This privacy statement clarifies the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions and contents as well as external online presences, such as our social media profile (hereinafter jointly referred to as “online offering”). With regard to the terms used, e.g. “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
t.e.a.m. Unternehmensberatung AG
Authorized representative board: Thorsten Dickhaut, Andreas Sturm
Data protection officer: Christian.Hank@team-ag.de
Types of processed data
- Inventory data (e.g. names, addresses).
- Contact data (e.g. e-mail, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. websites visited, interest in content, access times).
- Meta/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offering (hereinafter refered to as “users”).
Purpose of the processing
- Provision of the online offering, its functions and contents.
- Answering of contact requests and communication with users.
- Security measures.
- Reach measurement/marketing.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term has a broad meaning and covers virtually all processing of data. “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. “Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Art. 13 GDPR we inform you about the legal basis of our data processing. If the legal basis is not stated in the data protection declaration, the following applies: The legal basis for obtaining consent is Art. 6 (1a) GDPR and Art. 7 GDPR, the legal basis for processing for the purpose of fulfilling our services and implementing contractual measures and answering enquiries is Art. 6 (1b) GDPR, the legal basis for processing for the purpose of fulfilling our legal obligations is Art. 6 (1c) GDPR and the legal basis for processing for the purpose of safeguarding our legitimate interests is Art. 6 (1f) GDPR. If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1d) GDPR serves as the legal basis.
In accordance with Art. 32 GDPR and taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. Such measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling the physical access to data as well as the access, input, transmission, ensuring of availability and its separation. Furthermore, we have established procedures to ensure the exercise of data subject‘s rights, the deletion of data and to respond to any threat to the data. Moreover, we take the protection of personal data into account as early as the development or selection of hardware, software and processes, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
Cooperation with processors and third parties
If we disclose data to other persons and companies (processors or third parties) in the course of our processing, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal authorisation (e.g. if the data must be transferred to third parties, such as payment service providers in accordance with Art. 6 (1b) GDPR for the fulfilment of the contract), if you have given your consent, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). If we commission third parties to process data based on a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or store the data in a third country only if the specific requirements of Art. 44 et seq. GDPR are fulfilled. This means that the processing is carried out, for example, on the basis of specific guarantees, such as the officially recognised establishment of a level of data protection equivalent to that in the EU (e.g. for the US through the ” Privacy Shield “) or compliance with officially recognised specific contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
You have the right to obtain confirmation as to whether or not data concerned are being processed and to obtain information on such data, as well as further information and a copy of the data in accordance with Art. 15 GDPR. In accordance with Art. 16 GDPR, you have the right to request the completion of your personal data or the correction of your personal data that is inaccurate. In accordance with Art. 17 GDPR, you have the right to demand that your personal data be deleted without undue delay, or alternatively, in accordance with Art. 18 GDPR, to demand that the processing of your personal data be restricted. In accordance with Art. 20 GDPR you have the right to receive your personal data that you have provided us with and to request that it be transmitted to another controller. You also have the right to bring a complaint before the competent supervisory authority in accordance with Art. 77 GDPR.
Right of withdrawal
You have the right to revoke consents granted with effect for the future in accordance with Art. 7 (3) GDPR.
Right of objection
According to Art. 21 GDPR, you can object to the future processing of your personal data at any time. The objection may in particular be made against processing for the purposes of direct marketing. If your personal data are processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. This also applies to profiling if it is related to direct marketing. If you object, your personal data will no longer be used for the purpose of direct marketing (objection according to Art. 21 (2) GDPR).
Cookies and right of objection for direct marketing
Right to data portability
You have the right to have data, which we process automatically on the basis of your consent or in fulfilment of a contract, handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place as far as it is technically feasible.
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as site operator. You can recognize an encrypted connection by the fact that the address bar of your browser changes from “http://” to “https://” and by the lock symbol in your browser bar. If the SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Erasure of data
The data processed by us will be deleted or restricted in their processing in accordance with Art. 17 GDPR and Art. 18 GDPR. Unless explicitly stated within the scope of this privacy statement, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any legally required storage time. If the data are not deleted because they are required for other and legally permitted purposes, their processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial law or tax law reasons.
