Error found?
Englisch Deutsch
Advanced Search

Privacy Policy

Contact Person and Information on Company Group

In accordance with the General Data Protection Regulation (GDPR), one of the two publishers listed below is the responsible data controller:

- Felix Meiner Verlag GmbH

- Helmut Buske Verlag GmbH

Both publishers have the address Richardstraße 47, 22081 Hamburg.

For questions about our products and services, address changes, or the withdrawal of consent, please contact our respective service teams directly (info@meiner.de or info@buske.de).

For questions regarding data protection, you can also contact our Data Protection Officer for both publishers: Attorney David Heimburger, dh@davidheimburger.de, 040 / 22863648.

You can identify the specific responsible publisher based on your business relationship or communication with one of the two publishers. For services through websites with "meiner.de" in the name, emails to addresses with "meiner.de," or for business transactions with invoices or contracts bearing the Felix Meiner Verlag letterhead, Felix Meiner Verlag is the responsible entity. For all transactions with "buske.de" or the Helmut Buske Verlag letterhead, Helmut Buske Verlag is the responsible entity.

Both publishers operate independently in terms of business. However, the Helmut Buske Verlag has entrusted Felix Meiner Verlag with many infrastructure tasks, such as the technical operation of databases, for both publishers. In some cases, especially with regard to our service providers, Felix Meiner Verlag acts as a representative for both companies.

In situations involving the shared use of database infrastructures, we process data from our respective business partners jointly under Article 26 of the GDPR. For all actions taken jointly, you can approach either of the two publishers if you wish to exercise your data protection rights. We will then internally determine who is primarily responsible for the process related to your request.

Your Rights in General

At this point, we summarize the general rights granted to you under the GDPR regarding your personal data processed by us. For explanations of legal terms, we refer to the definitions in the GDPR (see Article 4 there). If anything remains unclear, please feel free to contact us.

(1) You can revoke your consent to the processing or sharing of your data at any time for future use (Article 7(3) GDPR).

(2) If the legal basis for processing your data is a legitimate interest under Article 6(1)(f) GDPR, you have the right to object to the data processing under Article 21 GDPR. If the data processing pertains to direct marketing, you are not required to provide any reasons for your objection; in all other cases, you would need to provide reasons based on your specific situation.

(3) If we have incorrect information about you, you can request the correction of your data (Article 16 GDPR).

(4) You can request information about what data we process about you (Article 15 GDPR, § 34 BDSG).

(5) You can request the deletion of your data or the restriction of its processing, provided there are no higher retention obligations (Article 17 or 18 GDPR, § 35 BDSG).

(6) You can request that we provide you with the data you have provided to us in a machine-readable format for transfer to third parties (Article 20 GDPR).

(7) You have the right to lodge a complaint with a supervisory authority for data protection, such as the Hamburg Commissioner for Data Protection, regarding data protection matters with us.

Data Processing in General

Any form of processing of personal data requires a legal basis that allows us to perform this processing. The legal basis primarily derives from the purpose for which the data is processed. The legality within a legal basis is generally determined by the specific extent of data processing and the measures we have taken to protect your data.

The legal bases for data processing are derived from Article 6(1) GDPR and for particularly sensitive data, such as health data, from Article 9(2) GDPR. These regulations list the preparation or fulfillment of contractual, legal, or societal obligations as the most important legal bases for data processing. In addition, many data processing activities are carried out in our legitimate interest unless the interests of the data subjects prevail in the specific circumstances. If one of the aforementioned legal bases is applicable, further consent from you is not required for processing.

Furthermore, data processing may occur based on your consent (Article 7 GDPR) or, for individuals under 16 years of age using services of the information society (e.g., websites, online games, social media platforms), together with the consent of a parent or guardian (Article 8 GDPR).

We explicitly state that none of our services requiring consent are directed at individuals under 16 years of age.

Part of our obligation to seek your consent may arise not only from the GDPR but also from the Telemedia Telecommunications Data Protection Act (TTDSG) or the Unfair Competition Act (UWG). We have taken these obligations into account without explicitly mentioning them below.

If data is transferred to a country outside the European Economic Area (EEA), we ensure that data protection, as defined in Articles 44-49 GDPR, is guaranteed. Such a transfer outside the EEA is referred to as a "third-country transfer" in data protection law.

General Note on Cookies

Cookies are a specific form of text entries that are stored on your device by your browser when you visit a website. Cookies can store various information. Sometimes, a cookie only stores a yes or no ("true" or "false") or a country identifier like "de" for the German language; sometimes, a string is stored that allows for the unique identification of the browser when revisiting the website (a so-called cookie ID).

The right to set cookies is not determined solely by the GDPR but primarily by § 25 TTDSG. The regulation distinguishes between essential cookies that are absolutely necessary for the operation of the online offering and those that are not. Essential cookies may be set without consent, but non-essential cookies always require consent, even if it is not required under the GDPR (e.g., when there is a legitimate interest as the legal basis or when the data is not personal).

Before storing non-essential cookies on your device, we will ask for your consent in accordance with the provisions of § 25 TTDSG.

