Privacy Policy

This privacy policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offerings and the associated websites, features, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”). Regarding the terminology used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

Apenberg + Partner GmbH
Print Business Consultants
Ulmenstraße 21
22299 Hamburg
Email: welcome@apenberg.de
Impressum: https://www.apenberg.de/impressum/
CEO: Michael Apenberg

Types of processed data:

– Inventory data (e.g., names, addresses).
– Contact details (e.g., email, phone).
– Content data (e.g., text inputs, photographs, videos).
– Usage data (e.g., visited websites, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).

Categories of affected individuals

Visitors and users of the online services (hereinafter referred to collectively as “users”).

Purpose of processing

– Provision of the online services, their functions, and content.
– Responding to contact inquiries and communication with users.
– Security measures.
– Reach measurement/marketing.

Terminology Used

“Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier (e.g., cookie), or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” is any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.

“Pseudonymization” is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not assigned to an identified or identifiable natural person.

“Profiling” refers to any type of automated processing of personal data that involves using personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

A “controller” is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.

A “processor” is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.

Applicable Legal Bases

In accordance with Article 13 of the GDPR, we inform you of the legal bases for our data processing. If the legal basis is not mentioned in this privacy policy, the following applies: The legal basis for obtaining consent is Article 6 (1) (a) and Article 7 of the GDPR; the legal basis for processing to fulfill our services and carry out contractual measures as well as to respond to inquiries is Article 6 (1) (b) of the GDPR; the legal basis for processing to fulfill our legal obligations is Article 6 (1) (c) of the GDPR; and the legal basis for processing to safeguard our legitimate interests is Article 6 (1) (f) of the GDPR. In cases where vital interests of the data subject or another natural person require the processing of personal data, Article 6 (1) (d) of the GDPR serves as the legal basis.

Security Measures

We take appropriate technical and organizational measures in accordance with Article 32 of the GDPR, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures specifically include ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, transfer, availability, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and response to data breaches. Additionally, we consider the protection of personal data during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).

Collaboration with Processors and Third Parties

If we disclose data to other persons and companies (processors or third parties) as part of our processing, transmit data to them, or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if the transfer of data to third parties, such as payment service providers, is necessary for contract fulfillment in accordance with Article 6 (1) (b) of the GDPR), if you have given your consent, if a legal obligation requires it, or based on our legitimate interests (e.g., when using agents, web hosts, etc.).

If we engage third parties to process data based on a so-called “data processing agreement,” this is done in accordance with Article 28 of the GDPR.

Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of utilizing services from third parties or disclosing or transferring data to third parties, this will only be done if it is necessary for fulfilling our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we will only process or have the data processed in a third country if the specific conditions of Articles 44 et seq. of the GDPR are met. This means that processing occurs, for example, based on special guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the EU (e.g., for the USA through the “Privacy Shield”) or adherence to officially recognized specific contractual obligations (so-called “Standard Contractual Clauses”).

Right of Withdrawal

You have the right to withdraw consents granted in accordance with Article 7 (3) of the GDPR with effect for the future.

Right to Object

You can object to the future processing of your personal data at any time in accordance with Article 21 of the GDPR. The objection may particularly be made against processing for direct marketing purposes.

Cookies and Right to Object to Direct Marketing

We only use technically necessary cookies and do not use tracking cookies.

“Cookies” are small files that are stored on users’ computers. Various information can be stored within the cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, also known as “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offering and closes their browser. For example, such a cookie can store the contents of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are those that remain stored even after the browser is closed. For example, the login status can be retained when users return after several days. Similarly, such a cookie can store user interests that are used for reach measurement or marketing purposes. “Third-party cookies” are cookies offered by other providers than the controller operating the online offering (otherwise, if they are only the controller’s cookies, they are referred to as “first-party cookies”).

We can use temporary and permanent cookies and will clarify this in our privacy policy.

If users do not wish for cookies to be stored on their computer, they are requested to disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Excluding cookies may lead to functional limitations of this online offering.

A general objection to the use of cookies employed for online marketing purposes can be declared with a variety of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please note that not all functions of this online offering may be available if this is done.

