Excellence in IT Management and Digitalisation

Privacy Information

Scope
This Privacy Information explains the nature, scope and purpose of processing personal data (hereinafter ‘data’) in the course of providing our services and within our online content and the web pages, features and content associated with this, as well as external online presences, such as possible social media profiles (hereinafter jointly referred to as ‘online content’). As far as terminology, such as ‘processing’ or ‘controller’, for example, is concerned, please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller
LEXTA GmbH
Dorotheenstraße 37
10117 Berlin
Germany

info@lexta.com
Phone +49 30 887124-0
Fax +49 30 887124-20

Commercial Register 136589 B Charlottenburg District Court
VAT ID. No.: DE 217 181 452
Managing Directors: Frank Baumann, Christian Tölkes
Power of procuration (“Vertretungsberechtigt”): Jutta Häfner, Simone Funke

Contact address for Data Protection Officer: datenschutz@lexta.com

Categories of personal data
  • user data (for example, master personal data, names or addresses)
  • contact details (for example, e-mail, phone numbers)
  • content data (for example, text input, photographs, videos)
  • use data (for example, web pages visited, interest in content, access times)
  • metadata/communication data (for example, device information, IP addresses)

Data subject categories
Website visitors and users of online content (data subjects are also hereinafter jointly referred to as ‘users’).

Purposes of processing
  • to make our online content and its features available,
  • to respond to enquiries and communicate with users,
  • security measures,
  • measurement of reach/marketing.

Terminology used
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (for example, cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data whether or not by automated means. The term is comprehensive and covers virtually all handling of data.

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal bases
Pursuant to Article 13 GDPR, we inform you of the legal bases for processing your data. If the legal basis is not stated in this Privacy Information, the following shall apply to users falling under the jurisdiction of the General Data Protection Regulation (GDPR), i.e. in the EU and the EEA:
  • The legal basis for obtaining consent shall be Article 6 (1) a) and Article 7 GDPR.
  • The legal basis for processing in order to provide our services, discharge obligations that we have entered into and respond to enquiries shall be Article 6 (1) b) GDPR.
  • The legal basis for processing in order to fulfil our legal obligations shall be Article 6 (1) c) GDPR.
  • In the event that vital interests of the data subject or of another natural person render the processing of personal data necessary, Article 6 (1) d) GDPR shall be the legal basis.
  • The legal basis if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller shall be Article 6 (1) e) GDPR.
  • The legal basis for processing in order to protect our legitimate interests shall be Article 6 (1) f) GDPR.
  • The processing of data for purposes other than those for which they were collected shall be determined in accordance with Article 6 (4) GDPR.
  • The processing of special categories of data (in accordance with Article 9 (1) GDPR) shall be determined in accordance with Article 9 (2) GDPR.

Security measures
In accordance with legal requirements, taking account of the state of the art, implementation costs and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures in order to ensure an appropriate level of protection against the risk.

These measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access affecting them, input, transfer, ensuring of availability and their separation. Moreover, we have put procedures in place to guarantee the safeguarding of data subject rights, the erasure of data and a response to situations where data is compromised. Furthermore, we take account of the protection of personal data when developing or selecting hardware, software and procedures, in accordance with the principle of data privacy through technology design and default privacy settings.

Cooperation with processors, joint controllers and third parties
Insofar as we disclose data to other persons and companies (processors, joint controllers or third parties), transfer data to them or grant them access to data in another manner, this shall take place only on the basis of legal permission (for example, if transferring data to a third party, such as a payment provider, is required in order to discharge obligations under a contract), if users have consented to this, a legal obligation provides for this or on the basis of our legitimate interests (for example, when using authorised representatives, web hosts etc.).

If we disclose or transfer data to other companies in our group of companies or allow them access to such data in another manner, this shall be for administrative purposes as a legitimate interest and furthermore on a basis in accordance with the legal requirements.

Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or this happens in the course of using third party services or disclosure or transfer of data to other persons or companies, this shall only take place if it happens in order to meet our (pre)contractual obligations, based on your consent, on a legal requirement or on our legitimate interests. Subject to statutory or contractual permission, we shall only process or leave data in a third country if the legal requirements have been met. In other words, processing shall take place on the basis of certain guarantees, such as the officially recognised establishment of a data protection level that matches the level in the EU (for example, through the ‘Privacy Shield’ in the case of the USA) or compliance with officially recognised special contractual obligations.

Rights of the data subject
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and to information about these data as well as to further information and a copy of the data in accordance with the legal requirements.

You have the right in accordance with the legal requirements to request the completion of data concerning you or the rectification of inaccurate personal data concerning you.

Pursuant to the legal requirements, you have the right to obtain from the controller the erasure of personal data concerning you without undue delay or, pursuant to the legal requirements, to obtain a restriction of processing of these data.

In accordance with the legal requirements, you have the right to receive the personal data concerning you which you have provided to us and to request that these data are transferred to other controllers.

You also have the right in accordance with the legal requirements to lodge a complaint with the competent supervisory authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Federal Republic of Germany
Phone +49 30 13889-0
Fax +49 30 2155050
Email mailbox@datenschutz-berlin.de.

Right to withdraw
You have the right to withdraw consent that has been given with future effect.

Right to object
You may object to the future processing of data concerning you at any time in accordance with the legal requirements. You may object to processing for direct advertising purposes in particular.

Cookies and right to object in the case of direct advertising
‘Cookies’ are small files which are stored on a user’s computer. Various information can be stored in cookies. A cookie serves primarily to store information about a user (or the device on which the cookie is stored) during or even after the user has visited a website. Cookies that are deleted once a user has left a website and closed their browser are called ‘temporary cookies’, ‘session cookies’ or ‘transient cookies’. The contents of a shopping basket in an online shop or login details can be stored in these types of cookies. Cookies that remain stored even after a browser is closed are called ‘permanent’ or ‘persistent’ cookies. Login details may be stored, for example, if the user searches for these after several days. A user’s interests can also be stored in these types of cookies which are used to measure reach or for marketing purposes. Cookies that are used by providers other than the controller, which provides the online content, are called ‘third party cookies’ (cookies created by the host site are called ‘first party cookies’).

We may use both temporary and permanent cookies and provide an explanation of these in our Privacy Information.

If users do not want cookies to be stored on their computer, they should disable the relevant option in their browser's system settings. Cookies that have been stored can be deleted in the browser’s system settings. Disabling cookies may lead to certain features of our online content being restricted.

A general objection to the use of cookies for online marketing purposes can be made in the case of many services, particularly in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Moreover, the storage of cookies can be managed by disabling them in your browser settings. Please note this may mean it will not be possible to use all the features of our online content.

Erasure of data
The data we process are erased in accordance with the legal requirements or their processing is restricted. Unless expressly stated in this Privacy Information, the data we store are erased as soon as they are no longer required for their intended purpose and their erasure is not contrary to any statutory retention requirements.

If data are not erased because they are required for other legally permissible purposes, their processing will be restricted. In other words, the data are blocked and are not processed for other purposes. This shall apply, for example, to data which needs to be retained for commercial or tax reasons.

Privacy Information changes and updates
Please check the content of our Privacy Information on a regular basis. We shall amend this Privacy Information as soon as changes to our data processing make this necessary. We will notify you as soon as your cooperation or other personal notification is required (for example, your consent).

Contractual services
We process data of our partners and prospective customers as well as of other contractors, customers, clients or partners (jointly referred to as ‘partners’) in accordance with Article 6 (1) b GDPR in order to provide them with our contractual or (pre)contractual services. The data processed in this case, the nature, scope, purpose and necessity of their processing, shall be determined in accordance with the underlying contractual relationship.

The data that are processed include the master data of our partners (for example, names and addresses), contact details (for example, e-mail addresses and phone numbers) as well as contract details (for example, services used, contract content, contractual communication, names of contact persons) and payment data (for example, bank details, payment history).

