Privacy Policy

As of September 2025 (Version 1.0)

I. Privacy is a matter of trust

Privacy is a matter of trust, and your trust is important to us. To ensure that you feel secure when visiting our website, we strictly observe the statutory provisions and would like to inform you transparently about how we handle your data. You should know when we collect, store and use which data, and for what purposes.

 

The following privacy notice summarizes for you the data processing activities carried out in our company.

 

This Privacy Policy applies to all websites and other services and performances we provide, in particular the corporate website including our career portal and the use of the applicant management system under www.holtzbrinck.com.

 

The use of personal data by us is processed exclusively within the scope of these provisions and in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), and the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG).

 

We make every effort to protect your data against unauthorized access, loss, misuse or destruction. In addition, we take procedural and electronic security measures in accordance with the requirements of Art. 32 GDPR and Section 19 TDDDG to protect your personal data.

 

1. Data Controller

 

The Data Controller within the meaning of the GDPR and BDSG is:

 

Georg von Holtzbrinck GmbH & Co. KG
Gänsheidestrasse 26
70184 Stuttgart
Germany

 

Phone: +49 711 2150-0
Email: info@holtzbrinck.com
Website: www.holtzbrinck.com

 

If you have any questions regarding this Privacy Policy or data protection at our company, you may contact, in addition to our external Data Protection Officer, our internal Data Protection Team via email at datenschutz@holtzbrinck.com or by post to:

 

Georg von Holtzbrinck GmbH & Co. KG
Attn. Data Protection Team
Gänsheidestrasse 26
70184 Stuttgart

 

2. Data Protection Officer

 

Contact details of our external Data Protection Officer:

 

ISiCO GmbH
Am Hamburger Bahnhof 4
10557 Berlin
Germany
Phone: +49 (0)30-213002850
Email: info@isico-datenschutz.de
Website: www.isico-datenschutz.de

II. General Information on Data Processing

1. Personal Data

 

Personal data are individual pieces of information concerning the personal or factual circumstances of a specific or identifiable natural person. Accordingly, your personal data include all data that contain information about your personal or factual circumstances and allow identification, such as your civil name, address, telephone number, or email address.

 

2. Scope of Processing of Personal Data

 

We process personal data of our users only to the extent necessary to provide a functional website as well as our content and services. Depending on how you contact us and which services you use, different data from various sources may be collected. The processing of personal data of our users is generally carried out only after the user has given consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of data is permitted by statutory provisions.

 

3. Legal Basis for the Processing of Personal Data

 

  • Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6(1)(a) GDPR serves as the legal basis.
  • In the processing of personal data necessary for the performance of a contract to which the data subject is party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
  • Insofar as processing of personal data is required for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.
  • In the event that vital interests of the data subject or of another natural person necessitate the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.
  • If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis for the processing.

 

4. Data Erasure and Storage Period

 

Unless a specific storage period is expressly stated below for the processing operations carried out by us, your personal data will be deleted, blocked, or anonymized as soon as the purpose or legal basis for storage no longer applies. As a rule, your data are stored only on our servers in Germany, subject to any transfer in accordance with the provisions in Section VII.
Storage may also occur where provided for by European or national legislators in EU regulations, laws, or other provisions to which we as the controller are subject (e.g. Section 257 German Commercial Code - Handelsgesetzbuch – HGB, Section 147 German Fiscal Code - Abgabenordnung – AO). When the legally prescribed retention period expires, deletion, blocking, or anonymization of the personal data takes place unless further storage by us is necessary and a legal basis for this exists.

III. Your Visit to Our Website

1. Creation of Logfiles

 

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device (so-called logfiles) transmitted by your browser:

  • Information about the browser type and version used
  • The operating system of the user
  • The Internet service provider of the user
  • The IP address of the user
  • Date and time of access
  • Websites from which the user’s system reaches our website
  • Websites accessed by the user’s system via our website

 

The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. Storage in logfiles also takes place to ensure the functionality of the website. The collected data are used for purposes of data security, in particular to avert attempted attacks, to stabilize operational security, and for statistical evaluations. The data are not evaluated for marketing purposes in this context.

 

The data are deleted or anonymized after a maximum of 7 days. In the case of anonymization, IP addresses are altered in such a way that the individual information regarding personal or factual circumstances can no longer be attributed to a specific or identifiable natural person. Logfiles are neither used for the creation of individual user profiles nor disclosed to third parties.