According to legal requirements in Germany, the storage takes place in particular for 10 years in accordance with section 147 (1) German General Fiscal Code (AO), section 257 (1), point 1 and 4 and section 257 (4) German Commercial Code (HGB) (books, records, management reports, posting documents, trading books, documents relevant for taxation, etc.) and 6 years in accordance with section 257 (1), point 2 and 3 German Commercial Code (HGB) and section 257 (4) German Commercial Code (HGB) (commercial correspondence).
Additionally, we process
- Contract data (e.g. object of contract, duration, customer category).
- Payment data (e.g. bank details, payment history)
by our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
Order processing and customer account
We process the personal data of our customers in our system within the scope of the ordering process to enable them to select and order the selected products and services, as well as to pay and deliver or execute them. The processed data includes inventory data, communication data, contract data and payment data and the persons affected by the processing include our customers, interested parties and other business partners. The data is processed for the purpose of providing contractual services within the scope of service provision, invoicing, delivery and customer service. The processing is based on Art. 6 (1b) GDPR (execution of order processes) and Art. 6 (1c) (legally required archiving) GDPR. The information marked as required is mandatory to justify and fulfil the contract. We disclose the data to third parties only within the scope of delivery, payment or within the scope of legal permits and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract (e.g. upon customer request for delivery or payment). When using our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the users’ interests in protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 (1c) GDPR. Erasure takes place after the expiry of legal warranty and comparable obligations. The necessity of data storage is reviewed every three years; in the case of legal archiving obligations, erasure takes place after the expiry of these obligations (end of commercial law (6 years) and tax law (10 years) storage obligation).
We process the data of our customers within the scope of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services. In this context we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. subject matter of the contract, duration), payment data (e.g. bank details, payment history), usage and meta data (e.g. in the context of evaluation and performance measurement of marketing measures). As a matter of principle, we do not process special categories of personal data, unless they are part of a commissioned processing. The affected parties include our customers, interested parties and their customers, users, website visitors or employees and third parties. The purpose of processing is to provide contractual services, billing and our customer service. The legal bases of the processing derive from Art. 6 (1b) GDPR (contractual services) and Art. 6 (1f) GDPR (analysis, statistics, optimisation, security measures). We process data which are necessary for the justification and fulfilment of the contractual services and point out the necessity of their specification. Disclosure to external parties will only be made if it is necessary within the scope of an order. When processing the data provided to us within the scope of an order, we act in accordance with the instructions of the client and the legal requirements of an order processing in accordance with Art. 28 GDPR and do not process the data for any other purposes than those specified in the order. We delete the data after expiry of legal warranty and comparable obligations. The necessity of storing the data is reviewed every three years; in the case of legal archiving obligations, deletion takes place after their expiry (6 years according to section 257 (1) German Commercial Code (HGB), 10 years according to section 147 (1) German General Fiscal Code (AO). In the case of data disclosed to us by the client within the scope of an order, we delete the data in accordance with the specifications of the order, generally after the termination of the order.
We process the data of our contractual partners and interested parties as well as other principals, customers, mandators, clients or contractual partners (uniformly referred to as “contractual partners”) in accordance with Art. 6 (1b) GDPR in order to provide them with our contractual or pre-contractual services. The data processed, the type, scope, purpose and necessity of their processing are determined by the contractual relationship. The processed data include the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history). As a matter of principle, we do not process special categories of personal data, unless these are part of a commissioned or contractual processing. We process data which are necessary for the justification and fulfilment of the contractual services and point out the necessity of their provisioning if this is not evident to the contractual partners. Disclosure to external persons or companies is only made if it is required under a contract. When processing the data provided to us within the context of an order, we act in accordance with the instructions of the client and the legal requirements. Within the context of using our online services, we may store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the users’ interests in protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims in accordance with Art. 6 (1f) GDPR or there is a legal obligation to do so in accordance with Art. 6 (1c) GDPR. The data will be deleted when the data is no longer necessary for the fulfilment of contractual or statutory duties of care as well as for dealing with any warranty and comparable obligations, whereby the necessity of keeping the data will be reviewed every three years; otherwise the statutory storage obligations apply.
