Introduction and terms
2.1 Personal data
“Personal data” is any information relating to an identified or identifiable person (Art. 4 no. 1 GDPR). Personal data relating to an identified person may for example include their name or email address. However, personal data also includes data from which the person's identity is not immediately apparent but which can be used in combination with internal or external information to identify them. A person can for example be identified from their address, bank account information, date of birth, user name, IP addresses and/or location data. All information that can be used in any way to draw conclusions regarding a person's identity is relevant in this context.
“Processing” as defined in Art. 4 no. 2 GDPR means any operation performed on personal data. It refers in particular to the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Data controller and data protection officer
The controller responsible for processing personal data is:
Company: wordinc GmbH ("we")
Legal representatives: Christina Jagdmann (Managing Director)
Address: Eiffestraße 426, 20573 Hamburg, Germany
Telephone: +49 40 300305950
Fax: +49 40 300305958
4. Data protection officer
We have appointed an external data protection officer for our company. He can be reached as follows:
Name: Arne Platzbecker
Address: HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg, Germany
Telephone: +49 40 18189800
Fax: +49 40 181898099
Scope of processing
5. Scope of processing: Website
With respect to the website with the URL www.wordinc.de, we process personal data of the types listed below in sections 6-14. We only process the data which you actively enter on our website (e.g. by filling out forms) or which you provide automatically when using our services.
Your data is processed exclusively by us and is never sold, lent or transferred to third parties. In instances where we engage external service providers to help process your data, this service takes the form of so-called contract processing in which we as the client are entitled to give instructions to our contractors. We use external service providers to host, maintain, look after and develop our website. If other external service providers are engaged to assist with data processing of the types listed in sections 6-14, these are named in the relevant section. Our website is hosted by OMCnet (OMCnet Internet Service GmbH, Ernst-Abbe-Straße 10, 25451 Quickborn, Germany).
Data is never transferred to third countries; neither is any such transfer planned. We will inform you of exceptions to this rule in the processing descriptions provided below.
Individual types of processing
6. Website provision and server log files
6.1 Description of processing activities
Whenever you visit our website, we automatically collect the data which your browser transmits to our server (so-called log files). This data consists of the following:
This data is stored in our system's log files. Your IP address has to be temporarily stored by the system so that our website can be delivered to your terminal device. Your IP address is therefore stored for the duration of the session. However, your IP address is not recorded in our log files.
This type of processing is carried out to facilitate access to the website and to ensure that it is stable and secure. It is also carried out for purposes of statistical analysis and to improve our online services.
6.3 Legal basis
The processing of this data is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 6.2.
6.4 Storage period
This data is erased as soon as it is no longer required for the purpose for which it was collected. If the data is collected in order to provide access to the website, this is the case when the respective session ends. The log files are erased after 7 days.
7 Contact form and email contact
7.1 Description of processing activities
We have provided a contact form on our website through which you can contact us. This contact form requires you to enter your email address, your name and a message to us. When you click the “Send” button, this data is secured by SSL encryption (see section 15) and then transmitted to us. The contact form can only be transmitted if you accept our data protection provisions by activating the respective checkbox. You can also contact us at the email addresses provided on the website. If you do so, we will process the personal data transmitted with your email.
Our purpose in providing a contact form on our website is to offer a convenient way to contact us. The data transmitted in and with the contact form or your email is used solely for the purpose of processing and responding to your query.
7.3 Legal basis
The processing of this data is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 7.2. If the email correspondence relates to the conclusion or performance of a contract, the data is processed for the purpose of performing the contract (Art. 6(1)(b) GDPR).
7.4 Storage period
We erase the data as soon as it is no longer required for the purpose for which it was collected. This is usually the case when our correspondence with you has been terminated. The correspondence is understood to have been terminated when it can be inferred from the circumstances that the matter in question has finally been closed. If legal provisions on mandatory retention periods prevent us from erasing your data, we will do so as soon as the respective mandatory retention period has expired.
8.1 Description of processing activities
8.3 Legal basis
The processing of this data is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 8.2.
8.4 Storage period
Cookies are deleted automatically when the session ends or when the above-mentioned storage period expires. Since cookies are stored on your terminal device, you as the user have full control over their use. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been stored can be deleted at any time. This can also occur automatically. If cookies are deactivated for our website, you will be unable to use certain website functions or will only be able to use them to a limited degree.
9 Social media networks
9.1 Description of processing activities
Our website does not use so-called ‘social media plug-ins’. The logos of the social media networks Facebook, Instagram and Xing displayed on our website link solely to our company profiles on the respective network websites. If you click on one of the logos, you will be forwarded to the external website of the respective social media network.
