Data privacy
I. General
Scope
This privacy policy relates to the following topics:
- Use of our website/s and all other websites referring to it
- Processing of applications
- Training and certification for B2B partners/customers
- Use of our external pages
The Privacy Policy for the FAZUA App can be found here.
Body responsible for data processing (“controller”)
We take the protection of your personal data and the legal obligations to ensure data protection very seriously. The law requires full transparency regarding the processing of personal data. You as a data subject can only understand the details of the processing if you are duly informed about the purpose, nature and scope of the processing.
The body responsible for the data processing, i.e. the controller within the meaning of the General Data Protection Regulation (GDPR) is
Porsche eBike Performance GmbH
Marie-Curie-Straße 6
85521 Ottobrunn
Germany
Tel.: +49 (0)89 / 540462-100
Mail: contact@porsche-ep.com
referred to hereinafter as "controller" or “we”.
You can contact our data protection officer at:
dpo@porsche-ep.com
Definitions
The terms used in this privacy policy (e.g. data categories, purposes and legitimate interests, as well as terms from the GDPR) are explained in the section "Definition of terms" (IX.).
Information on data processing
We only process personal data to the extent permitted by law. We only disclose or transfer personal data to third parties in the cases described below. The personal data are protected by appropriate technical and organisational measures (e.g. pseudonymisation, encryption).
Except where we are obliged by law to store the data or disclose or transfer them to third parties (including but not limited to prosecuting authorities), the decision which personal data we process and for how long and to which extent we may disclose or transfer them to third parties depends on the specific website features you use from time to time.
Storage duration
The personal data will be deleted as soon as the purpose of the processing is no longer applicable or another reason for deletion pursuant to Art. 17 para. 1 GDPR applies (e.g. you have revoked your consent given to us). In exceptional cases, we may nevertheless continue to process your personal data if an exception to the deletion obligation applies, in particular pursuant to Art. 17 para. 3 GDPR or another law (e.g. there is a statutory storage obligation).
If we need to provide information about the storage duration of cookies and similar technologies, you will find the relevant details in our consent tool, which you can access here.
Personal data that we process as part of an application (see below) will be stored for a period of DURATION after completion of the application process.
Automated individual decision-making, including profiling
Automated individual decision-making including profiling does not take place.
Data subjects’ rights
As a data subject you have the right of access/right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR.
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
The supervisory authority responsible for us/our headquarters is:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
However, you are free to file a complaint with any other data protection supervisory authority.
Controller’s notification obligations
We will communicate any rectification or erasure of your personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.
Obligation to provide or disclose data
Unless stated otherwise in the explanations below regarding the applicable legal basis, you are not obliged to provide or disclose personal data to us. However, in the cases referred to in Art. 6 (1) (b) GDPR, the personal data are necessary for entering into or performing a contract. If you do not provide us with the relevant personal data, it will be impossible for us to enter into, or perform, the contract. If you do not provide us with the data in the cases referred to in Art. 6 (1) (a) and (f) GDPR, you will not be able to use the respective parts of our website.
Transfer of data to third countries
Data transfers to third countries outside the European Union (EU) and the European Economic Area (EEA) are only permitted in compliance with the special provisions of Art. 44 et seq. GDPR. If such a third country transfer occurs when processing your personal data, we will inform you below about the third country transfer and the basis for the transfer.
General information on the basis of the transfer:
If the transfer is based on an exception pursuant to Art. 49 GDPR, you will find the details at the relevant point.
If the transfer is based on an adequacy decision within the meaning of Art. 45 GDPR, you will find an overview of the adequacy decisions here:
If the transfer is based on so-called standard contractual clauses of the EU Commission within the meaning of Art. 46 (2) (c) GDPR, you can find the implementing decision 2021/914 of the EU Commission, which contains the standard contractual clauses, here:
If the transfer is based on binding corporate rules (BCR) within the meaning of Art. 46 (2) (b) GDPR, you can find an overview of the published BCR here:
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (1) (f) GDPR. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing. The objection is not subject to formal requirements and should be sent to the contact data stated above.
