Information on the handling of personal data

The protection of your private rights and freedoms is important to us; we only use your data for the purposes intended. Since it is important to us that you know at all times to what extent we collect, use and, if necessary, transfer your data to third parties, we will inform you in detail below about the processing of your personal data collected by us or stored by us. When processing personal data, we strictly adhere to the provisions of the EU General Data Protection Regulation (GDPR) and, if applicable, other data protection-relevant provisions.

Name and address of the controller

QuestionPro GmbH
Vivek Bhaskharan
Friedrichstraße 171
10117 Berlin
Germany

Phone: +49 30 91607401
E-mail: service@questionpro.de

Name and address of the data protection officer

We protect your personal data processed by us against loss, destruction, access, alteration or distribution by unauthorized persons by means of appropriate technical and organizational measures. However, despite regular checks, complete protection against all risks is not possible.

If you have any questions regarding the processing of your personal data, if you wish to exercise your rights as a data subject (such as the right to information, correction, blocking or deletion of data) or if you wish to withdraw your consent, please contact our data protection officer directly.

Rights of data subjects

The EU General Data Protection Regulation (GDPR) provides for extensive rights for data subjects in Chapter III, which we explain to you accordingly below with regard to the processing of your personal data:

Right to information
This requirement concerns in particular information on the following details of data processing:
- Processing purposes
- Data categories
- Recipients or categories of recipients, if applicable
- If applicable, the planned storage duration or the criteria for determining this duration.
- Note on the respective right of correction, deletion, restriction or objection
- Existence of the right to complain to a supervisory authority
- If applicable, origin of the data (if not collected from you)
- If applicable, existence of automated decision-making including profiling, including meaningful information about the logic involved, the scope and the effects to be expected
- If applicable, (planned) transfer to a third country or international organization
Right to rectification
We will correct any erroneous data immediately, provided that you inform us of the circumstance accordingly.
Right to erasure (right to be forgotten)
Provided that the processing is no longer necessary and one of the following conditions is met:
- Discontinuation of the purpose of processing
- Withdrawal of their consent and absence of any other legal basis for processing
- Objection to processing without an important reason to the contrary
- Unlawful processing
- Required to fulfill a legal obligation
- Data collection was carried out in accordance with Art. 8 (1) GDPR
Within the scope of the deletion request, we will, if necessary, pass on your request to those third parties to whom a transfer of your data had previously taken place.
Right to restriction of processing
Provided that one of the following conditions is met:
- You dispute the accuracy of your data (restriction can be made for the duration of the review on our side)
- In the event of unlawful processing and if the data is not to be deleted, restriction of processing shall take the place of deletion
- If the processing purposes cease to apply, at the same time you need your data for the assertion, exercise or defense of legal claims
- After you have lodged an objection pursuant to Art. 21 (1) GDPR and for the duration of the examination as to whether our legitimate reasons outweigh yours.
Right to data portability
If it is technically possible and does not affect the rights and freedoms of other persons, we will - at your request - transfer your data to another recipient (responsible party).
Right of appeal
If we collect or have collected and process personal data from you (on the basis of Art. 6 (1) e or f or Art. 9 (2) a GDPR), you have the right to object to the data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be ineffective, e.g. if we can demonstrate compelling interests worthy of protection for the processing that outweigh your interests or processing serves the assertion, exercise or defense of legal claims. If we process your personal data for the purpose of direct marketing, you have the right to object to such processing at any time. This also applies to profiling, insofar as it is related to such direct advertising. You also have the right to object to processing of your data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
Automated decisions in individual cases including profiling
If we collect or have collected and process personal data from you, you have the right not to be subject to any decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. Exceptions to this requirement apply if the decision is necessary for the conclusion or performance of a contract between you and us or you have expressly consented to the processing. In any case, we will take reasonable steps to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain the intervention of a person on our part, to express our own point of view and to contest the decision.
Right to revoke consent under data protection law
You have the right to revoke consent to the processing of personal data at any time.
Right to complain to a supervisory authority
A list of the supervisory authorities responsible in Germany can be found on the website of the Federal Commissioner for Data Protection or at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/AufsBehoerdFuerDenNichtOeffBereich/AufsichtsbehoerdenNichtOeffBereich_liste.html.

