Privacy Policy overview

Beyss Architekten GmbH Privacy Policy

Your privacy matters to us. We aim to reassure you that your personal data will be kept safe and secure as you use our website and services.

We have divided our Privacy Policy into three privacy statements. Select the statement that applies to you by clicking one of the following links:

Privacy statement for visitors to our website

Privacy statement for customers, business associates and their employees

Privacy statement for job applicants


Visitors to our website

Privacy statement of Beyss Architekten GmbH, Bonn, for visitors to our website

Your browsing behaviour may be analysed for statistical purposes when you visit our website. This especially involves cookies and analysis programs. Your data will usually be analysed anonymously; this means that it will not be possible to track your browsing behaviour back to you. You may object to this analysis or prevent it altogether by not using certain tools. Refer to the following privacy statements for more details.

We place importance on informing you as to which personal data will be collected and used when you use our services. By personal data, we mean data that might be used to reveal your identity; this could be your name, postal or e-mail address, or information that refers to you as an individual. We will collect data that you submit voluntarily, such as when you send us an enquiry or an order for information material. The data that you enter into our online forms will always be transmitted to us securely and in encrypted form.

Responsibility for the processing activities described in the following according to data protection standards (“the controller”):

Beyss Architekten GmbH represented by the CEO
Graduate Engineer Dipl.-Ing. Wolfgang Beyß, Architect (BDA)
Haydnstraße 36
53115 Bonn
Tel.: +49 228 9 45 54 52-0
Fax:  +49 228 9 45 54 52-90
E-mail: office [at] beyss-architekten.de

Mr. Andreas Majer is our central contact partner if you wish to exercise your rights as a person affected by this Privacy Policy (“data subject”).

Please address any questions you might have about our Privacy Policy to our Data Protection Officer:
Ralf A. Lanz
Ernastraße 10
53881 Euskirchen
Tel.: +49 2255 9218-235
E-mail: ba-ds [at] lanz-consult.de or directly to rlanz [at] lanz-consult.de

First, we would like to provide you with a brief description of your rights that apply to all persons affected by this Privacy Policy (“data subject”):

You may always revoke any consent you have previously given to having your data processed.

You also have a right to know whether we are processing personal data about you, and if so, which personal data.

In addition, you may request your data to be corrected if necessary, or erased or restricted from processing as applicable. You may object to having your personal data processed due to circumstances arising from your personal situation where applicable.

In most cases, you will not be required to provide us with any personal data. However, if you do not provide us with your data, we may not be able to process an enquiry or provide a service for you.

Finally, you have the right to data portability or to file a complaint with a supervisory authority.

You may refuse to be subjected to solely automated decision-making processes affecting you, including profiling, in cases where we have automated our decision-making processes or use profiling techniques.

Finally, you may file a complaint with a supervisory authority. The supervisory authority applicable in our case can be reached at the following address:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf.

Click the following link for details on your rights as a data subject: Your rights as a data subject.

This Privacy Policy uses terms that you will find in the European General Data Protection Regulation. A Privacy Policy should be accessible, so we have included a glossary to explain the main terms used.


About processing personal data

General information about your visit to our website

We do not use any automated decision-making or profiling in any of the processing activities as described in the following.

Where necessary, we conclude data processing contracts with any contractors we might commission for data processing (“processors”) in order to ensure that your data will only be used according to order as given in our instructions, and to guarantee the security and confidentiality of your data.          

You may always object to having your data processed if we process personal data for direct advertising purposes.

We process the following personal data given by you:

Contact form
By sending us an enquiry using the contact form, your data from the form, including any contact details you have provided, will be stored for processing your enquiry and kept on file in case we need to contact you again. We will not pass on your data without your consent.

We will only process the data you have entered in the contact form on your consent according to GDPR Art. 6.1 (a).  You may always revoke this consent. All you need to do is send us an informal request by e-mail. Remember that this will not affect the legitimacy of any data processing activities that have taken place before your revocation.

We will keep the data from the contact form on file until you request deletion or revoke your consent to have the data stored, or until the purpose for storing the data has ceased to apply, such as after we have dealt with your enquiry. This does not affect storage of data due to mandatory statutory regulations – especially retention periods – or to assert a claim.


