Introduction
The following Privacy Policy is intended to inform you about the types of your personal data (hereinafter also referred to as ‘data’) we process, for what purposes and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as ‘online offer’).
Last updated: 15 May 2023
Controller
Jaguarstieg 14a, 22527 Hamburg, Germany
Authorised representatives: Thomas Sporer
Email address: datenschutz@tomsporer.de
Overview of processing operations
The following overview summarises the types of data processed and the purposes for which they are processed and identifies the data subjects.
Types of data processed
Inventory data (e.g. names, addresses)
Content data (e.g. text input, photographs, videos)
Contact details (e.g. email addresses, telephone numbers)
Meta/communication data (e.g. device information, IP addresses)
Usage data (e.g. websites visited, interest in content, access times)
Contract data (e.g. subject matter of contract, term, customer category)
Payment data (e.g. bank details, invoices, payment history)
Categories of data subjects
Business and contractual partners
Interested parties
Communication partners
Users (e.g. website visitors, users of online services)
Purposes of processing
Provision of our online offer and user-friendliness
Office and organisational procedures
Direct marketing (e.g. by email or post)
Interest-based and behavioural marketing
Contact enquiries and communication
Profiling (creation of user profiles)
Security measures
Tracking (e.g. interest-based/behavioural profiling, use of cookies)
Contractual services
Administration and response to enquiries
Relevant legal bases
In the following, we explain the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence and domicile.
Consent (point (a) of Article 6 (1) GDPR) – The data subject has given his or her consent to the processing of personal data concerning him or her for one or more specific purposes.
Contractual performance and pre-contractual enquiries (point (b) of Article 6 (1) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures at the data subject’s request.
Legal obligation (point (c) of Article 6 (1) GDPR) – Processing is necessary for the fulfilment of a legal obligation to which the controller is subject.
Legitimate interests (point (f) of Article 6 (1) GDPR) – Processing is necessary to safeguard the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data override them.
National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes, in particular, the German Federal Data Protection Act (BDSG). In particular, the BDSG contains special provisions relating to the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission and automated decision-making in individual cases, including profiling. Furthermore, it regulates the processing of data for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, execution or termination of employment relationships as well as the consent of employees. Furthermore, the data protection laws of the individual federal states may apply.
Security measures
We implement appropriate technical and organisational measures in accordance with statutory requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
Measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as the access to, input, transmission, availability and separation of the data. We have also put in place procedures to ensure that the rights of data subjects are exercised, that data is erased and that threats to data are responded to. Furthermore, we embrace privacy by both design and default to take the protection of personal data into account when developing or selecting hardware, software and procedures in accordance with the principle of data protection.
SSL encryption (https): We use SSL encryption to protect your data transmitted via our online offer. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.
Commercial and business services
We process the data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as ‘contractual partners’) within the framework of contractual and comparable legal relationships and associated measures and within the framework of communication with the contractual (or pre-contractual) partners, e.g. in order to answer enquiries.
We process this data in order to fulfil our contractual obligations, to safeguard our rights and for the purposes of the administrative tasks associated with this information and the business organisation. Within the framework of applicable law, we only pass on the data of the contractual partners to third parties insofar as this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or is done with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities). The contractual partners are informed about other forms of processing, e.g. for marketing purposes, in the context of this Privacy Policy.
Before or as part of the data collection process, we will inform the contractual partners of which data is required for the aforementioned purposes, e.g. in online forms, by means of special labelling (e.g. colours) or symbols (e.g. asterisks) or in person.
We erase the data after statutory warranty and comparable obligations have expired, i.e. generally after four years, unless the data is stored in a customer account, e.g. for as long as it has to be retained for statutory archiving reasons (e.g. for tax purposes, usually ten years). Data disclosed to us by the contractual partner as part of a contract will be deleted in accordance with the terms of the contract, generally after the end of the contract.
To the extent that we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.
Agency services: We process the data of our customers as part of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services and training services.
Types of data processed: Inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. email, telephone numbers), contract data (e.g. subject matter of contract, term, customer category)
Data subjects: Interested parties, business and contractual partners
Purposes of processing: Contractual services, contact enquiries and communication, office and organisational procedures, administration and response to enquiries
Legal basis: Performance of a contract and pre-contractual enquiries (point (b) of Article 6 (1) GDPR), legal obligation (point (c) of Article 6 (1) GDPR), legitimate interests (point (f) of Article 6 (1) GDPR)
Provision of the online offer and web hosting
In order to provide our online offer securely and efficiently, we use the services of one or more web hosting providers whose servers (or servers managed by them) can access the online offer. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed in connection with the provision of the hosting offer may include all information concerning users of our online offer that is generated in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the content of online offers to browsers, and all entries made within our online offer or from websites.
Email sending and hosting: The web hosting services we use also include sending, receiving and storing emails. For these purposes, the addresses of the recipients, senders and further information regarding the sending of emails (e.g. the providers involved) will be processed, as will the content of each email. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails on the Internet are generally not encrypted. As a rule, emails are encrypted during transmission, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the transmission path of the emails between the sender and the receipt on our server.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the accessed web pages and files, date and time of retrieval, data volumes transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files can be used for security purposes, e.g. to avoid server overload (especially in the event of abusive attacks, known as DDoS attacks) and to ensure server load and stability.
Types of data processed: Content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Legal basis: Legitimate interests (point (f) of Article 6 (1) GDPR).
Plugins and embedded functions and content
We incorporate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as ‘third-party providers’). This may include, for example, graphics, videos or social media buttons as well as posts (hereinafter referred to collectively as ‘content’).
