The controller within the meaning of the General Data Protection Regulation (“GDPR”) is:
Paul Böcher
Im Burggarten 1
36287 Breitenbach am Herzberg
Germany
Email: info@oceanic-energy.com
oilrig-jobs.com
The controller is the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).
The above information is also provided in order to fulfill the information obligations pursuant to Art. 13(1)(a) GDPR (name and contact details of the controller).
If a data protection officer is required to be appointed for this website / company or has been voluntarily appointed, their contact details will be provided here or at an appropriate place in this Privacy Policy (Art. 13(1)(b) GDPR). Otherwise, no such appointment has been made.
This Privacy Policy is designed to be precise, transparent, intelligible, and easily accessible, and is provided in clear and plain language (Art. 12 GDPR; Recital 58 GDPR).
Personal data is processed in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), each in its applicable version. In particular, the principles relating to processing of personal data under Art. 5 GDPR apply, according to which personal data must be processed lawfully, fairly, and in a transparent manner (Art. 5(1)(a) GDPR), collected for specified, explicit, and legitimate purposes (Art. 5(1)(b) GDPR), adequate, relevant, and limited to what is necessary for the purposes (Art. 5(1)(c) GDPR), accurate and, where necessary, kept up to date (Art. 5(1)(d) GDPR), stored only as long as necessary for the purposes (Art. 5(1)(e) GDPR), and protected against unauthorized or unlawful processing and against accidental loss by appropriate technical and organizational measures (Art. 5(1)(f) GDPR).
For the purposes of this Privacy Policy, personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics. According to Art. 4 No. 2 GDPR, the processing of personal data includes any operation or set of operations performed on personal data, whether or not by automated means, in particular collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Personal data is processed when you access this website, contact the controller, purchase digital products, subscribe to a newsletter, or otherwise interact with the services offered. In particular, identification and contact data, communication content, contract and billing data, usage data, and technical connection data may be processed where necessary in the individual case.
Personal data is processed only if there is a legal basis within the meaning of Art. 6(1) GDPR. Where the data subject has given consent, processing is based on Art. 6(1)(a) GDPR. If processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, processing is based on Art. 6(1)(b) GDPR. Where processing is necessary for compliance with a legal obligation to which the controller is subject, it is based on Art. 6(1)(c) GDPR. Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, processing is based on Art. 6(1)(f) GDPR; in this context, in particular the standards for balancing interests set out in Recital 47 GDPR must be observed.
The information obligations towards data subjects arise from Arts. 13 and 14 GDPR. This Privacy Policy serves to fulfill these statutory transparency requirements. In accordance with Art. 12(1) GDPR, it is drafted in a precise, transparent, intelligible, and easily accessible form and uses clear and plain language without reducing the legally required content.
Pursuant to Art. 24(1) GDPR, the controller implements appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing of personal data is performed in accordance with the GDPR. In doing so, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, are taken into account. Where necessary, these measures are implemented in accordance with Art. 25 GDPR, taking into account the principles of “data protection by design” and “data protection by default.”
This website is provided through an external hosting service provider. Personal data processed in connection with the use of this website is processed on the servers of the hosting provider. This may include, in particular, IP addresses, metadata and communication data, contract data, contact data, content data, and other data generated via a website.
The use of a hosting service provider constitutes processing of personal data on behalf of the controller, provided that the service provider does not process personal data for its own purposes but exclusively on the instructions of the controller. The decisive provision in this regard is Art. 4 No. 8 GDPR, according to which a “processor” is a natural or legal person which processes personal data on behalf of the controller. The legal requirements for such processing are set out in Art. 28 GDPR. According to this provision, a controller may only use processors that provide sufficient guarantees that appropriate technical and organizational measures are implemented in such a manner that processing meets the requirements of the GDPR and ensures the protection of the rights of the data subjects.
A data processing agreement pursuant to Art. 28(3) GDPR has been concluded with the hosting provider. This agreement governs, in particular, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. In particular, the processor is obliged to process personal data only on documented instructions (Art. 28(3)(a) GDPR), to implement appropriate technical and organizational measures in accordance with Art. 32 GDPR (Art. 28(3)(c) GDPR), and to ensure confidentiality (Art. 28(3)(b) GDPR).
The processing of personal data arising in the context of hosting is carried out for the purpose of technically providing the website and ensuring the stability and security of the information technology systems. Ensuring network and information security constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. Recital 49 GDPR clarifies that the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security may constitute a legitimate interest, in particular to prevent unauthorized access and to defend against attacks on electronic communications networks and systems.
Where the processing of personal data in the context of hosting is necessary for the performance of pre-contractual measures or for the performance of a contract with the data subject, it is additionally based on Art. 6(1)(b) GDPR.
Data is stored only for the period necessary to achieve the respective purpose, in compliance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR. Log and protocol data is regularly deleted or anonymized as soon as it is no longer required to ensure operation and security and no statutory retention obligations prevent deletion.
As a rule, no transfer of personal data to a third country takes place in connection with hosting, provided that the hosting provider renders its services exclusively within the European Union or the European Economic Area. Should a transfer to a third country take place, it shall be governed by the requirements of Arts. 44 et seq. GDPR.
