With the following information we would like to give you an overview of how Andersch AG (“Andersch”) processes your personal data and of your rights under data protection law. Which individual data are processed and how they are used depends substantially on your relationship to us, whether you are a client, employee, website user or other data subject (such as a freelancer appointed for a certain project or someone who is interested in our services). Therefore, not all parts of this information will apply to you.
Who is responsible for the data processing (the controller) and who can I contact for information?
The controller is
Neue Mainzer Straße 80
60311 Frankfurt am Main, Germany
You can contact our data protection officer at:
RA Florian Hoffmann
- Data Protection Officer -
Neue Mainzer Straße 80
60311 Frankfurt am Main, Germany
Which data and sources do we use?
We process personal data that we have received from our clients in the scope of our business relationships or from our employees in the scope of the employment (including trainees and working students), from website users or other data subjects. Furthermore, we process, if required to carry out our services, personal data that we have obtained legally from publicly accessible sources (e.g. commercial and company registers, land registers, press, internet) or that third parties have been authorized to give us (e.g. from a credit agency).
Relevant personal data are personal details (name, address and other contact information, date and place of birth as well as nationality) and identification data (e.g. information on passports or ID cards). These can also include order information (e.g. from our assignment letter), data from fulfilling our contractual obligations (e.g. from our payment transactions), documentation data (e.g. consultation report) as well as other data comparable to the categories stated here.
Why and on which legal basis do we process your data?
We process personal data as per the provisions in the
- General Data Protection Regulation (GDPR) and the
- German Federal Data Protection Act (BDSG).
(1) Within the scope of employment (Art. 26 (1) sentence 1 GDPR)
We process the personal data of our employees (including trainees and working students) in order to enter into, perform and end the respective employment.
(2) Based on consent having been given (Art. 6 (1) point a) GDPR)
If you have given us consent to process personal data for certain purposes (e.g. to establish contact, receive newsletters, register to our annual restructuring meeting), the lawfulness of this processing is based on your consent. The data subject has the right to withdraw his or her consent at any time. This also applies to the withdrawal of a declaration of consent that was given to us before the GDPR became valid, thus prior to 25 May 2018. The withdrawal of consent only applies to the future and is without prejudice to the lawfulness of the data processed before the withdrawal.
(3) For fulfilling (pre)contractual obligations (Art. 6 (1) point b) GDPR)
The processing of personal data belonging to our clients and to freelancers appointed by us for a certain project is necessary to perform and fulfill our contractual services with our clients or in order to take steps at the request of the data subject prior to entering into a contract. Further details on the data processing purposes are available in the relevant contractual documents and terms and conditions.
(4) Based on legal obligations (Art. 6 (1) point c) GDPR)
Furthermore, as a public limited company, we are subject to various legal obligations (e.g. in the German Commercial Code (HGB), German Stock Corporation Act (AktG), the German Securities Trading Act (WpHG), the German Money Laundering Act (GwG), tax laws). Processing purposes include, among others, the identification obligation to prevent money laundering, the obligation to set up and store reference files and compliance with reporting obligations under tax law.
(5) Based on overriding interests (Art. 6 (1) point f) GDPR)
If required in order to safeguard legitimate interests on our part, we will process your data beyond the purposes stated above, especially for
- measures to manage the business and to further develop services and products,
- marketing (also for direct contact) and market research provided you have not objected to the use of your data,
- establishing legal claims and defense in legal disputes.
Who can get hold of my data?
At Andersch, the people who require access to your data in order to fulfil our contractual and legal obligations are given access to your data. External third parties (especially freelancers and IT services) appointed by us and their vicarious agents may also be given data for these purposes and are bound by contract to treat all data confidentially. Data may also be transferred to other recipients, for instance, if you have given your consent to such bodies receiving your personal data or if we are authorized, based on overriding interests, to transfer the data to such bodies.
Are data transmitted to third countries?
There is basically no data transmission to bodies in countries outside of the European Union (in so-called third countries), unless
- it is prescribed by law (e.g. due to reporting obligations under tax law, provisions for combatting money laundering, terrorist financing and other criminal acts),
- you have given us your consent for this, or
- it is necessary, in order to ensure IT operations and the CRM system at Andersch, to transmit your personal data, possibly to an IT service in the US or another third country that maintains the same level of data protection as in Europe.
How long will my data be stored for?
We process and store your personal data as long as it is required for us to fulfil our contractual and legal obligations. It should be noted that our business relationship is a contract for the performance of a continuing obligation that certainly lasts several months and in many cases many years.
