PRIVACY POLICY
This privacy policy explains the type, scope and purpose of processing of personal data (hereinafter referred to as ‘data’) in the context of provision of our services, as well as within our online offer and the websites, functions and content associated with it, as well as external online presences, e.g. our social media profile (hereinafter jointly referred to as the ‘online offer’). Regarding the terminology used, e.g. ‘processing’ or ‘data controller’, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
DATA CONTROLLER
Otto ID Solutions GmbH
Vilbeler Landstr. 36
60386 Frankfurt
Proprietor:
Karsten Otto
Contact:
Telephone: +49 69 401 486 63
Email: info@otto-id.com
VAT
VAT ID no pursuant to § 27 a of the German VAT Act:
DE316445007
TYPES OF DATA PROCESSED
– Stock data (e.g. personal master data, names or addresses).
– Contact data (e.g. email addresses, telephone numbers).
– Content data (e.g. text input, photographs, videos).
– Usage data (e.g. websites visited, interest in content, times of access).
– Meta/communication data (e.g. device information, IP addresses).
CATEGORIES OF DATA SUBJECTS
Visitors to and users of the online offer (data subjects are hereinafter jointly referred to as ‘users’).
PURPOSE OF PROCESSING
– Provision of the online offer, its functions and content.
– To respond to contact requests and to communicate with users.
– Security measures.
– Measurement of reach/marketing.
TERMINOLOGY USED
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed in connection with personal data, with or without the use of automated processes. This term is wide-ranging and basically covers any data handling.
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Profiling’ means any form of automated processing of personal data, consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
RELEVANT LEGAL BASES
In accordance with Art. 13 GDPR, we provide information about the legal bases of our data processing. The following applies to users from the area in which the General Data Protection Regulation (GDPR) is in force, i.e. the EU and the EEC, unless the legal basis is not specified in the privacy policy:
The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR;
The legal basis for processing in order to be able to perform our services and execute contractual measures, as well as to respond to enquiries, is Art. 6(1)(b) GDPR;
The legal basis for processing in order to be able to fulfil contractual obligations, is Art. 6(1)(c) GDPR;
Art. 6(1)(d) GDPR applies in cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person.
The legal basis where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, is Art. 6(1)(e) GDPR.
The legal basis for processing in order to protect our legitimate interests is Art. 6(1)(f) GDPR;
Personal data is processed, for a purpose other than that for which it has been collected, in accordance with Art. 6(4) GDPR.
Processing of special categories of personal data (in accordance with Art. 9(1) GDPR) is in accordance with Art. 9(2) GDPR.
SECURITY POLICY
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with the legal requirements.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as controlling access, input, transmission, security of availability and separation concerning the data. We have also set up processes to ensure the rights of the data subject can be exercised, data deleted and risks to data responded to. Furthermore, we take into consideration the protection of personal data when developing and/or selecting hardware, software and processes, according to the principle of data protection, by means of technical design and data-protection friendly defaults.
COOPERATION WITH PROCESSORS, JOINT CONTROLLERS AND THIRD PARTIES
If, during the course of processing, we disclose personal data to other persons and businesses (processors, joint controllers or third parties), send personal data to them or otherwise allow them access to personal data, this is only done if this is allowed by law (e.g. if it is necessary to send personal data to a third party, e.g. a payment service provider, in order to perform the contract), if the users have given their consent, if this is provided for by a legal obligation, or on the basis of our legitimate interests (e.g. use of representatives, web hosts, etc.).
If we disclose, transmit or otherwise allow access to personal data from other businesses in our group, this is done, in particular, for administrative purposes as a legitimate interest and, furthermore is based on legal requirements.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
If we process personal data in a third country (i.e. outside of the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or if this takes place in the context of using third-party services or disclosure and/or transfer of data to other persons or businesses, this will only be done if it is for fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have personal data processed in third countries if the legal prerequisites are present. That is, personal data is processed e.g. on the basis of special guarantees, such as the officially recognized establishment of a level of data protection that corresponds to that of the EU (e.g. ‘Privacy Shield’ for the USA) or the observance of officially recognised, special contractual obligations.
