Privacy policy

Preamble

With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as "data"), the purposes for which we process them, and the scope of such processing. This privacy policy applies to all personal data processing activities we conduct, both in the context of providing our services and, in particular, on our websites, mobile applications, and external online presences, such as our social media profiles (collectively referred to as "online offering").


The terms used are not gender-specific.
 

Effective date: October 21, 2025

Content overview
  • Preamble

  • Controller

  • Data Protection Officer Contact

  • Overview of Processing

  • Legal Bases

  • Security Measures

  • Disclosure of Personal Data

  • International Data Transfers

  • General Information on Data Storage and Deletion

  • Business Services

  • Providers and Services Used in Business Activities

  • Credit Checks

  • Provision of Online Offering and Web Hosting

  • Acquisition of Applications via App Stores

  • Contact and Inquiry Management

  • Artificial Intelligence (AI)

  • Videoconferences, Online Meetings, Webinars, and Screen Sharing

  • Cloud Services

  • Promotional Communication via Email, Mail, Fax, or Telephone

  • Social Media Presences

  • Data Processing in Employment Relationships

  • Application Procedures

Controller

Arendi AG
Eichtalstraße 55
8634 Hombrechtikon
Switzerland

Authorized representative: Roger Nauer

Email: info@arendi.ch

Contact data protection officer

For questions regarding data protection, please contact our data protection advisor:
 

PlanSec AG
Dieter Huber
Sinserstrasse 67
6330 Cham
Switzerland
https://www.plansec.ch
mail@plansec.ch

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the affected individuals.

Types of data processed

  • Master data

  • Employee data

  • Payment data

  • Contact data

  • Content data

  • Contract data

  • Usage data

  • Meta, communication, and procedural data

  • Social data

  • Applicant data

  • Image and/or video recordings

  • Audio recordings

  • Log data

  • Performance and behavioral data

  • Working time data

  • Creditworthiness data

  • Salary data

 

Special categories of data

  • Health data

  • Religious or philosophical beliefs

  • Trade union membership

 

Categories of data subjects

  • Service recipients and clients

  • Employees

  • Interested parties

  • Communication partners

  • Users

  • Applicants

  • Business and contract partners

  • Depicted persons

  • Third parties

 

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations

  • Communication

  • Security measures

  • Direct marketing

  • Office and organizational procedures

  • Organizational and administrative procedures

  • Application procedures

  • Feedback

  • Marketing

  • Provision of our online offering and user-friendliness

  • Assessment of creditworthiness

  • Establishment and execution of employment relationships

  • IT infrastructure

  • Public relations

  • Sales promotion

  • Business processes and economic procedures

  • Artificial Intelligence (AI)

 

Automated individual decisions

  • Credit assessment

Legal bases

Legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence or registered office may also apply. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR): The data subject has given consent for processing their personal data for one or more specific purposes.

  • Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract.

  • Legal obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation.

  • Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, provided these are not overridden by the interests or fundamental rights and freedoms of the data subject.

  • Application procedures as pre-contractual or contractual relationships (Art. 6(1)(b) GDPR): Insofar as, within the scope of the application process, special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data such as disability status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise rights arising from labor law and social security law and fulfill their respective obligations, such data is processed pursuant to Art. 9(2)(b) GDPR. In cases where the protection of vital interests of applicants or other persons is at stake, processing is carried out pursuant to Art. 9(2)(c) GDPR, or for purposes of preventive health care or occupational medicine, for assessing the working capacity of the employee, for medical diagnosis, for the provision or treatment in the health or social sector, or for the management of systems and services in the health or social sector pursuant to Art. 9(2)(h) GDPR. If special categories of data are provided voluntarily based on consent, processing is carried out on the basis of Art. 9(2)(a) GDPR.

  • Processing of special categories of personal data in relation to health, profession, and social security (Art. 9(2)(h) GDPR): The processing is necessary for purposes of preventive health care or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services, on the basis of Union law or the law of a Member State or pursuant to a contract with a health professional.