You have various options to prevent the acceptance of cookies on your device:

a) The standard case is that when you visit one of our websites, you decide through our consent manager which cookies to allow and which not to allow. In some cases, we can only offer you a blanket acceptance or rejection of all cookies or cookie groups.

b) In general, you can configure your browser to never accept cookies. However, by completely excluding them, you are likely to lose functionalities that rely on cookies and that you may want to allow or that are not subject to consent requirements.

c) You can access websites in your browser's private mode. The private mode also prevents the placement of cookies in your browser's memory and automatically deletes all cookies at the end of the session.

d) Some browsers or browser plug-ins offer you the option to make more specific preferences about which cookies you want to accept as the default and which ones you do not.

e) A special case: Google provides a browser plug-in that blocks the setting of various Google cookies. You can find the corresponding plug-in here: https://tools.google.com/dlpage/gaoptout?hl=en

Specific Data Processing

Visiting Our Websites

Providing Our Websites

Description: In order for a web server to make our website available to your browser, the server must collect technical data about your device, your browser, and your internet connection. This is referred to as the so-called log file or web log. These are the same data that you leave behind when you visit any website. The focus is on the IP address from which you access our pages. The web server sends the data you want to see to this internet address.

Data Categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of internet browser; type and version of the operating system.

Data Recipients (if applicable, third-country transfer): Our hosting provider, who is bound by a data processing agreement ensuring data protection. In case of an attack on our website, disclosure to forensic experts and law enforcement agencies contracted by us. No third-country transfer occurs.

Purpose + Legal Basis: Providing our website and conducting investigations in case of unauthorized access to our websites (e.g., a hacking attempt). The legal basis is a legitimate interest, as operating a website is not possible without logging the web log. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with evidence of how the attack occurred.

Storage Duration: 7 days

Cookie Management

Description: For all consent-required cookies, we ask for your consent before storing them in your browser cache. The decisions you make are stored in a cookie called "Cookielaw" on your device, so we don't have to ask for your consent again when you revisit our websites. You can revise your decision at any time by deleting the corresponding cookie (named Cookielaw) from your device's browser settings.

Data Categories: Consent status

Data Recipients (if applicable, third-country transfer): None

Purpose + Legal Basis: Consent management for cookies. The legal basis is a legitimate interest, as storing the cookie decision only minimally restricts visitors' rights and simplifies the use of the site upon repeated visits. This cookie can also be set without your consent according to § 25 TTDSG, as the cookie selection represents an essential function.

Storage Duration: We store the consent cookie as a session cookie. It is automatically deleted when you leave our website.

reCAPTCHA

Description: When registering for our newsletter, we use the reCAPTCHA service from Google to verify whether you are a human or a so-called bot. reCAPTCHA allows us to distinguish between human and automated, abusive entries. By using the reCAPTCHA service, data about you is transmitted to Google. Google sets a cookie called "_GRECAPTCHA" (expiration: 6 months) in your browser's memory.

The data processing by reCAPTCHA is done in accordance with Google's privacy information: https://policies.google.com/privacy

We do not receive any data from Google about your usage behavior.

Data Categories: IP address from which the page is accessed; date and time of access; type and version of internet browser; type and version of the operating system; Google ID stored in cookies, as well as mouse movements in the reCAPTCHA checkbox area.

Data Recipients (if applicable, third-country transfer): Google LLC, accessible to us as a European organization through Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. In the event Google transfers data to third countries, Google guarantees the handling of data at EU data protection levels through the use of standard data protection clauses. Additionally, the company has certified itself according to the US-EU Privacy Shield standards, covering data transfers to the USA as of the EU Commission's adequacy decision from July 2023.

Purpose + Legal Basis: Securing our newsletter registration against bot attacks. The legal basis for data transfer is a legitimate interest, as there is a high interest in securing our infrastructure.

Storage Duration: The storage duration is within Google's responsibility. Data deletion is not required by us since we do not collect any data through the use of reCAPTCHA.

Online Fonts (Google Fonts)

Description: To enable individual design of our websites, we use so-called web fonts. These fonts are loaded by your browser from the internet to display our pages if the fonts have not been loaded into your browser's memory from a previous visit to a page with this font.

Mostly, the fonts are available directly on our own server. Therefore, it is not an independent processing beyond the "Providing Our Websites" processing. In some cases, we access fonts from external servers, such as Google Fonts, on the registration page for our newsletter. Google allows extremely fast provision of font files and ensures the provision of the currently optimal font set.

To download the fonts from Google's font servers (gstatic.com), your IP address must be transmitted to Google since the data packet cannot be transmitted otherwise. In connection with this processing, Google does not receive any additional data from you.

Data Categories: IP address from which your device connects to the internet, time.

Data Recipients (if applicable, third-country transfer): Google LLC, accessible to us as a European organization through Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. In case Google transfers data to third countries, Google guarantees handling of data at EU data protection levels through the use of standard data protection clauses. Additionally, the company has certified itself according to the US-EU Privacy Shield standards, covering data transfers to the USA as of the EU Commission's adequacy decision from July 2023.

Purpose + Legal Basis: Providing Google Fonts in a fast and up-to-date form. The legal basis is a legitimate interest, as this processing solely involves the transmission of your device's IP address without further references to your internet usage.

Storage Duration: The storage duration is within Google's responsibility. Data deletion by us is not possible since we do not collect any data from you through the use of Google Fonts.

Customers

Personal User Account (Webshop)

Description: You can create a personal user account on our website. Through this account, you can manage your purchases with us. We will send ordered goods and invoices to the addresses provided here.

We independently operate our own shop on web hosting that we have booked.

