Privacy Policy Moving Adventures Medien GmbH

As of June 5, 2024

1. SUBJECT MATTER AND SCOPE OF APPLICATION

This Privacy Policy provides information about which personal data is collected during individual processing operations and how and for what purposes this personal data is processed.

This Privacy Policy provides information about data processing when visiting the various websites of our tours and events, our ticket portal Outdoorticket and our streaming portal Outdoor Cinema, but also in other contexts, e.g. about the processing of customers' data when purchasing tickets, participating in competitions, applicants and participating in video conferences.

Your personal data will always be processed in accordance with the statutory data protection regulations and this Privacy Policy.

2. CONTROLLER AND DATA PROTECTION OFFICER

Controller is
Moving Adventures Medien GmbH
Thalkirchner Straße 58
80337 München
Deutschland
Tel. +49-(0)89-383 967-80
Fax +49-(0)89-383 967-40
e-mail: info@moving-adventures.de.

Our data protection officer is Rechtsanwalt Christian Schmoll
e-mail: c.schmoll@compliance.one.

If you have any questions about data protection, you can contact our data protection officer at any time.

3. VISITING THE WEBSITE

3.1 Hosting and Log Files

Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing end device. The following data is recorded or logged:

  • IP address of the calling computer
  • Operating system of the calling computer
  • Browser version of the calling computer
  • Name of the retrieved file/website
  • Date and time of retrieval
  • Transferred amount of data
  • Referring URL

This data is processed in order to be able to present the website, to ensure the security, availability and integrity of the website (e.g., detection and defense against DoS attacks or access by bots), to improve the quality and presentation of the website, to be able to identify and correct errors and for statistical purposes. This data is regularly deleted after a few days.

The website is hosted by a service provider on the basis of a data processing agreement.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the legitimate interest of the Controller in the above-mentioned purposes.

3.2 Cookies

Cookies are used on the website. Cookies are pieces of information that are transferred from our web server or third-party web servers to the browser of the website visitor and stored there for later retrieval. Cookies can be small files or other types of information storage. Information is stored in cookies that is generated in connection with the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. A cookie also contains information about its origin and the storage period. However, this does not mean that the identity of the website visitor can be obtained directly from a cookie.

When you visit the website, cookies are set that are absolutely necessary for the operation of the website. These absolutely necessary cookies may, for example, be cookies that are required to display the website with a content management system, that are used to recognize language settings or that are used to document whether consent has been given to the setting of further (optional) cookies or whether such storage has been rejected. The strictly necessary cookies, including their purpose and storage or deletion period, are explained below.

Optional cookies are also used, for example, to collect additional information about the interests of visitors to the website or their usage behavior in order to analyze and optimize the website and customer interactions in general.

Optional cookies, including their purpose and storage or deletion period, are explained below. Optional cookies are only set if you have expressly consented to the setting of optional cookies.

3.3 Google Tag Manager

The tool Google Tag Manager is used on the website. Google Tag Manager is provided by Google Ireland Limited in Ireland. The provider acts as a data processor on the basis of a data processing agreement.

The tool Google Tag Manager allows tags to be integrated centrally via a user interface. Tags are small sections of code that can track activities. Script codes from other tools are integrated via the tool and it is possible to control when a specific tag is triggered.

The tool Google Tag Manager is only used to integrate and control other tools; with the exception of the IP address of website visitors, the tool Google Tag Manager does not process any personal data.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the Controller's legitimate interest in the simple central integration and control of other tools. If consent has been obtained for the use of the tool, the expressly granted consent, which can be revoked at any time, constitutes the legal basis.

3.4 Google reCAPTCHA

The tool reCAPTCHA provided by Google Ireland Limited in Ireland is used on the website. The provider acts as a data processor on the basis of a data processing agreement.

reCAPTCHA is used to determine whether a person or computer makes a certain entry in a form. Google uses the following data to check whether a person or computer is making an entry IP address of the end device used, the website that is visited and on which the captcha is integrated, the date and duration of the visit to the website, information on the type of browser and operating system used, the Google account if the user is logged in to Google, mouse movements on the reCAPTCHA areas and tasks in which images are to be identified.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The use of the reCAPTCHA service is absolutely necessary in order to provide the website securely. The legal basis for the data processing described is the Controller's legitimate interest in the security of the website and, in particular, protection against automated input and attacks.