 

Relevant legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (abbreviated as “Swiss DPA”). Unlike, for example, the GDPR, the Swiss DPA generally does not require that a legal basis for the processing of personal data be specified, and the processing of personal data is carried out in good faith, lawfully, and proportionately (Art. 6 para. 1 and 2 of the Swiss DPA). Furthermore, we only collect personal data for a specific purpose that is recognizable to the data subject and only process it in a manner compatible with that purpose (Art. 6 para. 3 of the Swiss DPA).

Note on the applicability of the GDPR and Swiss DPA: These privacy notices serve both as information under the Swiss DPA and under the General Data Protection Regulation (GDPR). For this reason, please note that, due to the broader territorial scope and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DPA such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the terms used in the GDPR—“processing” of “personal data,” “legitimate interest,” and “special categories of data”—are applied. However, the legal meaning of the terms continues to be determined according to the Swiss DPA within the scope of its applicability.

Security measures

We take appropriate technical and organizational measures, in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, securing availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also take into account the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

 

IP Address Truncation:
If IP addresses are processed by us or by service providers and technologies we use, and the processing of a full IP address is not necessary, the IP address is truncated (also referred to as "IP masking"). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The truncation of the IP address is intended to prevent or significantly hinder the identification of a person based on their IP address.

 

Securing Online Connections via TLS/SSL Encryption Technology (HTTPS):
To protect the data of users transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.

 

Disclosure of personal data

In the course of our processing of personal data, it may occur that such data is transferred to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International data transfers

If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies (which can be recognized by the postal address of the respective provider or if the privacy policy explicitly refers to data transfer to third countries), this is always carried out in compliance with legal requirements.

 

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

 

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should changes occur within the DPF, the standard contractual clauses act as a reliable fallback option. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes.

 

For each service provider, we inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

 

For data transfers to other third countries, corresponding security measures apply, in particular standard contractual clauses, explicit consents, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

 

Disclosure of personal data abroad: According to the Swiss Federal Act on Data Protection (DSG), we only disclose personal data abroad if adequate protection of the affected persons is ensured (Art. 16 Swiss DSG). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative security measures.

 

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of Switzerland on June 7, 2024. In addition, we have concluded standard data protection clauses with the respective providers, which have been approved by the Swiss Federal Data Protection and Information Commissioner (EDÖB) and establish contractual obligations to protect your data.

 

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the standard data protection clauses serve as additional security. Should changes occur within the DPF, the standard data protection clauses act as a reliable fallback option. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes.

 

For each service provider, we inform you whether they are certified under the DPF and whether standard data protection clauses are in place. The list of certified companies and further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

 

For data transfers to other third countries, corresponding security measures apply, including international treaties, specific guarantees, standard data protection clauses approved by the EDÖB, or internal data protection regulations recognized in advance by the EDÖB or a competent data protection authority of another country.

General Information on data storage and deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases where the original purpose of processing ceases to exist or the data is no longer needed. Exceptions to this rule exist if statutory obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that apply specifically to certain processing operations.

If there are multiple indications of retention periods or deletion deadlines for a piece of data, the longest period always applies. Data that is no longer required for the originally intended purpose but is retained due to legal requirements or other reasons is processed exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general periods apply for retention and archiving under Swiss law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).

  • 10 years – Data that is necessary for the consideration of potential claims for damages or similar contractual claims and rights, as well as for the processing of related inquiries, based on previous business experience and usual industry practices, is stored for the period of the statutory limitation period of ten years, unless a shorter period of five years is relevant, which applies in certain cases (Art. 127, 130 CO). After five years, claims for rent, lease and capital interest as well as other periodic services, for the delivery of food, for board and lodging debts, as well as from craft work, retail sales of goods, medical care, professional work by lawyers, legal agents, attorneys and notaries, and from the employment relationship of employees become time-barred (Art. 128 CO).