Revocation of consent
Pursuant to Art. 7 (3) sentence 1 GDPR, you have the right to withdraw your consent by mail or email, without observing any other formal requirements, at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. After you have withdrawn your consent, we will delete the personal data we have processed based on your consent unless there is another legal basis for the processing of these data.
The withdrawal is not subject to formal requirements and should be sent to the contact data stated above.
II. Interaction of the privacy policy and the cookie policy
The privacy policy informs you about data processing on the basis of the provisions of the GDPR. If you are searching for information on storing or reading data on your end device, you will find the relevant information in the consent tool and in the cookie policy.
III. Use of our website(s)
The use of the website(s) and its functions regularly requires the processing of personal data. Unless otherwise indicated, the following statements refer to all websites that we operate and that refer to this privacy policy.
Please note that links on our website may take you to other websites that are not operated by us, but by third parties. Such links are either clearly marked by us or are recognizable by a change in the address line of your browser. We are not responsible for compliance with data protection regulations and the secure handling of your personal data on these websites operated by third parties.
Unless otherwise stated, the information on processing activities applies to all websites. Where sections only apply to certain pages, this is noted in brackets as follows:
Label | Website
Porsche eBike Performance |
FAZUA |
B2C-Shop |
B2B-Shop |
Dealer Portal |
Use of our website
Purpose of processing: Advertising and personalized marketing measures, Information security
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; customer acquisition, customer retention, customer recovery; promotion of sales activities; operation, integrity and security of digital products
Data categories: Usage data, connection data
Recipients of data: IT service providers
Intended third country transfer: in individual cases third countries (based on adequacy decision of the EU commission, standard contractual clauses)
Online store (B2C store, B2B store)
Purpose of processing: Purchase order execution and contract management, advertising and personalized marketing measures
Legal basis: Art. 6 (1) (1) (b), (f) GDPR
Legitimate interests: Design, operation and availability of digital products; customer acquisition, customer retention, customer recovery; promotion of sales activities; operation, integrity and security of digital products
Data categories: Master data, contact data, content data, contract data, payment data, usage data and connection data
Recipient of data: IT service provider
Intended third country transfer: in individual cases third countries (based on adequacy decision of the EU commission, standard contractual clauses)
Subscription to our personalized newsletter and other mailings (Porsche eBike Performance, FAZUA, B2C store, B2B store)
Purpose of processing: Advertising and personalized marketing measures, user, prospect and/or customer support, analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (a), (f) GDPR
Legitimate interests: Customer acquisition, customer retention, customer recovery, promotion of sales activities, promotion of economic interests, advertising and image improvement, market and opinion research
Data categories: Master data, contact data and connection data
Recipient of data: IT service provider
Intended third country transfer: in individual cases third countries (based on standard contractual clauses)
Customer account (B2C store, B2B store)
Purpose of processing: Advertising and personalized marketing measures, Purchase order execution and contract management
Legal basis: Art. 6 (1) (1) (b), (f) GDPR
Legitimate interests: Design, operation and availability of digital products; customer acquisition, customer retention, customer recovery; promotion of sales activities; operation, integrity and security of digital products
Data categories: Connection data, content data, master data if applicable and contact data if applicable
Recipients of the data: (IT) service providers
Intended third country transfer: In individual cases, third countries (on the basis of standard data protection clauses and on the basis of adequacy decisions)
Use of contact forms and support requests
Purpose of processing: User, prospect and/or customer support
Legal basis: Art. 6 (1) (1) (f) GDPR; Art. 6 (1) (1) (b) GDPR (if the request leads to the conclusion of a contract at a later date or concerns an existing contract)
Legitimate interests: Integration of desired or required functionalities; promotion of economic interests; analysis and optimization of our own offers, services and advertising measures; customer acquisition, customer retention, customer recovery
Data categories: connection data, content data, in some cases master data and contact data
Recipients of data: IT service providers
Intended third country transfer: in individual cases third countries (based on adequacy decision of the EU commission, standard contractual clauses)
Payment services (B2C store, B2B store)
Purpose of processing: Purchase order execution and contract management, Identity and/or creditworthiness check
Legal basis: Art. 6 (1) (1) (b), (f) GDPR
Legitimate interests: Prevention of criminal offenses, administrative offenses and other detrimental actions
Data categories: contact data, master data, contract data if applicable, payment data, usage data if applicable, connection data if applicable
Recipients of the data: Banks and other financial service providers
Intended third country transfer: None
Consent management
Purpose of processing: Legal affairs and compliance measures, information security
Legal basis: Art. 6 (1) (1) (c), (f) GDPR
Data categories: master data, contact data, usage data, connection data (if applicable)
Legitimate interests: Prevention of criminal offenses, administrative offenses and other detrimental actions, integration of desired or required functionalities
Recipient of the data: IT service provider
Intended third country transfer: None
Marketing measures
Purpose of processing: Advertising and personalized marketing activities.