Data Categories: Registration data (name, email address, password), contact details (phone number, address), orders (goods/services, payment and delivery conditions, invoices), activity history (login, logout).

Data Recipients (if applicable, third-country transfer): Our web hosting service provider, who is bound by a data processing agreement ensuring data protection. No third-country transfer occurs.

Purpose + Legal Basis: Operating your user account serves to fulfill our respective terms of use. The legal basis is the fulfillment of our contractual obligations towards you.

Storage Duration: Your customer data remains active until your customer relationship with us ends. After that, we store the data depending on the respective retention requirements related to our business relationship.

Customer Database

Description: We maintain your data in our customer database, which we operate from our own servers. In the database, we store your contract and invoice data, as well as the history of your customer relationship with us. We use the database to manage communication with you, such as invoice delivery, marketing consents, or responses to your inquiries.

If you have set up a user account for our webshop with us, our customer database accesses the data stored in the webshop. If you order by phone from us, we record your order directly in our customer database.

Data Categories: Contact details (name, email address, phone number, address), orders (goods/services, payment and delivery conditions, invoices), activity history, marketing consents.

Data Recipients (if applicable, third-country transfer): None.

Purpose + Legal Basis: Use of a database that allows us to comprehensively support our customers from initial contact to billing. The legal basis for the immediate processing of an order is contract fulfillment, and partly a legitimate interest, as the use of the customer database enhances service levels and makes processes more efficient.

Storage Duration: We store your customer account for up to six years after the conclusion of the last customer contact. In this regard, we fulfill the retention obligation for business correspondence under commercial law.

Shipping Your Order

Description: We send ordered goods by mail, courier service, freight forwarding, or a similar logistics company. Compliance with data protection by these service providers is additionally regulated by postal law in addition to the GDPR and is supervised by the Federal Commissioner for Data Protection and Freedom of Information.

In addition to the postal address, shipping service providers nowadays also require the email address of the recipient in order to independently transmit notifications about the expected delivery date and an individual tracking code for shipment tracking. This established communication between logistics companies and recipients facilitates the delivery process for both parties. The logistics companies provide us with the tracking ID so that our service team can answer questions about the shipping status in case of delivery difficulties.

Data Categories: Name + address; email address; logistics company's tracking ID.

Data Recipients (if applicable, third-country transfer): Logistics companies subject to postal secrecy. Transfer to third countries only occurs when the shipment is destined for an address outside the European Economic Area. Data protection in these cases is ensured through international agreements on postal secrecy.

Purpose + Legal Basis: Delivery of ordered goods. The legal basis for providing the postal address is contract fulfillment. The provision of the email address follows a legitimate interest since communication of tracking IDs for shipment tracking has become the norm.

Storage Duration: Documentation of the shipping process must be kept for six years in accordance with commercial law requirements.

Print on Demand

Description: Some books are produced only after an order is placed (Print on Demand). This production takes place with a service provider of our publishing house, whom we regularly commission for direct shipping of the books to the purchasers. In this regard, the print shop acts as a data processor under the GDPR.

Data Categories: Name + address; ordered title.

Data Recipients (if applicable, third-country transfer): Our Print on Demand service provider, who is bound by a data processing agreement ensuring data protection. No third-country transfer occurs.

Purpose + Legal Basis: Delivery of ordered goods. The legal basis is contract fulfillment.

Storage Duration: Documentation of the shipping process must be kept for six years in accordance with commercial law requirements.

Billing Your Order

Description: If your order with us is not placed online and paid via credit card or PayPal, we invoice you or collect payment by direct debit (debit authorization). Invoices are created and sent internally by us. Direct debits are processed through our house bank. Your payment data is encrypted and stored by us in our webshop and then transmitted to our bank in encrypted form.

Data Categories: Your name, your bank details, invoice number, invoice amount.

Data Recipients (if applicable, third-country transfer): For the direct debit process, our house bank, which is a financial services provider subject to banking secrecy. No transfer to third countries occurs.

Purpose + Legal Basis: Payment processing. The legal basis for us is contract fulfillment, and for the house bank, it is based on a legitimate interest, as it is a service provider under banking supervision control.

Storage Duration: Booking documents must be kept for 10 years in accordance with tax law requirements.

PayPal Payment Service Provider

Description: In our webshop, you can pay for your order using the financial service provider PayPal. An encrypted connection is established from our webshop to PayPal. Through this connection, we communicate a transaction number, a description of the service, and the invoice amount to PayPal, and we redirect you to PayPal to authorize your payment. We do not receive any information about your bank account or credit card from PayPal. PayPal only notifies us when the invoice amount can be credited to us for a transaction number generated by us.

Regarding all transactions with PayPal, data protection is governed by your independent contractual relationship with PayPal.

PayPal, as a financial service provider, is subject to European banking supervision. Details regarding data protection at PayPal can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Data Categories: Transaction number, service description (booking text), and invoice amount.

Data Recipients (if applicable, third-country transfer): PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. No transfer to third countries occurs.

Purpose + Legal Basis: Processing your payment through your PayPal account. The legal basis is contract fulfillment for both PayPal and us.

Storage Duration: Booking documents must be kept for 10 years in accordance with tax law requirements.