 

Commencement of the period at the end of the year: If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the date on which the termination becomes effective or other ending of the legal relationship.

Business services

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners"), within the framework of contractual and comparable legal relationships as well as related measures and with regard to communication with the contractual partners (or pre-contractually), for example, to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any update obligations, and remedies for warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for the purposes of administrative tasks associated with these obligations as well as corporate organization. In addition, we process the data on the basis of our legitimate interests both in proper and economically efficient business management and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In accordance with applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the purposes or to fulfill legal obligations. Further forms of processing, such as for marketing purposes, are explained to the contractual partners within this privacy policy.

Which data is required for the aforementioned purposes is communicated to the contractual partners before or during data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for statutory archiving reasons (for tax purposes, usually ten years). Data that has been disclosed to us by the contractual partner in the context of an assignment is deleted in accordance with the specifications and generally after the end of the assignment.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter of the contract, duration, customer category).

  • Categories of data subjects: Service recipients and clients; interested parties; business and contract partners.

  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and economic procedures.

  • Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

 

Further information on processing activities, procedures, and services:

  • Project and development services: We process the data of our customers as well as clients (hereinafter collectively referred to as "customers") in order to enable them to select, acquire, or commission the chosen services or works as well as related activities, and also their payment and provision or execution or delivery. The required information is identified as such in the context of the order, purchase, or comparable contract conclusion and includes the information necessary for the provision of services and billing, as well as contact information to enable any necessary follow-up communication. Insofar as we gain access to information of end customers, employees, or other persons, we process this in accordance with legal and contractual requirements; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

  • Provision of software and platform services: We process the data of our users, registered users, and any test users (hereinafter collectively referred to as "users") in order to provide them with our contractual services and, on the basis of legitimate interests, to ensure the security of our offering and to further develop it. The required information is identified as such in the context of the order, purchase, or comparable contract conclusion and includes the information necessary for the provision of services and billing, as well as contact information to enable any necessary follow-up communication; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

  • Technical Services: We process the data of our customers as well as clients (hereinafter collectively referred to as "customers") in order to enable them to select, acquire, or commission the chosen services or works as well as related activities, and also their payment and provision or execution or delivery.
    The required information is identified as such in the context of the order, purchase, or comparable contract conclusion and includes the information necessary for the provision of services and billing, as well as contact information to enable any necessary follow-up communication. Insofar as we gain access to information of end customers, employees, or other persons, we process this in accordance with legal and contractual requirements; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Providers and services used in business activities

In the course of our business activities, we use additional services, platforms, interfaces, or plug-ins from third-party providers (hereinafter referred to as "services") in compliance with legal requirements. Their use is based on our interests in the proper, lawful, and economical management of our business operations and our internal organization.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and contributions as well as information relating to them, such as authorship or time of creation); contract data (e.g., subject matter of the contract, duration, customer category).

  • Categories of data subjects: Service recipients and clients; interested parties; business and contract partners.

  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and economic procedures.

  • Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Credit check

If we provide goods or services in advance or assume comparable economic risks (e.g., in the case of purchase on account), we reserve the right, in order to safeguard our legitimate interests, to obtain an identity and credit check for the purpose of assessing credit risk based on mathematical-statistical procedures from specialized service providers (credit agencies).

The information received from the credit agencies regarding the statistical probability of a payment default is processed by us as part of a proper discretionary decision regarding the establishment, execution, and termination of the contractual relationship. We reserve the right, in the event of a negative result of the credit check, to refuse payment on account or any other advance performance.

The decision as to whether we provide advance performance is made solely on the basis of an automated individual decision in accordance with legal requirements, which our software makes based on the information from the credit agency.

If we obtain explicit consent from contractual partners, the legal basis for the credit check and the transmission of the customer's data to the credit agencies is consent. If no consent is obtained, the credit check is carried out on the basis of our legitimate interests in the security of our payment claims.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter of the contract, duration, customer category). Creditworthiness data (e.g., credit score received, estimated probability of default, risk classification based on this, historical payment behavior).