Deletion of Data

The data we process will be deleted in accordance with Articles 17 and 18 of the GDPR or its processing will be restricted. Unless explicitly stated otherwise in this privacy policy, the data stored with us will be deleted as soon as they are no longer required for their intended purpose and there are no legal retention obligations preventing deletion. If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

According to legal requirements in Germany, data must be retained for 10 years in accordance with Sections 147 (1) of the AO, 257 (1) No. 1 and 4, (4) HGB (books, records, management reports, booking documents, commercial books, documents relevant for taxation, etc.) and for 6 years in accordance with Section 257 (1) No. 2 and 3, (4) HGB (commercial letters).

According to legal requirements in Austria, data must be retained for 7 years in accordance with Section 132 (1) of the BAO (accounting documents, receipts/invoices, accounts, documents, business papers, statements of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years for documents related to electronically provided services, telecommunications, broadcasting, and television services provided to non-businesses in EU member states, for which the Mini-One-Stop-Shop (MOSS) is used.

Business-Related Processing

In addition, we process the following data from our customers, interested parties, and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research:

– Contract data (e.g., subject of the contract, duration, customer category).
– Payment data (e.g., bank details, payment history).

Agency Services

We process the data of our customers as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services.

In this context, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., email, phone numbers), content data (e.g., text inputs, photographs, videos), contract data (e.g., subject of the contract, duration), payment data (e.g., bank details, payment history), usage and metadata (e.g., in the context of evaluating and measuring the success of marketing measures). We generally do not process special categories of personal data unless these are part of a commissioned processing. The affected parties include our customers, interested parties, as well as their customers, users, website visitors, or employees, and third parties. The purpose of the processing is to provide contractual services, billing, and our customer service. The legal bases for the processing arise from Article 6 (1) (b) of the GDPR (contractual services), Article 6 (1) (f) of the GDPR (analysis, statistics, optimization, security measures). We process data that are necessary for establishing and fulfilling the contractual services and point out the necessity of their provision. Disclosure to external parties occurs only when it is required in the context of a contract. When processing data entrusted to us in the context of a contract, we act according to the instructions of the clients as well as the legal requirements of a data processing agreement in accordance with Article 28 of the GDPR and process the data for no other purposes than those specified in the contract.

We delete the data after the expiration of statutory warranty and comparable obligations. The necessity of retaining the data is checked every three years; in the case of statutory retention obligations, deletion occurs after these have expired (6 years in accordance with Section 257 (1) HGB, 10 years in accordance with Section 147 (1) AO). In the case of data disclosed to us in the context of a contract by the client, we delete the data according to the specifications of the contract, generally after the end of the contract.

Contractual Services

We process the data of our contractual partners and interested parties as well as other clients, customers, or partners (collectively referred to as “contractual partners”) in accordance with Article 6 (1) (b) of the GDPR to provide our contractual or pre-contractual services to them. The data processed in this context, the type, scope, purpose, and necessity of their processing, are determined by the underlying contractual relationship.

The processed data includes the master data of our contractual partners (e.g., names and addresses), contact data (e.g., email addresses and phone numbers), as well as contract data (e.g., services used, contract content, contractual communication, names of contact persons) and payment data (e.g., bank details, payment history).

We generally do not process special categories of personal data unless these are part of a commissioned or contractual processing.

We process data that is necessary for establishing and fulfilling the contractual services and point out the necessity of providing this information if it is not evident to the contractual partners. Disclosure to external persons or companies occurs only if it is necessary within the context of a contract. When processing data entrusted to us in the context of a contract, we act according to the instructions of the clients as well as the legal requirements.

In the context of using our online services, we may store the IP address and the time of each user action. The storage is based on our legitimate interests, as well as the interests of users in protection against abuse and other unauthorized use. This data will not generally be disclosed to third parties unless it is necessary to pursue our claims in accordance with Article 6 (1) (f) of the GDPR or there is a legal obligation in accordance with Article 6 (1) (c) of the GDPR.

The deletion of the data occurs when the data is no longer necessary for fulfilling contractual or legal duties of care as well as for handling any warranty and comparable obligations, whereby the necessity of retaining the data is checked every three years; otherwise, the statutory retention obligations apply.

Administration, Financial Accounting, Office Organization, Contact Management

We process data as part of administrative tasks as well as the organization of our operations, financial accounting, and compliance with legal obligations, such as archiving. In this context, we process the same data that we process in the provision of our contractual services. The processing bases are Article 6 (1) (c) of the GDPR, Article 6 (1) (f) of the GDPR. Those affected by the processing include customers, interested parties, business partners, and website visitors. The purpose and our interest in processing lies in administration, financial accounting, office organization, data archiving, i.e., tasks that serve to maintain our business activities, fulfill our tasks, and provide our services. The deletion of data concerning contractual services and contractual communication corresponds to the information provided in these processing activities.

