GENERAL PART

Group of persons addressed:
This data protection declaration is directed at all persons who book or purchase a free and/or chargeable service from us or who wish to obtain information about our offers. For reasons of better readability, the simultaneous use of masculine, feminine and various forms of language has been dispensed with. However, all personal designations apply to all genders.

Person responsible:
The person responsible within the meaning of Article 4 number 7 DSGVO for the processing of personal data described here is: Frank Marco Günzel UG, represented by Dipl.- Ing. Frank Marco Günzel, Bruno-Granz-Str. 10, 09122 Chemnitz, fmg@fmgi.de

Your rights:
You have several rights with regard to the personal data processed about you under the General Data Protection Regulation. In particular

• the right to information about the stored, personal data,
• the right to have inaccurately stored, personal data corrected,
• the right to erasure of personal data for the storage of which there is no legal basis,
• the right to restrict the processing of stored personal data
• the right to data portability,
• the right to lodge a complaint with the data protection supervisory authority responsible for us. Processing operations involving automated decision-making (including profiling, where applicable).

Insofar as we indicate in the following statement that automated decision-making takes place, this means that we exceptionally carry out a special form of data processing in these tools/processing constellations. In this context, we would like to point out the following:

1. The special form of processing is the so-called automated decision-making. These are decisions which are based exclusively on automated processing and which have a significant effect on you, in law or otherwise (e.g. decision on the establishment of a contract). Such processing also includes “profiling”, which consists in any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular for the purpose of analyzing or forecasting aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or conduct, location or change of location, where this produces legal effects concerning the data subject or similarly significantly affects him or her.
2. n principle, such processing operations are prohibited (see Article 22(1) of the GDPR), although there are also exceptions to this prohibition. If we invoke exceptions, we explain them in our data protection information for persons towards whom we make contractual decisions, i.e. usually customers and/or suppliers. We refer to this explanation.

If we do not refer to it, we also do not use this technology within the framework of our website.

Transfer of data to bodies outside the European Union
t is possible that we transfer personal data to bodies that are located outside the European Union or at least cannot exclude this (henceforth: third country body).
In these cases, we must guarantee in accordance with Article 44 of the GDPR that this does not fall below the level of protection of the GDPR. As a precaution, we would like to point out that the third country agency can be both a controller and a processor.

Insofar as we refer to a so-called adequacy decision in the following statement, this means that the third country agency is located in a country, territory or specific sector for which the Commission has decided that it offers an adequate level of protection. This guarantee then follows from Article 45 GDPR.

Insofar as we refer to the so-called standard contractual clauses in the following statement, this means that the third country agency accepts the so-called EU standard contractual clauses and has thus contractually committed itself to respecting the level of protection of the General Data Protection Regulation. This guarantee then follows from Article 46(1) and (5) of the GDPR.

Insofar as we refer in the following statement to the fact that you have consented to the transfer to the third country agency, this means that you have been informed of all existing possible risks of such transfers, for which there is no adequacy decision or other guarantees, and have nevertheless consented to the data transfer. This guarantee then follows from Article 49(1)(a) of the GDPR. For reasons of transparency, we describe the corresponding risks in a separate section.

We are only providing this information as a precautionary measure. It only applies if we refer to it in the following declaration. There is also the possibility that we do not make use of this.

SPECIAL CONSTELLATIONS

EU Standard Contractual Clauses and Third-Party Data Containers Located in the USA
In addition to the explanations under “Data transfer to bodies outside the European Union” – paragraph 3, we would like to draw your attention to a special constellation. In the case of transfers to third-country entities based in the USA, the possibility of invoking the EU standard contractual clauses is restricted. Therefore, to the extent that we intend to invoke (or are already invoking) the EU standard contractual clauses in this context, please note the following:

We will only rely on the EU Standard Contractual Clauses to transfer personal data to U.S. third country entities if we have first conducted a thorough review of the facts involved. In doing so, we first determine a risk level (type and, in particular, sensitivity of the data concerned, scope of data processing, purpose of data processing, susceptibility to misuse). We then check whether the contractual commitments of the US third-country office and the technical and organizational measures taken there (e.g. processing of data exclusively in EU-based data centers, encryption technology) sufficiently minimize the risks identified in advance. Only if we come to the conclusion that the EU standard contractual clauses are a sufficient guarantee in exceptional cases, even in the case of a U.S. third country, will we invoke them.