Once the data is no longer required for fulfilling contractual or legal obligations, such data is erased regularly unless the further processing (for a limited period) is required for the following purposes:
- to fulfill the obligation to preserve records under trade or tax law that may in particular arise from the German Commercial Code (HGB), German Stock Corporation Act (AktG), the German Money Laundering Act (GwG), the German Securities Trading Act (WpHG) and the German Tax Code. The time limits prescribed there for the preservation of relevant documents generally amount to between two and ten years.
- to keep evidentiary documents in line with the statute of limitations.
As per Sections 195 et seq. of the German Civil Code (BGB) statutes of limitation may last up to thirty years whereby the standard limitation period is three years.
What data protection rights do I have?
Each and every data subject has
- the right to access as per Art. 15 GDPR,
- the right to request rectification as per Art. 16 GDPR,
- the right to erasure as per Art. 17 GDPR,
- the right to restriction of processing as per Art. 18 GDPR,
- the right to object as per Art. 21 GDPR,
- the right to data portability as per Art. 20 GDPR.
The restrictions as per Sections 34 and 35 German Federal Data Protection Act (BDSG) apply to the right of access and the right to erasure. Moreover, the right to lodge a complaint with a competent data protection supervisory authority applies as per Art. 77 GDPR in conjunction with Section 19 German Federal Data Protection Act (BDSG).
You may withdraw consent given for processing personal data at any time. This also applies to the withdrawal of a declaration of consent that was given to Andersch before the GDPR became valid, thus prior to 25 May 2018. Please note that the withdrawal only applies to the future. It does not affect processing that took place before the withdrawal.
How does Art. 21 GDPR determine the right to object?
On grounds relating to your particular situation, you have the right to object at any time to processing of personal data concerning you which is based on Art. 6 (1) point f) GDPR (weighing up different interests); this also includes profiling within the meaning of Art. 4 (4) GDPR based on those provisions.
If you object, we will no longer process the personal data concerned, unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also includes profiling provided to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be written informally with the subject line “objection”, including your name, address and date of birth, and be sent to our data protection officer (see above).
Am I under obligation to make data available?
Within the scope of your business relationship with Andersch, you must make available any personal data that are required to enter into, perform and end a business relationship and that are required to fulfill the contractual obligations relating thereto or that we are legally required to collect. Generally, we will not be able to conclude, perform or end a contract with you without such data.
In particular, we are bound by the money laundering rules to identify you by means of your ID document before entering into a business relationship and thereby to collect and record your name, date and place of birth, nationality, address and ID information (cf. Section 11 (1) and (4) of the German Money Laundering Act (GwG)). To enable us to comply with this obligation, you are required under the German Money Laundering Act (GwG) to make available the necessary information and documents and inform us without undue delay of any changes to such information that may occur during our business relationship. If you do not make available to us the necessary information and documents, we will not be able to honor your request to begin or continue the business relationship.
To what extent does automated decision-making or profiling take place?
Andersch does not employ any fully automated decision-making as per Art. 22 GDPR to enter into or perform business relationships.
We process some of your data automatically in order to evaluate certain personal aspects (so-called profiling), for example in order to inform you about and offer advice on our products and services. This enables us to communicate, undertake marketing and market research on an as-needed basis.
Which data is collected, processed or used on the Andersch website and for what purposes?
It could however result in not all features on our website being available for use.
(2) Log files
Each time a page is clicked on, the Andersch website records various general data and information. This general data and information is stored in the server’s log files.
- The browser type and versions used,
- the operating system used by the accessing system,
- the referrer website from which an accessing system reaches our website,
- the sub-pages that an accessing system wants to reach on our website,
- the date and time the page was accessed,
- an internet protocol address (IP-address),
- the internet service provider of the accessing system and
- other similar data and information that serve to avert danger in the event of attacks on our information technology systems
may be collected.
When using this general data and information, Andersch draws no inferences about the data subject. Rather, this information is required to
- deliver the website content correctly,
- optimize the content of our website and website marketing,
- ensure our information technology systems and our website technology function permanently, and
- make available any information required for criminal prosecution to the prosecution authorities in the event of a cyber attack.
These anonymous data and information collected are thus analyzed by Andersch for statistical reasons and with the objective of increasing data protection and data security in our company in order to ensure an optimal level of protection for the personal data that we process. The anonymous data of the server log files are stored separately from all personal data made available by the data subject.
