Privacy Policy

Customise Cookie Settings

You can adjust or withdraw your consent at any time.

Preamble

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender specific.

Status: 15 June 2026

Table of contents

  • Preamble
  • Person responsible
  • Contact data protection officer
  • Overview of processing
  • Relevant legal bases
  • Safety measures
  • Transmission of personal data
  • International data transfers
  • Rights of the data subjects
  • General information on data storage and deletion
  • Business services
  • Business processes and procedures
  • Payment procedure
  • Provision of the online offer and web hosting
  • Use of cookies
  • Blogs and publication media
  • Contact and enquiry management
  • Registration and provision of media library content
  • Toolfinder – enquiry and comparison of HR tools
  • Freelancer pool – registration and placement
  • Customer testimonials and references
  • Video conferences, online meetings, webinars and screen sharing
  • Cloud services
  • Newsletter and electronic notifications
  • Advertising communication via e-mail, post, fax or telephone
  • Web analysis, monitoring and optimisation
  • Customer reviews and evaluation process
  • Presence in social networks (social media)
  • Plug-ins and embedded functions and content
  • Management, organisation and support tools
  • Processing of data in the context of employment relationships
  • Application procedure

Person responsible

Edl Consulting AG
Haldenstrasse 14
8716 Schmerikon
Switzerland

Persons authorised to represent the company: Alexandra Edl, Ralf Edl

E-mail address: [email protected]

Contact data protection officer

If you have any questions about data protection, please contact our data protection advisor:

PlanSec AG
Dieter Huber
Sinserstrasse 67
CH-6330 Cham

[email protected]
https://www.plansec.ch

Overview of processing

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Employee data.
  • Payment data.
  • Contact details.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and process data.
  • Social data.
  • Applicant data.
  • Image and/or video recordings.
  • Sound recordings.
  • Protocol data.
  • Performance and behaviour data.
  • Working time data.
  • Creditworthiness data.
  • Salary data.

Special categories of data

  • Health data.
  • Religious or ideological beliefs.
  • Trade union membership.
  • Data on sexual orientation.

Categories of data subjects

  • Employees.
  • Customers.
  • Interested parties.
  • Communication partner.
  • Users.
  • Applicants.
  • Business and contractual partners.
  • Pupils/students/participants.
  • Subscribers.
  • Third parties.
  • Participants of competitions and campaigns.

Purposes of processing

  • Provision of contractual services and fulfilment of contractual obligations.
  • Communication.
  • Safety measures.
  • Direct marketing.
  • Range measurement.
  • Office and organisational procedures.
  • Organisational and administrative procedures.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offer and user-friendliness.
  • Information technology infrastructure.
  • Assertion of legal claims and defence in legal disputes.
  • Business processes and economic procedures.
  • Application procedure.
  • Establishment and execution of the employment relationship.

Relevant legal bases

Relevant legal bases according to the Swiss Data Protection Act: If you are in Switzerland, we process your data on the basis of the Federal Data Protection Act (hereinafter "Swiss DPA"). Unlike the GDPR, the Swiss DPA does not generally require that a legal basis for the processing of personal data be specified and the processing of personal data is carried out in good faith, lawfully, proportionately, transparently and the personal data is accurate and up to date. In addition, personal data may only be processed for the purpose that is recognisable to the data subject at the time of collection or that is provided for by law (Art. 6 para. 3 and 4 Swiss DPA).

Relevant legal bases according to the GDPR: The following is an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
  • Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR) - If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants within the scope of the application procedure so that the controller or the data subject can exercise the rights arising from labour law and the law on social security and social protection and fulfil its obligations in this regard, the processing of such data is carried out in accordance with Art. 9 para. 2 lit. b) GDPR, in the case of the protection of vital interests of the applicants or other persons in accordance with Art. 9 para. 2 lit. c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Art. 9 para. 2 lit. h) GDPR. In the case of a communication or publication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 para. 2 lit. a) GDPR.

National data protection regulations in Switzerland: In addition to the data protection provisions of the Swiss DPA, national data protection provisions in Switzerland apply. This includes in particular the Ordinance on Data Protection (DPO). The DPO specifies the Swiss DPA in more detail and contains provisions on the processing of personal data, the rights of data subjects and the obligations of data controllers.

Safety measures

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, entry of, disclosure of, ensuring the availability of and segregation of the data. We also have procedures in place to ensure the exercise of data subjects' rights, the deletion of data and responses to data compromise. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transferred between the website or app and the user's browser (or between two servers), which prevents unauthorised access to the data. TLS, as the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.

Transmission of personal data

As part of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organisational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

International data transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is only done in accordance with the legal requirements.

Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en).

Swiss DPA - Data transfer abroad: In accordance with the Swiss DPA, we only transfer personal data abroad if an adequate level of protection is guaranteed (Art. 16 Swiss DPA). If the Federal Council has not determined that adequate protection exists (list: https://www.bj.admin.ch/bj/en/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative safeguards. These may include international treaties, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the FDPIC, as well as prior approval by the FDPIC. In some cases, we may be authorised to transfer data abroad on the basis of exceptions, in particular in the case of legal proceedings, overriding public interests, for the performance of a contract with the data subject, with the consent of the data subject or for the protection of the life or physical integrity of a person (Art. 17 Swiss DPA, Art. 16 para. 2 Swiss DPA).

Rights of the data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right of withdrawal for consent: You have the right to withdraw any consent you have given at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not data in question is being processed and to information about this data as well as further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: You have the right, in accordance with the law, to request that data concerning you be completed or that inaccurate data concerning you be rectified.
  • Right to erasure and restriction of processing: You have the right, in accordance with the statutory provisions, to demand that data relating to you be deleted immediately or, alternatively, to demand that processing of the data be restricted in accordance with the statutory provisions.
  • Right to data portability: You have the right to receive data relating to you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements, or to request that it be transferred to another controller.
  • Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Data protection rights under the Swiss Data Protection Act: Under Swiss data protection law, you have the following rights:

  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary for you to exercise your rights under this Act and to ensure transparent data processing.
  • Right to data portability: You have the right to request that we provide you with personal data that you have disclosed to us in a commonly used electronic format.
  • Right to rectification: You have the right to request that inaccurate personal data concerning you be rectified.
  • Right to object, erasure and destruction: You have the right to object to the processing of your data and to demand that personal data concerning you be deleted or destroyed.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consent is withdrawn or no further legal basis for processing exists. This applies to cases in which the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal proceedings or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information on data storage and deletion that applies specifically to certain processing activities.

If there are multiple specified retention periods or deletion deadlines for a particular date, the longest period always applies. Data that is no longer needed for the originally intended purpose, but is retained due to legal requirements or other reasons, is processed by us exclusively for the reasons that justify its retention.

Data Retention and Deletion

The following general retention periods apply under Swiss law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).
  • 10 years – Data necessary for considering potential claims for damages or similar contractual claims and rights, as well as for processing related inquiries, based on past business experience and standard industry practices, will be stored for the statutory limitation period of ten years, unless a shorter period of five years applies in certain cases (Art. 127, 130 CO). Claims for rent, lease payments, and interest on capital, as well as other periodic payments, for the delivery of food, for meals, and for innkeepers' debts, and for skilled trades work, retail sales of goods, medical care, professional services provided by lawyers, legal agents, procurators, and notaries, and from the employment relationship of employees, become statute-barred after five years (Art. 128 of the Swiss Code of Obligations).

The limitation period begins at the end of the year: If a limitation period does not expressly begin on a specific date and is at least one year long, it starts automatically at the end of the calendar year in which the event triggering the limitation period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the limitation period is the effective date of termination or other dissolution of the legal relationship.

Review and compliance with deletion periods: Compliance with legal and internal requirements regarding the deletion of personal data is regularly reviewed. It is ensured that all personal data that is no longer needed or whose retention period has expired is deleted in accordance with the relevant data protection regulations or, in the case of archiving and retention obligations, that processing is restricted to these purposes. These checks of the deletion requirements and compliance with the established deletion periods take place regularly, at least annually. The results of the check are documented and evaluated by the person(s) responsible for the deletion review. If deviations are identified, corrective measures are initiated immediately, and the effectiveness of these measures is evaluated in subsequent reviews to ensure ongoing compliance.

Business services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g. to answer enquiries.

We process this data in order to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of the administrative tasks associated with these obligations and the company organisation. Furthermore, we process the data on the basis of our legitimate interests in proper and business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other ancillary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfil legal obligations. Contractual partners are informed about further forms of processing, e.g. for marketing purposes, within the scope of this privacy policy.

We inform the contractual partners which data is required for the aforementioned purposes before or in the course of data collection, e.g. in online forms, by means of special labelling (e.g. colours) or symbols (e.g. asterisks or similar), or in person.

We delete the data after expiry of statutory warranty and comparable obligations, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons. The statutory retention period for documents relevant under tax law as well as for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions required to understand these documents and other organisational documents is ten years.