3.5 Videos (YouTube)

YouTube videos are embedded on the website. These are provided by Google Ireland Ltd. in Ireland via a plugin. The provider acts as a data processor on the basis of a data processing agreement.

When a website with the YouTube plugin is accessed, a connection to Google is inevitably established and the IP address of the website visitor is transmitted to Google.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the Controller's legitimate interest in the integration of videos and the associated optimization of the interactivity of the website and customer interactions. If consent has been obtained, the expressly granted consent, which can be revoked at any time, constitutes the legal basis.

3.6 Videos (Vimeo)

Videos are embedded on the website. This functionality is made available via a plugin provided by Vimeo, LLC, in the USA. The provider acts as a data processor on the basis of a data processing agreement.

When you visit a website that is equipped with such a Vimeo plugin, a connection to Vimeo is established and your IP address is transmitted to Vimeo. Even if you start a video by clicking on it, this information is transmitted to Vimeo. If you are logged in to Vimeo, the transmitted information may be linked to your Vimeo account.

Further information on the scope and purpose of data processing by Vimeo and the processing and use of your data by Vimeo as well as your setting options for protecting your privacy in this regard can be found in Vimeo's privacy policy at https://vimeo.com/privacy. Additional information on the use of cookies by Vimeo can be found here in the Vimeo Cookie Policy at https://vimeo.com/cookie_policy.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing in the context of embedding videos is the express consent given and revocable at any time.

3.7 Google Maps

The website uses the Google Maps service provided by Google Ireland Limited in Ireland. The provider acts as a data processor on the basis of a data processing agreement.

Google Maps enables the display of interactive maps. When a website on which Google Maps is used is accessed, information about the use of the website by the respective website visitor (e.g. the IP address) is transmitted to Google's servers in the USA and stored there.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the Controller's legitimate interest in providing a user-friendly and interactive website. If consent has been obtained, the expressly granted consent, which can be revoked at any time, constitutes the legal basis.

3.7 Web Analytics (Google Analytics)

The website uses the web analytics service Google Analytics provided by Google Ireland Limited in Ireland. The provider acts as a data processor on the basis of a data processing agreement.

Google Analytics uses JavaScript tags to collect information about the use of the website. Google Analytics uses cookies to collect information on the interactions of visitors to the website with the website.

As part of the use of Google Analytics, the IP address of visitors to the website, information about the use of the website, browser type and version, operating system used, the previously visited page and the time of the server request are transmitted to Google servers and processed there.

The IP addresses of users collected are truncated within the EU before being transmitted to the USA. Only in exceptional cases, in the event of technical faults in Europe, will the unabridged IP address be transmitted to Google in the USA and abbreviated there. The transmitted IP addresses are not merged with other Google data.

Accordingly, personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the express consent of the website visitor.

3.8 Google Ads

The website provider uses the Google Ads advertising program provided by Google Ireland Limited in Ireland. The provider acts as a data processor on the basis of a data processing agreement.

The Google Ads advertising program makes it possible to display targeted, interest-based advertisements on the Google search engine and on third-party websites and to evaluate and optimize the performance of individual advertisements, e.g. by analyzing which advertisements were clicked on and how often.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the express consent of the website visitor.

3.9 Google AdSense

The website uses the Google AdSense advertising service provided by Google Ireland Limited in Ireland. Google. The provider acts as a data processor on the basis of a data processing agreement.

AdSense makes it possible to display targeted advertisements from third parties on the website or to have them displayed by Google. The content of the advertisements is selected based on the interests and previous user behavior of the website visitors. Google AdSense uses cookies and so-called "web beacons" (small invisible graphics) and device fingerprints (which can be used to recognize end devices based on the configuration).

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the express consent of the website visitor.

3.10 Tracking-Pixel

Tracking pixels and cookies from various providers, e.g. LinkedIn, Bing, Meta, Google, Outbrain, Pinterest, Snapchat, Taboola, TikTok, Twitter and/or Yahoo Native (Gemini), are used on the website to track the use of the website and the actions of website visitors for the purpose of conversion tracking.

