Research
|
DE

Privacy Policy

1. Controller

8com GmbH & Co. KG, represented by Sandra Schartner, Götz Schartner

Europastraße 32

67433 Neustadt/Weinstrasse

Telephone: +49 6321 / 484 46 – 0

Fax: +49 6321 / 484 46 – 29

E-mail: info@8com.de

Internet: www.8com.de

(hereinafter referred to as "8com" or "We")

2. Data Protection Officer

Thomas Ott

Kolbcom GmbH

P7 22

68161 Mannheim

E-mail: dsb@8com.de

We welcome you to our website. The protection of your data is very important to us. Therefore, we would like to inform you below about how we process your personal data.

3. General Processing of Visitor Data

The use of our website is generally possible without providing personal data.

However, we would like to point out that, even in this case, access data is collected and stored in the server log files. This includes in particular the following data:

• Browser type / browser version

• Operating system

• IP address

We generally evaluate this information in anonymised form to prevent attacks and to improve our services (processing of personal data within the framework of a balancing of interests according to Art. 6(1)(f) GDPR) and then delete it. The data cannot be traced back to you personally and is not combined with other data.

However, if there are specific indications of illegal use, we reserve the right to subsequently analyse the data.

4. Processing of Personal Data

We generally process the personal data that is transmitted to us in connection with the use of our website by you or that you provide to us within the scope of an enquiry, a pre-contractual relationship or a contractual relationship. In individual cases and as far as necessary within the framework of the fulfilment of the contract, we also process personal data that has been lawfully obtained from publicly accessible sources (e.g. commercial register, debtor registers, internet) or lawfully transmitted to us by third parties (e.g. credit agencies).

This may include technical data relating to you (IP address, browser type), personal data (name, date of birth, legal representatives), address data (address, e-mail address, contact person), financial data (name of account holder, IBAN, BIC), contract data (contract term, services purchased, cancellations), communication data (correspondence, e-mail communication), advertising data (advertising letters) as well as other comparable categories of personal data.

In connection with our business relationships with customers, we process the following personal data:

• Customer master data (first name, surname, academic title)

• Contact details (address, telephone number, and e-mail address)

• Bank details (in particular, account data)

• Billing address

• Place of delivery or performance

• Billing data

• Contract data

• Dunning history and collection data

• Communication data (e-mails, telephone calls, records)

4.1. Processing of Personal Data Based on Consent (Art. 6(1)(a) GDPR)

We obtain consent from you on a case-by-case basis for specific purposes expressly stated in connection with data collection.

Data processing in these cases is carried out exclusively on the basis of your consent. It may be that your request cannot be processed without your consent and must therefore depend on it. The processing of the data is carried out exclusively for the expressly stated purposes.

You can withdraw your consent at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out until the time of withdrawal.

4.2. Processing of Personal Data for Contract Execution or Contract Initiation (Art. 6(1)(b) GDPR)

If a contract is concluded with us, we use personal data insofar as this is necessary for the execution of the contract or for the implementation of pre-contractual measures. The purposes of the data processing are determined by the specific contract content, which you can refer to in the contract documents.

If a contract already exists with us, we process your data to verify that you are our contractual partner and to properly provide the contractual service owed.

4.3. Processing of Personal Data within the Framework of a Balancing of Interests (Art. 6(1)(f) GDPR)

We process personal data on the basis of a balancing of interests, insofar as this is necessary to protect our interests or the interests of third parties.

Examples of such purposes include:

• Ensuring IT security and the integrity of our systems,

• Preventing or investigating criminal offences,

• Asserting or defending legal claims.