The involvement of a hosting service provider is therefore carried out in compliance with the requirements of Art. 4 No. 8, Art. 6(1), Art. 24, Art. 28, Art. 32, and Arts. 44 et seq. GDPR, taking into account Recital 49 GDPR.
When this website is accessed, information is automatically collected by the hosting system commissioned by the controller and stored in so-called server log files. This data is transmitted by the browser of the respective end device. In particular, this includes the IP address of the requesting end device, date and time of access, the page or file accessed, the HTTP status code, the amount of data transferred in each case, the referrer URL (previously visited page), information about the browser type and browser version used, and the user’s operating system.
IP addresses constitute personal data within the meaning of Art. 4 No. 1 GDPR insofar as they relate to an identified or identifiable natural person. In its judgment of 19 October 2016 (Case C-582/14 – Breyer), the Court of Justice of the European Union clarified that dynamic IP addresses may constitute personal data for a website operator if legal means exist that make it possible to identify the data subject with the aid of additional information. Against this background, IP addresses are processed in compliance with the requirements of the GDPR.
The processing of server log files is carried out for the purpose of ensuring the functionality and stability of the website, ensuring the security of the information technology systems, detecting and defending against attacks on the network infrastructure, and preventing misuse. These purposes are consistent with the principle of integrity and confidentiality pursuant to Art. 5(1)(f) GDPR.
The legal basis for processing this data is Art. 6(1)(f) GDPR. The controller’s legitimate interest lies in ensuring the security and functionality of the website and in defending against unauthorized access and other unlawful acts. Recital 49 GDPR expressly states that the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security may constitute a legitimate interest, including the prevention of unauthorized access to electronic communications networks and the prevention of damage to computer systems.
As a rule, this data is not merged with other data sources. The log file data is processed exclusively for the aforementioned purposes and is not used to create personal user profiles.
Server log files are stored only for the period necessary to achieve the aforementioned purposes. Thereafter, the data is deleted or anonymized, provided that no statutory retention obligations prevent deletion. This is in accordance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
The processing of server log files is carried out in compliance with Art. 4 No. 1 and No. 2, Art. 5(1)(a), (e), and (f), Art. 6(1)(f) GDPR, taking into account Recital 49 GDPR and the case law of the Court of Justice of the European Union regarding the classification of IP addresses as personal data.
For reasons of data security and to protect the transmission of confidential content, this website uses SSL or TLS encryption (Secure Sockets Layer / Transport Layer Security). An encrypted connection can be recognized by the fact that the browser’s address bar begins with “https://” and shows a lock symbol.
By activating SSL/TLS encryption, the data transmitted between the user’s end device and this website’s server is protected against unauthorized access by third parties. This applies in particular to personal data transmitted in the context of contact inquiries, ordering processes, or other entries.
The implementation of transport encryption serves to ensure the integrity and confidentiality of personal data within the meaning of Art. 5(1)(f) GDPR. According to this provision, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
Art. 32(1) GDPR obliges the controller, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Art. 32(1)(a) GDPR expressly mentions the pseudonymization and encryption of personal data as examples. The use of SSL/TLS encryption corresponds to the recognized state of the art for securing data transmissions on the internet and constitutes such an appropriate measure.
The specific configuration of the technical and organizational measures is carried out taking into account the risk assessment under Art. 32(2) GDPR, according to which, when assessing the appropriate level of security, account must be taken in particular of the risks presented by processing, especially from destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
The use of SSL/TLS encryption therefore complies with the statutory requirements of Art. 5(1)(f) GDPR and Art. 32 GDPR.
This website uses cookies and, where applicable, comparable technologies to store and retrieve information on the user’s end device. Cookies are small text files that are stored on the end device and contain certain information. In addition to the GDPR, the use of such technologies is subject in particular to Section 25 of the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TTDSG).
Under Section 25(1) TTDSG, the storage of information in the end user’s terminal equipment or access to information already stored is generally permitted only if the end user has given consent on the basis of clear and comprehensive information. An exception pursuant to Section 25(2) TTDSG exists only where storage or access is strictly necessary in order for the provider of a telemedia service to provide a service expressly requested by the user, or where storage or access serves solely the purpose of carrying out the transmission of a message over a public telecommunications network.
Where cookies or comparable technologies are technically strictly necessary to ensure the functionality and security of the website, their use is based on Section 25(2) TTDSG. The subsequent processing of personal data in this context is based on Art. 6(1)(f) GDPR. The legitimate interest lies in the technically error-free and secure provision of the online service and in ensuring IT security. In doing so, the principles of data minimization and purpose limitation pursuant to Art. 5(1)(b) and (c) GDPR are observed.
Where cookies are used for analytics, marketing, or other non-essential purposes, the storage of or access to information on the end device is based exclusively on prior consent pursuant to Section 25(1) TTDSG. In these cases, the subsequent processing of personal data is based on Art. 6(1)(a) GDPR. Consent is given voluntarily, for a specific case, in an informed and unambiguous manner within the meaning of Art. 4 No. 11 GDPR, and may be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (Art. 7(3) GDPR).