Legal basis: Art. 6 (1) (1) (a), (f) GDPR
Legitimate interests: promotion of economic interests; advertising and image improvement, market and opinion research, analysis and optimization of our own offers, services and advertising measures
Data categories: Usage data, connection data
Data recipients: IT service providers, operators of advertising networks and advertising partners
Intended third country transfer: Depending on the services used, for details see Cookie Policy or Consent Tool.
Analysis and performance measurement
Purpose of processing: Analysis and Performance measurement as well as optimization of products and/or services; advertising and personalized marketing activities
Legal basis: Art. 6 (1) (1) (a), (f) GDPR
Legitimate interests: advertising and image improvement, market and opinion research; promotion of economic interests
Data categories: usage data, connection data, in some cases content data
Recipients of data: IT service providers
Intended third country transfer: depending on the service used, for details see our Cookie Policy.
Integration of external fonts
Purpose of processing: Advertising and personalized marketing activities
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products
Data categories: connection data
Recipients of data: IT service providers
Intended third country transfer: in individual cases third countries (based on adequacy decision of the EU commission)
Integration of external contents (photos, videos and other content)
Purpose of processing: Advertising and personalized marketing activities
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; Integration of desired or required functionalities; customer acquisition, customer retention, customer recovery
Data categories: connection data; in some cases usage data
Recipients of data: IT service providers
Intended third country transfer: in individual cases USA (based on adequacy decision of the EU commission)
Download area (Dealer Portal)
Purpose of processing: Purchase order execution and contract management
Legal basis: Art. 6 (1) (1) (b), (f) GDPR
Legitimate interests: Promotion of sales activities, integration of desired or required functionalities
Data categories: Usage data, connection data, possibly content data
Recipient of the data: IT service provider
Intended third country transfer: None
IV. Processing of applications (Jobs and career)
Processing of applications
Purpose of processing: Applicant management
Legal basis: Art. 6 para. 1 sentence 1 letter b GDPR in conjunction with § 26 para. 1 sentence 1 BDSG; for the forwarding of your application to affiliated companies Art. 6 para. 1 sentence 1 letter a GDPR in conjunction with § 26 para. 1 sentence 1, para. 2 BDSG.
Data categories: Master data, contact data, content data, contract data, applicant and employee data, possibly connection data, in some cases also usage data and possibly special categories of personal data within the meaning of Art. 9 (1) GDPR (depending on the specific job advertisement; we will only store the data relating to your application that you provide to us and that we are permitted to process for the purpose of processing an application)
Recipient of the data: IT service providers; if relevant affiliated companies (depending on the consent)
Intended transfer to third countries: None
Management of a talent pool
Purpose of processing: Applicant management
Legal basis: Art. 6 para. 1 sentence 1 letter a GDPR in conjunction with § 26 para. 1 sentence 1, para. 2 BDSG
Data categories: Master data, contact data, content data, contract data, applicant and employee data, possibly connection data, in some cases also usage data and possibly special categories of personal data within the meaning of Art. 9 (1) GDPR (we will only store the data relating to possible future job openings that you provide to us and that we are permitted to process for the purpose of processing an application)
Recipient of the data: IT service providers
Intended third country transfer: None
V. Trainings and other events (online and offline)
Data processing for events
Purpose of processing: Event management, Purchase order execution and contract management, User, prospect and/or customer support, information security.