Data security information

Legal basis of processing

We process personal data in accordance with the requirements of the GDPR, depending on the type and purpose of the processing as follows:

Permitted use	Specification of the GDPR
Informed consent	Art. 6 para. 1 a
Performance of a contract	Art. 6 para. 1 b
Implementation of pre-contractual measures	Art. 6 para. 1 b
Fulfillment of legal obligations	Art. 6 para. 1 c
Protection of vital interests	Art. 6 para. 1 d
Safeguarding our legitimate interest	Art. 6 para. 1 f

Our legitimate interest

Our legitimate interest, as defined in Article 6 (1) f GDPR, is based on the performance of our business activities in order to maintain our ability to operate and secure the employment of our employees.

General deadlines for data deletion

After the purpose of storage has ceased, the retention periods are generally at least six or ten years. As a rule, data is deleted immediately in accordance with our deletion concept, provided that this does not conflict with any retention obligation, necessity for contract fulfillment or a legitimate interest.

Individual information by type of processing

Depending on the processing, purposes, legal basis and other information may vary; you will find the exact allocation of information in the following chapter.

General network protection

Purpose of processing	Protection against unauthorized access and attacks as well as protection against electronic bulk mail and unwanted data inflow and outflow (DLP). Firewall / Antivirus / Spam Filter / Endpoint Security
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The data already exists and is required to ensure security. The data must be processed for authentication of authorized access to the network.
Consequences of non-compliance (in case of failure to provide the required data)	The data already exists and is required to ensure security. The data must be processed for authentication of authorized access to the network.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Username, IP addresses, timestamps, email addresses
Change of purpose if necessary	none

Backup

Purpose of processing	Data backup of company data to prevent data loss (encryption Trojans, etc.) Ensuring recovery of company processes in the event of system failures, system errors and emergencies
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is processed to ensure IT security processes.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is processed to ensure IT security processes.
If applicable, existence of an automated decision-making process	In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, wage/salary data, correspondence; miscellaneous).
Change of purpose if necessary	none

User management

Purpose of processing	Management of user accounts and administrative groups to provide authentication and support for authorization concepts in various systems
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is only managed to ensure IT security processes.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is only managed to ensure IT security processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Surname, first name, e-mail address, telephone number, department affiliation if applicable
Change of purpose if necessary	none

CRM

Purpose of processing	Maintaining customer data and customer relationships; qualifying customers
Legal basis (according to Art. 6 / 9 GDPR)	Implementation of pre-contractual measures (Art. 6 para. 1 b) Fulfillment of a contract (Art. 6 para. 1 b) Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data)	Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Personal master data, communication data, contract master data, customer history, other data if applicable.
Change of purpose if necessary	none

Data carrier disposal

Purpose of processing	Destruction of data carriers that are no longer required (e.g. after expiry of the retention period), on which or in which personal data are located (hard disks, SSD, CD/DVD, USB stick, ...).
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c) Fulfillment of a contract (Art. 6 para. 1 b) Implementation of pre-contractual measures (Art. 6 para. 1 b) Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	If necessary, external disposal service provider
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	No personal data is collected. The data is already available.
Consequences of non-compliance (in case of failure to provide the required data)	No personal data is collected. The data is already available.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, curriculum vitae, name/first name/address/title, social security data, contract data, contract master data, payment data, time recording data).
Change of purpose if necessary	none

DMS - Document Management System

Purpose of processing	Operation of the DMS for audit-proof archiving of business documents
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c) Fulfillment of a contract (Art. 6 para. 1 b) Implementation of pre-contractual measures (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	IT service provider (if required) Tax advisor, authorities, if applicable
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is processed to ensure IT security processes and legal requirements.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is processed to ensure IT security processes and legal requirements.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Address data, bank data, contact data, payment data, wage and salary data, contract data, time recording data, correspondence; various
Change of purpose if necessary	none

Print and copy jobs

Purpose of processing	Duplicate information
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c) Implementation of pre-contractual measures (Art. 6 para. 1 b) Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is processed to ensure business processes as well as legal requirements.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is processed to ensure business processes as well as legal requirements.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, IP address, print template with the information to be reproduced.
Change of purpose if necessary	none