Other processing activities

Cookies

We use cookies on our website. Cookies are text files stored on a computer through a web browser. Many websites and servers use cookies.

Many cookies include what is referred to as a cookie ID, which is a unique identification code. This identification code consists of a string – a series of numbers and letters – that is used to match a website and server to the specific browser used to store the cookie. This allows the respective website and server to distinguish your browser from other browsers, which will have other cookies. A certain browser can be recognised and identified using a unique cookie ID.

Most of the cookies we use are what are referred to as “session cookies,” which are automatically deleted after you leave our website. Other cookies will remain on your device until you delete them. These cookies make it possible for us to recognise your browser on your next visit to our website.

You may configure your browser to notify you when it is about to store a cookie, or to allow this once for certain cases or reject all cookies, or automatically delete all cookies once you close the browser.

Note that if you choose to deactivate cookies, you may not be able to use all the features on this website.

Google Analytics

This website uses Google Analytics and Google Remarketing. These are services provided by Google Inc. (“Google”).

Google uses what are referred to as “cookies” – text files that are stored on your computer to make it possible to analyse how you use our website.

The IP anonymisation function has been activated for the cookie generated on your use of this website, including your IP address. This involves Google truncating the last octet of an IP address from a member state of the European Union or other parties to the Agreement on the European Economic Area before transmission to the US. The full unabbreviated IP address will only be sent by Google servers in the USA in exceptional cases.

Google will use this information to analyse your use of our website, compile reports on website activities for the webmaster, and provide additional services involving website and Internet use as commissioned by this website's webmaster.

Google will not link your IP address in the Google Analytics service with any other data held by Google. Google adheres to the Privacy Policy as laid down in the US Safe Harbor Agreement and is registered with the Safe Harbor Program of the US Department of Commerce. Google will not under any circumstances associate your IP address with any other Google data; however, Google will use this information to analyse your use of our website, compile reports on website activities for the webmaster, and provide additional services involving website and Internet use.

Google may also transfer data to third parties where legally necessary, or where Google’s contractors need to process the information. Third party vendors – including Google – post ads on websites. Third party vendors – including Google – use stored cookies to post ads based on previous visits by individual users to this website.

According to the data processing agreement that we have signed with Google Inc., Google prepares evaluations of website use and activity using the information collected, and provides services related to Internet use. This purpose reflects our legitimate interest in processing the data. Section 15 paragraph 3 of the German Telemedia Act (TMG) and GDPR Art. 6.1 (f) provide the legal basis for using Google Analytics.

You may always refuse to have your data collected and saved for the future. You may prevent your browser from storing cookies on your device by adjusting the corresponding settings in your browser. You may not be able to use all the features on this website if your browser does not allow cookies.

Preventing storage using a browser-plugin

You may prevent your browser from storing cookies using the appropriate settings in your browser software; however, if you should choose to do so, note that you may not be able to use the website’s functionality to its full extent.

You may also prevent Google from collecting and using data in the form of cookies and data such as your IP address by downloading and installing the browser plugin available at http://tools.google.com/dlpage/gaoptout.

Objection to data acquisition

You may prevent Google from acquiring data using Google Analytics by clicking the following link. This will store an opt-out cookie on your device to prevent your browser from collecting information when you visit this website: Disable Google Analytics.

Google Web Fonts

This website uses what are referred to as Google Web Fonts in order to ensure a consistent and uniform appearance.

When you access this website, your browser will automatically download the web fonts needed into your browser cache in order to render text and fonts correctly. Your browser will need to connect to Google servers for this purpose. However, this will also inform Google that our website has been accessed using your IP address.

We use Google Web Fonts to keep our online services presented in a uniformly attractive way. This represents a legitimate interest according to GDPR Art. 6.1 (f).

Your browser will select a standard font on your computer if it does not support Google Web Fonts.

See https://developers.google.com/fonts/faq and the Google data Privacy Policy at https://www.google.com/policies/privacy/ for more details on Google Web Fonts.

Google Maps

This website uses the Google Maps API. This is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Using this feature will require storing your IP address. This information is usually transmitted to a server in the US and stored there. The provider of our website has no control over this data transmission.