In order to contact you, send newsletters, register you for our annual restructuring meeting etc. as offered on our website, we ask you to provide us with your name, address and email address via the standard contact form. By entering your data, you consent to us storing your data and to using your data for the purposes stated above. The data subject has the right to withdraw his or her consent at any time.
(4) Newsletter data
If you would like to receive the newsletter offered on the website of Andersch, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address and agree to receive the newsletter. Further data is not collected, or only on a voluntary basis. We use these data exclusively for sending the requested information and do not pass them on to third parties.
The processing of the data entered in the newsletter registration form is based exclusively on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to the storage of the data, the e-mail address as well as its use for sending the newsletter at any time, e.g. via the “unsubscribe” link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation. The data you have provided us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have cancelled your subscription. Data that has been stored by us for other purposes remains unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored in a blacklist by us or the newsletter service provider to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in compliance with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interests.
(5) Google Analytics, Google-AdWords
Andersch has integrated the Google Analytics components on its website (with anonymization function).
Google Analytics is a web analysis service. Web analysis is the collection, compilation and evaluation of behavioral data of people using the website. A web analysis service records, for instance, data showing from which website the data subject accessed a website (referrer website), which sub-pages were accessed and how often a sub-page was visited and how much time was spent on it.
The controller, who is responsible for the processing, uses the ending “_gat._anonymizeIp” for the web analysis via Google Analytics. This ending means that the IP address of the data subject’s internet connection is shortened and anonymized by Google if our website is accessed from a Member State of the European Union or another state party to the Agreement on the European Economic Area.
The purpose of the Google-Analytics component is to analyze the streams of visitors on our website. Google uses the data and information collected, among other things, to analyze how our website is used, to collate online reports for Andersch which show the activity on our website, and to perform other services in connection with the use of our website.
Andersch has also integrated Google AdWords on its website.
Google AdWords is a service for internet marketing that allows the advertiser to advertise in the Google search engine results as well as in the Google advertising network. Google AdWords allows an advertiser to pre-determine certain key words with which an advertisement is then shown in the Google search engine results only if the user enters a search that is relevant to the key word in the search engine. In the Google advertising network, advertisements are distributed among relevant websites by means of an automatic algorithm taking into consideration the key words that were set in advance.
The purpose of Google AdWords is to advertise our website by displaying interest-relevant advertisement on third party websites and in the search engine results of the Google search engine and, if applicable, to display third party advertisements on our website.
Website users may object to the interest-related advertisements on Google. To do this, the data subject must go to www.google.de/settings/ads on all browsers used and make the appropriate settings there.
Both Google Analytics and Google AdWords generally place cookies on the information technology system of the respective data subject (for cookies see above).
The Google Analytics component and Google AdWords are operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Click on https://www.google.com/intl/de_de/analytics/ for a more detailed description of Google Analytics.
Andersch has also integrated YouTube components on its website.
YouTube is an internet video site that allows video publishers to upload videoclips free of charge and also allows other users to watch, evaluate and comment on them free of charge. YouTube allows all kinds of videos to be published and full-length films and television programs, music videos, film trailers or videos made by users can be accessed via the website.
Each time that one of the Andersch web pages with an integrated YouTube component (YouTube video) is clicked on, the respective YouTube component automatically triggers the internet browser on the data subject’s information technology system to download the respective YouTube component information from YouTube.
Within this technical process, YouTube and Google are given information as to which exact sub-page on our website the data subject is visiting. If the data subject is simultaneously logged into YouTube, YouTube recognizes upon calling up a sub-page that includes a YouTube video, which exact sub-page on our website the data subject is visiting. This information is collected by YouTube and Google and attributed to the data subject’s YouTube account.
YouTube and Google gain information via the YouTube components whenever the data subject has visited our website if the data subject is logged into YouTube when he or she clicks on our website; it is irrelevant whether the data subject clicks on a YouTube video or not. If the data subject does not want such information to be transmitted to YouTube and Google, the transmission can be prevented if the data subject logs out of YouTube before clicking on our website.
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data policy published by YouTube can be accessed via this link: https://www.google.de/intl/de/policies/privacy/.
Click on https://www.youtube.com/yt/about/de/ for further details on YouTube.
Andersch has also integrated components from LinkedIn Corporation on its website.
LinkedIn is an internet-based social network that connects users with existing business contacts and enables new business contacts to be made.
Each time that one of our web pages with an integrated LinkedIn component (LinkedIn plug-in) is clicked on, this component triggers the internet browser used by the data subject to download the respective component information from LinkedIn. Within this technical process, LinkedIn is given information as to which exact sub-page on our website the data subject is visiting.
