Data Privacy

1. Preface

Data protection is of great importance to DSC Software AG.

This data privacy statement explains the method, extent, and aim of the processing of personal data in our online services and related websites, functions, and content (in the following referred to jointly as “online services” or “website”). The data privacy statement applies independently of domains, systems, platforms, and devices (e.g. desktop or mobile) on which the online services are executed.

2. Data Controller

The data controller in the sense of the General Data Protection Regulation (GDPR), or other data protection laws applicable in the member states of the European Union and other regulations regarding data protection is:

DSC Software AG
Am Sandfeld 17
76149 Karlsruhe
Germany

Tel.:                 +49 721 9774 100
E-Mail:            info@dscsag.com
Website:         www.dscsag.com

3. Data Protection Officer

The data protection officer of the data controller is:

ah-consulting GmbH
Am Sandfeld 17 a
76149 Karlsruhe
Germany

+49 721 75408840
privacy@ah-consulting.gmbh

For questions and suggestions on data protection, any data subject can refer to our data protection officer anytime.

4. Definition

Our data privacy statement is based on the terminology used by the European Regulatory Body in adoption of the General Data Protection Regulation (GDPR). Our data privacy statement is intended to be easy to read and to understand by the public, our customers, and our business partners.

In order to ensure this, we will explain the terminology used in advance. Terms used, such as “personal data” or its “processing” are defined in Art. 4 of the General Data Protection Regulation (GDPR).

In this data privacy statement, we use, among others, the following terms:

4.1. Personal Data

Personal data is defined as all information referring to an identified or identifiable natural person (in the following referred to as the “data subject”). An identifiable person is a natural person who can be identified directly or indirectly, in particular by means of an assignment to a label such as a name, an ID number, location data, an online ID or one or more special features that is an expression of the physical, physiological, genetic, psychic, economic, cultural, or social identity of this natural person.

4.2. Data Subject

The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

4.3. Processing

Processing is any process or operation carried out with or without the help of automated procedures or any such series of operations in connection with personal data, for example: collecting, recording, organizing, ordering, storing, adapting, or changing, reading, retrieving, using, disclosing through transmission, dissemination or other form of provision, comparing or linking, restricting, deleting, or destroying.

4.4. Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

4.5. Profiling

Profiling is any kind of automated processing of personal data that consists in using such personal data in order to evaluate personal aspects referring to a natural person, in particular to analyze, or predict aspects regarding job performance, economic situation, health, personal preference, interests, reliability, conduct, place of residence, or change of locality of this natural person.

4.6. Pseudonymization

Pseudonymization is the processing of personal data in a way that the personal data can no longer be assigned to a specific data subject without additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be assigned to an identified or identifiable natural person.

4.7. Data Controller

The data controller is the natural or legal person, authority, institution, or other entity that determines, either alone or jointly with others, the purposes and means of the processing of personal data. If the purposes and means of this processing are controlled by EU law or the laws of EU member states, the data controller – or the specific criteria of his or her nomination – can be determined according to EU law or the laws of EU member states.

4.8. Processor

The processor is a natural or legal person, authority, institution, or other entity that processes personal data on behalf of the data controller.

4.9. Recipient

The recipient is a natural or legal person, authority, institution, or other entity to whom personal data is disclosed, regardless of whether this is a third party or not. However, authorities that may receive personal data in the course of a particular inquiry in accordance with EU law or the laws of EU member states are not considered recipients.

4.10. Third Party

A third party is a natural or legal person, authority, institution, or other entity (other than the data subject, the data controller, the processor, and the persons who are authorized to process the personal data under the direct responsibility of the data controller or the processor) that is authorized to process the personal data.

4.11. Consent

Consent is any expression of willingness issued freely for the specific case in an informed manner and unambiguously by the data subject in the form of a declaration or any other clearly affirmative act, with which the data subject makes it clear that they agree with the processing of the personal data.

5. General Notes on Data Processing

5.1. Extent of Processing of Personal Data

We generally collect and use the personal data of our users only insofar as it is necessary for maintaining a well-functioning website as well as for our contents and services. The collection and use of personal data of our users takes place regularly only with the prior consent of the users. An exception applies in cases where it is impossible to obtain consent in advance and the processing of the data is permitted by legal regulations.

5.2. Legal Framework for Processing Personal Data

If we obtain the consent of the data subject for the processing of personal data, Art. 6 Sec. 1 lit. a EU General Data Protection Regulation serves as the legal basis.

