Sirato_Logo_Color

Data Privacy

The following data protection declaration provides you with a detailed overview of how your personal data is processed when you visit our website www.sirato-group.com.
This website is operated by Sirato Recruitment GmbH.

If you – as a client or as a candidate – make use of the placement services of a company of the Sirato Recruitment GmbH, we would like to refer you to our further data protection information for these specific processes and the associated data processing:

For reasons of clarity, this information is provided separately under the aforementioned links.

Data Protection Declaration for Website Users

§ 1 Contact details of the persons responsible and the data protection officer

The purposes pursued by each of the data controllers in the context of their re-spective business activities are listed in section 1.1.

1.1 Name and address of the responsible persons

The persons responsible within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations for the operation of these websites as well as the processing of personal data of the visitors of the websites caused thereby is Sirato Recruitment GmbH.

Sirato Recruitment GmbH
Alter Hof 5
80331 Munich, Germany
Tel: +49 89 599 1822 0
E-Mail: info@sirato-group.com
Website: www.sirato-group.com

Sirato Recruitment GmbH is responsible within the scope of its business activities for the placement of candidates in temporary projects and permanent positions with our clients.

If you have any questions about your personal data, please contact: datenschutz@sirato-group.com

1.2 Contact data protection officer

You can contact our data protection officer under: dsb@sirato-group.com

§ 2 General information on the collection of personal data

In principle, the collection, processing, and use of personal data for the use of our website is limited to the necessary extent and the necessary data. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. In addition, we use the widespread SSL procedure (Secure Socket Layer) on our website in conjunction with the highest level of encryption supported by your web browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

§ 3 Purposes and legal bases of the processing of your personal data and further information on specific data processing

3.1 Processing of your data when visiting our website

3.1.1 Description and scope of data processing

Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer (personal data transmitted by your browser to our server). This is also the case if you do not register or otherwise transmit information to us. The following data is collected:

  • IP address of the user
  • Date and time of the request or access
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes (from which the user’s system accesses our website)
  • Website that is called up by the user’s system via our website
  • Information about the type of browser and the version used
  • Operating system and its interface
  • Language and version of the browser software
3.1.2 Purposes of data processing

The processing of the aforementioned data, in particular the IP address by the system, is necessary and required to enable delivery of the website to your computer. Further purposes are to ensure system security and system stability.

3.1.3 Legal basis for data processing

The legal basis for the temporary storage of data is Art. 6 para. 1 lit. f DSGVO. Our legitimate interest follows from the purposes for data collection listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.

3.1.4 Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is regularly the case when the respective session has ended.

3.1.5 Possibility of objection and elimination

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is regularly no possibility of objection on your part.

3.2 Data protection when using the contact form

3.2.1 Description and scope of data processing

On our website, we offer every visitor the opportunity to contact us via a contact form by providing personal data.
The following data is compulsorily collected from you when contacting us via the contact form:

  • IP address
  • Date and time of the message
  • Your name
  • e-mail address
  • Subject of message
  • message

In addition, you can provide further voluntary information:

  • Information in a file attachment

Whether and to what extent you provide us with additional personal data in the file attachment and we process it cannot be controlled by us at first. However, unless necessary, we ask you not to send us any personal data in the file attachments.

3.2.2 Purposes of data processing

The processing of your data is solely for the purpose of handling and responding to your inquiry. The specification of your e-mail address is necessary in order to be able to contact you. Your name is used to personalize your inquiry or reply and for internal allocation within our company.

3.2.3 Legal basis for data processing

If you have given your consent, the legal basis for processing your data is Art. 6 Para. 1 S. 1 lit. a DSGVO. If the inquiry already serves the fulfillment of a contract to which you are a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. b DSGVO. In order to allocate your inquiry to our company, a further legal basis is the protection of our legitimate interests, Art. 6 Para. 1 lit. f DSGVO; our legitimate interests follow from the purposes described, whereby we assume that your interests do not outweigh ours.

3.2.4 Duration of storage; possibility of objection and elimination

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is particularly the case if your inquiry has been finally processed and, if applicable, answered. If the purpose of contacting you is already the implementation of a contract to which you are a party or the implementation of a pre-contractual measure, then the data will be deleted when it is no longer necessary for the implementation of the contract. It may also be necessary to store personal data in order to comply with contractual or legal obligations or to protect our legitimate interests. If the processing of your data is based on your consent, you have the option of revoking this consent. By clicking on the corresponding checkbox (opt-in) before transmitting your entered data to us, you consent to the processing of your data in accordance with this data protection declaration. If the data is also required for the fulfillment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

3.3 Use of cookies

When you visit and use our website, cookies are stored on your computer. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user calls up a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

Some of them are essential, i.e. they are technically required for the operation of our website. Other cookies are used for statistical purposes or to analyse access to our website or for marketing purposes or to offer you the use of external media. Both temporary/session cookies and longer stored cookies (so-called per-manent cookies) are used. Temporary cookies are deleted as soon as you close your browser. Permanent cookies remain for a longer period of time, but can be deleted manually at any time. Some of the cookies are placed by third parties.