 

The collection of data for the provision of the website and the storage of data in logfiles is strictly necessary for the operation of the website. Consequently, the user has no right to object.

 

The legal basis for the temporary storage of data and logfiles is Art. 6(1)(f) GDPR in conjunction with Section 25(2) No. 2 TDDDG.

 

2. Cookies

 

We use so-called session cookies to enable you to navigate through the pages and use essential functions. Cookies are small files stored on your computer with the help of your internet browser. These “necessary” session cookies are usually deleted after the browser session ends. In this way, we can optimize our website, improve content or personalization, and simplify usage.

 

On our career page we use the cookie JSESSIONID as a technically necessary session cookie. This stores a so-called session ID, which allows various requests from your browser to be assigned to the same session. This enables your device to be recognized when you return to our website. This session cookie is deleted when you log out or close the browser.

 

The legal bases for setting session cookies without consent are Art. 6(1)(b) and (f) GDPR and Section 25(2) No. 2 TDDDG.

 

3. Website Optimization

 

To understand the use of our website and improve it, we use the web analysis tool Plausible Analytics, provided by Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia. Plausible does not set cookies, does not store information in the browser, and does not collect any personal data. Details can be found in the Privacy Policy of Plausible Analytics at www.plausible.io/data-policy.

IV. Contact Requests

1. Contact via Web Form or Email

 

If you contact us via our web form or by email, we process the mandatory information you provide, such as your email address, first name, and last name, as well as any voluntary information, exclusively for the purpose of handling your request. Please direct general inquiries to our web form or to info@holtzbrinck.com and career-related inquiries to karriere@holtzbrinck.com. The data will be deleted once your inquiry has been fully processed, unless statutory retention obligations prevent such deletion.

 

The legal bases are Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract) and – in the absence of a contract – Art. 6(1)(f) GDPR (our legitimate interest in responding to inquiries). Where you have given your consent to further contact (e.g. request for a call-back), Art. 6(1)(a) GDPR applies.

 

2. Contact via Social Media

 

If you use our profiles on social networks (see Section VIII.2.) to contact us, the data you transmit will be processed solely for the purpose of contacting you. We delete stored data after one year, as soon as storage is no longer necessary, or if you request us to delete it. In the case of statutory retention obligations, we will restrict the processing of stored data accordingly.

 

Please note that whenever you contact us via one of our social media profiles, your data are also processed by the respective social media provider for its own purposes. We have no influence over these processing operations (including Page Insights Data). Please refer to the provider for information in this regard. The same applies to the exercise of your data subject rights (e.g. right to object) with respect to such data.

 

The legal basis is Art. 6(1)(a), (b), and (f) GDPR.

 

V. Application / Recruitment

We process your personal data in the context of your application, provided that you make such data available to us, e.g. via our applicant tool.

 

1. Use and Disclosure of Personal Data in the Recruitment Process

 

The personal data you enter into the online applicant system are collected, processed, and used by us exclusively for the purpose of handling the application process and filling the position. We store and process your data confidentially in accordance with the applicable data protection provisions. Recruitment within the Holtzbrinck Group takes place through cooperation between the HR department and the relevant business unit/management. The responsible employee of the business unit/management as well as the responsible employee of the HR department may belong to different legal entities of the Holtzbrinck Group. Therefore, your data may be processed within the Holtzbrinck Group on behalf of another entity in order to handle your application. Whether and to what extent this occurs is explained below.

 

2. Applications for a Specific Job Vacancy

 

When you apply for a specific job advertisement, e.g. via our career portal under “Career,” you provide us with your personal data. As a rule, these data are available only to the company within the Holtzbrinck Group that has advertised the position (target entity). For senior positions, the HR department of Holtzbrinck Holding (Georg von Holtzbrinck GmbH & Co. KG) is also involved, processing the data on behalf of the target entity. In addition, there is only technically required and unavoidable access by the hosting provider, in particular the system administrators, who may access the data to the extent necessary in case of technical necessity. Any other unauthorized access within the Holtzbrinck Group is excluded.

 

If you have expressly consented during the application process, your application may be forwarded within the Holtzbrinck Group to the relevant business unit/entity should HR staff consider you for another position.

