Data Protection Statement

INFORMATION ON DATA PROTECTION

This privacy statement informs you about how we treat your data. To make the processing of your data transparent, we would like to provide you with the following information to give you an overview of these processing operations. To keep things fair, we additionally want to inform you about your rights pursuant to the EU-General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

In addition, we inform you in detail about
 

  1.    General Information
  2.    Data Processing on our Website
  3.    Data Processing on our Social Media
  4.    Further Data Processing

 

IMMAC Holding AG is the controller of the data processing (hereinafter referred to as ‘we’ or ‘us’).

I. General Information

1. Contact

If you have any questions or feedback concerning this information or wish to contact us to exercise your rights, please send your enquiry to

IMMAC Holding AG
Große Theaterstraße 31-35
20354 Hamburg
Tel.: +49 40 34 99 40 0
E-Mail:

2. Legal Basis

The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.

We process personal data in compliance with the data protection regulations, in particular the GDPR and the BDSG. We solely process data based on law. We process personal data

  • solely with your consent (Art. 6 section 1 letter a) GDPR),
  • to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 section 1 letter b) GDPR),
  • to comply with a legal obligation (Art. 6 section 1 letter c) GDPR) or
  • where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 section 1 letter f) GDPR).

If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (section 26 para. 1 sentence 1 BDSG).

3. Period of Storage

Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations. In particular, such statutory retention requirements may result from regulations under commercial or tax law.

4. Recipients of Data

For certain processing activities, we rely on service providers. These processing activities include, for example, hosting, maintenance and support for IT systems, customer and client management, order processing, accounting, marketing or destruction of paper files and data carriers. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.

Apart from that, we may transfer your data to postal and delivery services, our bank, consultants/auditors or the fiscal authority if necessary.

Should your data be transferred to further recipients, you can find this information under the description of the respective processing activity.

5. Processing in the Exercise of your Rights pursuant to Art. 15 to 22 GDPR

If you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof. For the purpose of providing information and preparing such information, we will process the stored data only for this purpose as well as for purposes of data protection control and otherwise restrict processing in accordance with Art. 18 GDPR. These processing operations are based on Art. 6 section 1 letter c) GDPR in combination with Art. 15 to 22 GDPR and section 34 para. 2 BDSG.

6. Your Rights

As the data subject, you are entitled to exercise your rights against us. In particular, you have the following rights:

  • Pursuant to Art. 15 GDPR and section 34 BDSG, you have the right of access to information confirming whether and, if so, to what extent we are processing personal data concerning you.
  • Pursuant to Art. 16 GDPR, you have the right to rectification of your data.
  • Pursuant to Art. 17 GDPR and section 35 BDSG, you have the right to erasure of your personal data.
  • Pursuant to Art. 18 GDPR, you have the right to require us to restrict the processing of your personal data.
  • Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer such data to another controller.
  • Where you have granted us specific consent to a processing activity, you can withdraw such consent at any time pursuant to Art. 7 section 3 GDPR. Any such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal.
  • If you are of the view that the processing of your personal data infringes GDPR provisions, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR.

7. Right to Object

Pursuant to Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e) or letter f) GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 section 2 and section 3 GDPR.

8. Data Protection Officer

You can contact our data protection officer via the following address:

 

II. Data Processing on our Website

During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.

1. Processing of Server-Log-Files

When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. This processing serves the technical administration and security of the website. The data collected will be anonymized immediately or no later than seven days after collection unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.

2. Data Transfer to the USA

Visiting our website may involve the transfer of certain personal data to the USA. For the transfer of data to the USA as a non-member country, a country in which the GDPR is not applicable law, the European Commission has decided in accordance with Art. 45 GDPR that an adequate level of data protection is provided by companies certified under the EU-US Privacy Shield. The transfer to such companies in the USA is, therefore, lawful. Certified companies are listed by the U.S. Department of Commerce at: https://www.privacyshield.gov/list.

3. Contact Form

Our website contains a contact form via which you can send us messages. Your data will be transferred encrypted (recognizable by the ‘https’ in the address field of your browser). All data fields marked as mandatory must be filled in to enable us to process your request. Failure to fill in the mandatory fields results in our inability to process your request. Providing further data is voluntary. Alternatively, you can send us a message via the contact email address. We will process the transferred data in order to process the request. If your request aims at conclusion or performance of a contract with us, the processing is based on Art. 6 section 1 letter b) GDPR. Apart from that, we process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.

5. Cookies

We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit a website. This makes the browser identifiable so it can be recognised by our web server. We use so-called ‘session cookies’, which are deleted when the browser session is ended. Other cookies (‘persistent cookies’) are automatically deleted after a specific period, which may vary depending on the cookie.

In part, the use of cookies is necessary to maintain functionality and operation of our website. Apart from that, we use cookies and similar technologies to measure the coverage of our website and analyse the use of our website.