Legal basis: Art. 6 (1) (1) (c), (f) GDPR
Legitimate interests: Promotion of sales activities, advertising and image improvement, market and opinion research, design, operation and availability of digital products, operation, integrity and security of digital products, integration of desired or required functionalities
Data categories: master data, contact data, content data, usage data, connection data, payment data, location data
Recipients of the data: (IT) service providers.
Intended third country transfer: In individual cases USA and other third countries (on the basis of adequacy decisions)
VI. Application and certification for service partners (B2B)
Application and certification
Purpose of processing: Purchase order execution and contract management, user, prospect and/or customer support
Legal basis: Art. 6 (1) (1) (b), (f) GDPR
Legitimate interests: Promotion of sales activities, advertising and image improvement, market and opinion research, design, operation and availability of digital products, operation, integrity and security of digital products, integration of desired or required functionalities
Data categories: Master data, contact data, content data, usage data, connection data, payment data, location data
Recipients of the data: IT service provider
Intended third country transfer: None
VII. Information on external sites
The use of external sites and their functions regularly requires the processing of personal data. Unless otherwise indicated, the following statements refer to all external sites that we operate and which link to this privacy policy.
Facebook
Purpose of processing: Advertising and personalized marketing activities; analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; advertising and image improvement, market and opinion research; customer acquisition, customer retention, customer recovery
Data categories: Master data, contact data, content data, usage data, connection data, in some cases location data
Recipients of data: Platform operators and media (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"))
Intended third country transfer: in individual cases USA and other third countries (based on standard contractual clauses or adequacy decisions of the EU commission)
Instagram
Purpose of processing: Advertising and personalized marketing activities; analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; advertising and image improvement, market and opinion research; customer acquisition, customer retention, customer recovery
Data categories: Master data, contact data, content data, usage data, connection data, in some cases location data
Recipients of data: Platform operators and media (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"))
Intended third country transfer: in individual cases USA and other third countries (based on standard contractual clauses or adequacy decisions of the EU commission)
LinkedIn (Profile)
Purpose of processing: Advertising and personalized marketing activities; analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; advertising and image improvement, market and opinion research; customer acquisition, customer retention, customer recovery
Data categories: Master data, contact data, content data, usage data, connection data, in some cases location data
Recipients of data: Platform operators and media (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"))
Intended third country transfer: in individual cases USA and other third countries (based on standard contractual clauses or adequacy decisions of the EU commission)
X (Twitter)
Purpose of processing: Advertising and personalized marketing activities; analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; advertising and image improvement, market and opinion research; customer acquisition, customer retention, customer recovery
Data categories: Master data, contact data, content data, usage data, connection data, in some cases location data
Recipients of data: Platform operators and media (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland ("Twitter"))
Intended third country transfer: in individual cases USA and other third countries
YouTube Channel
Purpose of processing: Advertising and personalized marketing activities; analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; advertising and image improvement, market and opinion research; customer acquisition, customer retention, customer recovery
Data categories: Master data, contact data, content data, usage data, connection data, in some cases location data
Recipients of data: Platform operators and media (Google Ireland Ltd., Gordon House, Barrow Street Dublin 4, Ireland ("Google"))
Intended third country transfer: in individual cases USA and other third countries
TikTok
Purpose of processing: Advertising and personalized marketing activities; analysis and Performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; advertising and image improvement, market and opinion research; customer acquisition, customer retention, customer recovery
Data categories: Master data, contact data, content data, usage data, connection data, in some cases location data
Recipients of the data: Platform operator and media (TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, London, England ("TikTok UK") and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland") as joint controllers ("TikTok"))
Intended third country transfer: In individual cases third countries
Information regarding joint controllers
In the cases listed below, we are jointly responsible with another body within the meaning of Art. 4 No. 7, 26 GDPR. You are free to contact any of the joint controllers directly with your request. Depending on the specific agreement on data subject rights with the other entity, we will forward your request to the other entity.