 

Some of our job postings are recommended by employees of the Holtzbrinck Group, e.g. via email or postings on social networks such as XING or LinkedIn. In the event of an application via such a recommendation link, the recommending employee will subsequently be informed that you have applied for the linked job posting. The application documents themselves are not forwarded. If you wish your application to remain anonymous to the recommending employee, you can ensure this by selecting the corresponding opt-in during the application process.

 

3. Unsolicited Applications

 

Unlike applications for advertised vacancies (see Section V.2.), unsolicited applications provide us with your personal data for the purpose of assessing suitability for various positions. Therefore, in addition to processing by the HR department, your documents may be forwarded to several business units and entities within the Holtzbrinck Group. The legal basis is Section 26(1) BDSG and Art. 6(1)(b) GDPR (pre-contractual measures). If you do not wish this, please indicate so in your application or subsequently to the contact address specified in Section I.1., e.g. by email to karriere@holtzbrinck.com.

 

4. Use of the Applicant Management System "softgarden"

 

If you apply via our career portal, your data will be processed through the applicant management system provided by softgarden e-recruiting GmbH (“softgarden”). Below we inform you which personal data we collect in the course of your application via softgarden, for what purpose, and on what legal basis.

 

a. Processing by a Processor

 

For handling our recruitment procedures, we use the applicant management system of softgarden e-recruiting GmbH, Tauentzienstr. 14, 10789 Berlin, which operates the applicant management as a processor within the meaning of Art. 4(8) GDPR. We have concluded a data processing agreement pursuant to Art. 28 GDPR with the provider to ensure compliance with data protection provisions. We remain your primary point of contact for the exercise of your data subject rights and throughout the recruitment process.

 

b. Place of Data Processing

 

softgarden operates IT infrastructure at its office locations in Berlin and Saarbrücken, as well as in data centers of the following providers:

  • myLoc managed IT AG, Am Gatherhof 44, 40472 Düsseldorf
  • PlusServer GmbH, Hohenzollernring 72, 50672 Cologne

All data centers are located in Germany.

 

c. Collection and Use of Your Data

 

softgarden and third-party services may, for operational and maintenance purposes, collect files that record interactions via the application (system logs) or use other personal data (e.g. IP address) for this purpose.

 

When accessing softgarden products, your internet browser automatically transmits data for technical reasons. The following data are stored separately from other data you may voluntarily provide:

  • Date and time of access
  • Browser type and version
  • Operating system used
  • URL of the previously visited website
  • Amount of data transmitted
  • IP address of access

These data are not used for direct allocation within the recruitment process and will be deleted in accordance with applicable retention periods, unless longer retention is necessary for legal or factual reasons (e.g. evidence purposes). In individual cases, longer storage may be considered for the aforementioned purposes.

 

The legal basis is Art. 6(1)(f) GDPR and Section 25(2) No. 2 TDDDG.

 

d. Data Entered by Users

 

General

To make the application process transparent for you, you may register. For this purpose, you must enter your name, email address and a password. These data are required to set up and manage an account in the career portal. We also need these and possibly further data to respond to requests, questions or feedback.

 

Additional optional data include:

  • Contact details (address, telephone number)
  • Curriculum vitae data (e.g. education, professional training, work experience, language skills)
  • Profiles in social networks (e.g. XING, LinkedIn, Facebook)
  • Documents related to applications (application photos, cover letters, certificates, references, work samples, etc.)

The legal basis for processing is Section 26(1) BDSG and Art. 6(1)(b) GDPR.

 

Processing of CV Documents

softgarden processes and analyzes documents uploaded by applicants to extract CV data and transfer them into a structured form (CV parsing). Processing is carried out within softgarden’s infrastructure under a data processing agreement pursuant to Art. 28 GDPR. Provider is Textkernel B.V., Nieuwendammerkade 26 A 5, 1022 AB Amsterdam, Netherlands. Data processing takes place on a server in Germany in a secure environment. Your data are deleted from the temporary storage at Textkernel after processing.

 

The legal basis is Section 26(1) BDSG and Art. 6(1)(b) and (f) GDPR.

 

Subscription to Job Alerts

On the career portal you may subscribe to receive automatic notifications about new vacancies within the Holtzbrinck Group. This can be done either via email newsletter or via RSS feed. You may specify target group, job group, and location, or simply receive general job alerts. If you want to be informed about new vacancies via our email newsletter, we require your email address.