Administration, financial accounting, office organization, contact management
We process data within the scope of administrative tasks as well as the organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process within the scope of providing our contractual services. The processing bases are Art. 6(1c) GDPR and Art. 6 (1f) GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in processing is in the administration, financial accounting, office organization and archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The erasure of data in relation to contractual services and contractual communication is in accordance with the indications given for these processing activities. In doing so, we disclose or transfer data to the tax authorities, consultants (e.g. tax advisors) or auditors, as well as other fee earners and payment service providers. Furthermore, we store information on suppliers, event organisers and other business partners based on our business interests, e.g. for the purpose of contacting them later. We store these mostly company-related data permanently.
Economic analyses and market research
In order to run our business economically, to be able to identify market trends, wishes of contractual partners and users, we analyse the data available to us on business transactions, contracts, inquiries, etc.. We process inventory data, communication data, contract data, payment data, usage data, meta data on the basis of Art. 6 (1f) GDPR, whereby the persons concerned include contractual partners, interested parties, customers, visitors and users of our online offer. The analyses are carried out for the purpose of economic evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users with information, e.g. on the services they use. The analyses serve us to increase user-friendliness, to optimize our offer and business efficiency. The analyses are solely for our use and are not disclosed externally, unless they are anonymous analyses with summarized values. If these analyses or profiles are personal, they will be deleted or made anonymous upon termination by the user, otherwise after two years from conclusion of the contract. For the rest, the macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.
Data protection notices in the application procedure
We process the applicant data only for the purpose and within the scope of the application procedure in accordance with the legal requirements. The processing of the applicant data is carried out to fulfil our (pre-)contractual obligations within the context of the application procedure in accordance with Art. 6 (lb) GDPR, Art. 6 (1f) GDPR if the data processing becomes necessary for us, e.g. within the context of legal procedures (in Germany, section 26 Federal Data Protection Act (BDSG) applies additionally). The application procedure requires that applicants provide us with their application data. If we offer an online form, the necessary applicant data is marked, otherwise it is derived from the job descriptions and basically includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants may voluntarily provide us with additional information. By submitting their application to us, applicants agree to the processing of their data for the purposes of the application procedure in accordance with the type and scope described in this data protection declaration. As far as special categories of personal data within the meaning of Art. 9 (1) GDPR are voluntarily communicated as part of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2b) GDPR (e.g. health data, such as severely disabled status or ethnic origin). If special categories of personal data within the meaning of Art. 9 (1) GDPR are requested from applicants as part of the application procedure, their processing is also carried out in accordance with Art. 9 (2a) GDPR (e.g. health data if this is necessary for the exercise of the profession). If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form according to the state of the art. Applicants can also send us their applications by e-mail. Please note that e-mails are generally not sent in encrypted form and the applicants themselves must ensure that they are encrypted. We can therefore not take responsibility for the transmission path of the application between the sender and the reception on our server and therefore recommend rather to use an online form or the postal dispatch. Instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post. In case of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicants, the deletion will take place after the expiry of a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
As part of the application process, we admit applicants to our “talent pool” for a period of two years on the basis of consent within the meaning of Art. 6 (1b) GDPR and Art. 7 GDPR. The application documents in the talent pool will be processed solely in the context of future job advertisements and the search for employees and will be destroyed at the latest when the deadline expires. Applicants are informed that by submitting an application, they give their consent to be included in the talent pool, that they have no influence on the current application procedure and that they can revoke this consent for the future at any time and declare their objection in accordance with Art. 21 GDPR.
When contacting us (e.g. via contact form, e-mail, telephone or via social media), the user’s details are processed for the purpose of handling the contact request and its processing in accordance with Art. 6 (1b) GDPR. The information provided by users may be stored in a customer relationship management system (“CRM system”) or comparable inquiry organization. We will delete the requests if they are no longer necessary. We review the necessity every two years; furthermore, the statutory archiving obligations apply.
Hosting and e-mailing
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services as well as technical maintenance services which we use for the purpose of operating this online offer. In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 (1f) GDPR in conjunction with Art. 28 GDPR (conclusion of contract processing agreement).
Collection of access data and log files
We, or our hosting provider, on the basis of our legitimate interests as defined in Art. 6 (1f) GDPR collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited site), IP address and the requesting provider. For security reasons (e.g. to clarify misuse or fraud), log file information is stored for a maximum of 7 days and then deleted. Data whose further storage is required for evidential purposes are excluded from deletion until final clarification of the respective incident.
Social media online presence