The use of Google Maps also serves towards creating an attractive presentation of our online services and ease of finding locations named on our website. This represents a legitimate interest according to GDPR Art. 6.1 (f).

See the Google Privacy Policy for details on how this service handles user data: https://www.google.de/intl/de/policies/privacy.

Log files for internal and statistical purposes ('log files')

Our website collects a variety of general data and information each time you or an automated system accesses it. The general data and information are stored in the log files of the server.

This includes the browser type and version as well as the operating system used by the system accessing the website, the “referrer” or previously visited website that linked the user to this website, the pages on our website accessed by the accessing system, the date and time of access to our website, the anonymised internet protocol address (IP address) and other similar data and information that serve to secure us in the event of attacks on our IT systems.

This does not involve us drawing any conclusions on you as an individual. However, we need this information to show the content of our website correctly and optimise it when necessary, ensure constant availability of our IT systems and technology serving our website, and also for information that criminal investigation authorities may need in order to pursue any criminal cyberattacks on our website.

The data collected in anonymised form will be used for statistical purposes in order to ensure the best possible customer experience in visiting our website. The anonymous data in the server log files will be stored separately from any personal data concerning any particular data subject.

Technical and organisational measures

We use organisational and technical security measures to protect your personal data from any intentional or unintentional manipulation, loss, destruction, or access from unauthorised third parties. This also applies to any services we may have contracted out to third parties. Any personal data you may enter will always be transmitted in encrypted form.

Alterations and updates to this Privacy Policy

We recommend that you visit this Privacy Policy on a regular basis to keep up to date on the content. We will update this Privacy Policy as needed to take account of any changes in data processing as and when they happen. We will notify you if we need any input from you such as your consent or need to send you any individual notifications.


In detail: Your rights as a data subject

You have the following rights as a data subject according to the European data protection regulation:

Disclosure

You may demand confirmation from the controller (Beyss Architekten GmbH, Bonn) on whether we are processing your data, and if so, information on the personal data, purpose of processing your personal data, personal data categories, recipients or categories of recipients for your data in the past or future, and planned duration of data storage where possible or alternatively, criteria determining the duration of processing. Your right to disclosure is limited where the provisions of Section 34 paragraph 1 of the German Data Protection Act (BDSG) in its new version are satisfied.

You have a right to disclosure on the origin of any data not collected directly from you. According to GDPR Art. 46, you have the right to be informed on any data transmitted to a country outside the EEA or international organisation. We shall provide a copy of the data undergoing processing.

Correction

You may request that we immediately correct any errors or, taking into consideration the purpose of processing, complete any omissions in your personal data.

Erasure

You may request that we immediately erase your personal data under any of the following circumstances:

  • The purpose for which your personal data has been collected no longer requires your data
  • You have revoked your consent according to GDPR Art. 6.1 (a) or Art. 9.2 (a) and there is no other legal basis for processing your data
  • You object to processing according to GDPR Art. 21.1 with no prevailing legitimate reason for processing, or according to GDPR Art. 21.2
  • We have been processing your data unlawfully
  • Erasure fulfils legal requirements
  • The purpose of collecting your personal data involved an information society service according to GDPR Art. 8.1

If we as the controller have made your personal data public and are obliged to erase the personal data according to GDPR Art. 17.1, we shall take reasonable steps, including technical measures and within the restrictions of available technology and cost of implementation, to inform third-party processors commissioned to process your personal data that you have requested the erasure of links to, or copies or replications of your personal data.

The above rights do not apply under the following circumstances:

  • Processing is necessary in exercising the right to freedom of expression
  • We need the data in order to fulfil our contractual obligations that involve processing the personal data
  • We need the data to establish, assert or defend legal claims
  • Erasing the data runs contrary to retention periods according to contract or by-laws as set out in Section 35 paragraph 3 of the German Data Protection Act (BDSG) in its new version

The right to erasure may be replaced by a restriction on processing in application of Section 35 of the German Data Protection Act (BDSG) where erasure would not be possible or only possible with a disproportionate amount of effort.  The same applies where we have reason to assume that erasing the data would impinge on a legitimate interest of a data subject. If possible, we will inform you on the restriction.