The legal basis for data processing when using essential cookies is Art. 6 Para. 1, S. 1 lit. f DSGVO or Art. 25 Para. 2 No. 2 TTDSG, when using all other cookies the legal basis is your consent according to Art. 6 Para. 1, S. 1 lit. a DSGVO or § 25 Para. 1 TTDSG. If we do not process your data on the basis of your explicit consent, your personal data will only be processed to the extent that this is necessary to protect our legitimate interests or the legitimate interests of a third party and your interests or fundamental rights and freedoms, which require the protection of personal data, do not take precedence.

Detailed information about the use of the respective cookies, in particular about their purpose, the respective function duration and the extent to which they are placed by third parties or third parties have access to the data collected via the cookies, can be found in our „Cookie Settings“ in addition to the information provided in our data protection declaration. Here you will also find detailed information on the legal basis for the respective data processing, depending on the category of cookies used.

You can consent to the use of the respective categories of cookies individually; you can also change your consent at any time under the „Cookie Settings“ or revoke it with respect to us.

§ 4 Hosting of the websites (SiteGround)

4.1 Description and scope of data processing

These websites are hosted by the web hosting service Site Ground. The service provider is the Spanish company SiteGround Spain S.L., Calle de Prim 19, 28004 Madrid, Spain (hereinafter “SiteGround”). Web hosting is the provision of storage capacity and the hosting of websites on the web server of the web hosting service.

The personal data collected on our website is stored on the servers of the hosting provider. This may include, but is not limited to

  • IP addresses
  • contact details
  • Meta and communication data
  • contract data
  • website traffic

and other data generated via a website and presented in the context of this privacy policy.

We have concluded an order processing agreement with the hosting provider, which ensures that the data collected in this way is processed exclusively in accordance with our instructions and in compliance with the DSGVO and the TTDSG. We have located our hosting servers exclusively in the Federal Republic of Germany to ensure that your personal data is only processed in a country with a high level of data security. In the case of data processing by SiteGround, however, it cannot be completely ruled out that personal data may be transferred to the USA and the United Kingdom, as SiteGround operates affiliated companies there within the group of companies. In this case, we have agreed with SiteGround within the framework of the concluded order processing contract that the requirements of the GDPR for a transfer to so-called third countries must be complied with (see below).

4.2 Purposes of data processing

The storage of the above-mentioned data, in particular the IP address, by our systems is only carried out temporarily for the duration of the session and is necessary to ensure the proper operation and presentation of the websites. We also use SiteGround to display our websites in a way that allows you to access our website without problems. We also want to secure our website against the influence of unauthorized third parties and improve it regularly.

4.3 Legal Basis

4.3.1 Legal basis for data processing

The use of SiteGround is in our interest to ensure a stable and appealing presentation and accessibility of our website for you. This constitutes a legitimate business interest within the meaning of Art. 6 (1) p. 1 lit. f) DSGVO.

4.3.2 Legal basis in the event of data transfer to a third country

As described, in the case of data processing by SiteGround, it cannot be completely ruled out that personal data will be transferred to the USA and the United Kingdom, as SiteGround operates affiliated companies there within the group of companies. In each case, Your personal data will be transferred to the USA and the United Kingdom on the basis of the available adequacy decision described at
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de
Subject to legal or contractual permissions, personal data may only be processed in a third country if the special prerequisites of Art. 44 et seq. DSGVO are met. Accordingly, data may be transferred in particular if the European Commission has determined by way of a decision within the meaning of Article 45 (1) and (3) of the GDPR that an adequate level of data protection is provided in the third country concerned. By means of such so-called adequacy decisions, the European Commission certifies a level of data protection in third countries that is comparable to the recognised standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).
Insofar as a data transfer takes place between the USA or the United Kingdom and the EU, it should be noted that such an adequacy decision exists for the USA and the United Kingdom. The data protection agreement (USA) and the adequacy decision (United Kingdom) can be found at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu) as well as EUR-Lex – L:2021:360:TOC – EN – EUR-Lex (europa.eu). The decisions state that the US and the UK will ensure an adequate level of protection – comparable to that of the European Union – for personal data.

US companies can become certified under the new data protection agreement by committing to comply with specified data protection requirements, including, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuity of protection when personal data is disclosed to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.

SiteGround (SG Hosting Inc.) is certified under the new US data protection agreement.

The agreement introduces binding safeguards. It provides that access by US intelligence agencies to EU data will be limited to what is necessary and proportionate and that a Data Protection Review Court (DPRC) will be established to which EU data subjects will have access. For example, if the DPRC finds that the new safeguards have been breached in the collection of the data, it can order the deletion of the data. The safeguards in the area of government access to data complement the obligations that US companies importing data from the EU must comply with.

Data subjects have several remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration board.

In addition, the data protection agreement provides certain safeguards regarding access by US authorities to data transferred within the data protection agreement, in particular for access for law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU data subjects have access to an independent and impartial redress mechanism, including referral to a data protection review tribunal, in relation to the collection and use of their data by US intelligence agencies. This tribunal independently investigates and resolves complaints, including by ordering binding remedies.