Credit Card Payment Service Provider

Description: In our webshop, you can pay for your order using credit cards. We use the Saferpay service provided by the financial service provider Six Payment Services to process credit card payments. An encrypted connection is established from our webshop to Saferpay. Through this connection, we communicate a transaction number, service description, and the invoice amount to Saferpay, and we redirect you to Saferpay to verify your credit card information. We do not collect or store any data related to your credit card; we only store the corresponding transaction confirmation from Saferpay when the invoice amount is paid for a transaction number generated by us.

Six Payment Services, as a financial service provider, is subject to Swiss banking supervision. Details regarding data protection at Six Payment Services can be found at: https://www.six-payment-services.com/de/services/legal/privacy-statement.html

Data Categories: Transaction number, service description (booking text), and invoice amount.

Data Recipients (if applicable, third-country transfer): Six Payment Services AG, Switzerland. Data transfer to countries outside the European Economic Area is permissible since Switzerland is a country with data protection standards recognized by the EU.

Purpose + Legal Basis: Processing your payment by credit card. The legal basis is contract fulfillment for both Saferpay and us.

Storage Duration: Booking documents must be kept for 10 years in accordance with tax law requirements.

eLibrary

Description: We provide literature as an eLibrary, primarily aimed at educational institutions such as universities. We use a specialized hosting service provider and provide access to our (institutional) customers through interfaces.

Readers do not need to identify themselves within our infrastructure. What matters is that access to the eLibrary is made through an interface enabled for your institution.

However, readers can create a user account to save favorites (bookmarks), access their search history, and set up notifications for new publications.

Administrators and librarians of our customers are provided with user accounts with greater privileges, allowing them to configure various settings for their respective customer instances.

Data Categories: Classic weblog (IP address used for online access; location or country linked to the IP address, as well as the internet service provider for internet access; date and time of access; objects on our website accessed (clicked) in the browser; type and version of internet browser; type and version of the operating system); registration data (name, email address, password), activity history, saved settings (favorites, notification preferences).

Data Recipients (if applicable, third-country transfer): Our hosting service provider for the eLibrary is bound by a data processing agreement ensuring data protection. The service provider is located in the United Kingdom. Data transfer to the United Kingdom falls under the EU Commission's adequacy decision.

Purpose + Legal Basis: Providing an eLibrary for online access through specific interfaces for institutional customers, along with user accounts for readers and administrators. The legal basis is the fulfillment of our contractual obligations, as our contract with customers contains a service obligation to readers and administrators.

Storage Duration: The hosting service provider continuously deletes the weblog and data when it is no longer needed for a specific and lawful purpose.

Marketing Communication

Newsletter Registration

Description: You can subscribe to our email newsletter. To do so, you only need to provide an email address. Additional information, such as your name, is voluntary and is used to personalize the emails with a direct salutation.

When you subscribe to the newsletter online, you will receive an email to the address you provided, in which we ask you to confirm your registration. This is to prevent someone else from registering you for our newsletter who should not have access to that email address. This two-step process is called Double Opt-in for double consent.

By subscribing to our newsletter, you consent, both in terms of data protection and competition law, to receive emails on the topics described on the registration page.

You can revoke your registration and consent at any time for the future. This can be done both through the corresponding function on our website and through the link provided at the end of each newsletter sent by us.

We track the use of our newsletter through so-called tracking pixels. The tracking pixel accesses our newsletter server when you open the email.

Data Categories: Email address, documentation of email verification (Double Opt-in), time of your registration; your name (voluntary), your company/institution (voluntary); selection of specific newsletter packages; usage data (opening of the email).

Data Recipients (if applicable, third-country transfer): Our service provider for newsletter delivery, bound by a data processing agreement ensuring data protection. No third-country transfer takes place.

Purpose + Legal Basis: Providing an email newsletter and optimizing our newsletter content. The legal basis is your consent.

Storage Duration: Your data will be deleted immediately upon revocation of your consent.

Sending Catalogs and Other Information Materials

Description: We send information about our publishing products and services in the form of catalogs, publishing previews, and other advertising materials by postal mail to various recipient groups. Address data is partially printed for us by so-called lettershops, which act as data processors under the GDPR.

Recipients include private individuals who have requested such information. Additionally, recipients include individuals who work at bookstores or educational institutions whose field of expertise corresponds to the subject matter of our publishing house, authors affiliated with our publishing house, or individuals in other business relationships with our publishing house (referred to as business-to-business contacts, B2B).

If you wish to stop receiving such company information, we recommend setting up a marketing block with us instead of requesting data deletion. Deleting your data may result in your data being reintroduced into our database. By placing a marketing block on your data, we can prevent further mailings.

Data Categories: Name + address, marketing consent, organization + position, field of business.

Data Recipients (if applicable, third-country transfer): Our service provider for address printing and mailing (lettershop), bound by a data processing agreement ensuring data protection. No third-country transfer takes place. Postal service providers. Transfer to third countries only occurs when sending to an address outside the European Economic Area. Data protection in these cases is ensured through international agreements on postal secrecy.

Purpose + Legal Basis: Providing information about our publishing house's new releases. The legal basis is a legitimate interest, as company information by mail is generally permitted according to competition law regulations. However, direct advertising based on a legitimate interest can be objected to without providing reasons for the future. In some cases, the legal basis is your consent.

Storage Duration: Address data is no longer stored for mailing advertising materials as soon as consent is revoked, or mailing based on a legitimate interest is objected to, and data deletion is requested.