Restriction on processing

You may request a restriction on processing your personal data under any of the following circumstances:

  • You contest the correctness of your personal data for the duration that we are permitted to review the data for errors
  • Processing would be unlawful, and erasure has been refused
  • We no longer need the personal data for the purposes of processing, but you need the data to establish, exercise or defend a legal claim
  • You have objected to processing pursuant to GDPR Article 21.1 pending verification as to whether our legitimate grounds may prevail over your interests

Where processing has been restricted according to GDPR Art. 18.1, the personal data in question shall, with the exception of storage, only be processed with your consent, or to establish, assert or defend legal claims or to protect the rights of another natural or legal person, or for reasons of important public interest.
If you have successfully had a processing restriction imposed, we will inform you before lifting the restriction.

Right to revoke consent for data processing

You may always object to having your data processed for reasons of your particular situation as long as processing takes place on the legal basis of GDPR Art. 6.1 (e) or (f). We as the controller will only process your personal data if we can demonstrate compelling vested reasons for processing that prevail over your interests, rights and freedoms, or to establish, exercise or defend legal claims.

You may always object to having your data processed if we process personal data for direct advertising purposes. This also applies to any profiling in connection with direct advertising. We will then no longer process your data for the purpose of direct advertising.

This right shall be referred to in the first correspondence at the latest.

You may exercise your right of objection by automated means using technical specifications in cases involving the use of information society services.

Revocation of consent

You may always revoke your consent according to GDPR Art. 7.3 after giving this consent.

Right to data portability

You may request the personal data you have provided to us be returned to you in a structured, generic machine-readable form and transmit the data without hindrance to another controller provided that processing takes place on your consent according to GDPR Art. 6.1 (a) or Art. 9.2 (a) or on contractual basis according to GDPR Art. 6.1 (b) or where processing has taken place using automated processes.

  • processing is based on consent according to GDPR Art. 6.1 (a) or Art. 9.2 (a), or
  • on a contract according to GDPR Art. 6.1 (b), or
  • processing takes place using automated processes.

You may also assert this right by having your data sent directly from one controller to another as long as this is technically feasible and will not impinge on the rights and freedoms of others.

Automated decision-making and profiling

Where the controller uses automated decision-making or profiling, you have the right to request not to be subjected to decisions made solely on the strength of automated processing, including profiling, where such decisions may have legal consequences for you or may conflict with your interests in a similar way. This does not apply under any of the following circumstances:

  • The decision is necessary in order to conclude or complete a contract between you and the controller
  • Statutory regulations that apply to the controller allow this, and also include adequate measures to protect your rights and freedoms as well as your legitimate interests as a data subject
  • Processing takes place on your explicit consent

We shall ensure adequate measures to protect your rights and freedoms as well as your legitimate interests as long as statutory regulations do not require that we process your personal data.

Decisions made according to the above exceptions must not involve the special categories of personal data according to GDPR Art. 9.1 unless Art. 9.2 (a) or (t) applies and adequate measures have been taken to protect your rights and freedoms as well as your legitimate interests.

Right of objection with your supervisory authority

You may file a complaint with a supervisory authority. The supervisory authority applicable in our case can be reached at the following address:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf.


Privacy statement for customers and business associates

Privacy statement of Beyss Architekten GmbH, Bonn, for customers, business associates and their employees

Your privacy matters deeply to us. As the party responsible for data processing (“controller”), we have implemented a wide variety of technical and organisational measures to ensure a high level of personal data protection.

We aim to satisfy the requirements on information and transparency in storing and processing personal data arising in our business relationship with you as our customer or business associate and your employees.

By personal data, we mean data that might be used to reveal your identity; this could be your name, postal or e-mail address, or information that refers to you as an identifiable individual. We would also like to inform you of your rights regarding privacy.

Responsibility for the processing activities arising from our business relationship and described in the following according to data protection standards (“the controller”):

Beyss Architekten GmbH represented by the CEO
Graduate Engineer Dipl.-Ing. Wolfgang Beyß, Architect (BDA)
Haydnstraße 36
53115 Bonn
Tel.: +49 228 9455452-0
Fax: +49 228 9455452-90
E-mail: office [at] beyss-architekten.de

Mr. Andreas Majer is our central contact partner if you wish to exercise your rights as a person affected by this Privacy Policy (“data subject”).