The personal data processed through cookies may in particular include online identifiers within the meaning of Art. 4 No. 1 GDPR, such as IP addresses or unique identifiers that enable recognition of an end device. Recital 30 GDPR clarifies that natural persons may be associated with online identifiers such as IP addresses or cookie identifiers and that these may therefore qualify as personal data where a reference to a person can be established.
The storage period of cookies depends on their respective purpose. Technically necessary cookies are generally deleted at the end of the session or stored only for as long as necessary to provide the respective function. Analytics or marketing cookies may be stored for a defined period beyond that, which is transparently indicated within the consent management system used. Storage takes place in compliance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
Processing in connection with cookies is carried out in compliance with Section 25 TTDSG and Art. 4 No. 1 and No. 11, Art. 5(1), Art. 6(1), Art. 7, and Recital 30 GDPR.
This website uses Google Analytics in the version Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is a subsidiary of Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics enables the analysis of users’ use of this website. In this context, personal data is processed, in particular online identifiers including IP address, device identifiers, client IDs, interaction data, usage data, information about the end device used, approximate location data, and technical information about the browser and operating system. Depending on the configuration used, this data may also be processed server-side or client-side.
Online identifiers such as IP addresses or cookie identifiers may constitute personal data within the meaning of Art. 4 No. 1 GDPR, as they enable or at least indirectly allow the identification of natural persons. Recital 30 GDPR expressly clarifies that natural persons may be associated with online identifiers which may leave traces and, in combination with other information, may be used to identify them.
Google Analytics is used exclusively on the basis of the user’s prior consent. The legal basis for the storage of information on the end device or access to such information is Section 25(1) TTDSG. The subsequent processing of personal data is based on Art. 6(1)(a) GDPR. Consent is obtained via a consent management tool and complies with the requirements of Art. 4 No. 11 GDPR and Art. 7 GDPR. It is voluntary, informed, and may be withdrawn at any time with effect for the future.
The processing serves the purpose of analyzing user behavior, statistically evaluating the use of this website, measuring reach, and optimizing the online offering. These purposes are consistent with the transparency requirement under Art. 12 GDPR and the information obligations under Art. 13 GDPR.
In connection with Google Analytics, a transfer of personal data to a third country within the meaning of Art. 44 GDPR, in particular to the United States of America, cannot be ruled out. A transfer to a third country is permissible only if the special requirements of Arts. 44 et seq. GDPR are fulfilled. Where data is transferred to the USA, this takes place on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR, provided that the data recipient is certified under the EU-US Data Privacy Framework. Otherwise, the transfer takes place on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular through the conclusion of Standard Contractual Clauses of the European Commission. In addition, all provisions of Chapter V GDPR must be observed in accordance with Art. 44 GDPR.
Processing is carried out in compliance with the principles of Art. 5 GDPR, in particular data minimization and purpose limitation. Where possible, the IP address is shortened or otherwise anonymized by Google within the European Union before any further processing takes place. The controller does not combine the data collected in the context of Google Analytics with other data sources.
The data is stored only for as long as is necessary to achieve the aforementioned purposes. The retention period is determined by the retention settings configured in Google Analytics and is subject to the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
The integration of Google Analytics is therefore carried out in compliance with Section 25 TTDSG and Art. 4 No. 1 and No. 11, Art. 5, Art. 6(1)(a), Art. 7, Art. 12, Art. 13, and Arts. 44 et seq. GDPR.
A security plugin is used to ensure the security and functionality of this website. In particular, it serves to detect, analyze, and defend against unauthorized access attempts, automated attacks (e.g. brute-force attacks), malicious code integrations, and other security-relevant events.
In the context of using a security plugin, personal data may be processed. This includes, in particular, IP addresses, timestamps of access and login attempts, information about the browser and operating system used, accessed URLs, and other technical log data, to the extent necessary for attack detection or the prevention of misuse.
IP addresses constitute personal data within the meaning of Art. 4 No. 1 GDPR insofar as a personal reference can be established. According to the case law of the Court of Justice of the European Union (judgment of 19 October 2016, Case C-582/14 – Breyer), dynamic IP addresses may constitute personal data for the operator of a website if legal means exist to identify the data subject with the aid of additional information. The processing of such data therefore takes place in compliance with data protection requirements.
The purpose of the processing is to ensure the integrity, confidentiality, and availability of the information technology systems. This corresponds to the principle of integrity and confidentiality pursuant to Art. 5(1)(f) GDPR. In addition, pursuant to Art. 32(1) GDPR, the controller is obliged, taking into account the state of the art and the risks to the rights and freedoms of natural persons, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The use of a security plugin constitutes such a technical measure.
The legal basis for the processing of personal data in the context of the security plugin is Art. 6(1)(f) GDPR. The controller’s legitimate interest lies in defending against attacks on the IT infrastructure, preventing misuse, and protecting personal data against unauthorized access. Recital 49 GDPR expressly clarifies that the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security may constitute a legitimate interest. This includes, in particular, the prevention of unauthorized access to electronic communications networks and the prevention of damage to computer systems.