Authors, Service Providers, and Suppliers

Business Relationship

Description: We process personal data as a customer from our authors, suppliers, and service providers who are self-employed or partnerships, or our contact persons at such organizations, to communicate with them regarding the execution of orders.

In addition to substantive communication, your data is typically processed in the separately described processes of our "General Infrastructure" (see there).

Data Categories: Contact, contract, and invoice data.

Data Recipients (if applicable, third-country transfer): Tax consultants, auditors, lawyers in their capacity as professional confidentiality holders.

Purpose + Legal Basis: Proper business management. Legal bases include both contract fulfillment and legal obligations, as well as legitimate interests. In some cases, a research privilege (historical archiving) also applies.

Storage Duration: Invoice data must be kept for 10 years in accordance with tax law; contract data must be retained for varying durations depending on the type of contract. For copyright matters, such deadlines can extend up to 70 years beyond the author's death.

Mention in Publications

Description: In publications released by us, we credit authors in accordance with their right to be named. This credit extends to accompanying marketing and public relations work. If authors represent a relevant institution in relation to the publication, their affiliation with that institution is also mentioned. In some publications, professional contact details of authors are provided as a service to readers.

Data Categories: Name, academic titles; partial inclusion of institution and professional contact details.

Data Recipients (if applicable, third-country transfer): None.

Purpose + Legal Basis: Attribution of authorship. The legal basis for the name is fulfilling the author agreement. For contact details, the legal basis is a legitimate interest, as only professional contact information for relevant experts is disclosed.

Storage Duration: After printed publications are distributed, subsequent deletion by us is not possible.

Digital Signatures

Description: With some business partners, we confirm agreements (e.g., contract conclusions) using digital alternatives to handwritten signatures. We use the Adobe Sign service for this purpose.

Our business partners do not need their own Adobe accounts for this. However, if you agree to a corresponding digital request from us for an agreement in PDF format via Adobe Sign, certain data categories are captured and associated with the PDF.

Participation in Adobe Sign is voluntary. Alternatively, agreements can be confirmed in handwriting. If you wish for your data to be deleted from the Adobe system, you must contact us. If the underlying agreement remains valid or the document is still needed by us as evidence of a valid agreement, we must conclude a new agreement with handwritten confirmation before deleting the digitally confirmed PDF.

For deletion processes, see: https://helpx.adobe.com/de/sign/using/gdpr-compliance.html

More information in Adobe's privacy policy: https://www.adobe.com/de/privacy.html

Specific to Adobe Sign: https://www.adobe.com/de/privacy/policies-business/esign.html

Data Categories: Name, email address, IP address, time of document opening and signing.

Data Recipients (if applicable, third-country transfer): Adobe as a service provider for logging declarations of intent, acting as a data processor and bound by an appropriate agreement for data protection. Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland.

If the EU subsidiary transfers data to the US parent Adobe Inc. or other Adobe entities, Adobe guarantees handling of data at EU data protection levels through the use of standard data protection clauses. Additionally, the company has certified itself according to the standards of the US-EU Privacy Shield, covering data transfers from the EU Commission's adequacy decision on data transfers to the USA from July 2023.

Purpose + Legal Basis: Digital confirmation of agreements. The legal basis is contract fulfillment, as you have agreed to this form of confirmation.

Storage Duration: The logging data added to the PDF remains stored as long as the PDF or copies of it exist. The data stored at Adobe remains stored until we delete the corresponding record. This can occur upon your request after the expiration of the agreement term and subsequent retention periods.

Job Positions

Applications

Description: When you apply for a position with us, we process your application documents solely for the purpose of making a decision regarding your hiring until the conclusion of the application process. Access to your documents is restricted to individuals reasonably involved in the decision-making process.

If you are hired, your application documents become part of your personnel file. If you are not hired, we will either request your consent to include your details in our candidate pool or return or destroy your documents once it is no longer likely, under anti-discrimination law, that you will object to our decision.

Data Categories: Name + contact information (email, phone, address), photo, profile URL on professional networks (e.g., Xing); information in the cover letter, resume, certificates, and references, educational documents and professional qualifications, notes from application interviews (phone and in-person), and potentially results from aptitude tests.

Data Recipients (if applicable, third-country transfer): None.

Purpose + Legal Basis: Basis for hiring decisions. Legal basis is preparation of contract fulfillment (employment contract) and subsequently a legitimate interest in defending against objections to rejection decisions.

Storage Duration: 6 months after the conclusion of the original application process.

Candidate Pool

Description: If we cannot currently offer you a suitable position but wish to consider you for future vacancies, we request your consent to retain your application documents beyond the current application process. If more than two years pass without contact, we will request your consent for further retention, or we will return or delete your documents.

Data Categories: Name + contact information (email, phone, address), photo, profile URL on professional networks (e.g., Xing); information in the cover letter, resume, certificates, and references, educational documents and professional qualifications, notes from application interviews (phone and in-person), and potentially results from aptitude tests.

Data Recipients (if applicable, third-country transfer): None.

Purpose + Legal Basis: Basis for future hiring decisions. Legal basis is consent.

Storage Duration: 2 years from the last contact or consent.

General Infrastructure

Email Inbox, Contact Directory, Calendar

Description: We use Exchange accounts for email, contact directory, and calendar, which aggregate these data categories. Emails you send to us or receive from us, your contact details, and appointments with you are stored on the servers of our hosting provider and as local copies on the devices connected to our corresponding accounts.

