Information on the processing of personal data

This document informs you about how we process personal data.

Introduction and structure of the document

We, the company STAUFEN.AG (hereinafter referred to as “the company”, “we” or “us”), thank you for visiting our website and for your interest in our company and our services. Your personal data will only be processed in accordance with the provisions of German and European data protection law.

Data protection law requires us, as the data controller, to ensure the protection of your personal data through a variety of measures. One of these obligations is to inform you transparently about the nature, scope, purpose, duration and legal basis of the data processing (cf. Art. 13 and 14 EU GDPR). In the following, we will also refer to you as the person affected by the data processing as “customer”, “user”, “you” or “data subject”. In this Privacy Policy, we inform you about how we process your personal data.

Our Privacy Policy has a modular structure. It consists of a general part, which applies to any processing of personal data and any processing situation that may arise and a specific part, the content of which applies only to the processing situation specified therein. We may also use this online document to inform you about processing operations that do not primarily take place on the website. These can be found in the special section of the document. If you want to navigate quickly through the document, many browsers offer a search function using “Ctrl+f” key combination.


Definitions

Following the example of Art. 4 EU GDPR, this document is based on the following definitions:

“Personal data” (Art. 4 No. 1 EU GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by reference to information about his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. Identifiability may also be achieved by linking such information or other additional knowledge. It does not matter where the information comes from, or what form it takes (even photographs, video or audio recordings can contain personal data).

“Processing” (Art. 4 No. 2 EU GDPR) means any operation which involves the handling of personal data, whether or not by means of automated (i.e., technology-based) processes. This includes, in particular, the collection (i.e., acquisition), recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as changing a purpose or intended use on which a data processing was originally based.

“Controller” (Art. 4 No. 7 EU GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

“Third party” (Art. 4 No. 10 EU GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct responsibility of the controller or processor.

Processor” (Art. 4 No. 8 EU GDPR) means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g., IT service provider). In particular, a processor is not a third party in the sense of data protection law.

“Consent” (Art. 4 No. 11 EU GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of his or her wishes in the form of a statement or any other unambiguous affirmative act, by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.


Controller name and address

Please refer to the imprint on our website for information about the entity responsible for processing your personal data as defined by Art. 4 No. 7 EU GDPR, as well as contact details and other information about our company.


Contact details of the data protection officer

Our data protection team, consisting of data protection coordinators and our data protection officer, are available at all times to answer any questions you may have and to act as your contact person on the subject of data protection at our company.

You can reach the data protection team:

  • By mail to our address given in the imprint with the addition “data protection team”
  • By e-mail at datenschutz@staufen.ag

Your rights

You may exercise your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided at the beginning of this document. You will facilitate our request by contacting the data protection team directly.

As the data subject, you have the right:

  • in accordance with Art. 15 EU GDPR, to request information about your data processed by us. In particular, you may request information about the purposes of the processing, the category of data, the categories of recipients to whom your data have been or will be disclosed, the intended storage period, the existence of a right to rectification, erasure, restriction or objection, the existence of a right of appeal, the origin of your data if not collected by us, as well as the existence of automated decision making including profiling and, where applicable, meaningful information about its details;
  • in accordance with Art. 16 EU GDPR, to request the correction of inaccuracies or the completion of your data stored by us without delay;
  • in accordance with Art. 17 EU GDPR, to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  • in accordance with Art. 18 EU GDPR, to request the restriction of the processing of your data if the accuracy of the data is disputed by you or the processing is unlawful;
  • in accordance with Art. 20 EU GDPR, to receive the data you have provided to us in a structured, common and machine-readable format or to request its transfer to another controller (“data portability”);
  • in accordance with Art. 21 EU GDPR, to object to processing, provided that the processing is based on Art. 6 (1) lit. e or lit. f EU GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Except in the case of a direct marketing objection, when you exercise such an objection, we will ask you to explain why you do not want us to process your data as we have done. In the event of your legitimate objection, we will review the facts of the case and either discontinue or adapt the processing, or provide you with our compelling legitimate grounds for continuing the processing. For many services on our websites that process personal data in accordance with Art. 6 para. 1 lit. f EU GDPR, the objection can be technically implemented using technologies available or to be installed in the browser, e.g., by blocking JavaScripts or cookies;
  • in accordance with Art. 7 para. 3 of the GDPR, to withdraw your consent – i.e., your voluntary, informed and unequivocal will expressed through a declaration or other unambiguous act that you consent to the processing of the personal data in question for one or more specific purposes – given to us once (even before the GDPR became applicable, i.e., before May 25, 2018), at any time, if you have given such consent. As a result, we may not continue to process data based on that consent in the future; and
  • to lodge a complaint about the processing of your personal data in our company with the competent data protection authority in accordance with Art. 77 EU GDPR.

Legal basis of data processing

In principle, the law only permits the processing of personal data if it is based on one of the following justifications:

Art. 6 para. 1 lit. a EU GDPR (“Consent”): Where the data subject has indicated, voluntarily, in an informed manner and unambiguously, by a statement or other unambiguous affirmative action, that he or she consents to the processing of personal data relating to him or her for one or more specified purposes;

Art. 6 para. 1 lit. b EU GDPR (“Contract”): If the processing is necessary for the performance of a contract to which the data subject is a party, or for the performance of pre-contractual measures taken at the request of the data subject;

Art. 6 para. 1 lit. c EU GDPR (“Legal obligation”): When processing is necessary to comply with a legal obligation to which the controller is subject (e.g., a legal obligation to keep records);

Art. 6 para. 1 lit. d EU GDPR: If the processing is necessary to protect the vital interests of the data subject or another natural person;

Art. 6 para. 1 lit. e EU GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

Art. 6 para. 1 lit. f EU GDPR (“Legitimate Interests”): If the processing is necessary to protect the legitimate (in particular legal or economic) interests of the controller or a third party, except where the conflicting interests or rights of the data subject are overridden (in particular if the data subject is a child). To the extent that the processing of personal data is based on Art. 6 para. 1 lit. f EU GDPR, the aforementioned purposes also represent our legitimate interests.

The applicable legal basis for each of our processing operations is set out below. The processing may also be based on several legal bases.