The social media networks with which you communicate store your data in pseudonymised user profiles which are then used for advertising purposes and market research. This makes it possible for the social media network and other third-party websites to show you advertising that reflects your alleged interests. The social media network usually stores cookies on your terminal device for this purpose. You will find more information about cookies in section 8. You have the right to object to the generation of these user profiles; however, you are required to contact the social media networks directly if you wish to exercise this right.
We maintain profiles on the above-named social media networks for the purpose of up-to-date, supportive public relations and corporate communications with clients and interested parties.
We use the function “Facebook Insights” to make the posts on our Facebook page more appealing to our visitors. This enables us for example to use the information on preferred visiting times to optimise the timing of our posts.
9.3 Legal basis
The legal basis for the processing of data in connection with our profiles on social media networks is the pursuit of our overriding legitimate interests (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 9.2. If your consent is requested by the operator of a social media network, the legal basis is Art. 6(1)(a) GDPR. With regard to our Facebook page, the processing of data is otherwise based on a joint control agreement between ourselves and Facebook pursuant to Art. 26 GDPR. This agreement can be viewed here: https://www.facebook.com/legal/terms/page_controller_addendum.
9.4 Recipients and transfer to third countries
The respective social media networks are operated by the companies specified below. Further information on data protection with regard to our profiles on social media networks is provided in the linked privacy policies.
The social media networks also process your personal data in the USA and have entered the EU-U.S. Privacy Shield. You will find further information about the EU-U.S. Privacy Shield at https://www.privacyshield.gov/EU-US-Framework.
10 Font Awesome
Our website uses “Font Awesome”, an icon display and integration service developed by Fonticons, Inc. We operate Font Awesome exclusively as an installation on our own server. This means that the use and display of icons does not involve the transmission of data by Fonticons, Inc.
11 Google Analytics
11.1 Description of processing activities
The purpose of the data processing is to evaluate use of our website. The information obtained in this way enables us to improve and structure our web presence in accordance with requirements.
11.3 Legal basis
The processing of this data is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 11.2.
11.4 Storage period and right to object
11.5 Recipients and transfer to third countries
Google Analytics renders contract processing services on our behalf. Google also processes your personal data in the USA and has entered the EU-U.S. Privacy Shield. You will find further information about the EU-U.S. Privacy Shield at https://www.privacyshield.gov/EU-US-Framework.
12 Content delivery networks (CDN)
12.1 Description of processing activities
12.3 Legal basis
The processing of this data is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 12.2.
12.4 Recipients and transfer to third countries
13 Google AdWords conversion and Google remarketing
13.1 Description of processing activities
Our website uses the advertising service “Google Adword Conversion” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Google Adwords Conversions enables us to place advertising on external websites in order to draw your attention to our services when you visit them. This service also enables us to determine the reach and success of individual marketing measures. Google delivers our advertising through so-called “ad servers”. To do this, Google uses so-called “ad server” cookies to measure certain parameters that are indicative of success, for example ad displays or user clicks. If you access our website through a Google ad, Google Adwords stores a cookie on your terminal device (see section 8). According to Google, these cookies are not intended to identify you personally. As a rule, the unique cookie ID, the number of ad impressions per placement (frequency), the most recent impression (relevant for post-view conversions) and opt-out information (marker indicating that the user does not wish to be contacted any more) are stored with these cookies as analysis values. The cookies enable Google to recognise your web browser. If a user visits the website of an Adwords client and the cookie saved on their computer has not yet expired, Google and the client can recognise that the user clicked on the advertisement and was transferred to the page in question. A different cookie is assigned to each Adwords client. This means that cookies cannot be tracked through the websites of Adwords clients. We ourselves do not process personal data in connection with our Google Adwords advertising measures. Google merely provides us with statistical analyses. We can use these analyses to determine which of our advertising measures have been particularly successful. We do not receive any other data in connection with the use of advertising; in particular, we are unable to identify users on the basis of this information. The use of these tools means that your browser establishes a connection with the Google servers when you visit our website. We have no influence over the scope of the data collected by Google through the use of Google Adwords, neither can we influence the further use of this data. This means that we can only provide you with information which accords with our own knowledge: after integrating Google Adwords Conversion, Google receives information about which subpage of our website you accessed or is informed you have clicked on one of our advertisements. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or are not logged in, Google may be able to determine your IP address and store it.
You will find further information about data protection at Google here: http://www.google.com/intl/en/policies/privacy and https://services.google.com/sitestats/en.html.