In the processing of personal data that is required for fulfilling a contract of which the data subject is a contractual party, Art. 6 Sec. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations required for the implementation of pre-contractual measures.

If the processing of personal data is required for meeting a legal obligation, to which our company is subject, Art. 6 Sec. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or of another natural person require the processing of personal data, Art. 6 Abs. 1 lit. d GDPR serves as the legal basis.

If processing is required for safeguarding a justified interest of our company or a third party, and if the interests, basic rights, and fundamental freedoms of the data subject do not outweigh the first-named interest, Art. 6 Abs. 1 lit. f GDPR serves as the legal basis for the processing.

5.3. Data Deletion and Storage Duration

The personal data of the data subject is deleted or blocked as soon as the purpose of storage is no longer valid. Storage can also happen if stipulated by European or national legislation in EU regulations, laws, or other rules to which the data controller is subject.

The data can also be blocked or deleted if a storage period prescribed by the mentioned standards expires – unless it is necessary to store the data for the purposes of the conclusion or fulfillment of a contract.

6. Provision of the Website and Creation of Log Files

6.1. Description and Extent of Data Processing

Every time our website is called, our system automatically records data and information of the computer system of the calling computer.

The following data is collected:

  • Information about the browser type and the version used
  • User’s operating system
  • User’s IP address
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Session cookie for identifying the logged-in user
  • Date and time of the user login
  • Storage of failed login attempts
  • Date and time of the creation of the user
  • Storage of denied accesses (403)
  • Storage of sites not found (404)
  • User’s acceptance of cookie policies
  • Information about whether the user has activated JavaScript

The data is stored in the log files of our system. This data is not stored together with other personal data of the user.

7. Legal Framework for Data Processing

The legal framework for the temporary storage of data and log files is Art. 6 Sec. 1 lit. f GDPR.

8. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable the website to be sent to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

Data is stored in log files in order to ensure the correct functioning of the website. The data also serves to optimize the website and to ensure the security of our information technology systems. In this context, there is no evaluation of the data for marketing purposes.

These aims also include our justified interest in data processing according to Art. 6 Sec. 1 lit. f GDPR.

9. Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. In case of a data collection for the provision of the website, this applies when the respective session ends.

If the data is stored in log files, this applies after a maximum of seven days. Longer storage is possible. In this case, the users‘ IP addresses are deleted or distorted so that the calling client can no longer be identified.

10. Possibility of Objection and Disposal

The recording of data for providing the website and the storage of the data in log files is mandatory for the operation of the website. Therefore, the user has no possibility of objection.

11. Use of Cookies

11.1.  Description and Extent of Data Processing

Due to our justified interest, we use so-called cookies on this website. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. If a user calls a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables a unique identification of the browser when the website is called again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can still be identified following a website change.

The following data is stored and transmitted in the cookies:

  • Technical cookies or system cookies (Session, JavaScript)
  • Cookies for improving usability (status of pop-up menus)
  • Analysis cookies for analyzing and improving site accesses
  • When users are logged in, it contains a session cookie to identify the user. The corresponding information of the user is stored.

When you visit our website, a pop-up window “Privacy Preferences” is displayed containing information concerning the use of cookies and a link to this Privacy Policy. Within this window, the user can object to the use of cookies, except of essential cookies.

11.2.  Legal Framework for Data Processing

The legal framework for the processing of personal data with the use of cookies is Art. 6 Sec. 1 lit. f GDPR.

The legal framework for the processing of personal data using technically necessary cookies is Art. 6 Sec. 1 lit. f GDPR.

11.3.  Purpose of Data Processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some of the functions of our website cannot be offered without the use of cookies. For these functions, it is necessary that the user is recognized after a website change.

User data collected by technically necessary cookies is not used for the creation of user profiles.

We need cookies for the following applications:

  • JavaScript activated
  • Consent to cookie disclaimer
  • Toolbar opened
  • Authentication of user in logged-in state to the website
  • Request limitation
  • Tracker version
  • User identification
  • Toolbar opened

Analysis cookies are used for improving the quality of our website and its contents. The analysis cookies tell us how the website is used, so we can continuously optimize our services.

In the cookie, an ID is stored linking the user with the data sent.

These aims also include our justified interest in the processing of personal data according to Art. 6 Abs. 1 lit. f GDPR.

