Privacy policy

Status December 2022

Contents

I. Identity and contact details of the data controller
II. Contact details of the data protection officer
III. General information on data processing
IV. Rights of the data subject
V. Use of cookies
VI. Newsletter
VII. Contact form
VIII. Corporate presences
IX. Use of corporate presences on professionally oriented networks
X. Hosting
XI. Content delivery networks
XII. Usage of plug-ins

I. Identity and contact details of the data controller

The data controller in accordance with the purposes of the General Data Protection Regulation (GDPR) and other data protection regulations is:

HPF Innovations gGmbH
Seestr. 35–37
14467 Potsdam
Germany
+49-331-27975640
support@navigating.art
www.navigating.art

II. Contact details of the data protection officer

The data protection officer for the data controller is:

DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
+49-89-7400-45840
www.dataguard.de

III. General information on data processing

1. Scope of the processing of personal data

In general, we process the personal data of our users only insofar as necessary for the provision of a functioning website as well as our content and services. The processing of personal data regularly only takes place with the consent of the user. Exceptions includes cases where actual reasons make it technically impossible to obtain prior consent and where data processing is required by law.

2. Legal basis for the processing of personal data

Art. 6 (1) (1) (a) GDPR serves as the legal basis to obtain the consent of the data subject for the processing of their data.
As for the processing of personal data required for the performance of a contract of which the data subject is party, Art. 6 (1) (1) (b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual activities.
When it is necessary to process personal data in order to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.
Where vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (1) (d) GDPR serves as the legal basis.
Where the processing of data is necessary to safeguard the legitimate interests of our company or that of a third party, and the fundamental rights and freedoms of the data subject do not outweigh the interest of the former, Art. 6 (1) (1) (f) GDPR serves as the legal basis for the processing of data.

3. Data erasure and storage period

The personal data of the data subject will be erased or restricted as soon as the purpose of its storage has been accomplished. Additional storage may occur if it was provided for by the European or national legislator within the EU regulations, law or other relevant regulations to which the data controller is subject. Data is also restricted or erased when the storage period stipulated by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

IV. Rights of the data subject

When your personal data is processed, you are a data subject in the sense of the GDPR and have the following rights vis-à-vis the data controller:

1. Right of access (Art. 15 GPDR)

You may request from the data controller to confirm whether your personal data is processed by them.
If your data is being processed, you can request access to the following information from the data controller:

o Purpose for which your personal data is processed
o Categories of personal data being processed
o Recipients or categories of recipients
o Intended storage period or the criteria for determining this period
o Existence of the rights of rectification, erasure or restriction of your personal data as well as a right to object to processing
o Existence of a right of appeal to a supervisory authority
o All available information on the source of the data (if personal data was obtained from a third party)
o Existence of automated decision-making including profiling with meaningful
information about the data processing system involved, and the scope and the expectable effects of such processing
o Right to request information on whether your personal data will be transmitted to a third country or an international organisation

2. Right to rectification (Art. 16 GPDR)

If your personal data is inaccurate or incomplete, you have the right to request that the personal data be rectified or completed without delay.

3. Right to restriction of processing (Art. 18 GDPR)

You may request the restriction of the processing of your personal data if one the following conditions is met:

o You challenge the correctness of your personal data for a period of time that enables the data controller to verify the accuracy of your personal data.
o The processing is unlawful, and you oppose the erasure of the personal data and instead demand the restriction of its use instead.
o The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
o Or: You have objected to the processing and it is not yet certain whether the legitimate reasons of the data controller outweigh your reasons.

4. Right to erasure (‘right to be forgotten’) (Art. 17 GDPR)

You may request the immediate erasure of your personal data if one the following conditions is met:

o Your personal data is no longer necessary for the purposes for which they were collected or processed.
o You revoke your consent, and there is no other legal basis for processing the data.
o You object to the processing of your data, and there are no overriding legitimate grounds for the processing, or you object pursuant to Art. 21 (2) GDPR.
o Your personal data are being processed unlawfully.
o Erasure is required for compliance with a legal obligation in Union or Member
State law to which the data controller is subject.
o Your personal data was collected in relation to the offer of information
business services offered pursuant to Art. 8 (1) GDPR.