Where the security plugin is provided by an external provider and that provider gains access to personal data, the processing takes place within the framework of processing on behalf of the controller pursuant to Art. 4 No. 8 and Art. 28 GDPR. In that case, a data processing agreement exists that fulfills the requirements of Art. 28(3) GDPR. The provider does not carry out independent processing for its own purposes.
Data collected in the context of security measures is stored only for as long as necessary to investigate and defend against specific security-related incidents. Thereafter, the data is deleted or anonymized, unless statutory retention obligations prevent deletion. This takes place in compliance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
Processing in connection with the security plugin is therefore carried out in compliance with Art. 4 No. 1 and No. 8, Art. 5(1)(f), Art. 6(1)(f), Art. 28, and Art. 32 GDPR, taking into account Recital 49 GDPR and the case law of the Court of Justice of the European Union regarding the classification of IP addresses as personal data.
Where digital products are offered and purchased via this website, personal data is processed for the purpose of initiating, concluding, and performing contracts. In particular, this processing includes the collection and processing of identification and contact data such as name and email address, billing and payment data, order and transaction data, and, where applicable, communication data in connection with contract processing.
The processing of personal data is lawful pursuant to Art. 6(1)(b) GDPR where it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The conclusion of a purchase agreement for digital content requires the processing of the data necessary to perform the contract. Without the provision of such data, the conclusion of a contract is generally not possible.
The processing serves, in particular, the following purposes: identification of the contractual partner, execution of the ordering process, provision of the purchased digital content, invoicing, payment processing, communication in connection with the order, and, where applicable, enforcement of contractual claims. These purposes are consistent with the principle of purpose limitation pursuant to Art. 5(1)(b) GDPR.
Where statutory obligations must be fulfilled in the context of contract processing, the processing is additionally based on Art. 6(1)(c) GDPR. This includes, in particular, retention obligations under tax and commercial law pursuant to Section 147 of the German Fiscal Code (Abgabenordnung – AO) and Section 257 of the German Commercial Code (Handelsgesetzbuch – HGB), according to which certain business documents must be retained for a legally prescribed period.
The processing of personal data takes place in compliance with the principles of Art. 5 GDPR, in particular data minimization pursuant to Art. 5(1)(c) GDPR and storage limitation pursuant to Art. 5(1)(e) GDPR. Personal data is stored only for as long as is necessary for the performance of the contract or as long as statutory retention periods apply. After expiry of these periods, the data is deleted unless further statutory or contractual obligations prevent deletion.
Where external service providers, in particular payment service providers or technical platform providers, are involved in the performance of the contract, personal data is disclosed only to the extent necessary for the performance of the contract. Such disclosure takes place in compliance with Art. 28 GDPR where the provider processes data on behalf of the controller, or otherwise within the framework of the independent responsibility of the respective service provider.
The processing of personal data in connection with the purchase of digital products is therefore carried out in compliance with Art. 4 No. 1 and No. 2, Art. 5(1), Art. 6(1)(b) and (c) GDPR, as well as the relevant provisions of commercial and tax law.
External payment service providers are integrated for processing payments in connection with the purchase of digital products. Their integration takes place solely for the purpose of proper payment processing.
The service “Stripe” may be used for payment processing. For customers within the European Economic Area, the provider is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe Payments Europe Ltd. is a regulated payment institution within the meaning of the European Payment Services Directive (Directive (EU) 2015/2366 – PSD2).
If the user selects payment via Stripe, the personal data required for payment processing is transmitted to Stripe. This includes, in particular, name, billing address, email address, payment amount, transaction information, and payment data (e.g. credit card information or bank account details). The transmission takes place exclusively to the extent necessary to process the payment.
The legal basis for the transfer of personal data to Stripe is Art. 6(1)(b) GDPR, as the processing is necessary for the performance of the contract concluded with the data subject. Without the transfer of payment data, the transaction cannot be carried out.
Stripe processes the transmitted data under its own data protection responsibility insofar as this is necessary for the execution of the payment and for compliance with legal obligations, in particular anti-money laundering requirements. To this extent, Stripe is not a processor within the meaning of Art. 4 No. 8 GDPR, but an independent controller.
Where personal data is transferred to a third country within the meaning of Art. 44 GDPR, in particular to Stripe, Inc., located in the United States of America, such transfer takes place only in compliance with Arts. 44 et seq. GDPR. Such transfer may be based on an adequacy decision of the European Commission pursuant to Art. 45 GDPR, provided that the respective recipient is certified under the EU-US Data Privacy Framework. Alternatively, the transfer takes place on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular through the conclusion of Standard Contractual Clauses of the European Commission.
Alternatively, payment may be made via PayPal. For users within the European Economic Area, the provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg, Luxembourg. PayPal is a licensed credit institution under Luxembourg law and is supervised by the Commission de Surveillance du Secteur Financier (CSSF).
If the payment method PayPal is selected, personal data required for payment processing is transmitted to PayPal. This includes, in particular, name, email address, billing and delivery data, payment amount, and transaction data. The transmission takes place exclusively for the purpose of carrying out the payment.