 

The legal basis is your consent to receive newsletters in accordance with Art. 6(1)(a) GDPR and Section 25(1) TDDDG. You may withdraw your consent at any time for the future by using the unsubscribe link in the newsletter. No personal data are processed when receiving job alerts via RSS feed.

 

Talent Pool

 

After an unsuccessful application, you may be admitted to our talent pool if you provide us with corresponding consent. Should a similar or otherwise suitable position become available, we may then contact you. Admission to the talent pool is voluntary, e.g. via the use of an opt-in link, if available.

 

The legal basis is the data subject’s consent to inclusion in the talent pool pursuant to Art. 6(1)(a) GDPR. You may withdraw this consent at any time, in particular by email to karriere@holtzbrinck.com. Furthermore, 6 months after granting the aforementioned consent we will contact you to ask whether you still wish to remain part of the talent pool.

 

Social Share Buttons

 

You may share job postings on various social networks. For this, different buttons are offered for each network. After clicking one of these buttons, you will be redirected to the respective network and taken to its login page. These buttons are not plug-ins and do not transmit personal data directly to the operators of the social networks. Currently, job postings may be shared on the following social networks:

  • Facebook (https://de-de.facebook.com/privacy/explanation)
  • X (formerly Twitter) (https://x.com/de/privacy)
  • LinkedIn (https://www.linkedin.com/legal/privacy-policy)
  • Xing (https://privacy.xing.com/de/datenschutzerklaerung)

 

The legal basis is Art. 6(1)(f) GDPR.

 

Please refer to the linked privacy policies of the social networks to learn how your personal data are processed. We have no influence on such processing.

 

e. Use of Collected Data

 

The purpose of processing your data is the handling of your application in a predefined workflow and the improvement of applicant communication through the e-recruiting software softgarden. We have concluded a data processing agreement pursuant to Art. 28 GDPR with softgarden.

 

Data are collected for the provision of softgarden’s services. In addition, data are collected for the following purposes: analytics, interaction with support and possibly evaluation platforms, administration of support and contact requests, administration of user databases, administration of contacts and sending of messages, contacting users, access to third-party profiles (e.g. login via LinkedIn or XING), and displaying content from external platforms.

 

The personal data used for these purposes are described in the respective sections of this document.

 

f. Scheduling

 

For scheduling and invitations, we use an integrated service provided by Cronofy Limited, 9a Beck Street, Nottingham, NG1 1EQ, UK.

 

If we invite you to an interview using this feature, you will receive a calendar invitation created via Cronofy by email. This includes your email address, the title of the meeting, a description, and a location where the appointment will take place. No further personal data will be transmitted to Cronofy.

 

Data processing takes place in encrypted form on a server in Germany. Adequate security standards for data processing have been agreed with the provider.

 

If you do not wish data to be processed by Cronofy, please indicate this in advance of scheduling (objection).

 

The legal basis is Art. 6(1)(f) GDPR, as integration of scheduling into our applicant management system helps to efficiently plan and manage interviews and other appointments.

 

g. Referral Manager

 

Through the Referral Manager tool, recruiters and employees can share vacant positions in the Holtzbrinck Group on social networks or via email with acquaintances and friends in order to address potential applicants or provide direct recommendations.

 

If you decide to apply for a position suggested directly or indirectly, your personal data will be processed in accordance with the regular application process. Your data will be displayed to authorized users and processed in the applicant management system. Before submitting your application, you will have the option to display your application anonymously in the referral manager. In this case, the recommending person will only be able to see that someone has applied. Otherwise, name, position, and application photo may also be visible.

 

The legal basis for processing your data for referral and application purposes is Art. 6(1)(a) and (f) GDPR. The data are processed and deleted in accordance with the regular application process.

 

h. Duration of Storage

 

Your data will be stored for the duration of the application process and in accordance with the legitimate retention periods after the application process has been completed.

 

In the case of rejection, your personal data will be deleted 6 months after the application date. This does not apply if you have expressly consented to longer storage until withdrew, e.g. by declaring that we may store your application indefinitely to contact you for further vacancies matching your profile (see Section V.4.d Talent Pool).

 

If you are hired, your personal data will be stored and processed for the purpose of the hiring process and the subsequent employment relationship.

 

The legal basis is Art. 6(1)(b) GDPR.

 

Instead of deletion, data may be fully anonymized after the retention period has expired. Anonymized data sets are no longer subject to data protection law and may be processed for statistical and analytical purposes, market research, or product development.