11.4.  Duration of Storage, Possibility of Objection and Disposal

Cookies are stored on the user’s computer and transferred via that computer to us. As a user, you therefore have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transfer of cookies. Stored cookies can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, it is possible that not all features of the website can be fully used.

Cookie Preferences

12. Contact Form and E-Mail Contact

12.1.  Description and Extent of Data Processing

On the basis of our justified interests, on this website we use a contact form that can be used for the electronic first contact and for the upload of documents. If a user uses this contact form, the data entered in the input mask is transferred to us and stored.

This data is required for mandatory fields:

  • Title
  • First and last name
  • E-mail address
  • Company
  • City
  • Country

All other entries that are not mandatory but are filled in anyway, are also transmitted and stored.

The following data is also stored at the time of registration:

  • IP address of the calling computer
  • Date and time of registration
  • E-mail address
  • Documents that are uploaded

During this process, your consent is obtained and you are referred to this data privacy statement.

Alternatively, an initial contact is possible by means of the e-mail address provided. In this case, the user’s personal data that is sent with the e-mail is stored.

In this context, no data is passed on to third parties. The data is used exclusively for processing the conversation.

12.2.  Legal Framework for Data Processing

The legal framework for the processing of the data if the user consents is Art. 6 Sec. 1 lit. a GDPR.

The legal framework for processing data transmitted via e-mail is Art. 6 Sec. 1 lit. f GDPR. If the aim of the e-mail contact is to conclude a contract, an additional legal framework for the processing is Art. 6 Sec. 1 lit. b GDPR.

12.3.  Purpose of Data Processing

We need to process personal data from the input mask only for dealing with the initial contact. If this contact is made via e-mail, there is also a justified interest in the processing of the data.

The other data processed during the transmission procedure serves to prevent a misuse of the contact form and to ensure the security of our information technology systems.

12.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. For personal data provided via the input mask of the contact form, and the data sent by e-mail, this is the case when the respective conversation with the user ends. The conversation ends when it can be inferred from circumstances that the situation concerned has been clarified finally.

The extra data collected during the sending process is deleted after a maximum period of seven days.

12.5.  Possibility of Objection and Disposal

At all times, users can withdraw their consent to the processing of their personal data. If users contact us by e-mail, they can object to the storage of their personal data at any time. In this case, the conversation cannot be continued.

The withdrawal of consent and the objection to storage must be sent in writing to the data protection officer.

In this case, all personal data stored during the contact is deleted.

13. Google Fonts

13.1.  Extent of Processing of Personal Data

On the basis of our justified interests, we use the Google Fonts service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).

Google Fonts provides an intuitive and robust directory of open-source designer web fonts. With a comprehensive catalog, typography can be integrated seamlessly in any design project.

This service is used to integrate web fonts in our websites. The integration of the Google fonts takes place with a server call to Google, regularly via the URL https://fonts.google.com. The fonts are supplied by various designers and are open-source.

When a user accesses our online services, a request is usually transmitted to a Google server in the USA, where it is stored and processed.

Technically, the fonts embedded in our website are stored on a Google server and loaded from there when the site is being called. By using Google Fonts, the Google server sends a corresponding file to each user, based on the technologies supported by the user’s browser.

The connection to Google Fonts is not authenticated. During a visit of our online services, no cookies or login information is sent to Google. Corresponding queries to Google Fonts servers are sent to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com, so that requirements for fonts are generally separated from login information, which otherwise is sent to Google domains such as google.com or google.de, which can be authenticated.

Google Fonts logs data records of the CSS and the font file requirements. For statistical purposes, Google assigns aggregated usage numbers showing how popular font families are, and publishes these results on an Analytics website (https://fonts.google.com/analytics).

For further information on the Google Fonts service, see https://developers.google.com/fonts/faq.

Google is certified under the Privacy Shield Agreement, which means it offers a guarantee to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

The EU-US Privacy Shield Agreement was declared invalid by the European Court of Justice in August 2020. Since then, for companies of the EU or the EEA it is only possible to collaborate with US companies based on EU standard contract clauses. As far as possible, EU standard contract clauses were concluded with the affected US companies. Additionally, further measures for ensuring the data protection level were agreed upon with US companies to some extent.

13.2.  Legal Framework for Processing Personal Data

The legal framework for the processing of users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

13.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online services in order to integrate content or services of third parties or their contents and services.

We use Google Fonts to make our website independent of the fonts installed by the user, the so-called system fonts, and to ensure a consistent display on different systems.