The tracking pixels are a code snippet that can be used to track the actions of visitors to the website, which makes it possible to personalize and improve advertisements and measure their success. In this way, the use of the website can be evaluated for statistical and market research purposes and advertising campaigns can be optimized.

The data collected via the tracking pixels can be used by the providers of the respective pixels for their own tracking and advertising purposes. Further details can be found in the Privacy Policies of the providers of the respective pixels.

If a visitor to the website is a member of a social media platform of one of the providers of the tracking pixels and has allowed the respective provider to do so via the settings of the user account with the social media network, the provider of the social media network or tracking pixel can link the information collected about the visit to the website with the associated user account with the respective social media network and use it for the targeted placement of advertisements.

The website provider can also measure the effectiveness of advertisements in the respective social media networks and see whether a user was redirected to the website via such advertisements (conversion measurement).

When such tracking pixels are integrated, personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing, including the transfer of data to LinkedIn, is the express consent of the visitor to the website.

4. TICKET PURCHASE AND ONLINE SHOP

In the course of processing orders that you place in our online shop, we process inventory data (e.g. names, contact addresses, delivery addresses) and contract data (e.g. tickets purchased or other services used, payment information) to fulfill our contractual obligations.

If you order a ticket for a third party, we process the personal data of the third party provided by you (name and contact details, if applicable) for ticket personalization and, if applicable, for sending the ticket to the third party. If you order a ticket for a third party, you must ensure that the third party has been sufficiently informed by you about the processing of its data by us and that you are authorized to provide the third party's data as part of the order.

If you provide us with health data (e.g., severely disabled status) as part of an order or inquiry, we will only process these special categories of personal data if you have given us your consent to do so and if the processing is necessary to fulfill your order or respond to your inquiry.

If you purchase tickets or other products and services in our online shop, we offer you various payment options. For payment processing (and, if applicable, a refund of the payment), we transmit your personal data to banks, payment service providers, financial service providers and credit card companies, depending on the payment method selected.

When paying with PayPal, your billing-related data will be passed on to PayPal (Europe) S.à r.l. et Cie, S.C.A., in Luxembourg. The data protection information of PayPal is available at paypal.com/de/webapps/mpp/ua/privacy-full.

When paying by means of the service Sofortüberweisung, billing-relevant data is transmitted to Sofort GmbH in Germany. Information on data protection at Sofort GmbH is available at klarna.com/sofort/kundenservice/erfahre-mehr-ueber-den-datenschutz-bei-sofort-gmbh-a-klarna-group-company.

When paying in the shop by credit card, we use the payment service provider Stripe Payments Europe Ltd. in Ireland. Information on data protection at Stripe can be found at stripe.com/de/privacy

The processing of this data is necessary to carry out the transactions with the respective payment service provider.

The data processing in the context of payment processing is governed by the data protection information of the respective payment service provider, which is available on the website or in the app of the respective payment service provider.

If we send tickets or other products and services to you, we will transmit your personal data to the respective shipping service provider commissioned.

This data processing in the context of orders in the online shop is necessary for the fulfillment of the contract. Accordingly, the legal basis is Art. 6 para. 1 lit. b) GDPR.

If the initiation of a collection procedure is necessary, we transmit your personal data to collection service providers who carry out the procedure for us. The legal basis for this data processing and transfer is the performance of the contract pursuant to Art. 6 para. 1 lit. b) GDPR and our legitimate interest in enforcing our legal claims (Art. 6 para. 1 lit. f) GDPR).

In the context of legal disputes, we transmit your data to the respective court and, if applicable, the lawyers involved in order to conduct the legal dispute. The legal basis for this data processing and transfer is the fulfillment of a legal obligation based on Art. 6 para. 1 lit. c) GDPR as well as our legitimate interest to protect, enforce and/or defend our legal interests (Art. 6 para. 1 lit. f) GDPR).

