Vogelsanger Straße 76
Contact: Telephone: +49 (0)221-913920 - 0
Fax: +49 (0)221-913920 - 29
Managing Directors of brandung GmbH: Michael Hacke
Contact details for the data protection officer:
Types of processed data:
- Basic data (e.g. names, addresses).
- Contact data (e.g. email, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. websites visited, interest in contents, access times).
- Metadata/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (the data subjects are hereinafter jointly referred to as “users”).
Purpose of the processing
- Provision of the online offer, its functions and contents.
- Responding to contact requests and communication with users.
- Security measures.
- Reach measurement/marketing
Terms and definitions
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is very broad and includes practically any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons in accordance with Art. 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The measures particularly include ensuring the confidentiality, integrity and availability of data by monitoring the physical access to the data as well as the associated access, entry, transmission, ensuring availability and its separation. Moreover, we have established procedures that ensure the recognition of the rights of data subjects, erasure of data and a response to a threat to the data. In addition, we take account of the protection of data at the early development stage and the selection of hardware, software and procedures in line with the principle of data protection by design and default (Art. 25 GDPR).
Cooperation with processors and third parties
If we disclose data to other persons and companies (processors or third parties) as part of our processing, transmit data to such persons and companies or otherwise grant access to the data, this only takes place where this is permitted by law (e.g. if a transfer of the data to third parties, such as a payment service provider, is necessary to perform the contract in accordance with Art. 6(1) lit. b GDPR), you have provided your consent, a legal obligation to do so exists or based on our legitimate interests (e.g. when using agents, web hosters, etc.).
If we assign third parties to process data based on “contract data processing”, this takes place based on Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this takes place as part of the utilisation of third-party services or disclosure or the transfer of data to third parties, this only occurs in order to meet our (pre-)contractual obligations, on the basis of your consent, based on a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process the data in a third country, or allow the data to be processed in a third country if the special requirements in Art. 44 et seqq. GDPR are in place. This means, for example, that the processing takes place based on special guarantees, such as the officially recognised establishment of a level of data protection equivalent to that in the EU (e.g. for the USA, the “Privacy Shield”) or compliance with officially recognised special contractual obligations (“standard contract clauses”).
Rights of data subjects
You have the right to request confirmation as to whether or not data concerning you is being processed, and, where that is the case, access to further information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to complete the data concerning you or to rectify inaccurate data concerning you.
In accordance with Art. 17 GDPR, you have the right to demand the immediate erasure of the data concerning you or, alternatively, in accordance with Art. 18 GDPR, you have the right to demand a restriction of the processing of the data.
You have the right to receive the data concerning you, which you provided to us in accordance with Art. 20 GDPR, and the right to transmit this data to another controller.
Furthermore, in accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right to withdraw consent
You have the right to withdraw consents granted with effect for the future in accordance with Art. 7(3) GDPR.
Right to object
You can object to the future processing of data concerning you at any time in accordance with Art. 21 GDPR. The objection can particularly be made against processing for the purposes of direct marketing.
Cookies and right to object to direct marketing
“Cookies” are small files that are stored on users’ computers. Cookies can be used to store various information. A cookie is primarily used to store information on a user (or the device on which the cookie is stored) during or even after their visit to the online offer. Temporary cookies, “session cookies” or “transient cookies” are cookies that are deleted once a user exits an online offer and closes their browser. This kind of cookie can, for example, store the contents of a shopping basket in an online shop or a login status. “Permanent” or “persistent” cookies are those that remain stored even after closing the browser. For example, this allows the login status to be saved if users look this up after several days. This kind of cookie can also store user interests, which are used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the controller that operates the online offer (otherwise, if only the controller’s cookies are used, these are referred to as “first-party cookies”).
If users do not want cookies to be stored on their computer, they are asked to disable the relevant option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Disabling cookies can restrict the functions of this online offer.
For a range of services, especially in the case of tracking, a general objection to the use of the cookies used for online marketing purposes can be submitted via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Moreover, the storage of cookies can be prevented by disabling the browser settings. Please note that, in this case, not all of the functions of this online offer will be able to be used.