  • Categories of data subjects: Service recipients and clients; interested parties; business and contract partners.

  • Purposes of processing: Assessment of creditworthiness and credit standing.

  • Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

  • Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

  • Automated individual decisions: Credit report (decision based on a credit check).

Provision of the online offering and web hosting

We process the data of users in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Log data (e.g., log files concerning logins or the retrieval of data or access times).

  • Categories of data subjects: Users (e.g., website visitors, users of online services).

  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.

  • Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

 

Further information on processing activities, procedures, and services:

  • Provision of Online Offering on Rented Storage Space:
    For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from an appropriate server provider (also referred to as a "web host"); Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

  • Collection of Access Data and Log Files:
    Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, for example, to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and also to ensure the utilization and stability of the servers; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Obtaining applications via app stores

The acquisition of our application takes place via special online platforms operated by other service providers (so-called "app stores"). In this context, in addition to our privacy notices, the privacy notices of the respective app stores also apply. This is particularly relevant with regard to the procedures used on the platforms for reach measurement and interest-based marketing, as well as any associated costs.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Categories of data subjects: Service recipients and clients. Users (e.g., website visitors, users of online services).

  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Provision of our online offering and user-friendliness.

  • Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

Contact and request management

When contacting us (e.g., by mail, contact form, email, telephone, or via social media) as well as in the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and contributions as well as information relating to them, such as authorship or time of creation); contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Categories of data subjects: Communication partners; service recipients and clients; interested parties; business and contract partners.

  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online offering and user-friendliness; provision of contractual services and fulfillment of contractual obligations; office and organizational procedures.

  • Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Close CRM: Customer management, process and sales support with personalized customer care and multi-channel communication, i.e. management of customer inquiries from different channels, as well as analysis and feedback functions; Service Provider: Elastic Inc, PO Box 1145, Jackson, WY 83001, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.close.com. Privacy Policy: https://www.close.com/gdpr.

Artificial Intelligence (AI)

We use artificial intelligence (AI) to process personal data. The specific purposes and our interest in the use of AI are listed below. By AI, in accordance with the concept of an "AI system" as defined in Article 3(1) of the AI Regulation, we mean a machine-based system that is designed to operate autonomously to varying degrees, can be adaptable after its introduction and produces results such as predictions, content, recommendations or decisions from the inputs received, which may affect physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations for artificial intelligence and data protection requirements. In doing so, we adhere in particular to the principles of legality, transparency, fairness, human control, purpose limitation, data minimization and integrity as well as confidentiality. We ensure that the processing of personal data is always carried out on a legal basis. This can be either the consent of the data subjects or a legal permission.

When using external AI systems, we carefully select their providers (hereinafter referred to as "AI providers"). In accordance with our legal obligations, we ensure that AI providers comply with applicable regulations. We also observe our obligations when using or operating the AI services we receive. The processing of personal data by us and the AI providers is carried out exclusively on the basis of consent or legal authorization. In doing so, we place particular emphasis on transparency, fairness and maintaining human control over AI-supported decision-making processes.

To protect the processed data, we implement appropriate and robust technical and organizational measures. These ensure the integrity and confidentiality of the processed data and minimise potential risks. Through regular reviews of AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.

  • Types of data processed: Content data (e.g., textual or pictorial messages and posts, and information about them, such as authorship or time of creation). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).

  • Data subjects: Users (e.g. website visitors, users of online services). Third parties.

  • Purposes of processing: Artificial Intelligence (AI).

  • Retention and deletion: Deletion as specified in the section "General information on data storage and deletion".

Video conferences, online meetings, webinars and screen sharing

We use third-party platforms and applications (hereinafter referred to as "Conference Platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as the "Conference"). When selecting the conference platforms and their services, we observe the legal requirements.

Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of the participants listed below. The scope of the processing depends on which data is required in the context of a specific conference (e.g. provision of access data or real names) and on which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, the data of the participants may also be processed by the conference platforms for security purposes or service optimization. The data processed includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the end devices of the participants, their operating system, the browser and its technical and linguistic settings, information on the content-related communication processes, i.e. entries in chats as well as audio and language settings, video data, and the use of other available functions (e.g. surveys). The contents of the communications are encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, then further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text inputs, participation results (e.g. from surveys) and video or audio recordings are logged, this will be communicated transparently to the participants in advance and they will be asked for consent if necessary.

Data protection measures of the participants: Please refer to the details of the processing of your data by the conference platforms in their privacy policy and select the optimal security and data protection settings for you within the framework of the settings of the conference platforms. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by notifying roommates, locking doors and, as far as technically possible, using the function to blur the background). Links to the conference rooms as well as access data may not be passed on to unauthorized third parties.

Information on legal bases: If, in addition to the conference platforms, we also process the data of the users and ask the users for their consent to the use of the conference platforms or certain functions (e.g. consent to a recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary for the fulfilment of our contractual obligations (e.g. in participant lists, in the case of processing the results of conversations, etc.). In addition, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and posts, and information about them, such as authorship or time of creation); Usage Data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Image and/or video recordings (e.g. photographs or video recordings of a person); Sound recordings. Log data (e.g. log files regarding logins or the retrieval of data or access times).

  • Data subjects: communication partners; Users (e.g., website visitors, users of online services). People depicted.

  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Communication. Office and organizational procedures.

  • Retention and deletion: Deletion as specified in the section "General information on data storage and deletion".

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Microsoft Teams: Used to conduct online events, conferences and communication with internal and external participants. Voice transmission, direct messages, group communication and collaboration functions are used; name, business contact details, work profile, attendance and content (audio/video, voice, chat, files, voice transcription) are processed for the purposes of, and on the basis of our interest in, increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, IT security, use of a central platform and business processing by Microsoft. Audio signals are generally not stored, except when recording is activated. Meeting and conference recordings are stored for 90 days by default, unless a different duration is specified. Chat and file contents are stored according to the guidelines determined by the administrator or user; no automatic deletion is preset. Channels must be renewed every 180 days, otherwise content will be deleted. In addition, system-generated log data, diagnostic data and metadata are processed, and diagnostic data on product stability, security and improvement are collected; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter.
    Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

Cloud services

We use software services accessible via the Internet and running on their providers' servers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).

In this context, personal data may be processed and stored on the providers' servers, insofar as they are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of the users, data on processes, contracts, other processes and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.

If we use the cloud services to provide forms or similar documents and content to other users or publicly accessible websites, the providers may store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).

  • Types of data processed: inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and posts, and information about them, such as authorship or time of creation). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).

  • Data subjects: Interested parties; Communication partners. Business and contractual partners.

  • Purposes of processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).

  • Retention and deletion: Deletion as specified in the section "General information on data storage and deletion".

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Microsoft EU Data Boundary: Our use of Microsoft cloud services takes place under the so-called "EU Data Boundary", which ensures that data is stored and processed within the European Union (EU) and the European Free Trade Association (EFTA).

    The EU Data Boundary is a defined region in which Microsoft commits to store and process customer data and personal data for certain online services (Microsoft 365, Azure, Dynamics 365, and the Power Platform). Companies that use these services can ensure that their data stays within the EU/EFTA region.

    This includes both general customer data and support data generated in the context of technical services. In many cases, pseudonymized data is also processed within this region.

    The EU Data Boundary covers all EU countries as well as the EFTA states (Liechtenstein, Iceland, Norway and Switzerland). Microsoft operates data centers in several of these countries, including Germany, France, Ireland, the Netherlands, Sweden, Spain, and Switzerland. Other locations may be added.