Please note that the above grounds do not apply insofar as the processing is necessary:

o To exercise the right to freedom of speech and information;
o To fulfil a legal obligation required by the law of the Union or of the Member
States to which the data controller is subject, or to perform a task of public
interest delegated to the data controller;
o For reasons of public interest in the field of public health;
o For archival purposes of public interest, scientific or historical research
purposes or for statistical purposes;
o Or to enforce, exercise or defend legal claims.

5. Right of data portability (Art. 20 GPDR)

You have the right to receive your personal data in a structured, common and machine-readable format or to request that it be transferred to another data controller.

 6. Right to object to certain data processing (Art. 21 GDPR)

Subjective to your situation, you have, at any time, the right to object to the processing of your personal data pursuant to Art. 6 (1) (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.
Where your personal processes personal data for direct marketing purposes, you as the data subject have the right to object, at any time, to processing of personal data become for such marketing, which includes profiling to the extent that it is related to direct marketing.

7. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, if you believe that the processing of your personal data violates the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. A list of locally competent supervisory authorities in Germany can be found in English on the website of the Federal Commissioner for Data Protection at the following link: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html
You have the right to complain to a supervisory authority for data protection about our processing your personal data. The Austrian Data Protection Authority Barichgasse 40–42 Vienna Telephone: +43 1 52 152-0 Email: dsb@dsb.gv.at

V. Use of cookies

1. Description and scope of data processing

Various features of our website use technical aids, in particular cookies, which can be stored on your terminal device when you visit our page. When you access our website, and at any subsequent time, you may decide whether to allow cookies to be stored on your device and which individual additional features you would like to activate. You can make changes in your browser settings or via our consent manager. Cookies are text files or information in a database that are stored on your hard drive and associated with the browser you are using; this allows the entity that stores the cookie to collect certain information. Our website uses the following types of cookies:
We use technically necessary cookies, which are required for the technical structure of the website. Without them, our website cannot be displayed completely and correctly; or they might be necessary for the provision of support features. Technically necessary cookies transfer and store the following data:

o Language settings
o Use of website features

We use cookies on our website that are not technically necessary. These cookies are text files that not only make the website function, but also collect other data. The use of technically unnecessary cookies on our website entails the processing of the following data:

o IP address
o Location of internet user
o Date and time of website access
o Tracking of surfing behaviour
o Link to HubSpot contact if user later signs up for newsletter or demo

2. Purpose of data processing

The purpose of using technically necessary cookies is to ensure our website functions properly. Some features of our website require the use of cookies. They make it is necessary that the browser is recognised even after browsing to a new page.
We require technically necessary cookies for the following applications: o Ensuring the functionality of our website
Technically unnecessary cookies are used to improve the quality of our website, its content and thus our reach and profitability. The use of these cookies allows us to learn how our website is used, in turn enabling us to constantly optimise our offering. In particular, we use these cookies for the following purposes:
Improving our website based on user behaviour

3. Legal basis for data processing

The German Telecommunications Telemedia Data Protection Act (TTDSG) is relevant to the storage of information on the end user’s terminal device and/or access to information already stored there. Cookies are set and read where technically necessary to ensure the functionality of our website. In this case, cookies are stored and accessed on your terminal device on the basis of § 25 (2) (2) TTDSG. This serves to facilitate your use of our website and allows us to offer you our services as you have requested. Some features of our website do not work without the use of these cookies and might not be available. Generally, the cookies are deleted after the end of the session (e.g. when you lot out or close your browser) or when a specified duration expires. Information on differing storage periods can be found in the following sections of this privacy policy.
The use of cookies that are not technically necessary requires your express consent, which you can give via the cookie banner. The basis for storing and accessing information in this case is 25 (1) TTDSG in conjunction with Art. 6 (1) (a) / Art. 7 GDPR. By configuring your cookie settings accordingly, you may revoke your consent at any time with effect for the future and subsequently grant it again. Alternatively, you can prevent the storage of cookies by making the appropriate settings in your browser. Please note that your browser settings only affect the browser you are using. The processing of personal data following the storage of and access to information on your terminal device makes the provisions of the GDPR relevant. More information can be found in the following sections of this privacy policy.

