Privacy policy

Data protection overview

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you could be personally identified. Detailed information on the subject of data protection can be found in our Privacy Policy set out below this text.

Data Collection on this Website

Who is responsible for the data collection on this website?

Data processing on this website is carried out by the website operator. You can find their contact details in the "Information on the Controller" section of this Privacy Policy.

How do we collect your data?

On the one hand, your data is collected when you communicate it to us. This could, for example, be data you enter into a contact form.

Other data is collected automatically or after you have given your consent by our IT systems when you visit the website. This data is primarily technical data (e.g., internet browser, operating system, or time of the page access). The collection of this data takes place automatically as soon as you enter this website.

What do we use your data for?

A portion of the data is collected to ensure the error-free provision of the website. Other data can be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders, or other order inquiries.

What rights do you have regarding your data?

You have the right to receive information about the origin, recipients, and purpose of your stored personal data free of charge at any time. You also have a right to request the rectification or erasure of this data. If you have given your consent to data processing, you can withdraw this consent at any time with effect for the future. In addition, you have the right, under certain circumstances, to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

You can contact us at any time regarding this and other questions on the subject of data protection.

Hosting

We host the content of our website with the following provider:

External Hosting

This website is hosted externally. The personal data collected on this website is stored on the servers of the host(s). This may primarily include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated via a website.

The external hosting is carried out for the purpose of the performance of a contract with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR). If corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be withdrawn at any time.

Our host(s) will only process your data to the extent necessary to fulfill its performance obligations and will follow our instructions with respect to such data.

We use the following host(s):

VHUG Technologies OÜ, Lõõtsa tn 5, 11415 Tallinn, Estonia | hello@vhug.tech | https://www.vhug.tech/

For details, please refer to the Privacy Policy of VHUG: https://www.vhug.tech/de/datenschutz.html.

Data Processing

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

General Information and Mandatory Information

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations as well as this Privacy Policy.

When you use this website, various personal data are collected. Personal data is data with which you can be personally identified. This Privacy Policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that data transmission over the Internet (e.g., when communicating by e-mail) can have security gaps. A complete protection of data against access by third parties is not possible.

Information on the Controller

The controller responsible for data processing on this website is:

PKF Wulf Gruppe KG
Wirtschaftsprüfungsgesellschaft
Steuerberatungsgesellschaft

Tegernaustraße 7
72336 Balingen

Represented by the general partners (Komplementäre):

Christoph Albrecht, WP, StB | Florian Egermann, RA | Philipp Gottschick, StB | Dominik Huth, StB | André Jänichen, WP, StB | Christoph Kalmbach, WP, StB | Martin Krebs, WP, StB | Benjamin Küstermann, StB | Kevin Kuß, WP, StB | Thomas Niemann, StB | Ulf Rager, StB | Simon Schmid, WP, StB | Ralph Setzer, WP, StB | André Simmack, WP, eidg. WP | Ines Thorwart, WPin, StBin | Julian Wenninger, WP, StB | Martin Wulf, WP, StB.

Phone: +49 7433 1609-0
E-Mail: balingen(a)pkf-wulf.de

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g., names, e-mail addresses, etc.).

Storage Period

Unless a more specific storage period has been specified within this Privacy Policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a justified request for erasure or withdraw your consent to data processing, your data will be deleted, provided we have no other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, the deletion will take place after these reasons cease to apply.

General Information on the Legal Basis for Data Processing on this Website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, if special categories of data are processed in accordance with Art. 9(1) GDPR. In the event of explicit consent to the transfer of personal data to third countries, data processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information in your terminal device (e.g., via device fingerprinting), the data processing is additionally based on Sec. 25(1) TDDDG. Consent can be withdrawn at any time. If your data is necessary for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required to fulfill a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest in accordance with Art. 6(1)(f) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this Privacy Policy.

Data Protection Officer

We have appointed a data protection officer. Contact details of our data protection officer:

E-Mail: datenschutz(a)pkf-wulf.de

Phone: +49 151 730 44 032

Recipients of Personal Data

In the course of our business activities, we cooperate with various external entities. In some cases, it is also necessary to transfer personal data to these external entities. We only disclose personal data to external entities if this is necessary for the performance of a contract, if we are legally obligated to do so (e.g., passing on data to tax authorities), if we have a legitimate interest in the disclosure pursuant to Art. 6(1)(f) GDPR, or if another legal basis permits the data disclosure. When using processors, we only disclose the personal data of our customers on the basis of a valid data processing agreement (DPA). In the case of joint processing, a joint controllership agreement is concluded.