Cookies are stored on the computer of the user. Therefore, you as the user have full control over the use of cookies. You can delete cookies in the security settings of your browser at any time. You can object to the use of cookies entirely or for certain cases in your browser settings. Further information from the Federal Office for Information Security is available at
https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html.

You can find information on how we use cookies and similar technologies in the description of the specific processing activity. Further information about cookies used on our website can be found via the privacy settings in the consent banner.

You can change the settings on the consent banner via the following link:
Privacy Preference

6. Google Analytics

In order to evaluate visits to our website, we use Google Analytics, a service provided by Google Ireland Limited (Ireland/EU). Google uses cookies enabling analysis of the use of our website. During this process, personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about your interaction with our website will be collected. The information aggregated through the cookie will normally be transferred to Google’s servers in the USA and stored there. Google will use this information on our behalf, to analyse the use of our website, create reports about the general activity on our website and to provide us with further services in relation to the use of our website. During this process, the data can be used to build pseudonymous user profiles for single users.

We only use Google Analytics with activated IP address anonymisation. With this setting the user’s IP address will be shortened within the EU or the European Economic Area. The user’s full IP address will only be sent to Google’s servers in the USA and shortened there in exceptional cases. The user’s IP address provided by the user’s web browser will not be merged with other data stored by Google.

We use a product variant called Google Universal Analytics. This service enables us to connect data from multiple sessions and multiple devices under a unique User-ID. By using it, we can put single user interactions in a broader context and are able to analyse long term relationships.

User interaction data will be stored for a duration of 14 months and will be deleted automatically afterwards. The deletion process of data for which the storage period has expired is performed automatically, once per month.

The setting of cookies and the processing of personal data described here are conducted with your consent. The legal basis for the processing of personal data through Google Analytics is therefore Art. 6 section 1 letter a) GDPR. You can prevent the storage of cookies by Google Analytics by changing the respective settings of your web browser. Furthermore, you can prevent the collection of the information aggregated by the cookie by downloading and installing the browser plugin available via the following link: https://tools.google.com/dlpage/gaoptout.

If you are visiting our website with a mobile device, you can disable Google Analytics by clicking this link. Please be advised that we will document your consent, as we are required to do by Art. 7 section 1 GDPR. Because we are required to do so by law, the legal basis for the storage is Art. 6 section 1 letter c) GDPR.

Using Google Analytics, a transfer of your personal data to the US based Google LLC cannot be ruled out. Google LLC (USA) is certified under the EU-US Privacy Shield.

7. Integrated Services and Third-Party Content

We use services and content (hereinafter referred to collectively as ‘Content’) provided on our Website by third parties. For the integration of such Content we rely on a two-click-solution. With the two-click-solution no connection will be established with the third party at first. Instead, a placeholder is loaded from our server. This can be a preview image of the integrated maps or videos. Connection to the third-party server will only be established after clicking on the respective placeholder. Thus, the IP address is only transferred if you confirm this by clicking on the placeholder.
The data processing is based on your consent and finds its legal basis in Art. 6 section 1 letter a) GDPR.

We have incorporated into our website content from the following third-party services.

  • ‘Google Maps’ by Google Ireland Limited (Ireland/EU) to display maps. Using Google services, a transfer of your personal data to the US based Google LLC cannot be ruled out. Google LLC (USA) is certified under the EU-US Privacy Shield.
  • ‘YouTube’ by YouTube LLC (USA) to display videos. YouTube is certified under the EU-US Privacy Shield as a Google subsidiary.

On our website, we use further services and contents by third parties which are necessary for the proper operation of our website and for providing specific functions of the site. For such an integration processing your IP address is necessary, so that the Content can be sent to your browser. Your IP address will, therefore, be transferred to the respective third-party providers. This data processing is carried out in order to safeguard our legitimate interests and finds its legal basis in Art. 6 section 1 letter f) GDPR. You can object to this data processing at any time by changing the settings of your browser or by using certain browser extensions. One such extension is the uMatrix matrix-based firewall for the Firefox and Google Chrome browsers. Please note that this may result in restrictions of the functionality of the website.

We have incorporated into our website content from the following third-party services:

  • ‘Google Web Fonts’ by Google Ireland Limited (Ireland/EU) to display fonts. Using Google services, a transfer of your personal data to the US based Google LLC cannot be ruled out. Google LLC (USA) is certified under the EU-US Privacy Shield.
  • ‘Fontawesome’ by Fonticons Inc. (USA) to display fonts and icons. Fonticons is not certified under the EU-US Privacy Shield.

 

III. Data Processing on our Social Media

We operate company pages on multiple social media platforms via which we offer further opportunities to obtain information about our company and for exchange. We operate company pages on the following social media platforms:

  • Facebook
  • LinkedIn
  • Xing
  • YouTube

Visiting a company page on social media can result in your personal data being processed. The information in your social media account constitutes personal data. This also encompasses messages and statements made with the account. Additionally, certain information about your visit to a company page is often collected automatically during your visit.