5. STREAMING-PORTAL OUTDOOR-CINEMA.NET

For the provision of our streaming portal at outdoor-cinema.net, we use the service provider Shift72 in New Zealand as a processor. As part of the provision of the streaming portal by the service provider, the service provider receives access to personal data of the users of our streaming portal (inventory data at login, IP address, payment data, usage data) in order to provide the streaming portal to the users.

We have concluded an order processing agreement with the service provider in accordance with Art. 28 GDPR.

When using the streaming portal, personal data is transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

Detailed information on data protection at Shift 72 can be found here: shift72.com/privacy-policy.

6. TICKETING AND SUPPORT

When making support requests or creating support tickets and when processing requests, the personal data provided, the user's contact details and the other content and information provided are collected and processed in order to manage, process and document the respective request. In addition, information about the browser, the IP address and the location of the respective user is processed.

An external service provider is used as a data processor for the ticketing system.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this storage and processing is the performance of the contract or the implementation of pre-contractual measures and/or the Controller's legitimate interest in the provision of services and communication with the users of the website or platform and the provision of optimal support for the users of the platform or visitors to the website.

7. PROSPECTS, CUSTOMERS AND SERVICE PROVIDERS (CRM)

If you contact us, e.g. by email or via a contact form, the information you provide will be processed for the purpose of handling your inquiry.

We need the information requested in a contact form in order to process your inquiry, address you correctly and send you an answer.

We process the data of our customers, service providers and suppliers as part of the provision of our contractual services. This may involve processing inventory data (e.g. surname and first name of the contact person(s), address), contact data (e.g. email address, telephone number), contract data (e.g. subject matter of the contract, term), payment data and data that is collected as part of the provision of services and/or is necessary for the provision of services.

Inquiries and customer relationships are regularly processed in our CRM system. The data processed (surname, first name, title, postal address, date of birth if applicable, your specific interest in our products and services and your interactions with us) may also be used by us for direct marketing purposes, in particular for postal advertising, in compliance with legal requirements.

The legal basis for this data processing is the Controller's legitimate interest in communicating with customers, service providers, suppliers, interested parties, visitors to the website and other third parties, in maintaining relationships with interested parties, customers and service providers and in marketing the products and services. If the contact is aimed at the conclusion of a contract or takes place in the context of the performance of a contract, the legal basis for the processing is the fulfillment of the contract or the implementation of pre-contractual measures.

8. E-MAIL NEWSLETTER

8.1 Registration

You can register on the website to receive an e-mail-newsletter. When you register, the data from the input screen, the IP address of the accessing computer and the date and time of registration are collected and stored.

The so-called "double opt-in" procedure is used to verify that a registration for the sending of a newsletter is made by the actual owner of an e-mail address. In this process, a confirmation e-mail is sent to the registered e-mail address after an e-mail address has been registered. Registration for the newsletter is only completed when a confirmation link contained in the confirmation email is activated. The IP address of the accessing computer and the date and time of activation of the confirmation link are also collected and stored.

You can unsubscribe from the newsletter at any time by using the unsubscribe link contained in each newsletter or by contacting the Controller using the contact details provided above.

The legal basis for the processing of data as part of the registration and sending of the email newsletter is your express consent, which can be revoked at any time.

Please note that if consent is withdrawn, the consent data will be stored until the statutory limitation period expires to enable the Controller to defend itself legally if necessary. The duty of accountability and proof takes precedence over the duty of erasure for this period. The legal basis for this retention of consent data is the fulfillment of a legal obligation (accountability) and the Controller's legitimate interest in a potential legal defense.

8.2 E-mail Newsletter for Existing Customers

If you register as a user of the platform and enter your e-mail address, it may be used to send you an e-mail newsletter, provided you have not objected to such use. Only direct advertising for our own similar goods or services is sent via the e-mail newsletter as part of an existing customer relationship. You can object to the use of your email address for this purpose at any time, without incurring any costs other than the transmission costs according to the basic rates, by using the unsubscribe link contained in each email newsletter or by contacting the Controller using the contact details given above.

The legal basis for sending the email newsletter as part of an existing customer relationship is the Controller's legitimate interest in carrying out direct marketing measures.