Withdrawal of your Consent to Data Processing

Many data processing operations are only possible with your explicit consent. You can withdraw consent you have already given at any time. The lawfulness of the data processing carried out prior to the withdrawal remains unaffected by the withdrawal.

Right to Object to the Collection of Data in Special Cases and to Direct Marketing (Art. 21 GDPR)

IF DATA PROCESSING IS CARRIED OUT ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR CONCERNED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21(2) GDPR). 

Right to Lodge a Complaint with the Competent Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged violation. The right to lodge a complaint is without prejudice to any other administrative or judicial remedies.

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg)

P.O. Box (Postfach) 10 29 32

70025 Stuttgart

Phone: 0711/615541-0

FAX: 0711/615541-15

E-Mail: poststelle@lfd.bwl.de

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically feasible.

Right of Access, Rectification, and Erasure

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of the data processing and, if applicable, a right to the rectification or erasure of this data. You can contact us at any time regarding this and other questions on the subject of personal data.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing applies in the following cases:

  • If you contest the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.

  • If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of erasure.

  • If we no longer need your personal data, but you need it to exercise, defend, or establish legal claims, you have the right to request the restriction of the processing of your personal data instead of erasure.

  • If you have lodged an objection pursuant to Art. 21(1) GDPR, an assessment must be made balancing your interests against ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

SSL and/or TLS Encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Objection to Promotional E-mails

The use of contact data published within the scope of the imprint obligation for the transmission of not expressly requested advertising and informational materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Data Collection on this Website

Cookies

Our websites use so-called "cookies". Cookies are small data packets and do not cause any damage to your terminal device. They are stored on your terminal device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your terminal device until you delete them yourself or they are automatically deleted by your web browser.

Cookies can originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services of third-party companies within websites (e.g., cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g., the shopping cart function or the display of videos). Other cookies can be used to analyze user behavior or for promotional purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions you have requested (e.g., for the shopping cart function), or to optimize the website (e.g., cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG); this consent can be withdrawn at any time. 

You can configure your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. Deactivating cookies may restrict the functionality of this website.

You can find out which cookies and services are used on this website in this Privacy Policy.

Consent with Usercentrics

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your terminal device or for the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, Website: usercentrics.com (hereinafter "Usercentrics").

When you visit our website, the following personal data is transmitted to Usercentrics:

  • Your consent(s) or the withdrawal of your consent(s)

  • Your IP address

  • Information about your browser

  • Information about your terminal device

  • Time of your visit to the website

  • Geolocation

Furthermore, Usercentrics stores a cookie in your browser in order to be able to allocate the consents given or their withdrawal to you. The data collected in this way will be stored until you request us to delete it, delete the Usercentrics cookie yourself, or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.

The use of Usercentrics takes place to obtain the legally required consents for the use of certain technologies. The legal basis for this is Art. 6(1)(c) GDPR.

Data Processing

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version

  • Operating system used

  • Referrer URL

  • Host name of the accessing computer

  • Time of the server request

  • IP address

These data are not merged with other data sources.

The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and the optimization of its website – for this purpose, the server log files must be recorded. The server log files are stored for 14 days and then deleted.

Contact Form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not share this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR, provided your inquiry is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if this was requested; consent can be withdrawn at any time.

The data you entered in the contact form will remain with us until you request us to delete it, withdraw your consent to its storage, or the purpose for data storage no longer applies (e.g., after your inquiry has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Inquiry by E-mail, Post, Telephone, or Fax

If you contact us by e-mail, post, telephone, or fax, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of processing your request. We do not share this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR, provided your inquiry is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if this was requested; consent can be withdrawn at any time.

The data sent to us via contact inquiries will remain with us until you request us to delete it, withdraw your consent to its storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Social Media

Instagram

Icons (an image of the social media platform's logo with an embedded link to our social media presence there) of the social network Instagram are integrated on this website. When you click on the icon, you will be redirected to the Instagram page. This is not a Like or Share button. The provider of the Instagram website is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook or Instagram, the data collected when accessing the Instagram page is also transferred to the USA and other third countries.

If you click the Instagram icon provided on this website, a direct connection is established between your browser and the Instagram server. As a result, Instagram receives the information that you have visited this website with your IP address. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram.

