Privacy statement

Preamble

The goal of this privacy statement is to explain which types of your personal data (also abbreviated “data”) we process for which purposes and in what scope. This privacy statement applies to all processing of personal data performed by us, both within the scope of providing our services and, in particular, on our websites, in mobile applications, and within external online sites such as our social media profiles (collectively “Online Presence“).

The terms used are not gender specific.

Last updated April 24, 2023

Overview of content

Controller

Steffen C. Schmid
Holiday Inn Munich – City Centre
Hochstrasse 3
81669 Munich

Authorized representatives:

Steffen C. Schmid

e-mail address:

reservation@himunich.com

Legal notice:

https://www.meet-inn-munich.com/impressum/

Data protection officer contact details

Frank Schiffer, frank.schiffer@himunich.com

Overview of processing operations

The overview below summarizes the types of data processed and the purposes of processing and indicates the data subjects.

Types of data processed

  • Inventory data.
  • Payment data.
  • Location data.
  • Contact details.
  • Content data.
  • Contract data.
  • Use data.
  • Metadata, communication data, and procedural data.

Special categories of data

  • Health data.
  • Religious or philosophical beliefs.

Categories of data subjects

  • Customers.
  • Potential customers.
  • Communication partners.
  • Users.
  • Business partners and parties to contracts.
  • Persons depicted.

Purposes of processing

  • Provision of contractual services and customer service.
  • Contact inquiries and communication.
  • Direct marketing.
  • Office and organizational procedures.
  • Administering and responding to inquiries.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Providing our online presence and user friendliness.
  • IT infrastructure.

Key legal bases

This section presents an overview of the legal bases as outlined in the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection specifications may apply in the country where your or our residence, domicile, or registered office is located. Should more specific legal bases be the operative factor in the individual case, we disclose these in the privacy statement.

  • Consent (point (a) of Article 6(1) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract and requests prior to entering into a contract (point (b) of Article 6(1) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (point (c) of Article 6(1) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (point (f) of Article 6(1) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection provisions of the GDPR, national regulations on data protection apply in Germany. These include but are not limited to the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). In particular, the BDSG contains specific provisions relating to the right of access to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and data transfers, along with automated individual decision-making, including profiling. This law also governs data processing for employment-related purposes (Sec. 26 BDSG), particularly with an eye to hiring decisions, carrying out or terminating the employment contract, and employee consent. Furthermore, state data protection laws at the level of the individual federal states may apply.

Security measures

In accordance with the statutory provisions and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include but are not limited to ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data and the data access concerning them, along with the entry, communication, and separation thereof and ensuring the availability of the data. We have also established procedures that ensure that the rights of data subjects are upheld, data are erased, and there is a response to any risk to the data. Furthermore, we factor protection of personal data into the early stages of development and/or selection of hardware, software, and procedures in keeping with the principle of data protection by design and by default.

TLS encryption (https): We use TLS encryption to protect those of your data that are transferred via our online presence. You can recognize connections encrypted in this way from the prefix https://, which appears in the address bar of your browser.

Transfers of personal data

In the context of our processing of personal data, it is possible that the data will be transferred or disclosed to other bodies, companies, legally independent organizational units, or persons. Recipients of these data may include service providers commissioned to perform IT tasks or providers of services and content integrated into a website. In cases like these, we observe the statutory provisions and, in particular, enter into relevant contracts and agreements that serve to protect your data with the recipients of your data.

Transfers of data within the group of companies: We may transfer personal data to other companies within our group of companies or grant them access to these data. Where this disclosure takes place for administrative purposes, the disclosure of the data is based on our legitimate entrepreneurial and business-related interests or takes place where necessary in order to fulfill our contractual obligations or if the data subject has given consent or the disclosure is permitted by law.

Transfers of data within the organization: We may transfer personal data to other bodies within our organization or grant them access to these data. Where this disclosure takes place for administrative purposes, the disclosure of the data is based on our legitimate entrepreneurial and business-related interests or takes place where necessary in order to fulfill our contractual obligations or if the data subject has given consent or the disclosure is permitted by law.

Data processing in third countries

Where we process data in a third country (i.e., outside the European Union (EU) and European Economic Area (EEA)) or the processing takes place within the context of utilization of the services of third parties or the disclosure or transfer of data to other persons, bodies, or companies, this takes place only in compliance with the statutory provisions.