Please address any questions you might have about our Privacy Policy to our Data Protection Officer:
Ralf A. Lanz
Ernastraße 10
53881 Euskirchen
Tel.: +49 2255 9218-235
E-mail: ba-ds [at] lanz-consult.de or directly to rlanz [at] lanz-consult.de

First, we would like to provide you with a brief description of your rights as a person affected by this privacy statement (“data subject”):

You may request that we at Beyss Architekten GmbH, Bonn, as your business associate, provide confirmation as to whether we are processing your data and, if so, information about this personal information.

You also have the right to request that we immediately correct any errors in your personal data and, if appropriate, erase your personal data or restrict the data from processing.

You may also file an objection against processing your personal data. You may always revoke your consent after giving this consent. You have the right to data portability, and you may request your personal data in a structured, generic machine-readable form.

You may refuse to be subjected to solely automated decision-making processes affecting you, including profiling, in cases where we have automated our decision-making processes or use profiling techniques.

Finally, you may file a complaint with a supervisory authority. The supervisory authority applicable in our case can be reached at the following address: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf.

Click the following link for details on your rights as a data subject: Your rights as a data subject.

This Privacy Policy uses terms that you will find in the European General Data Protection Regulation. A Privacy Policy should be accessible, so we have included a glossary to explain the main terms used.

We would like to inform you on which categories of data we collect and how we process your personal data in the following:


About processing personal data

General

We do not use any automated decision-making or profiling in any of the processing activities described in the following. We will also not transfer your personal information to any countries outside the EEA or international organisations.

We conclude data processing contracts with any contractors we might commission for data processing (“processors”) in order to ensure that your data will only be used according to order as given in our instructions, and to guarantee the security and confidentiality of your data.        

You may always revoke any consent you have previously given to having your data processed based on this consent as follows:

Consequences of not providing data: If you do not provide your data for a processing activity such as HRM management, then we will not be able to perform this activity; this may render the business relationship impossible.

Processing activity: Scheduling and central office management

Purpose of processing:
Office organisation, central database for business transactions, appointments management, e-mail and document filing for projects.

Legal basis:
Performance of customer and supplier contracts according to GDPR Art. 6.1 (b).

Categories of personal data:
Name, address, contact details, project costs.

Data storage duration:
At least until the end of the project; business documents for ten years according to Section 257 of the German Commercial Code (HGB), then manual deletion; thirty years for documents subject to architectural liability.

Processing activity: Site project files, planning documentation, tenders

Purpose of processing:
Storage of building plans and construction documents, project participants lists, time sheets and project protocols for use as communications lists in a project, construction work costing, project documentation and administration/controlling.

Legal basis:
GDPR Art. 6.1 (b) for performance of customer and supplier contracts; Art. 6.1 (f) for business transactions. 

Categories of personal data:
Name, possibly home address and contact details for private developers; company address; company contact details; project disciplines; deployment times; project participation.

Data recipients:
Project participants.

Data storage duration:
At least until the end of the project; business documents for ten years according to Section 257 of the German Commercial Code (HGB), then manual deletion; thirty years for documents subject to architectural liability.

Processing activity: Financial accounting and administration, accounts receivable and payable, bank transactions

Purpose of processing:
Financial accounting, accounts receivable and payable, manual account statement comparison (payments) and administration.

Legal basis:
GDPR Art. 6.1 (c) according to the German Tax Code (AO), Commercial Code (HGB) and other legal provisions.

Categories of personal data:
Name, position in the company, address and contact details, transactions to and from accounts receivable and payable.

Data recipients:
Authorised tax advisors sworn to professional confidentiality.

Data storage duration:
Ten years according to the German Commercial Code (HGB) and Tax Code (AO).

Processing activity: Written settlement of business activities

Purpose of processing:
Settlement of transactions and correspondence, project protocols, minutes from meetings and similar activities involving the storage of personal data.

Legal basis:
GDPR Art. 6.1 (b) in managing contractual relationships and business activities as a legitimate interest according to Art. 6.1 (f). 

Categories of personal data:
Name, address and business contact details, other company-related personal data, possibly position or role in activities and projects.

Data storage duration:
Until the end of the retention period as set in statute or tax law (usually six to ten years) or the end of limitation periods in claims (usually three years).    

