With the following we wish to inform you about how we process your personal data and the claims and rights to which you are entitled under the data protection regulations. This privacy policy explains to you the nature, scope and purpose of the processing of personal data within our website (hereinafter referred to as “website”). This privacy policy applies regardless of the domains and devices used (e.g. desktop, mobile, etc.). Personal data are all data that are personally identifiable to you, e.g. name, address, e-mail addresses, user behavior. Which data is processed in detail and how it is used depends largely on the services used.

In our data protection declaration we use various other terms in the sense of the GDPR. These include terms such as processing, restriction of processing, profiling, pseudonymization, responsible party, order processor, recipient, third party, consent, supervisory authority and international organization. You will find appropriate definitions for these terms in Art. 4 GDPR.

1. Who is responsible for data processing and who can I turn to?

The responsible body is:

insglück Gesellschaft für Markeninszenierung mbH
Bülowstr. 66
10783 Berlin
+49 (0) 30 – 4000 68 60
+49 (0) 30 – 4000 68 99
info@insglueck.de

You can contact our Data Protection Officer at:

mip Consult GmbH
Rechtsanwalt Asmus Eggert
Alte Jakobstr. 77
10179 Berlin
Telefon +49 (0)30 20 88 999 0
datenschutz@insglueck.de
www.sofortdatenschutz.de

2. What sources and data do we use?

We process personal data that we receive from you as part of your use of our website and, if applicable, our business relationship.
For purely informational use of the website, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. When you visit our website, we collect the following access data, which are technically necessary for us to display our website to you and to ensure stability and security. The access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specifically accessed website), access status/HTTP status code, data volume transmitted in each case, referrer URL (previously visited page), browser type and version, operating system and its interface, language and version of the browser software, notification of successful retrieval.
Furthermore, we receive your personal data if you contact us via contact form or e-mail. In this case for instance, personal data consists of name, address, e-mail, telephone number, position, company (hereinafter referred to as “contact data”).

3. Why do we process your data (purpose of the processing) and on what legal basis do we do so?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) for the following purposes and on the basis of the following statutes:

Purpose

Legal basis

If you have given us your consent to the processing of personal data for certain purposes, in particular the establishment of contact (e.g. via our contact form or via e-mail for processing and handling the inquiry), the legality of this processing is given on the basis of your consent. Consent may be revoked at any time. Please note that the revocation will only take effect for the future. Processing that took place before the revocation is not affected by this. Processing that occurs prior to the revocation are not affected by the revocation. The revocation can be made to the contact data given above.

Consent, Art. 6 Sec. 1a GDPR

When contacting us (via contact form or e-mail), your details will be processed in addition to any consent given for processing the contact enquiry and its processing, also on the basis of the implementation of pre-contractual measures, Art. 6 Sec. 1b GDPR.

We use Salesforce from salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany, as our customer management system in order to be able to process enquiries from interested parties quickly and efficiently. For more information, see Salesforce’s Privacy Statement: https://www.salesforce.com/de/company/privacy/.

Execution of pre-contractual measures upon request of the person, Art. 6 Sec. 1b GDPR, in the context of weighing up interests in order to safeguard legitimate interests, Art. 6 Sec. 1f GDPR

When contacting us in connection with your application for employment or a freelance position, we process your data to assess your suitability for the position (or any other open position in our company) or project and to complete the application process. Your application data will be reviewed by the personnel department upon receipt of your application. Suitable applications will then be forwarded internally to the department managers responsible for the respective open position or project. There, a decision will be made on how to proceed. In the company only those persons have access to your data who need it for the proper course of our application procedure.
To support the application process, we use the personnel administration and applicant management software of Personio GmbH, Buttermelcherstr. 16, 80469 Munich. The Personio GmbH Privacy Declaration is available at
https://insglueck-jobs.personio.de/privacy-policy?language=de

We process your access data (see above under point 2) to protect our legitimate interests or those of third parties. In particular, we pursue the following legitimate interests:

  • Ensuring IT security, in particular that of the website;
  • Advertising or market research and opinion polling, to the extent that you have not objected to the use of your data;
  • Assertion of legal claims and defense in legal disputes;

In the context of weighing up interests in order to safeguard legitimate interests, Art. 6 Sec. 1f GDPR

4. Who receives my data?

Within the company, those departments will have access to your data that they require to fulfil our contractual and legal obligations.
Processors used by us (Art. 28 GDPR) may also receive data for the above-mentioned purposes. These are companies in the categories IT services, logistics, printing services, telecommunications, consulting and sales and marketing. If we use contract processors to provide our services, we take appropriate legal precautions as well as appropriate technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal regulations.
Data will only be passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if this is necessary, e.g. on the basis of Art. 6 Sec. 1 lit. b. GDPR for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 Sec. 1 lit. f. GDPR to an economic and effective operation of our business or you have consented to the data transfer. In the purely informational use of the website, we do not pass on any data to third parties.

5. How long will my data be stored?

For security reasons (e.g. to investigate misuse or fraud), log file information is stored for a maximum of 4 weeks and then deleted (see point 2 above). Data whose further storage is required for evidentiary purposes are excluded from deletion until the respective incident has been ultimately clarified.
If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and processing of a contract with a contact form or by e-mail.

Applicant data for internal positions will be deleted after 6 months in case of rejection. In the event that you have agreed to further storage of your personal data, we will transfer your data to our applicant pool. There, the data will be deleted if you revoke your consent or at the latest after 5 years. If we fill the advertised position with you, your data will be stored in our personnel management system. We store data of applicants for freelance activity beyond the end of the first activity on the basis of our legitimate interests in a repeated assignment. This data will be deleted at the latest 5 years after the last assignment.

In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB) and the Tax Code (AO). The periods for storage and documentation specified there range from two to ten years.

In the end, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 ff. of the German Civil Code (BGB) may as a rule be 3 years, but in certain cases also up to thirty years, whereby the regular statute of limitations is 3 years.

6. Will data be transferred to a third country or an international organization?

The data provided will be processed within the European Union and in the USA. Please note that for recipients of your data in countries without a adequacy resolution verified by the Commission under Article 45 GDPR, as is the case with the US, we either ensure that they are certified under the EU-US Privacy Shield (such as Google, MailChimp, Salesforce, Facebook) or have agreed EU standard data protection clauses with these recipients. This is in order to protect your data and to achieve an appropriate level of protection for your personal data. You have the option of obtaining or viewing copies of the EU standard data protection clauses. If required, please contact us using the contact details given above under point 1.

7. What data protection rights do I have?

Every person effected has the right to
• Information as per Art. 15 GDPR,
• Rectification as per Art. 16 GDPR,
• Deletion as per Art. 17 GDPR,
• Restriction of the processing as per Art. 18 GDPR as well as
• Data portability from Art. 20 GDPR.

Furthermore, you may revoke consent, effective for the future.
Beyond that, there is a right to appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
In addition, we would like to draw attention to your right to object as per Art. 21 GDPR:

Information about your right to object as per Art. 21 GDPR

You have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you under Article 6(1)(e) GDPR (Data Processing in the Public Interest) and Article 6(1)(f) of the General Data Protection Regulation (Data Processing on the basis of a balance of interests), including profiling based on this provision in terms of Article 4(4) GDPR, which we use for questionnaire evaluation or for promotional purposes.

If you object, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes.

The objection can be made form-free and there are no other costs than the transmission costs according to the basic tariffs.

If possible, the objection must be sent to:

insglück Gesellschaft für Markeninszenierung mbH
Bülowstr. 66
10783 Berlin

or via email to: datenschutz@insglueck.de

8. To what extent is there automatic decision making in individual cases, including profiling?

When accessing our website or contacting us by form or e-mail, we do not use fully automatic decision making as defined in Article 22 GDPR. Should we use these procedures in individual cases, we will inform you separately, insofar as this is required by law.
We do not process your data automatically with the aim of evaluating certain personal aspects (profiling).