  • Types of data processed: Inventory data; Payment data; Contact details; Contract data; Usage data; Meta, communication and process data; Creditworthiness data; Social data; Image and/or video recordings; Sound recordings; Performance and behaviour data.
  • Data subjects: Customers; Interested parties; Business and contractual partners; Pupils/students/participants.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Communication; Office and organisational procedures; Organisational and administrative procedures; Business processes and economic procedures; Assertion of legal claims and defence in legal disputes; Safety measures.
  • Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

  • Customer account: Contractual partners can create an account within our online offer (e.g. customer or user account, "customer account" for short). If registration of a customer account is required, contractual partners will be informed of this as well as of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process and subsequent logins and use of the customer account, we store the IP addresses of the customers together with the access times in order to be able to prove the registration and prevent any misuse of the customer account. If customers have cancelled their customer account, the data relating to the customer account will be deleted, subject to its retention being required for legal reasons. It is the responsibility of the customers to back up their data when their customer account is cancelled; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Coaching services: We process the data of our customers and interested parties and other clients or contractual partners (uniformly referred to as "customers") in order to enable them to use our services. The data processed, the type, scope and purpose and the necessity of its processing are determined by the underlying contractual and business relationship; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Consulting services: We process the data of our customers, clients and interested parties (uniformly referred to as "customers") in order to provide them with our consulting services. The data processed, the type, scope, purpose and necessity of its processing are determined by the underlying contractual and business relationship. We act as data processors or subcontractors, e.g. within the scope of outsourced tasks, as well as on our own responsibility, e.g. for sales, marketing or public relations purposes, where we comply with the requirements of data protection law and in particular conclude appropriate contracts or agreements with our clients that serve to protect data; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Offer of software and platform services: We process the data of our users, registered and any test users (hereinafter uniformly referred to as "users") in order to be able to provide them with our contractual services and on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required details are identified as such in the context of the order, purchase order or comparable contract conclusion and include the details required for the provision of services and invoicing as well as contact information in order to be able to hold any consultations; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Educational and training services: We process the data of participants in our educational and training programmes (uniformly referred to as "trainees") in order to provide them with our training services. The data processed, the type, scope, purpose and necessity of its processing are determined by the underlying contractual and business relationship. Forms of processing also include performance assessment and evaluation of our services and the instructors' teachings. As part of our activities, we may also process special categories of data, in particular information on the health of trainees and students, as well as data revealing ethnic origin, political opinions, religious or ideological convictions. To this end, we obtain the express consent of the trainees if necessary and otherwise process the special categories of data only if it is necessary for the provision of training services, for the purposes of health care, social protection or the protection of vital interests of the trainees; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Technical services: We process the data of our customers and clients (hereinafter uniformly referred to as "customers") in order to enable them to select, purchase or commission the selected services or works and related activities as well as their payment and delivery or execution or provision. The required details are identified as such in the context of the order, purchase or comparable contract conclusion and include the details required for delivery and invoicing as well as contact information in order to be able to hold any consultations; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Artistic and literary services: We process the data of our clients in order to enable them to select, purchase or commission the selected services, works and associated activities as well as their payment and delivery or execution or provision. The required details are identified as such within the scope of the order and include the details required for the provision of services and invoicing as well as contact information in order to be able to hold any consultations; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Project and development services: We process the data of our customers and clients (hereinafter uniformly referred to as "customers") in order to enable them to select, purchase or commission the selected services, works and related activities as well as their payment and delivery or execution or provision. The required details are identified as such in the context of the order, purchase or comparable contract conclusion and include the details required for the provision of services and invoicing as well as contact information in order to be able to hold any consultations. Insofar as access to the customers' facilities, facilities or technical infrastructures is necessary for the purposes of fulfilment, we comply with the corresponding customers' requirements; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Business processes and procedures

We process data of our business and contractual partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the framework of contractual and comparable legal relationships as well as related measures and within the framework of communication with contractual partners (or pre-contractual), e.g. to answer enquiries. We process this data in order to fulfil our contractual obligations and in order to safeguard our rights and for the purposes of the administrative tasks associated with this information as well as for corporate organisation. We only disclose the data of the contractual partners to third parties within the framework of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the persons concerned.

  • Types of data processed: Inventory data; Payment data; Contact details; Contract data; Usage data; Meta, communication and process data; Image and/or video recordings.
  • Data subjects: Customers; Interested parties; Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Office and organisational procedures; Business processes and economic procedures; Assertion of legal claims and defence in legal disputes.
  • Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Payment procedure

Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other banks and credit institutions as well as other payment service providers for this purpose (collectively "payment service providers").

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming (accepting) or rejecting the payment. Under certain circumstances, the payment service providers may transmit the data to credit agencies. The purpose of this transmission is to check identity and creditworthiness. Please refer to the general terms and conditions and the data protection information of the payment service providers.