Except in cases of express consent or transfers required by a contract or by law, we process the data or cause them to be processed only in third countries where there is a recognized level of data protection, a contractual obligation has been entered into in the form of the standard clauses established by the European Commission, and/or where there are certifications or binding corporate data protection rules (Articles 44 through 49 GDPR, European Commission info page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en).

Erasure of data

The data we process are erased in accordance with the statutory specifications as soon as the consent permitting the processing thereof is withdrawn or other permissions cease to apply (e.g., when the purpose of processing of these data has ceased to apply or the data are not necessary for that purpose). If the data are not erased because they are required for other, legally permissible purposes, the processing thereof is restricted to those purposes. This means the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.

Furthermore, our data protection and privacy information may contain additional information on the storage and erasure of data that takes priority in the case of the relevant processing operations.

Use of cookies

Cookies are small text files or other storage notices that store information on devices and read out information from the devices. Examples include storing login status in a user account, the contents of a shopping cart in an online shop, the content accessed, or the features of a website that have been used. Furthermore, cookies can be used for different purposes, such as purposes relating to the functionality, security, and convenience of websites and preparing analysis of visitor traffic.

Notes on consent: We use cookies in accordance with the statutory provisions. For this reason, we obtain advance consent from users except in cases where consent is not required by law. Consent is not required, in particular, if storing and reading out the information, including cookies, is strictly necessary in order to provide users with a telemedia service (meaning our online presence) that has been expressly requested by them. Strictly necessary cookies typically include cookies with functions that serve purposes associated with displaying and ensuring the operability of the online presence, load balancing, security, storage of user preferences and selected options, or similar purposes associated with the provision of the main and secondary functions of the online presence requested by the users. Revocable consent is communicated clearly to users, including information on the relevant use of cookies.

Notes on legal bases under the law of data protection and privacy: The legal basis under the law of data protection and privacy on which we use cookies to process the personal data of users depends on whether we request consent from the users. If users consent, the legal basis for the processing of their data is the consent that has been granted. Otherwise, the data processed using cookies are processed on the basis of our legitimate interests (such as our interest in the economical operation of our online presence and improving the usability thereof) or, where this takes place within the scope of fulfilling our contractual obligations, if the use of cookies is required in order to fulfill our contractual obligations. We provide information on the purposes for which the cookies are processed by us in the course of this privacy statement or within the scope of our consent and processing procedures.

Duration of storage: We distinguish among the following types of cookies with an eye to the duration of storage:

  • Temporary cookies (also known as session cookies): Temporary cookies are erased at the latest after a user has left an online presence and closed that device (such as a browser or mobile app).
  • Permanent cookies: Permanent cookies continue to be stored even after the device is closed. This enables functions such as storing login status or displaying preferred content directly when the same user visits a website again. The user data collected using cookies can also be used to measure reach. Where we do not provide users with explicit information on the nature of the cookies used and the duration of storage thereof (this may take place as part of the process of obtaining consent, for example), users should presume that cookies are permanent and that the duration of storage may be up to two years.

General information on withdrawing consent and objecting (opting out): Users can withdraw the consent they have given at any time and can also object to the processing of their data in keeping with the statutory provisions set down in Article 21 GDPR. Users can also object by using their browser settings, for example by disabling cookies (although this may also restrict the functionality of our online services). Users can also object to the use of cookies for online marketing purposes at the following websites: https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Legal bases: legitimate interests (point (f) of Article 6(1) GDPR); consent (point (a) of Article 6(1) GDPR).

Processing of cookie data on the basis of consent:

  • Verarbeitung von Cookie-Daten auf Grundlage einer Einwilligung: We use a method of managing consent to the use of cookies in which users’ consent to the use of cookies and/or to the processing and providers mentioned within the scope of the cookie consent management process can be obtained and can also be managed and withdrawn by users. In this process, the user’s declaration of consent is stored so that there is no need to request it again and so that the consent can be demonstrated in keeping with the statutory obligations. Storage may take place either on the server side or in a cookie (known as an “opt-in” cookie) or using comparable technologies or both so that it is possible to associate the consent with a particular user or that user’s device. Except where individual information is provided concerning the providers of cookie management services, the following information applies: The duration of storage of consent may be up to two years. A pseudonymous user ID is created for this and stored together with the time of consent, information on the scope of consent (for example, which categories of cookies and/or service providers) and the browser, system, and device used; legal bases: consent (point (a) of Article 6(1) GDPR).