Data deletion and retention period

For each of the processing operations we perform, we indicate below how long we will store the data and when it will be deleted or blocked. In the case of consents, the deletion and retention period specified in the consent request applies. Unless an explicit retention period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. Your data will only be stored within the Federal Republic of Germany, a member state of the European Union (EU) or another member state of the European Economic Area (EEA). Possible exceptions to this are described in the following sections and processing procedures. However, we may store your data for longer periods in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is required by law to which we are subject as a responsible party (e.g., §257 German Commercial Code (HGB), §147 German Fiscal Code (AO)). Upon expiration of the retention period required by law, the personal data will be blocked or deleted unless further retention by us is necessary and there is a legal basis for doing so.


Data security: website, email, fax

We use technical and organizational security measures in order to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g., TLS encryption for our website), taking into account the state of the art, the implementation costs, and the scope, context and purpose of the processing, as well as the existing risks (including their probability and impact) for the data subject. Our security measures are continually improved as technology evolves.

We use a hybrid encryption protocol called Transport Layer Security (TLS), better known by its predecessor Secure Sockets Layer Software (SSL), to securely transfer data over the Internet. This software encrypts the information you send. All information relevant to data protection is stored in encrypted form in a secure database.

Please note that the confidentiality of email cannot be guaranteed. Although we provide Transport Layer Security (TLS) through our mail servers, confidentiality may depend on various mail relay servers over which we have no control: whether they also use TLS and whether they evaluate emails is beyond our control.

When you send us a fax, the transmission is made over the Internet Protocol (FoIP). The transmission is technically identical to sending an email or web page data. We do not know whether an IP-based service encrypts data, so the confidentiality of the data sent is not guaranteed. We do not recommend faxing sensitive information.

Please contact us for more information. Please contact our data protection team for more information.


Cooperation with processors

Like any large company, we also use outside service providers to help us conduct our business, such as for IT, logistics, telecommunications: delivering packages, sending letters or emails, analyzing our databases, advertising, processing payments, sales, and marketing. These service providers have access to personal data that they need to perform their functions. However, they may not use these data for any other purpose. Order processors act only at our direction and are appointed for the purpose of Art. 28 EU GDPR contractually obliged to comply with the provisions of data protection law. Order processors are not third parties.


Conditions for the transfer of personal data to third countries

In the course of our business relationship, your personal data may be transferred or disclosed to third parties. These may be located outside the European Economic Area (EEA), i.e., in third countries. Such processing is done solely for the purpose of fulfilling contractual and business obligations and maintaining your business relationship with us. We will inform you of the details of the transfer in the appropriate sections below. Accordingly, we usually indicate the location of the company providing a service.

The European Commission certifies data protection comparable to the EEA standard for some third countries by means of so-called adequacy decisions. The Commission has issued adequacy decisions for the following countries and territories: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, Republic of Korea, and the United Kingdom (as of December 2021).

However, other third countries to which personal data may be transferred may not provide a consistently high level of data protection due to a lack of legislation. Where this is the case, we will ensure that there is a generally adequate level of data protection. This can be done through binding corporate policies, the European Commission’s standard contractual clauses for the protection of personal data, certificates or recognized codes of conduct.


Automated decision making

We do not intend to use any personal data collected from you for any automated decision making process (including profiling).


Obligation to provide personal data

We do not require you to provide us with personal data in order to enter into a contract with us. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, if you do not provide us with the required information, we may be unable to provide certain services to you. If, by way of exception, this should be the case for the products or processes described below, you will be notified separately.


Legal obligation to transmit certain data

We may be subject to a specific legal or statutory obligation to disclose the lawfully processed personal data to third parties, in particular public bodies (Art. 6 para. 1 lit. c EU GDPR).


Change of the Privacy Policy

This document will be periodically reviewed to determine whether it needs to be amended or supplemented in light of developments in data protection law, as well as technological or organizational changes. We reserve the right to change this privacy policy at any time in accordance with applicable privacy laws. We will publish the changes here. Current status: August 10, 2023


Information on the processing of personal data in special processing operations

The following sections describe the processing operations grouped by the different categories of individuals whose data are processed (“data subjects”).


Website visitors

You can obtain information about our company and the services we offer in particular at www.staufen.ag together with the associated sub-pages (hereinafter collectively referred to as “websites”). When you visit our websites, personal data will be processed.

Your data will only be processed for as long as is necessary to achieve the above-mentioned processing purposes; the legal bases stated in the context of the processing purposes apply accordingly. Third parties engaged by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the respective order.

The following categories of recipients, which are usually processors, may receive access to your personal data:

Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 lit. b or lit. f EU-DSGVO, insofar as it does not involve order processors;

Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the disclosure is then Art. 6 para. 1 lit. c EU-DSGVO;

Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 lit. b or lit. f EU-DSGVO.

In addition, we will only disclose your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 (1) a EU-DSGVO.


Personal data processed on the website/log data

The following categories of personal data are collected, stored and processed by us when you use the websites for information purposes. When you visit our websites, our web server temporarily and anonymously stores a so-called server log file. This consists in particular of:

  • The page from which the page was requested (referrer URL)
  • Name and URL of the requested page
  • The date and time of the access
  • The description of the type, language and version of the web browser used
  • The IP address of the requesting computer
  • The amount of data transferred
  • The operating system
  • The message whether access was successful (access status/HTTP status code)
  • The GMT time zone difference

Processing of log files is for statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 lit. f EU GDPR).

We may temporarily process other information that your operating system, browser and/or other technologies provide to our web servers in order to provide the web pages. The legal basis for this is also Art. 6 para. 1 lit. f EU GDPR.


Services that store information on your device or access information already stored on your device (cookies, plug-ins, JavaScript, etc.)

On our websites, we use services and technologies to store information on your device and/or technologies to access information that is already stored on your device. These technologies may include cookies. Cookies are text files and/or entries in a browser’s own database that identify the browser you are using by a characteristic string. Certain information flows between the entity that sets the cookie and your device.

Cookies and other services may contain data that allows the device being used to be recognized. In some cases, cookies and other technologies only contain information about certain settings that cannot be linked to a specific person.

