The protection of your private rights and freedoms is important to us; we only use your data for the purposes intended. Since it is important to us that you know at all times to what extent we collect, use and, if necessary, transfer your data to third parties, we will inform you in detail below about the processing of your personal data collected by us or stored by us. When processing personal data, we strictly adhere to the provisions of the EU General Data Protection Regulation (GDPR) and, if applicable, other data protection-relevant provisions.
Name and address of the controller
QuestionPro GmbH
Vivek Bhaskharan
Friedrichstraße 171
10117 Berlin
Germany
Phone: +49 30 91607401
E-mail: service@questionpro.de
Name and address of the data protection officer
We protect your personal data processed by us against loss, destruction, access, alteration or distribution by unauthorized persons by means of appropriate technical and organizational measures. However, despite regular checks, complete protection against all risks is not possible.
Jörg ter Beek
Cortina Consult GmbH
Hafenweg 24
48155 Münster
Data protection team for general data protection inquiries:
Team e-mail: dsb.questionpro@cortina-consult.de
Website: https://cortina-consult.com/
Depending on the processing, purposes, legal basis and other information may vary; you will find the exact allocation of information in the following chapter.
General network protection
Purpose of processing | Protection against unauthorized access and attacks as well as protection against electronic bulk mail and unwanted data inflow and outflow (DLP). Firewall / Antivirus / Spam Filter / Endpoint Security |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is required to ensure security. The data must be processed for authentication of authorized access to the network. |
Consequences of non-compliance (in case of failure to provide the required data) | The data already exists and is required to ensure security. The data must be processed for authentication of authorized access to the network. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Username, IP addresses, timestamps, email addresses |
Change of purpose if necessary | none |
Backup
Purpose of processing | Data backup of company data to prevent data loss (encryption Trojans, etc.); ensuring recovery of company processes in the event of system failures, system errors and emergencies |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is processed to ensure IT security processes. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is processed to ensure IT security processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use purely automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, wage/salary data, correspondence; miscellaneous). |
Change of purpose if necessary | none |
User management
Purpose of processing | Management of user accounts and administrative groups to provide authentication and support for authorization concepts in various systems |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is only managed to ensure IT security processes. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is only managed to ensure IT security processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Surname, first name, e-mail address, telephone number, department affiliation if applicable |
Change of purpose if necessary | none |
CRM
Purpose of processing | Maintaining customer data and customer relationships; qualifying customers |
Legal basis (according to Art. 6 / 9 GDPR) | Implementation of pre-contractual measures (Art. 6 para. 1 b); Fulfillment of a contract (Art. 6 para. 1 b); Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Personal master data, communication data, contract master data, customer history, other data if applicable. |
Change of purpose if necessary | none |
Data carrier disposal
Purpose of processing | Destruction of data carriers that are no longer required (e.g. after expiry of the retention period), on which or in which personal data are located (hard disks, SSD, CD/DVD, USB stick, ...). |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c); Fulfillment of a contract (Art. 6 para. 1 b); Implementation of pre-contractual measures (Art. 6 para. 1 b); Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | If necessary, external disposal service provider |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No personal data is collected. The data is already available. |
Consequences of non-compliance (in case of failure to provide the required data) | No personal data is collected. The data is already available. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, curriculum vitae, name/first name/address/title, social security data, contract data, contract master data, payment data, time recording data). |
Change of purpose if necessary | none |
DMS - Document Management System
Purpose of processing | Operation of the DMS for audit-proof archiving of business documents |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c); Fulfillment of a contract (Art. 6 para. 1 b); Implementation of pre-contractual measures (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | IT service provider (if required); tax advisor, authorities, if applicable |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is processed to ensure IT security processes and legal requirements. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is processed to ensure IT security processes and legal requirements. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Address data, bank data, contact data, payment data, wage and salary data, contract data, time recording data, correspondence; various |
Change of purpose if necessary | none |
Print and copy jobs
Purpose of processing | Duplicate information |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c); Implementation of pre-contractual measures (Art. 6 para. 1 b); Fulfillment of a contract (Art. 6 para. 1 b) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is processed to ensure business processes as well as legal requirements. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is processed to ensure business processes as well as legal requirements. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, IP address, print template with the information to be reproduced. |
Change of purpose if necessary | none |
E-mail archiving
Purpose of processing | Audit-proof archiving of business communication as well as accounting-relevant documents |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is processed to ensure IT security processes and legal requirements. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is processed to ensure IT security processes and legal requirements. |