In this context, we disclose or transmit data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information about suppliers, organizers, and other business partners based on our business interests, e.g., for later contact. These predominantly company-related data are generally stored permanently.

Business Analyses and Market Research

To operate our business economically, identify market trends, and understand the wishes of our contractual partners and users, we analyze the data we have regarding business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, and metadata based on Article 6 (1) (f) of the GDPR, whereby the affected persons include contractual partners, interested parties, customers, visitors, and users of our online offerings.

The analyses serve the purpose of business evaluations, marketing, and market research. We may consider the profiles of registered users with details, e.g., regarding their utilized services. The analyses help us to increase user-friendliness, optimize our offerings, and ensure business efficiency. The analyses are solely for our use and will not be disclosed externally unless they are anonymous analyses with summarized values.

If these analyses or profiles are personal, they will be deleted or anonymized upon termination by the users, otherwise, after two years from the conclusion of the contract. Furthermore, overall business analyses and general trend determinations will be created anonymously whenever possible.

Privacy Notices in the Application Process

We process applicant data only for the purpose and within the framework of the application process in accordance with the legal provisions. The processing of applicant data occurs to fulfill our (pre-) contractual obligations within the application process within the meaning of Article 6 (1) (b) of the GDPR and Article 6 (1) (f) of the GDPR if the data processing, e.g., becomes necessary for us in the context of legal proceedings (in Germany, § 26 BDSG also applies).

The application process requires that applicants provide us with their applicant data. The necessary applicant data are marked if we offer an online form; otherwise, they are derived from the job descriptions and generally include personal information, postal and contact addresses, and the application documents such as cover letter, CV, and certificates. Additionally, applicants may voluntarily provide us with additional information.

By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process as described in this privacy policy.

If special categories of personal data under Article 9 (1) of the GDPR are voluntarily provided during the application process, their processing occurs additionally in accordance with Article 9 (2) (b) of the GDPR (e.g., health data, such as disability status or ethnic origin). If special categories of personal data under Article 9 (1) of the GDPR are requested from applicants during the application process, their processing occurs additionally in accordance with Article 9 (2) (a) of the GDPR (e.g., health data when required for the exercise of the profession).

If provided, applicants may submit their applications via an online form on our website. The data will be transmitted to us in encrypted form according to the state of the art. Additionally, applicants may submit their applications via email. However, we ask applicants to note that emails are generally not sent encrypted, and applicants must ensure encryption themselves. Therefore, we cannot take responsibility for the transmission of the application between the sender and our server’s reception and recommend using the online form or postal delivery instead. However, instead of applying via the online form or email, applicants still have the option to send their application by mail.

The data provided by applicants may be processed further for the purposes of employment if the application is successful. Otherwise, if the application for a job offer is unsuccessful, the applicants’ data will be deleted. The applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Deletion occurs, subject to a justified withdrawal by the applicants, after a period of six months, so that we can answer any follow-up questions regarding the application and fulfill our documentation obligations under the General Equal Treatment Act. Invoices for any travel expense reimbursements will be archived according to tax law requirements.

Talent Pool

As part of the application, we offer applicants the opportunity to be included in our “Talent Pool” for a period of two years based on consent within the meaning of Articles 6 (1) (b) and 7 of the GDPR.

The application documents in the Talent Pool will only be processed in the context of future job postings and employee searches and will be destroyed at the latest after the expiration of the period. Applicants will be informed that their consent to inclusion in the Talent Pool is voluntary, has no impact on the current application process, and they can withdraw this consent at any time in the future and object within the meaning of Article 21 of the GDPR.

Contacting Us

When contacting us (e.g., via contact form, email, phone, or social media), the user’s information will be processed to handle the contact request and its processing in accordance with Article 6 (1) (b) (within contractual/pre-contractual relationships), Article 6 (1) (f) (other inquiries) of the GDPR. The user’s information may be stored in a customer relationship management system (“CRM system”) or a comparable inquiry organization.

We delete inquiries if they are no longer necessary. We check the necessity every two years; furthermore, the statutory archiving obligations apply.

Newsletter – Mailchimp

The newsletters are sent using the service provider “MailChimp,” a newsletter dispatch platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the privacy policy of the service provider here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement, thereby guaranteeing compliance with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The service provider is used based on our legitimate interests in accordance with Article 6 (1) (f) of the GDPR and a data processing agreement in accordance with Article 28 (3) Sentence 1 of the GDPR.