5. Purposes of Processing and Legal Bases

a) Execution and Initiation of Contracts

We primarily process your personal data within the framework of initiating a contractual relationship with you in order to respond to your enquiries, to process your orders, and to provide you with specific information about our offerings. Furthermore, the processing of your personal data is necessary to properly provide and bill for our services. Insofar as the processing of your personal data is necessary for the initiation or execution of a contractual relationship with us or for the implementation of pre-contractual measures, the processing is lawful on the basis of Art. 6(1)(b) GDPR.

b) Consent

If you have given us explicit consent to process your personal data for certain purposes, the respective processing is lawful on the basis of Art. 6(1)(a) GDPR. Consent is given voluntarily and can be withdrawn at any time with effect for the future; refusal to grant consent does not entail any disadvantages. You can withdraw a given consent at any time without stating reasons with effect for the future (see clause 10 below).

c) Legal Obligation

In some cases, we are subject to legal obligations that make it necessary for us to process your personal data. If we process your data due to such an obligation, this is done on the basis of Art. 6(1)(c) GDPR.

d) Legitimate Interest

We also process your personal data insofar as this is necessary to protect our legitimate interests or the legitimate interests of third parties, and there is no undue interference with your rights and interests. The legal basis for such processing is Art. 6(1)(f) GDPR. Legitimate interests on the basis of which we process your data include:

• Improving our services and offerings,

• Creating tailored offers and products,

• Marketing communications,

• Preventing creditor risks,

• Preventing and investigating criminal offences,

• Debt collection,

• Asserting and defending legal claims,

• Effective deletion of your data,

• Compliance with legal regulations.

5.1. Contact & Service Presentation

If you contact us by e-mail or telephone, we process the personal data you provide to answer your enquiry. The legal basis for this is generally Art. 6(1)(b) GDPR, but in exceptional cases, where there is no contractual reference, Art. 6(1)(f) GDPR applies, whereby the legitimate interest lies in the proper handling of your enquiry. We delete the data after your enquiry has been fully processed, provided there is no contractual or legal retention obligation.

The same applies when we communicate with you within the framework of a web session or a service presentation and present our products and services to you. Regarding the respective service providers we use to provide the communication channel, we refer you to the following explanations.

If you arrange a callback with us, the data processing associated with the callback will be carried out, insofar as a contractual reference exists, on the basis of Art. 6(1)(b) GDPR, otherwise to protect the mutual legitimate interest in the desired communication in accordance with Art. 6(1)(f) GDPR.

6. Source of Personal Data

As a rule, we collect personal data directly from you. If we have not received your contact details from you personally (e.g. through the handing over of a business card or an e-mail), we have received your data from the company you work for, as we are in a business relationship with them and you have been identified as our contact person, or we rely on publicly accessible information from public sources (such as company websites).

6.1. Contact Form

If you send us an enquiry via our contact form, we process the data you provide on the basis of your consent in accordance with Art. 6(1)(a) GDPR in order to process your enquiry. As a rule, your data will be deleted after the enquiry has been processed, provided there is no contractual or legal retention obligation. If you provide us with contractually relevant information, we will transfer this to our inventory system.

You can withdraw your consent at any time with effect for the future via any of the contact details provided.

6.2. Live Chat Function (Userlike)

Our site uses a live chat function provided by the software from Userlike UG (haftungsbeschränkt), Probsteigasse 44-46, 50670 Cologne. The chat can be used like a contact form to communicate with our staff in real-time.

In this context, the following data is collected, processed, and stored: chat transcript, e-mail address, name, URL (where the chat was started), survey before and after the chat, chat topic, chat status, chat rating after the chat, chat duration, chat date, user-generated content, IP address. Depending on your concern and the information you provide, additional personal data may be collected and processed. The legal basis for this processing is your consent according to Art. 6(1)(a) GDPR.

The data will be deleted after 30 days unless storage is required for the execution of a contractual relationship. In this case, further processing will be carried out in accordance with the general provisions mentioned above.

Cookies are also used as part of the live chat function. The use of these is in accordance with the information provided under "Use of Cookies."

A data processing agreement according to Art. 28(3) GDPR has been concluded between us and Userlike.

Reference is also made to Userlike's privacy policy: https://www.userlike.com/en/data-privacy.

6.3. Job Application

Insofar as we process data during your job application, please refer to the privacy policy for applicants, which can be accessed at https://www.8com.de/datenschutzerklarung-bewerbungen.

We process your data, in particular your name, contact information, CV, evidence of already acquired academic, professional and vocational qualifications, as well as the content data you provide in your cover letter, for the purpose of concluding an employment contract. The legal basis for this data processing is § 26 BDSG. If the application is unsuccessful, we will retain your data for 6 months after the end of the application process. If your application leads to an employment, your data will be stored for the duration of the employment relationship.