VII. Newsletter

1. Description and scope of data processing

On our website, you can sign up to receive our free newsletter. When you subscribe to the newsletter, the data you enter in the subscription form is transmitted to us.

o Email address
o Date and time of registration

None of your data that is processed to send newsletters is shared with third parties. The data is used exclusively for sending you our newsletter.

2. Purpose of data processing

We collect your email address so that we can send you our newsletter.
The other personal data that we collect when you subscribe for our newsletter is used to prevent the misuse of our services or the email address in question.

3. Legal basis for data processing

The legal basis for processing personal data after signing up to receive our newsletter is Art. 6 (1) (1) (a) GDPR if the data subject has given their consent.

4. Duration of storage

 The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected. This means the data subject’s email address will be stored for as long as the subscription to the newsletter is active.
The other personal data collected during subscription is usually deleted after a period of seven days.

5. Exercising your right to revoke consent

You may unsubscribe from our newsletter at any time. Click the link included in every edition of our newsletter to unsubscribe.
The same link also makes it possible to revoke your consent to the storage of your personal data collected during the subscription process.

VIII. Form for making an appointment

1. Description and scope of data processing

Our website includes a form for making an appointment, which can be used to contact us online. If a website visitor uses the form, the data they enter will be transmitted to us and stored.

We store the following data at the time the message is submitted:
o Email address
o Last name
o First name
o IP address of the accessing device o Date and time of contact

2. Purpose of data processing

The processing of personal data from the form or via the email address provided serves solely to process the contact.
The other personal data processed during submission serves to prevent misuse of the form as well as to ensure the security of our information technology systems.

3. Legal basis for data processing

The legal basis for processing data transmitted when an email is sent is Art. 6 (1) (1) (a) GDPR. Our legitimate interest is to provide you with the best possible response to the enquiry you send us via the contact form. If the aim of email contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (1) (b) GDPR.

4. Duration of storage

The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected. With respect to personal data from the contact form and any sent by email, this is the case when the exchange with the user has ended. The exchange is considered to have ended when it is clear from the circumstances that the matter in question has been conclusively clarified.The other personal data collected during email correspondence will be deleted after a period of seven days at the latest.

5. Exercising your right to object

If the user uses the contact form to contact us, they may object to the storage of their personal data at any time.
Please email any objections and requests to delete your data to support@navigating.art.
We will then delete all personal data that was stored throughout your contact with us.

VIII. Corporate presences

Use of corporate presences in social networks

Instagram:

Instagram, part of Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2 Ireland
On our company website we provide information and offer Instagram users the opportunity to engage. If you engage with our corporate Instagram presence (e.g. comment, post, like etc.), it is possible that you will make personal data (e.g. real name or photo of your user profile) public. However, since we generally, or to a large extent, have no influence on the processing of your personal data by Instagram, the company jointly responsible for the HPF Innovations gGmbH corporate presence, we cannot make any binding statements regarding the purpose and scope of the processing of your data.