In general, we do not process special categories of personal data, unless these form part of processing that has been commissioned or is in accordance with a contract.

We process data that are required for legitimation and discharging of contractual services and shall point out the necessity of their disclosure if this is not obvious to the partners. Disclosures shall only be made to external persons or companies if these are required under the terms of a contract. When processing data entrusted to us under the terms of a contract, we shall act in accordance with the customer’s instructions and legal requirements.

We may store IP addresses and times of the respective user action when our online content is viewed. These data shall be stored on the basis of our legitimate interests and the interests of the user in protection against misuse and other unauthorised use. In general, we shall not pass these data on to third parties, unless this is necessary for the purposes of pursuing our legitimate interests pursuant to Article 6 (1) f GDPR or is necessary for compliance with a legal obligation pursuant to Article 6 (1) c GDPR.

Data shall be erased if the data are no longer required in order to discharge contractual or legal duties of care or for handling any guarantee or comparable obligations, wherein the necessity for retaining data shall be reviewed every three years; moreover, the statutory retention requirements shall apply.

Data protection notice for job application process
We shall only process applicant details for the purposes of and in the course of an application process in accordance with the legal requirements. Applicant details shall be processed in order to fulfil our (pre)contractual obligations as part of an application process as laid down in Article 6 (1) b) GDPR and Article 6 (1) f) GDPR, if we are required to process data in the context of legal proceedings, for example (Article 26 of the German Data Protection Act (BDSG) shall also apply in Germany).

An application process shall require applicants to notify us of their details. Insofar as we provide an online form, the applicant details required shall be marked, otherwise they can be found in the job descriptions and essentially include details about the person, postal and contact addresses and the documents forming part of the application, such as covering letter, CV and references. Applicants may also provide additional information voluntarily.

By sending an application to us, applicants agree to the processing of their data for the purposes of the application process in accordance with the nature and scope specified in this Privacy Information.

If special categories of personal data as laid down in Article 9 (1) GDPR are notified voluntarily as part of the application process, these are processed as well in accordance with Article 9 (2) b) GDPR (for example, health data, such as severe disability or ethnic origin). If applicants are required to provide special categories of personal data as laid down in Article 9 (1) GDPR as part of the application process, these shall also be processed in accordance with Article 9 (2) a) GDPR (for example, health data, if these are necessary in order to do the job).

If provided, applicants may send us their applications using an online form on our website. The data will be sent to us in encrypted form in line with the state of the art. Applicants can also send us their applications by e-mail. However, please note that e-mails are generally not sent in encrypted form and that applicants must provide encryption themselves. We are therefore unable to accept any liability for the transmission link between the sender and receipt on our server and therefore recommend using an online form or sending applications by post. Applicants shall have the option to send us their application by post in any case rather than submitting an application using the online form or by e-mail.

If their application is successful, we may further process data provided by applicants for the purposes of the employment relationship. If their application is unsuccessful, applicants’ data shall be erased. Applicants’ data shall also be erased if an application is withdrawn. Applicants shall be entitled to withdraw their application at any time.

Subject to a legitimate withdrawal by an applicant, data shall be erased after a period of six months so that we can answer any follow-up questions to the application and fulfil our obligations to provide proof pursuant to the German Equal Treatment Act [Gleichbehandlungsgesetz]. Invoices relating to any reimbursement of travel expenses shall be kept on file as required by tax law.

Contacting us
When contacting us (for example, through a contact form, by e-mail, telephone or through social media), the user’s particulars shall be processed in order to deal with the enquiry pursuant to Article 6 (1) b) (in the course of contractual/pre-contractual relations) and Article 6 (1) f) (other enquiries) GDPR. The user’s particulars may be stored in a customer relationship management system (‘CRM system’) or comparable system for organising enquiries.