If applicable, existence of an automated decision-making process | In this context, we do not use purely automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, wage/salary data, correspondence; miscellaneous). |
Change of purpose if necessary | none |
ERP
Purpose of processing | Operation of the enterprise resource planning |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c); Implementation of pre-contractual measures (Art. 6 para. 1 b); Safeguarding legitimate interests (Art. 6 para. 1 f); Fulfillment of a contract (Art. 6 para. 1 b) |
Recipient (if applicable) | IT service provider (if required); tax advisor, authorities, if applicable |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Personal master data, communication data, customer history, contract billing data, payment data, planning and control data, and other data as required. |
Change of purpose if necessary | none |
Groupware system
Purpose of processing | Execution of internal and external correspondence including documentation, office communication, especially team / collaboration across spatial distances (e-mail, contacts, tasks, calendar) |
Legal basis (according to Art. 6 / 9 GDPR) | Implementation of pre-contractual measures (Art. 6 para. 1 b); Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | If applicable: interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management, employees, trainees, applicants |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, contact data, e-mail addresses, appointment data |
Change of purpose if necessary | none |
Hosting
Purpose of processing | Provision of IT systems |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Implementation of pre-contractual measures (Art. 6 para. 1 b); Fulfillment of a contract (Art. 6 para. 1 b); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | If applicable, external service providers, if necessary for the processing |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the relevant data, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, title, address, e-mail address, telephone number, contract data, contact history, IT usage data, traffic data, log data, telecommunications data |
Change of purpose if necessary | none |
Internet and telephone use
Purpose of processing | (Office) communication and task management for human resources, employee management, customer management, financial accounting, controlling, marketing, etc. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of a contract (Art. 6 para. 1 b) |
Recipient (if applicable) | Applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management and employees |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, extension, address data, contact data, e-mail addresses, appointment data, traffic data (as defined by §96 TKG), IP addresses, web addresses, website retrieval data |
Change of purpose if necessary | none |
IT support (remote)
Purpose of processing | Maintenance / servicing of software / data by IT service providers, software development |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | external service providers |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data in question, it may not be possible to fulfill the tasks or contracts (support and maintenance of the IT systems), especially across spatial distances. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data in question, it may not be possible to fulfill the tasks or contracts (support and maintenance of the IT systems), especially across spatial distances. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded. Access to special categories also cannot be excluded; these include: racial and ethnic origin, religious or philosophical beliefs, health |
Change of purpose if necessary | none |
Communication systems (such as telephone system)
Purpose of processing | Provision and performance of telecommunications services for own (internal) purposes (corporate communications internally and externally). Ensuring proper telecommunications operations within the company and for customers. Provision of log files, evaluations and statistics. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Traffic data is not passed on as a matter of principle, but is only used on an ad hoc basis to rectify faults or for billing audits |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | Traffic data is stored for a maximum of 6 months. Aggregated data may be stored and used beyond this period, provided that it is ensured that no personal reference can be derived from the data. See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for communication, the implementation and management of telecommunications is not possible. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data required for communication, the implementation and management of telecommunications is not possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Extension, telephone number, surname, first name, telephone number of the communication partner, duration of the call, date, time; traffic data (as defined in § 96 TKG), contact data |
Change of purpose if necessary | none |
Internet usage control
Purpose of processing | Random monitoring of Internet use to check for compliance with the rules on private use. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required), authorities if necessary |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data. |
Consequences of non-compliance (in case of failure to provide the required data) | The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | User names, IP addresses, Internet URLs, e-mails, web pages, timestamps |
Change of purpose if necessary | none |
Emergency concept
Purpose of processing | Ensuring a functional corporate structure, providing a disaster recovery process. |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is processed to ensure IT security processes. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is processed to ensure IT security processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, contact data |
Change of purpose if necessary | none |
Logging in IT systems
Purpose of processing | Ensuring legally required and technically necessary logging: ensuring correct functioning of IT systems, error analysis, detection of resource bottlenecks, tracking of hacker attacks. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | IT service provider (if required), authorities if necessary |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data. |
Consequences of non-compliance (in case of failure to provide the required data) | The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | User names, IP addresses, e-mail addresses, Internet URLs, e-mails, web pages |
Change of purpose if necessary | none |
Ticket system