We ask that you do not include any particularly sensitive data in your application. This includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the unique identification of a natural person, health data, data concerning sex life or sexual orientation, as per Art. 9(1) GDPR. We also ask that you do not include a photo in your application.

6.4. Use of Cookies & Local Storage

During your visit to our website, various cookies and local storage techniques may be used. Cookies are text files that are placed on your computer and enable a smooth visit to our website. Local storage allows data to be stored locally in your browser's cache, which can persist and be read even after the browser window is closed—provided the cache is not cleared.

Some cookies or local storage are necessary to ensure the functionality or IT security of our website. The use of such function cookies is based on a legitimate interest in enabling the use of our website, including its functions, according to Art. 6(1)(f) GDPR. Furthermore, processing in these cases is in accordance with § 25(2) No. 2 TTDSG.

Other—non-essential—cookies or local storage techniques may be used based on Art. 6(1)(a) GDPR and, thus, based on your consent. The purposes of the respective cookies used may include:

• Enabling the use of special functions,

• (pseudonymised) analysis of user behaviour to optimise our website,

• Increasing the attractiveness and ease of use of our website,

• Improving and tailoring our offering to meet demand.

The use of non-essential cookies and local storage techniques is carried out within the framework of so-called usage profiles. You are assigned a pseudonym under which the usage data is stored. Your IP address is only stored in a truncated form, so that personal attribution of the usage profile is generally no longer possible.

If we use cookies or local storage, especially for (re-)marketing purposes or the implementation of (social media) plugins, we rely on your voluntary consent for such data processing and therefore require your consent. Regarding the individual plugins or tracking tools, we refer to the following detailed explanations.

Most of the cookies we use are deleted from your computer after closing the browser (session cookies). Other types of cookies may remain on your computer and allow us to recognise your computer via the created usage profile during your next visit to our site (persistent cookies).

You can select which cookies are to be set on our cookie banner, which appears at the beginning of your visit to our website. We use the CookieHub service from CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland, as a cookie banner. By using this service, personal data may be transferred to the service provider. The legal basis for the data processing is Art. 6(1)(f) GDPR, whereby our legitimate interest lies in providing a functional, legally compliant, and modern website. We delete the data as soon as the purpose for which it was collected has been fulfilled. Further information can be found in the privacy policy and cookie declaration of CookieHub, which can be accessed via the following links: https://www.cookiehub.com/legal/privacy-policy.

Cookies and local storage techniques are used exclusively by us on our site and not by third parties, except for third-party cookies and local storage techniques expressly mentioned in this privacy policy.

You can declare your consent by confirming our cookie banner when you visit our website. You can withdraw your consent at any time with effect for the future.

We use the following cookies:

(Cookie: Purpose, storage duration)

• .8com.de: Necessary cookiehub, 365 days

• .linkedin.com: Analytics UserMatchHistory, 30 days

• .ads.linkedin.com: Analytics Language Session session

• .www.linkedin.com: Analytics Bcookie, 730 days, 12 hours

• .linkedin.com: Analytics lidc, 1 day

• .linkedin.com: Analytics lang, session

• .linkedin.com: Analytics bscookie, 730 days, 12 hours

• .linkedin.com: Analytics AnalyticsSyncHistory, 30 days

• .linkedin.com: Analytics li_gc, 728 days, 4 hours

• .8com.de: Analytics Google _gcl_au, 90 days

• .8com.de: Analytics Google _gcl_au, 1 hour

• .8com.de: Analytics Google _ga, 730 days

• .8com.de: Analytics Google _gid, 1 day

• .8com.de: Analytics Google _gat_UA-90742582-1, 1 hour

• .8com.de: Analytics Userlike uslk_umm_1661_s, 1 day, 6 hours

• www.8com.de: Marketing Userlike uslk_umm_1661_s, 365 days

• .doubleclick.net: Marketing test_cookie, 1 hour

• We use local storage for the following services:

(Service: Purpose)

• Webflow: Creation and maintenance of the website

• Userlike: Provision of the chat function

6.5. Web Analytics and Marketing

We use the following services for the purpose of web analytics and retargeting.