Data Categories: Name, contact information (email, phone, address, fax), your company, your company's business area, your job title, your responsibilities, location, time and context of contact, and any special notes regarding your availability or the business topics discussed; timestamp of email sending/receiving; email content (text, documents, images, other files); typical metadata of an email.

Data Recipients (if applicable, third-country transfer): Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection through a data processing agreement. If the EU subsidiary transfers data to the US parent Microsoft Corp. or other Microsoft entities, Microsoft ensures data handling at EU data protection levels through standard data protection clauses. Additionally, the company has certified itself according to the US-EU Privacy Shield standards, covering data transfers under the EU Commission's adequacy decision for data transfers to the USA from July 2023.

Purpose + Legal Basis: Use of synchronized email inbox, calendar, and contact directory. Legal basis is legitimate interest since participation in modern business activities would not be efficiently and securely possible without such digital infrastructure.

Storage Duration: We retain emails and entries as long as necessary to fulfill a purpose. Depending on the content of an email, the business relationship with a contact, or the context of an appointment, this can result in different retention periods.

For example, if your email pertains to preparing a contract, the obligation from the Commercial Code (HGB) to retain business letters for six years applies.

Phone Calls

Description: When we have phone conversations, our telephone system or mobile phones record your number and the time of the call.

If the conversation's content suggests it, we create a conversation note and document it in the appropriate place (e.g., in the customer database or for applicants and employees in the HR department). It is possible that we add your data to our contact directory for further communication.

Audio recordings of conversations only occur exceptionally and after obtaining your explicit consent.

Data Categories: Phone number; time of the call; potentially, the content of the conversation.

Data Recipients (if applicable, third-country transfer): Telecommunication providers covered by telecommunications secrecy. There is no transfer to third countries.

Purpose + Legal Basis: Communication via telephone call. Legal basis depends on the conversation's content: preparation or fulfillment of a contract, or a legitimate interest in communication with you.

Storage Duration: Depends on the conversation's content. Individual conversation notes may fall under the commercial law obligation to retain business letters for six years.

Postal Mail

Description: If you send us a letter, we typically respond with a letter created on a computer and saved as a file. We often scan your letter to archive it digitally as part of our digital office management. The specific processing of personal data in our correspondence depends on the thematic content of the letters and resulting retention obligations. It is possible that we add your data to our contact directory for further communication.

Data Categories: Name + address; personal details in the content of the letters, such as additional contact details in your letterhead, inquiries, orders, offers, complaints, or other topics.

Data Recipients (if applicable, third-country transfer): Postal service providers. Transfer to third countries only occurs when sending to an address outside the European Economic Area. In these cases, data protection is ensured through international agreements regarding postal secrecy.

Purpose + Legal Basis: Communication via postal mail. Legal basis depends on the content of the correspondence: preparation or fulfillment of a contract, or a legitimate interest in communication with you.

Storage Duration: Depends on the content of the correspondence; in general, commercial law requires the retention of business letters for six years.

Video Conferences

Description: Video conferences for which we are the organizers are conducted using external service providers that fall under the TTDSG (German Telecommunications Telemedia Data Protection Act) and are thus legally obligated to data protection.

The extent of data processing depends on the specific features of the conference tool you use. You can participate with or without video or audio signals, with or without a profile picture, background picture, hand signals, or chat activities. At times, you may choose your own usernames.

Access to your camera and microphone is granted only with your explicit consent.

Before recording conferences, all participants are asked for their consent or inactivity. If a recording takes place, the conversation history can be transcribed automatically or manually.

Each participant can technically take screenshots or recordings in whole or in part outside of the conference tool. Such actions without prior agreement from all participants constitute a data protection violation by the individual and, if it is not one of our employees, is beyond our responsibility. Covert recordings of spoken words may constitute a criminal offense under § 201 of the German Criminal Code (StGB). We reserve the right to take legal action of any kind against individuals who misuse their participation in a video conference for data protection purposes.

Data Categories: Username, email address; participation times; video or audio signal; video or audio recording (only with consent); audio transcript (only after recording); actions in chat, status word submission; profile data (profile picture, contact information, background picture), phone number (for telephone participation); log file (IP address, device identifiers, activity history).

Data Recipients (if applicable, third-country transfer): Providers of video conferencing systems covered by the TTDSG. If providers conduct third-country transfers, the service provider guarantees data handling at EU data protection levels through standard data protection clauses. Some providers that are US companies or are part of a US corporation as EU subsidiaries have certified themselves according to the US-EU Privacy Shield standards, covering data transfers under the EU Commission's adequacy decision for data transfers to the USA from July 2023.

Purpose + Legal Basis: Use of a video conference. Legal basis is a legitimate interest, as video conferences are not possible without a minimum level of data processing. For recordings, consent is the legal basis.

Storage Duration: If no recording takes place, all data is deleted upon completion of the conference. If the conference is recorded, the recording is deleted once the last purpose for which the recording was created has been fulfilled.

Collaboration - Digital Cooperation (Teams)

Description: For digital collaboration, we use Microsoft Teams. Here, channels can be set up for individual groups or projects. In these channels, text-based exchanges can take place, files can be saved and jointly edited or commented on using Microsoft Office apps, and notes can be added. The basic functions of Teams can be extensively expanded through so-called widgets, such as collaborative task planning and assignment.