You may be able to decline or technically prevent some services if your browser allows you to do so. However, please be aware that if you choose to decline cookies, you will not be able to use the full functionality of our website.

The Help function on the menu bar of most web browsers will tell you, for example, how to prevent your browser from accepting new cookies, how to notify your browser when you receive a new cookie, or how to delete all received cookies. You can also modify your browser so that it does not run special technologies (such as JavaScript) that require the services. Insofar as the services on our websites process personal data in accordance with Art. 6 para. 1 lit. f EU GDPR, the objection can be technically implemented via these browser functions and technologies.

Services can be further subdivided according to their function:

  • Technical services: These services are necessary for you to navigate the website, use basic functions, and ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store information about which pages you visit;
  • Performance Services: These collect information about how you use our website, which pages you visit, and whether any errors occur when using the website; they do not collect any information that could identify you – all information collected is anonymous and is used only to improve our website and to find out what our users are interested in;
  • Advertising, targeting & sharing services, social media plug-ins: These are used to provide the website user with customized advertisements on the website or third party offers and to measure the effectiveness of those offers. These services may also be used to enhance the interactivity of our website with other services (e.g., social networks).

What all services have in common is that they store information on your device and/or access information that is already stored on your device.

In contrast to the functional distinction of services, the legislator distinguishes only between two purposes of services:

  1. Services that are necessary for the transmission of a message over a public telecommunications network and/or that are absolutely necessary for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user. The necessity can be based on technical, legal, economic, operational and/or contractual agreements.
  2. Services for all other purposes.

Any use of services that is absolutely necessary from a technical, legal, economic, operational and/or contractual perspective in order to provide an expressly requested service may be based on a legal basis other than consent pursuant to Art. 6 para. 1 lit. a EU GDPR.

Special section: General services on the website

We currently use the following of the services described above. If the processing is based on consent in accordance with Art. 6 para. 1 lit. a EU GDPR, we will also indicate the manner in which consent was obtained.

Google (and Alphabet, where applicable) services, products and technologies

In this section we have grouped the services provided by Alphabet Inc. (a publicly traded U.S. holding company) and, in particular, Google, which is part of the holding company. The use of these services may involve the transfer of data to a third country (USA). For the U.S., there is an adequacy decision by the EU Commission dated July 10, 2023, which establishes an adequate level of data protection for transfers to companies participating in the EU-U.S. data protection framework. The transfer of data to the USA is also based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/


Service: Google Maps

This website uses the Google Maps service, operated by Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland, to display maps and site plans.

The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, each time you access the Google Maps service, information will be stored and read on your device in order to process user preferences and data when viewing the page on which Google Maps is integrated.


Service: Google Analytics

This website uses Google Analytics, a web analytics service operated by Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland.

The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, analysis of your use of our websites and online services is made possible. Information about your use of this website and online services is transmitted to and stored by Google on servers in the USA. For the U.S., there is an adequacy decision by the EU Commission dated July 10, 2023, which establishes an adequate level of data protection for transfers to companies participating in the EU-U.S. data protection framework. The transfer of data to the USA is also based on the standard contractual clauses of the EU Commission. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services relating to website activity and Internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.


Service: Google Tag Manager

We use the Google Tag Manager service on our websites, which is operated by Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland. The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, we may use the Google Tag Manager to reload JavaScript instructions and other services. In the process, information is transferred to and stored on Google servers. Servers are also located in the USA. Google may share this information with contractors. You can find more information about Google Tag Manager at https://www.google.com/analytics/terms/tag-manager/


Dienst: Google Web Fonts/External Fonts

We use the Google Web Fonts service on our websites, which is operated by Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland. The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, Google Web Fonts can be used to provide consistent font rendering. When you view a page, your browser caches the web fonts it needs to display text and fonts correctly. This requires your browser to connect to Google’s servers. This means that Google knows that our website was accessed via your IP address.


Service: Google Static / gstatic

We use the Google Static service on our website. The service is provided by Google Ireland Ltd, Gordon House, Barrow Street Dublin 4, Ireland. gstatic is a service for the delivery of static content (e.g., images, CSS, JavaScript). The purpose is to improve network speed for users and reduce bandwidth usage to make browsing more efficient. The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. More information about this possible processing can be found in the consent query in the Consent Management Tool. Use of the service may involve transfer of data to a third country (USA). For the U.S., there is an adequacy decision by the EU Commission dated July 10, 2023, which establishes an adequate level of data protection for transfers to companies participating in the EU-U.S. data protection framework. The transfer of data to the USA is also based on the standard contractual clauses of the EU Commission. For more information, see the provider’s privacy policy at the following URL: https://policies.google.com/privacy


Service: Google Ads

We use the Google Ads service on our website. The service is provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, Google Ads may be used to show ads on the Google search engine or on third-party websites when a user enters certain search terms on Google (keyword targeting). In addition, targeted ads may be displayed based on user information available to Google, such as location and interests (target group targeting). Website operators can quantify this data by analyzing which search terms resulted in the display of ads and how many ads resulted in clicks.


Service: Google APIs CDN

We use the Google APIs CDN service, a content delivery network, on our websites. The service is provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The service can load content from these websites over a distributed network. Using this technology, when you use this service, the server that is geographically closest to you is called from this network. The Content Delivery Network is used to provide a better user experience and to optimize the performance and availability of our website. To do this, this service processes your IP address and information about when you visited our website.

The legal basis for this is Art. 6 para. 1 lit. f EU GDPR. We have a legitimate interest in making our website as fast, secure and reliable as possible. If we use a Consent Management Tool, we may also decide to base the processing on consent in accordance with Art. 6 para. 1 lit. a. EU GDPR. You can then learn more about consent in the Consent Management Tool.

Use of the service may involve the transfer of data to a third country (USA). For the U.S., there is an adequacy decision by the EU Commission dated July 10, 2023, which establishes an adequate level of data protection for transfers to companies participating in the EU-U.S. data protection framework.

For more information, see the provider’s privacy policy at the following URL https://policies.google.com/privacy.


Facebook and Meta Platforms services, products and technologies

In this section, we have grouped the services offered by Meta Platforms, Inc. and specifically Facebook.