4.4 Duration of storage

Your personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

4.5 Further information

Further information on the purpose and scope of the data collection and its processing, as well as further information on your rights in this regard and setting options for protecting your privacy, can be obtained at the above address and at https://de.siteground.com/privacy.htm?tid=331668599105.

§ 5 Integration of YouTube videos

5.1 Description and scope of data processing

We have integrated YouTube videos into our online offer, which are stored on http://www.YouTube.de or http://www.YouTube.com and can be played directly from our website. The service provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”).

When you visit our website, Google receives the information that you have access to the corresponding sub-page of our website. In addition, the data that (as described above) is collected for technical reasons each time you visit our website will be passed on to Google.

The data transfer takes place regardless of whether Google provides a user account via which you are logged in or whether no user account exists. If you are logged in to YouTube, your data will be directly assigned to your account. If you do not wish your data to be associated with your YouTube profile, you must log out of YouTube before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing its website to meet your needs. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact Google to exercise this right.

5.2 Purposes of data processing

The data processing, in particular the data transfer to Google, is carried out for the purpose of simplifying the use of our media content and increasing the attractiveness of our website. By integrating YouTube films, we give you the opportunity to interact with the social network YouTube and other users of this network, so that we can improve our offer and make it more interesting for you as a user.

5.3 Legal basis for data processing

5.3.1 Legal basis for storing and reading information in terminal equipment

Google can analyze and evaluate the user behavior of the data subject via so-called “tracking”. Tracking is data processing for the purpose of tracking the individual behavior of users on websites (usually across websites). Tracking is technically possible by identifying users through the use of so-called cookies, web bugs, JavaScripts, or browser fingerprinting.

According to § 25 para. 1 p. 1 TTDSG in conjunction with. Art. 6 para. 1 p. 1 lit. a) DSGVO, the storage and readout of information on or from an end device, irrespective of the personal reference of the information, generally requires the consent of the person concerned. This includes, for example, the reading of browser information such as screen resolution, operating system versions or installed fonts by means of a JavaScript code, from which a unique and long-lasting (hash) value is formed and transmitted to a server (see above “browser fingerprinting”). Furthermore, this includes the setting or placement of so-called “cookies” (see section 3.3 on the term “cookie”), unless the use of the cookie is absolutely necessary for the operation of the website. Furthermore, the technical reading of cookies that have already been set requires the consent of the person concerned.

Google uses the above technologies to analyze and evaluate the user behavior of the data subject to the extent described in section 4.1.

Your personal data for the analysis and evaluation of your user behavior to the extent described in section 4.1 and for the purposes described in section 4.2 will only be processed if you have given us your explicit and voluntary consent in accordance with Art. 6 para. 1 sentence 1 lit. a) DSGVO.
You can revoke your consent at any time with effect for the future (see § 17).

5.3.2 Legal basis for the transfer of personal data to a third country

Your personal data will be transferred to the USA on the basis of an adequacy decision available at
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de
Subject to legal or contractual permissions, personal data may in principle only be processed in a third country if the special prerequisites of Art. 44 et seq. DSGVO are met. Accordingly, data may be transferred in particular if the European Commission has determined by way of a decision within the meaning of Article 45 (1) and (3) of the GDPR that an adequate level of data protection is provided in the third country concerned. The European Commission certifies third countries by means of such so-called adequacy decisions a level of data protection that is comparable to the recognized standard in the European Economic Area (a list of these countries, as well as a copy of the adequacy decisions, can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).
Insofar as a data transfer takes place between the USA and the EU, it should be noted that such an adequacy decision exists for the USA. The European Commission adopted its adequacy decision for the new EU-US data protection agreement on 10 July 2023. The data protection agreement and the adequacy decision can be found at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu). The decision states that the US will ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies within the scope of the new data protection agreement.

US companies can become certified under the new data protection agreement by committing to comply with specified data protection requirements, including, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when personal data is transferred to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.

Google is certified under the new data protection agreement.

The agreement introduces binding safeguards. It provides that access by US intelligence agencies to EU data will be limited to what is necessary and proportionate and that a Data Protection Review Court (DPRC) will be established to which EU data subjects will have access. For example, if the DPRC finds that the new safeguards have been breached in the collection of the data, it can order the deletion of the data. The safeguards in the area of government access to data complement the obligations that US companies importing data from the EU must comply with.

Data subjects have several remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration board.

In addition, the data protection agreement provides certain safeguards regarding access by US authorities to data transferred within the data protection agreement, in particular for access for law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU data subjects have access to an independent and impartial redress mechanism, including referral to a data protection review tribunal, in relation to the collection and use of their data by US intelligence agencies. This tribunal independently investigates and resolves complaints, including by ordering binding remedies.