To collaborate via Teams, the Teams app must be installed on your mobile device or desktop/laptop. The responsibility for downloading the Teams app lies not with us but directly with Microsoft. By downloading the Teams app to your device, you establish an independent legal relationship between yourself and Microsoft.

A Microsoft 365 account is not required to use Teams; it can be used as an unregistered guest. If you have a Microsoft 365 account, the responsibility for it lies with you or the organization that provides you with the account. Through your 365 account, you can maintain your profile (profile picture, additional contact details).

Data transfer between your device and the Teams server requires Microsoft to be aware of the IP address through which you access Teams content. The servers also collect all types of data that typically arise when using telemedia services. Part of the Microsoft 365 services is Microsoft Graph, an automatic analysis function that evaluates the metadata of all files to improve their findability.

For information on data protection at Microsoft, please visit: https://privacy.microsoft.com/en-gb/privacystatement

Data Categories: Username, publications in Teams channels, saving and editing files stored in Teams, profile data (profile picture, contact details); other data categories such as IP address or email address are processed by Microsoft on their own responsibility.

Data Recipients (if applicable, third-country transfer): Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection through a data processing agreement. If the EU subsidiary transfers data to the US parent Microsoft Corp. or other Microsoft entities, Microsoft ensures data handling at EU data protection levels through standard data protection clauses. Additionally, the company has certified itself according to the US-EU Privacy Shield standards, covering data transfers under the EU Commission's adequacy decision for data transfers to the USA from July 2023.

Purpose + Legal Basis: Use of collaboration software for digital cooperation. Legal basis depends on the content of the collaboration: preparation or fulfillment of a contract or a legitimate interest in communication with you.

Storage Duration: Individual channels in Teams, as well as files stored there, are deleted as soon as the last purpose for which they were created or saved has been achieved. If your Office 365 account is deleted, the name entries for publications or file metadata in Teams will change to "unknown."

Faxing

Description: We use a classic fax machine in the form of a facsimile device. If you send us a fax, the document is made available as a printout from our receiving device. The device captures the sender data transmitted by you and documents it, along with the receipt time, on both the printout and in the device's journal. If we send you a fax, the journal records the recipient's number, sending time, page count, and transmission success.

The security of transmission corresponds to the security of modern telephone networks, which also transmit fax data as so-called Voice/Fax over IP. Within the network of a single network provider (e.g., Deutsche Telekom), the data is encrypted, and unencrypted transmission occurs at network handover points between companies that are subject to telecommunications secrecy and data protection.

Data Categories: Phone number, sender name if applicable, sending or receipt time, page count, transmission success; potentially, personal contents of the sent document.

Data Recipients (if applicable, third-country transfer): Telecommunication providers subject to telecommunications secrecy. There is no transfer to third countries, or it falls under international laws on telecommunications secrecy.

Purpose + Legal Basis: Communication via fax. Legal basis depends on the content of the conversation: preparation or fulfillment of a contract or a legitimate interest in communication with you.

Storage Duration: Dependent on the content of the sent document; in general, commercial law requires the retention of business letters for six years.

Invoicing

Description: When we issue an invoice to you, it involves the processing of personal data if the invoice recipient is a natural person (self-employed or a partner in a partnership) or if you are named as a contact person in the invoice. We create our invoices internally and store them in our accounting system.

Data Categories: Name, address, date, customer and invoice number, invoice amount, and invoice content.

Data Recipients (if applicable, third-country transfer): Our service provider for cloud-based accounting software, who is contractually obligated to data protection. There is no transfer to third countries.

Purpose + Legal Basis: Invoicing. Legal basis for us is contract fulfillment.

Storage Duration: Invoices are to be retained as accounting documents for 10 years in accordance with tax regulations.

Financial Accounting

Description: All payments are recorded in financial accounting. This involves documenting the identity of the payer or payee. For legal entities, this sometimes also includes the names and contact details of contact persons for the transaction. Sometimes, information about individuals or their activities can also be inferred from the reason for the payment (e.g., salary/honorarium payments, travel bookings, expense reimbursements).

We use cloud-based software for our accounting.

Data Categories: Name, customer or supplier number, bank details or credit card information, reason for payment, travel data (date, destination, accommodation, transportation, costs), entertainment expenses (date, location/establishment, individuals entertained, reason for entertainment, costs), information on other expenses (purchases, gifts).

Data Recipients (if applicable, third-country transfer): Our service provider for cloud-based accounting software, who is contractually obligated to data protection. There is no transfer to third countries.

Purpose + Legal Basis: Management of all payment transactions. Legal basis is contract fulfillment or legal obligation (tax and commercial law).

Storage Duration: We retain the data in financial accounting for 10 years in accordance with tax regulations.

Payment Transfers

Description: Payments made from our bank or credit card accounts are documented in bank statements.

Data Categories: Name, bank details, payment date, payment amount, payment reason (booking text).

Data Recipients (if applicable, third-country transfer): Our banking and credit card institutions, which are legally obligated to data protection through bank secrecy and banking supervision. There is no transfer to third countries.

Purpose + Legal Basis: Cashless payment transactions; legal basis is contract fulfillment.

Storage Duration: Bank statements are retained for 10 years in accordance with tax regulations.