Additional information

If you would like to unsubscribe from marketing e-mails that you receive from IHG / IHG One Rewards, please use the unsubscribe link in the corresponding e-mail. If you would like to unsubscribe from marketing e-mails that you receive from IHG / IHG One Rewards, please use the unsubscribe link in the corresponding e-mail. (unsubscribe@himunich.com)

https://www.ihg.com/content/de/de/customer-care/privacy_statement | https://www.ihg.com/content/gb/en/customer-care/privacy_statement (InterContinental Hotels Group)

In addition to InterContinental Hotels Group, Trimont Hotel Operations 4 GmbH is also a controller of personal data. You can find our privacy statement here: https://files.trimonthotels.com/Trimont4DatenschutzDt.pdf.

In addition to InterContinental Hotels Group, Trimont Hotel Operations 4 GmbH is also a controller of personal data. You can find our Privacy Statement here: https://files.trimonthotels.com/Trimont4ExtPrivNotEng.pdf.

Business services

We process data of the other parties to contracts with us and our business partners, such as customers and potential customers (collectively “Partners”), within the scope of contractual and comparable legal relationships and measures associated therewith and within the scope of communications with the Partners (or prior to entering into a contract), for purposes such as responding to inquiries.

We process these data in order to fulfill our contractual obligations. These include but are not limited to the obligations to perform the agreed services, any updating obligations that may apply, and providing help with warranty disruptions and other disruptions in performance. We also process these data in order to safeguard our rights and for the purposes of the administrative tasks associated with these obligations and company organization purposes. Furthermore, we process the data on the basis of our legitimate interests in the proper and economical conduct of our business and in security measures to protect our Partners and our own business from abuse and risks to their data, secrets, information, and rights (for example, relating to the involvement of telecommunication, transportation, and other assistance services as well as subcontractors, banks, tax and legal advisors, payment service providers, or fiscal authorities). Within the scope of applicable law, we share Partners’ data with third parties only to the extent necessary for the aforementioned purposes or to fulfill statutory obligations. This privacy statement provides Partners with information on further forms of processing, for example for marketing purposes.

We notify Partners of which data are required for the aforementioned purposes either before or during data collection, for example in online forms, through specific markings (such as colors) or symbols (asterisk or similar), or personally.

We erase the data after the statutory warranty and comparable obligations have elapsed, which means in principle after a period of four years except where the data are stored in a customer account, for example, in which case they are stored for as long as they must be retained for statutory reasons relating to archiving. The statutory retention period for tax-related documents, commercial records, inventories, opening balance sheets, annual financial statements, the work instructions required in order to understand these documents, and other organizational documents and posting records is ten years. For incoming commercial and business letters and records of outgoing commercial and business letters, this period is six years. This time limit commences at the end of the calendar year in which the last entry was made in the book in question, the inventory, opening balance sheet, annual financial statement, or management report was prepared, the commercial or business letter was received or sent, or the posting record was created, or moreover the recording was performed or the other documents were created.

Where we use third-party providers or platforms to perform our services, the terms and conditions of business and data protection and privacy information of the relevant third-party providers or platforms apply within the relationship between the users and the providers.

  • Types of data processed: inventory data (such as names, addresses); payment data (such as bank account details, invoices, payment history); contact details (such as e-mail, phone numbers); contract data (such as subject matter of agreement, term, customer category).
  • Special categories of personal data: data concerning health (Article 9(1) GDPR); religious or philosophical beliefs (Article 9(1) GDPR).
  • Data subjects: potential customers; business partners and parties to contracts; customers.
  • Purposes of processing: provision of contractual services and customer service; contact inquiries and communication; office and organizational procedures; administering and responding to inquiries.
  • Legal bases: performance of contracts and requests prior to entering into contracts (point (b) of Article 6(1) GDPR); legal obligation (point (c) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).