5.4 Duration of storage, possibility of objection and removal at YouTube (company of the Google/Alphabet group of companies)

We have no influence on the data collected and the data processing procedures, nor are we aware of the full extent of the data collection, the purposes of the processing or the storage periods. We also have no information on the deletion of the collected data by Google. Google may store your personal data as a user profile and use it for advertising, market research and/or to tailor its website to your needs. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and in order to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and to exercise this right you must contact Google. For further information on the purpose and scope of data collection and processing by Google, please refer to the provider’s privacy policy. There you will also find further information on your rights in this regard and possible settings for the protection of your privacy.

5.5 Further information

Further information on the purpose and scope of the data collection and its processing, as well as further information on your rights in this regard and on how to protect your privacy, can be obtained from: Google Ireland Limited Gordon House, Barrow Street Dublin 4 and at https://policies.google.com/privacy?hl=en

§ 6 Services of Borlabs GmbH

6.1 Description and scope of data processing

We use the so-called Borlabs cookie on our website. Borlabs Cookie is a Word-Press plugin that allows us to obtain permission to set cookies. For this purpose, we display a pop-up on our website that asks users for their consent via opt-in. The plug-in is provided by Borlabs GmbH, Rübenkamp 32, 22305 Hamburg Ger-many.

The following information is stored in the Borlabs cookie:

  • Cookie duration
  • Cookie version
  • Domain and path of the WordPress website
  • Consents
  • UID (randomly generated ID)

The aforementioned information is not transmitted to Borlabs GmbH. The data is stored on our servers.
If you wish to withdraw your consent, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked again for your cookie consent.
Alternatively, you can adjust your consent at any time in the Cookie Settings

6.2 Legal basis

The Borlabs cookie is absolutely necessary to operate our website. The legal basis is our legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f) DSGVO for the purposes stated in section 5.1.

6.3 Storage period

The Borlabs cookie has a duration of one year.

6.4 Further information

You can find further information at: https://de.borlabs.io/borlabs-cookie/

§ 7 Services of Personio GmbH

7.1 Description and scope of data processing

We use the services of Personio GmbH & Co. KG, Rundfunkplatz 4, 80335 Munich, Germany, which offers personnel administration and applicant management software. We have concluded an order processing agreement with Personio.

When using our job board for internal positions, your IP address is stored anonymously. Further personal data will only be processed after the application as part of the applicant management process. Further information on this process can be found in our data protection information for applicants.

7.2 Legal basis

The legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit. b GDPR The data processing is necessary for the presentation of our internal positions and thus for the initiation of a contractual relationship between you and us and for the fulfillment of the obligations resulting therefrom.

7.3 Storage period

We will delete or block your personal data as soon as the purpose of the storage no longer applies; blocking in this context means any removal of the reference of the data to your person. Data may also be stored if this has been provided for by the European or national legislator in regulations, laws or other provisions to which we are subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

7.4 Further information

You can find further information at: https://www.personio.com/privacy-policy/

§ 8 Integration of Microsoft Teams

8.1 Description, scope and purpose of data processing

For communication with our customers, we use, among other things, the conference tool Microsoft Teams. The provider is Microsoft Corporation, One Micro-soft Way, Redmond, WA, 98052-6399, USA (“Microsoft”).

Microsoft collects all data that you provide/use for the use of the tools (e-mail address and/or your telephone number). Furthermore, Microsoft processes the duration of the conference, the beginning and end (time) of participation in the conference, the number of participants and other “contextual information” in connection with the communication process (metadata). Furthermore, Microsoft processes all technical data that is required for the handling of online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loud speaker and the type of connection. If content is exchanged, uploaded or otherwise made available within Microsoft Teams, it will also be stored on Microsoft’s servers. Such content includes but is not limited to, cloud recordings, chat/social messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using Microsoft Teams. Please note that we do not have full control over the data processing operations of the tools used.

8.2 Description, scope and purpose of data processing

8.2.1 Legal basis for the use of Microsoft Teams

When using Microsoft Teams, we process your personal data on the basis of Art. 6 (1) p. 1 lit. f) GDPR. We have a legitimate interest in conducting communications with you directly and effectively using an online conference tool. This also serves to optimize our business processes.

If we process your data via Microsoft Teams beyond the scope described in section 7.1, e.g. record and store conversations, this will only be done if you have been expressly informed of this beforehand and only if you explicitly consent to the storage in accordance with the supplementary data protection information. By default, we do not record any conversations using Microsoft Teams.

8.2.2 Legal basis for the transfer of personal data to a third country

Your personal data will be transferred to a third country on the basis of the adequacy decision available at
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de
Subject to legal or contractual permissions, personal data may in principle only be processed in a third country if the special prerequisites of Art. 44 et seq. GDPR are met. Accordingly, data may be transferred in particular if the European Commission has determined by way of a decision within the meaning of Article 45 (1) and (3) of the GDPR that an adequate level of data protection is provided in the third country concerned. By means of such so-called adequacy decisions, the European Commission certifies a level of data protection in third countries that is comparable to the recognized standard in the European Economic Area (a list of these countries, as well as a copy of the adequacy decisions, can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).
Insofar as a data transfer takes place between the USA and the EU, it should be noted that such an adequacy decision exists for the USA. The European Commission adopted its adequacy decision for the new EU-US data protection agreement on 10 July 2023. The data protection agreement and the adequacy decision can be found at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu) . The decision states that the US will provide an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies within the scope of the new data protection agreement.
US companies can become certified under the new data protection agreement by committing to comply with specified data protection requirements, including, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when personal data is transferred to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.