 

i. Cloudflare

 

softgarden uses the services of the ISO 27001-certified provider Cloudflare Inc., 101 Townsend St, San Francisco, USA, or its subsidiary Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (“Cloudflare”), to increase platform security, in particular protection against DDoS attacks, and to improve delivery speed. Cloudflare provides a network of servers able to deliver optimized content to end users and filter malicious traffic.

 

The services provided by Cloudflare include the product Data Localisation Suite with the components Regional Services and Metadata Boundary for Customers. Both components ensure that the transfer of personal data when using our platform takes place exclusively within the EU.

 

softgarden has selected Germany as the region. Thus, all data traffic is processed solely on servers in Germany. Metadata Boundary ensures that Cloudflare does not transfer customer logs outside the EU. The personal data processed by Cloudflare include all content transmitted by customers and applicants – i.e. beyond IP addresses, all files (application documents) and multimedia material, graphics, audio, video, as well as any interaction of your browser with the softgarden system.

 

Cloudflare is a recipient of your personal data and acts as a processor for softgarden. This corresponds to a legitimate interest within the meaning of Art. 6(1)(f) GDPR to ensure security, risk prevention, and user-friendliness of the platform.

 

Your personal data are stored by Cloudflare as long as required for the described purposes, usually 124 calendar days.

 

Further information on Cloudflare can be found at Cloudflare DPA https://www.cloudflare.com/cloudflare-customer-dpa/.

VI. Categories of Recipients

In the context of processing your personal data, the following categories of recipients may gain access to your data:

  • Internal recipients: departments and responsible persons within the Holtzbrinck Group handling your inquiry or (in case of applications) the recruitment procedure (e.g. HR/Recruiting).
  • Processors (IT/Hosting): service providers supporting us in operating, maintaining, and securing the website/career page (including hosting/support) pursuant to Art. 28 GDPR.
  • Applicant management: softgarden e-recruiting GmbH as processor for our applicant management system. For this purpose, softgarden may use sub-processors – in particular Cloudflare (security/performance within the EU), Textkernel (CV parsing), Cronofy (scheduling), and job boards/status feedback.
  • Authorities, courts, legal counsel: where legally required, for legal defense or enforcement.

 

Any further disclosure to third parties will not take place without your express consent.

VII. Data Transfers to Third Countries

As a rule, data processing within our business relations takes place in Germany or other European countries. If, in exceptional cases, a transfer to countries outside the European Union (EU) or the European Economic Area (EAA) (so-called third countries) occurs, this may result in your data being transferred to a country with a lower level of data protection than in the EU/EAA.

 

In such cases, we ensure that your data are processed in third countries only if appropriate safeguards guarantee an adequate level of data protection (e.g. adequacy decision of the European Commission or so-called appropriate safeguards pursuant to Art. 44 et seq. GDPR such as the conclusion of Standard Contractual Clauses or certifications). This applies in particular when using sub-processors.

VIII. Links

1. Links

 

Certain sections of our website contain links to third-party websites. These websites are subject to their own privacy policies and terms of use. We are not responsible for their operation, in particular with regard to their data handling practices. If you submit information to or through such third-party sites, we recommend that you carefully review their privacy policies before providing any personal data.

 

2. Social Media Links

 

Our website contains links to services such as YouTube, LinkedIn, and kununu. After clicking the link, you will be redirected to the respective provider’s page; only then will user information be transmitted to the provider. Please refer to the privacy notices of these providers to learn how they handle your data:

  • YouTube: https://www.youtube.com/@HoltzbrinckMedia – Privacy Notice: https://policies.google.com/privacy?hl=en
  • LinkedIn: https://www.linkedin.com/company/holtzbrinck/ – Privacy Notice: https://www.linkedin.com/legal/privacy-policy
  • kununu: https://www.kununu.com/de/holtzbrinck – Privacy Notice: https://privacy.xing.com/en/privacy-policy

IX. Your Rights as a Data Subject

If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us:

 

1. Right of Access (Art. 15 GDPR)

You may request information about the following:

  • the purposes for which personal data are processed;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom your personal data have been or will be disclosed;
  • the planned duration of storage of your personal data, or, if specific information is not possible, criteria for determining the storage duration;
  • the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller, or a right to object to such processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • any available information about the source of the data, if the personal data were not collected from the data subject;
  • the existence of automated decision-making including profiling pursuant to Art. 22(1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.