The legal basis for the transfer is Art. 6(1)(b) GDPR, as the processing is necessary for the performance of the contract. PayPal processes the data under its own responsibility for payment processing and for compliance with legal obligations, in particular under anti-money laundering and banking supervisory law.
Where PayPal transfers personal data to affiliated companies or service providers in third countries, this takes place exclusively in compliance with Arts. 44 et seq. GDPR. Such transfer may in particular be based on an adequacy decision pursuant to Art. 45 GDPR or on the use of Standard Contractual Clauses pursuant to Art. 46 GDPR.
The processing of personal data in the context of payment processing is carried out in compliance with the principles of Art. 5 GDPR, in particular lawfulness, purpose limitation, data minimization, and storage limitation. Only such data is transmitted as is necessary to carry out the respective transaction.
The integration of external payment service providers is therefore carried out in compliance with Art. 4 No. 1, Art. 5(1), Art. 6(1)(b), and Arts. 44 et seq. GDPR, as well as the relevant provisions of Union law applicable to payment service providers.
In the context of contract processing and entrepreneurial activity, personal data is processed that is subject to retention obligations under commercial and tax law. This includes, in particular, invoice data, proof of payment, accounting documents, contract documents, and other business correspondence of tax relevance.
The legal basis for the processing of personal data in connection with statutory retention obligations is Art. 6(1)(c) GDPR. According to this provision, processing is lawful where it is necessary for compliance with a legal obligation to which the controller is subject.
The relevant statutory obligations arise in particular from Section 147(1) AO and Section 257(1) HGB. Under Section 147 AO, inter alia, books, records, inventories, annual financial statements, accounting documents, and received and dispatched commercial or business letters must be retained. Pursuant to Section 147(3) AO, the retention period is generally ten years for accounting documents and six years for received or dispatched commercial and business letters. Comparable provisions are contained in Section 257(4) HGB.
Where personal data forms part of such documents, it is stored for the duration of the legally prescribed retention periods. During this period, deletion is generally excluded, since processing remains necessary for compliance with a legal obligation.
After expiry of the statutory retention periods, the personal data concerned is deleted unless further statutory or contractual obligations prevent deletion. Processing takes place in compliance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
Where external service providers, in particular tax advisors or accounting service providers, are involved in accounting or tax advice, personal data is disclosed only to the extent necessary. Depending on the circumstances, this may take place within the framework of processing on behalf pursuant to Art. 28 GDPR or within the framework of the independent responsibility of the respective professional. Professional confidentiality obligations remain unaffected.
The processing of personal data for tax and commercial purposes is therefore carried out in compliance with Art. 5(1), Art. 6(1)(c) GDPR, and Sections 147 AO and 257 HGB.
When contacting the controller, in particular via a contact form provided on this website or by email, the personal data communicated by the requesting person is processed. This regularly includes the name, email address, the content of the message, and, where applicable, other information provided voluntarily.
Pursuant to Art. 4 No. 1 GDPR, personal data means all information relating to an identified or identifiable natural person. According to Art. 4 No. 2 GDPR, processing includes in particular the collection, storage, use, and, where applicable, disclosure of such data.
The processing of personal data transmitted in the context of contacting the controller serves exclusively the purpose of handling and responding to the respective inquiry and, where applicable, initiating or performing a contractual relationship. It takes place in compliance with the principle of purpose limitation pursuant to Art. 5(1)(b) GDPR.
The legal basis for processing is Art. 6(1)(b) GDPR where the contact concerns an existing or intended contractual relationship or is aimed at pre-contractual measures. In all other cases, processing is based on Art. 6(1)(f) GDPR. The controller’s legitimate interest lies in the proper handling of inquiries, maintaining communication with users, and organizing business operations. The balancing of interests is carried out taking into account the legitimate expectations of the data subject pursuant to Recital 47 GDPR.
As a rule, data collected in the context of contact inquiries is not disclosed to third parties unless this is necessary for handling the inquiry or required by law. Where external service providers are used for the technical provision of the contact form or for the management of email communication, processing takes place within the framework of processing on behalf pursuant to Art. 28 GDPR.
Personal data collected in connection with contacting the controller is stored only for as long as is necessary to process the inquiry or as long as statutory retention obligations apply. After the purpose of processing ceases to apply and any statutory retention periods have expired, the data is deleted. This takes place in compliance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
The processing of personal data in the context of contacting the controller is therefore carried out in compliance with Art. 4 No. 1 and No. 2, Art. 5(1), Art. 6(1)(b) and (f), Art. 28 GDPR, taking into account Recital 47 GDPR.
Where a newsletter is offered on this website, electronic newsletters are sent exclusively on the basis of the data subject’s prior express consent.
The processing of personal data collected in the context of newsletter registration – generally email address and, where applicable, name – serves the purpose of regularly sending information about the controller’s own offers, products, or services. Pursuant to Art. 4 No. 1 GDPR, personal data means all information relating to an identified or identifiable natural person.