Service: Facebook/Facebook Like Button/Facebook Connect

We use services provided by Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA (Facebook) on our websites.

The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, your browser establishes a direct connection with Facebook’s servers. The content of the plugin is sent directly from Facebook to your browser, which then integrates it into the website. By integrating the plugins, Facebook receives information that your browser has visited the corresponding page on our website, even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there.

When you interact with the plugins, such as by clicking the “LIKE” or “SHARE” button, that information is also sent directly to a Facebook server and stored there.

The information is also posted on Facebook and may be displayed to your Facebook friends. Facebook may use this information for advertising, market research, and customization of Facebook pages. For this purpose, Facebook creates usage, interest and relationship profiles, e.g., to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services related to the use of Facebook. If you do not want Facebook to associate the data collected through our websites with your Facebook account, you must log out of Facebook before visiting our website. Please note that we have no knowledge of the content of the data transmitted to Facebook and its use.


Service: LinkedIn

We use services on our websites such as analytics and conversion tracking technology provided by LinkedIn Inc, 2029 Stierlin Ct, Mountain View, CA 94043, USA (LinkedIn).

The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, information about your use of our website will be collected and shared with LinkedIn, including for advertising purposes. We receive aggregated and anonymous reports from LinkedIn about advertising activity and information about how you interact with our website.


Service: Yumpu

We use the Yumpu service on our websites, which is operated by i-magazine AG, Gewerbestrasse 3, 9444 Diepoldsau, Switzerland. For Switzerland there is an adequacy decision of the European Commission according to Art. 45 EU GDPR.

Yumpu is a digital platform for publishing magazines, brochures or catalogs. The content of PDF files is presented as a flip catalog/flip book and displayed directly in the web browser without loading the PDF files.

Yumpu uses essential cookies and may use other technologies to ensure the basic functionality of the service. Yumpu automatically collects and stores in so-called server log files data that your browser automatically transmits (including browser type and version, operating system, referrer and requested URL, timestamp of the server request, IP address). Yumpu keeps this data for up to one month, after which it is deleted.

The integration of the service is therefore technically and commercially necessary in order for the website visitor to be able to use the requested content. The legal basis for the data processing is Art. 6 para. 1 lit. f EU GDPR. More information about Yumpu can be found at: https://www.yumpu.com/de/info/privacy_policy and https://www.yumpu.com/de/info/cookie_policy


Service: Friendly Captcha

We use the Friendly Captcha service on our websites, operated by the company Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. This service checks whether the entries on a contact form, for example, are actually made by a human user or by machine or automated programs (“bots”). For this purpose, program code from Friendly Captcha has been integrated so that the user’s end device can establish a connection to Friendly Captcha’s servers in order to receive a calculation task from Friendly Captcha. The visitor’s terminal solves the calculation task, which takes up certain system resources, and sends the calculation result to our web server. The server contacts the Friendly Captcha server via an interface and receives a response indicating whether the puzzle was solved correctly by the end device. Depending on the result, we can apply security rules to requests via our website and thus, for example, process or reject them.

The data is used exclusively for the protection against bots described above. Friendly Captcha does not set or read cookies on the end device of the visitor. IP addresses are only stored in hashed (one-way encrypted) form and do not allow us and Friendly Captcha to draw any conclusions about an individual person. The legal basis for the processing is the legitimate interest according to Art. 6 para. 1 lit. f EU-DSGVO in protecting the website against abusive access by bots, spam protection and protection against attacks (e.g. mass requests) and generally to detect and prevent abusive or technically harmful use of our website.

For more information about Friendly Captcha’s privacy practices, please visit https://friendlycaptcha.com/legal/privacy-end-users/.


Service: WPML

We use the WPML service on our website, which is a language tool to display the website in different languages. The provider of the service is OnTheGoSystems Ltd, 22/F 3 Lockhart Road, Wanchai, Hong Kong, China. This service can be hosted locally. This is a language tool that is considered essential.

The legal basis for this is Art. 6 para. 1 lit. f EU GDPR. Our legitimate interest is to provide visitors to our website with information in their native language. If we use a Consent Management Tool, we may also decide to base the processing on consent in accordance with Art. 6 para. 1 lit. a. EU GDPR. You can then learn more about consent in the Consent Management Tool.

For more information, see the provider’s privacy policy at the following URL: https://wpml.org/documentation/privacy-policy-and-gdpr-compliance/.


Service: LinkedIn Analytics/LinkedIn Insight Tag

This website uses the LinkedIn Analytics/LinkedIn Insight Tag service, a web analytics service operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

The processing will only take place if you have given your consent in accordance with Art. 6 para. 1 lit. a EU GDPR. For more information about this possible processing, see the consent query in the Consent Management Tool.

When consent is given, analysis of your use of our websites and online services is made possible. Information about your use of these websites and online services is transmitted to and stored on LinkedIn servers in the USA. LinkedIn will use this information to evaluate your use of the website, to compile reports on website activity for us and to provide other services relating to website activity and Internet usage. LinkedIn may also transfer this information to third parties if required by law or if third parties process this data on LinkedIn’s behalf.

For more information, see the provider’s privacy policy at the following URL https://www.linkedin.com/legal/privacy-policy.


Service: LinkedIn Ads

We use the LinkedIn Ads service on our website. The provider of the service is Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.

LinkedIn Ads facilitates or enables the placement of advertisements and the evaluation of the success of those advertisements. Advertising is a source of revenue for our website. Personal data processed in the process. For this purpose, personal data is processed, in particular the IP address, access times and device information. Processing will only take place if you consent to this processing (via our consent banner on the website). The legal basis for this is Art. 6 para. 1 lit. f EU GDPR. Our legitimate interest is to make our website economical and efficient. If we use a Consent Management Tool, we may also decide to base the processing on consent in accordance with Art. 6 para. 1 lit. a. EU GDPR. You can then learn more about consent in the Consent Management Tool.

Use of the service may involve the transfer of data to a third country (USA). For the U.S., there is an adequacy decision by the EU Commission dated July 10, 2023, which establishes an adequate level of data protection for transfers to companies participating in the EU-U.S. data protection framework. The transfer of data to the USA is also based on the standard contractual clauses of the EU Commission.