Insofar as you click on the icon and are redirected to our Instagram page, personal data is collected on our website and forwarded to Facebook or Instagram. In this respect, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR).

The joint controllership is limited exclusively to the collection of the data and its transmission to Facebook or Instagram. The processing by Facebook or Instagram that takes place after the transmission is not part of the joint controllership. The obligations incumbent upon us jointly have been set out in a joint controllership agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum.

According to this agreement, we are responsible for providing the privacy information when using the Facebook or Instagram tool or icon link and for the privacy-compliant implementation of the tool or link on our website. Facebook is responsible for the data security of Facebook and Instagram products. You can assert data subject rights (e.g., requests for access) regarding the data processed by Facebook or Instagram directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

If you do not wish Instagram to be able to associate the visit to our Instagram website with your Instagram user account, please log out of your Instagram user account beforehand.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum,

https://privacycenter.instagram.com/policy/ and

https://de-de.facebook.com/help/566994660333381.

For further information on this, please refer to the Privacy Policy of Instagram:

https://privacycenter.instagram.com/policy/.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. You can obtain further information on this from the provider under the following link:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

LinkedIn

This website uses elements of the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Each time a page of this website containing elements of LinkedIn is accessed, a connection to LinkedIn's servers is established. LinkedIn is informed that you have visited this website with your IP address. If you click the "Recommend" button of LinkedIn and are logged into your LinkedIn account, it is possible for LinkedIn to associate your visit to this website with you and your user account. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by LinkedIn.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG. Consent can be withdrawn at any time.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: https://www.linkedin.com/help/linkedin/answer/a1343190/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=de.

For further information on this, please refer to the Privacy Policy of LinkedIn at: https://www.linkedin.com/legal/privacy-policy.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. You can obtain further information on this from the provider under the following link: https://www.dataprivacyframework.gov/participant/5448.

XING

Icons (an image of the social media platform's logo with an embedded link to our social media presence there) of the social network Xing are integrated on this website. When you click on the icon, you will be redirected to the Xing page. This is not a Like or Share button. The provider of the Xing website is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

If you click the Xing icon provided on this website, a direct connection is established between your browser and the Xing server. As a result, Xing receives the information that you have visited this website with your IP address. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Xing. For further information on this, please refer to the Privacy Policy of Xing (https://privacy.xing.com/de/datenschutzerklaerung).

If you do not wish Xing to be able to associate the visit to our Xing website with your Xing user account, please log out of your Xing user account.

The use of the Xing icon with an embedded link to our Xing page is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in achieving the widest possible visibility on social media.

Xing is responsible for the data security of Xing products. You can assert data subject rights (e.g., requests for access) regarding the data processed by Xing directly with Xing.

TikTok

Icons (an image of the social media platform's logo with an embedded link to our social media presence there) of the social network TikTok are integrated on this website. When you click on the icon, you will be redirected to the TikTok page. This is not a Like or Share button. The provider of the TikTok website is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

If you click the TikTok icon provided on this website, a direct connection is established between your browser and the TikTok server. As a result, TikTok receives the information that you have visited this website with your IP address. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by TikTok. For further information on this, please refer to the Privacy Policy of TikTok (https://www.tiktok.com/legal/page/eea/privacy-policy/de).

If you do not wish TikTok to be able to associate the visit to our TikTok website with your TikTok user account, please log out of your TikTok user account.

The use of the TikTok icon with an embedded link to our TikTok page is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in achieving the widest possible visibility on social media.

TikTok is responsible for the data security of TikTok products. You can assert data subject rights (e.g., requests for access) regarding the data processed by TikTok directly with TikTok.

Our Social Media Presences

This Privacy Policy applies to the following social media presences:

https://www.instagram.com/pkfdeutschland/

https://www.linkedin.com/company/pkf-wulf-gruppe?originalSubdomain=de

https://www.xing.com/pages/pkf-wulf-gruppe

https://www.tiktok.com/@pkfwulfgruppe

https://www.kununu.com/de/pkf-wulf-gruppe

Data Processing by Social Networks

We maintain publicly accessible profiles in social networks. The specific social networks we use can be found below.

Social networks such as Instagram, LinkedIn, etc., can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g., Like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. Specifically:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can associate this visit with your user account. Under certain circumstances, your personal data may also be collected even if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your terminal device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot trace all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.

Legal Basis

Our social media presences are intended to ensure the most comprehensive possible presence on the Internet. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6(1)(a) GDPR).