The purpose and extent of data collection and the processing, as well as the use of the data by Google can be found in Google’s Privacy Policy at https://policies.google.com/privacy?hl=de.

13.4.  Duration of Storage

The data is deleted as soon as it is no longer required for our recording purposes.

13.5.  Possibility of Objection and Disposal

For further information on Google’s use of data, and setting and objection options, see the following Google websites: (“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“How Google uses cookies in advertising”), http://www.google.com/policies/technologies/ads (“Use of data for promotional purposes”), http://www.google.de/settings/ads (“Managing information used by Google to display advertising”).

14. YouTube

14.1.  Description and Scope of Data Processing

On the basis of our justified interests, we use components of the YouTube service, operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”).

YouTube is an internet video portal that enables video publishers to post video clips free of charge, and other users to view, rate, and comment on these clips, also free of charge. YouTube permits the publication of all kinds of videos, which is why both whole film and TV programs, but also music videos, trailers, or videos made by the users themselves, can be retrieved via the internet portal.

After every call of one of the individual pages of this website, which is operated by the data controllers and on which a YouTube component (YouTube video) is integrated, the internet browser on the IT system of the data subject is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information on YouTube can be retrieved under https://www.youtube.com/intl/com/about/. Within the framework of this technical procedure, YouTube and Google receive knowledge about the actual subpage of our website that the data subject visits.

If the data subject is simultaneously logged into YouTube, YouTube can see from the retrieval of a subpage containing a YouTube video the actual subpage of our website that the data subject visits. YouTube and Google collect this information and assign it to the respective YouTube account of the data subject.

Via the YouTube component, YouTube and Google always receive information that the data subject has visited our website if the data subject is simultaneously logged into YouTube at the time our website is retrieved; this takes place irrespective of whether the data subject clicks a YouTube video or not. If the data subject does not desire such transfer of information to YouTube and Google, he or she can prevent the transfer by logging out of the YouTube account before visiting our website.

14.2.  Legal Basis for Data Processing

The legal basis for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

14.3.  Purpose of Data Processing

The data is processed out of interest in the analysis, optimization, and economic operation of the online offer.

For the purpose and scope of data collection, and further processing and use of the data by YouTube, see the YouTube data privacy statement under https://policies.google.com/privacy?hl=en&gl=de

14.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

14.5.  Possibility of Objection and Disposal

If a user is simultaneously a user of YouTube services and wants to prevent YouTube from collecting (via this online offer) data about him or her and linking it to his or her user data stored by YouTube, he or she must log out from YouTube before using our online offer, and delete his or her cookies.

YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. It may therefore be necessary for the user to log out from any possible Google user account and delete all related cookies.

Under https://www.google.com/settings/ads/authenticated, YouTube offers the option of objecting to targeted advertising.

15. Yourls

15.1.  Extent of Processing of Personal Data

Due to our legitimate interest, we use the open-source tool Yourls, https://yourls.org/. This tool allows shortening links to create short URLs. Yourls analyses the IP address, browser settings, and browser information to identify where the request comes from.

Yourls is hosted on servers of DSC Software AG. DSC Software AG exclusively carries out the collection and statistical analysis of the data.

15.2.  Legal Framework for the Processing of Personal Data

The legal framework for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

15.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online offer.

15.4.  Duration of Storage

The data is deleted as soon as it is no longer necessary for our recording purposes.

15.5.  Possibility of Objection and Disposal

There is no possibility of objection and disposal.

16. XING

16.1.  Description and Extent of Data Processing

On the basis of our justified interests, we use components of the XING service, which is operated by XING AG, Dammtorstraße 30, 20354 Hamburg, Germany (“XING”).

XING is an internet-based social network that enables users to connect with existing business contacts and to create new business contacts. The individual users can create a personal profile of themselves at XING. Companies may, e.g. create company profiles or publish job offers on XING.

Every access to one of the individual pages of this website, which is operated by the data controller and on which a XING component (XING plug-in) is integrated, automatically causes (due to the respective XING component) the internet browser on the IT system of the data subject to download a display of the corresponding XING component from XING. For further information on the XING plug-ins, see https://dev.xing.com/plugins. During this technical procedure, XING receives knowledge about the actual subpage of our website that is visited by the data subject.