Erasure of data
According to the legal provisions in Germany, storage is effectively required for 10 years in accordance with Sections 147(1) AO (Tax Code), 257(1) no. 1 and 4 HGB (German Commercial Code) (accounts, records, management reports, accounting records, trading books, relevant tax documents, etc.) and 6 years in accordance with Section 257(1) no. 2 and 3, (4) HGB (business letters).
According to the legal provisions in Austria, storage is effectively required for 7 years in accordance with Section 132(1) BAO (Federal Fiscal Code) (accounting documents, receipts/invoices, accounts, business documents, breakdown of income and expenses, etc.), for 22 years in connection with properties and for 10 years for documents in connection with electronic services, telecommunication, radio and television services, which are provided for non-business customers in EU member states and for which the mini-one-stop-shop (MOSS) approach is used.
We process our customers’ data within the scope of our contractual services, including conceptual and strategic consultation, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analyses/consulting services and training services.
In doing so, we process basic data (e.g. customer master data, such as names and addresses), contact data (e.g. email, telephone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. object of the contract, term), payment data (e.g. bank account, payment history), usage and metadata (e.g. as part of the evaluation and success measurement of marketing measures). We essentially do not process special categories of personal data, except if these are part of a commissioned processing operation. The data subjects include our customers, prospective customers and their customers, users, website visitors and employees, as well as third parties. The purpose of the processing is to provide contractual services, billing and our customer service. The legal bases of the processing arise from Art. 6(1) lit. b GDPR (contractual services), Art. 6(1) lit. f GDPR (analysis, statistics, optimisation, security measures). We process data that is required to establish and perform the contractual services and refer to the necessity of their disclosure. Disclosure to external parties only takes place if this is necessary within the scope of an order. When processing the data transferred to us as part of an order, we act in accordance with the clients’ instructions as well as the legal provisions of contract data processing in accordance with Art. 28 GDPR and do not process the data for any other than the contractual purposes.
We erase the data after the expiration of the statutory warranty and similar obligations. The necessity of storing the data is reviewed every three years; if legal archiving obligations exist, the data is erased after these obligations expire (6 years according to Section 257(1) HGB, 10 years according to Section 147(1) AO). In case of data that is disclosed to us as part of an order by the client, we delete the data in accordance with the order’s specifications; essentially upon completion of the order.
Administration, financial accounting, office organisation, contact management
We process data as part of administration tasks as well as the organisation of our operation, financial accounting and compliance with legal obligations, such as archiving. In this case, we process the same data that we process within the scope of the provision of our contractual services. The processing is based on Art. 6(1) lit. c GDPR and Art. 6(1) lit. f GDPR. Customers, prospective customers, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation and archiving of data, i.e. tasks intended to maintain our business activities, perform our activities and provide our services. The erasure of the data with regard to contractual services and the contractual communication corresponds to the information provided for these processing activities.
In this respect, we disclose or transfer data to the fiscal authority, consultants, such as accountants or auditors, as well as other billing offices and payment service providers.
Moreover, we store information on suppliers, organisers and other business partners based on our commercial interests, e.g. to establish contact at a later date. We essentially store this predominantly corporate data permanently.
When establishing contact with us (e.g. via the contact form, email, telephone or social media), the user’s information is used to respond to and process the contact request in accordance with Art. 6(1) lit. b GDPR. The users’ information can be stored in a customer relationship management system (“CRM system”) or similar enquiry system.
We erase the enquiries once they are no longer required. We check the necessity every two years; the legal archiving obligations also apply.
Hosting and sending emails
The hosting services that we use are required to provide the following services: Infrastructure and platform services, processing capacity, memory and database services, sending emails, security services as well as technical maintenance services, which we use for the purpose of operating this online offer.
In this respect, we or our hosting providers process basic data, contact data, content data, contract data, usage data, metadata and communication data of customers, prospective customers and visitors to this online offer based on our legitimate interest of the efficient and secure provision of this online offer in accordance with Art. 6(1) lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a processing contract).
Collecting access data and logfiles
We or our hosting providers collect data on all access to the server on which this service is located (server logfiles) on the basis of our legitimate interests within the meaning of Art. 6(1) lit. f GDPR. The access data includes the name of the accessed website, the file, date and time of access, transferred data quantity, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited website), IP address and the requesting provider.