RIGHTS OF THE DATA SUBJECT
You have the right to request confirmation about whether the relevant personal data is being processed, and to information about this personal data, as well as to further information and a copy of the data according to the legal regulations.
In accordance with the legal regulations, you also have the right to request completion of the personal data concerning you or rectification of inaccurate personal data concerning you.
In accordance with the legal regulations, you have the right to obtain from the controller the erasure of personal data concerning you without undue delay or, alternatively, in accordance with the legal regulations, you have the right to obtain from the controller restriction of processing.
You have the right to receive the personal data concerning you, which you have provided to us, in accordance with the legal regulations, and the right to transmit those data to another controller without hindrance from us.
Furthermore, in accordance with the legal regulations, you also have the right to lodge an objection with the competent supervisory authority.
RIGHT OF WITHDRAWAL
You have the right to withdraw any consent you have given with effect for the future.
RIGHT TO OBJECT
You have the right to object at any time to future processing of personal data concerning you, in accordance with the legal regulations. In particular, you have the right to object to processing for the purposes of direct marketing.
COOKIES AND THE RIGHT TO OBJECT TO DIRECT ADVERTISING
‘Cookies’ are small files that are stored on the user’s computer. Different information can be stored within cookies. Cookies are primarily used to store information about a user (or the device on which the cookie is stored) during or after the user’s visit to a website. ‘Session’ or ‘transient’ cookies are temporary cookies that are deleted when the user leaves a website and closes their browser. For example, the content of a shopping basket in an online shop or a login status can be stored in this type of cookie. ‘Permanent’ or ‘persistent’ cookies remain stored by the browser after it is closed. For example, the login status can be stored so that it is still available when the user returns to the website after several days. The user’s interests can also be stored in this type of cookie and used for measuring reach or for marketing purposes. ‘Third-party cookies’ are cookies that are offered by providers other than the controller that operates the website (cookies set by the controller itself are referred to as ‘first-party cookies’).
We can use temporary and permanent cookies, and provide information about this in our privacy policy.
Users who do not want cookies to be stored on their computer are asked to deactivate the relevant options in their browser’s system settings. It is possible to delete stored cookies in the browser’s system settings. Users might not be able to use all of the functions of this website if they do not accept cookies.
There are a number of services where you can make a general objection to the use of cookies for the purposes of online marketing and, particularly in the case of tracking, via the US American site https://www.aboutads.info/choices/ or the EU site https://www.youronlinechoices.com/. You can also block storage of cookies by making the appropriate settings in your browser. Please note that, if you block cookies, you might not be able to use all of the functions of our website.
DELETION OF DATA
The personal data that we process will be deleted or its processing will be restricted in accordance with the legal regulations. Unless expressly stated otherwise in this privacy policy, the personal data that we have stored will be deleted as soon as it is no longer required for its intended purpose and if no statutory retention obligations conflict with deletion.
If personal data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. That is, the personal data will be blocked and not used for other purposes. That applies, for example, to data that must be stored for commercial or tax law reasons.
AMENDMENTS OR UPDATES TO THE PRIVACY POLICY
Please read our privacy policy regularly. We will amend our privacy policy as soon as changes to our processing of data necessitate this. We will inform you if the amendments require your cooperation (e.g. consent) or if separate individual notification is required.
BUSINESS-RELATED PROCESSING
We also process the
– Contractual data (e.g. subject of the contract, term, customer category).
– Payment data (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purposes of providing contractual services, servicing and customer care, marketing, advertising and market research.
AGENCY SERVICES
We process our customers’ data in the context of our contractual services, which include conceptual and strategic consultation, campaign planning, software and design development/consultation or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consultancy services and training services.