If the data subject is simultaneously logged-in on XING, XING recognizes with each access to our website by the data subject – and for the entire duration of their stay on our website – the specific subpage of our website visited by the data subject. This information is collected by the XING component and assigned by XING to the respective XING account of the data subject. If the data subject clicks on one of the XING buttons integrated on our website, e.g. the “Share” button, then XING assigns this information to the personal XING user account of the data subject and stores the personal data.

By means of the XING component, XING always receives information that the data subject has visited our website if the data subject is simultaneously logged in on XING; this takes place independently of whether the data subject clicks a XING component or not. If the data subject does not want this information to be transmitted to XING, they can prevent it by logging off from the XING account before calling our website.

16.2.  Legal Basis for Data Processing

The legal framework for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

16.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online services.

The purpose and extent of data collection and the further processing and use of the data by XING are accessible in the data privacy statement of XING under https://www.xing.com/privacy. Data privacy information on the XING Share button can be found at https://www.xing.com/app/share?op=data_protection.

16.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

16.5.  Possibility of Objection and Disposal

If a user is simultaneously using the services of XING and does not want XING to collect data about these online services and link it to the user data stored with XING, they should log off from XING and delete all related cookies before using our online services.

Under https://nats.xing.com/optout.html?popup=1&locale=de_DE, XING offers the option of objecting to web analysis. For further opt-out options, see https://www.xing.com/privacy.

17. LinkedIn

17.1.  Description and Extent of Data Processing

On the basis of our justified interests, we use components of the LinkedIn service, which is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA (“LinkedIn”).

LinkedIn is an internet-based social network that enables users to connect with existing business contacts and to create new business contacts.

With each access to our website, which contains a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the data subject to download a representation of the component from LinkedIn.

For further information on the LinkedIn plug-ins, see https://developer.linkedin.com/plugins. During this technical procedure, LinkedIn receives knowledge about the actual subpage of our website that is visited by the data subject.

If the data subject is simultaneously logged-in on LinkedIn, LinkedIn recognizes with each access to our website by the data subject – and for the entire duration of their stay on our website – the specific subpage of our website visited by the data subject. This information is collected by the LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the data subject. If the data subject clicks on one of the LinkedIn buttons integrated on our website, then LinkedIn assigns this information to the personal LinkedIn user account of the data subject and stores the personal data.

By means of the LinkedIn component, LinkedIn always receives information that the data subject has visited our website if the data subject is simultaneously logged in on LinkedIn; this takes place independently of whether the data subject clicks a LinkedIn component or not. If the data subject does not want this information to be transmitted to LinkedIn, they can prevent it by logging off from the LinkedIn account before calling our website.

17.2.  Legal Basis for Data Processing

The legal framework for the processing of the users’ personal data is Art. 6 Sec. 1 lit. f GDPR.

17.3.  Purpose of Data Processing

Data is processed out of interest in the analysis, optimization, and economic operation of the online services.

The purpose and extent of data collection and the further processing and use of the data by LinkedIn are accessible in the data privacy statement of LinkedIn under https://www.linkedin.com/legal/privacy-policy. The cookie policy is available under https://www.linkedin.com/legal/cookie-policy.

17.4.  Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

17.5.  Possibility of Objection and Disposal

If a user is simultaneously using the services of LinkedIn and does not want LinkedIn to collect data about these online services and link it to the user data stored with LinkedIn, they should log off from LinkedIn and delete all related cookies before using our online services.

Under https://www.linkedin.com/psettings/guest-controls, LinkedIn enables the user to subscribe from receiving e-mails, SMS messages, and personalized offers and to manage their ads settings.

LinkedIn additionally uses partners like Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame, which may set cookies. The user can decline such cookies under https://www.linkedin.com/legal/cookie-policy.

The responsibility for data privacy issues outside the USA lies with LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

18. Optimizely

18.1. Description and Extent of Data Processing

Due to our justified interest, on this website we use Optimizely Content Cloud as the content management system by Episerver GmbH. The Optimizely platform is based on Microsoft standard technology – cloud strategy on the basis of Microsoft Azure (PaaS solution).
Optimizely Content Cloud enables the creation of websites and e-commerce sites. Episerver GmbH has no control over the contents of these websites, e-mails, or other messages, or the type of personal data that is collected or processed by Episerver products or services.
In these cases, the customers of Episerver GmbH control the processing of personal data. Episerver GmbH acts on their behalf as data processor by collecting and processing information under the control of their customers. They do not have a direct relation to the persons whose personal data they process. The conditions of the processing activities are controlled with a data privacy agreement that is concluded between Episerver GmbH and their customers.
Further information on data protection of Episerver GmbH is available at https://www.optimizely.com/legal/privacy-policy/.