1. Data Processing during the Visit of a Social Media Page

a. Facebook Page

Certain information about you is processed relating to your visit to our Facebook page on which we present our company or individual products. Facebook Ireland Ltd (Ireland/EU – ‘Facebook’) is the sole controller of this processing. Further information about the processing of personal data by Facebook is available via https://www.facebook.com/privacy/explanation.

Facebook provides the opportunity to object to certain processing activities; corresponding information and opt-out-methods are available via https://www.facebook.com/settings?tab=ads.

Facebook provides us with anonymised statistics and insights for our Facebook page, which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). These insights are created based on certain information about persons who have visited our page.

Facebook and we are joint controllers of this processing. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f) GDPR. It is impossible to match the information obtained via insights to individual accounts which interact with our Facebook page.

We have concluded an agreement with Facebook on joint controllership in which the data protection duties are allocated between Facebook and us. Details of the processing of personal data for the creation of insights and of the agreement we concluded with Facebook are available via https://www.facebook.com/legal/terms/information_about_page_insights_data.

Regarding these processing activities, you may also exercise your rights (see above ‘Your Rights’) against Facebook directly. Further information is available in Facebook’s privacy statement via https://www.facebook.com/privacy/explanation.

Please note that user data is also processed in the USA and other third countries according to Facebook’s data protection guidelines. Facebook only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR. Facebook Inc. is certified under the EU-US Privacy Shield and, thus, provides an adequate level of data protection pursuant to Art. 45 GDPR (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

b. LinkedIn-Company Page

Generally, the LinkedIn Ireland Unlimited Company (Ireland/EU – ‘LinkedIn’) is the sole controller of the processing of your personal data relating to a visit to our LinkedIn page. Further information on the processing of personal data by LinkedIn is available via https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). For this purpose, LinkedIn processes, in particular, such data that you already shared with LinkedIn by adding it to your profile like, for example, position, country, field of work, seniority, company size and employment status. Further, LinkedIn collects information on how you interact with our LinkedIn company page, for example whether you follow our LinkedIn company page.

LinkedIn does not share personal data with us by providing us with the insights. We only have access to a summarized version of the insights. Also, we are unable to make conclusions about individual members from the information in the insights.

LinkedIn and we are joint controllers of the processing regarding the page insights. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f) GDPR.

We have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via https://legal.linkedin.com/pages-joint-controller-addendum. The agreement stipulates the following:

  • LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details in the data protection guidelines. You can contact the Data Protection Officer of LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.
  • LinkedIn and we have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see www.dataprotection.ie) or any other supervisory authority.

Please note that user data is also processed in the USA and other third countries according to LinkedIn’s data protection guidelines. LinkedIn only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR. The LinkedIn Corporation is certified under the EU-US Privacy Shield and, thus, provides an adequate level of data protection pursuant to Art. 45 GDPR (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active).

c. Xing

Generally, the New Work SE (Germany/EU) is the sole controller of the processing of your personal data relating to your visit to our Xing profile. Further information on the processing of personal data by New Work SE is available via https://privacy.xing.com/de/datenschutzerklaerung.

d. YouTube

Generally, Google Ireland Limited (Ireland/EU) is the sole controller of the processing of your personal data relating to your visit to our YouTube channel. Further information on the processing of personal data by YouTube and Google Ireland Limited is available via https://policies.google.com/privacy.

2. Processing of Data you Share with us via our Company Pages

Additionally, we process information which you provide us with via the respective social media platform. Such information can include the username, contact details or a message to us. Generally, we only process this personal data if we have expressly requested you to share this data with us like, for example, in connection with a survey or a lottery. We are the sole controller of such processing activities.

We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
Additionally, we might process such data shared with us for purposes of evaluation or marketing. Such processing is based on Art. 6 section 1 letter f) GDPR and serves our legitimate interest to develop our product range and inform you about our product range. Further data processing can take place if you have consented (Art. 6 Sec. 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 Sec. 1 letter c) GDPR).

 

IV. Further Data Processing

1. Contact via Email

If you send us a message via our contact email address, we will process the transferred data in order to process the request. We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.

2. Contractual Relationship

In order to establish and execute the contractual relationship with our customers, suppliers and business partners it is regularly necessary to process the master, contract and payment data provided to us. If we process personal data of our contact persons at commercial customers, suppliers and business partners in the course of this, this happens in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. If you are our contract partner, we process your data to perform the contract pursuant to Art. 6 section 1 letter b) GDPR. Further data processing can take place if you have consented (Art. 6 Sec. 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 Sec. 1 letter c) GDPR).

Last update: 20.05.2020