As part of the web analytics, cookies may be used on various pages. These are text files that are placed on your computer and, among other things, enable a smooth visit to our website.

The use of cookies takes place within the framework of so-called usage profiles. You are assigned a pseudonym under which the usage data is stored.

6.6. Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies.

We rely on your consent for data collection as part of the use of cookies. If you do not agree to the use of your data when you first visit our website, we will not collect your usage behaviour or other personal data that may be collected during your visit to the website, and we will not use it for usage analysis or for remarketing activities afterwards. This also applies to third-party cookies such as the Google Analytics plugin.

If you consent to the processing of your data as part of the opt-in procedure (confirmation of the cookie banner), the lawfulness of the processing of your data is based on your consent according to Art. 6(1)(a) GDPR, so we will use your data to the extent of the consent you have given for marketing purposes and to evaluate your usage behaviour.

The information generated by the cookie about your use of this website is usually transmitted to and stored on a Google LLC server in the USA. Information about the use of this website and your IP address may be transmitted to a Google server in the USA and stored there. The data transfer is lawful based on your consent according to Art. 49(1)(a) GDPR. In the event of the activation of IP anonymisation on this website, your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.

On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google unless you have configured the web and app activity settings in a Google account to allow Google to merge them.

Further information on terms of use and data protection can be found at https://marketingplatform.google.com/about/analytics/terms/gb/ or https://policies.google.com/?hl=en&gl=en.

On our website, Google Analytics has been extended by the code "anonymizeIp" to allow the anonymised collection of IP addresses (so-called IP masking).

You can also prevent the collection by Google Analytics by clicking the following link. An opt-out cookie will be set, which will exclude the collection of your data on future visits to this website:

Please note that if you delete your cookies, the opt-out cookie will also be deleted and may need to be activated again by you.

6.7. Google Tag Manager

We use Google Tag Manager on our website. The service allows us to manage tags embedded on our website in one interface. Neither cookies are used nor personal data is collected. Google Tag Manager triggers other tags, which may, in turn, collect data. Google Tag Manager does not access this data. If deactivation has been carried out on a domain or cookie level, it remains in effect for all tracking tags implemented with Google Tag Manager.

The data processing and transfer are based on your consent according to Art. 6(1)(a) GDPR or Art. 49(1)(a) GDPR.

Further information on data processing in connection with Google services can be found in the explanations under "Google Analytics."

6.8. Google Ads

This website uses Google Ads. This is also a service provided by Google Ireland Limited for the integration of advertisements, for which cookies are used on our website. These cookies collect personal data relating to you (e.g. your IP address), which, among other things, enables us to evaluate your usage behaviour on our website. Based on this data, you will be shown targeted advertising on other websites and in your Google searches.

The data processing and transfer are based on your consent according to Art. 6(1)(a) GDPR or Art. 49(1)(a) GDPR.

Further information on data processing in connection with Google services can be found in the explanations under "Google Analytics."

6.9. LinkedIn Insight Tag

The website uses the analysis and tracking tool of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

This allows the collection of data about the visitors of our website, such as IP address, browser, timestamp, and pages viewed. Collected data is encrypted and anonymised within seven days. Anonymised data is deleted after 90 days. LinkedIn does not transmit personal data to us. Only aggregated reporting on the website audience and ad performance is provided.

There is also the possibility of retargeting website visitors. Using this data, we can display targeted advertising outside our website without identifying individual website visitors.

We process the data based on your consent declared in the cookie banner when you visit the website according to Art. 6(1)(a) GDPR. The data transfer to the USA is lawful based on your consent according to Art. 49(1)(a) GDPR.

LinkedIn members can manage the use of their personal data for advertising purposes in their account settings.

More information on LinkedIn's data protection can be found in LinkedIn's privacy policy at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

6.10. Social Plugins

Our websites contain social plugins that are deactivated by default for privacy reasons. When a user visits our website, no data is transmitted to the social media services (e.g. YouTube). This excludes profiling by third parties.