Purpose of processing | Ensuring IT support in own company and for customer systems. Recording of malfunctions, errors and requests, systematic processing of error messages by users. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data in question, it may not be possible to fulfill the tasks or contracts (internal and external support and maintenance), especially across spatial distances. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data in question, it may not be possible to fulfill the tasks or contracts (internal and external support and maintenance), especially across spatial distances. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Details of the processor (surname, first name, contact details), details of the requester (surname, first name, address details, contact details), error description |
Change of purpose if necessary | none |
Dealing with passwords
Purpose of processing | Task management for office communication for human resources, employee management, customer management, financial accounting, controlling, marketing. Ensuring administrator access in case of emergency. |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is only managed to ensure IT security processes. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data has already been collected and is only managed to ensure IT security processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, user name, password |
Change of purpose if necessary | none |
WLAN (guests)
Purpose of processing | Provision of WLAN Internet access for guests. Logging and control to protect against misuse and for evidence purposes. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | IT service provider (if required) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The processing of the above data is necessary for the provision and maintenance of the guest WLAN. |
Consequences of non-compliance (in case of failure to provide the required data) | The processing of the above data is necessary for the provision and maintenance of the guest WLAN. |
If applicable, existence of an automated decision-making process | There is no automated decision making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Surname, first name, company name of the visitor, Internet protocol data, login data, MAC addresses of the respective end device, surfing behavior |
Change of purpose if necessary | none |
Applications and application procedure
Purpose of processing | Handling and implementation of application procedures, processing of unsolicited applications; selection of potential employees to fill suitable positions. |
Legal basis (according to Art. 6 / 9 GDPR) | Implementation of pre-contractual measures (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | If necessary, external service providers (recruitment tests) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | Applications will only be stored for other positions with your consent, otherwise they will be deleted, returned or destroyed after 6 months if employment does not materialize. See also General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | For a smooth application process, it is necessary that the requested information is provided truthfully. |
Consequences of non-compliance (in case of failure to provide the required data) | Non-compliance (i.e. failure to provide the required data) may result in the inability to conclude an employment contract. |
If applicable, existence of an automated decision-making process | In this context, we do not use purely automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Personal data (name, address, date of birth, telephone number, information on religious affiliation, information on marital status / information on children, curriculum vitae, education, qualifications, application data, if applicable, information on severe disability) |
Change of purpose if necessary | If we take you on as an employee after completion of the application process, the purpose for processing the relevant data changes: in this case, it will be used in the future to implement and maintain the employment relationship. |
E-Learning
Purpose of processing | Web-based learning (IT environment, foreign languages, etc.) for employee training and development. Information transfer and training for external service providers |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | If applicable and if necessary, service providers involved in the processing |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data are necessarily processed for the implementation of the employment relationship. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data are necessarily processed for the implementation of the employment relationship. |
If applicable, existence of an automated decision-making process | In this context, we do not use purely automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, email address, department, learning outcomes |
Change of purpose if necessary | none |
Personnel questionnaire
Purpose of processing | In the application process for easier comparison of the applicant's details, in the case of new hires for registering the employee with the authorities, insurance companies and social security institutions. |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Art. 6 para. 1 c); Implementation of pre-contractual measures (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Government agencies, insofar as there are legal obligations to transmit data (tax office); non-public agencies only if there is a legal basis for doing so (health insurance fund and social insurance carrier). |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data have already been collected and are necessarily processed for the performance of the employment relationship. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data have already been collected and are necessarily processed for the performance of the employment relationship. |
If applicable, existence of an automated decision-making process | In this context, we do not use purely automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Surname, first name, address data, contact data, date of birth, religious affiliation (if tax-relevant), marital status, details of children, bank details, details of previous activities, details of education, social security details. |
Change of purpose if necessary | none |
Invoicing, dunning
Purpose of processing | Preparation and dispatch of invoices; recording of open items and dunning (management and collection of outstanding receivables); recording and documentation of all financial transactions in the company (all sales as well as fixed assets); recording and payment of taxes and levies to the tax authorities and, if applicable, to other public authorities, control and processing of incoming/outgoing invoices, monitoring of payments, processing of account statements |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | As far as required by law: tax authorities; tax advisors and auditors. Otherwise, if there is a legal basis for the data transfer |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There are legal obligations for the preparation of invoices and reminders. |