 

Furthermore, you have the right to be informed whether your personal data are transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards we have agreed with the recipient of your data in connection with such transfer. You are entitled to receive copies of your data.

 

2. Right to Rectification (Art. 16 GDPR)

You have the right to obtain rectification and/or completion if the personal data concerning you are inaccurate or incomplete.

 

3. Right to Erasure (Art. 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • You withdraw your consent on which the processing was based and there is no other legal ground for the processing.
  • You object to the processing and there are no overriding legitimate grounds for the processing.
  • The personal data have been unlawfully processed.
  • The personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which we are subject.
  • The personal data have been collected in relation to the offer of information society services.

 

The right to erasure does not apply to the extent processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing under European Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
  • for the establishment, exercise, or defense of legal claims.

 

Where statutory retention obligations prevent erasure, your personal data will be blocked instead. Please note that data you delete yourself may initially only be blocked and then permanently deleted with a time delay, in order to prevent accidental deletions or potential intentional damage.

 

4. Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of processing of personal data concerning you where one of the following applies:

  • you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy;
  • the processing is unlawful and you oppose erasure of the personal data and request restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims;
  • you have objected to processing and it has not yet been determined whether the legitimate grounds of the controller override yours.

 

Where processing has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State. You will be informed before the restriction is lifted.

 

5. Right to Notification (Art. 19 GDPR)

If you have exercised your right to rectification, erasure, or restriction of processing, we are obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You also have the right to be informed about those recipients.

 

6. Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance, where:

  • the processing is based on consent or on a contract; and
  • the processing is carried out by automated means.

 

In exercising this right, you further have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others shall not be adversely affected thereby.

This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or processing based solely on other statutory obligations.

 

7. Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data. In such case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.

Where your personal data are processed for market research purposes or for direct marketing, you have the right to object at any time to processing for such purposes. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes. We currently do not carry out direct marketing. Should we do so in the future, the aforementioned right will apply without restriction.

 

8. Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw your consent under data protection law at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

9. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority if you consider that the processing of your personal data infringes the GDPR and/or the BDSG.

 

If you wish to exercise this right, please contact the supervisory authority responsible for us:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Office address:
Lautenschlagerstraße 20
70173 Stuttgart
Postal address:
P.O. Box 10 29 32
70025 Stuttgart
Phone: +49 711/615541-0
Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de/

 

We recommend that you always address your requests regarding the exercise of your rights or a complaint to our Data Protection Team or our Data Protection Officer first, providing clear identification of your person.

 

Information on Your Right to Object (Art. 21 GDPR)

1. You have the right to object at any time to the processing of your data which takes place pursuant to Art. 6(1)(f) GDPR (data processing based on legitimate interests) or Art. 6(1)(e) GDPR (data processing in the public interest), for reasons arising from your particular situation. This also applies to profiling based on these provisions pursuant to Art. 4(4) GDPR.

 

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.

1. We may also process your personal data in individual cases for the purpose of direct marketing. If you do not wish to receive advertising, you may object at any time; this also applies to profiling, insofar as it is connected with such direct marketing. Your objection will take effect for the future once received.

2. Apart from that, upon receipt of your objection, we will no longer process your data for direct marketing purposes.

 

The objection may be submitted in any form and should be directed to the address specified in Section I.1.

X. Extent of Your Obligation to Provide Data

In principle, you are not obliged to provide us with your personal data. However, if you do not, we may, depending on the situation, be unable to provide our website, respond to your inquiries, conduct recruitment procedures, and/or conclude a contract with you. Personal data that we do not require mandatorily for the aforementioned processing purposes are identifiable as voluntary information.

XI. Automated Decision-Making / Profiling

We do not conduct automated decision-making or profiling (automated analysis of your personal circumstances). Should such processing become necessary in the future, we will obtain your explicit consent in advance in a transparent manner.

XII. Amendments to this Privacy Policy

We reserve the right to amend or supplement this Privacy Policy at any time in light of continuously changing legal, technical, and organizational requirements for the processing of personal data. This also applies to potential translation errors and differences regarding national requirements of data protection law.
Any amendments will be announced by publishing the revised Privacy Policy on our website. Unless otherwise specified, such changes shall take effect immediately. Please therefore review this Privacy Policy regularly to view the current version.