Operation of our Facebook page(s)
As part of the operation of our Facebook page(s), there is a joint responsibility with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").
The essence of the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum.
Facebook is responsible for implementing your data subject rights.
Facebook will inform you about your rights as a data subject at: https://www.facebook.com/legal/terms/information_about_page_insights_data
Operation of our Instagram page(s)
As part of the operation of our Facebook page(s), there is a joint responsibility with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").
The essence of the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum.
Facebook is responsible for implementing your data subject rights.
Facebook will inform you about your rights as a data subject at: https://www.facebook.com/legal/terms/information_about_page_insights_data
Operation of our LinkedIn page(s)
As part of the operation of our LinkedIn page, there is a joint responsibility with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
The essence of the agreement can be found here: https://legal.linkedin.com/pages-joint-controller-addendum
LinkedIn is responsible for implementing your data subject rights.
LinkedIn will inform you about your rights as a data subject at: www.linkedin.com/legal/privacy-policy.
Operation of our TikTok page(s)
As part of the operation of our TikTok site(s), we have a joint responsibility with TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, London, England ("TikTok UK") and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland").
The essence of the agreement can be found here: ads.tiktok.com/i18n/official/article?aid=300871706948451871
TikTok is responsible for the implementation of your data subject rights (see the overview of responsibilities under the above link).
TikTok will inform you about your data subject rights at: www.tiktok.com/safety/de-de/privacy-and-security-on-tiktok/
Marketing measures (Facebook Custom Audiences)
In the context of our marketing measures via the "Facebook Custom Audiences" service, there is joint responsibility with Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2. This relates to the processing of event data for the targeting of advertisements, for the improvement of ad delivery and personalization of functions and content, as well as the delivery of commercial and transaction-related data, if applicable.
The essence of the concluded agreement (including information on the implementation of your data subject rights) can be found here: https://www.facebook.com/legal/controller_addendum
Further information on the processing of personal data by Facebook, the legal basis on which Facebook bases the processing and the exercise of data subject rights vis-à-vis Facebook can be found at https://www.facebook.com/about/privacy
IX. Definition of terms
The terms used in this privacy policy (e.g. data categories, purposes and legitimate interests, as well as terms from the GDPR) are explained in the "Definition of terms" section.
From the GDPR
This privacy policy uses the terms of the legal text of the GDPR. You can view the definitions (Art. 4 GDPR), for example, at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679 .
Further definitions
Data Categories
When we specify the categories of data processed, this refers in particular to the following data:
- Master Data (e.g. name, address, dates of birth)
- Contact Data (e.g. e-mail address, telephone number, messenger services)
- Content Data (e.g. text input, photographs, videos, contents of documents/files)
- Contract Data (e.g. subject of contract, terms, customer category)
- Payment Data (e.g. bank details, payment history, use of other payment service providers)
- Usage Data (e.g. history on our website, use of certain content, access times, contact or order history)
- Connection Data (e.g. device information, IP addresses, URL referrers)
- Location Data (e.g. GPS data, IP geolocation, access points)
- Diagnostic Data (e.g. crash logs, performance data of the website/app, other technical data for the analysis of faults and errors)
- Applicant and employee data (e.g. employment history, working hours, vacation periods, periods of incapacity for work, appraisals, training and further education, social data, bank details, social security number, health insurance/health insurance number, salary expectations and salary data as well as the tax identification number, proofs and documents, working hours, public offices held, social security data, data on occupational integration management)
Purposes of data processing
In the following sections, to improve comprehensibility and readability, we indicate the purposes pursued as purpose categories. In some cases, there may be overlaps with our "legitimate interests" (see definitions below). This is in the nature of things.