We shall delete enquiries as soon as these are no longer needed. We shall review the respective need every two years; furthermore, the statutory archiving obligations shall apply.

salesforce CRM system
We use the CRM system from provider salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany in order to process user enquiries faster and more efficiently (legitimate interest pursuant to Article 6 (1) f) GDPR).

salesforce is certified under the Privacy Shield Agreement and therefore offers an additional guarantee of compliance with the European Data Protection Regulation if data are processed in the USA (https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active).

salesforce uses user data solely for the technical processing of enquiries and does not pass these on to third parties. The specification of a correct e-mail address is the minimum requirement for using salesforce. Pseudonymous use is possible. It may be necessary to collect additional data in the course of processing service enquiries (name, address).

If users do not agree to the collection and storage of data in the external salesforce system, we offer them alternative contact options so they can submit service requests by e-mail, phone, fax or post.

Users can find additional information in the salesforce Privacy Information: https://www.salesforce.com/de/company/privacy/.

Hosting and e-mail distribution
The hosting services that we contract allow us to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail distribution, security services as well as technical maintenance services, which we use for the purpose of providing our online content.

In providing these services, we or our hosting providers process inventory data, contact details, content data, contract data, use data, metadata and communication data of customers, prospective customers and viewers of this online content, based on our legitimate interests in the efficient and secure provision of this online content pursuant to Article 6 (1) f) GDPR in conjunction with Article 28 GDPR (conclusion of a processing contract).

Collection of access data and log files
We or our hosting providers collect data relating to all access to the servers on which this service is located (‘server log files’) based on our legitimate interests as laid down in Article 6 (1) f) GDPR. Access data includes the name of the website requested, file, date and time of the request, data volume transferred, report on successful request, browser type and version, the user’s operating system, referrer URL (page visited previously), IP address and the requesting provider.

For security reasons (to clarify misuse or fraud, for example), log file information is stored for a maximum period of 7 days and then erased. Data that have to be kept for longer for evidential purposes are not erased until the respective incident has been completely resolved.

Google Analytics
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content as laid down in Article 6 (1) f) GDPR), we use Google Analytics, a web analytics service offered by Google LLC (‘Google’). Google uses cookies. Information generated by cookies about the use of online content by a user is usually sent to and stored on a Google server in the USA. Google is certified under the Privacy Shield Agreement and therefore offers an additional guarantee of compliance with the European Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will use this information on our behalf to analyse the use of our online content by users in order to compile reports on activities within this online content and to provide us with additional services associated with the use of this online content and use of the Internet. Pseudonymous use profiles of users can be created from the data that are processed.

We only use Google Analytics with IP anonymisation enabled. This means that user IP addresses are truncated by Google in European Union Member States or in other countries which are contracting parties to the Agreement on the European Economic Area. Full IP addresses are only sent to a Google server in the USA and shortened there in exceptional cases.

Google will not combine the IP address sent by a user’s browser with other data. Users can prevent the storage of cookies via the relevant setting in their browser software; users can also prevent the collection of data generated by cookies and data relating to their use of the online content as well as the processing of these data by Google, by downloading and installing the browser add-on available at: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information about how Google uses data, settings options and procedures for raising objections can be found in the Google Privacy Information (https://policies.google.com/technologies/ads) and in the Google ads settings (https://adssettings.google.com/authenticated).

Personal data of users shall be erased or anonymised after a period of 14 months.

Embedded services and third party content
We use content and services from third party providers in our online content based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content as laid down in Article 6 (1) f) GDPR) in order to integrate their content and services, such as videos or font types, for example (hereinafter uniformly referred to as ‘content’).

This always requires the third party providers of this content to detect the user’s IP address, as without the IP address they would not be able to send content to the user’s browser. The IP address is therefore required to display this content. We endeavour to only use such content where its respective provider uses an IP address solely for the purpose of delivering the content. Furthermore, third party providers may use pixel tags (invisible graphics, also called web beacons) for statistical or marketing purposes. Pixel tags can be used to analyse information, such as visitor traffic on the pages of this website. Moreover, pseudonymous information can be stored in cookies on a user’s device and contain, among other things, technical information about the browser and operating system, referring websites, length of visit as well as other information regarding the use of our online content, and can also be combined with such information from other sources.