 Our corporate presence on social networks is used to communicate and exchange information with (potential) customers. In particular, we use our corporate presence for publishing up-to-date news related to navigating.art and our products.
In this context, publications made via our corporate presence may contain the following content:

o Information about product
o Information about services

Each user is free to publish personal data by engaging with our content.
Processing your personal data in order to analyse your online behaviour, offer you sweepstakes or conduct lead campaigns is based on your express declaration of consent pursuant to Art. 6 (1) (1) (a) / Art. 7 GDPR. The legal basis for processing personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) (1) (f) GDPR. Our legitimate interest here is to answer any enquiry you make in the best possible way or to be able to provide the requested information. If the aim of contacting you is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.
The data generated by our corporate presence is not stored in our own systems.
Insofar as your data is processed in in third countries, we have provided adequate guarantees in the form of standard data protection clauses pursuant to Art. 46 (2) (c) GDPR. You may request a copy of such standard data protection clauses from us.
You may object at any time to the processing of your personal data collected by us in the course of your use of our Instagram corporate presence and assert your rights as a data subject as stated under IV. of this privacy policy. To do so, just email us at support@navigating.art. You can find more information about how Instagram processes your personal data and the opportunities for objection here:
Instagram: https://help.instagram.com/519522125107875

Twitter:

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland
On our company website we provide information and offer Twitter users the opportunity to engage. If you engage with our Twitter corporate presence (e.g. comment, post, like etc.), it is possible that you will make personal data (e.g. real name or photo of your user profile) public. However, since we generally, or to a large extent, have no influence on the processing of your personal data by Twitter, the company jointly responsible for the HPF Innovations gGmbH corporate presence, we cannot make any binding statements regarding the purpose and scope of the processing of your data.
Our corporate presence on social networks is used to communicate and exchange information with (potential) customers. In particular, we use our corporate presence for publishing up-to-date news related to navigating.art and our products.
In this context, publications made via our corporate presence may contain the following content:
o Information about products o Information about services
Each user is free to publish personal data by engaging with our content.
Processing your personal data in order to analyse your online behaviour, offer you sweepstakes or conduct lead campaigns is based on your express declaration of consent pursuant to Art. 6 (1) (1) (a) / Art. 7 GDPR. The legal basis for processing personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) (1) (f) GDPR. Our legitimate interest here is to answer any enquiry you make in the best possible way or to be able to provide the requested information. If the aim of contacting you is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.
The data generated by our corporate presence is not stored in our own systems.
Insofar as your data is processed in in third countries, we have provided adequate guarantees in the form of standard data protection clauses pursuant to Art. 46 (2) (c) GDPR. You may request a copy of such standard data protection clauses from us.
You may object at any time to the processing of your personal data collected by us in the course of your use of our Twitter corporate presence and assert your rights as a data subject as stated under IV. of this privacy policy. To do so, just email us at support@navigating.art. You can find more information about how Twitter processes your personal data and the opportunities for objection here:
Twitter: https://twitter.com/en/privacy

YouTube:

YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States
On our company website we provide information and offer YouTube users the opportunity to engage. If you engage with our YouTube corporate presence (e.g. comment, post, like etc.), it is possible that you will make personal data (e.g. real name or photo of your user profile) public. However, since we generally, or to a large extent, have no influence on the processing of your personal data by YouTube, the company jointly responsible for the HPF Innovations gGmbH corporate presence, we cannot make any binding statements regarding the purpose and scope of the processing of your data.
Our corporate presence on social networks is used to communicate and exchange information with (potential) customers. In particular, we use our corporate presence for publishing up-to-date news related to navigating.art and our products.
In this context, publications made via our corporate presence may contain the following content:

o Information about products
o Information about services

Each user is free to publish personal data by engaging with our content.

Processing your personal data in order to analyse your online behaviour, offer you sweepstakes or conduct lead campaigns is based on your express declaration of consent pursuant to Art. 6 (1) (1) (a) / Art. 7 GDPR. The legal basis for processing personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) (1) (f) GDPR. Our legitimate interest here is to answer any enquiry you make in the best possible way or to be able to provide the requested information. If the aim of contacting you is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

The data generated by our corporate presence is not stored in our own systems.