E-mail archiving

Purpose of processing	Audit-proof archiving of business communication as well as accounting-relevant documents
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is processed to ensure IT security processes and legal requirements.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is processed to ensure IT security processes and legal requirements.
If applicable, existence of an automated decision-making process	In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, wage/salary data, correspondence; miscellaneous).
Change of purpose if necessary	none

ERP

Purpose of processing	Operation of the enterprise resource planning
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c) Implementation of pre-contractual measures (Art. 6 para. 1 b) Safeguarding legitimate interests (Art. 6 para. 1 f) Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable)	IT service provider (if required) Tax advisor, authorities, if applicable
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data)	Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Personal master data, communication data, customer history, contract billing data, payment data, planning and control data, and other data as required.
Change of purpose if necessary	none

Groupware system

Purpose of processing	Execution of internal and external correspondence including documentation, office communication, especially team / collaboration across spatial distances (e-mail, contacts, tasks, calendar)
Legal basis (according to Art. 6 / 9 GDPR)	Implementation of pre-contractual measures (Art. 6 para. 1 b) Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	If applicable: interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management, employees, trainees, applicants
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances.
Consequences of non-compliance (in case of failure to provide the required data)	Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, contact data, e-mail addresses, appointment data
Change of purpose if necessary	none

Hosting

Purpose of processing	Provision of IT systems
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Implementation of pre-contractual measures (Art. 6 para. 1 b) Fulfillment of a contract (Art. 6 para. 1 b) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	If applicable, external service providers, if necessary for the processing
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the relevant data, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security.
Consequences of non-compliance (in case of failure to provide the required data)	Without the relevant data, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, title, address, e-mail address, telephone number, contract data, contact history, IT usage data, traffic data, log data, telecommunications data
Change of purpose if necessary	none

Internet and telephone use

Purpose of processing	(Office) communication and task management for human resources, employee management, customer management, financial accounting, controlling, marketing, etc.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable)	Applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management and employees
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data)	Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, extension, address data, contact data, e-mail addresses, appointment data, traffic data (as defined by §96 TKG), IP addresses, web addresses, website retrieval data
Change of purpose if necessary	none

IT support (remote)

Purpose of processing	Maintenance / servicing of software / data by IT service providers, software development
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	external service providers
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the data in question, it may not be possible to fulfill the tasks or contracts (support and maintenance of the IT systems), especially across spatial distances.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data in question, it may not be possible to fulfill the tasks or contracts (support and maintenance of the IT systems), especially across spatial distances.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	planned no processing of pb data, however, due to the service, access to pb data cannot be excluded Also access to special categories cannot be excluded; these include: racial and ethnic origin, religious or philosophical beliefs, health
Change of purpose if necessary	none

Communication systems (such as telephone system)

Purpose of processing	Provision and performance of telecommunications services for own (internal) purposes (corporate communications internally and externally) Ensuring proper telecommunications operations within the company and for customers. Provision of log files, evaluations and statistics.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Traffic data is not passed on as a matter of principle, but is only used on an ad hoc basis to rectify faults or for billing audits
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	Traffic data is stored for a maximum of 6 months. Aggregated data may be stored and used beyond this period, provided that it is ensured that no personal reference can be derived from the data. See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the data required for communication, the implementation and management of telecommunications is not possible.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data required for communication, the implementation and management of telecommunications is not possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Extension, telephone number, surname, first name, telephone number of the communication partner, duration of the call, date, time; traffic data (as defined in § 96 TKG), contact data
Change of purpose if necessary	none

Internet usage control

Purpose of processing	Random monitoring of Internet use to check for compliance with the rules on private use.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required), authorities if necessary
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The collection of data is done automatically in accordance with the company\'s legal obligation to ensure and maintain the security of the company\'s data.
Consequences of non-compliance (in case of failure to provide the required data)	The collection of data is done automatically in accordance with the company\'s legal obligation to ensure and maintain the security of the company\'s data.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	User names, IP addresses, Internet URLs, e-mails, web pages, timestamps
Change of purpose if necessary	none

Emergency concept

Purpose of processing	Ensuring a functional corporate structure, providing a disaster recovery process.
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is processed to ensure IT security processes.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is processed to ensure IT security processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, contact data
Change of purpose if necessary	none