If the data subject is simultaneously logged into LinkedIn, LinkedIn recognizes which exact sub-page on our website the data subject is visiting each time the data subject clicks on our website and during the entire time spent on our website. This information is collected by the LinkedIn component and attributed by LinkedIn to the data subject’s LinkedIn account. If the data subject clicks on the LinkedIn button integrated on our website, LinkedIn attributes this information to the data subject’s personal LinkedIn account and stores the personal data.
LinkedIn gains information via the LinkedIn component whenever the data subject has visited our website when the data subject is logged into LinkedIn when he or she clicks on our website; it is irrelevant whether the data subject clicks on the LinkedIn component or not. If the data subject does not want such information to be transmitted to LinkedIn and Google, the transmission can be prevented if the data subject logs out of LinkedIn before clicking on our website.
LinkedIn allows you to unsubscribe from emails, text messages and targeted advertisements and to manage the advertisement settings by clicking on https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame which may set cookies. Such cookies can be rejected by clicking on https://www.linkedin.com/legal/cookie-policy.
Further information on LinkedIn plug-ins is available at https://developer.linkedin.com/plugins.
LinkedIn Insights and Conversion Tracking
The websites of Andersch use the LinkedIn Insight tag of the network LinkedIn.
Provider is the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.
The LinkedIn Insight tag creates a LinkedIn “browser cookie” that collects the following information:
- IP address,
- Page activities,
- demographic information about LinkedIn, if the user is an active LinkedIn member
This technology allows Andersch to generate reports on the performance of our ads as well as information on website interaction. To do this, the LinkedIn Insight tag is embedded on Andersch’s website, which connects to the LinkedIn server if you visit that website and are logged into your LinkedIn account.
Andersch processes your data to evaluate campaigns and collect information about website visitors that Andersch may have reached through campaigns on LinkedIn.
We process your data because you have consented to this (Art. 6 para. 1 p. 1 lit. a GDPR). Andersch stores your data as long as we need it for the respective purpose (campaign evaluation), or you have not objected to the storage of your data or have revoked your consent. The collected data is encrypted.
Andersch has integrated Xing components on its website.
Xing is an internet-based social network that connects users with existing business contacts and enables new business contacts to be made. Individual users can set up a personal profile on Xing. Companies can set up a company profile or publish job offers on Xing.
Each time that one of our web pages with an integrated Xing component (Xing plug-in) is clicked on, the respective Xing component automatically triggers the internet browser on the data subject’s information technology system to download the respective Xing component information from Xing. Further information on Xing plug-ins is available at https://dev.xing.com/plugins.
Within this technical process, Xing is given information as to which exact sub-page on our website the data subject is visiting.
If the data subject is simultaneously logged into Xing, Xing recognizes which exact sub-page on our website the data subject is visiting each time the data subject clicks on our website and during the entire time spent on our website. This information is collected by the Xing component and attributed by Xing to the data subject’s Xing account. If the data subject clicks on the Xing button integrated on our website, for example the “Share” button, Xing attributes this information to the data subject’s personal Xing account and stores the personal data.
Xing gains information via the Xing components whenever the data subject has visited our website when the data subject is logged into Xing when he or she clicks on our website; it is irrelevant whether the data subject clicks on the Xing component or not. If the data subject does not want such information to be transmitted to Xing, the transmission can be prevented if the data subject logs out of his or her Xing account before clicking on our website.
Xing is operated by XING SE, Dammtorstraße 30, 20354 Hamburg, Germany.
(9) Perspective (Mobile Funnel)
On its internet pages, Andersch uses a so-called mobile funnel (hereinafter: Funnel), operated by Perspective Software GmbH (hereinafter: Perspective), a company based in Germany, which offers software for the creation and operation of Mobile Funnel (https://perspective.co/impressum). The data entered when using Mobile Funnel will be transmitted using SSL encryption and stored in a database. The operator of this website is solely responsible for this data in the sense of Art. 24 GDPR. Perspective is only the operator of the software and in this context is a processor according to Art. 28 GDPR. The basis for the processing by Perspective is a contract for order processing between the responsible party and Perspective. In addition, Perspective Software GmbH processes further data, some of which may also be personal data, in order to provide its services, in particular for the operation of Mobile Funnel. This will be discussed in detail in the following.