Insofar as your data is processed in in third countries, we have provided adequate guarantees in the form of standard data protection clauses pursuant to Art. 46 (2) (c) GDPR. You may request a copy of such standard data protection clauses from us.
 You may object at any time to the processing of your personal data collected by us in the course of your use of our YouTube corporate presence and assert your rights as a data subject as stated under IV. of this privacy policy. To do so, just email us at support@navigating.art. You can find more information about how YouTube processes your personal data and the opportunities for objection here:
YouTube: https://policies.google.com/privacy?gl=EN&hl=en

IX. Use of corporate presences on professionally oriented networks

1. Scope of data processing

We take advantage of corporate presences on professionally oriented networks. We maintain a corporate presence on the following professionally oriented networks:

LinkedIn:

LinkedIn, Unlimited Company Wilton Place, Dublin 2, Ireland

On our company website we provide information and offer users the opportunity to engage.
The corporate presence is used for job applications, information/PR and active sourcing.
We do not have any information on the processing of your personal data by the companies jointly responsible for this corporate presence. For more, please refer to the privacy policy from:
LinkedIn: https://www.linkedin.com/legal/privacy-policy

If you engage with our corporate presence (e.g. comment, post, like etc.), it is possible that you will make personal data (e.g. real name or photo of your user profile) public.

2. Legal basis for data processing

The legal basis for processing personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) (1) (f) GDPR. Our legitimate interest here is to answer any enquiry you make in the best possible way or to be able to provide the requested information. If the aim of contacting you is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

 3. Purpose of data processing

The purpose of our corporate presence is to inform users about our services. Each user is free to publish personal data by engaging with our content.

4. Duration of storage

We store your engagement and personal data published via our corporate presence until you revoke your consent. In addition, we comply with the statutory storage periods.

5. Exercising your right to object

You may object at any time to the processing of your personal data collected by us in the course of your use of our corporate presence and assert your rights as a data subject as stated under IV. of this privacy policy. To do so, just send us an email to the email address in this privacy policy.
Find more information on how to exercise your rights here: LinkedIn: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

X. Hosting

Our website is hosted on the servers of a service provider commissioned by us. Our service provider is:
Amazon AWS

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit our website. Stored information includes:
o Browser type and version
o Operating system used
o Referrer URL
o Host name of the accessing computer o Date and time of server request
o IP address

 This data is not merged with other data sources. We collect this data based on Art. 6 (1) (f) GDPR. Our legitimate interest in processing this data is the error-free presentation and optimisation of our website.
The geographical location of the website’s server is in the United States of America.

XI. Content delivery networks

Amazon CloudFront

1. Description and scope of data processing

Our website uses features from the content delivery network Amazon CloudFront provided by Amazon Web Service Inc., 410 Terry Avenue North, Seattle WA 98109, USA (hereinafter referred to as ‘Amazon CloudFront’). A content delivery network (CDN) is a network of regionally distributed servers that are connected via the internet and are used to deliver content – especially large media files such as videos. Amazon CloudFront provides web optimisation and security services that we use to improve our website load times as well as to protect it from misuse. When you visit our website, a connection is established to Amazon CloudFront’s servers, e.g. in order to access content. This may entail personal data being stored and analysed in server log files, in particular as relates to user activity (especially which pages have been visited) and device and browser information (especially the IP address and the operating system). You can find more information on how Amazon CloudFront collects and stores data here:
https://aws.amazon.com/privacy/
Insofar as your data is processed in in third countries, we have provided adequate guarantees in the form of standard data protection clauses pursuant to Art. 46 (2) (c) GDPR. You may request a copy of such standard data protection clauses from us.

2. Purpose of data processing

We use Amazon CloudFront features in order to deliver and accelerate online applications and content.

3. Legal basis for data processing

We collect this data based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in presenting the website without any technically errors and in website optimisation – the server log files must be recorded to secure this interest.

4. Duration of storage

Your personal data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or as required by law.