9. Is there an obligation on my part to provide data?

Within the framework of our website, you must provide the personal data that is technically or for IT security reasons necessary for the use of our website. If you do not provide the above information, you may not use our website.
When contacting us by form or e-mail, you only need to provide the personal data required to process your request. Otherwise, we will not be able to process your request.

10. Cookies

Cookies are information that is transferred from our web server or third-party web servers to the user’s web browser and stored there for later retrieval. Cookies are small files or other types of information storage. Cookies are used for security purposes or are required to operate our website (e.g. for optimal presentation of the website on various end devices) or to save your decision when confirming our cookie banner.
We currently do not use “session cookies”, i.e. cookies that are only stored for the duration of the current visit to our website. In the following section we will inform you about the use of cookies in the context of website tracking.
If you do not want cookies to be stored on your computer, you can deactivate the corresponding option in the system settings of your browser. Stored cookies can be deleted in the system settings of the browser. Please note that the deactivation of cookies can lead to functional limitations of this website.
You may object to the use of cookies that serve the purpose of website tracking and advertising by means of the network advertising initiative http://optout.networkadvertising.org/ or the American website http://www.aboutads.info/choices or the European website http://www.youronlinechoices.com/uk/your-ad-choices/.

11. Google Analytics

Based on our legitimate interests, i.e. our interest in analyzing and optimizing our website, we use the web analysis service Google Analytics from Google Inc. “(“Google”). The web analysis service Google Analytics uses cookies. The information generated by this cookie about the use of our website is usually transferred to a Google server in the USA and stored there.

Google is certified under the EU-US Privacy Shield agreement, guaranteeing compliance with European data protection laws (https://www.privacyshield.gov).

Google will use this information on our behalf to evaluate the use of our website by our users, to compile reports on the activities within this website and to provide us with further services associated with the use of this website. Pseudonymous user profiles can be created from the processed data.

We use Google Analytics with IP anonymization enabled. This means that Google will reduce the IP address of users within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there.

The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the recording of cookies generated by the cookie and their transmission to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information on data processing by Google, options for settings and objections can be found on Google’s website at https://www.google.de

12. Newsletter

With the following we provide you with information about our newsletter as well as the registration, distribution and evaluation procedure and inform you about your rights of objection. If you subscribe to our newsletter, you agree to receive the newsletter and the described procedures.
Newsletter content: We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter referred to as “newsletter”) only on the basis of the recipient’s consent or legal permission. If we specifically describe individual newsletters within the scope of registration, this description is decisive for the consent of a newsletter purchaser. If there is no separate description, you will receive information about our products, offers and promotions as well as information about our company in our newsletters.
Double opt-in: The registration to our newsletter takes place in the so-called double opt-in procedure. In other words, after you register for the newsletter, we will send you an e-mail asking you to confirm your registration. This confirmation serves to ensure that only persons who have access to the e-mail address given will register for our newsletter. We log the registrations for the newsletter in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. The changes of your data stored with the newsletter service provider are also logged.
Our newsletter is distributed by means of MailChimp, a newsletter distribution platform from the Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The privacy policy of the newsletter service provider can be viewed here: https://mailchimp.com/legal/privacy/. MailChimp has been certified under the Privacy Shield Agreement and with this provides a guarantee for maintaining the European level of data protection (https://www.privacyshield.gov/).
According to its own information, the newsletter service provider uses the data in pseudonymous form, i.e. without allocation to a user, to optimize or improve its own services. However, the newsletter service provider does not use the data of our newsletter recipients to write to them or pass them on to third parties.
To register for the newsletter it is sufficient to enter your e-mail address. We do ask you to also provide a name so that we can address you personally in the newsletter.
The newsletters contain a so-called web beacon, i.e. a file the size of a pixel, which is retrieved from the server of the newsletter service provider when the newsletter is opened. Within the scope of this retrieval, technical information such as information about the browser and your system, as well as your IP address and time of retrieval are first collected. This information is used to technically improve the services on the basis of technical data or target groups and their reading behavior on the basis of their retrieval locations (which can be determined with the help of the IP address) or access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our nor the distribution service provider’s intention to monitor individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users.
The distribution of the newsletter and the success metrics are performed on the basis of consent by the recipient in accordance with Art. 6 Sec. 1a, Art. 7 GDPR in connection with § 7 Sec. 2 No. 3 UWG (Unfair Competition Law) and on the basis of the statutory permission in accordance with § 7 Sec. 3 UWG.
The logging of the registration process is performed on the basis of our legitimate interest in accordance with Art. 6 Sec. 1f GDPR and serves as proof of consent for the reception of the newsletters.
You can unsubscribe from our newsletter at any time, i.e. revoke your consent. You will find a link to unsubscribe from the newsletter at the end of each newsletter. If users have only subscribed to the newsletter and cancelled their subscription, their personal data will be deleted.