Controller and Assertion of Rights

When you visit one of our social media presences (e.g., Instagram), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (access, rectification, erasure, restriction of processing, data portability, and complaint) both against us and against the operator of the respective social media portal (e.g., against Facebook).

Please note that despite the joint controllership with the social media portal operators, we do not have comprehensive influence on the data processing operations of the social media portals. Our capabilities are largely determined by the corporate policy of the respective provider.

Storage Period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, withdraw your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

We have no influence on the storage period of your data stored by the operators of the social networks for their own purposes. For details, please obtain information directly from the operators of the social networks (e.g., in their privacy policy, see below).

Your Rights

You have the right at any time to receive information free of charge about the origin, recipients, and purpose of your stored personal data. You also have a right to object, a right to data portability, and a right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the rectification, blocking, erasure, and, under certain circumstances, the restriction of the processing of your personal data.

Social Networks in Detail

Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum,

https://privacycenter.instagram.com/policy/ and

https://de-de.facebook.com/help/566994660333381.

Details on their handling of your personal data can be found in Instagram's Privacy Policy: https://privacycenter.instagram.com/policy/.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. You can obtain further information on this from the provider under the following link:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here:

https://www.linkedin.com/legal/l/dpa and
https://www.linkedin.com/legal/l/eu-sccs.

Details on their handling of your personal data can be found in LinkedIn's Privacy Policy: https://www.linkedin.com/legal/privacy-policy.

XING

We have a profile on XING. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Details on their handling of your personal data can be found in XING's Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

Kununu

We have a profile on Kununu. The provider of this service is the Kununu platform as a service of kununu GmbH, Arabellastraße 23, 81925 Munich, Germany. Details on their handling of your personal data can be found in the Kununu Privacy Policy at: https://privacy.xing.com/de/datenschutzerklaerung.

TikTok

This privacy information applies to the processing of personal data in connection with the visit and use of the profiles of the PKF Wulf Gruppe (hereinafter "PKF") on  and sister sites (hereinafter "TikTok Channel").

The TikTok Channel is provided to PKF by TikTok Technology Limited (hereinafter "TikTok Ireland"), and PKF operates it with a corresponding user account. Via the TikTok Channel, PKF is given the opportunity to present itself to users of TikTok and get in touch with them.

Controllers

In principle, PKF (hereinafter also the Operator) is responsible for the processing of your personal data in connection with the use of the TikTok Channel.

In addition, each time the TikTok services are used, TikTok Ireland jointly processes personal data for its own purposes with TikTok Information Technologies UK Limited (hereinafter "TikTok UK" and for both collectively "TikTok"). PKF has no influence on this data processing, and TikTok acts as an independent controller in this regard.

PKF is jointly responsible with TikTok for the processing of so-called Insights data.

The contact details of TikTok Ireland are:

TikTok Technology Limited          
10 Earlsfort Terrace        
Dublin, D02 T380              
Ireland
E-Mail: dach@tiktok.com

The contact details of TikTok UK are:

TikTok Information Technologies UK Limited      
One London Wall             
London, EC2Y 5EB            
United Kingdom

TikTok has also appointed a Data Protection Officer. You can contact them here.

Interaction with the TikTok Channel

If you are logged in with your personal TikTok account, you can interact with the operator of the TikTok Channel (e.g., like or comment on a post). The associated data is processed by the operator (e.g., your username and your profile picture).

The operator uses this data to optimize the offered content and its presentation and to adapt it to the respective user interests. This data processing is carried out in accordance with Art. 6(1)(f) GDPR (legitimate interest). The legitimate interest derives from the purpose of optimizing our TikTok Channel and the content published there.

General Use of TikTok

When you use the offers of TikTok, TikTok processes your personal data. This includes data such as your IP address, location data, time zone settings, advertising IDs, app and browser versions, as well as data about your device (system, network type, device ID, screen resolution, operating system, audio settings, and connected audio devices). The TikTok profiles and channels you view, likes, messages, and other usage data are also processed. If you are logged in with your own TikTok account, this data will be assigned to your account.

Further information on the processing of your data by TikTok can be found in TikTok's Privacy Policy.

Insights Data

When accessing and using the TikTok Channel, so-called Insights data is additionally processed. This data provides information on how many users accessed the TikTok Channel or posts and at what time. The data is provided to PKF in aggregated form as statistics. It is not possible for PKF to personally identify you or to assign you to your account based on this data.