5. Exercising your right to object

For information on how to exercise your rights against Amazon CloudFront, see: https://aws.amazon.com/privacy/

XII. Usage of plug-in

We use plug-ins for various purposes. The plug-ins we use are listed below:

Use of Google Analytics

1. Scope of the processing of personal data

We use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and its representative in the EU, Google Ireland Ltd, Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as Google’). Among other things, Google Analytics analyses the origin of visitors, the time they spend on individual pages and the use of search engines, which in turns improves monitoring of the success of marketing campaigns. In the process, Google sets a cookie on your computer. This may result in personal data being stored and analysed, in particular as relates to user activity (especially which pages have been visited and which elements clicked on), device and browser information (especially the IP address and the operating system), data about advertisements displayed (especially which advertisements were displayed and whether the user clicked on them) and also data from advertising partners (especially pseudonymised user IDs).
We use Google Analytics (Universal Analytics) to evaluate your use of our website, to compile reports on your activities and to use other Google services associated with the use of our website and internet usage.
We have requested that IP addresses be anonymised, which means that Google will shorten your IP address as promptly as technically possible. However, it is still possible that your data will be transmitted to the servers of Google LLC, which is based in the USA.
On behalf of the website provider, Google uses this information to evaluate your use of the website, to compile reports on website activity for website operators and to provide other services to the website provider relating to website activity and internet usage.
For further information on how Google processes data, please visit: https://policies.google.com/privacy?gl=EN&hl=en

2. Purpose of data processing

The use of Google Analytics (Universal Analytics) serves to evaluate how our website is used as well as the targeted display of advertising to parties who, by visiting our website, have already demonstrated an initial interest.

3. Legal basis for the processing of personal data

In principle, the legal basis for processing the personal data of users is the user’s consent as per Art. 6 (1) (1) (a) GDPR.

4. Duration of storage

Your personal data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or until you exercise your right to withdraw your consent.

5. Right of withdrawal of consent

You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You can prevent the collection as well as the processing of your personal data by Google by preventing third-party cookies from being stored on your computer. Do this by using your supporting browser’s ‘do not track’ feature, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
It is also possible to refuse Google’s collection of cookie-generated data related to your usage of our website (incl. your IP address) as well as the processing of this data by Google by downloading and installing the browser plug-in available here: https://tools.google.com/dlpage/gaoptout?hl=de
You can opt out of having Google use your personal data here: https://adssettings.google.de
Find more information on your options for objection and removal vis-á-vis Google here:
https://policies.google.com/privacy?gl=DE&hl=de

6. Notice of risk

Your personal data will also be transferred to the USA: The European Commission has not reached an adequacy decision for the USA according to Art. 45 (3) GDPR. We would like to inform you that data transfers without an adequacy decision entail certain risks, such as the following:
U.S. intelligence agencies base their monitoring of natural persons on certain online identifiers (such as IP addresses or unique identification numbers). As such, it is a possibility that they have already collected information about you, information they can use to trace data transmitted here back to you.
Providers of electronic communications services headquartered in the United States are subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a (‘FISA 702’). By extension, this means these same providers are obligated to provide personal data to U.S. authorities under FISA 702, without any possible remedy available to you. Even data encryption that electronic communications service providers employ in their data centres may not provide adequate protection. After all, electronic communications service providers have a direct obligation to provide access to or surrender data within their possession, custody or control. This obligation may also expressly cover the cryptographic keys necessary for reading such data.
The 16 July 2020 decision of the European Court of Justice (Case C 311/18 or ‘Schrems II’) demonstrates that this is not merely a ‘theoretical risk’.
We have concluded guarantees with Google in the form of standard data protection clauses as per Art. 46 (2) (c) GDPR. You may request a copy of such standard data protection clauses from us.