    Microsoft automatically creates logs as part of operations to ensure the security and functionality of its services. These logs mainly contain technical information, but in certain cases they may also include personal data, such as when documenting user actions.

    To protect this data, Microsoft uses techniques such as encryption, masking, and tokenization (replacing sensitive data with untraceable strings). This ensures that Microsoft employees only see pseudonymized data and cannot draw direct conclusions about individual users. There are also strict access rules and deletion deadlines for this data.

    Microsoft has assured that data transfers outside the EU will only take place in a few, well-defined cases. This may be necessary, for example, to implement global cybersecurity measures or to ensure the functionality of cloud services. These transfers are always carried out under high security standards such as encryption and pseudonymization.

    To learn more about the EU Data Boundary and Microsoft's privacy practices, visit the Microsoft EU Data Boundary Trust Center: https://www.microsoft.com/en-us/trust-center/privacy/eu-data-boundary.

Advertising communication via e-mail, post, fax or telephone

We process personal data for the purposes of advertising communication, which can be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with the legal requirements.

Recipients have the right to revoke their consent at any time or to object to advertising communications at any time.

After revocation or objection, we store the data required to prove the previous authorisation for contacting or sending you data for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. On the basis of the legitimate interest in permanently observing the revocation or objection of the users, we also store the data necessary to avoid renewed contact (e.g. e-mail address, telephone number, name, depending on the communication channel).

  • Types of data processed: inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers). Content data (e.g., textual or pictorial messages and posts, and information about them, such as authorship or time of creation).

  • Data subjects: Communication partners.

  • Purposes of processing: direct marketing (e.g. by e-mail or post); Marketing. Promotion.

  • Retention and deletion: Deletion as specified in the section "General information on data storage and deletion".

  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Presences on social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the area of the European Union. This can result in risks for users, for example, because it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the user behavior and the resulting interests of the users. These profiles may in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of the users. Therefore, cookies are usually stored on the users' computers, in which the users' usage behaviour and interests are recorded. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if they are members of the respective platforms and logged in there).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can directly take appropriate measures and provide information. If you still need help, you can contact us.

  • Types of data processed: contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and posts, and information about them, such as authorship or time of creation). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing: communication; Feedback (e.g. collecting feedback via online form). Public relations.

  • Retention and deletion: Deletion as specified in the section "General information on data storage and deletion".

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • LinkedIn: Social Network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data, which is used to create the "page insights" (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. Details are also collected about the devices used, such as IP addresses, operating system, browser type, language settings, and cookie data, as well as information from user profiles, such as job function, country, industry, hierarchical level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular what security measures LinkedIn must observe and in which LinkedIn has agreed to comply with the rights of the data subjects (i.e. users can, for example, direct requests for information or deletion to LinkedIn). The rights of users (in particular the right to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transfer of the data to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is the exclusive responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transmission of the data to the parent company LinkedIn Corporation in the USA; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Processing of data in the context of employment relationships

In the context of employment relationships, personal data is processed with the aim of effectively establishing, implementing and terminating such relationships. This data processing supports various operational and administrative functions required for the management of employee relations.

Data processing includes various aspects, ranging from the initiation of contracts to the termination of the contract. This includes the organization and administration of daily working hours, the management of access rights and authorizations, as well as the handling of personnel development measures and employee appraisals. Processing is also used for accounting and managing payroll payments, which are critical aspects of contract execution.

In addition, the data processing takes into account the legitimate interests of the responsible employer, such as ensuring safety in the workplace or recording performance data for the evaluation and optimisation of operational processes. Furthermore, data processing includes the disclosure of employee data in the context of external communication and publication processes, where this is necessary for operational or legal purposes.

The processing of this data is always carried out in compliance with the applicable legal framework, with the aim of always creating and maintaining a fair and efficient working environment. This also includes the consideration of the data protection of the employees concerned, the anonymisation or deletion of data after fulfilment of the purpose of processing or in accordance with statutory retention periods.