YouTube
We embed ‘YouTube’ videos from provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Information: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Maps
We embed maps from the Google Maps service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may include IP addresses and user location data, which are, however, not collected without the user’s consent (generally implemented to the extent permitted by the user’s mobile device settings). Data may be processed in the USA. Privacy Information: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Use of Facebook social plugins
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content as laid down in Article 6 (1) f) GDPR), we use social plugins (‘plugins’) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Facebook’). This may include content such as images, videos, texts and interfaces, for example, which users can use to share elements of this online content on Facebook. The list and appearance of Facebook social plugins can be found here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the Privacy Shield Agreement and therefore offers an additional guarantee of compliance with the European Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

If a user requests a feature of this online content that contains such a plugin, the user’s device establishes a direct connection to the Facebook servers. The plugin content is sent by Facebook directly to a user’s device and embedded by the latter into the online content. Use profiles of users can be created from the data that are processed. Consequently, we have no control over the scope of the data that Facebook collects with the help of this plugin and would therefore like to clarify how we believe the system works.

Embedding the plugins means that Facebook receives the information that a user has requested the relevant page of the online content. If the user is logged into Facebook, Facebook can assign the visit to the user’s Facebook account. If users interact with the plugins, for example, click the Like button or leave a comment, the corresponding information will be sent from your device directly to Facebook and stored there. If a user does not have a Facebook account, there is still the possibility that Facebook may find out and store the user's IP address. According to Facebook, only anonymised IP addresses are stored in Germany.

Users can find details of the purpose and extent of data collection and further processing and use of data by Facebook, as well as rights and settings options to protect user privacy, in the Facebook Privacy Information: https://www.facebook.com/about/privacy/.

If a user has a Facebook account and does not want Facebook to collect data about them via this online content and link this data to their account data stored by Facebook, the user must log out of Facebook prior to using our online content and delete its cookies. Further settings and objections to the use of data for advertising purposes are possible in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are independent of the platform, i.e. they are implemented for all devices, such as PCs or mobile devices.

Twitter
Features and content from Twitter provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, may be embedded in our online content. These may include images, videos, texts and interfaces, for example, which users can use to share elements of this online content on Twitter. If users have a Twitter account, Twitter can assign requests for the aforementioned content and features to Twitter user profiles. Twitter is certified under the Privacy Shield Agreement and therefore offers an additional guarantee of compliance with the European Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy Information: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization.

Xing
Features and content from Xing provided by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany, may be embedded in our online content. These may include images, videos, texts and interfaces, for example, which users can use to share elements of this online content on Xing. If users have a Xing account, Xing can assign requests for the aforementioned content and features to Xing user profiles. Xing Privacy Information: https://privacy.xing.com/de/datenschutzerklaerung.

LinkedIn
Features and content from LinkedIn provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, may be embedded in our online content. These may include images, videos, texts and interfaces, for example, which users can use to share elements of this online content on LinkedIn. If users have a LinkedIn account, LinkedIn can assign requests for the aforementioned content and features to LinkedIn user profiles. LinkedIn is certified under the Privacy Shield Agreement and therefore offers an additional guarantee of compliance with the European Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Privacy Information: https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Google+
Features and content from Google+ provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’) may be embedded in our online content. These may include images, videos, texts and interfaces, for example, which users can use to share elements of this online content on Google. If users have a Google+ account, Google can assign requests for the aforementioned content and features to Google user profiles.

Google is certified under the Privacy Shield Agreement and therefore offers an additional guarantee of compliance with the European Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). More information about how Google uses data, settings options and procedures for raising objections can be found in the Google Privacy Information (https://policies.google.com/technologies/ads) and in the Google ads settings (https://adssettings.google.com/authenticated).

Created by Dr. Thomas Schwenke using Datenschutz-Generator.de