For more information, see the provider’s privacy policy at the following URL: https://privacy.microsoft.com/de-de/privacystatement


Applicant

You can apply to us in a variety of ways. Regardless of how you apply to us, your applicant data will be processed solely for the purpose of processing your application and will be kept for a maximum of six months after the end of the selection process, after which time it will be deleted, unless you give us your consent to further processing in a talent pool.

In connection with an application, we will process the following personal information from you:

  • Any data you have provided to us during the application process (e.g., in your application materials or interviews)
  • Any additional data we may have legitimately collected as part of the application process (e.g., from public sources such as professional networks).
  • This may include special categories of personal data (e.g., disability status, racial or ethnic origin, religious or philosophical beliefs, or trade union membership), provided that such data has been provided to us in one of the two ways described above.

Legal basis is the decision on the establishment of the employment relationship or after the establishment of the employment relationship for its implementation according to §26 para.1 German Federal Data Protection Act (BDSG-neu) and Art. 6 para. 1 lit. b EU GDPR. After the selection process is complete, we will retain all data for six months in order to respond legally in the event of any disputes regarding the application process. This temporary storage takes place on the basis of Art. 6 para. 1 lit. f EU GDPR.


Dienst: Hubdrive-Bewerberportal und Bewerbungsmanagement

You have the possibility to apply to us by e-mail. Please send your application documents to bewerbung@staufen.ag. Please note that we cannot guarantee the confidentiality of your data when you apply by e-mail. Although we offer transport encryption (TLS) via our mail server, confidentiality may depend on various mail relay servers over which we have no control. Whether these also use TLS and whether they evaluate the e-mails is beyond our knowledge and influence. If you have any concerns in this regard, please use the postal service for your application.

Hubdrive is a processor for us (see section “Cooperation with processors”) and uses the legal basis of the controller. The transfer and processing of personal data in this case takes place exclusively on servers in the European Union. Further information on data protection at Hubdrive can be found at: https://www.dynamics-hr-management.com/de/about/datenschutz.html


Service: Application by email

You have the possibility to apply to us by e-mail. Please send your application documents to bewerbung@staufen.ag. Please note that we cannot guarantee the confidentiality of your data when you apply by e-mail. Although we offer transport encryption (TLS) via our mail server, confidentiality may depend on various mail relay servers over which we have no control. Whether these also use TLS and whether they evaluate the e-mails is beyond our knowledge and influence. If you have any concerns in this regard, please use the postal service for your application.


Business partners and those seeking information

You can contact us by phone, fax or email. Please also see the section entitled “Data security: website, email, fax”.

When you contact us by telephone, we collect caller identification information (caller ID). If your phone number is not suppressed or hidden, we will see the phone number you are calling us from. The phone number, date and time of the call are automatically stored by our phone system and will only be used to call you back if you request it or if your call is dropped due to technical problems. This data will be deleted after a maximum of four weeks. We do not record calls.

If you contact us by email, we will store and use it for the purpose you specify in the email (e.g., ordering products). The same applies to contact by fax.

When you order products or request information from us, we create a customer account for you. The customer account contains the following data:

  • The name and contact information of the company you are ordering for
  • Your first and last name as the contact person
  • For each order processed through this customer account, we store:
  • Order and delivery date
  • Ordered products
  • Current order status

This data is required to process your order and/or request and will only be processed for this purpose (Art. 6 para. 1 lit. b or lit. f EU GDPR). Unless otherwise described, the retention periods for this information are based on the legal retention requirements to which we are subject.


Participants in training measures

We provide training, education, training and other education-oriented services (hereinafter generally referred to as “Training”). In order to provide these services, we process personal data of the participants. This data is used to organize and conduct training. Selected data may also be viewable by other participants and training instructors.

In the context of a training course, at least the following personal data of you will be processed by us:

  • all data that you have provided to us in the preparation and in the course of a training,
  • Data we need to process contractual matters,
  • to the extent that public funding is used, data necessary for the organization and receipt of funding.

To conduct the training, we may also use services mentioned in the section “Participants in online meetings, conference calls with and without images, online support and webinars”.

The legal basis of the processing is the fulfillment of the contractual relationship arising from the participation in training (Art. 6 (1) lit. b EU-DSGVO). Occasionally, the processing may also be based on our legitimate interests (Art. 6(1)(f) EU GDPR) to provide engaging and effective training.


Service: FKC Learning Platform/ Learning Management System

We use the service of the FKC learning platform, provided by Fischer, Knoblauch & Co. Medienproduktionsgesellschaft mbH, Lilienthalallee 7, 80807 Munich, Germany.

Fischer, Knoblauch & Co. is a processor for us (see section “Cooperation with processors”) and thus uses the legal basis of the controller.

The learning platform stores further technical data (comparable to the information in the section “Processed personal data on the website/log data”) as well as transferred data volume, the access status (file transferred, file not found),some technically necessary cookies), as well as learning progress, test results and survey results.

For more information on how Fischer, Knoblauch & Co. Medienproduktionsgesellschaft handles your personal data can be found in the related privacy policy: https://www.fkc-online.com/datenschutz


Service: BCdiploma / provision of Open Badges/ digital training certificates.

We use the BCdiploma service provided by Blockchain Certified SAS, 104 Avenue Albert 1er, 92500 Rueil Malmaison, France.

BCdiploma is a service for managing, creating and securing digital training credentials in Open Badge format (training certificates). BCdiploma allows issuing digital and authenticated certificates based on Ethereum Blockchain technology.

We offer this service during some of our trainings. The use of these certificates created via BCdiploma by the training participant is voluntary. The type and amount of data depends on the training. If the training participant uses training certificates created via BCdiploma, then personal data is processed for the following purposes: Creation and issuance of training certificates for the training participant in digital form and making the certificates available to the training participant via a special Internet link, as well as the possibility of verification of the authenticity of training certificates by third parties, insofar as third parties have been provided with a verification link by the training participant.

All data that is readily accessible to third parties will be encrypted and only encrypted data will be stored in a public blockchain. Consequently, other participants in the blockchain will only have access to encrypted data. Certificate data is stored in the blockchain in such a way that it is preserved for the entire lifetime of this blockchain.

