Research
|
DE

Privacy Policy

1. Controller

8com GmbH & Co. KG
represented by Sandra Schartner, Götz Schartner
Europastrasse 32
67433 Neustadt/Wstr.

Phone: +49 6321 / 484 46 - 0
Fax: +49 6321 / 484 46 - 29
E-Mail: info@8com.de
Internet: www.8com.de

(hereafter “8com” or “We”)

2. Contact details of the data protection officer

Thomas Ott
Kolbcom GmbH
P7 22
68161 Mannheim
E-Mail: dsb@8com.de

We welcome you to our website. The protection of your data is very important to us. We therefore explain below how we process your personal data.

3. General processing of user data

The use of our website is generally possible without providing personal data.
However, we would like to point out that access data is still collected in this case and stored in the server log files. This includes the following data in particular:

• Browser type / browser version
• Operating system
• IP address

As a matter of principle, we evaluate this information in anonymized form to defend against attacks and to improve our offer (processing of personal data in the context of a balancing of interests pursuant to Art. 6 para. 1 p. 1 lit. f) GDPR) and subsequently delete it. The data cannot be traced back to you personally and will not be merged with other data.

However, in the event of concrete indications of unlawful use, we reserve the right to evaluate the data retrospectively.

4. Processing of personal data

In principle, we process the personal data that is transmitted by you in connection with the use of our website or which you communicate to us in the context of an inquiry, a pre-contractual legal relationship, or a contractual relationship. In individual cases and insofar as this is necessary for the performance of the contract, we also process personal data that has been lawfully extracted from publicly accessible sources (e.g. commercial registers, debtor directories, Internet) or has been lawfully transmitted to us by third parties (e.g. credit agencies).

This may include technical data relating to you (IP address, browser type), personal data (name, birthday, legal representative), address data (address, e-mail address, contact person), financial data (name of account holder, IBAN, BIC), contract data (contract term, purchased services, cancellations), communication data (correspondence, e-mail traffic), advertising data (advertising letters) and other comparable categories of personal data.

In connection with our business relationships with customers, we process the following personal data:

• Customer master data (first name, last name, acad. title)
• Contact data (address, telephone number and e-mail address)
• Bank data (esp. account data)
• Invoice address
• Place of delivery or service
• Billing data
• Contract data
• Dunning history and collection data
• Communication data (e-mails, telephone calls, logs)

4.1. Processing of personal data after consent (Art. 6 para. 1 p. 1 lit. a) GDPR)

We obtain consent from you in individual cases for specific purposes expressly designated in connection with the collection of data.

In these cases, data is processed exclusively based on your consent. It may be that the processing of your request is not possible without your consent and must therefore be made dependent on it. The data will be processed exclusively for the purpose(s) expressly stated.

You can revoke the consent you have given at any time with effect for the future. The revocation has no influence on the lawfulness of the processing until the time of the revocation.

4.2. Processing of personal data for contract execution or contract initiation (Art. 6 para. 1 p. 1 lit. b) GDPR)

If a contract is concluded with us, we use personal data insofar as this is necessary for the execution of the contract or for the implementation of pre-contractual measures. The purposes of the data processing depend on the concrete contents of the contract, which you can find in the contract documents.
If a contract already exists with us, we process your data in order to verify that you are our contractual partner and in order to properly provide the contractual service owed.

4.3. Processing of personal data in the context of a balancing of interests (Art. 6 para. 1 p. 1 lit. f) GDPR)

We process personal data after balancing interests, insofar as this is necessary to protect our interests or the interests of third parties.

Examples of such purposes are:

• Ensuring the IT security and integrity of our systems
• Prevention or investigation of criminal offences
• Assertion of or defense against legal claims

5. Purposes of processing and legal bases

a) Execution and initiation of contracts

We process your personal data primarily in the context of the initiation of a contractual relationship with you to answer your inquiries, to process your orders and to make certain information about our offers accessible. Furthermore, the processing of your personal data is necessary to properly provide and invoice our services. Insofar as the processing of your personal data is necessary for the initiation or implementation of a contractual relationship with us or in the context of the implementation of pre-contractual measures, the processing is carried out lawfully based on Art. 6 para 1 p. 1 lit. b) of the GDPR.

b) Consent

If you expressly give us consent to process your personal data for certain purposes, the respective processing is carried out lawfully on the basis of Art. 6 (1) p. 1 lit. a) GDPR. Consent is given voluntarily and can be revoked at any time with effect for the future; refusal to give consent is not associated with any disadvantages. You can revoke your consent at any time without giving any reason with effect for the future (see section 10 below).

