process the personal data of the participants as specified below. The scope of processing depends, on the one hand, on what data is required for a specific conference (e.g. access data or real names) and, on the other hand, on what optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, the conference platforms may also process participant data for security purposes or service optimisation. The data processed includes personal data (first name, surname), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the participants' end devices, their operating system, the browser and its technical and language settings, information on the content of communication processes, i.e. inputs in chats and audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users on the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.
Logging and recordings: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, participants will be informed of this in advance in a transparent manner and, where necessary, asked for their consent.
Data protection measures taken by participants: For details on how your data is processed by the conference platforms, please refer to their privacy policies and select the security and privacy settings that are best for you in the conference platform settings. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing housemates, locking doors and, where technically possible, using the function to blur the background). Links to the conference rooms and access data must not be passed on to unauthorised third parties.
Information on legal bases: If, in addition to the conference platforms, we also process user data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfil our contractual obligations (e.g. in participant lists, in the case of processing meeting results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Image and/or video recordings (e.g. photographs or video recordings of a person); Audio recordings. Log data (e.g. log files relating to logins or the retrieval of data or access times).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services). Persons depicted.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication. Office and organisational procedures.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
- Microsoft Teams: Use for conducting online events, conferences and communication with internal and external participants. Voice transmission, direct messaging, group communication and collaboration functions are used; Name, business contact details, work profile, participation and content (audio/video, voice, chat, files, voice transcription) are processed for the purposes and in the interests of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, IT security, use of a central platform and Microsoft business processing. Audio signals are not stored unless recording is enabled. Meeting and conference recordings are stored for 90 days by default, unless a different duration is specified. Chat and file content is stored according to the policies set by the administrator or user; automatic deletion is not enabled by default. Channels must be renewed every 180 days, otherwise content will be deleted. In addition, system-generated log, diagnostic and metadata are processed, and diagnostic data on product stability, security and improvement is collected; Service providers: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/ Privacy policy: https://privacy.microsoft.com/de-de/privacystatement Security information: https://www.microsoft.com/de-de/trustcenter Basis for third country transfers: Data Privacy Framework (DPF), https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Cloud services
We use software services accessible via the Internet and executed on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).
In this context, personal data may be processed and stored on the providers' servers if it is part of communication processes with us or is otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes and their contents. The providers of cloud services also process usage data and metadata, which they use for security purposes and to optimise their services.
If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Prospective customers; communication partners. Business and contractual partners.
- Purposes of processing: Office and organisational procedures. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
- Microsoft 365 and Microsoft Cloud Services: Provision of applications, protection of data and IT systems, and use of system-generated log, diagnostic and metadata for contract performance by Microsoft. Contact data (name, email address), content data (files, comments, profiles), software setup and inventory data, device connectivity and configuration data, work interactions (badge swipe), and log and metadata are processed. Processing is carried out for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, integration of Microsoft services, IT security and business processing by Microsoft. Data retention is based on the respective documents and company guidelines, up to 12 months for Defender (protection of data and IT systems) and 10 days for print management. In addition, diagnostic data is collected for product stability and improvement; Service providers: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://microsoft.com/de-de Privacy policy: https://privacy.microsoft.com/de-de/privacystatement Security information: https://www.microsoft.com/de-de/trustcente Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA Basis for third country transfers: Data Privacy Framework (DPF), standard contractual clauses https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Microsoft EU Data Boundary: Our use of Microsoft cloud services is within the scope of the so-called "EU Data Boundary" (also referred to as the "EU data border"), which ensures that data is stored and processed within the European Union (EU) and the European Free Trade Association (EFTA).
The EU Data Boundary is a defined region in which Microsoft commits to storing and processing customer data and personal data for certain online services (Microsoft 365, Azure, Dynamics 365 and the Power Platform). Companies using these services can ensure that their data remains within the EU/EFTA region. This includes both general customer data and support data generated in the course of technical services. In many cases, pseudonymised data is also processed within this region.
The EU Data Boundary covers all EU countries as well as the EFTA countries (Liechtenstein, Iceland, Norway and Switzerland). Microsoft operates data centres in several of these countries, including Germany, France, Ireland, the Netherlands, Sweden, Spain and Switzerland. Additional locations may be added.
Microsoft automatically creates logs as part of its operations to ensure the security and functionality of its services. These logs mainly contain technical information, but in certain cases may also include personal data, e.g. when user actions are documented.
To protect this data, Microsoft uses techniques such as encryption, masking and tokenisation (replacing sensitive data with untraceable character strings). This ensures that Microsoft employees only see pseudonymised data and cannot draw any direct conclusions about individual users. There are also strict access rules and deletion periods for this data.