18.2. Legal Basis for Data Processing

The legal framework for the processing of personal data is Art. 6 Sec. 1 lit. f GDPR.

18.3. Purpose of Data Processing

The purpose of data processing is the provision of the website. The functions of our website cannot be offered without the use of Optimizely.

This purpose also includes our justified interest in the processing of personal data according to Art. 6 Abs. 1 lit. f GDPR.

18.4. Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection.

18.5. Possibility of Objection and Disposal

There is no possibility of objection and disposal.

19. Matomo

19.1.  Extent of Processing of Personal Data

Based on our justified interests we use the open-source software tool Matomo (former PIWIK) on this website for web analysis with the cookie technology. Matomo is a service of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769. The software sets a cookie on the user’s computer.

If single sites of our website are accessed, the following data is stored:

One byte of the IP address of the user’s system accessing the site

The website accessed

The website from which user reaches the accessed site (Referrer)

The subsites accessed from the accessed website

The duration of stay on the website

The frequency of accessing the website

Thereby, the software only runs on the servers of our websites. Personal data is only saved on these servers. The data is not passed on to any third parties.

The software settings ensure, that IP addresses are not saved completely. Instead, three bytes of the IP address are masked (e.g. 168.xxx.xxx.xxx). Thus, an assignment of the shortened IP address to the calling computer is no longer possible.

19.2.  Legal Framework for the Processing of Personal Data

The legal framework for the processing of the users’ personal data is Art. 6 Sec.1 lit. f GDPR.

19.3.  Purpose of Data Processing

The processing of the users’ personal data enables an analysis of the users’ surfing behavior. With the data generated from the analysis, we are able to gain information about the usage of the single components of our website. This helps us to continuously improve our website and to make it more user-friendly.

With the anonymization of IP addresses, the users’ interest in the protection of personal data is sufficiently taken into account.

19.4.  Duration of Storage

The data is deleted as soon as it is no longer necessary for our recording purposes. In this case, this applies after 12 months.

19.5.  Possibility of Objection and Disposal

Cookies are stored on the user’s computer and transferred via that computer to us. As user, you therefore have full control over the use of cookies. By changing the settings within your internet browser, the transfer of cookies can be disabled or restricted anytime. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it is possible that not all features are entirely accessible.

We offer our users an opt-out possibility from the analysis process on our website. Therefore, please follow the respective link. This way, another cookie is set on your system that indicates our system not to save the user’s data. If the user deletes the respective cookie from their system in the meantime, the opt-out cookie needs to be set again.

Additional information about the privacy settings of the Matomo software is available here: https://matomo.org/docs/privacy/.

20. Microsoft Azure

20.1 Extent of Processing of Personal Data

Based on our justified interest for the provision of our websites and further services provided, we use Microsoft Azure Cloud. The service provider is the company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Microsoft processes data, among other countries, in the USA. We point out that according to the Court of Justice of the European Union, there is currently no appropriate protection level for data transfer to the USA. This can be accompanied by various risks for the legitimacy and security of data processing.

Microsoft accepted the EU standard contractual clauses of the European Commission regarding the transfer of personal data to third countries.

Information on Microsoft’s standard contractual clauses is available at:

https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses.

Information on Microsoft’s data processing is available at:

https://learn.microsoft.com/de-de/compliance/regulatory/gdpr-dpia-azure.

All personal data processed by Microsoft in relation to online services is received as customer data, diagnostic data, or service-generated data. Personal data that is provided by Microsoft, or in the name of the user by using the online services, is also considered customer data.

20.2 Legal Framework for the Processing of Personal Data

The legal framework for the processing of users’ personal data is Art. 6 Sec.1 lit. f GDPR.

20.3 Purpose of Data Processing

Provision of websites and further services.

Microsoft Azure only processes data for providing customers with online services. This includes the purposes that are compatible with the provision of these online services, e.g. personalization, security, prevention of fraudulent software and malware, troubleshooting, and improvement.

20.4 Duration of Storage

Upon the expiration of the 90-day retention period, Microsoft will deactivate the customer’s account and delete the customer data. Customers can delete personal data upon request by the data subject and by using the capabilities according to GDPR documentation regarding requests for Azure data subjects.