Logfile information is stored for a maximum of 7 days for security reasons (e.g. to clarify misuse or fraud) before it is erased. Data whose extended storage is necessary for evidentiary purposes is excepted from erasure until the final clarification of the relevant incident.
Google Tag Manager
Google Tag Manager is a solution that allows us to manage website tags via an interface (for example, to integrate Google Analytics and other Google marketing services in our online offer). The Tag Manager itself (which implements the tags) does not process any of the users’ personal data. With regard to the processing of the users’ personal data, reference is made to the following information on the Google services. User guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google is certified under the Privacy Shield agreement and guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf in order to evaluate the use of our online offer by the users, to compile reports on the activities within this online offer and to provide us with additional services related to the use of this online offer and the use of the internet. This may involve the creation of pseudonymous user profiles from the processed data.
We only use Google Analytics with activated IP anonymisation. This means that the user’s IP address is shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA, where it is shortened.
The IP address transmitted by the user’s browser is not pooled with other Google data. Users may prevent the storage of cookies by adjusting the settings on their browser software; users can also prevent the recording of the data generated by the cookie in relation to the use of the online offer by Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
The users’ personal data is erased or anonymised after 14 months.
Google AdWords and conversion measurement
The user data is processed using pseudonyms within the scope of the Google advertising network. That is, Google does not store and process, for example, the user’s name or email address; rather, it processes the relevant data based on the cookie within pseudonymous user profiles. From Google’s perspective, the advertisements are therefore not managed and displayed for a specifically identified person, but rather for the cookie owner, irrespective of who this cookie owner is. This does not apply if the user expressly allows Google to process the data without this pseudonymisation. The information collected about users is transmitted to Google and stored on Google servers in the USA.
You can object to Hotjar storing a user profile on our website and setting Hotjar tracking cookies on other websites via this link: https://www.hotjar.com/legal/compliance/opt-out
Integration of third-party services and contents
We use content or services offered by third-party providers within our online offer in order to integrate their contents and services, such as videos or font types (jointly referred to as “contents”) on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and efficient operation of our online offer within the meaning of Art. 6(1) lit. f GDPR).
This always requires the third-party providers of these contents to register the user’s IP address as, without the IP address, they could not send the contents to their browser. The IP address is therefore required to display these contents. We endeavour to only use the contents of providers who exclusively use the IP address to deliver the contents. Moreover, third-party providers can use pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” allow information, such as visitor traffic to the pages of this website, to be evaluated. Furthermore, the pseudonymous information can be stored in cookies on the user’s device and may also contain technical information on the browser and operating system, referrer websites, visiting time and other information on the use of our online offer and may also be connected with this type of information from other sources.
Online presences in social media
We maintain online presences within social networks and platforms in order to communicate with customers, prospective customers and users active in this area and inform them of our services.
Please note that user data may be processed outside the European Union as a result. This may lead to risks for users because, for example, the enforcement of user rights becomes more difficult. With regard to US providers that are certified under the Privacy Shield, it is important to note that they have made a commitment to comply with the EU’s data protection standards.
Moreover, user data is generally processed for market research and advertising purposes. For example, user profiles may be created from the user behaviour and the resulting user interests. The user profiles may, in turn, be used to place advertisements inside and outside the platforms that presumably correspond to the user’s interests. For these purposes, cookies are generally stored on user computers in which the user behaviours and interests are stored. Furthermore, data that is independent of the devices used by the users may be stored in the user profiles (especially if the users are members of the relevant platforms and are logged in).
The personal data of users is processed on the basis of our legitimate interest in effectively informing the users and communicating with the users in accordance with Art. 6(1) lit. f GDPR. If the users are asked to provide consent for the data processing by the relevant providers (i.e. declaring their consent, for example, by ticking a checkbox or pressing a button), the legal basis of the processing is Art. 6(1) lit. a, Art. 7 GDPR.
For a more detailed description of the relevant processing operations and the objection options (opt-out), we refer to the following links to the provider information.
In the event that you would like to request information or assert user rights, we would like to note that this will be most effective if the providers are contacted directly. Only the providers have access to the users’ data and can take immediate measures and provide information. But, if you require assistance, please contact us.