We process stock data (e.g. customer master data, such as names and addresses), contact details (e.g. email, telephone numbers), content data (e.g. text input, photographs, videos), contractual data (e.g. subject of the contract, term), payment data (e.g. bank details, payment history), and use and meta data (e.g. in the context of evaluating and measuring the success of marketing activities). There are particular categories of personal data that we do not process, unless they are part of commissioned processing. Data subjects include our customers and interested parties, as well as their customers, users, website visitors or employees, as well as third parties. The purpose of processing consists of provision of contractual services, invoicing and our customer service. The legal bases for processing result from Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (analysis, statistics, optimisation, security). We process personal data that is necessary for justification and fulfilment of contractual services, and refer to the necessity of the information. Personal data is only disclosed to third parties if this is necessary in the context of an order. When processing the data transferred to us in the context of an order, we act in accordance with the instructions of the client, as well as the legal requirements of order processing in accordance with Art. 28 GDPR, and do not process data for any purposes other than those in accordance with the order.
We delete data after expiry of statutory warranty obligations and comparable obligations. The necessity of storage of data is reviewed every three years. If there are statutory archiving obligations, personal data is deleted following their expiry (6 years, pursuant to § 257(1) HGB [German commercial code], 10 years, pursuant to § 147(1) AO [German tax code]). In the case of personal data that the client discloses to us in the context of an order, we delete the data according to the guidelines of the order, essentially when the order ends.
CONTRACTUAL SERVICES
We process the personal data of our contractual partners and interested parties, as well as other clients, customers or contractual partners (jointly referred to as ‘contractual partners’), in accordance with Art. 6(1)(b) GDPR, in order to provide them with our contractual or precontractual services. The personal data processed, the type, scope and purpose and the necessity of processing this personal data are determined in accordance with the underlying contractual relationship.
The personal data to be processed includes the master data of our contractual partners (e.g. names and addresses), contact details (e.g. email addresses and telephone numbers), as well as contractual data (e.g. services used, subject matter of the contract, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).
There are particular categories of personal data that we do not process, unless they are part of commissioned processing, or processing as stipulated in the contract.
We process personal data that is necessary for justification and fulfilment of contractual services, and refer to the necessity of the information, if this is not obvious to the contractual partner. Personal data is only disclosed to third-party persons or businesses if this is necessary as part of the contract. When processing the personal data transferred to us in the context of an order, we act in accordance with the instructions of the client, as well as the legal requirements.
In the context of use of our online services, we can save the IP address and the time of each user action. This data is saved on the basis of our legitimate interests, as well as the users’ interests in protection against misuse of data and other unauthorised use. This personal data is essentially not passed onto third parties, unless it is required for pursuing our claims pursuant to Art. 6(1)(f) GDPR, or if there is a legal obligation to do so pursuant to Art. 6(1)(c) GDPR.
Personal data is deleted if it is no longer necessary for fulfilment of a contractual or statutory duty of care, or for handling any obligations under warranty or comparable obligations, whereby the necessity of retaining the personal data is reviewed every three years; statutory data retention obligations apply.
ADMINISTRATION, FINANCIAL ACCOUNTANCY, OFFICE ORGANISATION, CONTACT MANAGEMENT
We process personal data as part of administrative work, as well as organisation of our business, financial accounting and compliance with legal obligations, e.g. archiving. In the course of this, we process the same data that we process in the context of providing our contractual services. This processing is based on Art. 6(1)(c) GDPR, Art. 6(1)(f) GDPR. This processing affects customers, interested parties, business partners and visitors to the website. The purpose of the processing, and our interest in it, is administration, financial accounting, office organisation and archiving of data, i.e. tasks that serve the purpose of maintaining our business activities, fulfilling our responsibilities and providing our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information specified for these processing activities.
We disclose or transfer data to the tax authorities and consultants, e.g. tax advisors or auditors, as well as other billing centres and payment service providers.
On the basis of our business management interests, we also save information about suppliers, organisers and other business partners, e.g. for the purposes of later making contact with them. We save this mainly business-related information in the long term.
BUSINESS MANAGEMENT ANALYSES AND MARKET RESEARCH
In order to be able to run our business economically, and to be able to recognise market trends, the wishes of contractual partners and users, we analyse the data that we have on business processes, contracts and enquiries, etc. We process master data, communication data, contract data, payment data, usage data, and metadata on the basis of Art. 6(1)(f) GDPR, whereby the affected persons are contractual partners, interested parties, customers, visitors and users of our online offer.