Consequences of non-compliance (in case of failure to provide the required data) | Resulting from the respective legal regulation, if applicable |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, address, contact data; contract data, insurance data, date of birth, data on purchased goods/services, bank details, VAT identification number, patient data; invoice data, sales including invoice numbers, purposes of use, etc.; information on fixed assets |
Change of purpose if necessary | none |
Transfer business
Purpose of processing | Delivery to wholesale |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Wholesale |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for shipping, delivery of goods is not possible. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data required for shipping, delivery of goods is not possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | none |
Office Communication
Purpose of processing | Task management for office communication for e.g.: Human resources, employee management, customer management, financial accounting, controlling, marketing. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of a contract (Art. 6 para. 1 b); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | If applicable, applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contacts |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for communication, it is not possible to carry out certain business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data required for communication, it is not possible to carry out certain business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Only personal data is processed to ensure the corresponding processing operation. |
Change of purpose if necessary | none |
Paper and document destruction
Purpose of processing | Destruction of data carriers and documents no longer required as part of paper and file disposal (e.g. after expiry of the retention period), on which or in which personal data are located during ongoing operations and after expiry of the retention period. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | External disposal service provider |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations. |
Consequences of non-compliance (in case of failure to provide the required data) | The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Customer data, contact data, billing data, contract data, employee data, payroll data; miscellaneous |
Change of purpose if necessary | none |
Appointment management
Purpose of processing | Scheduling and management of appointments |
Legal basis (according to Art. 6 / 9 GDPR) | Safeguarding legitimate interests (Art. 6 para. 1 f); Informed consent (Art. 6 para. 1 a) |
Recipient (if applicable) | If necessary, customers, suppliers / service providers or other third parties for coordination of appointments |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for appointment management, the planning, management and coordination of appointments is not possible. |
Consequences of non-compliance (in case of failure to provide the required data) | none |
If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data originates from the data subject himself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, address if applicable, e-mail address, telephone number, position, contact data, appointment data |
Change of purpose if necessary | none |
Contract management
Purpose of processing | Administration for contracts with customers, affiliated companies, employees, interns, suppliers, service providers (electronic and paper) |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Informed consent (Art. 6 para. 1 a) |
Recipient (if applicable) | If necessary, external legal advisors |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide the data due to the contractual relationship between the responsible party and the data subject. Without the data, the performance of the agreed contractual service may not be possible. |
Consequences of non-compliance (in case of failure to provide the required data) | none |
If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data originates from the data subject himself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, title, address, e-mail address, telephone number, date of birth, contract data |
Change of purpose if necessary | none |
Address purchase
Purpose of processing | Acquiring new customers through e-mail marketing |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Address data, contact data |
Change of purpose if necessary | none |
Order processing
Purpose of processing | Commercial and technical processing of orders |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for the subsequent processes. |
Consequences of non-compliance (in case of failure to provide the required data) | The data already exists and is necessarily processed for the subsequent processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, communication data (e-mail, telephone), bank details, tax data (UST-ID) |
Change of purpose if necessary | none |
Distribution
Purpose of processing | Distribution; order fulfillment |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for the subsequent processes. |
Consequences of non-compliance (in case of failure to provide the required data) | The data already exists and is necessarily processed for the subsequent processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, address, paragraphs, date of sale, order data |
Change of purpose if necessary | none |
Interest management
Purpose of processing | Creation, maintenance and updating, management of contacts. Data is managed in the prospect / customer database |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data in question, adequate contact management and maintenance is not possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, contact data, interest status |
Change of purpose if necessary | none |
Customer care and CRM
Purpose of processing | Support and care of existing customers, acquisition of new customers, execution of statistical evaluations for internal purposes, contact by telephone, letter, e-mail, personal visit for product presentation and service offer, measures for customer loyalty and customer advice |
Legal basis (according to Art. 6 / 9 GDPR) | Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data in question, adequate contact management and maintenance is not possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, contact data (telephone, cell phone, fax, e-mail), appointments, product data, contact reports, sales figures, contact history |
Change of purpose if necessary | none |