The service provider may use the recipient data in pseudonymous form, i.e., without assignment to a user, for optimizing or improving its own services, e.g., for the technical optimization of dispatch and presentation of the newsletters or for statistical purposes. However, the service provider does not use the data of our newsletter recipients to contact them directly or to pass the data on to third parties.

Newsletter – Success Measurement

The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a service provider, from its server. During this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, are collected.

This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on the retrieval locations (which can be determined using the IP address) or access times. Statistical data collection also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. While this information can technically be attributed to individual newsletter recipients, it is neither our intention nor, if used, that of the service provider to monitor individual users. Rather, the evaluations serve to identify the reading habits of our users and to adapt our content accordingly or to send different content based on the interests of our users.

Unfortunately, it is not possible to opt out of the success measurement separately; in this case, the entire newsletter subscription must be canceled.

Hosting and Email Dispatch

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services, as well as technical maintenance services, which we use for the operation of this online offering.

In this context, we process, or our hosting provider processes, inventory data, contact data, content data, contract data, usage data, and meta- and communication data of customers, interested parties, and visitors to this online offering based on our legitimate interests in an efficient and secure provision of this online offering in accordance with Article 6 (1) (f) of the GDPR in conjunction with Article 28 of the GDPR (conclusion of a data processing agreement).

Collection of Access Data and Log Files

We or our hosting provider collect data about every access to the server on which this service is located (so-called server log files) based on our legitimate interests in the sense of Article 6 (1) (f) of the GDPR. The access data includes the name of the retrieved website, file, date and time of retrieval, amount of data transmitted, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

Logfile information is stored for security reasons (e.g., to clarify abuse or fraud) for a maximum of 7 days and is then deleted. Data that must be retained for evidentiary purposes are excluded from deletion until the final clarification of the respective incident.

Pirsch Analytics

For web analysis, we use Pirsch Analytics. Pirsch Analytics is a cookie-free web analysis software developed according to the principle of Privacy by Design. To analyze visitor streams, Pirsch Analytics generates a 16-digit number as a visitor ID upon receiving a page view using a hashing algorithm. The input values include the IP address, the user agent, the date, and a salt.

The visitor’s IP address is neither fully nor partially persisted and is completely and irreversibly anonymized through the hash. By incorporating the date and using a salt per webpage, it is ensured that website visitors cannot be recognized for more than 24 hours and cannot be tracked across multiple websites. A rough localization (country/city) is performed via a locally embedded database.

Online Presences in Social Media

We maintain online presences within social networks and platforms to communicate with active customers, interested parties, and users there and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This could pose risks for users, as enforcing their rights could become more difficult. Regarding US providers certified under the Privacy Shield, we note that they commit to adhering to EU data protection standards.

Furthermore, user data is generally processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and resulting interests. These usage profiles may then be used to display advertisements on and off the platforms that presumably match user interests. To this end, cookies are generally stored on users’ computers, which store user behavior and interests. Additionally, data can be stored in usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).

The processing of users’ personal data is based on our legitimate interests in effectively informing and communicating with users according to Article 6 (1) (f) of the GDPR. If users are asked for their consent to data processing by the respective providers (i.e., if they express their consent by checking a box or confirming a button), the legal basis for processing is Article 6 (1) (a), Article 7 of the GDPR.

For detailed information about the respective processing and the options for objection (opt-out), we refer to the linked information from the providers below.

In the case of inquiries for information and the assertion of user rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to users’ data and can take direct action and provide information. If you still need assistance, you can contact us.

Integration of Third-Party Services and Content

We integrate third-party content or service offerings within our online services based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering in accordance with Article 6 (1) (f) of the GDPR) to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”).

This always requires that the third-party providers of this content receive the user’s IP address, as they would not be able to send the content to the user’s browser without the IP address. The IP address is therefore required for the display of this content. We strive to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through the “pixel tags,” information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the users’ devices and may contain technical information about the browser and operating system, referring websites, visit times, and other information regarding the use of our online offering, and may also be linked with such information from other sources.

Google Fonts

In general, when visiting our website, there is no need to call external Google servers to display the Google Fonts, as they are hosted locally. However, if you actively load Google Maps, the following applies:

We incorporate the fonts (“Google Fonts”) from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.