Data Privacy Policy

Date: June 27, 2023

Responsible Party

Karl Banasek
Kalkgasse 15
64625 Bensheim

E-mail address:

karl.banasek@karbanhr.de

Phone:

+491778375760

Legal Notice:

https://karbanhr.de/en/legal-notice

Applicable Legal Bases

Relevant legal bases under GDPR: Below you will find an overview of the legal bases of the GDPR, on the basis of which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection requirements may apply in your or our country of residence or domicile. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the data protection declaration.

  • Consent (Art. 6 para. 1 s. 1 lit. a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 s. 1 lit. b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation (Art. 6 para. 1 s. 1 lit. c) GDPR) - The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6 para. 1 s. 1 lit. f) GDPR) - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). The BDSG contains special provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated individual decision-making, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on applicability of GDPR and Swiss DSG: This privacy notice serves both to provide information according to the Swiss Federal Act on Data Protection (Swiss DSG) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the wider scope of application and understanding, the terms of the GDPR have been replaced by Swiss terms. In particular, instead of the terms "processing" of "personal data" (or briefly "data"), and "legitimate interest" used in the GDPR, the terms "processing" of "personal data" and "overriding interest" used in the Swiss DSG are used. However, the legal meaning of the terms is still determined according to the Swiss DSG in the context of its application.

Overview of Processing

The following summary outlines the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and process data.

Categories of data subjects

  • Interested parties.
  • Communication partners.
  • Users.
  • Business and contract partners.

Purposes of processing

  • Provision of contractual services and customer service.
  • Contact inquiries and communication.
  • Security measures.
  • Reach measurement.
  • Office and organisational procedures.
  • Administration and response to inquiries.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offer and user-friendliness.
  • Information technology infrastructure.

Security Measures

In accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include in particular securing the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, dissemination, assurance of availability and separation of the data. Furthermore, we have set up procedures to ensure the exercise of data subjects' rights, deletion of data and response to data compromise. Moreover, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data-protection-friendly default settings.

TLS encryption (https): To protect your data transmitted via our online offer, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data are transferred to other places, companies, legally independent organisational units or persons or that they are disclosed to them. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content that are incorporated into a website. In such cases, we observe the legal requirements and in particular conclude appropriate contracts or agreements which serve to protect your data with the recipients of your data.

Use of Cookies

Cookies are small text files or other storage notations that store information on end devices and read information from end devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, or the content called up or functions used in an online offer. Cookies can also be used for different purposes, e.g. for the functionality, security, and comfort of online offers as well as for the creation of analyses of visitor flows.

Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless this is not required by law. Consent is not necessary in particular if the storage and reading of information, including cookies, are absolutely necessary to provide the users with a telemedia service (i.e. our online offer) explicitly requested by them. These generally include cookies with functions for the display and operability of the online offer, load balancing, security, storing user preferences and selection options, or similar purposes related to providing the main and secondary functions of the online offer requested by the users. The revocable consent is clearly communicated to the users and contains information about the respective cookie usage.

Notes on the legal basis for data protection: The legal basis on which we process the personal data of users with the help of cookies depends on whether we ask users for their consent. If the users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the operational management of our online offer and its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, in the course of fulfilling those obligations. We explain the purposes for which we process cookies in the course of this privacy policy or in the context of our consent and processing processes.

Storage duration: In terms of storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Similarly, the data of users collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and duration of storage of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.

General notes on revocation and objection (so-called "Opt-Out"): Users can revoke their given consents at any time and object to the processing in accordance with legal requirements. For this purpose, users can restrict the use of cookies in the settings of their browser (although this may also limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Legal bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR).

Further information on processing processes, procedures, and services:

  • Processing of cookie data based on consent: We use a cookie consent management process in which the consent of users to the use of cookies, or the processing and providers mentioned in the context of the cookie consent management process, can be obtained, managed, and revoked by the users. The declaration of consent is stored in order not to have to repeat its query and to be able to prove the consent in accordance with the legal obligation. The storage can take place server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to assign the consent to a user or their device. Unless individual information is provided on the providers of cookie management services, the following applies: The duration of the storage of consent can be up to two years. A pseudonymous user identifier is formed and stored with the time of consent, details about the scope of the consent (e.g. which categories of cookies and/or service providers), and the browser, system, and device used; Legal bases: Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR).
  • Complianz: Cookie consent management; Service Provider: Locally hosted on our server, no data transfer to third parties; Website: https://complianz.io/; Privacy Policy: https://complianz.io/legal/; Further information: An individual user ID, language, and types of consent and the time of their submission are stored server-side and in the cookie on the user's device.

Business Services

We process data of our contract and business partners, e.g., customers and prospects (collectively referred to as "contract partners") within the context of contractual and comparable legal relationships and associated measures and in the context of communication with the contractual partners (or pre-contractual), e.g., to answer inquiries.

We process these data in order to fulfill our contractual obligations. These obligations include in particular the obligations to provide the agreed services, any updating obligations, and remedy in the event of warranty and other performance disruptions. In addition, we process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and company organization. We also process the data based on our legitimate interests in proper and economic business operations and in security measures to protect our contract partners and our business operations from abuse, endangerment of their data, secrets, information, and rights (e.g., involving telecommunication, transport, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of the applicable law, we only pass on the data of contract partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contract partners are informed about other forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

We inform the contract partners about which data is necessary for the aforementioned purposes before or during data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e., in principle after the expiry of 4 years, unless the data is stored in a customer account, e.g., as long as it must be stored for legal reasons of archiving. The legal retention period for tax-relevant documents, as well as trade books, inventories, opening balances, annual financial statements, the working instructions necessary for understanding these documents and other organizational documents, and booking receipts is ten years, and for received trade and business letters and reproductions of sent trade and business letters, it is six years. The period begins with the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance, the annual financial statement, or the management report was drawn up, the trade or business letter was received or sent, or the booking receipt was created, or the recording was made, or other documents were created.