By agreeing to the use of social plugins in the cookie banner, these services are activated. Once a social plugin is activated, certain data is transmitted to the respective social network, such as the user's IP address, information about the browser and operating system used, the website visited, and the date and time. During this communication, data from a social media provider's server is also loaded onto our website.

The respective provider of the social plugin receives information about which websites you visit. This may happen regardless of whether you are logged in to the provider of the social plugin or not. The provider may also process this data outside the European Union and may be able to create individualised user profiles. Where necessary, we obtain your consent for this. We have no control over the nature, extent, and purpose of the data processing by the providers of the respective social media services.

In the context of using social plugins, a joint responsibility agreement pursuant to Art. 26 GDPR has been concluded between us and the respective plugin providers. Further information can be found in the respective section on the individual social plugins.

YouTube: Our website uses plugins from the social network YouTube. YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube").

As part of using plugins, we rely on your consent for data collection. If you do not consent to the use of data when you first visit our website, the YouTube plugin will not be activated, and no data transfer will occur even if you inadvertently interact with a YouTube plugin.

If you consent to the processing of your data by the "YouTube" plugin as part of the opt-in procedure, the lawfulness of the processing of your data is based on consent according to Art. 6(1)(a) GDPR, so we will use your data to the extent of your consent to link with YouTube.

If you are on a page of our website that contains such a plugin, your browser establishes a direct connection with the servers of YouTube only when you activate the corresponding button by clicking on it ("extended data protection mode"). The content of the plugin is then transmitted from YouTube to your browser and integrated into the website. By activating the plugin, YouTube receives the information that you have accessed the corresponding page of our website. Content is then transmitted from YouTube to your browser and integrated into the page. YouTube receives the message that you are on the corresponding page of our website. This happens even if you do not have a YouTube profile or are not logged in. Personal data (including your IP address) is then automatically transferred to and stored on a YouTube server in the USA.

Direct attribution by YouTube only occurs if you are logged in to YouTube. Such interaction will also occur if you actively engage with the corresponding button. The result is a publication on your YouTube account and its display to your contacts. Further details on YouTube's handling of your personal data can be found on the following page: https://policies.google.com/privacy?hl=en&gl=de.

The data transfer to the USA is lawful based on your consent according to Art. 49(1)(a) GDPR.

In the context of using social plugins, a joint responsibility agreement pursuant to Art. 26 GDPR has been concluded between us and YouTube.

6.11. jQuery

The website uses the JavaScript library jQuery. We load this library via the content delivery network (CDN) of Amazon Web Services, among others, Amazon Web Services Germany GmbH, Domagkstraße 28, 80807 Munich, headquartered in the USA, provided the library has not already been loaded as a result of visiting another site, and your browser, therefore, uses the copy stored in the cache. If your browser downloads the library, your browser will transmit, among other things, the IP address and the page from which the call is made to Amazon Web Services. We use the service to increase loading speed and improve the convenience of our site.

The data transfer is based on your consent given in the cookie banner according to Art. 49(1)(a) GDPR or Art. 49(1)(a) GDPR.

6.12. Newsletter (Salesforce Account Engagement)

We use Salesforce Account Engagement (formerly Pardot), a tool from Salesforce Inc., to manage and send our newsletter. As part of this processing, personal data that you have provided to us in connection with the subscription to our newsletter (e-mail address, company) is processed by Salesforce Account Engagement.

The data is used exclusively for the purpose of sending you our newsletter, analysing your usage behaviour concerning the newsletter, and tailoring our offerings to your interests. For these purposes, Salesforce Account Engagement may collect and store technical information such as IP addresses and usage data (e.g. opening and click behaviour).

Data processing is based on your consent according to Art. 6(1)(a) GDPR. You can withdraw this consent at any time with effect for the future by unsubscribing via the corresponding link in the newsletter or by contacting us directly.

Processing of your data by Salesforce Account Engagement may also take place in the USA. However, Salesforce is obliged to take appropriate security measures to ensure the protection of your data in accordance with European data protection standards. Further information on data processing by Salesforce can be found in this statement under point 9.1 and in Salesforce's privacy policy.