20.5 Possibility of Objection and Disposal

Microsoft allows customers to act upon requests of data subjects for the exercise of the data subjects' rights according GDPR, consistently with the function of the online service and the role of Microsoft as processor of data subjects’ personal data. If Microsoft receives a request of a customer’s data subject for exercising one or several of their rights according to GDPR in relation with an online service, for which Microsoft is the processor or subprocessor, Microsoft refers the data subject to the customer so that the data subject can direct their request directly to said customer. The customer is responsible to answer such a request, including, if necessary, by using the functionalities of the online service. Microsoft fulfills appropriate requests of customers after the support for processing of requests of data subjects.

21. Rights of the Data Subject

If your personal data is being processed, you are the data subject in the sense of the General Data Protection Regulation (GDPR) and you have the following rights against the data controller:

21.1.  Right to Information

From the data controller, you can demand confirmation about whether personal data concerning you is processed by us.

If your data is being processed, you can demand information from the data controller about the following:

  1. The reason why the personal data is being processed;
  2. The categories of personal data that are being processed;
  3. The recipients or categories of recipients to whom your personal data has been or will be disclosed;
  4. The planned duration of storage of your personal data or, if nothing concrete can be specified here, criteria for defining the duration of storage;
  5. A right of rectification or erasure of your personal data, a right to restrict processing by the data controller, or a right of objection to this processing;
  6. The right to complain to a supervisory authority;
  7. All available information about the origin of the data if the personal data is not collected for the data subject;
  8. The existence of an automated decision-making process including profiling in accordance with Art. 22 Sec. 1 and 4 GDPR and – in these cases at least – meaningful information concerning the logic involved as well as the scope and the intended effects of such processing for the data subject.

You have the right to demand information about whether your personal data is transmitted to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees acc. to Art. 46 GDPR in connection with the transmission.

This right to information can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

21.2.  Right to Correction

You have a right to correction and/or completion against the data controller if your processed personal data is incorrect or incomplete. The data controller has to make the correction immediately.

Your right to correction can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

21.3.  Right to Restriction of Processing

You can demand restriction of processing of your personal data under the following conditions:

  1. If you dispute the correctness of your personal data for a duration that enables the data controller to check the correctness of your personal data;
  2. Processing is illegal and you reject the deletion of your personal data and instead demand the restriction of the use of your personal data;
  3. The data controller no longer requires the personal data for purposes of processing, but you require it for the assertion, enforcement or defense of your legal rights;
  4. You have objected to the processing in accordance with Art. 21 Sec. 1 GDPR and it is not yet certain whether the justified reasons of the data controller outweigh your reasons.

If processing of your personal data has been restricted, this data – apart from its storage – may only be processed with your consent or for the assertion, enforcement or defense of your legal rights or to protect the rights of another natural or legal person or for reasons of an important public interest of the EU or a member state.

If restriction of processing is limited to the conditions listed above, you will be informed of this by the data controller before the restriction is lifted.

Your right to restriction of processing can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

21.4.  Right to Deletion

You can demand from the data controller that your personal data be deleted immediately, and the data controller is obliged to delete this data immediately if one of the following reasons applies:

  1. Your personal data is no longer required for the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent on the basis of which processing was carried out in accordance with Art. 6 Sec. 1 lit. a or Art. 9 Sec. 2 lit. a GDPR, and there exists no other legal basis for processing.
  3. You object to processing in accordance with Art. 21 Sec. 1 GDPR and there exist no overriding justified reasons for processing, or you object to processing in accordance with Art. 21 Sec. 2 GDPR.
  4. Your personal data concerned was unlawfully processed.
  5. The deletion of your personal data is necessary for the fulfillment of a legal obligation according to EU law or the laws of a member state to which the data controller is subject.
  6. Your personal data was collected with regard to services offered by information society in accordance with Art. 8 Sec. 1 GDPR.
21.5.  Information for Third Parties

If the data controller has published your personal data and is legally obliged to delete it in accordance with Art. 17 Sec. 1 GDPR, he or she must take appropriate (including technical) measures with regard to the available technology and the implementation costs to inform the data controller who also process your personal data that you as the data subject have demanded the deletion of all links to this personal data or of copies or replications of this personal data.