The purpose of the data processing is to enable us to carry out targeted advertising for our own services and to evaluate its effectiveness and reach.
13.3 Legal basis
The processing of this data is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 13.2.
13.4 Storage period and right to object
We explain the storage period and your cookie control and setting options in section 8. Furthermore, you can object to the processing of your data by Google Adword Conversion and Google remarketing at any time by acting on the instructions on the following website: http://www.google.com/ads/preferences.
13.5 Recipients and transfer to third countries
The integration of Google Adword Conversion and Google remarketing may cause personal data to be transmitted to Google. Google also processes your personal data in the USA and has entered the EU-U.S. Privacy Shield. You will find further information about the EU-US Privacy Shield at https://www.privacyshield.gov/EU-US-Framework.
14 Processing applicant data
14.1 Description of processing activities
We process the data you provide in connection with your application to review your suitability for the position (or, if applicable, for other vacant positions in our company) and to conduct the application procedure. In general, the data concerned consists of general personal data (e.g. names, address and contact data), information on your education and professional qualifications, information on further vocational training, knowledge and skills, and any other information you disclose to us in connection with your application. This information is usually provided in cover letters, CVs, references, written correspondence, verbally or by phone.
Our aim is to evaluate all applicants solely on the basis of their qualifications; we therefore request you to refrain from disclosing “special categories of personal data” pursuant to Art. 9 of the General Data Protection Regulation (e.g. photos from which your ethnic origins can be identified, information about severe disabilities etc.) in your application. If your application contains information of this type, please send us a corresponding declaration of consent as we will otherwise be unable to consider it.
If your application is successful, we will transfer your data to your employee record; we will then use it during the course of your employment and to terminate the employment relationship.
If we are unable to offer you employment at this time, we may process your data after sending you a rejection in order to defend ourselves in the event of legal claims, in particular claims relating to any alleged discrimination during the application procedure.
If you are not selected for the vacant post, we will transfer your data to our pool of applicants provided we have your consent to do so.
The purpose of the data processing is to conduct the application procedure, to reach a decision regarding the establishment of a work relationship with us, and to document compliance with statutory provisions during the application procedure.
14.3 Legal basis
The legal basis for the processing of data in connection with application procedures is section 26 par. 1 s. 1 BDSG and Art. 6(1)(b) GDPR. If your application is successful, the legal basis for the further processing of your data is Art. 6(1)(b) GDPR in conjunction with Art. 88(1) GDPR in conjunction with section 26 par. 1 BDSG, the purpose being to establish, continue and terminate the employment relationship. If you have given us your consent, e.g. to add your data to our applicant pool, the legal basis for the processing of your data is Art. 6(1)(a) GDPR. Otherwise, the legal basis for the processing of your data following a rejection is Art. 6(1)(f) GDPR. Our legitimate interest lies in the defence of legal claims.
14.4 Storage period
If your application is successful, your data will be transferred to your employee record and erased in compliance with the provisions that apply to employee records. If we are currently unable to offer you any employment, we will continue processing your data for up to six months following the issue of a rejection. Should we transfer your data to the applicant pool following the application procedure, we will erase your data from the applicant pool in the event of an employment relationship being established at any later date or two years after the transfer.
14.5 Data recipients, transmission of data to third parties, transfer to third countries
After we receive your application, your data is viewed by the human resources department. Suitable applications are then forwarded internally to the department manager responsible for the respective job vacancy. The further proceedings are then agreed. Within the company, your data can only be accessed by the persons who need it for the proper implementation of the application procedure. Your data is not transmitted to third parties. Your data is not transferred to third countries, nor is this planned.
15.1 Description of processing activities
We send out a newsletter at irregular intervals that informs you about special offers and our work. You only receive the newsletter if you actively register on our mailing list or if you are a regular customer.
Only your email address is required to sign up for the newsletter. All other information (e.g. your first name and surname) is optional and serves the sole purpose of personalising the emails.
The purpose of processing the data is to be able to offer the newsletter feature and to send newsletter emails to subscribers as well as to regular customers. Collecting and saving the date, time and IP address when registering for the newsletter serves to document that approval was given and protects against unwanted registration of email addresses.
15.3 Legal basis
The processing of data of our newsletter subscribers is carried out subject to consent and in accordance with Art. 6(1)(a) GDPR. The declaration of consent may be accessed at any time on our website. You may give your consent voluntarily. Collecting and saving the date, time, and IP address when registering for the newsletter is necessary to safeguard the overriding legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose specified in section 15.2.