Unless otherwise stated, the purposes are to be understood as follows:
- Advertising and personalized marketing activities: Includes, for instance, the opening of public and, where applicable, restricted-access websites, apps and/or external pages for general information about our products/services (e.g., general website about our company, press pages, social media pages), personalized communication with users, prospects and/or customers (e.g., newsletters), playout of (personalized) recommendations and advertising measures (e.g., personalized newsletters, playout of advertising on other websites, search engines, social media pages and/or apps and generally in advertising networks), merging and linking of data (possibly involving other parties such as publishers in advertising networks) to ensure commission claims for advertising materials.
- Safety and emergency management: Includes all processes which, in the relevant context, serve to ensure the relevant safety specifications and the prevention and/or handling of accidents and emergencies, such as access controls, video surveillance, logging, evacuation, personal rescue and damage limitation.
- Analysis and Performance measurement as well as optimization of products and/or services: Includes, for instance, opinion polls and voting, comparison tests (so-called A/B testing), analysis and (usually aggregated) evaluation of user, prospect and/or customer behavior in the online and/or offline area (e.g. through click paths, mouse movements and heat maps), analysis and evaluation of the success of general and, if applicable, personalized marketing measures, needs-based design of our (digital) products and services based on the analyzed demand and/or usage behavior.
- Purchase order execution and contract management: Includes all processing operations required for the fulfillment of the relevant purchase orders/contracts, such as the processing of master and contact data for the execution and fulfillment of the customer's purchase orders, payment processing including any necessary transfer of data to payment service providers, processing of returns, license verification.
- Operation and further development of internal IT systems: Includes, among other things, user management, authentication and technical logging, as well as IT support and the further development and adaptation of systems and the associated processing of personal data. This applies regardless of whether the IT systems are operated by the controller itself or by a service provider acting on controller's behalf (processor).
- Applicant management: This includes recruitment marketing and processes relating to the initiation of employment, such as processing applications (digital and analog), communicating with applicants, conducting job interviews, assessment center procedures and trial work, setting up talent pools and documenting the outcome of applications.
- Business partner maintenance: Includes all processes which serve to analyze and select suitable business partners and to maintain existing business relationships.
- Warranty, guarantee, goodwill and general service: Includes, without limitation, the handling of warranty, guarantee and goodwill cases, as well as any information on updates, improvements and recalls.
- Identity and/or creditworthiness check: The aim of the processing is to check the identity of the data subject, insofar as this is necessary for the relevant process, and/or to check the creditworthiness and/or solvency of a prospect or contractual partner.
- Information security: Includes processing operations which serve to protect against hazards and to secure IT systems, as well as to achieve the protection goals of confidentiality, availability and integrity of data, systems and processes (e.g., distinguishing between human access and bot access, detecting and warding off abusive access, security-relevant analysis of the use of digital products and services).
- Logistics and fleet management: Includes, among other things, the planning, management and control of our logistics, including external logistics service providers, and the management of our vehicle fleet, including compliance with legal obligations.
- User, prospect and/or customer support: Includes, for instance, contact forms, chat systems including chat bots and callback options, and generally the handling of various inquiries (e.g., advice, service, complaints).
- Human resources and HR management: Includes all processes relating to the performance of employment or processes that are closely related to employment, such as onboarding, HR administration, the fulfillment of employer obligations, personnel development including training and further education, voluntary employer benefits, HR planning and controlling, company health management, company social counseling, company co-determination, measures to terminate employment, investigative and disciplinary measures and offboarding.
- Project management including project collaboration: Coordination and implementation of projects, project planning, project schedule management, exchange of information within projects, collaboration within projects
- Legal affairs and compliance measures: Includes, for instance, the assertion, exercise, and enforcement of legal claims and processes to comply with legal requirements (e.g., as part of data privacy consent management) and to prevent and/or detect and prosecute legal violations.
- Event management: Includes all processes required for the implementation of offline and online events and meetings (e.g. registration, participant management, implementation of the event, processing of personal preferences and needs, data processing in the context of video conferencing and/or instant messaging services), photo, audio and/or video documentation of events, issuing of certificates of participation.