The analyses are done for the purposes of business management analyses, marketing and market research. We can take into consideration the profiles of the registered users with information, e.g. about the services they use. The analyses help us to improve user-friendliness, and optimise our offer and business management. The analyses are only for us and are not disclosed externally, unless they are anonymous analyses with summarised values.
If these analyses or profiles are related to persons, they are deleted or anonymised when the user cancels, or two years after conclusion of the contract. Global business management analyses and general identification of trends are done anonymously where possible.
DATA PROTECTION INFORMATION IN APPLICATION PROCEDURES
We only process applicant data for the purpose and in the context of the application process, in accordance with legal regulations. We process applicant data to fulfil our (pre)contractual obligations in the context of the application process within the meaning of Art. 6(1)(b) GDPR, or Art. 6(1)(f) GDPR if the processing of data is necessary for us e.g. as part of legal processes (§ 26 BDSG [German Federal Data Protection Act] also applies in Germany).
The application process requires applicants to send applicant data to us. The required applicant data is identified if we provide an online form, otherwise it can be found in the job descriptions, and essentially includes information about the person, postal and contact addresses and the documents that form part of the application, such as covering letters, CVs and references. Applicants can also voluntarily provide us with additional information.
By sending the application to us, applicants express their agreement to their data being processed for the purposes of the application process in the manner and to the extent set forth in this privacy policy.
If specific categories of personal data within the meaning of Art. 9(1) GDPR are communicated as part of the application process, they will also be processed pursuant to Art. 9(2)(b) GDPR (e.g. health data, such as severe disability, or ethnic origin). If specific categories of personal data within the meaning of Art. 9(1) GDPR are requested as part of the application process, they will also be processed pursuant to Art. 9(2)(a) GDPR (e.g. health data, if this is necessary for exercise of the occupation).
Applicants can send their applications by means of an online form on our website, if we have provided such a form. Data is encrypted in accordance with the state of the art for transfer to us.
Applicants can also send us their applications via email. However, it should be noted that emails are not encrypted, and that applicants are responsible for encrypting their own emails. We therefore cannot accept any responsibility for the transmission path of the application between the sender and receipt on our server. For that reason, we recommend using an online form or sending documents by post. Applicants can also send us their application by post, instead of applying using the online form or by email.
If an application is successful, we may further process the data made available by the applicant, for the purposes of our employer-employee relationship. If the job application is unsuccessful, the applicant’s data will be deleted. The applicant’s data will also be deleted if an application is withdrawn, which the applicant is entitled to do at any time.
If the applicant legitimately withdraws their application, data is deleted following expiry of a period of six months, to enable us to answer any follow-up questions to the application and to fulfil our obligation to provide evidence. Invoices for any reimbursement of travelling expenses are archived pursuant to tax law regulations.
CONTACT
If users make contact with us (e.g. using the contact form, email, telephone or via social media), we will process the users’ information in order to deal with the enquiry pursuant to Art. 6(1)(b) GDPR (in the context of contractual/precontractual relationships) and Art. 6(1)(f) GDPR (other enquiries). The users’ information can be stored in a customer relationship management system (‘CRM system’) or similar means of organising enquiries.
We delete enquiries when they are no longer necessary. We review the necessity of enquiries every two years; statutory archiving obligations also apply.
HOSTING AND SENDING EMAILS
We use hosting services in order to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, sending emails, security services, as well as technical maintenance services that we use for the purpose of operating our online offer.
For this purpose we, or rather, our hosting provider, process master data, contact details, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer, on the basis of our legitimate interest in efficiently and securely providing this online offer pursuant to Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of a processing agreement).
COLLECTION OF ACCESS DATA AND LOG FILES
We, or rather, our hosting provider, collect data about every access to the server on which our service is located (‘server log files’), on the basis of our legitimate interest within the meaning of Art. 6(1)(f) GDPR. Access data includes the name of the website retrieved, file, date and time of retrieval, quantity of data transferred, notification of successful retrieval, browser type and version, users’ operating system, referrer URL (site visited previously), IP address and the provider making the request.