Pictures and videos at events
Purpose of processing | On- and offline marketing |
Legal basis (according to Art. 6 / 9 GDPR) | Informed consent (Art. 6 para. 1 a); Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Photographer, Printer, Social Media |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | There is no obligation to provide personal data. |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | The data originates from the data subject himself; however, it may also originate from third parties. |
If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data originates from the data subject himself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Images, videos, metadata |
Change of purpose if necessary | none |
Customers - Photo and Film
Purpose of processing | External presentation of the company, online / offline marketing |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Photographer if necessary, marketing agency if necessary |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | There is no automated decision making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Photo / film recordings; personal master data, contact data if required |
Change of purpose if necessary | none |
Customer survey
Purpose of processing | Measurement of customer satisfaction (responses are anonymous; it is possible to see whether a person participated). |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Survey service provider, if applicable |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | No automated decision making takes place. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Only personal data is processed to ensure the relevant processing operation; personal data is anonymized; additional header data, if applicable; "content data" (content of surveys - "body"). |
Change of purpose if necessary | none |
Fair photos
Purpose of processing | Company presentation to the outside world; reference projects for communication with customers and suppliers |
Legal basis (according to Art. 6 / 9 GDPR) | Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Photographers, customers, suppliers and third parties |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | There is no automated decision making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Photo / film shooting as portrait or group photo |
Change of purpose if necessary | none |
Trade fair stand support
Purpose of processing | Customer and prospective customer care at trade fairs, and acquisition of new customers at trade fair booths |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Implementation of pre-contractual measures (Art. 6 para. 1 b) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | No automated decision making takes place. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, contact data, type of interest |
Change of purpose if necessary | none |
Online marketing
Purpose of processing | External presentation of the company, online marketing; social media, website |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Photographer if necessary, marketing agency if necessary |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. If applicable, obligation to provide the data due to the contractual relationship between the person responsible and the data subject. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. If applicable, obligation to provide the data due to the contractual relationship between the person responsible and the data subject. |
If applicable, existence of an automated decision-making process | No automated decision making takes place. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Depending on the type of processing / interaction; If applicable, personal master data, contact data, photo / film recordings, other |
Change of purpose if necessary | none |
Press
Purpose of processing | Public relations / corporate presentation |
Legal basis (according to Art. 6 / 9 GDPR) | Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | There is no automated decision making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Contact details (name, position, phone, email) |
Change of purpose if necessary | none |
Print mailings
Purpose of processing | Dispatch of print documents/infomail/invitations for events, presentation of the product and merchandise portfolio, maintaining contact with customers and suppliers, information about new products and discount campaigns, promotional presentation of the company |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Informed consent (Art. 6 para. 1 a) |
Recipient (if applicable) | Lettershop, post office, advertising agency, possibly other service providers |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | No automated decision making takes place. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Personal master data, contact data, supplier master data |
Change of purpose if necessary | none |
Social Media Marketing
Purpose of processing | Management of social media accounts and social media marketing; external presentation of the company; presentation of reference projects; use of social media for external presentation and communication with customers and suppliers |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | If applicable, publication online |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | In case of violation, social media cannot be used for the external presentation of the company and for communication. |
If applicable, existence of an automated decision-making process | No automated decision making takes place. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Depending on the type of processing; first name, last name, contact details, image material. |
Change of purpose if necessary | none |
Events and functions
Purpose of processing | Organization and implementation of events for customer retention, new customer acquisition and information |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | Lettershop (invitation and information dispatch) |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal data. |
Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data comes from the data subject himself. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Surname, first name, address data, telephone, e-mail, information on nutrition (choice of meals), bank details |
Change of purpose if necessary | none |
Website evaluation
Purpose of processing | Optimization of the website and the content presented. Increasing visibility and customer visits, minimizing abandonment rates. Analysis of the number of visitors, page views, etc. to optimize the web presence. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Informed consent (Art. 6 para. 1 a) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | Analysis service provider |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | none |