Please note that in the event of an objection to the further sending of the email newsletter as part of an existing customer relationship, the consent data will be retained until the expiry of the statutory limitation period in order to enable the Controller to defend itself legally if necessary. The obligation to provide accountability and evidence takes precedence over the obligation to delete data for this period. The legal basis for this retention of consent data is the fulfillment of a legal obligation (accountability) and the Controller's legitimate interest in a potential legal defense.

8.3 Newsletter Analytics/Tracking

A statistical analysis of usage data can be carried out for the email newsletter. For this purpose, the openings of the e-mail and the internal clicks are collected and stored. This information is used to measure and optimize the success of the email newsletter campaigns by making the content of the email newsletters more interesting and relevant for the target group.

The legal basis for this analysis is the consent expressly granted and revocable at any time.

8.4 Newsletter Service Provider

An external service provider is used as a data processor to send and analyze the email newsletter.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

9. SOCIAL MEDIA

9.1 Social Media Buttons

Social media buttons of various social media networks (e.g. Linkedin, Instagram, Twitter and Facebook) are integrated on our website.

If you click on one of these social media buttons, you will be redirected to our pages on the respective social media network. In this case, the provider of the respective social media network receives the information that your browser has accessed the corresponding page of our website, even if you do not have a profile with the respective social media network or are not logged in there. This information (including your IP address) is transmitted by your browser directly to a server of the respective provider. If you click on a social media button and are either logged in to the respective social media network or then log in to the page of the respective social media network, the transmitted information can be assigned to your account with the social media network.

For information on the purpose and scope of data collection and processing by the providers of the respective social media network, the provider identification, a contact option and your rights and setting options for data protection, please refer to the respective privacy policy of the providers of the social media networks.The legal basis for the integration and use of social media buttons is Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the marketing of our offers and our website.

9.2 Social Media Pages

We maintain a publicly accessible profile on various social media networks (e.g. Linkedin, Instagram, Twitter and Facebook).

If you visit our social media pages and are logged in to the respective social media network, the provider of the respective social media network can analyze your usage behavior and assign the information collected to your account with the social media network and enrich it there. Even if you are not logged in or if you do not have an account with the respective social media network, personal data may be collected by the provider of the respective social media network, for example your IP address or data collected via a cookie.

The operators of the social media networks can use this data to create user profiles. Based on your user profile, you can then be shown interest-based advertisements both on the websites of the social media network and on other websites.

If you visit one of our social media pages, we are jointly responsible with the provider of the social media network for the collection and processing of your personal data that takes place there. For information on the collection and processing of your personal data that takes place there, we refer you to the privacy policy of the respective social media network.

You can assert your data subject rights in accordance with Chapter III. of the GDPR (right to information, correction, deletion, restriction of processing, data portability, etc.) both against us and against the provider of the respective social media network. In this context, we would like to point out that we can only influence the processing of personal data and the implementation of data subject rights within the framework of our social media pages within the scope of the possibilities made available to us by the respective provider.

The legal basis for our use of social media pages is Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the presence and marketing of our products and services on the Internet.

10. COMPETITIONS/SWEEPSTAKES

When participating in one of our offline or online competitions, we collect and process the personal data provided by the participants as part of their participation in the competition, usually their first and last name, address and email address.

We collect this data in order to enable participation in the competition, to carry out the competition, to inform participants of a prize if applicable and to send participants a prize if applicable.

Insofar as participants provide information that is not required for participation in the respective competition, this is done on a voluntary basis.

The legal basis for this data processing in the context of participation in the competition is the fulfillment of the contract.

11. ONLINE MEETINGS AND WEBINARS

When participating in an online meeting or a webinar offered or conducted by the Controller, the personal data of the participants is processed.

When participating in an online meeting or webinar, various categories of data are processed. The scope of the data also depends on what data the participants provide about themselves and as part of their participation.

When participating in an online meeting or a webinar, at least a name must regularly be provided when registering. However, a pseudonym can also be used. The IP address of the participants is also processed to enable participation. Login information and device/hardware information is also processed. Furthermore, if specified, the participant's email address and profile picture will be processed. In the case of participation by telephone, the telephone number and, if applicable, the IP address are processed, if transmitted.