Further information on processing operations, procedures, and services:

  • Hotel and accommodations services: We process the information provided by our guests, visitors, and potential customers (“Guests”) to provide our accommodation and associated services of a tourist or culinary nature and to settle accounts for services rendered. Within the scope of our commissioning, it may be necessary for us to process special categories of data within the meaning of Article 9(1) GDPR, particularly information relating to a person’s health or religious affiliation. Processing takes place in order to protect the health-related interests of visitors (for example, in the case of information regarding allergies) or otherwise to satisfy their physical, mental, or psychological needs upon request and with their consent. Where required in order to perform a contract or by law, or where Guests have granted consent or this takes place on the basis of our legitimate interests, we disclose or transfer the data of Guests to entities including the service providers involved in fulfilling our services or to government agencies, billing entities, or entities in the fields of IT or of office or similar services; legal bases: performance of contracts and requests prior to entering into contracts (point (b) of Article 6(1) GDPR).
  • Events: We process the data of participants in events and similar activities offered or arranged by us (hereinafter “Participants” and “Events,” respectively) in order to enable them to participate in the Events and utilize the services or promotions associated with participation. Where we process health-related data, religious, political, or other special categories of data in this context, this takes place within the scope of public knowledge (e.g., in the case of Events with specific themes) or serves to protect and preserve health and safety or occurs with the consent of the data subjects. The required information is marked as such within the scope of the order or similar contract that is entered into and encompasses the information needed in order to perform the service and settle accounts, along with contact details in order to be able to follow up as necessary. Where we receive access to information of end customers, employees, or other persons, we process this information in accordance with the statutory and contractual specifications; legal bases: performance of contracts and requests prior to entering into contracts (point (b) of Article 6(1) GDPR).

Provision of the Online Presence and Web hosting

We process the data of users in order to be able to provide our online services to them. For this purpose, we process the user’s IP address, which is necessary in order to transfer the content and functions of our online services to the user’s browser or device.

  • Types of data processed: use data (such as websites visited, interest in content, access times); metadata, communication data, and procedural data (such as IP addresses, time information, identification numbers, consent status); content data (such as entries in online forms).
  • Data subjects: users (such as website visitors, users of online services).
  • Purposes of processing: provision of our online presence and user friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, and more).
  • Legal bases: legitimate interests (point (f) of Article 6(1) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of the Online Presence using rented storage space: We use storage space, processing capacity, and software that we rent or otherwise procure from a relevant server provider (also known as a Web hosting service) in order to provide our online presence; legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • e-mail transmission and hosting: The Web hosting services we use also encompass sending, receiving, and storing e-mail. For these purposes, the addresses of recipients and senders are processed, along with further information concerning the transmission of e-mail (such as the providers involved) and the content of the e-mails in question. The aforementioned data may also be processed for the purpose of identifying spam. Please note that e-mail transmitted via the Internet is not transmitted with encryption in principle. As a general rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received (except in cases where “end-to-end” encryption methods are used). Therefore, we cannot accept any responsibility for the route taken by e-mails in transit between the recipient and when they are received by our server; legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • ALL-INKL: Services in the area of provision of IT infrastructure and associated services (such as storage space and/or processing capacity); service provider: ALL-INKL.COM – Neue Medien Münnich, owner: René Münnich, Hauptstrasse 68, 02742 Friedersdorf, Germany; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://all-inkl.com/; privacy policy: https://all-inkl.com/datenschutzinformationen/; processing agreement: to be provided by service provider.

Contact and inquiry management

When users contact us (for example by mail or using our contact form, or via e-mail, phone, or social media) and within the scope of existing user and business relationships, the information of the persons submitting inquiries is processed to the extent necessary to respond to their contact inquiries and take any measures that may be requested.

  • Types of data processed: contact details (such as e-mail, phone numbers); content data (such as entries in online forms); use data (such as websites visited, interest in content, access times); metadata, communication data, and procedural data (such as IP addresses, time information, identification numbers, consent status).
  • Data subjects: communication partners.
  • Purposes of processing: contact inquiries and communication; administering and responding to inquiries; feedback (such as collecting feedback via an online form); providing our online presence and user friendliness.
  • Legal bases: legitimate interests (point (f) of Article 6(1) GDPR); performance of contracts and requests prior to entering into contracts (point (b) of Article 6(1) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When users contact us using our contact form, e-mail, or other communication channels, we process the data communicated to us in this context in order to handle the concern or request communicated to us; legal bases: performance of contracts and requests prior to entering into contracts (point (b) of Article 6(1) GDPR), legitimate interests (point (f) of Article 6(1) GDPR).