The processing of data required to send newsletters to our regular customers is carried out on the basis of Article 6(1)(f) GDPR to safeguard the overriding legitimate interests pursued by the controller. Our legitimate interest here is the direct mailing service for regular customers. This is permissible according to Section 7(3) of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, or UWG), which we observe.
15.4 Storage period and right to object
Should you fail to confirm your registration to our newsletter within 24 hours of receiving the confirmation email, your data will be automatically deleted. Otherwise, we will process your personalised data for the duration of your subscription to the newsletter. You may end your subscription to our newsletter at any time by revoking your permission. You may also at any time object to the use of your email address for sending our newsletter to regular customers.
To do so, send a message to that effect via email to firstname.lastname@example.org, via fax to the number +49 40 300 30 59-58, or in a letter sent through the mail. Unsubscribing from the newsletter is also possible by clicking the unsubscribe link included in every newsletter. By revoking your permission, no more newsletters will be sent to you and your personalised data will be removed from our mailing list. We will carry out the revocation by entering your email address to a limited extent on our so-called “black list”. This ensures that you receive no more newsletters from us and that your email address is not misused by third parties.
15.5 Recipients and transfer to third countries
To manage our newsletter and send the emails, we use the services of the newsletter provider Mailchimp. This takes place within the scope of the contract processing arrangements. Mailchimp is a registered trademark of The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (hereinafter: “Mailchimp”). With your newsletter registration, the data given in the registration process is transferred to Mailchimp and processed on Mailchimp servers in the United States. Mailchimp is subject to the EU-US Privacy Shield. You can find more information about the EU-US Privacy Shield at https://www.privacyshield.gov/EU-US-Framework. More information about data protection at Mailchimp can be found in their data protection policy at http://mailchimp.com/legal/privacy/.
16 Security measures
Our website has an SSL/TLS certificate to protect your personal data from unauthorised access. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security”; these functions serve to encrypt data communication between a website and the user's terminal device. You can see whether SSL or TLS encryption is active from the small padlock symbol displayed at the left side of the browser address bar.
17 Rights of data subjects
As the data subject, you have the following rights with regard to the processing of your personal data by our company as described above:
17.1 Information (Art. 15 GDPR)
You have the right to request confirmation from us as to whether we are processing your personal data. If this is the case and the conditions specified in Art. 15 GDPR are met, you have the right to obtain information regarding this personal data along with the other types of information listed in Art. 15 GDPR.
17.2 Rectification (Art. 16 GDPR)
You have the right to obtain from us the rectification of inaccurate personal data and, if applicable, the completion of incomplete data without undue delay.
17.3 Erasure (Art. 17 GDPR)
You have the right to obtain from us the erasure of your personal data without undue delay if one of the grounds set out in Art. 17 GDPR applies, e.g. if your data is no longer required for our purposes.
17.4 Restriction of data processing (Art. 18 GDPR)
You have the right to have us restrict the processing of your data if one of the conditions set out in Art. 18 GDPR applies; if you are contesting the accuracy of your personal data, for example, the processing of your data will be restricted for the time required for us to verify your data.
17.5 Data portability (Art. 20 GDPR)
Provided the conditions specified in Art. 20 GDPR are met, you have the right to request the handover of your personal data in a structured, commonly used and machine-readable format.
17.6 Withdrawal of consent (Art. 7(3) GDPR)
If the processing of your data is based on your consent, you have the right to withdraw this at any time. The withdrawal of your consent applies from the time this right is exercised. In other words, it is effective for the future. Your withdrawal does not affect the lawfulness of any processing that took place beforehand.
17.7 Complaints (Art. 77 GDPR)
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You may exercise this right by lodging a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
17.8 Prohibition of automated decision-making/profiling (Art. 22 GDPR)
Decisions that produce legal effects for you or have similar significant effects may not be based solely on the automated processing of personal data, including profiling. We herewith confirm that we do not carry out automated decision-making/profiling with regard to your personal data.
17.9 Objection (Art. 21 GDPR)
If we are processing your personal data on the basis of Art. 6(1)(f) GDPR (for the pursuit of our overriding legitimate interests), you have the right to object to this provided the conditions specified in Art. 21 GDPR are met. However, this is only possible on grounds that relate to your particular situation. If you lodge an objection, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. Neither do we have to cease processing your personal data if this is necessary for the establishment, exercise or defence of legal claims. Irrespective of your particular situation, you have the right to object at any time to the processing of your personal data for direct marketing purposes.
Version: May 2020