Microsoft is certified under the new privacy agreement.

The agreement introduces binding safeguards. It provides that access by US intelligence agencies to EU data will be limited to what is necessary and proportionate and that a Data Protection Review Court (DPRC) will be established to which EU data subjects will have access. For example, if the DPRC finds that the new safeguards have been breached in the collection of the data, it can order the deletion of the data. The safeguards in the area of government access to data complement the obligations that US companies importing data from the EU must comply with.

Data subjects have several remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration board.

In addition, the data protection agreement provides certain safeguards regarding access by US authorities to data transferred within the data protection agreement, in particular for access for law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU data subjects have access to an independent and impartial redress mechanism, including referral to a data protection review tribunal, in relation to the collection and use of their data by US intelligence agencies. This tribunal independently investigates and resolves complaints, including by ordering binding remedies.

8.3 Storage period

The data collected directly by us via the video and conference tools is deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal retention periods remain unaffected. We have no influence on the storage period of your data that is stored by Microsoft for its own purposes.

8.4 Further information

Further information on the purpose and scope of the data collection and its processing, as well as further information on your rights in this regard and the settings you can make to protect your privacy, can be obtained from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, as well as at https://privacy.microsoft.com/de-de/privacystatement and https://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=18986

§ 9 Newsletter integration using Brevo

9.1 Description and scope of data processing

For the dispatch of our electronic newsletter, we use the e-mail dispatch service Brevo, a service of Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin.

For the registration, we process the following of your personal data:

  • Mandatory: e-mail address
  • Voluntary: First name, last name

The e-mail address is mandatory for sending the electronic newsletter. The processing of your further data serves the personalization of these contacts as well as the specialization of the offers and information and is voluntary.

9.2 Purposes of data processing

We process your e-mail address in order to contact you for the purpose of sending you our electronic newsletter, to inform you about current events and, if applicable, current developments and to maintain our contractual relationship with you. In addition, we use this data for advertising messages by e-mail and, if we have received your e-mail address in connection with our products and services, for advertising measures about our own similar products and services.

9.3 Legal basis for data processing

In order to send you our newsletter, we will always obtain your explicit declaration of consent. For this purpose, we use the so-called double opt-in procedure. After you have registered for the newsletter, we will send you an e-mail to the e-mail address you have provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 48 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses used and the times of registration and confirmation. The purpose of this procedure is to prove your registration and to be able to clarify a possible misuse of your personal data.
If we do not already process your data on the basis of your explicit consent only in exceptional cases, your personal data will only be processed to the extent that this is necessary to protect our legitimate interests or the legitimate interests of a third party and does not override your interests or fundamental rights and freedoms which require the protection of personal data (Art. 6 para. 1 sentence 1 lit. f GDPR).

9.4 Storage period

We will delete your data as soon as we no longer need it for the purposes described. We will store your personal data for advertising and information purposes, i.e. sending you information and offers about services, or for the duration of your subscription.

For more information on data processing, please refer to the company’s privacy policy at https://www.brevo.com/legal/privacypolicy/.

9.5 Possibility of objection and removal

You can revoke your consent at any time and thus unsubscribe from receiving information about current and future products, services or other information about us. You can declare your revocation by clicking on the link provided in every newsletter e-mail, by sending an e-mail to news@aristo-group.com or by sending a message to our contact details provided. If you object to the use of your data, we will no longer send you promotional communications.

§ 10 Integration of Google Ads

10.1 Description, scope and purpose of data processing

On this website, we use the offer of Google Ads to draw attention to our offers with the help of advertising media (Adwords or Ads) on external websites. We can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. The provider is Google Ireland Limited Gordon House, Barrow Street Dublin 4. We pursue the interest in showing you advertising that is of interest to you, to make our website more interesting for you and to achieve a fair calculation of advertising costs.

These advertisements are delivered by Google via so-called “ad servers”. For this purpose, we use ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks by users. If you access our website via a Google ad, Google Ads will store a cookie on your computer. The unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie.

These cookies enable the service provider Google to recognize your internet browser. If a user visits certain pages of a Google Ads customer’s website and the cookie stored on their computer has not yet expired, Google and the customer can recognize that the user has clicked on the ad and been redirected to that page. A different cookie is assigned to each Google Ads customer. Cookies can therefore not be tracked across Google Ads customers’ websites.

Ad server cookies usually expire after 30 days and should not be used to identify you personally.

We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. These evaluations enable us to see which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising media; in particular, we cannot identify users on the basis of this information.