Processing activity: E-mail correspondence

Purpose of processing:
Processing e-mails, contacts, activities, notes, public folders and archives.

Legal basis:
GDPR Art. 6.1 (b) in managing contractual relationships and communication with business associates as a legitimate interest according to Art. 6.1 (f).  

Categories of personal data:
E-mail inboxes, calendars and schedules, connection metadata: Sender or recipient with the logged time, IP address and similar.

Data recipients:
Based on communication contents: all contacts, all content.

Data storage duration:
Deletion by the client software user.

Processing activity: Backups

Purpose of processing:
Central backup of all local servers and systems.

Legal basis:
GDPR Art. 6.1 (c) to ensure the integrity and availability of data according to Art. 32.  

Categories of personal data:
All personal data mentioned in the other processes.

Data storage duration:
Erasure by overwriting according to method used in data backup. Physical destruction where unusable data carriers are destroyed.

Alterations and updates to this Privacy Policy

We recommend that you visit this Privacy Policy on a regular basis to keep up to date on the content. We will update this Privacy Policy as needed to take account of any changes in data processing as and when they happen. We will notify you if we need any input from you such as your consent or need to send you any individual notifications.


Privacy for job applicants (m/f/d)

Privacy statement of Beyss Architekten GmbH, Bonn, for job applicants (m/f/d)

Your privacy matters deeply to us. As the party responsible for data processing (“controller”), we have implemented a wide variety of technical and organisational measures to ensure a high level of personal data protection.

We aim to satisfy the requirements on information and transparency in storing and processing personal data arising from your application as a job applicant at our company.

By personal data, we mean data that might be used to reveal your identity; this could be your name, postal or e-mail address, or information that refers to you as an identifiable individual. We would also like to inform you of your rights regarding privacy.

Responsibility for the processing activities arising from your application and described in the following according to data protection standards (“the controller”):

Beyss Architekten GmbH represented by the CEO
Graduate Engineer Dipl.-Ing. Wolfgang Beyß, Architect (BDA)
Haydnstraße 36
53115 Bonn
Tel.: +49 228 9 45 54 52-0
Fax:  +49 228 9 45 54 52-90
E-mail: office [at] beyss-architekten.de

Mr. Andreas Majer is our central contact partner if you wish to exercise your rights as a person affected by this Privacy Policy (“data subject”).

Please address any questions you might have about our Privacy Policy to our Data Protection Officer:
Ralf A. Lanz
Ernastraße 10
53881 Euskirchen
Tel.: +49 2255 9218-235
E-mail: ba-ds [at] lanz-consult.de or directly to rlanz [at] lanz-consult.de

First, we would like to provide you with a brief description of your rights as a person affected by this privacy statement (“data subject”):

You may request that we at Beyss Architekten GmbH, Bonn, as your potential future employer, provide confirmation as to whether we are processing your data and, if so, information about this personal data.

You also have the right to request that we immediately correct any errors in your personal data and, if appropriate, erase your personal data or restrict the data from processing.

You may also file an objection against the processing of your personal data. You may revoke your consent at any time after giving it.

You have the right to data portability, and you may request your personal data in a structured, generic machine-readable form.

You may refuse to be subjected to solely automated decision-making processes affecting you, including profiling, in cases where we have automated our decision-making processes or use profiling techniques.

Finally, you may file a complaint with a supervisory authority. The supervisory authority applicable in our case can be reached at the following address: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf.

Click the following link for details on your rights as a data subject: Your rights as a data subject.

This Privacy Policy uses terms that you will find in the European General Data Protection Regulation. A Privacy Policy should be accessible, so we have included a glossary to explain the main terms used.

In the following, we would like to inform you which categories of data we collect and how we process your personal data:


About processing personal data

General

We do not use any automated decision-making or profiling in any of the processing activities described in the following. We will also not transfer your personal information to any countries outside the EEA or international organisations.

We conclude data processing contracts with any contractors we might commission for data processing (“processors”) in order to ensure that your data will only be used as ordered and according to our instructions, and to guarantee the security and confidentiality of your data.