For security reasons (e.g. to resolve improper or fraudulent activity), log file information is stored for a maximum of 7 days before being deleted. Data that is required to be stored for longer for evidence purposes is excluded from deletion until the incident in question has been definitively resolved.
ONLINE PRESENCE IN SOCIAL MEDIA
We maintain an online presence within social networks and platforms, in order to be able to communicate with the customers, interested parties and users on these social networks and platforms, and to inform them about our services.
We refer to the fact that users’ personal data may be processed outside of the European Union. This could result in risks for the users, because it may make enforcement of the users’ rights more difficult. US providers that are certified under Privacy Shield are required to maintain the data protection standards of the EU.
In addition, users’ personal data is, as a rule, used for market research and advertising purposes. For example, usage profiles can be created from usage behaviour and the interests of the users it reveals. In turn, the usage profile can, for example, be used to display advertisements that presumably correspond to the users’ interests, both within and outside of the platforms. For these purposes, cookies are normally stored on the users’ computer, and the users’ usage behaviour and interests stored in them. In addition, personal data can be stored in the usage profiles independently of the devices used by the users (particularly if the users are members of and logged into the relevant platforms).
The users’ personal data is processed on the basis of our legitimate interest in effectively informing users and communicating with users, pursuant to Art. 6(1)(f) GDPR. If the users are asked by the respective providers of the platforms to consent to the data processing described above, the legal basis for processing is Art. 6(1)(a) and Art. 7 GDPR.
For detailed descriptions of processing, as well as opt-outs, please see the information from the providers by following the links below.
For information and for assertion of your rights as a user, it is best to contact the provider in question. Only the providers have access to users’ data and can take measures and provide information. However, please contact us if you need help.
– Facebook, pages and groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the basis of an agreement on joint processing of personal data – privacy policy: https://www.facebook.com/about/privacy/, specifically for the pages: https://www.facebook.com/legal/terms/information_about_page_insights_data, opt-out: https://www.facebook.com/settings?tab=ads and https://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
– Google / YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – privacy policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
– Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – privacy policy / opt-out: https://instagram.com/about/legal/privacy/.
– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – privacy policy: https://twitter.com/en/privacy, opt-out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
– Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – privacy policy / opt-out: https://about.pinterest.com/de/privacy-policy.
– LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – privacy policy: https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.
– Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) – privacy policy / opt-out: https://privacy.xing.com/en/privacy-policy.
– Wakelet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) – privacy policy / opt-out: https://wakelet.com/privacy.html.
– Soundcloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) – privacy policy / opt-out: https://soundcloud.com/pages/privacy.
INTEGRATION OF THIRD-PARTY SERVICES AND CONTENT
On the basis of our legitimate interest (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6(1)(f) GDPR), we use content or service offers from third party providers, in order to incorporate their content and services, e.g. videos or fonts (hereinafter referred to as ‘content’).
The third-party providers of this content always need to use the users’ IP address as, without the IP address, they could not send the content to the users’ browser. The IP address is therefore necessary for presentation of this content. We endeavour to only use content from providers that only use IP addresses for delivery of content. Third-party providers can also use ‘pixel tags’ (invisible graphics that are also known as ‘web beacons’) for statistical or marketing purposes. ‘Pixel tags’ allow information, such as visitor traffic on pages of this website, to be evaluated. Pseudonymous information may also be stored in cookies on the users’ device, and may contain information including technical information about the browser and operating system, referring websites, time of visit, as well as other information about use of our online offer, and may also be associated with information from other sources.
VIMEO
We may incorporate videos from the platform ‘Vimeo’ from the provider Vimeo Inc., attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Privacy policy: https://vimeo.com/privacy. Vimeo may use Google Analytics and refer to the privacy policy (https://policies.google.com/privacy) as well as opt-out options for Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=de) or Google’s settings for use of data for marketing purposes (https://adssettings.google.com/).
YOUTUBE
We incorporate videos from the platform ‘YouTube’ from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
GOOGLE FONTS
We use fonts (‘Google Fonts’) from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
This is an English translation. German text generated by Datenschutz-Generator.de by RA Dr. Thomas Schwenke