Further information on the Insights data can be found here.

Please note that Insights data can also be collected from you even if you do not have your own TikTok account.

The lawfulness of this processing is based on Art. 6(1)(f) GDPR (legitimate interest). By analyzing the anonymized Insights data, PKF aims to optimize the content of the channel and thus attract further users. The Insights data contributes to this.

Communications via the Fan Page Functions

Via the TikTok Channel, it is possible to contact the operator via direct messages, the Like function, or comments. In the context of this contact, the name stored in your profile as your username is displayed.

The lawfulness of this processing is based on Art. 6(1)(f) GDPR (legitimate interest). Communication with users is particularly important for PKF in order to answer questions, respond to criticism, build a relationship, and exchange information. Only in this way can the operator improve its services and respond to customer needs. Communication via social media is an important component, especially to reach younger customers. Comments are stored on the channel indefinitely and can be viewed by other users. The same applies to the use of the Like function and direct messages.

Recipients

The data collected when accessing and using the TikTok Channel and the details provided by you when contacting us are transmitted to TikTok and stored there. In addition, your data can also be viewed by PKF employees who are involved in maintaining the TikTok Channel and answering your messages.

Your personal data collected by TikTok is partially transferred to and stored on servers of TikTok in so-called third countries outside the European Union, where a comparable level of data protection cannot be guaranteed. The data transfer to such a third country, such as the USA or China, is permissible under the conditions of Art. 46 GDPR and on the basis of the Standard Contractual Clauses effectively incorporated into the contractual relationship with TikTok. These have been approved by the European Commission and guarantee adequate protection of your personal data. Further information on this can be found here.

Storage Period

The data collected when accessing and using the TikTok Channel is not stored by PKF on its own systems. The data is stored by TikTok in accordance with its own privacy policy. Further information on this can be found directly at TikTok: https://www.tiktok.com/legal/privacy-policy-eea?lang=de.

If you participate in one of the prize draws or product tests conducted by PKF, your data will be deleted after the prize draw or product test has ended, together with the communication that took place in TikTok. The comments under the promotion on the TikTok Channel will not be deleted.

The data relating to your other interactions with the TikTok Channel is not stored by PKF.

Analytics Tools and Advertising

Matomo

This website uses the open-source web analytics service Matomo.

With the help of Matomo, we are able to collect and analyze data about the use of our website by website visitors. This enables us to find out, among other things, when which page views occurred and from which region they come. In addition, we collect various log files (e.g., IP address, referrer, browsers and operating systems used) and can measure whether our website visitors perform certain actions (e.g., clicks, purchases, etc.).

The use of this analytics tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the analysis of user behavior in order to optimize both its web offering and its advertising. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

IP Anonymization

When analyzing with Matomo, we use IP anonymization. Your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.

Cookie-less Analysis

We have configured Matomo so that Matomo does not store any cookies in your browser.

Hosting

We host Matomo with the following third-party provider:

VHUG Technologies OÜ 
Lõõtsa tn 5, 11415 Tallinn, Estonia

The server locations where Matomo is hosted are located in Germany.

Data Processing

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Microsoft Clarity

This website uses Microsoft Clarity. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, learn.microsoft.com/en-us/clarity/faq (hereinafter "Microsoft Clarity").

Microsoft Clarity is a tool for analyzing user behavior on this website. Microsoft Clarity primarily records mouse movements and creates a graphical representation of which part of the website users scroll to most frequently (heatmaps). Microsoft Clarity can also record sessions so that we can view page usage in the form of videos. Furthermore, we receive information about general user behavior within our website.

Microsoft Clarity uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g., cookies or the use of device fingerprinting). Your personal data is stored on Microsoft's servers (Microsoft Azure Cloud Service) in the USA.

If consent has been obtained, the use of the aforementioned service is based exclusively on Art. 6(1)(a) GDPR and Sec. 25 TDDDG. Consent can be withdrawn at any time. If no consent has been obtained, the use of this service is based on Art. 6(1)(f) GDPR; the website operator has a legitimate interest in an effective user analysis.

Further details on Microsoft Clarity's data protection can be found here: https://docs.microsoft.com/en-us/clarity/faq.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. You can obtain further information on this from the provider under the following link: https://www.dataprivacyframework.gov/participant/6474.