The legal basis for processing is Art. 6(1)(a) GDPR. According to this provision, processing is lawful where the data subject has given consent to the processing of personal data concerning them for one or more specific purposes. Pursuant to Art. 4 No. 11 GDPR, consent must be freely given, specific, informed, and unambiguous. The requirements for the validity of consent are supplemented by Art. 7 GDPR. In particular, the controller must be able to demonstrate that the data subject has consented to processing (Art. 7(1) GDPR), and consent must be withdrawable at any time (Art. 7(3) GDPR).
Newsletter registration takes place using the so-called double opt-in procedure. After registration, the data subject receives a confirmation email in which they must verify their registration by means of a separate confirmation link. Only after this confirmation is the email address added to the mailing list. This procedure serves to prove consent pursuant to Art. 7(1) GDPR and to protect against abusive registrations.
The sending of newsletters by electronic mail is also subject to Section 7(2) No. 3 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG). According to this provision, sending advertising by electronic mail without the recipient’s prior express consent generally constitutes an unreasonable nuisance. Obtaining valid consent therefore also serves to comply with competition law requirements.
In the context of sending newsletters, usage data may also be processed, in particular information as to whether and when an email was opened and which links were clicked, provided that this is technically envisaged. Such processing also takes place exclusively on the basis of consent pursuant to Art. 6(1)(a) GDPR. The processing serves the statistical evaluation and optimization of the newsletter offering.
Consent may be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (Art. 7(3) GDPR). Withdrawal may in particular be effected via an unsubscribe link contained in every newsletter email or by notifying the controller.
Personal data is stored for the duration of the newsletter subscription. After unsubscribing from the newsletter, the data is deleted unless statutory retention obligations apply or further processing is permissible on another legal basis. Processing takes place in compliance with the principle of storage limitation pursuant to Art. 5(1)(e) GDPR.
Processing in connection with the newsletter is therefore carried out in compliance with Art. 4 No. 1 and No. 11, Art. 5(1), Art. 6(1)(a), Art. 7 GDPR, and Section 7(2) No. 3 UWG.
Where a customer’s email address has been collected in connection with the sale of goods or services, it may be used for direct advertising of the controller’s own similar goods or services.
The permissibility of using the email address for this purpose is governed by Section 7(3) UWG. According to this provision, unreasonable nuisance within the meaning of Section 7(2) No. 3 UWG is exceptionally not assumed where an undertaking has obtained the customer’s electronic mail address in connection with the sale of goods or services, uses the address for direct advertising of its own similar goods or services, the customer has not objected to such use, and the customer was clearly and explicitly informed, both when the address was collected and each time it is used, that they may object to such use at any time without incurring any costs other than the transmission costs according to the basic rates.
From a data protection perspective, the processing of the email address for the purposes of direct advertising to existing customers is based on Art. 6(1)(f) GDPR. According to this provision, processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. Recital 47 GDPR expressly states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The controller’s legitimate interest lies in the commercial promotion of its own offers and in maintaining existing customer relationships. The balancing of interests takes into account that the data subject is already a customer and provided the email address in connection with a contractual relationship. In addition, the data subject is granted the possibility at any time to object to the use of their email address for advertising purposes.
Objection to the use of the email address for advertising purposes is possible at any time. This is specifically pointed out when the email address is collected and in every advertising email. The objection may be made informally and results in the email address no longer being used for direct advertising purposes. The right to object also follows from Art. 21(2) GDPR, according to which the data subject has the right to object at any time to the processing of personal data concerning them for the purposes of direct marketing.
The processing of the email address for the purposes of advertising to existing customers is therefore carried out in compliance with Section 7(3) UWG and Art. 5(1), Art. 6(1)(f), and Art. 21(2) GDPR, taking into account Recital 47 GDPR.
Personal data is transferred to recipients in states outside the European Union (EU) or the European Economic Area (EEA) – so-called third countries – only where the special requirements of Arts. 44 et seq. GDPR are fulfilled.
Under Art. 44 GDPR, any transfer of personal data to a third country or an international organization is permissible only if the conditions laid down in Chapter V GDPR are complied with. The provisions of Arts. 44 et seq. GDPR ensure that the level of protection guaranteed by the GDPR for natural persons is not undermined when data is transferred to third countries.
A transfer of data to a third country may occur in particular in connection with the use of certain service providers, for example when integrating analytics or payment services with a registered office or parent company in the United States of America.
Pursuant to Art. 45(1) GDPR, a transfer of personal data to a third country is permissible where the European Commission has decided that the third country, a territory, or one or more specified sectors within that third country ensures an adequate level of protection. In such case, no specific authorization is required for the transfer.
For the United States of America, the European Commission, by Implementing Decision (EU) 2023/1795 of 10 July 2023, determined that organizations certified under the EU-US Data Privacy Framework ensure an adequate level of protection. Where recipients of personal data are certified under this framework, the data transfer takes place on the basis of Art. 45 GDPR in conjunction with that adequacy decision.
Where no adequacy decision pursuant to Art. 45 GDPR exists, or where a recipient is not certified under such a decision, personal data is transferred only where appropriate safeguards pursuant to Art. 46 GDPR are provided. These include, in particular, the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR.
The Standard Contractual Clauses contractually oblige the data recipient in the third country to comply with a level of data protection that is essentially equivalent. In addition, where necessary, supplementary measures must be taken to ensure an adequate level of protection, as required by the case law of the Court of Justice of the European Union, in particular its judgment of 16 July 2020 (Case C-311/18 – “Schrems II”).