13. Our Social Media Presences

You will find us with presences within social networks and platforms, so that we can also communicate with you there and inform you about our services. We would like to point out that your data may be processed outside the European Union and that the data is usually processed there for market research and advertising purposes. User profiles can be created on the basis of user behavior and the resulting interests of users. These user profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of the users. For this purpose, cookies may be stored on the user’s computer in which the user’s usage behavior and interests are stored. Other data may also be stored in these user profiles, in particular if the users are members of the respective platforms and are logged in to them.
The processing of users’ personal data is carried out on the basis of our legitimate interests in the broadest possible communication with our users in accordance with Art. 6 Sec. 1 lit. f GDPR. If the respective social networks obtain consent for data processing, the legal basis for processing is Art. 6 Sec. 1 lit. a GDPR. For information on the respective processing operations and the respective possibilities of objection, we refer to the following linked data protection declarations of the providers:

• Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), Facebook pages on the basis of an agreement about joint processing of personal data – privacy statement: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads und http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

• Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy Statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

• Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy Statement/ Opt-Out: http://instagram.com/about/legal/privacy/.

• Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Statement: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.

• Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – Privacy Statement/ Opt-Out: https://about.pinterest.com/de/privacy-policy.

• LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – Privacy Statement https://www.linkedin.com/legal/privacy-policy , Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.

• Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland) – Privacy Statement/Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.
In case of requests for information and the assertion of user rights, we recommend that these be asserted directly with the providers, since the providers have direct access to the data. Should you nevertheless require assistance, then you can contact the above-mentioned contact data.

• Vimeo (Vimeo, Inc. 555 West 18th Street ,New York, New York 10011, Privacy@vimeo.com – Datenschutzerklärung (https://vimeo.com/privacy)

14. Other Services

In the framework of our legitimate interests in the sense of Art. 6 Sec. 1f GDPR, i.e. our interest in an optimal web appearance, we use service offers from third parties on our website. The IP address of the user may be transmitted to these third parties. The IP address is technically necessary so that the contents can be displayed. Third party providers may use so-called web pixels (invisible graphics, also referred to as “web beacons”) for evaluation or marketing purposes. The web pixels can be used to evaluate information such as visitor traffic to the website using the web beacon. The third-party providers can store information in cookies on the user’s device.
We use the following third-party providers on our website:

• For the inclusion of videos we use the third party provider Vimeo, LLC, headquartered at 555 West 18th Street, New York, New York 10011, USA. When you visit one of our pages equipped with a Vimeo plug-in, a connection is established to the Vimeo servers. The Vimeo server will be informed which of our pages you have visited and will receive your IP address. This also applies if you are not logged in to Vimeo or do not have an account with Vimeo. The information collected by Vimeo is transferred to the Vimeo server in the USA. If you are logged in to your Vimeo account, you enable Vimeo to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your Vimeo account. You can find more information about the handling of user data in Vimeo’s privacy policy at: https://vimeo.com/privacy.