You may always revoke any consent you have previously given to having your data processed based on this consent as follows:

Consequences of not providing data: If you do not provide your data for a processing activity such as HRM management, then we will not be able to perform this activity; this may make it impossible for us to process your application.

Processing activity: Managing applications

Purpose of processing:
Conducting the application process for gaining new employees, initiation and termination of employment contracts.

Legal basis:
GDPR Art. 6.1 (b) for initiating employment contracts; Art. 6.1 (c) for fulfilling obligations according to employment law and other laws such as the German General Act on Equal Treatment (AGG).

Categories of personal data:
Name, possibly results from aptitude tests, CVs, possibly work and residence permits, identity card or passport copies; possibly a copy of a valid driving licence, previous references from employers; proof of qualifications and training programmes; additional activities; home address and contact details; employment contract (on conclusion); correspondence between employer and applicant; possibly applicant’s social security data for social and health insurance coverage, leave, data used for payroll. Transfer of documents and data to the personnel file on concluding an employment contract.

Data storage duration:
At least until the end of the application process, possibly beyond if required by statute or tax law, or if needed to assert legal interests.

Processing activity: Scheduling and central office management

Purpose of processing:
Office organisation, central database for business transactions, appointments management, e-mail filing.

Legal basis:
Managing applications according to GDPR Art. 6.1 (b).

Categories of personal data:
Name, address, contact details.

Data storage duration:
At least until the end of the application process or possibly beyond as set in statute or tax law (usually three or six to ten years) or the end of limitation periods in claims (usually three years). Anonymisation is initiated manually.

Processing activity: Financial accounting and administration, accounts receivable and payable, bank transactions

Purpose of processing:
Accounts receivable and payable, manual account statement comparison (payments) and administration.

Legal basis:
GDPR Art. 6.1 (c) according to the German Tax Code (AO), Commercial Code (HGB) and other legal provisions.

Categories of personal data:
Name of the applicant, address and contact details, transactions to and from accounts receivable and payable.

Data recipients:
Authorised tax advisors sworn to professional confidentiality.

Data storage duration:
Ten years according to the German Commercial Code (HGB) and Tax Code (AO).

Processing activity: Correspondence

Purpose of processing:
Settlement of written communications and correspondence, minutes from meetings and similar activities involving the storage of personal data.

Legal basis:
GDPR Art. 6.1 (b) on managing applications.

Categories of personal data:
Name, address and contact information, other personal data, possibly qualifications.

Data storage duration:
Until the end of the retention period as set in statute or tax law (usually six to ten years) or the end of limitation periods in claims (usually three years).    

Processing activity: E-mail correspondence

Purpose of processing:
Processing e-mails, contacts, activities, notes, public folders and archives.

Legal basis:
GDPR Art. 6.1 (b) on initiating an employment relationship. 

Categories of personal data:
E-mail inboxes, calendars and schedules, connection metadata: sender or recipient with the logged time, IP address and similar.

Data recipients:
Based on communication contents: all contacts, all content.

Data storage duration:
Deletion by the client software user.

Processing activity: Backups

Purpose of processing:
Central backup of all local servers and systems.

Legal basis:
GDPR Art. 6.1 (c) to ensure the integrity and availability of data according to Art. 32.  

Categories of personal data:
All personal data mentioned in the other processes.

Data storage duration:
Erasure by overwriting according to method used in data backup. Physical destruction where unusable data carriers are destroyed.

Alterations and updates to this Privacy Policy

We recommend that you visit this Privacy Policy on a regular basis to keep up to date on the content. We will update this Privacy Policy as needed to take account of any changes in data processing as and when they happen. We will notify you if we need any input from you such as your consent or need to send you any individual notifications.


Glossary

This Privacy Policy uses terms that you will find in the European General Data Protection Regulation. A Privacy Policy should be accessible, so we would like to explain the following terms in detail:

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law.

Processor means a natural or legal person, public authority, agency or other body processing personal data on behalf of the controller.

Recipient means a natural person or company, public authority, agency, or other party receiving personal information regardless of whether or not the recipient is a third party. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of those data by those public authorities must be in compliance with the data protection regulations applicable according to the purposes of the processing.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her by statement or clear affirmative action.

Supervisory authority means any independent public office established by a member state charged with ensuring and monitoring for compliance with the provisions of data protection law.