Microsoft has given assurances that data transfers outside the EU will only take place in a few, precisely defined cases. This may be necessary, for example, to implement global cybersecurity measures or to ensure the functionality of cloud services. These transfers always take place under high security standards such as encryption and pseudonymisation.
For more information on the EU Data Boundary and Microsoft's data protection measures, visit the Microsoft EU Data Boundary Trust Centre: https://www.microsoft.com/de-de/trust-center/privacy/european-data-boundary-eudb
Advertising communications via email, post, fax or telephone
We process personal data for the purposes of advertising communication, which may take place via various channels, such as email, telephone, post or fax, in accordance with legal requirements.
Recipients have the right to revoke their consent at any time or to object to promotional communications at any time free of charge using the above contact details.
After revocation or objection, we store the data necessary to prove previous authorisation for contact or sending up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defence against claims. On the basis of the legitimate interest in permanently observing the revocation or objection of users, we also store the data necessary to avoid renewed contact (e.g. depending on the communication channel, the email address, telephone number, name).
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers). Content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation).
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (e.g. by email or post); marketing. Sales promotion.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Surveys and questionnaires
We conduct surveys and questionnaires to collect information for the purpose communicated in each survey or questionnaire. The surveys and questionnaires we conduct (hereinafter "questionnaires") are evaluated anonymously. Personal data is only processed to the extent necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address to display the survey in the user's browser or to enable the survey to be resumed with the aid of a cookie).
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
- Data subjects: Participants. Users (e.g. website visitors, users of online services).
- Purposes of processing: Feedback (e.g. collecting feedback via online form). Surveys and questionnaires (e.g. surveys with input options, multiple-choice questions).
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
- Microsoft Forms: Creation of online forms, collection of responses in real time, analysis of results with integrated charts. Integration with other Office applications for further data processing. Customisable forms with various question types and response options, as well as data export; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://forms.office.com/; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Basis for third country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
Presence on social networks (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for users, as it could, for example, make it more difficult to enforce user rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of users. The latter may in turn be used to place advertisements within and outside the networks that are presumed to correspond to the interests of the users. For this reason, cookies are usually stored on users' computers, in which their usage behaviour and interests are stored. In addition, data can also be stored in the usage profiles independently of the devices used by the users (especially if they are members of the respective platforms and are logged in there).
For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be most effectively asserted with the providers. Only the latter have access to the user data and can take appropriate measures and provide information directly. However, if you still require assistance, please contact us.
- Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Communication; feedback (e.g. collecting feedback via online form). Public relations.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further information on processing procedures, processes and services:
- Instagram: Social network that allows users to share photos and videos, comment on and like posts, send messages, and subscribe to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy; Basis for third country transfers: Data Privacy Framework (DPF).
- Facebook pages: Profiles within the Facebook social network - The controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page ("fan page"). This includes, in particular, information about user behaviour (e.g. content viewed or interacted with, actions performed) and device information (e.g. IP address, operating system, browser type, language settings, cookie data). Further details can be found in the Facebook Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the "Page Insights" service, which provide information about how people interact with our page and its content. This is based on an agreement with Facebook ("Information about Page Insights": https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, security measures and the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users can therefore send requests for information or deletion directly to Facebook. The rights of users (in particular information, deletion, objection, complaint to a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including possible transfer to Meta Platforms Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF), https://www.facebook.com/legal/EU_data_transfer_addendum.
- Facebook groups: We use the "Groups" feature of the Facebook platform to create interest groups within which Facebook users can contact each other or us and exchange information. In doing so, we process the personal data of the users of our groups to the extent necessary for the purpose of group use and moderation. Our guidelines within the groups may contain further specifications and information on the use of the respective group. This data includes first and last names, published or privately communicated content, as well as values relating to group membership status or group-related activities, such as joining or leaving the group, and the time stamps for the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Insights", to group operators so that they can gain insights into how people interact with their groups and the content associated with them; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
- Facebook events: Event profiles within the Facebook social network – We use the "Events" function of the Facebook platform to draw attention to events and dates, to get in touch with users (participants and interested parties) and to exchange information. In doing so, we process the personal data of users of our event pages to the extent necessary for the purpose of the event page and its moderation. This data includes first and last names, published or privately communicated content, participation status, and the time of the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content that users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Insights", to event organisers so that they can gain insights into how people interact with their event pages and related content; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
- LinkedIn: Social network – Together with LinkedIn Ireland Unlimited Company, we are responsible for collecting (but not further processing) data from visitors, which is used to create "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content that users view or interact with, as well as the actions they take. Details about the devices used are also collected, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job title, country, industry, hierarchy level, company size and employment status. Information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of data subjects (i.e. users can, for example, submit requests for information or deletion directly to LinkedIn). The rights of users (in particular the right to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third country transfers: Data Privacy Framework (DPF), https://legal.linkedin.com/dpa. Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- TikTok: Social network that allows users to share photos and videos, comment on and favourite posts, send messages and subscribe to accounts; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data processing agreement: provided by the service provider.