We have concluded a data processing agreement with Salesforce to ensure that your data is processed exclusively in accordance with our instructions and applicable data protection laws.

6.13. Webflow

We use the services of Webflow Inc., 398 11th St., San Francisco, USA, to create our website and provide the various embedded services. In doing so, personal data concerning you is processed, e.g. your IP address, your browser, your searches. The data processing is based on our legitimate interest in using a modern service to create and provide our website, Art. 6(1)(f) GDPR.

A data processing agreement according to Art. 28(3) GDPR has been concluded between us and Webflow. As part of this agreement, standard contractual clauses pursuant to Art. 46(2)(c) GDPR were also agreed upon to ensure the greatest possible protection for your personal data.

Details on the service provider's data protection practices can be found at the following link: https://webflow.com/legal/eu-privacy-policy.

6.14. Streaming Server

We use the streaming server service provided by Hanseatic Bits UG (haftungsbeschränkt) & Co. KG, Zeissstraße 1, 49733 Haren (Ems), Germany, for our live video broadcasts. The data processing is based on our legitimate interest in being able to offer you our video broadcast properly and reliably when accessed, Art. 6(1)(f) GDPR.

A data processing agreement according to Art. 28(3) GDPR has been concluded between us and the service provider.

6.15. Kununu

We use the Kununu seal on our website. In this context, personal data concerning you (e.g. your IP address) is transmitted to Kununu, a service provided by XING kununu Prescreen GmbH, Schottenring 2-6, 1010 Vienna, Austria, to display the seal correctly. The data processing is based on Art. 6(1)(f) GDPR, whereby our legitimate interest lies in correctly displaying employee satisfaction via a transparent system.

Details on Kununu's data protection practices can be found at the following link: https://privacy.xing.com/en/privacy-policy.

7. Retention Period and Deletion Deadlines

We process your data only as long as it is necessary for the purpose for which it was collected. As a rule, this is for the duration of our business relationship. This also includes the initiation and execution of contracts.

In addition, we are subject to various legal retention and documentation obligations, such as those arising from the German Commercial Code (HGB) or the Fiscal Code (AO). These can range from two to ten years. In particular, we keep booking documents (invoices, contract documents, account statements, etc.) for ten years, and business letters and other tax-relevant business documents for six years (§§ 147 AO, 257 HGB).

Finally, the retention period is also determined by the statutory limitation periods, which, according to §§ 195 ff. of the German Civil Code (BGB), are generally three years, but in certain cases can also be up to thirty years.

Lastly, we store your data for a short period to ensure effective data deletion. Our systems process a large amount of data daily. Unfortunately, reliable deletion of individual data on a daily basis is not feasible. Therefore, data is regularly deleted according to a special deletion concept, taking into account the aforementioned deadlines. This may result in your data being stored by us for a short period beyond the aforementioned deadlines. This storage is based on our legitimate interest in the effective and efficient execution of data deletion.

8. Data Sharing

We share your personal data within our company only with the departments and individuals who need it to fulfil contractual and legal obligations or to protect our legitimate interests. We may transfer your personal data to affiliated companies to the extent permitted within the purposes and legal bases set out in section 5 of this privacy notice. In some cases, your personal data is also processed by service providers we engage. In these cases, data is usually transferred by us based on data processing agreements according to Art. 28 GDPR. This ensures that the processing of personal data by our service providers is always in compliance with the provisions of the GDPR. The categories of recipients in this case include tax consultants, auditors, lawyers, banks, and providers of customer management systems and software.

Your data will only be transferred to other recipients outside our company if this is legally permitted or required, particularly for the fulfilment or execution of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or are authorised to provide information. Under these conditions, we may transfer your data, in particular, to the following recipients:

Public authorities and institutions (e.g. public prosecutor's office, police, supervisory authorities, tax office) in the event of a legal or official obligation;

• JustOn GmbH, Mälzerstraße 3, 07745 Jena;

• Datev eG, Paumgartenstraße 6-14, 90429 Nuremberg.