We are only providing this information as a precautionary measure. It shall only apply if we refer to it in the following declaration. There is also the possibility that we do not make use of this.

Consent to the transfer of data to third-country data centers located in the USA, including the risk notice
In addition to the explanations under “Data transfer to bodies outside the European Union” – paragraph 4, we would like to draw your attention to another special constellation. In the case of transfers to third-country entities based in the USA, the possibility of invoking the EU standard contractual clauses is limited. Therefore, in some cases, the only option is to ask you for your consent to this transfer. However, before you give this consent, we ask you to take note of the following risks and consider them when deciding whether to consent:

We urge you to note that data transfers to the U.S. without the protection of an adequacy decision may involve significant risks. In particular, please note the following risks:

1. There is no uniform data protection law in the U.S.; certainly not one comparable to the data protection law applicable in the EU. This means that both U.S. companies and government agencies have more opportunities to process your personal data, especially for advertising targeting, profiling and conducting (criminal) investigations. Our ability to take action against this is significantly limited.
2. The U.S. legislator has granted itself numerous access rights to your personal data (see, for example, Section 702 of FISA or E.O. 12333 in conjunction with PPD-28), which are not compatible with our understanding of the law. In particular, there is no proportionality test before access comparable to those in the European Union.
3. Citizens of the European Union cannot expect effective legal protection in the USA.
4. As a rule, we will only ask you for such consent if we have come to the conclusion that the U.S. third party cannot successfully invoke EU standard contractual clauses.

We make this statement merely as a precautionary measure. It shall only apply if we refer to it in the subsequent declaration. It is also possible that we will not make use of this.

Note on the legal obligation to process data
Only insofar as we refer to Article 6 (1) sentence 1 lit. c DSGVO in the following data protection declaration, there is a legal obligation to process. Special Part. Processing operations necessary for the performance of contracts (legal basis Article 6(1) sentence 1 lit. b DSGVO).
General information on the purpose and legal basis of the processing operations described below.
The purpose of the processing operations described below is the establishment, performance and/or termination of contracts.

The legal basis for the respective data processing is Article 6 (1) sentence 1 lit. b DSGVO. According to this provision, the processing of your personal data is also permissible without your consent if it is necessary for the performance of a contract to which you are a party or for the implementation of pre-contractual measures that take place at your request. This is the case here.

Profiling does not take place unless it is explicitly mentioned below.

General information on the purpose and legal basis of the processing operations described below.
The purpose of the processing operations described below is the establishment, performance and/or termination of contracts.

The legal basis for the respective data processing is Article 6 (1) sentence 1 lit. b DSGVO. According to this provision, the processing of your personal data is also permissible without your consent if it is necessary for the performance of a contract to which you are a party or for the implementation of pre-contractual measures that are carried out at your request. This is the case here.

Profiling does not take place unless it is explicitly mentioned below.

General information on the storage period with regard to the data within the scope of the processing operations described below.
We store the data as long as this is necessary to establish, execute and, if necessary, terminate the contract.

If a contractual relationship is established between us, we store the data additionally until the expiry of our statutory retention periods. The legal basis for this is Article 6 (1) sentence 1 lit. c DSGVO in conjunction with. § 147 AO, § 257 HGB. According to these regulations, some of the above-mentioned data must also be retained beyond the time when the purpose has been achieved.

Thus, we may be obliged to,

1. to retain data relating to you from books and records, inventories, annual financial statements, individual financial statements pursuant to Section 325 (2a) of the German Commercial Code (HGB), consolidated financial statements, management reports and group management reports, opening balances, accounting vouchers, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code, commercial ledgers, as well as the work instructions and other organizational documents required for their comprehension, for a period of ten years. As a rule, the retention period begins with the end of the calendar year in which the relevant document was created (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with. § 147 AO or in conjunction with. § 257 HGB),
2. to retain data concerning your person, which result from received commercial or business letters, from the reproduction of the received commercial or business letters as well as from other documents, which are of importance for the taxation, for six years, whereby the retention period begins as a rule with the end of the calendar year, in which the relevant document arose (Article 6 paragraph 1 sentence 1 lit. c DSGVO in connection with § 147 AO and/or i.V.m. § 257 HGB). § 147 AO or in conjunction with. § 257 HGB). Your use of our services and products. If you use one of our services and/or purchase products, regardless of whether this is for a fee or free of charge, we process all data that you provide to us as well as all data that is absolutely necessary for the establishment, execution and termination of the associated (possibly not for a fee) contract.