21.6.  Exceptions

The right to deletion does not exist if processing is necessary:

  1. For exercising the right to freedom of expression and information
  2. For fulfilling a legal obligation that requires processing according to EU law or the laws of the member states to which the data controller is subject, or performing a task that is in the public interest or in the exercise of official authority that is assigned to the data controller
  3. For reasons of public interest in the area of public health in accordance with Art. 9 Sec. 2 lit. h and i as well as Art. 9 Sec. 3 GDPR
  4. For archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89 Sec. 1 GDPR, provided the right named under Section 1. will foreseeably make the realization of the aims of processing impossible or extremely difficult
  5. For the assertion, enforcement or defense of legal rights.
21.7.  Right to Information

If you have enforced you right to correction, deletion or restriction against data controller, this person is legally obliged to inform all recipients to whom your personal data was disclosed about this correction or deletion of the data or restriction of processing unless this proves to be impossible or is connected with disproportionate effort.

You have the right against the data controller to be informed about these recipients.

21.8.  Right to Data Portability

You have the right to receive the personal data that you have provided to the data controller in a structured, common, and machine-readable format. You also have the right to transfer this data to another data controller without hindrance by the data controller to whom the personal data was provided, if:

  1. Processing is based on consent in accordance with Art. 6 Sec. 1 lit. a GDPR or Art. 9 Sec. 2 lit. a GDPR or on a contract in accordance with Art. 6 Sec. 1 lit. b GDPR and
  2. Processing takes place with the aid of automated procedures.

In enforcing this right, you also have the right to ensure that your personal data is transferred directly from one data controller to another data controller as far as this is technically possible. The freedom and rights of other persons may not be impaired by this.

The right to data portability does not apply to the processing of personal data that is required for performing a task that is in the public interest or in the exercise of an official authority that was assigned to the data controller.

22. Right of Objection

You have the right for reasons applying to your particular situation, to object at any time to processing of your personal data that takes place on the basis of Art. 6 Sec. 1 lit. e or f GDPR; this also applies to profiling based on these regulations.

The data controller no longer processes your personal data unless he or she can provide compelling legitimate reasons for processing that outweigh your interest, rights and freedoms, or the processing serves the assertion, enforcement, or defense of your legal rights.

If your personal data is processed to pursue direct advertising, you have the right to object at any time to processing of your personal data for the purposes of such advertising; this also applies to profiling, if this is related to such direct advertising.

If you object to processing for the purposes of direct advertising, your personal data is no longer processed for these purposes.

In connection with the use of information society services – irrespective of Regulation 2002/58/EG – you can exercise your right of objection using automated procedures for which technical specifications are used.

You also have the right for reasons applying to your particular situation to object to processing of your personal data conducted for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 Sec. 1 GDPR.

Your right of objection can be restricted if it is foreseeable that it will make the realization of research or statistics purposes impossible or extremely difficult and if the restriction is necessary for fulfilling research and statistics purposes.

23. Right to Withdraw Declaration of Consent Concerning Data Privacy

You have the right at any time to withdraw your consent concerning data privacy. Through the withdrawal of consent, the legitimacy of the processing carried out on the basis of your consent up to its withdrawal is not affected.

24. Automated Decision for Individual Cases Including Profiling

You have the right not to be subjected to a decision based exclusively on automated processing including profiling, a decision that has a legal effect on you or that considerably adversely affects you. This does not apply if the decision:

  1. is necessary for the conclusion or fulfillment of a contract between you and the data controller
  2. is permissible on the basis of legal regulations of the EU or the member states to which the data controller is subject and these legal regulations include appropriate measures for preserving your rights and freedoms as well as your justified interests, or
  3. is made with your express consent.

However, these decisions may not be based on special categories of personal data in accordance with Art. 9 Sec. 1 GDPR, as long as Art. 9 Sec. 2 lit. a or g GDPR does not apply and appropriate measures have been taken to protect your rights and freedoms as well as your justified interests.

With regard to the cases named in (1) and (3), the data controller takes appropriate measures to protect your rights and freedoms as well as your justified interests, to which at least belongs the right to obtain the intervention of a person on the part of the data controller, to present one’s own position, and to challenge the decision.

25. Right to Complain to a Supervisory Authority

Irrespective of any other regulatory or legal remedy, you have the right to complain to a supervisory authority, in particular in the member state of your place of residence, your workplace, or the place of the alleged violation if you are of the opinion that the processing of your personal data violates the General Data Protection Regulation (GDPR).

The supervisory authority to which the complaint is submitted informs the complainant about the state and results of the complaint including the possibility of a legal remedy in accordance with Art. 78 of the General Data Protection Regulation (GDPR).