By way of exception, a transfer of data may also be permissible under the conditions of Art. 49 GDPR, for example where the data subject has explicitly consented to the proposed transfer or where the transfer is necessary for the performance of a contract between the data subject and the controller. Such transfers take place only in narrowly limited exceptional cases and in compliance with the statutory requirements.
Regardless of the transfer basis chosen, every transfer to a third country takes place in compliance with the principles of Art. 5 GDPR, in particular lawfulness, transparency, purpose limitation, data minimization, integrity, and confidentiality. Only such personal data is transferred as is necessary for the respective purpose.
Transfers to third countries are therefore carried out in compliance with Arts. 44 to 49 GDPR, Implementing Decision (EU) 2023/1795 of the European Commission on the EU-US Data Privacy Framework, and the relevant case law of the Court of Justice of the European Union.
The provision of personal data by the data subject may be required by law or contract, or may be necessary for the conclusion of a contract. The obligation to provide information about this arises from Art. 13(2)(e) GDPR. According to that provision, the controller must inform the data subject whether the provision of personal data is required by law or contract or is necessary for entering into a contract, whether the data subject is obliged to provide the personal data, and what possible consequences the failure to provide such data would have.
Where personal data is required for taking pre-contractual measures or for the performance of a contract, processing is based on Art. 6(1)(b) GDPR. In such cases, the provision of the data marked as mandatory is necessary in order to properly perform the contract. Without the provision of such data, a contract cannot be concluded or a contractual service cannot be provided.
Where personal data is required for compliance with a legal obligation, processing is based on Art. 6(1)(c) GDPR. This applies in particular to obligations under commercial and tax law pursuant to Section 147 AO and Section 257 HGB. In such cases, the controller is legally obliged to collect and store certain personal data.
In all other cases, the provision of personal data is voluntary. However, failure to provide such data may result in certain functions of the website not being usable or inquiries not being processable.
Processing always takes place in compliance with the principles of Art. 5(1) GDPR, in particular data minimization and purpose limitation. Only such personal data is collected as is necessary for the respective purpose.
The above information is provided in order to fulfill the transparency and information obligations pursuant to Art. 13(2)(e) GDPR in conjunction with Art. 12(1) GDPR.
No decision based solely on automated processing – including profiling – within the meaning of Art. 22(1) GDPR takes place.
Art. 22(1) GDPR grants the data subject the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them. Such a decision exists in particular where personal data is automatically evaluated and the result, without human intervention, leads to a decision that has significant effects on the data subject.
Pursuant to Art. 4 No. 4 GDPR, profiling means any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Where technical analytics or evaluation procedures are used on this website (e.g. statistical evaluations for the optimization of the offering), these do not lead to decisions producing legal effects or similarly significant effects within the meaning of Art. 22(1) GDPR.
The above information is provided in order to fulfill the information obligation pursuant to Art. 13(2)(f) GDPR. According to that provision, the controller must inform the data subject about the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR and – at least in those cases – provide meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing.
Should automated decision-making within the meaning of Art. 22 GDPR be introduced in the future, this would take place only in compliance with the statutory requirements. This includes, in particular, the existence of one of the exceptions mentioned in Art. 22(2) GDPR and appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject pursuant to Art. 22(3) GDPR.
Personal data is stored only for as long as is necessary for the purposes for which it was collected or otherwise processed. This corresponds to the principle of storage limitation pursuant to Art. 5(1)(e) GDPR. According to this principle, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
The specific storage period depends on the respective purpose of processing and on any statutory retention obligations. Where personal data is processed for the performance of a contract or for pre-contractual measures, it is generally stored for the duration of the contractual relationship and beyond that to the extent necessary for the establishment, exercise, or defense of legal claims. In this context, the civil-law limitation periods under Sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB) must be taken into account in particular.
Where personal data is subject to statutory retention obligations, it is stored for the respective period prescribed by law. Relevant in particular are the retention obligations under commercial and tax law pursuant to Section 147 AO and Section 257 HGB. Pursuant to Section 147(3) AO and Section 257(4) HGB, retention periods are generally six or ten years, depending on the type of documents.
Personal data processed on the basis of consent pursuant to Art. 6(1)(a) GDPR is stored until the data subject withdraws their consent, unless another legal basis justifies further processing. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal (Art. 7(3) GDPR).
Data processed on the basis of a legitimate interest pursuant to Art. 6(1)(f) GDPR is stored for as long as the legitimate interest continues to exist and no overriding interests or fundamental rights and freedoms of the data subject oppose such processing. In the event of an effective objection pursuant to Art. 21 GDPR, the personal data will no longer be processed unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or unless the processing serves the establishment, exercise, or defense of legal claims.
After the respective purpose of processing ceases to apply and any statutory retention periods have expired, the personal data is deleted or anonymized unless other statutory obligations prevent deletion. Deletion takes place in compliance with the technical and organizational measures pursuant to Art. 24 and Art. 32 GDPR.