  • Types of data processed: employee data (information on employees and other persons in an employment relationship); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of the contract, term, customer category); Inventory data (e.g., full name, home address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and posts, and information about them, such as authorship or time of creation); social data (data subject to social secrecy and processed, for example, by social security institutions, social welfare agencies or pension authorities); Log data (e.g. log files relating to logins or the retrieval of data or access times); Performance and behavioral data (e.g., performance and behavioral aspects such as performance evaluations, feedback from supervisors, training attendance, company policy compliance, self-evaluations, and behavioral reviews); Working time data (e.g. start of working hours, end of working hours, actual working hours, target working hours, break times, overtime, vacation days, special vacation days, sick days, absences, home office days, business trips); Salary data (e.g. basic salary, bonus payments, bonuses, tax bracket information, bonuses for night work/overtime, tax deductions, social security contributions, net payout amount); Image and/or video recordings (e.g. photographs or video recordings of a person); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and procedural data (e.g. IP addresses, times, identification numbers, persons involved).

  • Special categories of personal data: health data; Religious or ideological beliefs. Trade union membership.

  • Data subjects: Employees (e.g. employees, applicants, temporary staff and other employees).

  • Purposes of processing: Establishment and implementation of employment relationships (processing of employee data in the context of the establishment and implementation of employment relationships); business processes and business procedures; Provision of contractual services and fulfilment of contractual obligations; Public relations. Security Measures.

  • Legal basis: Performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9 para. 2 lit. h) GDPR).

Further information on processing operations, procedures and services:

  • Time tracking: Procedures for recording employees' working hours include both manual and automated methods, such as the use of time clocks, time tracking software, or mobile apps. Activities such as entering arrival and departure times, break times, overtime and absences are carried out. Checking and validating the recorded working hours includes comparison with deployment or shift schedules, checking absenteeism and approving overtime by supervisors. Reports and analytics are generated based on tracked working hours to provide timesheets, overtime reports, and absence statistics for management and HR; Legal basis: Performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Authorization management: procedures required in defining, managing, and controlling access rights and user roles within a system or organization (e.g., creation of authorization profiles, role- and access-based control, review and approval of access requests, periodic review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Special categories of personal data: Special categories of personal data are processed in the context of the employment relationship or to comply with legal obligations. The special categories of personal data processed include data relating to the health, trade union membership or religious affiliation of employees. This data may be passed on to the health insurance companies, for example, or processed to assess the employees' ability to work or for occupational health management or for information provided to the tax office; Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Business trips and expense reporting: procedures required in the planning, implementation and accounting of business trips (e.g. booking trips, arranging accommodation and transport, managing travel expense advances, submitting and auditing expense reports, controlling and accounting for expenses incurred, complying with travel guidelines, handling travel expense management); Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Payroll and salary accounting: Procedures required for the calculation, payment and documentation of wages, salaries and other remuneration of employees (e.g. recording of working hours, calculation of deductions and surcharges, payment of taxes and social security contributions, preparation of payroll accounting, management of payroll accounts, reporting to the tax office and social security institutions); Legal basis: Performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR).

  • Deletion of employee data: Employee data in Switzerland is deleted when it is no longer necessary for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or due to the interests of the employer. The following retention and archiving obligations are observed:

    • 10 years - retention period for books and records, annual financial statements, inventories, annual reports, opening balance sheets, accounting documents and invoices as well as all necessary work instructions and other organisational documents (Art. 958f of the Swiss Code of Obligations (CO)).

    • 10 years - Data necessary for the consideration of potential claims for damages or similar contractual claims and rights, as well as for the processing of related requests, based on past business experience and common industry practices, will be retained for the statutory limitation period of ten years, unless a shorter period of five years is applicable, which is relevant in certain cases (Art. 127, 130 CO). Claims expire after five years for rents, lease and capital interest payments as well as other periodic services, for the supply of foodstuffs, for catering and restaurant debts as well as from craft services, retail sales of goods, medical care, professional work of lawyers, legal agents, procurators and notaries and from the employment relationship of employees (Art. 128 CO).