The integration always requires the third-party providers of this content to process the IP address of the users, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required for the display of this content or these functions. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use pixel tags (invisible graphics, also referred to as ‘web beacons’) for statistical or marketing purposes. The ‘pixel tags’ can be used to evaluate information, such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, amongst other things, technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, as well as be linked to such information from other sources.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this Privacy Policy.
Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), inventory data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. text input, photographs, videos).
Data subjects: Users (e.g. website visitors, users of online services), communication partners.
Purposes of processing: Provision of our online offer and user-friendliness, contractual services and services, security measures, administration and response to enquiries, contact enquiries and communication, direct marketing (e.g. by email or post), tracking (e.g. interest-based/behavioural profiling, use of cookies), interest-based and behavioural marketing, profiling (creation of user profiles).
Legal basis: Legitimate interests (point (f) of Article 6 (1) GDPR), consent (point (a) of Article 6 (1) GDPR), performance of a contract and pre-contractual enquiries (point (b) of Article 6 (1) GDPR).
Services and service providers used:
Contentful: Contentful - Content Delivery Network (CDN) for images; service provider: Contentful GmbH, Address: Küsterstr. 3, 10967 Berlin, Germany; website: https://www.contentful.com; privacy policy: https://www.contentful.com/legal/privacy/; option to object (opt-out): Please note that Contentful serves as a CDN for hosting and delivering images on our website. While Contentful may collect certain technical data during this process, they do not directly process or store personal information through their CDN. For more details about their data handling practices, please refer to their privacy policy available at https://www.contentful.com/legal/privacy/.
Vimeo: Vimeo – video platform; service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; website: https://vimeo.com; privacy policy: https://vimeo.com/privacy; option to object (opt-out): Please note that Vimeo may use Google Analytics and refer to the privacy policy (https://policies.google.com/privacy) and the opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=us) or Google’s settings for data use for marketing purposes (https://adssettings.google.com/).
FormSpark.io: Form submission service; service provider: FormSpark.io, Address: Rue de Marsannay-la-Côte Mazy 16, 5032 Gembloux, Belgium; website: https://formspark.io; privacy policy: https://formspark.io/legal/privacy-policy; option to object (opt-out): Please note that FormSpark.io may use third-party analytics tools for statistical purposes. For more information on their data handling practices, please refer to their privacy policy available at https://formspark.io/legal/privacy-policy. You can also explore opt-out options for these analytics tools by visiting their respective privacy policies and settings. For information regarding GDPR compliance, please visit https://formspark.io/legal/gdpr.
Deletion of data
The data processed by us will be erased in accordance with the statutory provisions as soon as the consent to its processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data is no longer applicable or it is not necessary for the purpose).
Insofar as the data is not deleted because it is necessary for other and legally permissible purposes, its processing is limited to those purposes. In other words, the data is blocked and not processed for any other purpose. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
Further information on the erasure of personal data can also be found in the individual data protection notices of this Privacy Policy.
Changes and updates to the Privacy Policy
We ask that you regularly check the content of our Privacy Policy. We will amend the Privacy Policy as soon as changes to the data processing we carry out make it necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
Definitions of terms
This section provides an overview of the terms used in this Privacy Policy. Many of the terms are taken from the law and are primarily defined in Article 4 GDPR. The statutory definitions are binding. The following explanations, on the other hand, are primarily intended to serve the purpose of understanding. The terms are sorted alphabetically.
Interest-based and behavioural marketing: Interest-based and/or behavioural marketing is when potential interests of users in ads and other content are predetermined as precisely as possible. This is done on the basis of information about their behaviour (e.g. visiting and staying on certain websites, buying behaviour or interacting with other users), which is stored in a so-called profile. Cookies are generally used for these purposes.
Personal data: ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Profiling: ‘Profiling’ means any type of automated processing of personal data consisting of the use of personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include information about age, gender, location and movement data, interaction with websites and their content, shopping behaviour, social interactions with others) (e.g. interests in certain content or products, click patterns on a website, or whereabouts). Cookies and web beacons are often used for profiling purposes.
Tracking: ‘Tracking’ is when the behaviour of users can be tracked across several online offers. As a rule, behavioural and interest information regarding the online offers used is stored in cookies or on the servers of the providers of tracking technologies (so-called profiling). This information may subsequently be used, for example, to display advertisements to users that are likely to correspond to their interests.
Controller: ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processing: ‘Processing’ means any operation or set of operations, whether or not by automated means, relating to personal data. The term is wide-ranging and covers practically any handling of data, be it collection, evaluation, storage, transmission or deletion.
Created with Datenschutz-Generator.de by Dr jur. Thomas Schwenke
Applicant data protection
In principle, we process the personal data you transmit to us as part of the application in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The legal basis for processing your application documents is your consent (point (a) of Article 6 (1) GDPR and Section 26 (2) BDSG), and the statutory provisions that German companies must comply with (point (c) of Article 6 (1) GDPR, Article 88 GDPR and Section 26 BDSG). If you have given us your consent to process personal data for specific purposes (e.g. storing application data for an extended period of time), the processing of that data is lawful on the basis of your consent. Consent may be revoked at any time. Simply send us a short email.
If you have applied for a vacancy, this data will be processed internally by the HR department in cooperation with the relevant department. Disclosure to other third parties will not take place without your consent. Your application documents will be deleted six months after completion of the application process.
If you send us your application documents by email and do not address our Jobs mailbox, we cannot guarantee permanent deletion. This is due to the applicable legal requirements, which require companies to keep their business communications, including emails, complete, true to the original, tamper-proof and available at all times for many years.
When communicating by email, the risk of unauthorised access by third parties cannot be excluded. Therefore, you are welcome to send us your documents with password protection and provide us with the password by telephone or by another means of transmission.