Logging in IT systems

Purpose of processing	Ensuring legally required and technically necessary logging: ensuring correct functioning of IT systems, error analysis, detection of resource bottlenecks, tracking of hacker attacks.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	IT service provider (if required), authorities if necessary
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The collection of data is done automatically in accordance with the company\'s legal obligation to ensure and maintain the security of the company\'s data.
Consequences of non-compliance (in case of failure to provide the required data)	The collection of data is done automatically in accordance with the company\'s legal obligation to ensure and maintain the security of the company\'s data.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	User names, IP addresses, e-mail addresses, Internet urls, e-mails, web pages
Change of purpose if necessary	none

Ticket system

Purpose of processing	Ensuring IT support in own company and for customer systems. Recording of malfunctions, errors and requests, systematic processing of error messages by users.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the data in question, it may not be possible to fulfill the tasks or contracts (internal and external support and maintenance), especially across spatial distances.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data in question, it may not be possible to fulfill the tasks or contracts (internal and external support and maintenance), especially across spatial distances.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Details of the processor (surname, first name, contact details), details of the requester (surname, first name, address details, contact details), error description
Change of purpose if necessary	none

Dealing with passwords

Purpose of processing	Task management for office communication for human resources, employee management, customer management, financial accounting, controlling, marketing. Ensuring administrator access in case of emergency.
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data has already been collected and is only managed to ensure IT security processes.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data has already been collected and is only managed to ensure IT security processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, user name, password
Change of purpose if necessary	none

WLAN (guests)

Purpose of processing	Provision of WLAN Internet access for guests Logging and control to protect against misuse and for evidence purposes.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The processing of the above data is necessary for the provision and maintenance of the guest WLAN.
Consequences of non-compliance (in case of failure to provide the required data)	The processing of the above data is necessary for the provision and maintenance of the guest WLAN.
If applicable, existence of an automated decision-making process	There is no automated decision making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Surname, first name, company name of the visitor, Internet protocol data, login data, MAC addresses of the respective end device, surfing behavior
Change of purpose if necessary	none

Applications and application procedure

Purpose of processing	Handling and implementation of application procedures, processing of unsolicited applications; selection of potential employees to fill suitable positions.
Legal basis (according to Art. 6 / 9 GDPR)	Implementation of pre-contractual measures (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	If necessary, external service providers (recruitment tests)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	Applications will only be stored for other positions with your consent, otherwise they will be deleted, returned or destroyed after 6 months if employment does not materialize See also General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	For a smooth application process, it is necessary that the requested information is provided truthfully.
Consequences of non-compliance (in case of failure to provide the required data)	Non-compliance (i.e. failure to provide the required data) may result in the inability to conclude an employment contract.
If applicable, existence of an automated decision-making process	In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Personal data (name, address, date of birth, telephone number, information on religious affiliation, information on marital status / information on children, curriculum vitae, education, qualifications, application data, if applicable, information on severe disability)
Change of purpose if necessary	If we take you on as an employee after completion of the application process, the purpose for processing the relevant data changes: in this case, it will be used in the future to implement and maintain the employment relationship.

E-Learning

Purpose of processing	Web-based learning (IT environment, foreign languages, etc.) for employee training and development. Information transfer and training for external service providers
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	If applicable and if necessary, service providers involved in the processing
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data are necessarily processed for the implementation of the employment relationship.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data are necessarily processed for the implementation of the employment relationship.
If applicable, existence of an automated decision-making process	In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, email address, department, learning outcomes
Change of purpose if necessary	none

Personnel questionnaire

Purpose of processing	In the application process for easier comparison of the applicant\'s details, in the case of new hires for registering the employee with the authorities, insurance companies and social security institutions.
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of legal obligations (Art. 6 para. 1 c) Implementation of pre-contractual measures (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Government agencies, insofar as there are legal obligations to transmit data (tax office); non-public agencies only if there is a legal basis for doing so (health insurance fund and social insurance carrier).
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data have already been collected and are necessarily processed for the performance of the employment relationship.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data have already been collected and are necessarily processed for the performance of the employment relationship.
If applicable, existence of an automated decision-making process	In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Surname, first name, address data, contact data, date of birth, religious affiliation (if tax-relevant), marital status, details of children, bank details, details of previous activities, details of education, social security details.
Change of purpose if necessary	none