Data Processing

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

LinkedIn Insight Tag

This website uses the Insight Tag from LinkedIn. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Data Processing by LinkedIn Insight Tag

With the help of the LinkedIn Insight Tag, we receive information about the visitors to our website. If a website visitor is registered with LinkedIn, we can, among other things, analyze the professional core data (e.g., career level, company size, country, location, industry, and job title) of our website visitors and thus better align our site to the respective target groups. Furthermore, we can use LinkedIn Insight Tags to measure whether the visitors to our websites make a purchase or perform another action (conversion measurement). Conversion measurement can also take place across devices (e.g., from PC to tablet). LinkedIn Insight Tag also offers a retargeting function, with the help of which we can display targeted advertising outside the website to visitors of our website, whereby, according to LinkedIn, no identification of the advertising recipient takes place.

LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser properties, and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymized). The direct identifiers of the LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data is then deleted within 180 days.

The data collected by LinkedIn cannot be assigned to specific individuals by us as the website operator. LinkedIn will store the collected personal data of website visitors on its servers in the USA and use it within the scope of its own advertising measures. Details can be found in LinkedIn's Privacy Policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig.

Legal Basis

The processing is based on your explicit consent. Consent can be withdrawn at any time.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

Objection to the Use of LinkedIn Insight Tag

You can object to the analysis of user behavior and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Furthermore, LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To prevent LinkedIn from linking data collected on our website with your LinkedIn account, you must log out of your LinkedIn account before visiting our website.

Data Processing

We have concluded a Data Processing Agreement (DPA) with the above-mentioned provider. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with data protection regulations.

TikTok Analytics

For our TikTok page, we receive evaluations, so-called "Page Insights", via the "TikTok Analytics" function (https://www.tiktok.com/creator-academy/en/article/tool-analytics-intro) from TikTok, which enable us to analyze reach and interaction, but do not allow the identification of individual users. These are aggregated anonymous data (reports) through which we learn how people interact with our page. Page Insights may be based on personal data collected in connection with a visit or interaction on our TikTok page.

They contain aggregated usage statistics with, for example, the following information, see in detail here:

  • Reach: Number and development of people who view a specific content, post, ad, etc.; number and development of user interactions (likes, shares, etc.) with a specific content, post; from this it can be derived, for example, which content or posts are better received than others.

  • Followers: Number and development of people who follow our page over a certain period of time.

TikTok creates the statistics based on usage data to which we do not have access (https://www.tiktok.com/legal/page/global/information-about-tiktok-analytics/en). We use the statistical information to learn which content is well received by our users and what interests our users have. This enables us to adapt the offers and posts on our page to the needs of our users and to continuously improve our page in a targeted manner.

We cannot assign the statistical usage data to a specific profile or user, nor can we draw any other conclusions about an individual user. Via your TikTok settings, you can decide in what form targeted advertising is displayed to you. Under advertising settings, you can independently adjust your advertising preferences in your user account.

Since TikTok also collects personal data via user interactions with our business account (e.g., views, likes, comments, and shares) in order to provide us with aggregated anonymous reports on the reach of our content on the platform, there is a joint controllership pursuant to Art. 26 GDPR: Information about TikTok Analytics (https://www.tiktok.com/legal/page/global/information-about-tiktok-analytics/en). According to case law, we jointly determine the means and purposes of this processing with TikTok, which is why we have concluded the TikTok Analytics Joint Controller Addendum (https://www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en) with TikTok, see the Commercial Terms of Service (https://www.tiktok.com/legal/page/global/business-terms-eea/de).

Newsletter

Sending Newsletters to Existing Customers

If you order goods or services from us and provide your e-mail address, this e-mail address may subsequently be used by us to send newsletters, provided we inform you of this in advance. In such a case, only direct marketing for our own similar goods or services will be sent via the newsletter. You can cancel the receipt of this newsletter at any time. For this purpose, a corresponding link is provided in every newsletter. The legal basis for sending the newsletter in this case is Art. 6(1)(f) GDPR in conjunction with Sec. 7(3) UWG [German Unfair Competition Act].

After you have unsubscribed from the newsletter distribution list, your e-mail address may be stored by us in a blacklist to prevent future mailings to you. The data from the blacklist is used solely for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6(1)(f) GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

CleverReach

This website uses CleverReach for sending newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter "CleverReach"). CleverReach is a service with which the sending of newsletters can be organized and analyzed. The data you enter for the purpose of receiving the newsletter (e.g., e-mail address) will be stored on CleverReach's servers in Germany or Ireland.

Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. In this context, it can be analyzed, among other things, how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a predefined action (e.g., purchase of a product on this website) has taken place after clicking the link in the newsletter. For further information on data analysis by CleverReach newsletters, please visit: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/.

The data processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw this consent at any time by unsubscribing from the newsletter. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal. 

If you do not want analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message.

The data deposited with us by you for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.

After you have unsubscribed from the newsletter distribution list, your e-mail address may be stored in a blacklist by us or the newsletter service provider, if this is necessary to prevent future mailings. The data from the blacklist is used solely for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6(1)(f) GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

For more details, please refer to the privacy provisions of CleverReach at: https://www.cleverreach.com/de/datenschutz/.

Data Processing

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Atikon

We offer our clients, external interested parties, and the employees of our office locations in Freudenstadt, Bondorf, and Schenkenzell the opportunity to register for our electronic firm newsletter. This service serves to inform you regularly and in a targeted manner about current tax law developments, significant legal deadlines, and relevant firm news.

For the technical organization, the secure dispatch, and the statistical analysis of our newsletter, we use the specialized "SteuerNewsLetterSystem" from the provider Atikon (Atikon Holding GmbH (as well as affiliated executing companies such as Atikon EDV & Marketing GmbH), Pluskaufstraße 7/BC-4OG 01, 4061 Pasching, Austria - hereinafter briefly referred to as "Atikon").

The physical data processing by Atikon takes place on server structures located exclusively within the European Union or the European Economic Area (primarily in Austria). A data transfer to insecure third countries does not take place within the scope of this service. In order to guarantee the data protection security and integrity of your information, we have concluded a strictly instruction-bound Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with Atikon Holding GmbH. The service provider may not use your data for its own purposes or pass it on to unauthorized third parties.

To ensure your rights, registration for our newsletter takes place via a tamper-proof double opt-in process. After initial registration on our website, you will receive an automated e-mail with an individual confirmation link. Only by actively clicking this link will your e-mail address be verified and finally added to our distribution list. This procedure effectively prevents unauthorized third parties from registering abusively with your e-mail address.

As part of this verification process and for the continuous dispatch of the newsletter, the following categories of data are processed by us and our service provider Atikon:

  • Your e-mail address (mandatory for dispatch).

  • If applicable, your first and last name to enable a personal greeting in the newsletter (provided voluntarily by you in the registration form).

  • For documentation and legal verification purposes: your IP address at the exact time of registration and confirmation, coupled with the date and exact time (timestamp) of the respective action.

In order to continuously improve our information offering, our newsletters contain so-called web beacons or tracking pixels. These are tiny, invisible image files that are automatically retrieved from the server of the provider Atikon when the e-mail is opened. As part of this systemic retrieval, technical information such as details about the browser and operating system you use, your IP address, and the exact time of the retrieval are collected.

Furthermore, the system evaluates whether the newsletter was opened and which specific links within the newsletter were clicked by you and how often (click tracking). We use this analytical information to monitor the technical performance of the system and to optimize the content relevance of our topic selection (e.g., identification of particularly relevant tax topics) based on the reading behavior of our target groups.

Note on technical prevention: You can technically prevent tracking on your terminal device, even if consent has been given, by deactivating the display of external images or HTML content by default in the settings of your e-mail program and reading the newsletter in plain text or offline mode.

You have the right to withdraw your consent to receive the newsletter and/or the associated tracking at any time and without giving reasons, with effect for the future. You can declare your withdrawal simply by clicking on the standardized "unsubscribe" link included at the end of every newsletter sent or by sending an informal message to the contact details provided in the imprint (of the respective location administration in Freudenstadt, Bondorf, or Schenkenzell). The legal permissibility of the data processing carried out until the withdrawal remains unaffected by your withdrawal.

Important note regarding the handling of your data after withdrawal (blocklist): After you have successfully unsubscribed, your e-mail address will not be immediately and completely physically deleted from our systems. Rather, it will be recorded on an internally protected blocklist. This is technically mandatory to ensure on the system side that you will not receive any further newsletter mailings from us in the future. In addition, the temporary storage on this blocklist serves as legal proof of a previously lawfully given and later withdrawn consent to defend against possible competition or data protection claims. Storage on the blocklist takes place within this narrow framework on the basis of our overriding legitimate interest pursuant to Art. 6(1)(f) GDPR. The duration of storage on the blocklist is based on the regular civil law limitation period and is up to three years, beginning at the end of the year in which the withdrawal was effectively declared. Subsequently, the data will be permanently deleted, provided that no other overriding statutory retention obligations (e.g., from the Fiscal Code) preclude deletion.