Videoconferences, online meetings, webinars, and screen sharing

We use platforms and applications from other providers (“Conference Platforms”) for purposes of holding video and audio conferences, webinars, and other kinds of video and audio meetings (collectively “Conferences”). We abide by the statutory specifications when selecting the Conference Platforms and their services.

Data processed by Conference Platforms: Within the scope of participation in a Conference, the Conference Platforms process the personal data of participants as mentioned hereinafter. The scope of the processing depends on multiple factors, including which data are requested within the scope of a specific Conference (e.g., indication of access details or real names) and which optional information is provided by participants. In addition to processing in order to hold the Conference, participants’ data may also be processed by the Conference Platforms for security purposes or to optimize their services. The data processed include personal data (first and last name), contact information (e-mail address, phone number), access details (access codes or passwords), profile pictures, information on professional position/role, the IP address used to access the Internet, information on participants’ devices and the operating system, browser, and technical and language settings used, information on the content of the communication processes used, meaning chat entries and audio and video data, along with the use of other available functions (such as surveys or polls). The content of the communications is encrypted in the scope provided for technical purposes by the Conference providers. If the participants are registered with the Conference Platforms as users, then further data may be processed in keeping with the agreement with the relevant Conference provider.

Logging and recordings: If text entries, results of participation (in surveys or polls, for example), and/or video or audio recordings are logged, this is transparently communicated to participants in advance, and participants are asked for consent where required.

Data protection and privacy measures by participants: With regard to the details of the processing of your data by the Conference Platforms, please note the Conference Platforms’ data protection and privacy information and choose the security and privacy settings that are best for you within the Conference Platform settings. For the duration of any videoconference, please also ensure data protection and privacy with regard to the background of your recording (for example, by notifying other members of the household, closing doors, and using the function for blurring the background where possible in technical terms). Links to the conference rooms and access details must not be shared with unauthorized third parties.
Note on legal bases: Where we process the data of users in addition to the Conference Platforms and ask users for their consent to the use of the Conference Platforms or certain functions (such as consenting to Conferences being recorded), the legal basis of the processing is this consent. Furthermore, our processing may be necessary in order to fulfill our contractual obligations (for example in lists of participants, in the event that discussion results are processed, etc.). In all other respects, the data of users are processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: inventory data (such as names, addresses); contact details (such as e-mail, phone numbers); content data (such as entries in online forms); use data (such as websites visited, interest in content, access times); metadata, communication data, and procedural data (such as IP addresses, time information, identification numbers, consent status).
  • Data subjects: communication partners; users (such as website visitors, users of online services); persons depicted.
  • Purposes of processing: provision of contractual services and customer service; contact inquiries and communication; office and organizational procedures.
  • Legal bases: legitimate interests (point (f) of Article 6(1) GDPR).

Marketing communications via e-mail, mail, fax, or phone

We process personal data for purposes of marketing communication, which may take place through various channels, such as e-mail, phone, mail, or fax, in keeping with the statutory provisions.

Recipients have the right to withdraw consent that has been granted at any time or to object to marketing communications at any time.

After a recipient withdraws consent or objects, we store the data required in order to demonstrate that we were authorized to use the data up until that point for purposes of making contact or sending communications for a period of up to three years after the end of the year in which consent is rejected or the objection is made. This is done on the basis of our legitimate interests. The processing of these data is limited to the purpose of potentially defending against claims. On the basis of our legitimate interest in observing the withdrawal of consent or objections made by users on a long-term basis, we also store the data necessary in order to avoid contacting these people again (e-mail address, phone number, and/or name, for example, depending on the communication channel).

  • Types of data processed: inventory data (such as names, addresses); contact details (such as e-mail, phone numbers).
  • Data subjects: communication partners.
  • Purposes of processing: direct marketing (for example by e-mail or mail).
  • Legal bases: consent (point (a) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR.

Presence in social networks (social media)

We maintain an online presence on social networks, and in this context, we process data of users in order to communicate with the users active there or offer information about us.

Please note that data of users may be processed outside the European Union in this context. This may give rise to risks to users, as it may render it more difficult for users to enforce their rights.