The use of an external accounting firm.
We have commissioned an external tax consultancy firm to carry out the accounting. This did not require a mandate under Article 28 GDPR, as the tax consultancy firm is already subject to strict professional law, which also regulates the duty of confidentiality.
We gladly described this processing operation as follows:

We transmit to this law firm your contact, billing and payment data and, if applicable, communication in the event of late payment, so that this law firm can provide us with tax advice and, if necessary, make declarations to the authorities responsible for the enforcement of tax law.

The use of Microsoft OneDrive cloud storage.
We use Microsoft OneDrive cloud storage to store data, the provider of which is Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 Ireland. We have commissioned this provider in accordance with Article 28 DSGVO. The provider’s privacy policy can be found here:

https://privacy.microsoft.com/de-de/privacystatement 

We gladly described this processing operation as follows:

We store all mandate-related data with this service provider and also retrieve it there. You can find out more about this at:

https://www.microsoft.com/de-de/microsoft-365/onedrive/onedrive-for-business  

Processing operations that are in our legitimate interest (legal basis Article 6(1) sentence 1 lit. f DSGVO).

General information on the purpose and legal basis of the processing operations described below.
The purpose of the processing operations described below is described separately for each tool/processing constellation. It is the decisive justification for our legitimate interest in the processing.

The legal basis for the respective data processing is Article 6 (1) sentence 1 lit. f DSGVO. According to this provision, the processing of your personal data is also permitted without your consent if it is necessary for the protection of our legitimate interests or those of a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data are overridden.

Profiling does not take place unless it is explicitly mentioned below. General information on the storage period regarding the data in the context of the processing operations described below.

We store the data until our purpose has ceased to exist, which is always the case if you have raised a justified objection (see “Notice on the right to object.”).

If a contractual relationship is established between us following processing based on the legitimate interest, we store the data additionally until the expiry of our statutory retention periods. The legal basis for this is Article 6 (1) sentence 1 lit. c DSGVO in conjunction with. § 147 AO, § 257 HGB. According to these regulations, some of the above-mentioned data must also be retained beyond the time when the purpose has been achieved. Thus, we may be obliged to,

1. to retain data relating to you from books and records, inventories, annual financial statements, individual financial statements pursuant to Section 325 (2a) of the German Commercial Code (HGB), consolidated financial statements, management reports and group management reports, opening balances, accounting vouchers, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code, commercial ledgers, as well as the work instructions and other organizational documents required for their comprehension, for a period of ten years. As a rule, the retention period begins with the end of the calendar year in which the relevant document was created (Article 6 (1) sentence 1 lit. c DSGVO in conjunction with. § 147 AO or in conjunction with. § 257 HGB),
2. to retain data concerning your person, which result from received commercial or business letters, from the reproduction of the received commercial or business letters as well as from other documents, which are of importance for the taxation, for six years, whereby the retention period begins as a rule with the end of the calendar year, in which the relevant document arose (Article 6 paragraph 1 sentence 1 lit. c DSGVO in connection with § 147 AO and/or i.V.m. § 257 HGB). § 147 AO or in conjunction with. § 257 HGB).

Note on the right to object.
Insofar as we base data processing in the following data protection statement on Article 6 (1) sentence 1 lit. f DSGVO, i.e. on a legitimate interest in the processing, you always have the right to object to the processing. As a rule, this is possible by sending an informal message to us (see “Responsible party.” above). If the objection is justified, we will stop the processing.

If the legitimate interest is based on the interest in direct advertising or promotional targeting, your objection is always justified, insofar as you are identified.

The processing of your data for the purpose of promotional targeting.