Further, in-depth information on technical data processing and general data protection at our software service provider can be found in the privacy policy of Atikon Holding GmbH, available at: https://www.atikon.com/datenschutz/.

Plugins and Tools

Google Maps

This site uses the mapping service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. With the help of this service, we can integrate maps on our website.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer. When Google Maps is activated, Google may use Google Fonts for the purpose of a uniform presentation of fonts. When you access Google Maps, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we indicate on the website. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

For more information on the handling of user data, please refer to Google's Privacy Policy: https://policies.google.com/privacy?hl=de.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. You can obtain further information on this from the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Audio and Video Conferences

Data Processing

For communication with our customers, we use, among other things, online conference tools. The specific tools we use are listed below. If you communicate with us via the internet by video or audio conference, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/use to utilize the tools (e-mail address and/or your telephone number). Furthermore, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants, and other "contextual information" related to the communication process (metadata).

Furthermore, the provider of the tool processes all technical data required to process the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.

If content is exchanged, uploaded, or otherwise made available within the tool, this is also stored on the servers of the tool providers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared while using the service.

Please note that we do not have comprehensive influence on the data processing operations of the tools used. Our capabilities are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference tools, please refer to the privacy policies of the respective tools used, which we have listed below this text.

Purpose and Legal Bases

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Insofar as consent has been requested, the tools in question will be used on the basis of this consent; consent can be withdrawn at any time with effect for the future.

Storage Period

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, withdraw your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no influence on the storage period of your data stored by the operators of the conference tools for their own purposes. For details, please obtain information directly from the operators of the conference tools.

Conference Tools Used

We use the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Privacy Policy of Microsoft Teams: https://privacy.microsoft.com/de-de/privacystatement.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. You can obtain further information on this from the provider under the following link: https://www.dataprivacyframework.gov/participant/6474.

Data Processing

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Own Services

Handling of Applicant Data

We offer you the opportunity to apply with us (e.g., via e-mail, post, or online application form). Below, we inform you about the scope, purpose, and use of your personal data collected as part of the application process. We assure you that the collection, processing, and use of your data takes place in accordance with applicable data protection law and all other statutory provisions, and that your data is treated with strict confidentiality.

Scope and Purpose of Data Collection

If you send us an application, we process your associated personal data (e.g., contact and communication data, application documents, notes taken during job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is Sec. 26 BDSG under German law (initiation of an employment relationship), Art. 6(1)(b) GDPR (general contract initiation), and – provided you have given your consent – Art. 6(1)(a) GDPR. Consent can be withdrawn at any time. Within our company, your personal data will only be passed on to persons involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Sec. 26 BDSG and Art. 6(1)(b) GDPR for the purpose of executing the employment relationship.

Retention Period of the Data

If we are unable to make you a job offer, you reject a job offer, or you withdraw your application, we reserve the right to retain the data submitted by you on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). Subsequently, the data will be deleted and the physical application documents destroyed. This retention serves in particular for evidentiary purposes in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g., due to an impending or pending legal dispute), deletion will only take place when the purpose for further retention no longer applies. A longer retention may also take place if you have given corresponding consent (Art. 6(1)(a) GDPR) or if statutory retention obligations preclude deletion.

Inclusion in the Applicant Pool

If we do not make you a job offer, there may be the possibility of including you in our applicant pool. In the event of inclusion, all documents and information from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.

Inclusion in the applicant pool takes place exclusively on the basis of your explicit consent (Art. 6(1)(a) GDPR). The provision of consent is voluntary and has no relation to the ongoing application process. The data subject can withdraw their consent at any time. In this case, the data from the applicant pool will be irrevocably deleted, provided there are no statutory reasons for retention.

The data from the applicant pool will be irrevocably deleted no later than two years after consent was given.

Handling of Business Cards

As part of the exchange of business cards, we receive access to the personal data provided by you via the business card. We use the information on your business card for the purposes of communication and following up on the contact. If you requested during our conversation (exchange of business cards) that we send you information about our products and services, we will send you the information about our company to the contact details on your business card. Should no further exchange take place, or if you do not respond to our contact and follow-up, we will delete your data (business card) within 1 year. You have the right to request the deletion of your data at any time – please feel free to send us an informal e-mail for this purpose.