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/personalizationoff.
Plug-ins and embedded functions and content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").
The integration always requires that the third-party providers of this content process the IP address of the users, as they would not be able to send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or these functions. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time and other information about the use of our online offering, but may also be linked to such information from other sources.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
- Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
- Clean Talk: CAPTCHA service used to verify whether the data entered within our online offering (e.g. on a login page or contact form) was entered by a human or an automated programme. For this purpose, the service analyses the behaviour of users of our online offering based on various characteristics. This analysis begins automatically as soon as a user uses our online offering. Various information is evaluated for the analysis (IP address, length of time the visitor stays on the website or app, or mouse movements of the user, as well as technical information about the user's device and browser); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Data processing agreement: https://download.cleantalk.org/Signed_CleanTalk_GDPR_Agreement.pdf; Basis for third country transfers: Data Privacy Framework (DPF); Service provider: CleanTalk Inc, 711 S Carson Street, Suite 4, Carson City, NV 89701, USA; Website: https://cleantalk.org. Privacy policy: https://cleantalk.org/publicoffer#privacy.
Management, organisation and support tools
We use services, platforms and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organisation, administration, planning and provision of our services. We comply with legal requirements when selecting third-party providers and their services.
In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes and their contents.
If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection information of the respective third-party providers.
- Types of data processed: Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
- Data subjects: Communication partners. Users (e.g. website visitors, users of online services).
- Purpose of processing: Provision of contractual services and fulfilment of contractual obligations. Office and organisational procedures.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Processing of data in the context of employment relationships
In the context of employment relationships, personal data is processed with the aim of effectively establishing, implementing and terminating such relationships. This data processing supports various operational and administrative functions that are necessary for the management of employee relationships.
Data processing covers various aspects, ranging from the initiation of contracts to their termination. This includes the organisation and administration of daily working hours, the management of access rights and authorisations, and the handling of personnel development measures and employee appraisals. Processing also serves the purpose of accounting and administering wage and salary payments, which are critical aspects of contract performance.
In addition, data processing takes into account the legitimate interests of the responsible employer, such as ensuring safety in the workplace or collecting performance data for the evaluation and optimisation of operational processes. Furthermore, data processing includes the disclosure of employee data in the context of external communication and publication processes, where this is necessary for operational or legal purposes.
This data is always processed in compliance with the applicable legal framework, with the aim of creating and maintaining a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, anonymising or deleting data after the processing purpose has been fulfilled or in accordance with statutory retention periods.
- Types of data processed: Employee data (information about employees and other persons in an employment relationship).
- Data subjects: Employees (e.g. employees, applicants, temporary staff and other employees).
- Purposes of processing: Establishment and implementation of employment relationships (processing of employee data in the context of establishing and implementing employment relationships). Business processes and business management procedures.
- Legal bases: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR). Processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR).
Application process
The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required is specified in the job description or, in the case of online forms, in the information provided there.
As a rule, the required information includes personal details such as name, address, contact details and evidence of the qualifications necessary for a position. Upon request, we will be happy to provide additional information on what details are required.
If available, applicants are welcome to submit their applications via our online form, which is encrypted using the latest technology. Alternatively, it is also possible to send applications to us by email. However, we would like to point out that emails are generally not sent encrypted over the internet: although they are usually encrypted during transmission, they are not encrypted on the servers from which they are sent and received. We therefore cannot accept any responsibility for the security of your application during transmission between the sender and our server.
For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.
Applicants are welcome to contact us regarding the method of submitting their application or to send us their application by post.
Processing of special categories of data: If special categories of personal data (Art. 9 (1) GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants or provided by them, these will be processed so that the controller or the data subject can exercise their rights under labour law and social security and social protection law and fulfil their obligations in this regard, in the case of the protection of vital interests of applicants or other persons or for the purposes of preventive healthcare or occupational medicine, for the assessment of the employee's working capacity, for medical diagnosis, for the provision of care or treatment in the health or social sector or for the management of health or social care systems and services.
Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job vacancy is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicant, the deletion will take place at the latest after a period of six months so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any travel expense reimbursements will be archived in accordance with tax regulations.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time in the future.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation). Applicant data (e.g. personal details, postal and contact addresses, documents relating to the application and the information contained therein, such as cover letters, CVs, references and other information relating to a specific position or voluntarily provided by applicants about themselves or their qualifications).
- Data subjects: Applicants.
- Purposes of processing: Application process (establishment and possible subsequent implementation and possible subsequent termination of the employment relationship).
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR).
Further information on processing procedures, processes and services:
- HRlab: Personnel administration, talent management, applicant management, employee development, seminar administration, time management, holiday management and accounting; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Data processing agreement: Provided by the service provider; Service provider: HRlab GmbH, Reinhardtstraße 58, D-10117 Berlin; Website: https://www.hrlab.de/. Privacy policy: https://www.hrlab.de/datenschutzerklaerung.
Data protection information for whistleblowers
This section provides information on how we handle data from individuals who submit reports (whistleblowers) and from affected and involved parties as part of our whistleblower procedure. Our goal is to provide a straightforward and secure way to report possible misconduct by us, our employees or service providers, especially for actions that violate laws or ethical guidelines. We also ensure that reports are processed and handled appropriately.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); employee data (information about employees and other persons in an employment relationship); contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Employees (e.g. employees, applicants, temporary staff and other staff); third parties. Whistleblowers.
- Purposes of processing: Whistleblower protection.
- Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
- Legal basis: Consent (Art. 6(1)(a) GDPR); legal obligation (Art. 6(1)(c) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Changes and updates
We ask you to regularly review the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require action on your part (e.g. consent) or other individual notification.
If we provide addresses and contact information for companies and organisations in this privacy policy, please note that the addresses may change over time and please check the information before contacting them.
Definition of terms
This section provides an overview of the terms used in this privacy policy. Where the terms are defined by law, their legal definitions apply. The following explanations are primarily intended to aid understanding.
- Employees: Employees are persons who are in an employment relationship, whether as staff, salaried employees or in similar positions. An employment relationship is a legal relationship between an employer and an employee that is established by an employment contract or agreement. It includes the employer's obligation to pay the employee remuneration while the employee performs his or her work. Employment relationships comprise various phases, including the establishment phase, in which the employment contract is concluded, the implementation phase, in which the employee performs their work, and the termination phase, when the employment relationship ends, whether through dismissal, a termination agreement or otherwise. Employee data is all information relating to these individuals and in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, holiday entitlements, health data and performance appraisals.
- Inventory data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, facilities or systems by enabling unique assignment and communication.
- Content data: Content data includes information generated in the course of creating, editing and publishing content of all kinds. This category of data can include text, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates.
- Contact data: Contact data is essential information that enables communication with individuals or organisations. It includes telephone numbers, postal addresses and email addresses, as well as communication tools such as social media handles and instant messaging identifiers.
- Artificial intelligence (AI): The purpose of processing data using artificial intelligence (AI) includes the automated analysis and processing of user data to identify patterns, make predictions and improve the efficiency and quality of our services. This includes the collection, cleansing and structuring of data, the training and application of AI models, and the continuous review and optimisation of results, and is carried out exclusively with the consent of users or on the basis of legal permissions.
- Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about the way in which data is processed, transmitted and managed. Meta data, also known as data about data, includes information that describes the context, origin and structure of other data. It may include details such as file size, creation date, document author and change history. Communication data captures the exchange of information between users via various channels, such as email correspondence, call logs, social media messages and chat histories, including the individuals involved, timestamps and transmission routes. Procedural data describes the processes and procedures within systems or organisations, including workflow documentation, transaction and activity logs, and audit logs used to track and verify operations.
- Usage data: Usage data refers to information that captures how users interact with digital products, services or platforms. This data includes a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages and which paths they navigate through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analysing user behaviour, optimising user experiences, personalising content, and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
- Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
- Log data: Log data is information about events or activities that have been logged in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data is often used to analyse system problems, monitor security or generate performance reports.
- Controller: The "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, whether it is collection, evaluation, storage, transmission or deletion.
- Contract data: Contract data is specific information relating to the formalisation of an agreement between two or more parties. It documents the terms and conditions under which services or products are provided, exchanged or sold. This category of data is essential for the management and fulfilment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of services or products agreed upon, price agreements, payment terms, termination rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
- Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction dates, verification numbers, and billing information. Payment data may also include information about payment status, chargebacks, authorisations and fees.