When participating in an online meeting or a webinar, if the participant has activated the microphone and/or a camera on the end device, the participant's image and sound data will be processed as part of the participation. If the screen is shared, the information from this screen share is also processed. Participants are free to activate the microphone, camera or screen share.

Audio and video recordings of online meetings or webinars can be created. In this case, the data of all audio, video and presentation recordings will be processed. There will always be a reference to the recording if one is made and, if necessary, the explicit consent of the participants will always be obtained for the recording.

It is also possible to use the chat, question or survey functions in online meetings or webinars. In this respect, the text entries made by the participants are processed in order to display them in the respective online meeting or webinar and, if necessary, to record them.

An external service provider is used as a data processor to conduct and, if necessary, record online meetings and webinars.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this processing is the fulfillment of the contract or the implementation of pre-contractual measures, provided that the implementation and participation in the online meeting or webinar within the framework of an existing contractual relationship is necessary for the fulfillment of the contract or is aimed at the conclusion of a contract. This is regularly the case for employees, customers, interested parties, service providers and suppliers. Otherwise, the legal basis for processing is the Controller's legitimate interest in efficient communication, both internally and with external stakeholders.

12. JOB APPLICATIONS

12.1 Active Sourcing

We carry out so-called active sourcing measures to identify promising potential employees on the external labor market and actively contact potential applicants and employees. The purpose of data processing is recruitment, e.g. by individually drawing the attention of promising candidates to job vacancies in our company.

We collect the following categories of data for active sourcing: Surname, first name, gender, contact details, education, professional experience, qualifications, salary data, application data, non-professional experience and interests and other information resulting from public profiles on social networks, in particular LinkedIn and Xing, and/or from other publicly accessible sources on the internet.

All personal data processed in the context of active sourcing is collected from generally/publicly accessible sources on the Internet, in particular from social networks such as LinkedIn and Xing.

The legal basis for the collection and processing of publicly accessible data in the context of active sourcing is the Controller's legitimate interest in identifying, approaching and recruiting the best possible employees for the company.

12.2 Application Process

We collect and process personal data from applicants for the purpose of carrying out the application process.

If we conclude an employment contract with an applicant, the data transmitted will be processed for the purpose of implementing the employment relationship in compliance with the statutory provisions. If no employment contract is concluded, the application documents will be deleted immediately after the end of the application procedure, provided that there is no overriding legitimate interest in deletion, such as the defense against claims or the preservation of evidence in accordance with equal treatment and anti-discrimination laws.

The legal basis for this storage and processing is the implementation of pre-contractual measures.

12.3 Talent Pool

If the applicant has consented to a longer storage of his/her data, we will store the data submitted as part of the application in our talent pool for a further 2 years after the end of the application process in order to identify future positions of potential interest to the applicant and, if necessary, contact the applicant in this regard. After this period, the data will be deleted.

Such consent to the storage of application data in our talent pool can be withdrawn at any time for the future. To do so, please send us an email to the contact details provided above.

The legal basis for the storage of application documents in our Talent Pool is, where applicable, the explicit consent of the applicant, which can be revoked at any time.

12.4Compliance/Sanctions Screening

Applicants who are shortlisted as part of the application process may be subject to an initial compliance check. The compliance check involves a comparison of the applicant's name and address with relevant sanctions lists, in particular on the basis of the EU anti-terrorism regulations.

To carry out the compliance/sanctions list screening, we use an external service provider as a data processor on the basis of a data processing agreement.

The legal basis for this storage and processing is, if there is a legal obligation to carry out a compliance/sanctions list screening, the fulfillment of the legal obligation. In individual cases, depending on a balancing of interests, compliance/sanctions list screening can also take place if there is no mandatory legal obligation. In this case, the legal basis is our legitimate interest in avoiding potential sanctions by foreign authorities.

13. VIDEO SURVEILLANCE

Some of our production sites are monitored by video. This monitoring is clearly indicated by signs. The legal basis for this storage and processing is Art. 6 (1) lit. b) GDPR. The purpose of video surveillance and our legitimate interest is to safeguard the rights of the home, to protect our employees from dangerous situations, to protect our property, in particular our business premises including equipment, and to preserve evidence after criminal offences. Only the management has access to the records. In individual cases, the records may be passed on to criminal prosecution authorities in accordance with their purpose. The deletion of the data is carried out by the system after 7 working days, provided that there are no incidents in the sense of our legitimate interest, which make a longer storage necessary.