Furthermore, data of users are typically processed within social networks for market research and marketing purposes. For example, users’ use behavior and their interests as arising from that behavior may be used to create use profiles. These use profiles may in turn be used to do things such as delivering advertisements that are presumed to align with users’ interests within and outside the networks. For these purposes, cookies that store the users’ use behavior and interests are typically stored on the users’ computers. Furthermore, data may also be stored in the use profiles independent of the devices used by the users (especially if the users are members of the platforms in question and are logged in to those platforms).

For a detailed depiction of the relevant forms of processing and options for objecting (opting out), please see the privacy policies and information published by the operators of the relevant networks.

Please note that requests for access to information and assertion of the rights of data subjects are also most effectively addressed to these providers. The providers alone have access to the users’ data in each case, and they can take appropriate action and provide access to information directly. You can contact us afterward if you still require assistance.

  • Types of data processed: contact details (such as e-mail, phone numbers); content data (such as entries in online forms); use data (such as websites visited, interest in content, access times); metadata, communication data, and procedural data (such as IP addresses, time information, identification numbers, consent status).
  • Data subjects: users (such as website visitors, users of online services).
  • Purposes of processing: contact inquiries and communication; feedback (such as collecting feedback via an online form); marketing.
  • Legal bases: legitimate interests (point (f) of Article 6(1) GDPR).

Further information on processing operations, procedures, and services:

  • Instagram: social network; service provider: Meta Platforms Irland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.instagram.com; privacy policy: https://instagram.com/about/legal/privacy.
  • Facebook pages: profiles within the social network Facebook – we share controller status with Meta Platforms Ireland Limited with regard to the collection (but not the further processing) of data of visitors to our Facebook page (“fan page”). These data include information on the types of content that users view or with which they interact or the actions taken by them (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/policy), and information about the devices used by users (such as IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?,” Facebook also collects and uses information to provide analytical services known as “page insights” for page operators so the operators can gain insight into how people interact with their pages and the associated content. We have entered into a specific agreement with Facebook (“Information about Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which sets out provisions, in particular, on which security measures Facebook is obligated to observe and in which Facebook has declared its willingness to fulfill the rights of data subjects (meaning, for example, that users can address requests for access to information or erasure requests to Facebook directly). The rights of users (particularly the rights of access to information, the right to erasure, and the rights to object and lodge a complaint with the supervisory authority with jurisdiction) are not restricted by the agreements with Facebook. Further information is available in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.facebook.com;

    privacy policy: https://www.facebook.com/about/privacy; standard contractual clauses (ensuring the level of data protection in case of processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; further information: agreement on joint controller status: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint controller status is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The sole entity responsible as the controller for the further processing of these data is Meta Platforms Ireland Limited; this concerns, in particular, the transfer of data to the parent company, Meta Platforms, Inc., in the United States (on the basis of the standard contractual clauses entered into between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

  • LinkedIn: social network; service provider: LinkedIn Irland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Irland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; agreement on processing of data on another entity’s behalf: https://legal.linkedin.com/dpa; standard contractual clauses (ensuring the level of data protection in case of processing in third countries): https://legal.linkedin.com/dpa; option to object (opt out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Twitter: social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Irland, Mutterunternehmen: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; legal basis: legitimate interests (point (f) of Article 6(1) GDPR); privacy policy: https://twitter.com/privacy, (Settings: https://twitter.com/personalization).
  • Xing: social network; service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; legal basis: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.xing.de; privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plugins and embedded functions and content

Our Online Presence incorporates functional and content elements obtained from the servers of their respective providers (“Third-Party Providers”). These may include but are not limited to graphics, videos, and maps (collectively “Content”).

Incorporation of these elements always presupposes that the Third-Party Providers of this Content process the IP addresses of users, as without these IP addresses, they would be unable to transmit the Content to the users’ browsers. This means the IP address is required in order to present this Content or these functions. We strive to use only Content whose respective provider uses the IP address solely to deliver the Content. Third-Party Providers may moreover use what are known as pixel tags (invisible graphics also known as Web beacons) for statistical or marketing purposes. These pixel tags allow for analysis of information such as user traffic to the pages of this website. This pseudonymized information can furthermore be stored in cookies on the user’s device and may include items such as technical information on the browser and operating system, referring websites, the time of the visit, and further information on the use of our Online Presence. It may also be associated with such information from other sources.