c) Legal obligation

In some cases, we are subject to legal obligations that make it necessary for us to process your personal data. If we process your data on the basis of such an obligation, this is done on the basis of art. 6 para. 1 p. 1 lit. c) GDPR.

d) Legitimate interest

We also process your personal data insofar as this is necessary to protect the legitimate interests of us or third parties and it does not represent an unjustified interference with your rights and interests. The legal basis for such processing is art. 6 para. 1 p. 1 lit. f) DSGVO. Legitimate interests on the basis of which we process your data are in particular:

• Improvement of our services and products
• Creation of customized offers and products
• Marketing communication
• Prevention of credit risks
• Prevention and investigation of criminal offences
• Recovery of receivables
• Assertion and defense of legal claims
• Effective execution of the deletion of your data
• Compliance with legal requirements

5.1. Contact & service presentation

If you contact us by e-mail or telephone, we process the personal data you provide to respond to your inquiry. The legal basis for this is generally art. 6 para. 1 p. 1 lit. b) GDPR, but exceptionally, if there is no contractual reference, art. 6 para. 1 p. 1 lit. f) GDPR, whereby the legitimate interest lies in the proper response to your inquiry. We delete the data after the final processing of your request, unless there is a contractual or legal obligation to retain the data.

The same applies insofar as we communicate with you in the context of a web session or a service presentation and present our products and services to you in more detail. Regarding the respective service providers that we use to provide the communication channel, we refer to the following explanations.

If you agree to a callback with us, the data processing associated with the callback is carried out based on art. 6 para. 1 p. 1 lit. b) GDPR, insofar as a contractual relationship exists, and otherwise to protect the common legitimate interest in the desired communication in accordance with art. 6 para. 1 p. 1 lit. f) GDPR.

6. Source of the personal data

We usually collect personal data only directly from you. If we have not received your contact details from you personally (e.g.: handing over a business card or cover letter by e-mail), we obtain your data from the company for which you work because we have a business relationship with them and you have been identified as our contact person, or we access publicly available information from public sources (such as company websites).

6.1. Contact form

If you send us an inquiry via our contact form, we process the data you provide based on your consent pursuant to art. 6 para. 1 p. 1 lit. a) GDPR in order to process your inquiry. In principle, your data will be deleted after processing the request, unless there is a contractual or legal obligation to retain it. If you provide us with contractually relevant information, we will transfer it to our inventory system.

You can revoke your consent at any time with effect for the future using any of the contact details provided.

6.2. Live chat feature (Userlike)

Our site uses a live chat feature. This is made possible by the software of Userlike UG, Probsteigasse 44-46, 50670 Cologne. The chat can be used like a contact form to communicate in real time with our employees.

In this context, data is collected, processed and stored. This includes chat transcript, e-mail address, name, URL (where the chat was started), survey before and after the chat, chat topic, chat status, chat rating after the chat, duration of the chat, date of the chat, user generated content, IP address. Depending on your request and the information you have provided, further personal data may be collected and processed. The legal basis for this processing is your consent in accordance with art. 6 para. 1 p. 1 lit. a) GDPR.

The data will be deleted after 30 days unless the storage is necessary for the implementation of a contractual relationship. In this case, further processing is carried out in accordance with the above-mentioned general requirements.

Cookies are also used as part of the live chat feature. The use takes place in accordance with the information provided under "Use of cookies & local storage".

A data processing contract has been concluded between us and Userlike in accordance with art. 28 (3) of the GDPR.

Please also refer to the data protection provisions of Userlike:

https://www.userlike.com/de/data-privacy

6.3. Job application

Insofar as we process data as part of your job application, please refer to the privacy policy for applicants, available at https://www.8com.de/datenschutzerklarung-bewerbungen.

We process your data, in particular your name, contact information, curriculum vitae, evidence of academic, professional and vocational achievements and content data that you provide in your cover letter, for the purpose of concluding an employment contract. The legal basis for this data processing is § 26 BDSG. We store your data, should the application not be successful, for 6 months after the end of the application process. Should your application lead to employment, your data will be stored for the duration of the employment relationship.

We ask you not to provide any particularly sensitive data with your application. This concerns data on racial or ethnic origin, political opinion, religious or ideological beliefs or trade union membership, genetic data, biometric data for the unique identification of a natural person, health data, data on sex life or sexual orientation, see art. 9 para. 1 GDPR. We also ask you not to attach a photograph to the application.