The terms and conditions and data protection notices of the respective payment service providers apply to the payment transactions and can be accessed on the respective websites or transaction applications. We also refer to these for further information and the assertion of rights of revocation, information and other rights of data subjects.

  • Types of data processed: Inventory data; Payment data; Contract data; Usage data; Meta, communication and process data; Contact details.
  • Data subjects: Customers; Interested parties.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations.
  • Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing procedures, methods and services:

Provision of the online offer and web hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data; Meta, communication and process data; Protocol data; Content data.
  • Data subjects: Users.
  • Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure; Safety measures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

  • Cloudflare Turnstile (protection against spam and automated access): To protect our input forms – in particular the media library unlock and the newsletter registration – against bots and automated misuse, we use the "Turnstile" service provided by Cloudflare, Inc. In doing so, technical information (in particular the IP address as well as details about the browser/device and interaction behaviour) is transmitted to Cloudflare and evaluated there in order to distinguish human users from automated access; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.cloudflare.com/; Privacy policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: A data processing agreement has been concluded with the provider. Basis for third-country transfers: Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework.
  • Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, the referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the utilisation and stability of the servers; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymised. Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident has been finally resolved.
  • E-mail sending and hosting: The web hosting services we use also include the sending, receiving and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as further information relating to the sending of e-mails (e.g. the providers involved) and the content of the respective e-mails are processed. The aforementioned data may also be processed for the purposes of SPAM detection. Please note that e-mails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted in transit, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of e-mails between the sender and reception on our server; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Supabase (database and backend infrastructure): To operate certain functions of our online offer, we use the database and backend infrastructure of Supabase, on which the data described in this privacy policy is stored – in particular the e-mail address provided for access to the media library, details of partners and references, the enquiries submitted via our forms, and the profile data stored in the freelancer pool together with the CVs uploaded there (file storage/Supabase Storage). The data is stored on servers within the EU (Frankfurt am Main, Germany, and Ireland). The respective legal basis for the stored data results from the individual sections of this privacy policy; Service provider: Supabase Pte. Ltd, 65 Chulia Street #38-02/03, OCBC Centre, Singapore 049513; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://supabase.com/; Privacy policy: https://supabase.com/privacy; Data Processing Agreement: A data processing agreement has been concluded with the provider. Standard Contractual Clauses (Ensuring the level of data protection for processing in third countries): https://supabase.com/legal/dpa.
  • GitHub (source code management, deployment and backup execution): We manage the source code of our online offer at GitHub; the "GitHub Actions" automation is also used to build and publish the website and to run the regular automated backup of our data. As part of the backup, an export of our database – which also contains personal data (including the e-mail addresses provided for media library access and the profile data stored in the freelancer pool together with the uploaded CVs) – is temporarily processed in GitHub's execution environment ("runner") before being transferred to our backup storage in encrypted form. Personal data is not permanently stored at GitHub; Service provider: GitHub, Inc. (a company of the Microsoft group), 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://github.com/; Privacy policy: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement; Data Processing Agreement: A data processing agreement has been concluded with the provider. Basis for third-country transfers: Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework (DPF).
  • Cloudflare R2 (backup storage): The regular backups of our database and the uploaded files – including the personal data contained therein – are stored in the "R2" object storage of Cloudflare, Inc. The transfer takes place via an encrypted connection; the storage serves exclusively for data backup and restoration in the event of an error; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.cloudflare.com/; Privacy policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: A data processing agreement has been concluded with the provider. Basis for third-country transfers: Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework.

Use of cookies

The term "cookies" refers to functions that store information on users' devices and read information from them. Cookies can also be used for different purposes, e.g. for the purposes of the functionality, security and convenience of online offers as well as the creation of analyses of visitor flows. We use cookies in accordance with the legal requirements. Where necessary, we obtain the prior consent of users. If consent is not required, we rely on our legitimate interests. This applies if the storage and reading of information is essential to provide explicitly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our offer. Consent can be revoked at any time. We clearly inform about the scope of the consent and which cookies are used.

Notes on data protection legal bases: Whether we process personal data using cookies depends on whether consent is involved. If consent applies, the legal basis for processing your data is your declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g. in the business operation of our online offer and improving its usability) or, if this is done in the context of the fulfilment of our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We explain the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his or her end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the terminal device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user revisits a website. The data collected by cookies can also be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.

General information on revocation and objection (so-called "opt-out"): Users can revoke the consent they have given at any time and object to the processing in accordance with the legal requirements, including by using the privacy settings of their browser.