- Administration: Includes processes that comprise, without limitation, basic business functions such as communication, accounting, invoicing and reporting, documentation and archiving, know-how and contact management.
Legitimate interests
In the following sections, we state our legitimate interests within the meaning of Art. 6 (1) (1) (f) GDPR as categories to improve comprehensibility and readability. In some cases, there may be overlaps with our "purposes" (see the definitions above). This is in the nature of things.
Unless otherwise stated, the stated legitimate interests are to be understood as follows:
- Promotion of sales activities: e.g. promotion of our sales by evaluating the demand of our customers, analysis of the interests and purchasing and demand behavior of our prospects, users and/or customers.
- Promotion of economic interests: e.g. measures to reduce costs and cut costs, avoidance/reduction of significant additional costs, general increase in earnings (especially through outsourcing to service providers) and avoidance of competitive disadvantages.
- Advertising and image improvement, market and opinion research: e.g. opinion polls, voting, product and/or service ratings and other reviews, and the integration of these results.
- Analysis and optimization of our own offers, services and advertising measures: e.g. analysis of user, prospect and/or customer behavior for the optimization of processes, services and products, needs-based design of our products, services and marketing measures and direct customer contact.
- Design, operation and availability of digital products: Includes, for instance, the integration of general functions of websites, apps and other digital products.
- Operation, integrity and security of digital products: Includes, without limitation, the defense against requests overloading the service (denial of service attacks) or excessive use of bots to destabilize a platform, IT security measures such as storing log files and, in particular, IP addresses over a longer period of time to detect and ward off misuse, including beyond the legally required level.
- Direct marketing (personalized marketing): Includes, without limitation, direct approaches to prospects and customers that are not based on consent, such as product recommendations based on past demand behavior, including the processing of data in preparation for direct marketing (e.g., customer segmentation, affinity ratings).
- Integration of desired or required functionalities: Integration of functionalities that are in the interest of the customer, are played out at the request of the customer and/or are necessary for the provision of the service (e.g., the integration of contact options on websites or in apps or, for instance, the possibility of saving configurations by the user (e.g., language selection)).
- Assertion, exercise or defense of legal claims: e.g. preservation of evidence, to clarify the facts in the event of a foreseeable legal dispute.
- Customer acquisition, customer retention, customer recovery: e.g. operation of a customer relationship management (CRM) for prospect and customer care.
- Freedom of expression, press and broadcasting: Includes, without limitation, processing operations previously covered by the so-called media privilege.
- Protection of the body and health of the data subject: in particular, processing operations which are in the interest of the data subject and in the public interest (e.g. pastoral care)
- Promotion of legitimate interests within a group of undertakings: Performance of organizational, procedural or entrepreneurial tasks within the cooperation of several affiliated companies (for this, see the explanations in Recital 48 GDPR).
- Prevention of criminal offenses, administrative offenses and other detrimental actions: Includes, without limitation, fraud prevention, preventive measures within the framework of an internal control system, measures for the clarification of risks following corresponding suspicious cases or other indications of possible actions to the detriment of the controller or other persons
- Reduction of failure risks: Identification of economic, technical, procedural or organizational risks to the company that could lead to a complete or partial failure of the company, parts of the company or products or services of the company.
- Employee support: Integration or implementation of services and activities that are in the interests of employees, such as satisfaction surveys, voluntary events and activities, birthday lists, sending greeting cards, etc.
- Employee retention: Integration or implementation of services and activities to achieve long-term employee loyalty to the employer, e.g. promotion of personal development, birthday lists, sending birthday gifts
- Other legitimate interests: Where relevant, these interests are explained separately at the respective points.
Categories of recipients
In the following section, we list the categories of recipients that we use in our privacy policy:
- Banks and other financial service providers
- Authorities and other public bodies
- Professional secrecy holders and their companies/entities
- IT service providers
- Opponents in legal disputes
- Group companies and other affiliated companies
- Customers and prospects
- Suppliers
- Personnel service providers
- Platform operators and media
- Associations, organizations and interest groups
- Landlords
- Insurances
- Contractual partners (without customers)