The responsible body in terms of data protection law is:
Perspective Software GmbH, Müggelstraße 22, 10247 Berlin, e-mail: firstname.lastname@example.org
Access logs (“Server Logs”)
With each access to the funnels, general log data, so-called server logs, are automatically recorded. These data are usually pseudonyms and therefore do not allow conclusions about a natural person. Without this data it would be technically partly impossible to deliver and display the contents of the software. In addition, the processing of this data is absolutely necessary for security reasons, especially for access, input, transfer and storage control. In addition, the anonymous information may be used for statistical purposes and for optimizing the offer and technology. In addition, the log files can be subsequently checked and evaluated if there is any suspicion of illegal use of the software.
The legal basis for this can be found in § 15 (1) Telemedia Act (TMG) and Art. 6 (1) f GDPR. In general, data such as the domain name of the website, the web browser and web browser version, the operating system and the time stamp of access to the software are recorded. The user’s IP address is not stored. However, the user is assigned a so-called session ID. The scope of this logging does not exceed the usual scope of any other website on the Internet. The storage period of these access logs is up to 7 days. A right of objection does not exist.
Collection of User Behavior Data
In general, data such as the domain name of the website, the web browser and web browser version, the operating system, the user’s session ID and the time stamp of access to the software are collected. All data that the user enters when using the funnel (e.g. answering form fields; use of interactive components) is assigned to the user by means of a session ID and made available to the operator of this website. The operator of this website is responsible for the deletion, storage and further processing of this personal data in accordance with current legislation.
Rights of affected persons
If personal data is processed by Perspective Software GmbH as the responsible party, you as a data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR) depending on the legal basis and purpose of the processing, in particular the right to information (Art. 15 GDPR), the right of rectification (Art. 16 GDPR), the right of deletion (Art. 17 GDPR), the right to restrict processing (Art. 18 GDPR), the right to data transferability (Art. 20 GDPR), the right of objection (Art. 21 GDPR). If the processing of personal data is based on your consent, you have the right to revoke this data protection consent in accordance with Art. 7 III GDPR. Please contact the data protection officer of Perspective Software GmbH (see item B.) in order to assert your rights as a data subject with regard to the data processed for the operation of the Funnel.
We have concluded a so-called commissioned data processing agreement with Perspective, in which we commit Perspective to protect our customers’ data and not to pass it on to third parties.
The websites of Andersch use ActiveCampaign for sending newsletters.
The provider is ActiveCampaign, Inc, 1 N Dearborn, 5th Floor Chicago, Illinois 60602, USA.
ActiveCampaign is a service that can be used to organize and analyze the sending of newsletters, among other things. The data you enter to subscribe to the newsletter is stored on ActiveCampaign’s servers in Germany. If you do not wish to receive analysis from ActiveCampaign, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. You can also unsubscribe directly on the website.
Data analysis by ActiveCampaign
ActiveCampaign enables us to analyze our newsletter campaigns. For example, we can see whether a newsletter message was opened and which links were clicked on, if any. In this way, we can determine which links were clicked on particularly often. In addition, we can see whether certain previously defined actions were carried out after opening/clicking (conversion rate). For example, we can see whether you have made a purchase after clicking on the newsletter. ActiveCampaign also allows us to subdivide the newsletter recipients by different tags (“clustering”). This allows us to divide the newsletter recipients according to age, gender, place of residence, or offers received via the newsletter, for example. In this way, the newsletters can be better adapted to the respective target groups.
For detailed information about the features of ActiveCampaign, please follow the link below: https://www.activecampaign.com/email-marketing.
ActiveCampaign is certified according to the “EU-US Privacy Shield”. The Privacy-Shield is an agreement between the European Union and the United States to ensure compliance with European data protection standards for data processing in the United States. Every company certified according to the Privacy-Shield commits itself to comply with these data protection standards. Further details can be found at: https://www.activecampaign.com/gdpr-updates/.
The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The legality of the data processing operations already performed remains unaffected by the revocation.
Storage period
The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe.
After you have been removed from the newsletter distribution list, your e-mail address may be stored in a blacklist by us or the newsletter service provider to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in compliance with the legal requirements when sending newsletters (legitimate interest in the sense of Art. 6 para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.
Conclusion of a contract on order processing
We have a contract with ActiveCampaign under which ActiveCampaign agrees to protect our customers’ information and not to share it with third parties.
To integrate different databases and tools we use Zapier, a service of
Zapier Inc, 548 Market St #62411, San Francisco, California 94104, USA.
Customer data can be transmitted with the exception of payment data. Further information on data protection at Zapier can be found at https://zapier.com/privacy/.
We have concluded a so-called order data processing agreement with Zapier, in which we commit Zapier to protect our customers’ data and not to pass it on to third parties.