  • Types of data processed: Meta, communication and process data.
  • Data subjects: Users.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

  • Self-operated consent management (cookie banner): Consents are obtained and managed via a solution operated by us; no third-party providers are used for this purpose. The users' selection (including the cookie categories consented to as well as the time and version of the consent) is stored exclusively locally in the browser's storage (localStorage) on the users' device and is not transmitted to our servers. Consent can be withdrawn or adjusted at any time via the cookie settings; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Blogs and publication media

We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). Readers' data is only processed for the purposes of the publication medium to the extent necessary for its presentation and communication between authors and readers or for security reasons. For the rest, we refer to the information on the processing of visitors to our publication medium within the scope of this privacy policy.

  • Types of data processed: Inventory data; Contact details; Content data; Usage data; Meta, communication and process data.
  • Data subjects: Users.
  • Purposes of processing: Feedback; Provision of our online offer and user-friendliness; Safety measures; Organisational and administrative procedures; Communication.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact and enquiry management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the enquiring persons is processed to the extent necessary to respond to the contact requests and any measures requested.

  • Types of data processed: Inventory data; Contact details; Content data; Usage data; Meta, communication and process data.
  • Data subjects: Communication partner.
  • Purposes of processing: Communication; Organisational and administrative procedures; Feedback; Provision of our online offer and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing procedures, methods and services:

  • Contact form: When users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Registration and provision of media library content

In our media library, we provide content (e.g. checklists, guides, templates and videos). Access to this content is reserved for our newsletter subscribers: by subscribing to our newsletter, you simultaneously unlock free access to all subscription-protected media library content. Excluded from this are freely accessible content items (e.g. case studies), which can be accessed without registration and without providing an e-mail address.

Unlocking and matching of the e-mail address: To unlock access, you provide your e-mail address. We check whether it is already registered for our newsletter; for this purpose we match the address against our local records and against the recipient list held by our newsletter service provider Brevo. If the address is already registered, access is unlocked immediately; otherwise we guide you through the newsletter registration.

Double opt-in procedure: After registration, you receive an e-mail containing a confirmation link. Your registration only becomes effective – and access to the media library is only unlocked – after the link has been clicked. This procedure ensures that nobody can register using other people's e-mail addresses and serves as proof of consent.

The provision of the subscription-protected media library content takes place as part of the newsletter subscription on the basis of your consent (see section "Newsletter and electronic notifications"). You can withdraw this consent at any time with effect for the future, e.g. via the unsubscribe link in every newsletter e-mail; withdrawal also ends access to the subscription-protected media library content. The data is technically stored by our database service provider Supabase (see section "Provision of the online offer and web hosting"); to send and manage the newsletter, the e-mail address is transmitted to Brevo (see section "Newsletter and electronic notifications"). To protect the input forms against automated misuse, we use Cloudflare Turnstile (see section "Provision of the online offer and web hosting").

  • Types of data processed: Contact details; Usage data; Meta, communication and process data.
  • Data subjects: Users; Interested parties.
  • Purposes of processing: Provision of our online offer and user-friendliness; Communication; Provision of contractual services and fulfilment of contractual obligations.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Toolfinder – enquiry and comparison of HR tools

Via our "HR-Toolfinder" (edl-consulting.com/hr-toolfinder), users can use a form to request a comparison or recommendation of HR tools tailored to their situation. We process the data provided in this form in order to provide the requested service and to contact the users in this context. The processing of the information required for this purpose is carried out at the request of the users in order to take pre-contractual steps. Data is deleted as soon as it is no longer required for the stated purposes or after the withdrawal of any consent given.

  • Types of data processed: Inventory data (e.g. full name); Contact details (e.g. e-mail address, telephone number); Content data and information on the company and HR situation (e.g. company, job title, HR systems currently in use, number of employees); Meta, communication and process data.
  • Data subjects: Interested parties; Users.
  • Purposes of processing: Provision of the requested service (tool comparison); Communication and contact; Organisational and administrative procedures.
  • Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Freelancer pool – registration and placement

Via the form "Join our freelancer pool" (edl-consulting.com/freelancer-anmeldung), freelancers can register in our freelancer database so that we can consider them for and place them on suitable projects or mandates. Registration and inclusion in the pool take place on the basis of the explicit consent of the data subject, which can be withdrawn at any time with effect for the future.

Types of data processed: Inventory data (first and last name); Contact details (e-mail address, telephone number, LinkedIn profile); Location data (city, postal code, country and the geocoordinates derived from these for the radius search); Job-related data (language skills, skills and proficiency levels, experience with HR software, working-model preferences, hourly rate, available capacity, voluntary remarks); CV (PDF document, which may contain further personal data); Meta and process data (e.g. time of consent as well as creation and update timestamps).

Data subjects: Freelancers / self-employed persons who register in the pool.