The legal basis of the processing is the fulfillment of the contractual relationship arising from the participation in training (Art. 6 (1) (b) EU GDPR). In addition, the processing is also based on our legitimate interests (Art. 6(1)(f) EU GDPR), specifically to automate and reduce the costs of issuing and storing certificates, to ensure the authenticity of the certificates we issue (and prevent forgery) and to track the use of our certificates.

If a training participant decides to use digital training certificates, then there may also be processing of personal data (surname, first name and e-mail address, logs of connections and actions, if applicable, e-mail correspondence with the support and sales departments) by the BCdiploma provider. The purpose of the processing is to enable the Training Participant’s access to the full functionality of the Service, including user support, maintenance and troubleshooting of the BCdiploma Service, as well as to improve the quality of the business relationship with the Customer. The legal basis for this processing of personal data is the legitimate interests pursued by Blockchain Certified SAS under Article 6(1)(f) EU GDPR, namely the proper use of the BCiploma Service in accordance with the General Terms of Use and the User Agreements.

For more information on how Blockchain Certified SAS handles personal data, please see the related privacy policy: https://docs.bcdiploma.com/legal/notice.html#foreword-gdpr


Whistleblowers

We provide channels for whistleblowers to report suspected violations of laws that apply to us. Personal data may also be processed. The categories of personal data vary depending on the person providing the information.

The information provided will be used, among other things, to verify and document reports, for internal investigations (including disclosure to external attorneys, auditors or other professionals bound by professional secrecy, as well as to responsible parties in other parts of the Group, where applicable) and, where appropriate, for disclosure to government authorities (e.g., police, prosecutors or courts).

The retention period depends on legal requirements, but is typically three years after the case is closed.

We assure all individuals who provide information that it will be kept confidential. This is based on the legal requirements of the German Whistleblower Protection Act in §8 and §9. In principle, we accept anonymous tips, but we cannot guarantee the anonymity of the person providing the tip in the course of proceedings.

Depending on the wishes of the potential whistleblower, we may also use the communication channel services described in the section entitled “Participation in online meetings, audio and video conference calls, online support and webinars.

The legal basis of the processing is the fulfillment of legal obligations (Art. 6 para. 1 lit. c EU GDPR).


service: yourIT Whistleblowing System

We use the service yourIT Whistleblowing System, provided by yourIT GmbH, Häselstr. 10, 72336 Balingen, Germany.

The whistleblowing system is operated as part of the activities of the data protection officer and provides the legally required reporting channels, i.e., reports in text form via an email address set up specifically for receiving and processing tips in accordance with the German Whistleblower Protection Act (HinSchG), a whistleblowing hotline via a switchboard, and, at the whistleblower’s request, the possibility to meet in person (both on site and via video conference). Part of the system is a digital exchange platform that provides confidentiality to the whistleblower. The service is part of the internal whistleblower reporting office and is subject to legal requirements. The transfer and processing is based on the legal basis of the fulfillment of legal obligations (Art. 6 para. 1 lit. c EU GDPR) and in particular §8 German Whistleblower Protection Act (HinSchG).


The term of personal data

The term of personal data is defined in the Federal Data Protection Act. According to this, these are individual data about personal or factual situations of a determined or determinable natural person. This includes your actual name, address, phone number or birthdate. The EU General Data Protection Regulation (GDPR), which will enter into effect as of May 25th, 2018, defines personal data as follows: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Collection and processing of personal data

Staufen AG will only collect personal data when you disclose it on your own, e.g. to perform an order, for registration with the academy or an event. You will be informed about the intended purpose of processing and, if necessary, asked to consent to storage. Staufen AG and its service providers (e.g. Lettershops) will use the information collected during your registration for performance of our services and to send you offers for further education, also from our partner companies, by mail. We also inform our customers about our interesting further education offers that are similar to the ones they use by phone and email. You may, of course, object to use of your data for advertising purposes towards Staufen AG, address, under datenschutz@staufen.ag, or revoke your granted consent at any time. Without your consent, the personal data collected in the scope of our websites will be used only for processing of the order or to reply to requests. Only with your consent will your data be used beyond this in a centrally managed customer and potential customer database managed under the responsibility of Staufen AG (Customer Relationship Management Software Microsoft Dynamics). You can revoke your respective consent at any time, effective for the future. Your data will not be sold, rented out or provided to third parties in any other manner than described here. Personal data shall only be submitted to state institutions and authorities in the scope of mandatory national legal provisions. Our employees, cooperation partners and agencies are obligated to strictest secrecy by us.


Applications

You can apply to Staufen AG via our Application Management Portal. Your online application will be forwarded directly to the HR department via an encrypted connection and will, of course, be treated confidentially. We will, of course, only use your details to process your application and will not pass them on to third parties outside Staufen AG. You can revoke your consent to the storage of your personal data for the future at any time by sending a short message via datenschutz@staufen.ag.

In the context of an application, we process the following personal data from you:

  • All data that you have provided to us in the course of the application process (e.g. in your application documents or interviews)
  • If applicable, supplementary data that we have permissibly collected in the course of the application process (e.g., from public sources such as professional networks)
  • This may also include special categories of personal data (e.g. disability status, racial and ethnic origin, religious or ideological beliefs, or trade union membership), provided that these have been transmitted to us in one of the two aforementioned ways.

The legal basis is the decision on the establishment of an employment relationship or after the establishment of the employment relationship for its implementation according to §26 para.1 BDSG-new and Art. 6 para. 1 lit. b EU-GDPR. After the end of the selection process, we retain all data for a further six months in order to respond legally to any such allegations in the event of potential disputes regarding the application process. Temporary storage is carried out according to Art. 6 para. 1 lit. f EU-GDPR.


Application management portal (Hubdrive)

Please use the encrypted upload function there to apply for jobs with us. Alternatively, you can also send us your application by e-mail, but please note that in this case we cannot guarantee the confidentiality of your data. Although we offer transport encryption (TLS) through our e-mail server, confidentiality may depend on various e-mail relay servers over which we have no control. Whether they also use TLS and whether they evaluate the e-mails is beyond our knowledge and influence. If you have any concerns in this regard, please use the postal service for your application.