The above provisions serve to fulfill the information obligations pursuant to Art. 13(2)(a) GDPR in conjunction with Art. 5(1)(e) GDPR.
Data subjects have the rights described below vis-à-vis the controller with regard to the personal data concerning them. These rights arise in particular from Chapter III of the General Data Protection Regulation (Arts. 12 to 23 GDPR).
Pursuant to Art. 12(1) GDPR, the controller shall provide the data subject with all information referred to in Arts. 13 and 14 GDPR and all communications under Arts. 15 to 22 and Art. 34 GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Information shall generally be provided free of charge pursuant to Art. 12(5) GDPR, unless requests are manifestly unfounded or excessive.
Pursuant to Art. 15(1) GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed. Where that is the case, the data subject has the right of access to such personal data and to further information, in particular on the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged storage period or the criteria used to determine it, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint with a supervisory authority, and the existence of automated decision-making including profiling.
Pursuant to Art. 15(3) GDPR, the data subject has the right to obtain a copy of the personal data undergoing processing.
Pursuant to Art. 16 GDPR, the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, they also have the right to have incomplete personal data completed.
Pursuant to Art. 17(1) GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the grounds listed therein applies, in particular where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject withdraws consent and there is no other legal basis for processing.
The right to erasure does not exist where processing is necessary pursuant to Art. 17(3) GDPR, in particular for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Pursuant to Art. 18 GDPR, the data subject has the right to obtain restriction of processing where one of the conditions set out therein applies, in particular where the accuracy of the personal data is contested or the processing is unlawful and the data subject opposes erasure.
Pursuant to Art. 20(1) GDPR, the data subject has the right to receive the personal data concerning them which they have provided to the controller in a structured, commonly used, and machine-readable format, where processing is based on consent pursuant to Art. 6(1)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out by automated means.
Pursuant to Art. 21(1) GDPR, the data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them where processing is based on Art. 6(1)(e) or (f) GDPR.
Where personal data is processed for direct marketing purposes, the data subject has the right pursuant to Art. 21(2) GDPR to object at any time to the processing of personal data concerning them for such marketing. In the event of an objection to direct marketing, the personal data shall no longer be processed for such purposes.
Where processing is based on consent pursuant to Art. 6(1)(a) GDPR, the data subject has the right to withdraw their consent at any time with effect for the future. The lawfulness of processing carried out on the basis of consent before its withdrawal remains unaffected.
Pursuant to Art. 77(1) GDPR, every data subject has the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data concerning them infringes the GDPR.
The above rights may be exercised informally vis-à-vis the controller.
The above explanations are provided in order to fulfill the information obligations pursuant to Art. 13(2)(b) to (d) GDPR in conjunction with Arts. 15 to 22 and Art. 77 GDPR.
Where personal data is processed on the basis of Art. 6(1)(e) or (f) GDPR, the data subject has the right pursuant to Art. 21(1) GDPR, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them. This also applies to profiling based on those provisions within the meaning of Art. 4 No. 4 GDPR.
In the event of an objection, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defense of legal claims. These requirements follow directly from Art. 21(1) sentence 2 GDPR.
Where personal data is processed for direct marketing purposes, the data subject has the right pursuant to Art. 21(2) GDPR to object at any time to the processing of personal data concerning them for such marketing. This also applies to profiling insofar as it is related to such direct marketing. In the event of an objection to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes in accordance with Art. 21(3) GDPR. In this case, no further balancing of interests takes place.
Pursuant to Art. 21(4) GDPR, the controller expressly draws attention to this right to object. The objection may be made informally and should be directed to the contact details stated in Section 1 of this Privacy Policy.
The above explanations are provided in order to fulfill the information obligation pursuant to Art. 13(2)(b) GDPR in conjunction with Art. 21 GDPR.
Pursuant to Art. 24(1) GDPR, the controller implements, taking into account the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing of personal data is performed in accordance with the General Data Protection Regulation.
In addition, pursuant to Art. 32(1) GDPR, the controller is obliged, taking into account the state of the art, the costs of implementation, and the aforementioned risk factors, to ensure a level of security appropriate to the risk. When assessing the appropriate level of security, account must in particular be taken of the risks that are presented by processing, especially accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (Art. 32(2) GDPR).
The measures taken may in particular include the encryption of personal data, measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures, as well as measures for access control and access restriction. Encryption of data transmissions using SSL/TLS procedures constitutes a measure within the meaning of Art. 32(1)(a) GDPR.
The processing of personal data also takes place in compliance with the principle of “data protection by design and by default” pursuant to Art. 25 GDPR. According to this provision, appropriate technical and organizational measures must be implemented both at the time of determining the means for processing and at the time of the processing itself, which are designed to effectively implement the data protection principles and to integrate the necessary safeguards into the processing.
Where external service providers are used, their involvement takes place in compliance with the requirements of Art. 28 GDPR. The controller ensures that these service providers implement appropriate technical and organizational measures that meet the statutory requirements.
The above measures serve to implement the obligations under Art. 5(1)(f) GDPR, according to which personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
The data security measures are regularly reviewed and adapted to the state of the art and to changing risk situations.