6.4. Use of cookies & local storage

During your visit to our website, various cookies and local storage technologies may be used. Cookies are text files that are placed on your computer and, among other things, enable a smooth visit to our website. In the case of local storage, data is stored locally in the cache of your browser, whereby this data continues to exist and can be read even after the browser window is closed - provided the cache is not deleted.

In some cases, cookies or local storage are necessary to ensure the functionality or IT security of our website. The use of such functional cookies is based on a legitimate interest in enabling the use of our website including its functions according to art. 6 para. 1 p. 1 lit. f) GDPR. Furthermore, the processing in these cases is carried out in accordance with Section 25 (2) No. 2 TTDSG.

We may use other – unnecessary – cookies or local storage techniques on the basis of art. 6 para. 1 p. 1 lit. a) GDPR and thus based on your consent. The purposes of the cookies used in each case may include:

• Enabling the use of special functions
• Analysis (pseudonymized) of user behavior in order to optimize our website
• Increase of the attractiveness as well as the user comfort of our website
• Improvement and design of our offer according to the needs of our customers

The use of cookies and local storage techniques that are not necessary is carried out in the context of so-called usage profiles. You will be assigned a pseudonym under which the usage data will be stored. Your IP address is stored exclusively in shortened form, so that a personal assignment of the usage profile is no longer possible.

If we use cookies or local storage, especially for purposes of (re)marketing or the implementation of (social media) plug-ins, we base this use on your voluntary consent to such data processing and require your consent in this respect. Regarding the individual plug-ins or tracking tools, we refer to the following detailed explanations.

Most of the cookies we use are deleted from your computer after you close the browser (session cookies). Other types of cookies may remain on your computer and allow us to recognize your computer by means of the created usage profile the next time you visit our site (persistent cookies).

You can choose which cookies are set through our cookie banner, which appears at the beginning of your visit to our website. For the cookie banner, we use the service CookieHub provided by CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland. By using this service, personal data may be transmitted to the service provider. The legal basis for data processing in this regard is art. 6 para. 1 p. 1 lit. f) GDPR, whereby our legitimate interest lies in the provision of a functional, modern website that complies with legal requirements. We delete the data as soon as the purpose of its collection has been fulfilled. For further information, please refer to the privacy policy and cookie statement of CookieHub, which can be accessed via the following link: https://www.cookiehub.com/legal/privacy-policy.

Cookies and local storage techniques are used on our site exclusively by us and not by third parties, except for third-party cookies and local storage techniques, which are explicitly mentioned in this privacy policy.

You can indicate your consent by acknowledging our cookie banner when you visit our website. Once you have given your consent, you can revoke it at any time with effect for the future.

We use the following cookies:

(cookie: purpose, storage period)
.8com.de: Necessary cookiehub, 365 days
.linkedin.com: Analytics  UserMatchHistory, 30 days
.ads.linkedin.com: Analytics  Language Session session
.www.linkedin.com: Analytics  Bcookie, 730 days, 12 hours
.linkedin.com: Analytics lidc, 1 day
.linkedin.com: Analytics lang, session
.linkedin.com: Analytics bscookie, 730 days, 12 hours
.linkedin.com: Analytics AnalyticsSyncHistory, 30 days
.linkedin.com: Analytics li_gc, 728 days, 4 hours
.8com.de: Analytics  Google  _gcl_au, 90 days
.8com.de: Analytics  Google  _gcl_au, 1 hour
.8com.de: Analytics  Google  _ga, 730 days
.8com.de: Analytics  Google  _gid, 1 day
.8com.de: Analytics  Google  _gat_UA-90742582-1, 1 hour
.8com.de: Analytics Userlike uslk_umm_1661_s, 1 day, 6 hours
www.8com.de: Marketing Userlike uslk_umm_1661_s, 365 days
.doubleclick.net: Marketing test_cookie, 1 hour

We use local storage for the following services:
(Service: Purpose)
Webflow: Creation and maintenance of the website
Userlike: Provision of the chat feature

6.5. Web analytics and marketing

We use the following services for the purpose of web analytics and retargeting.

Within the scope of web analytics, cookies may be used on various pages. These are text files that are placed on your computer and, among other things, enable a smooth experience when visiting our website.

The use of cookies takes place in the context of so-called usage profiles. You will be assigned a pseudonym under which the usage data will be stored.

6.6. Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies.