  • Personnel file management: procedures required in the organization, updating and management of employee data and documents (e.g. recording of personnel master data, storage of employment contracts, references and certificates, updating of data in the event of changes, compilation of documents for employee interviews, archiving of personnel files, compliance with data protection regulations); Legal bases: Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), Processing of special categories of personal data relating to healthcare, profession and social security (Art. 9 para. 2 lit. h) GDPR).

  • Personnel development, performance evaluation and appraisal interviews: Procedures that are required in the area of promotion and development of employees as well as in the assessment of their performance and in the context of employee appraisals (e.g. needs analysis for further training, planning and implementation of training measures, preparation of performance evaluations, implementation of target agreement and feedback discussions, career planning and talent management, succession planning); Legal bases: Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), Processing of special categories of personal data relating to healthcare, profession and social security (Art. 9 para. 2 lit. h) GDPR).

  • Obligation to provide data: The controller informs employees that it is necessary to provide their data. This is generally the case if the data is necessary for the establishment and implementation of the employment relationship or if its collection is required by law. The provision of data may also be necessary if employees assert claims or if employees are entitled to claims. The performance of these measures or the performance of services is dependent on the provision of this data (for example, the provision of data for the purpose of receiving wages); Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Publication and disclosure of employee data: Employee data will only be published or disclosed to third parties if this is necessary for the performance of work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers following consultation or in accordance with the agreed job description, or if their area of responsibility includes representative functions. This may also be the case if presentation to or communication with the public takes place in the course of performing their tasks, such as photographs taken in the context of public relations work. Otherwise, employee data will only be published with their consent or on the basis of the employer's legitimate interests, for example in the case of stage or group photographs taken at a public event; Legal basis: Performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Application procedure

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided there.

In principle, the required information includes personal information, such as name, address, a contact option and proof of the qualifications necessary for a job. On request, we will also be happy to tell you which information is required.

If available, applicants are welcome to submit their applications via our online form, which is encrypted according to the latest state of the art. Alternatively, it is also possible to send applications to us by e-mail. However, we would like to point out that e-mails on the Internet are generally not sent in encrypted form. Although e-mails are typically encrypted in transit, they are not encrypted on the servers from which they are sent and on which they are received. Therefore, we cannot assume any responsibility for the security of the application on its transmission path between the sender and our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may make use of applicant management and recruitment software and third-party platforms and services, in compliance with the legal requirements.

Applicants are welcome to contact us about the method of submitting the application or to send us the application by post.

Processing of special categories of data: To the extent that special categories of personal data (Art. 9 para. 1 GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from or communicated by applicants in the context of the application process, they are processed so that the controller or the data subject can exercise the rights arising for him or her under labour law and social security and social protection law and fulfil his or her obligations in this regard, in the case of the protection of the vital interests of applicants or other persons, or for the purposes of preventive health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, for health or social care or treatment, or for the management of health or social care systems and services.

Deletion of data: The data provided by the applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is not successful, the applicant's data will be deleted. Candidates' data will also be deleted when an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicants, the deletion will take place after a period of six months at the latest, so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

Admission to an applicant pool: Admission to an applicant pool, if offered, is based on consent. Applicants are instructed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process and that they can revoke their consent at any time for the future.

  • Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or pictorial messages and posts, and information about them, such as authorship or time of creation); Applicant data (e.g. personal details, postal and contact addresses, the documents associated with the application and the information contained therein, such as cover letter, CV, certificates and other information relating to a specific position or voluntarily provided by applicants regarding their person or qualifications).

  • Data subjects: Applicants.

  • Purposes of processing: Application procedure (establishment and possible subsequent implementation as well as possible later termination of the employment relationship).

  • Retention and deletion: Deletion as specified in the section "General information on data storage and deletion".

  • Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR).