• Within our website on some of our pages we link to functions from Twitter. Twitter is am offer from the Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions include the display of our contributions within Twitter within our website, the link to our profile on Twitter and the possibility to interact with the contributions and the functions of Twitter. Twitter is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law. (https://www.privacyshield.gov). You can find the Twitter Privacy Policy at https://twitter.com/de/privacy and do an opt out at https://twitter.com/personalization. If you do not want Twitter to associate the data collected via our website directly with your Twitter account, you must log out of Twitter before visiting our website. You can also completely prevent the loading of Twitter plugins with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).

• So-called social plugins (plugins) from the Google+ social network are used on our website. Google+ is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“). The plugins can be recognized, for example, by buttons with the character “+1” on a white or colored background. You can find an overview of the Google plugins and their appearance here: https://developers.google.com/+/plugins. If you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Google servers. The content of the plugin is transmitted by Google directly to your browser and integrated into the page. Through the integration, Google receives the information that your browser has called the corresponding page of our website, even if you do not have a profile on Google+ or are not currently logged into Google+. This information (including your IP address) is transmitted directly from your browser to a Google server in the USA and stored there. If you are logged in at Google+, Google can assign the visit of our website directly to your Google+ profile. If you interact with the plugins, for example by pressing the “+1” button, the corresponding information is also transmitted directly to a Google server and stored there. The information is also published on Google+ and displayed to your contacts there. For the purpose and scope of data collection and the further processing and use of the data by Google, as well as your rights and settings to protect your privacy in this respect, please refer to Google’s data protection information: http://www.google.com/intl/de/+/policy/+1button.html. If you do not want Google to assign the data collected via our website directly to your profile on Google+, you must log out of Google+ before visiting our website. You can also completely prevent the loading of Google plugins with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).

• Functions from services provided by Xing from the XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland, may be included in our website. When you access Xing, your browser establishes a connection to XING AG servers; however, Xing does not store any personal data and in particular no IP addresses. Nor is there any evaluation of your usage behavior regarding the use of cookies in connection with the “XING Share Button”. The current data protection information of Xing can be viewed under the following link: https://www.xing.com/app/share?op=data_protection.

• There are buttons from the Facebook social network, from Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA, integrated in our website. You can recognize the Facebook buttons by the Facebook logo or the “Share” button on our page. We do not use the “Like” button for data protection reasons. You can find an overview of the Facebook buttons and plug-ins here: https://developers.facebook.com/docs/plugins/. When you visit our pages, no personal data is initially passed on to Facebook. A connection between your browser and the Facebook server is only established when you click on the “Share” button. If you click on the “Share” button, Facebook automatically receives the information that you have visited our site with your IP address. If you are logged into your Facebook account, you can link the contents of our page to your Facebook profile. This allows Facebook to associate visiting our pages with your user account. We would like to point out that, as the provider of the pages, we do not have any knowledge of the content of the data transmitted or its use by Facebook. Further information on this can be found in Facebook’s privacy policy at https://www.facebook.com/about/privacy/. If you do not want Facebook to be able to assign visits to our pages to your Facebook user account, do not click the “Share” button and log out of your Facebook user account.

• So-called social plugins (plugins) from Instagram, operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (”Instagram“), are used on our website. The plugins are identified with an Instagram logo, for instance in the form of an “Instagram camera“. An overview of the Instagram plugins and their appearance can be found under: http://blog.instagram.com/post/36222022872/introducing-instagram-badges. When you visit a page on our website that contains such a plugin, your browser establishes a direct connection to Instagram’s servers. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. This integration tells Instagram that your browser has accessed the appropriate page on our site, even if you do not have an Instagram profile or are not logged into Instagram. This information (including your IP address) is transferred directly from your browser to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can directly associate your visit to our website with your Instagram account. If you interact with the plugins, for example by pressing the “Instagram” button, this information will also be sent directly to an Instagram server and stored there. The information is also published to your Instagram account and displayed to your contacts. The purpose and scope of the data collection and the further processing and use of the data by Instagram as well as your related rights and privacy settings can be found in Instagram’s privacy policy: https://help.instagram.com/155833707900388/. If you do not wish Instagram to associate the data collected through our website directly with your Instagram account, you must log out of Instagram before visiting our website. You can also prevent the Instagram plugins from loading completely with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).