We rely on your consent to the collection of data in the context of the use of cookies. If you do not consent to the use of data when you first visit our website, we will not collect your user behavior and other personal data that may be collected during your visit to the website and will therefore not use this information for the purpose of user analytics and subsequent remarketing activities. This also applies to third-party cookies such as the Google Analytics plug-in.

If you consent to the processing of your data in the opt-in procedure (confirmation of the cookie banner), the lawfulness of the processing of your data is based on consent in accordance with art. 6 para. 1 p. 1 lit. a) GDPR, which means that we use your data to the extent of the consent you have given for the purposes of marketing and evaluating your user behavior.

The information generated by the cookie about your use of this website is usually transmitted to a Google LLC server in the USA and stored there. If applicable, information about the use of this website and your IP address will be transmitted to a Google server in the USA and stored on this server. The data transfer is permissible based on your consent in accordance with art. 49 para. 1 p. 1 lit. a) GDPR. If IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google unless you have configured the web and app activity settings in a Google account to allow Google to merge it.

For more information on terms of use and privacy, please visit https://marketingplatform.google.com/about/analytics/terms/de/ or https://policies.google.com/?hl=de&gl=de.

On our website, Google Analytics has been extended by the code "anonymizeIp" in order to be able to record IP addresses anonymously (so-called IP masking).
You can also prevent data collection by Google Analytics by clicking on the following link. This will set an opt-out cookie that will prevent your data from being collected when you visit this website in the future:

Please note that if you delete your cookies, the opt-out cookie will also be deleted and may need to be reactivated by you.

6.7. Google Tag Manager

We use Google Tag Manager on our website. The service allows us to manage tags added to our website in one interface. No cookies are used, nor are any personal data collected. Google Tag Manager triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. Any deactivation at the domain or cookie level remains in effect for all tracking tags implemented with Google Tag Manager.

Data processing and disclosure are based on your consents according to art. 6 para. 1 p. 1 lit. a) GDPR or art. 49 para. 1 lit. a) GDPR.
For further information on data processing in connection with Google services, please refer to the explanations under “Google Analytics”.

6.8. Google Ads

This website uses Google Ads. This is a service of Google Ireland Limited for the integration of advertisements, and cookies are used on our website for this purpose. These cookies collect personal data relating to you (e.g. your IP address), which, among other things, enable us to evaluate your user behavior on our website. Based on this data, you will be shown targeted advertising on other websites and in your Google searches.

The data processing and disclosure are based on your consent according to art. 6 para. 1 p. 1 lit. a) GDPR or art. 49 para. 1 lit. a) GDPR.

For further information on data processing in connection with Google services, please refer to the explanations under "Google Analytics".

6.9. LinkedIn Insight Tag

The website uses the analysis and tracking tool of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

It enables the collection of data from visitors to our website, such as IP address, browser, timestamp and pages viewed. Collected data is encrypted and anonymized within seven days. Anonymized data is deleted after 90 days. LinkedIn does not transmit any personal data to us. Only a summarized report on the website target group and ad performance is provided.

Furthermore, there is the possibility of retargeting website visitors. We can use this data to place targeted advertisements outside of our own website without identifying the individual website visitor.  

We process the data based on your consent declared in the cookie banner when you visit the website in accordance with art. 6 para. 1 p. 1 lit. a) GDPR. The transfer of data to the USA is permitted based on your consent in accordance with art. 49 para. 1 p. 1 lit. a) GDPR.

LinkedIn members can control the use of their personal data for advertising purposes in their account settings.

More information on data protection on LinkedIn can be found in LinkedIn's privacy policy at https://de.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

6.10. Social Plug-ins

Some of our websites include social plug-ins, which are, however, deactivated in the default setting for privacy reasons. If a user calls up our website, no data is therefore transmitted to any social media services (e.g. YouTube). Profiling by third parties is thus excluded.

Your consent in the cookie banner to the use of social plug-ins activates these services. If a social plug-in is activated, certain data is transmitted to the respective social network, e.g. the user's IP address, information about the browser and operating system used, the accessed website, and the date and time. During this communication, data is also uploaded from a server of the social media provider to our website.

The respective provider of the social plug-in receives information about which websites you visit. This may happen regardless of whether you are currently logged in to the provider of the social plug-in or not. The provider may also process this data outside the European Union and may be able to create individualized user profiles. Insofar as necessary, we obtain your consent for this. We have no influence on the type, scope and purpose of data processing by the providers of the respective social media services.