If you have not already been informed by us, we will inform you that we will now address you in an advertising manner.

We will use your name, e-mail address and order-related communication content as well as information on your reading and clicking behavior to address you in an advertising manner. The promotional approach via e-mail and/or postal mail. In terms of content, the promotional approach includes any statement by us, in the exercise of our, specific trade with the aim of promoting the sale of our goods or the provision of our services. This includes, but is not limited to, regular and irregular newsletters, invitations, customer satisfaction surveys and offers for specific products and services. Furthermore, the promotional approach includes that we may draw your attention to the free and chargeable products and services offered by our cooperation partners by e-mail.

Your data will not be transmitted to these cooperation partners. Rather, we merely recommend their products to you, whereby we can edit these messages ourselves. In particular, we would like to point out that you can object to the use of your data for advertising purposes at any time without incurring any costs other than the transmission costs according to the basic rates.

Our legitimate interest follows from the fact that a free and/or paid contractual relationship exists between us.

The use of Klick-Tipp.
We use Klick-Tipp. The provider of Klick-Tipp is KLICK-TIPP LIMITED, 15 Cambridge Court, 210 Shepherd’s Bush Road, London W6 7NJ, United Kingdom (hereinafter: Klick-Tipp). For more information about Klick-Tipp’s privacy practices, please visit:

https://www.klick-tipp.com/datenschutzerklärung   

You can find out more about the possible uses of your data and how it is processed at:

https://www.klick-tipp.com/handbuch   

Our contractual partner, Digistore24 GmbH, St.-Godehard-Straße 32, 31139 Hildesheim in Germany, has enabled us in its capacity as a reseller to gain access to Klick-Tipp services. Abstract to this, we have commissioned Klick-Tipp in accordance with Article 28 DSGVO. First, we carefully selected Klick-Tipp. Then, we contractually bound Klick-Tipp accordingly, thus ensuring in particular that we retain full control over the data and that Klick-Tipp follows our instructions. Finally, we will regularly review and monitor Klick-Tipp and thus ensure that Klick-Tipp continues to comply with data protection law.

The commissioning of this service provider is also not prevented by the fact that it has its registered office outside the European Union. This is because, in view of the agreement between us and the provider, the data processing associated with this is additionally justified by Article 46 DSGVO in conjunction with the Commission Decision of 5 February 2010 on standard contractual clauses (C (2010) 593) of 5 February 2010.

In our communication with you (for example, to process the contract or follow-up emails) and in the delivery of newsletters and webinars, we use in particular the so-called “tags” of Klick-Tipp. A tag is a label of information with additional information, specifications or categories.

With so-called tagging, information is linked with suitable keywords, categories or other parameters defined by us in advance. You can find more information about tagging at Klick-Tipp at

https://www.klick-tipp.com/handbuch/erste-schritte/tag-erstellen 

It is important that we use and define these tags and that Klick-Tipp follows our instructions here. Klick-Tipp uses so-called SmartTags and manual tags. SmartTags are used when you register for something (appointment, newsletter, webinar, etc.) via a registration form. In this case, you automatically receive a tag with the name of the relevant registration form.

Klick-Tipp also automatically sets the tags “Email received”, “Email opened”, “Email clicked” and “Email viewed in browser” for us. We set manual tags completely independently. For example, we may tag you “customer” or, more specifically, “product B purchased” or “webinar viewed up to this point”. Klick-Tipp collects some of the information that becomes the basis for tagging via additional tracking pixels. The tags are basically used to enable us to fulfill our pre-contractual and contractual obligations.

Furthermore, they enable us to communicate with you in an automated manner, which increases our accessibility and thus our service level. If we use the tags to send advertising, this is part of the legal basis claimed for this. We also use the tags to improve promotional targeting. If you do not want any analysis by Klick-Tipp, you must therefore unsubscribe from the newsletter or webinar. For this purpose, we provide a corresponding link in every message aimed at this. Furthermore, you can also unsubscribe from the newsletter or webinar directly on the website.

Klick-Tipp provides interfaces for the use of other third-party service providers. Insofar as we use third-party service providers via these interfaces, we refer to the rest of the data protection declaration and the explanations regarding the third-party service providers there.