Purposes of processing: Building and maintaining a freelancer database; searching for and selecting suitable freelancers for projects/mandates; contact and placement; reminders to update the information. Selection is carried out manually by us; automated decision-making within the meaning of Art. 22 GDPR does not take place.

Recipients / disclosure to clients: As part of the placement, we may pass on selected profile data, including the CV, to potential clients. As a rule, such disclosure only takes place after prior consultation with the data subject in the individual case. Legally, the disclosure is based on the consent explicitly given upon inclusion in the pool, which expressly covers the disclosure of selected profile data, including the CV, to potential clients for the purpose of placement.

Service providers used (processors):

  • Supabase (database and file storage): Storage of the database entries and the uploaded CVs (storage). The data is stored on servers within the EU (Frankfurt am Main, Germany). Further details in the section "Provision of the online offer and web hosting".
  • Resend (e-mail dispatch): Sending the confirmation, status and reminder e-mails to freelancers as well as the notification to us about new entries. Service provider: Resend, Inc., USA; Website: https://resend.com/; Privacy policy: https://resend.com/legal/privacy-policy; Basis for third-country transfer: Standard Contractual Clauses (Art. 46 para. 2 lit. c) GDPR).

Self-management of data: Freelancers receive a personal edit link via which they can view, update, confirm as still current, or completely delete their entry at any time.

Retention and deletion: The data is stored until consent is withdrawn or until deletion. There is no automatic deletion; deletion is carried out either by the data subject themselves via the edit link or by us. To keep the information up to date, freelancers receive a reminder every six months to review and confirm or update their details.

Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR; Art. 31 Swiss FADP). Insofar as the placement serves the initiation or performance of a contract, additionally contract performance and pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Customer testimonials and references

On our websites, we publish customer testimonials and references. This may include the name, professional role (job title) and a photo of the respective person. Publication is based on the consent of the data subjects, which can be withdrawn at any time with effect for the future. After withdrawal, or once the data is no longer required for the purpose, it is deleted.

  • Types of data processed: Inventory data (e.g. full name); Content data (e.g. statement, professional role); Image and/or video recordings (e.g. photographs of a person).
  • Data subjects: Customers; Business and contractual partners; Persons depicted.
  • Purposes of processing: Public relations; Marketing; Provision of our online offer and user-friendliness.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Video conferences, online meetings, webinars and screen sharing

We use platforms and applications of other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conference"). When selecting the conference platforms and their services, we comply with the legal requirements.

Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of the participants listed below. The extent of the processing depends on the extent of the data required for participation in a conference (e.g. specification of access data or real names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, participants' data may also be processed by the conference platforms for security purposes or service optimisation. The processed data includes personal data (first name, surname), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on the professional position/function, the IP address of the Internet access, information on the end devices of the participants, their operating system, the browser and its technical and linguistic settings, information on the content-related communication processes, i.e. entries in chats and audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users on the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recording: If text entries, participation results (e.g. from surveys) as well as video or audio recordings are recorded, this will be communicated to the participants in advance and they will be asked – if necessary – for their consent.

Data protection measures of participants: Please refer to the data protection information of the conference platforms for details on the processing of your data and select the optimum security and data protection settings for you within the scope of the settings of the conference platforms. Please also ensure data and background protection for the duration of a conference (e.g. by notifying housemates, locking doors and using the background masking function of the software, if available). Links to the conference rooms and access data should not be passed on to unauthorised third parties.

Notes on legal bases: Insofar as we process the data of users in addition to the conference platforms and ask the users for their consent for the use of the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary for the fulfilment of our contractual obligations (e.g. in participant lists, in the case of processing of conversation results, etc.). In all other respects, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: Inventory data; Contact details; Content data; Usage data; Meta, communication and process data; Protocol data; Image and/or video recordings; Sound recordings.
  • Data subjects: Communication partner; Users; Pupils/students/participants.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Communication; Office and organisational procedures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

Cloud services

We use software services accessible via the Internet and running on the servers of their providers (so-called "cloud services", also referred to as "Software as a Service") for document and file management, calendaring, e-mail delivery, spreadsheets and presentations, sharing documents, content and information with specific recipients or publishing web pages, forms or other content and information, as well as chats and participation in audio and video conferences.

Within this framework, personal data may be processed and stored on the servers of the providers insofar as this is part of the communication processes with us or is otherwise documented by us in accordance with the provisions of this privacy policy. This data may include, in particular, master data and contact data of users, data on processes, contracts, other proceedings and their content. The cloud service providers also process usage data and metadata that they use for security purposes and service optimisation.