As far as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

  • Type of data processed: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., e-mail, telephone numbers); contract data (e.g., subject matter of the contract, duration, customer category).
  • Persons affected: Prospective customers; business and contractual partners.
  • Purposes of processing: Provision of contractual services and customer service; contact inquiries and communication; office and organizational procedures; administration and answering of inquiries.
  • Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR); Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR); Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

  • Project and development services: We process the data of our customers and clients (hereinafter collectively referred to as "customers") to enable them to select, purchase or commission the chosen services or works and related activities, and to enable their payment and provision or execution or performance. The necessary details are marked as such within the scope of the order, purchase, or comparable contract conclusion and include the information needed for performance and invoicing, as well as contact information to be able to maintain any necessary consultations. Insofar as we gain access to information of end customers, employees, or other persons, we process this in accordance with legal and contractual requirements; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).

Provision of the online offer and web hosting

We process the data of users in order to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the contents and functions of our online services to the browser or the device of the user.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times); Meta-, communication, and processing data (e.g., IP addresses, timestamps, identification numbers, consent status); Content data (e.g., entries in online forms).
  • Individuals affected: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offerings and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

  • Provision of online services on rented storage space: We use storage space, computing power, and software that we rent or otherwise acquire from a corresponding server provider (also known as a "web host"); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". The server log files can include the address and name of the accessed websites and files, date and time of access, amounts of data transferred, notification of successful access, type of browser along with the version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the capacity and stability of the servers; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidence purposes is exempted from deletion until the respective incident has been finally clarified.
  • Email dispatch and hosting: The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of the recipients and senders as well as other information concerning the email dispatch (e.g., the involved providers) and the contents of the respective emails are processed. The aforementioned data can also be processed for the purpose of detecting SPAM. Please note that emails on the internet are generally not sent encrypted. Emails are usually encrypted during transmission, but (unless an end-to-end encryption process is used) not on the servers from which they are sent and received. We therefore cannot take responsibility for the transmission path of emails between the sender and reception on our server; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • STRATO: Services in the field of providing information technology infrastructure and associated services (e.g., storage space and/or computing capacity); Service provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.strato.de; Privacy policy: https://www.strato.de/datenschutz; Data processing contract: Provided by the service provider.
  • WordPress.com: Hosting and software for the creation, provision and operation of websites, blogs and other online offerings; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://wordpress.com; Privacy policy: https://automattic.com/de/privacy/; Data processing contract: https://wordpress.com/support/data-processing-agreements/.

Contact and inquiry management

When contacting us (e.g., by post, contact form, e-mail, telephone, or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact requests and any requested measures.

  • Types of data processed: Contact data (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta-, communication and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Individuals affected: Communication partners.
  • Purposes of processing: Contact requests and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via an online form); Provision of our online services and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing processes, procedures, and services:

  • Contact form: If users contact us via our contact form, email or other communication channels, we process the data communicated to us in this context to process the communicated concern; Legal bases: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web analysis, monitoring, and optimization

Web analysis (also referred to as "reach measurement") serves the evaluation of visitor flows of our online offer and can include behavior, interests or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at which time our online offer or its functions or content are most frequently used or invite reuse. Likewise, we can understand which areas need optimization.

In addition to web analysis, we can also use testing procedures, for example, to test and optimize different versions of our online offer or its components.

Unless stated otherwise below, profiles, i.e., data summarized in a usage process, can be created for these purposes and information can be stored in a browser or device and read out from it. The collected information primarily includes visited websites and elements used there as well as technical information, such as the browser used, the computer system used, and information about usage times. If users have given us or the providers of the services we use their consent to the collection of their location data, location data can also be processed.

The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) are stored in the context of web analysis, A/B testing and optimization, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times); Meta-, communication and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Individuals affected: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creation of user profiles).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures, and services:

  • Jetpack (WordPress Stats): Jetpack offers analysis functions for WordPress software; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy.

Presence in social networks (Social Media)

We maintain online presences within social networks and process data of users in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data can be processed outside the European Union. This can pose risks for users because, for example, the enforcement of user rights could be made more difficult.

In addition, user data is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The usage profiles can in turn be used to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the computers of the users, in which the user behavior and the interests of the users are stored. Furthermore, data can be stored in the user profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in).

For a detailed presentation of the respective processing forms and the possibilities of objection (opt-out), we refer to the privacy statements and information of the operators of the respective networks.

Also, in the case of information requests and the assertion of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, you can contact us.

  • Types of data processed: Contact data (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta-, communication and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Individuals affected: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Contact requests and communication; Feedback (e.g., collecting feedback via an online form); Marketing.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Plugins and embedded functions and content

We integrate into our online offer functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can, for example, be graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always presupposes that the third-party providers of this content process the IP address of the users, since they could not send the content to their browser without the IP address. The IP address is thus necessary for the presentation of this content or functions. We strive to use only those contents whose respective providers use the IP address only for the delivery of the contents. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, as well as being linked to such information from other sources.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times); Meta-, communication and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Individuals affected: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:

  • Google Fonts (hosted on our own server): Provision of font files for a user-friendly presentation of our online offer; Service provider: The Google Fonts are hosted on our server, no data is transferred to Google; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Font Awesome (hosted on our own server): Display of fonts and symbols; Service provider: The Font Awesome icons are hosted on our server, no data is transmitted to the provider of Font Awesome; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Created with free Datenschutz-Generator.de by Dr. Thomas Schwenke