If an audit is provided for based on existing contracts with your company, your data may be transferred to companies commissioned to carry it out.

In addition, we work with the following companies:

• Userlike UG (haftungsbeschränkt), Probsteigasse 44-46, 50670 Cologne, Germany;

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;

• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;

• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland;

• Amazon Web Services Germany GmbH, Domagkstraße 28, 80807 Munich, Germany;

• Webflow Inc., 398 11th St., San Francisco, USA;

• Hanseatic Bits UG (haftungsbeschränkt) & Co. KG, Zeissstraße 1, 49733 Haren (Ems), Germany;

• XING kununu Prescreen GmbH, Schottenring 2-6, 1010 Vienna, Austria;

• CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland;

• Salesforce Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, CA 94105, USA (from May 2023).

Furthermore, service providers may be engaged in the following areas:

• IT maintenance,

• IT development,

• IT provision,

• Lawyers.

If necessary, we will pass on your personal payment data to a bank commissioned with payment processing (SEPA direct debit or receipt).

Data sharing is always based on a legal norm or an appropriate contract according to Art. 26 or 28 GDPR, which ensures compliance with all data protection requirements. This does not apply where data processing is carried out under separate responsibility.

Otherwise, data sharing takes place exclusively within the legally prescribed cases, for example, in the event of a legal obligation to provide information to law enforcement authorities. Data sharing is legitimate in these cases according to Art. 6(1)(c) GDPR.

9. Data Sharing with Third Countries

We share your personal data with companies headquartered outside the European Union only to a limited extent.

This only happens in accordance with the legally stipulated permission requirements of Art. 44 ff. GDPR, e.g. on the basis of an adequacy decision (Art. 45 GDPR), appropriate safeguards (Art. 46 GDPR) such as the conclusion of mandatory standard contractual clauses, or previously declared consent. Data transfers to the United States of America cannot always be ruled out if our processors or their sub-processors are US companies or belong to a US corporation and are obliged by US security authorities to hand over data.

Insofar as personal data is transferred to a third country, we comply with the data protection requirements for this by basing the data transfer on standard contractual clauses or obtaining your consent to it according to Art. 49(1)(a) GDPR.

Data transfers occur, for example, in connection with the use of analytics and social media services. Due to the use of these services, data is transferred to the United States of America.

The data transfer only takes place if you give us your consent.

Due to data sharing, your personal data is at risk. There is no level of data protection in the United States of America comparable to EU law (GDPR) and/or national regulations (e.g. BDSG) or sufficient safeguards to ensure an adequate level of data protection. Any deficiencies cannot be compensated for by other specific safeguards under US law. Nevertheless, depending on the service, standard contractual clauses are used to achieve the highest possible level of protection for your data. Whether standard contractual clauses are used can be found in the descriptions of the respective services.

You can withdraw your consent at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out until the time of withdrawal.

Recipients of the data you provide are the following companies:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (headquarters in the USA);

• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;

• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (headquarters in the USA);

• Amazon Web Services Germany GmbH, Domagkstraße 28, 80807 Munich, Germany (headquarters in the USA);

• Webflow Inc., 398 11th St., San Francisco, USA;

• CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland;

• Salesforce Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, CA 94105, USA (from May 2023).

9.1. Salesforce

There is a possibility that American security authorities may access your data due to the software we use from Salesforce Inc., 415 Mission Street, 3rd Floor, San Francisco, CA 94105. Salesforce Inc. may be obliged by US security authorities to hand over data and process it in the USA. We would like to point out that your data is generally only processed in Salesforce data centres in Frankfurt am Main and Paris and that access by US authorities is an exception. Due to the potential data transfer, your personal data is at risk. There is currently no level of data protection in the USA comparable to EU law (GDPR) and/or national regulations (e.g. BDSG) or sufficient safeguards to ensure an adequate level of data protection. Any deficiencies cannot be compensated for by other specific safeguards under US law. Nevertheless, binding corporate rules (BCR) according to Art. 46(2)(b), Art. 47 GDPR, and standard contractual clauses (SCC) according to Art. 46(2)(c) GDPR are used to achieve the highest possible level of protection for your data.