Invoicing, dunning

Purpose of processing	Preparation and dispatch of invoices; recording of open items and dunning (management and collection of outstanding receivables); recording and documentation of all financial transactions in the company (all sales as well as fixed assets); recording and payment of taxes and levies to the tax authorities and, if applicable, to other public authorities, control and processing of incoming/outgoing invoices, monitoring of payments, processing of account statements
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	As far as required by law: tax authorities; tax advisors and auditors Otherwise, if there is a legal basis for the data transfer
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There are legal obligations for the preparation of invoices and reminders.
Consequences of non-compliance (in case of failure to provide the required data)	Resulting from the respective legal regulation, if applicable
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, address, contact data Contract data, insurance data, date of birth, data on purchased goods/DL, bank details, VAT identification number, patient data; invoice data, sales including invoice numbers, purposes of use, etc.; information on fixed assets
Change of purpose if necessary	none

Transfer business

Purpose of processing	Delivery to wholesale
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Wholesale
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the data required for shipping, delivery of goods is not possible.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data required for shipping, delivery of goods is not possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	none

Office Communication

Purpose of processing	Task management for office communication for e.g.: Human resources, employee management, customer management, financial accounting, controlling, marketing.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of a contract (Art. 6 para. 1 b) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	If applicable, applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contacts
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the data required for communication, it is not possible to carry out certain business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data required for communication, it is not possible to carry out certain business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Only personal data is processed to ensure the corresponding processing operation.
Change of purpose if necessary	none

Paper and document destruction

Purpose of processing	Destruction of data carriers and documents no longer required as part of paper and file disposal (e.g. after expiry of the retention period), on which or in which personal data are located during ongoing operations and after expiry of the retention period.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	Ext disposal service provider
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations.
Consequences of non-compliance (in case of failure to provide the required data)	The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Customer data, contact data, billing data, contract data, employee data, payroll data; miscellaneous
Change of purpose if necessary	none

Appointment management

Purpose of processing	Scheduling and management of appointments
Legal basis (according to Art. 6 / 9 GDPR)	Safeguarding legitimate interests (Art. 6 para. 1 f) Informed consent (Art. 6 para. 1 a)
Recipient (if applicable)	If necessary, customers, suppliers / service providers or other third parties for coordination of appointments
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the data required for appointment management, the planning, management and coordination of appointments is not possible.
Consequences of non-compliance (in case of failure to provide the required data)	none
If applicable, existence of an automated decision-making process	In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data originates from the data subject himself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, address if applicable, e-mail address, telephone number, position, contact data, appointment data
Change of purpose if necessary	none

Contract management

Purpose of processing	Administration for contracts with customers, affiliated companies, employees, interns, suppliers, service providers (electronic and paper)
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Informed consent (Art. 6 para. 1 a)
Recipient (if applicable)	If necessary, external legal advisors
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Obligation to provide the data due to the contractual relationship between the responsible party and the data subject.Without the data, the performance of the agreed contractual service may not be possible.
Consequences of non-compliance (in case of failure to provide the required data)	none
If applicable, existence of an automated decision-making process	In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data originates from the data subject himself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, title, address, e-mail address, telephone number, date of birth, contract data
Change of purpose if necessary	none

Address purchase

Purpose of processing	Acquiring new customers through e-mail marketing
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Address data, contact data
Change of purpose if necessary	none

Order processing

Purpose of processing	Commercial and technical processing of orders
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The data already exists and is necessarily processed for the subsequent processes.
Consequences of non-compliance (in case of failure to provide the required data)	The data already exists and is necessarily processed for the subsequent processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, communication data (e-mail, telephone), bank details, tax data (UST-ID)
Change of purpose if necessary	none

Distribution

Purpose of processing	Distribution; order fulfillment
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	The data already exists and is necessarily processed for the subsequent processes.
Consequences of non-compliance (in case of failure to provide the required data)	The data already exists and is necessarily processed for the subsequent processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, address, paragraphs, date of sale, order data
Change of purpose if necessary	none

Interest management

Purpose of processing	Creation, maintenance and updating, management of contacts Data is managed in the prospect / customer database
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data in question, adequate contact management and maintenance is not possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, contact data, interest status
Change of purpose if necessary	none