  • Types of data processed: use data (such as websites visited, interest in content, access times); metadata, communication data, and procedural data (such as IP addresses, time information, identification numbers, consent status); location data (information on the geographic position of a device or person); contact details (such as e-mail, phone numbers); content data (such as entries in online forms).
  • Data subjects: users (such as website visitors, users of online services).
  • Purposes of processing: provision of our online presence and user friendliness; profiles with user-related information (creation of user profiles).
  • Legal bases: legitimate interests (point (f) of Article 6(1) GDPR).

Further information on processing operations, procedures, and services:

  • Incorporation of third-party software, scripts, or frameworks (such as jQuery): We incorporate into our Online Presence software that we access from the servers of other providers (such as function libraries, which we use for purposes of the depiction or user friendliness of our Online Presence). In the process, the relevant providers collect the IP addresses of users and may process them for purposes of transferring the software to the users’ browsers and for purposes of security and to analyze and optimize what they offer. We incorporate into our Online Presence software that we access from the servers of other providers (such as function libraries, which we use for purposes of the depiction or user friendliness of our Online Presence). In the process, the relevant providers collect the IP addresses of users and may process them for purposes of transferring the software to the users’ browsers and for purposes of security and to analyze and optimize what they offer; legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • Google Fonts (provision on own server): provision of electronic font files for the purpose of user-friendly depiction of our Online Presence; service provider: Google Fonts are hosted on our server, and no data are transferred to Google; legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • Google Maps: We incorporate maps from the Google Maps service provided by Google. The data processed may include but are not limited to users’ IP addresses and location information; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Irland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://mapsplatform.google.com/; privacy policy: https://policies.google.com/privacy.
  • YouTube videos: video content; YouTube videos are incorporated via a specific domain (recognizable from the element “youtube-nocookie”) in what is known as Privacy Enhanced Mode, which means that no cookies are collected in relation to user activity in order to personalize video playback. However, information on users’ interaction with the video (such as noting the last playback location) may be stored;service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy.
  • Vimeo: video content; service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://vimeo.com; privacy policy: https://vimeo.com/privacy; option to object (opt out): please note that Vimeo may use Google Analytics; please see the privacy policy (https://policies.google.com/privacy) and opt-out options for Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=de) or the Google settings for the use of data for marketing purposes (https://adssettings.google.com/).

Amendments and updates to the privacy statement

Please check back regularly and note the content of our privacy statement. We adjust our privacy statement as soon as changes in the data processing we perform renders such adjustments necessary. We will notify you if and when these changes necessitate cooperation on your part (consent, for example) or individual notification otherwise becomes necessary.

Where we provide the addresses and contact information of companies and organizations in this privacy statement, please note that these addresses may change over time. Please verify this information before contacting these entities.

Rights of data subjects

As a data subject, you have various rights pursuant to the GDPR, arising in particular from Articles 15 through 21 GDPR.

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access to information: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to these data and to further information and a copy of the data in accordance with the statutory provisions.
  • Right to rectification: In accordance with the statutory provisions, you have the right to request that incomplete data concerning you be completed, or that inaccurate data concerning you be rectified.
  • Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to request that data concerning you be erased without undue delay or, alternatively, to request the restriction of processing of the data.
  • Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the statutory provisions or to request that those data be transferred to another controller.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Definitions

This section contains an overview of the terms used in this privacy statement. Many of the terms are taken directly from the law and are defined in particular in Article 4 GDPR. The statutory definitions are binding. The explanatory information below, by contrast, is intended primarily for ease of understanding. The terms appear in alphabetical order.

  • Personal data: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiles with user-related information: The processing of “profiles with user-related information,” or “profiles” for short, means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyze, or predict certain personal aspects (such as interest in certain content or products, click behavior on a website, or location) relating to a natural person (depending on the type of profiling, this may include different information relating to demographics, behavior, and interests, such as interaction with websites and website content, etc.). Cookies and Web beacons are frequently used for profiling purposes.
  • Location data: Location data arise when a mobile device (or another device that meets the technical prerequisites for position location) connects to a wireless communication cell, Wi-Fi, or similar technical intermediaries and functions used for position location. Location data serve to indicate the geographically determinable position on the earth where the relevant device is located. Location data may be used, for example, to display map functions or other information that depends on a location.
  • Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This is a broad term, encompassing practically any kind of handling of data, from collection and analysis to storage, transfer, and erasure of data.