Consequences of non-compliance (in case of failure to provide the required data) | none |
If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | IP address, user names, click behavior, log data, website usage, IT usage |
Change of purpose if necessary | none |
Analysis and reporting
Purpose of processing | Reporting of company data to reveal hidden costs, market analysis, preparation of business reports |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Fulfillment of legal obligations (Art. 6 para. 1 c); Protection of legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the personal data in question, it is not possible to carry out this and any other business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the personal data in question, it is not possible to carry out this and any other business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Financial data, personnel data, production data |
Change of purpose if necessary | none |
Controlling
Purpose of processing | Planning, management and control of all corporate divisions |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the personal data in question, it is not possible to carry out this and any other business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the personal data in question, it is not possible to carry out this and any other business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | First name, last name, address, e-mail address, telephone number, customer number, customer type, contact data, contract data, inventory data, usage data, sales data |
Change of purpose if necessary | none |
Data to management consultant
Purpose of processing | To fulfill the contractually agreed consulting objective. |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of a contract (Art. 6 para. 1 b) |
Recipient (if applicable) | External management consultants |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the personal data in question, it is not possible to carry out this and any other business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the personal data in question, it is not possible to carry out this and any other business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, address data, contact data, salary data, age, sales figures |
Change of purpose if necessary | none |
Audit, Compliance
Purpose of processing | Verification of the legal conformity of business processes in the company |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | Auditor, if applicable |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the personal data in question, it is not possible to carry out this and any other business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the personal data in question, it is not possible to carry out this and any other business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Depending on the case: first name, last name, e-mail address, telephone number, date of birth, marital status, position, contact data, contact history, appointment data, bank details, VAT registration number, contract data, inventory data, usage data, content data, communication data, social security data, working hours, wage/salary data, tax classes. |
Change of purpose if necessary | none |
Quality assurance
Purpose of processing | Ensuring product quality |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of legal obligations (Art. 6 para. 1 c) |
Recipient (if applicable) | If necessary, external QM representative |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See also General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the personal data in question, it is not possible to carry out this and any other business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the personal data in question, it is not possible to carry out this and any other business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Last name, first name, address data, contact data |
Change of purpose if necessary | none |
Call processing
Purpose of processing | Troubleshooting of customer systems, compilation of statistics for quality control purposes |
Legal basis (according to Art. 6 / 9 GDPR) | Safeguarding legitimate interests (Art. 6 para. 1 f); Fulfillment of a contract (Art. 6 para. 1 b) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the personal data in question, it is not possible to carry out this and any other business processes. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the personal data in question, it is not possible to carry out this and any other business processes. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Name, first name, user name, telecommunication data |
Change of purpose if necessary | none |
Service
Purpose of processing | Providing various services |
Legal basis (according to Art. 6 / 9 GDPR) | Protection of legitimate interests (Art. 6 para. 1 f); Fulfillment of a contract (Art. 6 para. 1 b) |
Recipient (if applicable) | Subcontractor if necessary |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide the data due to the contractual relationship between the person responsible and the data subject. |
Consequences of non-compliance (in case of failure to provide the required data) | Without the data in question, the provision of various services is not possible. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | Personal master data, address data, bank data, contact data, payment data, wage and salary data, contract data, time recording data, correspondence; various |
Change of purpose if necessary | none |
Customer support
Purpose of processing | Support for customers via remote desktop software |
Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of a contract (Art. 6 para. 1 b); Safeguarding legitimate interests (Art. 6 para. 1 f) |
Recipient (if applicable) | none |
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | A data transfer to a third country does not take place and is not planned. |
If known: Duration of data storage | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded. |
Consequences of non-compliance (in case of failure to provide the required data) | No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded. |
If applicable, existence of an automated decision-making process | In this context, we do not use automated decision-making. |
If applicable, origin of the data (if not collected directly from the data subject) | The data usually originates from the data subject, but may also come from third parties. |
Where applicable, categories of personal data (if not collected directly from the data subject). | No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded. Access to special categories cannot be excluded either; these include: racial and ethnic origin, religious or philosophical beliefs, health |
Change of purpose if necessary | none |