According to their own information, Salesforce transfers the data within the group based on binding corporate rules according to Art. 46(2)(b) in conjunction with Art. 47 GDPR. For data transfers from Salesforce to third-party processors, Salesforce uses standard contractual clauses to ensure a level of protection for personal data adequate to the European level. Further details can be found at the following link: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-transfer-mechanisms-FAQ.pdf.

A list of the sub-processors used by Salesforce can be found in section 6 here: https://www.salesforce.com/company/privacy/full_privacy/.

Your personal data is transferred to Salesforce by us based on a data processing agreement according to Art. 28(3) GDPR.

Further data protection information regarding the use of Salesforce can be accessed at https://www.salesforce.com/company/privacy/ and https://www.salesforce.com/company/privacy/full_privacy/.

Furthermore, cross-border data sharing may be based on your consent to this under Art. 49(1)(a) GDPR.

The data transfer only takes place if you give us your consent. You can withdraw your consent at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out until the time of withdrawal.

If data is transferred to a third country based on consent without an adequacy decision or other appropriate safeguards, you must be informed of the increased risk of data processing during the transfer according to Art. 49(1)(a) GDPR. However, we would like to assure you that potential risks are successfully minimised thanks to careful selection and constant monitoring of the standards of our contractual partners. For further details, please refer to the section "Cross-Border Data Transfer" (Art. 49(1)(a) GDPR) above.

10. Rights of the Data Subject

You have the right to access the personal data we process about you according to Art. 15 GDPR, the right to rectification or erasure of your data according to Art. 17 GDPR, the right to restrict processing according to Art. 18 GDPR, the right to notification according to Art. 19 GDPR, and the right to data portability according to Art. 20 GDPR.

If we process your personal data based on your consent according to Art. 6(1)(a) GDPR, you have the right to withdraw this consent at any time according to Art. 7 GDPR. Please note that a withdrawal is only effective for the future. Processing that took place before your withdrawal will not be affected by it and will remain lawful. Please note that despite your withdrawal, we are legally obliged to retain and document certain data (see clause 7 of this privacy notice).

10.1. Right to Object to Direct Marketing

In some cases, we process personal data to carry out direct marketing. In this case, you have the right to object to the processing of your personal data for such advertising purposes at any time (Art. 21 GDPR).

If you object to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

To exercise your above rights, a written communication addressed to the address above or an e-mail sent to dsb@8com.de is sufficient.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection authority.

In Rhineland-Palatinate, the competent supervisory authority is:

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate

Postfach 30 40

55116 Mainz

Telephone: +49 (0) 6131 8920-0

E-mail: poststelle@datenschutz.rlp.de

Further information can also be found at the following link: https://www.datenschutz.rlp.de/en/homepage/

However, you are of course welcome to contact us directly if you are dissatisfied or have any questions about data protection. You can reach our internal contact for data protection matters most quickly using the contact details provided above.

12. Necessity of Providing Personal Data

The provision of personal data for the establishment, implementation, or fulfilment of a contract or for the implementation of pre-contractual measures is generally neither legally nor contractually required. Therefore, you are not obliged to provide personal data. However, please note that such data is generally necessary for making a decision regarding a contract conclusion, contract fulfilment, or pre-contractual measures.

If you do not provide us with personal data, we may not be able to make a decision within the framework of contractual measures. We recommend always providing only the personal data necessary for concluding the contract, fulfilling the contract, or pre-contractual measures.

13. Automated Decision-Making

We generally do not use any procedures involving fully automated decision-making according to Art. 22 GDPR. Should we use such procedures in individual cases, we will inform you separately and obtain your consent if this is legally required.

14. Contact

If you have any questions regarding the processing of your personal data, we are always available to assist you. Please direct any inquiries to the above-mentioned address.

15. Currency and Changes to this Privacy Notice

This privacy notice is currently valid as of August 2024.

We reserve the right to update this privacy notice as necessary to adapt to legal and technical developments or in connection with offering new services or products. Should we change our privacy policy, we will publish it directly in this statement on our homepage and in other locations that we consider appropriate. We reserve the right to change this privacy policy at any time.