Through the integration of Google Ads Conversion, Google receives the information that you have called up the corresponding part of our website or clicked on the advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in to a Google service, it is possible that the provider may obtain and store your IP address.

You can prevent participation in this tracking process in several ways: (1) by setting your browser software accordingly – suppressing third-party cookies will result in you not receiving third-party ads; (2) by disabling conversion tracking cookies by setting your browser to block cookies from the domain www.googleadservices.com (https://www.google.de/settings/ads), which setting will be deleted when you delete your cookies; (3) by disabling the interest-based ads of the providers that are part of the self-regulatory campaign “About Ads” via the link http://www.aboutads.info/choices, which setting will be deleted when you delete your cookies; (4) by permanently disabling them in your browsers Firefox, Internet Explorer or Google Chrome under the link http://www.google.com/settings/ads/plugin. Please note that in this case you may not be able to use all the functions of this website to their full extent.
In addition to Google Ads Conversion, we use the Google Ads Remarketing application. Through this application, our advertisements can be displayed to you in your subsequent internet use after a visit to our website. This is done by means of cookies stored in your browser, which are used by Google to record and evaluate your usage behavior when visiting various websites. In this way, Google can determine your previous visit to our website. According to its own statements, Google does not combine the data collected in the course of Google Remarketing with your personal data that may be stored by Google (e.g. because you have registered for a Google service such as Gmail). According to Google, pseudonymisation is used in remarketing.

10.2 Legal basis for data processing

10.2.1 Legal basis for storing and reading information in terminal equipment

Google can analyze and evaluate the user behavior of the data subject via so-called “tracking”. Tracking is data processing for the purpose of tracking (usually across websites) the individual behavior of users on websites. Tracking is technically possible by identifying users through the use of so-called cookies, web bugs, JavaScripts or browser fingerprinting.

According to § 25 para. 1 p. 1 TTDSG in conjunction with. Art. 6 para. 1 p. 1 lit. a) GDPR, the storage and readout of information on or from an end device, irrespective of the personal reference of the information, generally requires the consent of the person concerned. This includes, for example, the reading of browser information such as screen resolution, operating system versions or installed fonts by means of a JavaScript code, from which a unique and long-lasting (hash) value is formed and transmitted to a server (see above “browser fingerprinting”). Furthermore, this includes the setting or placement of so-called “cookies” (see section 3.3 on the term “cookie”), unless the use of the cookie is absolutely necessary for the operation of the website. Furthermore, the technical reading of previously set cookies also requires the consent of the person concerned.
Google uses the above technologies to analyze and evaluate the user behavior of the data subject to the extent described in section 9.1.

Your personal data for the analysis and evaluation of your user behavior to the extent described in section 9.1 and for the purposes described in section 9.1 will only be processed if you have given us your explicit and voluntary consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

You can revoke your consent at any time with effect for the future (see § 17).

10.2.2 Legal basis for the transfer of personal data to a third country

Your personal data will be transferred to a third country on the basis of the adequacy decision available at
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de Subject to legal or contractual permissions, personal data may in principle only be processed in a third country if the special prerequisites of Art. 44 et seq. GDPR are met. Accordingly, data may be transferred in particular if the European Commission has determined by way of a decision within the meaning of Article 45 (1) and (3) of the GDPR that an adequate level of data protection is provided in the third country concerned. By means of such so-called adequacy decisions, the European Commission certifies a level of data protection in third countries that is comparable to the recognized standard in the European Economic Area (a list of these countries, as well as a copy of the adequacy decisions, can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).
Insofar as a data transfer takes place between the USA and the EU, it should be noted that such an adequacy decision exists for the USA. The European Commission adopted its adequacy decision for the new EU-US data protection agreement on 10 July 2023. The data protection agreement and the adequacy decision can be found at Adequacy decision EU-US Data Privacy Framework_en.pdf (Europa.eu) . The decision states that the US will ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies within the scope of the new data protection agreement.
US companies can become certified under the new data protection agreement by committing to comply with specified data protection requirements, including, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when personal data is transferred to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.

Google is certified under the new data protection agreement.

The agreement introduces binding safeguards. It provides that access by US intelligence agencies to EU data will be limited to what is necessary and proportionate and that a Data Protection Review Court (DPRC) will be established to which EU data subjects will have access. For example, if the DPRC finds that the new safeguards have been breached in the collection of the data, it can order the deletion of the data. The safeguards in the area of government access to data complement the obligations that US companies importing data from the EU must comply with.

Data subjects have several remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration board.

In addition, the data protection agreement provides certain safeguards regarding access by US authorities to data transferred within the data protection agreement, in particular for access for law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU data subjects have access to an independent and impartial redress mechanism, including referral to a data protection review tribunal, in relation to the collection and use of their data by US intelligence agencies. This tribunal independently investigates and resolves complaints, including by ordering binding remedies.

10.3 Further information

For more information on the purpose and scope of data collection and its processing, as well as further information on your rights in this regard and the settings you can make to protect your privacy, please contact: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Advertising Privacy Policy: https://policies.google.com/technologies/ads?hl=en&gl=en.