We process data submitted to us in applications in Hubdrive. The service is provided by Hubdrive GmbH, Beethovenstrasse 5c, 97080 Würzburg, Germany.

Hubdrive services as a processor for us and uses the legal basis of the data controller. The transmission and processing of personal data takes place exclusively on servers in the European Union. Further information on data protection at Hubdrive can be found here


Participants in training measures

We provide training, education, training, and other education-oriented services (hereinafter generally referred to as “Training”). In order to provide these services, we process personal data of the participants. This data is used to organize and conduct training. Selected data may also be viewable by other participants and trainers.

In the context of a training course, at least the following personal data of you will be processed by us:

  • All data that you have provided to us in preparation for and in the course of a training,
  • Data we need to process contractual matters,
  • Insofar as public funding is used, data necessary for the organization and receipt of funding.

To conduct training, we may also use services mentioned in the section “Participants in online meetings, conference calls with and without images, online support and webinars.”

The legal basis for processing is the fulfillment of the contractual relationship by participating in the training (Art. 6 para. 1 lit. b EU-GDPR). Occasionally, processing may also be based on our legitimate interests (Art. 6(1)(f) EU GDPR) to provide engaging and effective training.


FKC Learning Platform/Learning Management System

We use the service of the FKC learning platform, provided by Fischer, Knoblauch & Co. Medienproduktionsgesellschaft mbH, Lilienthalallee 7, 80807 Munich, Germany.

Fischer, Knoblauch & Co. serves as a processor for us (see section “Cooperation with processors”) and thus uses the legal basis of the data controller.

The learning platform stores additional technical data (comparable to the information in the section “Processed personal data on the website/log data”) as well as transferred data volume, the access status (file transferred, file not found), some technically necessary cookies), as well as learning progress, test results, and survey results.

Further information on how Fischer, Knoblauch & Co. Medienproduktionsgesellschaft handles your personal data can be found in the relevant privacy policy.


Contact

You have the option of contacting us via our email address or the contact form. Of course, we will use the personal data submitted to us in this manner only for the purpose for which you submitted them to us when you contact us. As far as we request any input via our contact form that is not necessary for contacting us, we have always marked this as optional. This information serves to specify your request and improve processing of your request. Disclosure of this information shall expressly be on a voluntary basis and with your consent. As far as this is information on communication channels (e.g. email address, phone number), you also agree that we may contact you through this communication channel as well in order to answer your request. Of course, you may revoke this consent at any time, effective for the future. Please contact contact@staufen.ag or our data protection officer for this, whose contact details you can find below.


Data transfer

Your data will generally not be transferred to any third parties outside Staufen AG, except if we are legally required to do so or if forwarding of the data is required to perform the contract, or if you have expressly consented to passing on of your data. External service providers and partner companies will only receive your data as far as this is required to process your request. In this case, handling of the submitted data shall, however, be limited to the required minimum. As far as our service providers and partners come into contact with your personal data, we will ensure that they comply with the provisions of the data protection laws in the same manner. Please also note the respective data protection notices of the providers. The respective service providers shall be responsible for the contents of third-party services. We shall review the services for compliance with the statutory requirements at the reasonable scope.


Cookies, IP address, anonymized use evaluation

This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses “cookies”, i.e. text files that are stored on your computer and that permit analysis of your use of the website. The information generated by the cookie regarding your use of this website (including your IP address) will be transferred to a server of Google in the USA and stored there. Google will use this information in order to evaluate your use of the website, in order to compile reports on the website activities for the website operators and in order to render further services connected to use of the website. Google may also pass this information on to third parties as far as required by law or as far as third parties process these data on the order of Google. Google shall in no case combine your IP address with any other data of Google. You may prevent installation of the cookies by setting your browser software accordingly; however, please note that you may be unable to use all functions of this website in full then. By using this website, you agree to processing of the data collected about you by Google in the manner and for the purpose described above.

By using this internet offer, you agree to processing of the data collected about you by Google in the manner and for the purpose described above.

You may prevent the installation of Google cookies by setting your browser software accordingly and thus prevent collection and processing of your user data. However, please note that you may be unable to use all functions of this internet offer in full.


Google Analytics

This website uses Google Analytics. On the order of the operator of this website, Google shall evaluate your use of the website, in order to compile reports on the website activities and in order to render further services connected to use of the website.

Since the coordination of the Hamburg officer for data protection and freedom of information with Google based on the resolution of the Düsseldorfer Kreis on the data-protection-compliant design of analysis methods for determination of the reach of internet offers, it has been possible to use Google Analytics in compliance with data protection and without complaints under certain conditions. Of course, we comply with these requirements. Google Analytics also uses “cookies”. The information generated by the cookie regarding your use of this website is usually transferred to a server of Google in the USA and stored there. You may prevent storage of the cookies by setting your browser software accordingly; however, please note that you may be unable to use all functions of this website in full then. You may also prevent transmission of the data generated by the cookie regarding your use of the website (incl. your IP address) to Google and processing of such data by Google by downloading and installing the browser add-on. Clicking here will set an opt-out cookie that will prevent future recording of your data when you visit this website:


LinkedIn Analytics and LinkedIn Ads

We use the conversion tracking technology and the retargeting function of LinkedIn Ireland Unlimited Company, 70 Sir John Rogerson’s Quay, Dublin 2, Dublin, D02r296, Ireland on our website.

With the help of this technology, visitors to this website can be served personalized advertisements on LinkedIn. Furthermore, the possibility arises to create anonymous reports on the performance of the advertisements as well as information on website interaction. For this purpose, the LinkedIn Insight tag is embedded on this website, which establishes a connection to the LinkedIn server if you visit this website and are logged into your LinkedIn account at the same time.

In the privacy policy of LinkedIn you will find more information on data collection and data use, as well as the options and rights to protect your privacy. If you are logged in to LinkedIn, you can deactivate the data collection at any time at the following link: https://www.linkedin.com/psettings/enhanced-advertising

We use the LinkedIn Insight Tag to design our website according to demand and to advertise it (legitimate interest according to Art. 6 (1) lit f. DSGVO).