Customer care and CRM

Purpose of processing	Support and care of existing customers, acquisition of new customers, execution of statistical evaluations for internal purposes, contact by telephone, letter, e-mail, personal visit for product presentation and service offer, measures for customer loyalty and customer advice
Legal basis (according to Art. 6 / 9 GDPR)	Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data in question, adequate contact management and maintenance is not possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, contact data (telephone, cell phone, fax, e-mail), appointments, product data, contact reports, sales figures, contact history
Change of purpose if necessary	none

Pictures and videos at events

Purpose of processing	On- and offline marketing
Legal basis (according to Art. 6 / 9 GDPR)	Informed consent (Art. 6 para. 1 a) Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Photographer, Printer, Social Media
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	There is no obligation to provide personal data.
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	The data originates from the data subject himself; however, it may also originate from third parties.
If applicable, existence of an automated decision-making process	In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data originates from the data subject himself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Images, videos, metadata
Change of purpose if necessary	none

Customers - Photo and Film

Purpose of processing	External presentation of the company, online / offline marketing
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Photographer if necessary, marketing agency if necessary
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	There is no automated decision making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Photo / film recordings; personal master data, contact data if required
Change of purpose if necessary	none

Customer survey

Purpose of processing	Measurement of customer satisfaction (responses anonymous; participation (whether) insight possible).
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Survey service provider, if applicable
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	No automated decision making takes place.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Only personal data is processed to ensure the relevant processing operation; personal data is anonymized; additional header data, if applicable; "content data" (content of surveys - "body").
Change of purpose if necessary	none

Fair photos

Purpose of processing	Company presentation to the outside world; reference projects for communication with customers and suppliers
Legal basis (according to Art. 6 / 9 GDPR)	Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Photographers, customers, suppliers and third parties
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	There is no automated decision making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Photo / film shooting as portrait or group photo
Change of purpose if necessary	none

Trade fair stand support

Purpose of processing	Customer and prospective customer care at trade fairs, and acquisition of new customers at trade fair booths
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Implementation of pre-contractual measures (Art. 6 para. 1 b)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	No automated decision making takes place.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, contact data, type of interest
Change of purpose if necessary	none

Online marketing

Purpose of processing	External presentation of the company, online marketing; social media, website
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Photographer if necessary, marketing agency if necessary
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data. If applicable, obligation to provide the data due to the contractual relationship between the person responsible and the data subject.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data. If applicable, obligation to provide the data due to the contractual relationship between the person responsible and the data subject.
If applicable, existence of an automated decision-making process	No automated decision making takes place.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Depending on the type of processing / interaction; If applicable, personal master data, contact data, photo / film recordings, other
Change of purpose if necessary	none

Press

Purpose of processing	Public relations / corporate presentation
Legal basis (according to Art. 6 / 9 GDPR)	Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	There is no automated decision making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Contact details (name, position, phone, email)
Change of purpose if necessary	none

Print mailings

Purpose of processing	Dispatch of print documents/infomail/invitations for events, presentation of the product and merchandise portfolio, maintaining contact with customers and suppliers, information about new products and discount campaigns, promotional presentation of the company
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Informed consent (Art. 6 para. 1 a)
Recipient (if applicable)	Lettershop, post office, advertising agency, possibly other service providers
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	No automated decision making takes place.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Personal master data, contact data, supplier master data
Change of purpose if necessary	none

Events and functions

Purpose of processing	Organization and implementation of events for customer retention, new customer acquisition and information
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	Lettershop (invitation and information dispatch)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	There is no obligation to provide personal data.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Surname, first name, address data, telephone, e-mail, information on nutrition (choice of meals), bank details
Change of purpose if necessary	none

Website evaluation

Purpose of processing	Optimization of the website and the content presented. Increasing visibility and customer visits, minimizing abandonment rates. Analysis of the number of visitors, page views, etc. to optimize the web presence.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Informed consent (Art. 6 para. 1 a)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	Analysis service provider
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	none
Consequences of non-compliance (in case of failure to provide the required data)	none
If applicable, existence of an automated decision-making process	In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	IP address, user names, click behavior, log data, website usage, IT usage
Change of purpose if necessary	none