If we use cloud services to provide forms or other documents and content to other users or publicly accessible websites, the providers may store cookies on the users' devices for the purpose of web analysis or to remember the users' settings (e.g. in the case of media control).

  • Types of data processed: Inventory data; Contact details; Content data; Usage data; Meta, communication and process data; Protocol data.
  • Data subjects: Customers; Employees; Interested parties; Communication partner.
  • Purposes of processing: Office and organisational procedures; Information technology infrastructure; Provision of contractual services and fulfilment of contractual obligations.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

Newsletter and electronic notifications

We send newsletters, e-mails and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described in the context of registration, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletter, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of addressing you personally in the newsletter, or further details, if these are required for the purposes of the newsletter.

Double opt-in procedure: Registration for our newsletter is generally carried out in a so-called double opt-in procedure. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that nobody can register with other people's e-mail addresses. Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored with the dispatch service provider are also logged.

Deletion and restriction of processing: We may store unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove consent previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blocklist solely for this purpose.

The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving that it has been carried out properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

Content: Information about us, our services, promotions and offers.

  • Types of data processed: Inventory data; Contact details; Meta, communication and process data; Usage data.
  • Data subjects: Communication partner; Users; Subscribers.
  • Purposes of processing: Direct marketing; Provision of our online offer and user-friendliness.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Option to unsubscribe: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably e-mail, for this purpose.

Further information on processing procedures, methods and services:

  • Measurement of opening and click rates: The newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter on the basis of the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined with the help of the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations serve us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of open rates and click rates as well as the storage of the measurement results in the profiles of the users and their further processing are carried out on the basis of the consent of the users. Unfortunately, a separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information will be deleted; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Brevo: E-mail marketing platform; Service provider: Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.brevo.com/de; Privacy policy: https://www.brevo.com/de/legal/privacypolicy/; Data Processing Agreement: https://www.brevo.com/de/legal/termsofuse/#702f7137-7e01-4c30-9009-29a6e325e792.

Advertising communication via e-mail, post, fax or telephone

We process personal data for the purposes of advertising communication, which can take place via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.

The recipients have the right to revoke their consent at any time or to object to the advertising communication at any time.

After revocation or objection, we may store the data required to prove consent for up to three years on the basis of our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.

  • Types of data processed: Inventory data; Contact details.
  • Data subjects: Communication partner.
  • Purposes of processing: Direct marketing; Marketing.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web analysis, monitoring and optimisation

Web analysis (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offer and may include the behaviour, interests or demographic information of visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online offer or its functions or content are most frequently used or invite re-use. We can also understand which areas require optimisation.

In addition to web analysis, we may also use testing procedures, e.g. to test and optimise different versions of our online offer or its components.

Unless otherwise stated below, profiles, i.e. data summarised for a usage process, may be created for these purposes and information may be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, location data may also be processed.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored in the context of web analysis, A/B testing and optimisation, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

  • Types of data processed: Usage data; Meta, communication and process data; Protocol data.
  • Data subjects: Users.
  • Purposes of processing: Range measurement; Profiles with user-related information.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

Customer reviews and evaluation process

We participate in review and rating processes in order to evaluate, optimise and promote our services. If users rate us or otherwise provide feedback via the participating rating platforms or procedures, the general terms and conditions of business or use and the data protection information of the providers also apply. As a rule, the rating also requires registration with the respective provider.

In order to ensure that the persons rating are actually using our services, we transmit the data required for this purpose to the respective rating platform with regard to the customer and the service used, with the consent of the customer. This data is used solely to verify the authenticity of the user.

  • Types of data processed: Contract data; Usage data; Meta, communication and process data.
  • Data subjects: Customers; Users.
  • Purposes of processing: Feedback; Marketing.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

Presence in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may entail risks for users because, for example, it could make it more difficult to enforce users' rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of users. The usage profiles can in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behaviour and interests of the users are stored. Furthermore, data may also be stored in the usage profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the options to object (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need help, please do not hesitate to contact us.

  • Types of data processed: Contact details; Content data; Usage data; Meta, communication and process data.
  • Data subjects: Users.
  • Purposes of processing: Communication; Feedback; Marketing.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required for the display of this content or functions. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our online offer, as well as being linked to such information from other sources.