Google Tag Manager

For reasons of transparency, we inform you that we use the Google Tag Manager. The Google Tag Manager does not record any personal data directly. The Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that are used, among others, to measure traffic and visitor behavior and to record the effects of online advertisement and social channels. We use the tag manager for the Google services Google Analytics and GA Audience. If you have deactivated it, this deactivation will be considered by the Google Tag Manager. For more information on the Google Tag Manager, see: https://www.google.com/intl/de/tagmanager/use-policy.html


Friendly Captcha

We use the service Friendly Captcha on our websites, operated by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. This service checks whether the entries on a contact form, for example, are actually made by a human user or by machine or automated programs (“bots”). For this purpose, program code from Friendly Captcha was integrated so that the user’s device can establish a connection to Friendly Captcha’s servers in order to receive a calculation task from Friendly Captcha. The visitor’s device solves the calculation task, which takes up certain system resources, and sends the calculation result to our web server. This contacts the Friendly Captcha server via an interface and receives as a response whether the puzzle was solved correctly by the device. Depending on the result, we can apply security rules to requests via our website and thus, for example, process them further or reject them.

The data is used exclusively for the protection against bots described above. Friendly Captcha does not set or read cookies on the visitor’s device. IP addresses are only stored in hashed (one-way encrypted) form and do not allow us and Friendly Captcha to identify individuals. The legal basis for the processing is the legitimate interest according to Art. 6 para. 1 lit. f EU-GDPR in protecting websites against abusive access by bots, spam protection, and protection against attacks (e.g., mass requests) and in general to detect and prevent abusive or technically damaging use of our website.

For more information about Friendly Captcha’s privacy practices, please visit here


BCdiploma / Provider of Open Badges/ Digital Training Certificates 

We use the services of BCdiploma, provided by Blockchain Certified SAS, 104 Avenue Albert 1er, 92500 Rueil Malmaison, France. 

BCdiploma is a service for administering, preparing and backing up digital training certificates in Open Badge format. BCdiploma facilitates the issuance of digital and authenticated certificates based on Ethereum blockchain technology.  

We offer this service for our own training programs. The use of certificates prepared using BCdiploma by training attendees is voluntary. The type and scope of data depends on the training. If the training attendee uses training certificates created via BCdiploma, their personal data will be processed for the following purposes: Preparation and issuance of training certificates for the training attendee in digital form , making the certificates available to the training attendee by means of a special online link, and the ability for third parties to verify the authenticity of training certificates, insofar as a verification link has been delivered to the third party by the training attendee. 

All data that is readily accessible to third parties is encrypted and only such encrypted data will be stored in a public blockchain. Consequently, any other subscriber to the blockchain will only have access to encrypted data. Certificate data is stored in the blockchain so that it remains available for the entire life of this blockchain. 

The legal basis for processing is the fulfillment of the contractual relationship by attending the training (Art. 6 (1.b) EU GDPR). Moreover, processing is also based on our legitimate interests (Art. 6(1.f) EU GDPR), specifically to automate and reduce the cost of issuing and storing certificates, to ensure the authenticity of the certificates we issue (and prevent forgery) and to be able to trace how our certificates are used.  

If a training attendee decides to use digital training certificates, this may also involve the processing of personal data (‘last name’, ‘first name’ and ’email address’, if applicable, records of connections and actions, and possibly email correspondence with the support and sales departments) by the BCdiploma provider. The purpose of the processing is to provide the training attendee access to the full range of service features, including user support, maintenance, and troubleshooting of the BCdiploma service, and to improve the quality of the business relationship with the client. The legal basis for this processing of personal data is the legitimate interests pursued by Blockchain Certified SAS pursuant to Art. 6 (1.f) EU DSGVO, i.e. the proper use of the BCiploma Service in accordance with the General Terms of Use and the User Agreements. 

For more information on how Blockchain Certified SAS handles personal data, refer to the relevant privacy policy.


Data security

Staufen AG uses technical and organizational safety measures in order to protect your data managed by us from accidental or willful manipulation, loss, destruction or access by unauthorized persons. Our safety measures will be continually improved according to the technological development. We have aligned our company in accordance with ISO 27001 (information protection management).


Information requirements for whistleblowers

Whistleblowers

We provide communication channels for whistleblowers to report suspected violations of laws that are relevant to us. Personal data of the person providing the information may also be processed. The categories of personal information vary depending on the person providing the information.

The information provided will be processed, among other things, for the purposes of verifying and documenting reports, conducting internal investigations (including disclosure to external lawyers, auditors or other professionals bound to secrecy by professional law, as well as to persons responsible in other parts of the group of companies), and reporting to government authorities (e.g., police, prosecutors, or courts) as appropriate.

The retention period depends on legal requirements, typically three years after the conclusion of a case.

We assure all people who provide information that it will be kept confidential. This is based on the legal requirements of Sections 8 and 9 of the German Whistleblower Protection Act (HinSchG). We accept anonymous tips, but cannot guarantee the anonymity of the individual submitting the tip during the course of the investigation.

The legal basis of the processing is the fulfillment of legal obligations (Art. 6 para. 1 point c EU GDPR).


Service: yourIT Whistleblowing System

We use the service yourIT Whistleblowing System, provided by yourIT GmbH, Häselstr. 10, 72336 Balingen, Germany.

The whistleblowing system is operated as part of the activities of the data protection officer and provides the legally required reporting channels, i.e., textual reports are received via an email address set up specifically for the receipt and processing of whistleblower reports under the German Whistleblower Protection Act (HinSchG); verbal reports are received via a whistleblower hotline at the switchboard and – optionally at the whistleblower’s request – in a personal meeting (both on-site and via video conference). Part of the system is a digital exchange platform that provides confidentiality to whistleblowers. The service is part of the internal whistleblower reporting system and is subject to legal requirements. The transfer and processing is based on the legal basis of the fulfillment of legal obligations (Art. 6 para. 1 point c EU GDPR) and in particular Section 10 of the German Whistleblower Protection Act (HinSchG).

More things to know

Staufen Back To Top Button