§ 11 Integration of OpenStreetMap

11.1 Description and scope of data processing

This site uses the OpenStreetMap mapping service via an API interface for map sections to locate our sites. The provider is the Open-StreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WE, United Kingdom.

To use the functions of OpenStreetMap, it is necessary to store your IP address, data on your browser, device type and operating system, as well as the date and period of use. This information is usually transferred to a server of OpenStreetMap in the United Kingdom (Great Britain and Northern Ireland) and in the Netherlands and stored there. The provider of this site has no influence on this data transmission.

11.2 Purpose of data processing

The use of OpenStreetMap is in the interest of an attractive presentation of our online offers and an easy location of the places indicated by us on the website.

11.3 Consent to the transfer of personal data to a third country

Subject to legal or contractual permissions, personal data may in principle only be processed in a third country if the special prerequisites of Art. 44 et seq. GDPR are met. Accordingly, data may be transferred in particular if the European Commission has determined by way of a decision within the meaning of Article 45 (1) and (3) of the GDPR that an adequate level of data protection is provided in the third country concerned. By means of such so-called adequacy decisions, the European Commission certifies a level of data protection in third countries that is comparable to the recognized standard in the European Economic Area (a list of these countries, as well as a copy of the adequacy decisions, can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).
Insofar as a data transfer takes place between the USA and the EU, it should be noted that such an adequacy decision exists for the USA. The European Commission adopted its adequacy decision for the new EU-US data protection agreement on 10 July 2023. The data protection agreement and the adequacy decision can be found at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu) . The decision states that the US will ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies within the scope of the new data protection agreement.

US companies can become certified under the new data protection agreement by committing to comply with specified data protection requirements, including, for example, the obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuity of protection when personal data is transferred to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.

To our knowledge (02.08.2023), the provider is not certified under the new data protection agreement.

In this respect, the data transfer is based on your express and voluntary consent. By consenting to the collection of data by OpenStreetMap, you expressly agree to the data transfer described here. This consent can be revoked at any time. A revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.

11.4 Legal basis for data processing

The legal basis is your explicit and voluntary consent in accordance with Art. 6 para. 1, p. 1 lit. a) DSGVO to the processing of your personal data for darting purposes using OpenStreetMap.

11.5 Further information

Further information on the purpose and scope of the data collection and its processing, as well as further information on your rights in this regard and possible settings for the protection of your privacy, can be obtained from: OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WE, United Kingdom, at https://wiki.osmfoundation.org/wiki/Privacy_Policy.

§ 12 Use of the SalesViewer technology

12.1 Description and scope of data processing

This website uses the SalesViewer technology of SalesViewer GmbH, Huestraße 30, 44787 Bochum, Germany, to collect and store data for marketing, market research and optimization purposes.

Within the framework of SalesViewer, a javascript-based tracking code is used on our website, with the help of which the following information (hereinafter referred to as company data) is determined within the framework of the procedure described below:

  • Name, origin and industry of the visiting company
  • Source/referrer of the visiting company
  • keyword
  • Visitor behavior (e.g. (sub)pages visited, time of visit, duration of visit)

We do not specifically access any information stored in the end device of the website visitor that is not already transmitted when the website is called up, nor are cookies or similar files stored in the end device.

Instead, the visiting company is identified by means of the comparison with generally accessible information described below. For this purpose, the online identifier of the website visitor is encrypted using a non-reversible one-way function (so-called hashing) and, after a preselection by means of which private accesses are filtered out, is transmitted to the provider in pseudonymized form.

These online identifiers are matched by the provider with a database limited to company-related data.

Insofar as company-related accesses can be identified within the scope of this procedure, corresponding company-related data of the website visit is made available to us via a secured and encrypted login area of the provider, on which it is also possible to research further generally accessible data (e.g. address and contact data) about the visiting companies.

We have concluded an order processing contract with SalesViewer in accordance with Art. 28 GDPR. This comprehensively regulates the rights and obligations with regard to the processing of personal data.

12.2 Purpose of the Data Processing

The purpose of using the SalesViewer technology is to collect and store data for marketing, market research and optimization purposes.

12.3 Legal basis of data processing

Our pursued marketing, market research and optimization purposes represent legitimate interests within the meaning of Art. 6 (1) lit. f GDPR. Due to the limited processing purpose, the pseudonymous data processing, the low intensity of intervention resulting from the restriction to company data, the provision of data protection information on the website in accordance with Art. 13 GDPR and the simple option to object (opt-out), our interests in optimizing our business processes outweigh these.

12.4 Further information

You can object to the collection and storage of data at any time with effect for the future by clicking on this link https://www.salesviewer.com/opt-out in order to prevent the collection by SalesViewer in the future.

§ 13 Web analysis through Matomo

13.1 Description and scope of data processing

We use Matomo on this website, a website analysis software offered by InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. A representative for the EU is ePrivacy Holding GmbH, Große Bleichen 21, 20354 Hamburg, Germany.
Cookies are set through the use of Matomo.