  • Types of data processed: Usage data; Meta, communication and process data; Inventory data; Contact details; Content data; Protocol data.
  • Data subjects: Users.
  • Purposes of processing: Provision of our online offer and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

  • Google Forms: Online forms; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.de/intl/de/forms; Privacy policy: https://policies.google.com/privacy; Data Processing Agreement: https://workspace.google.com/terms/dpa_terms.html.
  • YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Opt-Out: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of advertising: https://adssettings.google.com/authenticated.
  • YouTube videos (via privacy-enhanced embedding): We embed YouTube videos on our website. The associated plug-ins establish a connection to YouTube/Google only when you actively visit pages with a YouTube video. We use the "extended data protection mode", which according to the provider ensures that YouTube does not initially store any cookies on your device. However, when the affected pages are accessed, the YouTube video player, the YouTube logo and the URL are loaded, and the YouTube API is also loaded. Your IP address is transmitted to YouTube. This transmission takes place regardless of whether YouTube provides a user account that you are logged in to or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish this assignment with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy.

Management, organisation and support tools

We use services, platforms and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organising, managing, planning and providing our services. When selecting third-party providers and their services, we comply with the legal requirements.

Within this framework, personal data may be processed and stored on the servers of the third-party providers. This may include various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of users, data on processes, contracts, other procedures and their content.

If users are referred to the third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata that can be processed by them for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.

  • Types of data processed: Content data; Usage data; Meta, communication and process data; Contact details; Inventory data; Contract data.
  • Data subjects: Communication partner; Users; Business and contractual partners; Pupils/students/participants; Customers; Employees; Interested parties.
  • Purposes of processing: Office and organisational procedures; Information technology infrastructure; Provision of contractual services and fulfilment of contractual obligations; Business processes and economic procedures; Communication.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing procedures, methods and services:

Processing of data in the context of employment relationships

In the context of the employment relationship, we process personal data of employees and other persons in an employment relationship (collectively "employees" or "employment relationship") in order to establish, implement, manage and terminate the employment relationship. To this end, we process personal data that is necessary for the justification, performance, fulfilment and termination of the employment relationship and for the organisation of the company, work and social partnership.

In doing so, we comply with the legal requirements for the processing of employees' personal data, which are regulated in Art. 88 GDPR in conjunction with national provisions.

The processing of employees' data may include establishing and terminating the employment relationship, payroll, work organisation and scheduling, personnel management and development, health and safety at work, data protection, exercising the right to manage the company and ensuring order in the business, using IT systems and communication tools, social benefits and other contractual obligations, as well as compliance with legal obligations and the assertion of rights arising from the employment relationship.

We only disclose the personal data of employees to third parties in accordance with the legal requirements, which include the legitimate interests of the employees. In doing so, we comply with the applicable data protection regulations and ensure that the employees' data is protected.

  • Types of data processed: Employee data; Inventory data; Payment data; Contact details; Content data; Contract data; Meta, communication and process data; Social data; Image and/or video recordings; Sound recordings; Performance and behaviour data; Working time data; Salary data.
  • Special categories of data: Health data; Religious or ideological beliefs; Trade union membership; Data on sexual orientation.
  • Data subjects: Employees.
  • Purposes of processing: Establishment and execution of the employment relationship; Office and organisational procedures; Organisational and administrative procedures; Safety measures; Assertion of legal claims and defence in legal disputes; Communication; Provision of contractual services and fulfilment of contractual obligations; Business processes and economic procedures.
  • Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR).

Application procedure

The application procedure requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description, or in the case of online forms, in the information contained therein, or otherwise in the context of the application process, the required information includes personal details such as name, address, a contact option and proof of the qualifications required for the position being applied for. In addition, applicants may voluntarily provide us with additional information.

By submitting an application to us, applicants consent to the processing of their data for the purposes of the application procedure in accordance with the type and scope set out in this privacy policy. If special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily provided in the course of the application procedure, they are additionally processed in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status, or ethnic origin).

Insofar as this is provided for in the context of the application procedure, applicants may submit their applications to us by means of an online form. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore not accept any responsibility for the transmission path of the application between the sender and the receipt on our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management software, platforms and services from third-party providers in compliance with the legal requirements. Applicants may contact us regarding the processing method or submit their applications directly to us.

If an application is successful, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicant, the data will be deleted after a period of 6 months at the latest so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

Talent pool

As part of the application process, we offer applicants the opportunity to be included in our "talent pool" for a period of two years on the basis of consent. The profiles in the talent pool are processed exclusively in the context of future vacancies and the search for applicants. Applicants are free to dissolve their inclusion at any time. In this case, the profiles are removed from the talent pool, subject to legal reasons for retention. In all other respects, the provisions applicable to applications within the scope of this privacy policy apply.

  • Types of data processed: Applicant data; Usage data; Meta, communication and process data.
  • Data subjects: Applicants.
  • Purposes of processing: Application procedure.
  • Legal bases: Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing procedures, methods and services:

Your Privacy, Your Choice

We use cookies to give you the best possible experience and to understand how our website is used. Necessary cookies are always active. Privacy Policy