14. MERGERS AND ACQUISITIONS (M&A)

If we are involved in a restructuring, acquisition, asset sale, merger, financing, transfer of services to another provider, due diligence, insolvency or receivership, your personal data may be transferred to third parties to the extent legally permitted in connection with and as part of the relevant legal process, subject to the basic principles of data protection law.

15. AGE RESTRICTION

This website is not intended or designed for use by children under the age of 16. We do not knowingly collect personally identifiable information from or about anyone under the age of 16.

16. RECIPIENTS OF DATA

Within the Controller's organization, access to data is granted to those internal departments or organizational units that need it to perform their tasks, if necessary to fulfill contracts, for data processing based on the consent of the data subject(s) or to protect overriding legitimate interests.

Data will only be passed on to third parties in accordance with legal requirements. Your data will only be passed on to third parties if this is necessary for contractual purposes or to safeguard our overriding legitimate interest in the effective performance of our business operations.

If we use service providers or third-party providers to provide the website or other services, we take suitable legal precautions and appropriate technical and organizational measures to ensure the protection of your personal data.

17. DATA SUBJECT RIGHTS

Within the scope of the legal requirements, data subjects have the following rights with regard to the processing of personal data:

17.1 Right of Access

Data subjects have the right to request information about the personal data processed about them.

17.2 Right to Rectification

Data subjects have the right to request the rectification of inaccurate personal data concerning them. They also have the right to request the completion of incomplete personal data.

17.3 Right to Erasure

Data subjects have the right to request the erasure of personal data concerning them.

17.4 Right to Restriction of Processing

Data subjects have the right to request that the processing of personal data concerning them be restricted.

17.5 Right to Object to Processing

Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or which is based on a legitimate interest. In this case, the data will no longer be processed unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

In addition, data subjects have the right to object at any time to the processing of personal data concerning them for the purpose of direct marketing; this also applies to any profiling insofar as it is associated with such direct marketing.

17.6 Right to Withdraw a Consent

Data subjects have the right to withdraw their consent if they have given their consent for processing.

17.7 Right to Data Portability

Data subjects have the right to receive the personal data concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format ("data portability") and the right to transmit those data to another Controller.

17.8 Exercising the Rights

The rights of data subjects can be exercised by notifying the Controller or, where applicable, the Data Protection Officer using the contact details provided above.

17.9 Right to Lodge a Complaint with the Data Protection Supervisory Authorities

If data subjects believe that the processing of personal data concerning them breaches data protection law, they have the right to lodge a complaint with a data protection supervisory authority.

18. MANDATORY INFORMATION AND PROFILING

The provision of personal data is neither legally nor contractually required. There is no obligation to provide personal data, however, the provision of personal information is necessary for the conclusion of a contract insofar as certain information is mandatory in order to conclude (and execute) a contract.

Automated decision-making, including profiling, is not carried out.

19. RETENTION AND DELETION

We adhere to the principles of data avoidance and data economy and only store your personal data for as long as is necessary to achieve the respective purpose of the data processing purposes or as stipulated by the storage periods provided by law.

If the purpose of storage no longer applies or if a storage period provided for by law expires, the personal data will be routinely anonymized or deleted in accordance with the statutory provisions.

20. INFORMATION SECURITY

We take appropriate technical and organizational measures in accordance with the state of the art to ensure a level of protection for the personal data we process that is appropriate to the risk of the respective processing and to protect the data we process against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

Our website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data that you send to us.

Our employees receive regular training on data protection and information security and are committed to confidentiality and data protection.

A restrictive rights and roles concept on a "need to know" basis ensures that employees only have access to the personal data they absolutely need to perform their duties.

21. AMENDMENT OF THIS PRIVACY POLICY

We reserve the right to amend this Privacy Policy from time to time so that it always complies with current legal requirements and/or in order to implement changes to our services in the Privacy Policy, e.g. when introducing new services. When visiting the website or using our services, the current privacy policy always applies.