Furthermore, in order to analyze the website

  • Your IP address and
  • information such as timestamps,
  • visited web pages and
  • your language settings

are processed.

The information collected in this way is stored on a server of our hosting provider.

We have concluded a data processing contract with the hosting provider, which ensures that the data collected is processed according to our instructions and in compliance with the GDPR and the TTDSG.

Matomo is used with the extension “_anonymizeIp()”. This means that IP addresses are processed in abbreviated form and personal references can thus be ruled out. If the data collected about you is personally identifiable, this is immediately excluded and the personally identifiable data is immediately deleted. The IP address transmitted by your browser within the scope of Matomo is not merged with other data collected by us.

The EU Commission has issued an adequacy decision for New Zealand.

13.2 Purposes of data processing

We use Matomo to analyze our website and to improve it regularly. The statistics obtained enable us in particular to make our offer more interesting for you.

13.3 Legal basis for storing and reading information in terminal equipment

Using Matomo, we can analyze and evaluate the user behavior of the person concerned via so-called “tracking”. Tracking is data processing for tracking the individual behavior of users on websites (usually across websites). Tracking is technically possible by identifying users through the use of so-called cookies, web bugs, JavaScripts or browser fingerprinting.

According to § 25 para. 1 p. 1 TTDSG in conjunction with. Art. 6 para. 1 p. 1 lit. a) GDPR, the storage and readout of information on or from an end device, irrespective of the personal reference of the information, generally requires the consent of the person concerned. This includes, for example, the reading of browser information such as screen resolution, operating system versions or installed fonts by means of a JavaScript code, from which a unique and long-lasting (hash) value is formed and transmitted to a server (see above “browser fingerprinting”). Furthermore, this includes the setting or placement of so-called “cookies”, insofar as the use of the cookie is not absolutely necessary for the operation of the website. Furthermore, the technical reading of cookies that have already been set requires the consent of the person concerned.

We can and will only use Matomo to analyze and evaluate your user behavior to the extent and for the purposes described above if you have given us your explicit and voluntary consent in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR in conjunction with. § 25 1 p. 1 TTDSG.

You can revoke your consent at any time with effect for the future.

13.4 Further information

Further information on the purpose and scope of the data collection and its processing, as well as further information on your rights in this regard and on how to protect your privacy, can be obtained from InnoCraft Ltd (150 Willis St, 6011 Wellington, New Zealand) at https://matomo.org/matomo-cloud-privacy-policy/

§ 14 Disclosure of your data to third parties

Except as set out above, we do not disclose personal data to any company, organization or person outside our company, except in one of the following circumstances:

14.1 With your consent

Insofar as already described in detail above, but in individual cases also beyond this, we pass on personal data to companies, organizations or persons outside our company if we have received your consent to do so (Art. 6 Para. 1, Sentence 1 lit. a, if applicable in conjunction with Art. 9 Para. 2 lit. a GDPR).

14.2 Processing by other bodies

We make personal data available to other companies that are associated with us in a group of companies, as well as to our third-party business partners, other trustworthy companies or persons who process it on our behalf. This is done on the basis of our instructions and in accordance with our data protection statement and other appropriate confidentiality and security measures.

14.3 For legal reasons

We will disclose personal data to companies, organizations or persons outside our company if we can reasonably assume that access to this data or its use, storage or disclosure is necessary, in particular, to comply with applicable laws, regulations or legal procedures or to comply with an enforceable official order; the legal basis in this respect is Art. 6 Para. 1, S. 1 lit. c in conjunction with Art. 9 Para. 2 lit. b GDPR. Art. 9 para. 2 lit. b GDPR.

14.4 Transfer of your data to a third country or an international organization

Unless expressly stated in this data protection declaration, your personal data will not be transferred to third countries (countries outside the EU or the EEA) or international organizations. However, within the framework of the jointly-used IT systems for the operation of the website, we also transfer your data to – as described in detail – Aristo AG, which is based in Switzerland. Switzerland has an appropriate level of data protection. This was determined by the EU Commission by means of an adequacy decision (pursuant to Article 45 of the GDPR).

§ 15 Automated decision-making

Unless expressly described otherwise above, automated decision-making does not take place.

§ 16 Your rights

You have the right:

  • In accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as about the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 GDPR, to request the correction of incorrect or incomplete personal data stored by us without delay;
  • to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
  • in accordance with Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
  • pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;
  • to revoke your consent at any time in accordance with Art. 7 (3) GDPR. This means that we may no longer process the data based on this consent in the future; and
  • complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

§ 17 Objection to or revocation of the processing of your data

If you have given your consent to the processing of your data, you may revoke this consent at any time in accordance with Art. 7 (3) GDPR. Such a revocation affects the permissibility of the processing of your personal data after you have expressed it to us.

Insofar as the processing of your personal data is based on our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR. This is the case if the processing is not necessary, in particular, for the fulfillment of a contract with you, which is shown by us in each case in the description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing.

Of course, you can object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us of your objection to advertising using the contact details above.

Data protection in our processes