Analysis and reporting

Purpose of processing	Reporting of company data to reveal hidden costs, market analysis, preparation of business reports
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Fulfillment of legal obligations (Art. 6 para. 1 c) Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the personal data in question, it is not possible to carry out this and any other business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the personal data in question, it is not possible to carry out this and any other business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Financial data, personnel data, production data
Change of purpose if necessary	none

Controlling

Purpose of processing	Planning, management and control of all corporate divisions
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the personal data in question, it is not possible to carry out this and any other business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the personal data in question, it is not possible to carry out this and any other business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	First name, last name, address, e-mail address, telephone number, customer number, customer type, contact data, contract data, inventory data, usage data, sales data
Change of purpose if necessary	none

Data to management consultant

Purpose of processing	To fulfill the contractually agreed consulting objective.
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable)	External management consultants
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the personal data in question, it is not possible to carry out this and any other business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the personal data in question, it is not possible to carry out this and any other business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, address data, contact data, salary data, age, sales figures
Change of purpose if necessary	none

Audit, Compliance

Purpose of processing	Verification of the legal conformity of business processes in the company
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	Auditor, if applicable
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the personal data in question, it is not possible to carry out this and any other business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the personal data in question, it is not possible to carry out this and any other business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Depending on the case: first name, last name, e-mail address, telephone number, date of birth, marital status, position, contact data, contact history, appointment data, bank details, VAT registration number, contract data, inventory data, usage data, content data, communication data, social security data, working hours, wage/salary data, tax classes.
Change of purpose if necessary	none

Quality assurance

Purpose of processing	Ensuring product quality
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable)	If necessary, external QM representative
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See also General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the personal data in question, it is not possible to carry out this and any other business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the personal data in question, it is not possible to carry out this and any other business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Last name, first name, address data, contact data
Change of purpose if necessary	none

Call processing

Purpose of processing	Troubleshooting of customer systems, compilation of statistics for quality control purposes
Legal basis (according to Art. 6 / 9 GDPR)	Safeguarding legitimate interests (Art. 6 para. 1 f) Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Without the personal data in question, it is not possible to carry out this and any other business processes.
Consequences of non-compliance (in case of failure to provide the required data)	Without the personal data in question, it is not possible to carry out this and any other business processes.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Name, first name, user name, telecommunication data
Change of purpose if necessary	none

Service

Purpose of processing	Providing versch. DL
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f) Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable)	Subcontractor if necessary
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	Obligation to provide the data due to the contractual relationship between the person responsible and the data subject.
Consequences of non-compliance (in case of failure to provide the required data)	Without the data in question, the provision of various services is not possible.
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	Personal master data, address data, bank data, contact data, payment data, wage and salary data, contract data, time recording data, correspondence; various
Change of purpose if necessary	none

Customer support

Purpose of processing	Support for customers via remote desktop software
Legal basis (according to Art. 6 / 9 GDPR)	Fulfillment of a contract (Art. 6 para. 1 b) Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	none
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	planned no processing of pb data, but due to the service access to pb data cannot be excluded
Consequences of non-compliance (in case of failure to provide the required data)	planned no processing of pb data, but due to the service access to pb data cannot be excluded
If applicable, existence of an automated decision-making process	In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject)	The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject).	planned no processing of pb data, however, due to the service, access to pb data cannot be excluded Also access to special categories cannot be excluded; these include: racial and ethnic origin, religious or philosophical beliefs, health
Change of purpose if necessary	none

Purpose of processing	Management of social media accounts and social media marketing; external presentation of the company; presentation of reference projects; use of social media for external presentation and communication with customers and suppliers
Legal basis (according to Art. 6 / 9 GDPR)	Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable)	If applicable, publication online
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees)	A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage	See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity	There is no obligation to provide personal data.
Consequences of non-compliance (in case of failure to provide the required data)	In case of violation, the use of social media for the external presentation of the company and for communication cannot be used.
If applicable, existence of an automated decision-making process	No automated decision making takes place.
If applicable, origin of the data (if not collected directly from the data subject)	The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject).	Depending on the type of processing; first name, last name, contact details, image material.
Change of purpose if necessary	none

Information on data handling in accordance with Art. 13 or 14 GDPR

Information on the handling of personal data

Name and address of the controller

Name and address of the data protection officer

Individual information by type of processing