Use of Google Fonts

1. Scope of the processing of personal data

We use Google Fonts provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and its representative in the EU, Google Ireland Ltd, Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as ‘Google’). The web fonts are transferred to your browser's cache when the page in question is accessed so they can be used for the visually improved display of various information. If your browser does not support Google Fonts or prevents access, text is displayed in a standard font. No cookies are stored on the visitor’s computer when the page is accessed. Data transmitted when our page is viewed is sent to resource-specific domains such as https://fonts.googleapis.com or https://fonts.gstatic.com. This may result in personal data being stored and evaluated, in particular as relates to user activity (especially which pages have been visited and which elements clicked on) and device and browser information (especially the IP address and the operating system).
This data will not be associated with data that may be collected or used in connection with the parallel use of authenticated Google services such as Gmail.
For further information on how Google processes data, please visit: https://policies.google.com/privacy?gl=EN&hl=en

 2. Purpose of data processing

We use Google Fonts to make the presentation of our texts visually appealing. If your browser does not support this feature, a standard font from your computer will be used instead.

3. Legal basis for the processing of personal data

In principle, the legal basis for processing the personal data of users is the user’s consent as per Art. 6 (1) (1) (a) GDPR.

4. Duration of storage

Your personal data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.

5. Right to object and have your data removed

You can prevent the collection as well as the processing of your personal data by Google by preventing third-party cookies from being stored on your computer. Do this by using your supporting browser’s ‘do not track’ feature, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
You can opt out of having Google use your personal data here: https://adssettings.google.de
Find more information on your options for objection and removal vis-á-vis Google under: https://policies.google.com/privacy

Use of Google Tag Manager

1. Scope of the processing of personal data

We use Google Tag Manager (https://marketingplatform.google.com/about/tag-manager/) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and its representative in the EU, Google Ireland Ltd, Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as ‘Google’). Google Tag Manager allows tags from Google and third-party services to be managed and embedded in a bundle on a website. Tags are bits of code on website that measure visitor numbers and behaviour, track the impact of online advertising and social channels, use remarketing and targeting strategies as well as test and optimise websites, among other things. When a user visits a website, the current tag configuration containing instructions on which tags are to be triggered is sent to the user’s browser. Google Tag Manager triggers other tags, which in turn may collect data. Read the sections of this privacy policy about corresponding services for more information. Google Tag Manager does not access this data.
You can find more information about Google Tag Manager at https://marketingplatform.google.com/about/tag-manager/ as well as in Google’s privacy policy (https://policies.google.com/privacy).

2. Purpose of data processing

The purpose of processing your personal data is the bundled, clear management and efficient integration of third-party services.

3. Legal basis for the processing of personal data

In principle, the legal basis for processing the personal data of users is the user’s consent as per Art. 6 (1) (1) (a) GDPR.

4. Duration of storage

Your personal data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or as required by law. Google states that it anonymises advertising data in server logs by deleting parts of the IP address and cookie information after 9 and 18 months respectively.

5. Right of withdrawal of consent

You have the right to withdraw your consent to the processing of your data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You can prevent the collection as well as the processing of your personal data by Google by preventing third-party cookies from being stored on your computer. Do this by using your supporting browser’s ‘do not track’ feature, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
It is also possible to refuse Google’s collection of cookie-generated data related to your usage of our website (incl. your IP address) as well as the processing of this data by Google by downloading and installing the browser plug-in available here: https://tools.google.com/dlpage/gaoptout?hl=en-GB
You can opt out of having Google use your personal data here: https://adssettings.google.de/anonymous?hl=en 
Find more information on your options for objection and removal vis-á-vis Google here: https://policies.google.com/privacy

Use of Google Forms

1. Scope of the processing of personal data

Our website uses features from the survey management solution Google Forms provided by Google Ireland Limited, Gordon House, Barrow Street, 4, Dublin, Ireland (hereinafter referred to as ‘Google’).
Google Forms is used to create and organise forms for surveys and polls. It also lets users record responses in real time as well as evaluate statistics.
In the process, cookies from Google are stored on your terminal device. The following personal data in particular are processed by Google:
- Data entered via the form
- Files uploaded via the form
- IP address
- Browser and device version
Data collected through a Google Forms form is processed and stored on Google Drive.
For further information on how Google processes data, please visit: https://policies.google.com/privacy

2. Purpose of data processing

We use Google Forms to create, evaluate and organise questionnaires and surveys. 