IT Administration

Description: We use service providers for the administration, maintenance, and upkeep of our information technology. These service providers do not deal with the content of the personal data processed by us. However, in the maintenance of databases and other system components, it may happen that personal data is viewed by service providers. All our service providers have been expressly obligated to confidentiality through appropriate contracts, commensurate with the sensitivity of the data they may access.

Data Categories: Any type of data.

Data Recipients (if applicable, third-country transfer): IT service providers who are contractually obligated to data protection through data processing agreements or other forms of confidentiality obligations. There is no transfer to third countries.

Purpose + Legal Basis: Utilizing competent service providers for professional IT administration. Legal basis is a legitimate interest, as the service providers have been obligated to confidentiality in line with data protection requirements.

Storage Duration: Independent storage does not occur.

File Storage

Description: In addition to data capture in individual (previously described) databases, we store documents on our storage media. This typically includes office documents (Word, Excel, PowerPoint), PDF files, images, videos, layouts, and other formats of text, spreadsheet, and presentation files, as well as any type of file suitable for our business processes. Data protection questions related to the content of the files are determined by the relevant processing purposes. Additionally, the storage of files and the regularly associated metadata (primarily the creator's signature) results in independent processing. Office documents, in particular, contain personal metadata when worked on collaboratively (collaboration) using comment and note functions, as well as the change mode.

In addition to local storage, we use Microsoft 365 as a cloud solution for file storage (in Teams, SharePoint, or OneDrive). Part of the Microsoft 365 services is Microsoft Graph, an automatic analysis function that evaluates the metadata of all files to improve their findability.

Comprehensive information on the use of data collected by Microsoft can be found in Microsoft's privacy statement https://privacy.microsoft.com/en-gb/privacystatement.

Data Categories: Any type of data, but with a focus on metadata: file creator's signature, file editor's signatures (also in comments + notes); creation, editing, or storage time.

Data Recipients (if applicable, third-country transfer): Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is contractually obligated to data protection through a data processing agreement. If the EU subsidiary transfers data to the US parent Microsoft Corp. or other Microsoft entities, Microsoft ensures data handling at EU data protection levels through standard data protection clauses. Additionally, the company has certified itself according to the US-EU Privacy Shield standards, covering data transfers under the EU Commission's adequacy decision for data transfers to the USA from July 2023.

Purpose + Legal Basis: File storage in a high-performance data center and the use of modern search functionalities. Legal basis is a legitimate interest, as processing is carried out as part of data processing.

Storage Duration: Dependent on the storage time for each individual file.

Disposal of Data Carriers and Documents

Description: The deletion or destruction of data also constitutes data processing. Paper documents with correspondingly sensitive personal data are shredded by us or disposed of through the sealed containers of a professional document shredder. The quality level of the shredder used or the level of document destruction agreed upon with the service provider corresponds to the risk or confidentiality classification of the documents to be destroyed.

Storage media (hard drives, e.g., from servers, computers, smartphones, tablets, USB sticks, memory cards) on which sensitive personal data was previously stored but are no longer intended for data storage, are securely deleted by our IT administration through multiple complete overwrites or handed over to a professional media destruction service. The level of deletion or destruction corresponds to the risk or confidentiality classification of the data previously stored on the medium.

Data Categories: Any type of data.

Data Recipients (if applicable, third-country transfer): Service providers for professional paper document and media destruction who are obligated to data protection through data processing agreements. There is no transfer to third countries.

Purpose + Legal Basis: Risk-compliant destruction or deletion of personal data. Legal basis is the legal obligation for data minimization and deletion as per the GDPR.

Storage Duration: Storage beyond deletion/destruction does not occur.

Legal Proceedings

Description: In the event that we become involved in a legal dispute with you, we may disclose data about your person and the circumstances of the dispute to lawyers and, if necessary, to authorities or courts.

Data Categories: Name, contact details, information about the subject of the dispute.

Data Recipients (if applicable, third-country transfer): Lawyers, authorities, courts, bailiffs. All recipients are bound to confidentiality, either as public bodies or as holders of professional confidentiality. There is no transfer to third countries.

Purpose + Legal Basis: Legal proceedings. Legal basis is the legitimate interest in seeking legal representation with lawyers and potentially involving authorities or courts when necessary.

Storage Duration: The mentioned recipients of your data process it according to their own guidelines to fulfill their respective tasks. We store the data related to a legal dispute until the final conclusion of the dispute, including all relevant statutes of limitations and objection periods. If the possibility of a similar dispute with you or other individuals is conceivable, we will store at least the decision-relevant documents, possibly in anonymized form, for a longer period.

Data Protection Management

Description: When you assert your data protection rights against us, we document the associated communication and processes in our data protection management application.

Data Categories: Name, contact details, information about the data protection request.

Data Recipients (if applicable, third-country transfer): Our data protection officer, who is legally bound to confidentiality, is located in the EEA. Our service provider for the cloud application for data protection management, who is obligated to data protection through a data processing agreement, is located in the EEA. There is no transfer to third countries.

Purpose + Legal Basis: Data protection management. Legal basis is the legal accountability requirement under the GDPR.

Storage Duration: We store the data related to a data protection dispute until the final conclusion of the dispute, including all relevant statutes of limitations and objection periods. If the possibility of a similar dispute with you or other individuals is conceivable, we will store at least the decision-relevant documents, possibly in anonymized form, for a longer period.

Last Updated: October 2023