3. Legal basis for the processing of personal data

In principle, the legal basis for processing the personal data of users is the user’s consent as per Art. 6 (1) (1) (a) GDPR.

4. Duration of storage

Your personal data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or as required by law, for example for tax and accounting purposes.

5. Right of withdrawal of consent

You have the right to withdraw your consent to the processing of your data at any  time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You can prevent the collection as well as the processing of your personal data by Google by preventing third-party cookies from being stored on your computer. Do this by using your supporting browser’s ‘do not track’ feature, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

Find more information on your options for objection and removal vis-á-vis Google under: https://policies.google.com/privacy

Use of AdRoll

1. Scope of the processing of personal data

We use functionalities of the e-commerce marketing platform AdRoll of NextRoll, Inc. 2300 Harrison Street, 2nd Floor San Francisco, California 94117, USA (hereinafter referred to as: NextRoll). In the process, AdRoll stores a cookie on your device. AdRoll is used to carry out marketing and advertising campaigns and enables companies to gain better insight into which target groups are interested in certain products and services by placing digital ads. In the process, data is processed on NextRoll servers in the USA. Further recipients of the data are, depending on the service provided and the contractual and legal obligations, subsidiaries, affiliated companies and service providers of NextRoll.

As a result, personal data can be stored and evaluated by NextRoll
- Hash value of the email address
- Information about the user's activities (in particular, which pages have been visited and which elements have been clicked on)
- Device and browser information (especially the IP address and the operating system)
- Location data
- Data about the advertisements displayed (in particular, which advertisements were displayed and whether a product was purchased)
- Other personal data provided by advertising partners

For more information about NextRoll's data processing, click here:
https://www.nextroll.com/de-DE/privacy
https://www.nextroll.com/trust-center

2. Purpose of data processing

We use AdRoll for the purpose of providing personalized and interest-based advertising to our users and analyzing how users interact with those advertisements.

3. Legal basis for the processing of personal data

The legal basis for the processing of the users' personal data is, in principle, the user's consent pursuant to Art. (1) (1) (a) GDPR.

4. Duration of storage

Your personal information will be retained for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law, such as for tax and accounting purposes.

5. Right of withdrawal of consent

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection as well as the processing of your personal data by NextRoll by preventing third-party cookies from being stored on your computer, by using the "Do Not Track" function of a supporting browser, by disabling the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

You can also prevent the collection of data generated by the cookie and related to your use of the online presence (including your IP address) by AdRoll, as well as the processing of this data by NextRoll, by following the opt-out process available at the following link: https://app.adroll.com/optout

For more information on objection and removal options vis-à-vis NextRoll, please visit: https://www.nextroll.com/de-DE/privacy

6.  Notice of risk

Your personal data will also be transferred to the USA. There is no adequacy decision for the USA according to Art. 45 (3) GDPR. We would like to point out that data transfer without an adequacy decision entails certain risks, which we would like to inform you about below: 

Intelligence services in the USA take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information about you, with the help of which the data transmitted here can be traced back to you. 

Electronic communications service providers headquartered in the United States are subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"). Accordingly, providers of electronic communications services headquartered in the U.S. have an obligation to provide personal information to U.S. authorities pursuant to 50 U.S. Code § 1881a, without any possible recourse available to you. Even encryption of data at the electronic communications service provider's data centers may not provide adequate protection because, with respect to imported data in its possession or custody or under its control, an electronic communications service provider has a direct obligation to provide access to or surrender such data. This obligation may expressly extend to the cryptographic keys without which the data cannot be read. 

The fact that this is not merely a "theoretical risk" is demonstrated by the ECJ's judgment of July 16, 2020,  C311/18.