In the context of the use of social plug-ins, a contract on joint responsibility as defined by art. 26 of the GDPR has been concluded between us and the respective plug-in providers. For further information, please refer to the respective section on the individual social plug-in.

YouTube: Plug-ins from the social network YouTube are used on our website. The operator of YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube").

When using plug-ins, we rely on your consent to data collection. If you do not consent to the use of your data when you first visit our website, the YouTube plug-in will not be activated, so that no data is transmitted even if you accidentally interact with a YouTube plug-in.

If you consent to the processing of your data by the "YouTube" plug-in as part of the opt-in procedure, the lawfulness of the processing of your data is based on consent in accordance with art. 6 para. 1 p. 1 lit. a) GDPR, meaning we will use your data to the extent of the consent you have given for the purposes of linking to YouTube.

If you are on one of our website pages that contains such a plug-in, your browser only establishes a direct connection with the YouTube servers when the user activates the relevant button by clicking on it ("extended data protection mode"). The content of the plug-in is then transmitted by YouTube to your browser and integrated into the website by it. By activating the plug-in, YouTube receives the information that you have accessed the corresponding page of our website. Content is then transmitted from YouTube to your browser and included on the page. YouTube thereby receives notice that you are on the corresponding page of our website. This happens even if you do not have a profile on YouTube or are not logged in. Personal data (including your IP address) is then automatically forwarded to a YouTube server located in the USA and saved.

A direct allocation on the part of YouTube only takes place if you are logged in to YouTube. A corresponding interaction takes place even if you actively press the corresponding button. The consequence is a publication on your YouTube account and the display in your contacts. For further details on how YouTube handles your personal data, please refer to the following page: https://policies.google.com/privacy?hl=de&gl=de

The transfer of data to the USA is permissible based on your consent in accordance with art. 49 para. 1 p. 1 lit. a) GDPR.

In the context of the use of social plug-ins, a joint responsibility agreement as defined by art. 26 of the GDPR has been concluded between us and YouTube.

6.11. jQuery

The website uses the jQuery Javascript library. We load this library via the CDN (content delivery network) of Amazon Web Services Germany GmbH, Domagkstraße 28, 80807 Munich, Germany, with its parent company located in the USA, unless the library has already been loaded as a result of visiting another page and your browser can therefore access the cached copy. If your browser downloads the Library, the IP address and the page from which the request is made, among other things, are transmitted from your browser to Amazon Web Services. We use the service to increase the loading speed and improve the user experience of our site.

Data transfer is based on your consent given in the cookie banner according to art. 49 para. 1 p. 1 lit. a) GDPR or art. 49 para. 1 lit. a) GDPR.

6.12. Inxmail

This website uses Inxmail for sending newsletters, web session registration and service requests. The provider is Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany.

Inxmail is a service with which, among other things, the sending of newsletters can be organized and analyzed. The data entered by you to subscribe to the newsletter is stored on Inxmail's servers. Inxmail makes it possible to subdivide the newsletter recipients based on various categories (so-called tagging) and to track whether the newsletter has been opened. The newsletter recipients can, for example, be subdivided according to gender or customer relationship (e.g. customer or potential interested party). This data processing is based on your consent (art. 6 para. 1 p. 1 lit. a GDPR). You can revoke this consent at any time. The legality of already performed data processing operations remains unaffected by the revocation.

The data you provide when subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and then deleted from our servers as well as from the servers of Inxmail. For more details, please refer to the data protection provisions of Inxmail at https://www.inxmail.de/datenschutz. We have concluded a data processing agreement with Inxmail, in which we oblige Inxmail to protect the data of our newsletter recipients and not to pass it on to third parties.

6.13. Webflow

We use services of Webflow Inc., 398 11th St., San Francisco, USA, to create our website and to provide the various integrated services. In doing so, we process your personal data, e.g. your IP address, your browser, your searches.  Data processing is based on our legitimate interest in using a modern service to create and provide our web presence, art. 6 para. 1 p. 1 lit. f) GDPR.

A data processing agreement was concluded between us and Webflow in accordance with art. 28 (3) of the GDPR. Part of this contract was the conclusion of standard contractual clauses according to art. 46 para. 2 lit. c) GDPR to ensure the highest possible protection for your personal data.

Details of the service provider's data protection practices can be found by following the link below:

https://www.webflow.com/legal/eu-privacy-policy

6.14. Streaming server

For our live video transmission, we use the streaming server service of Hanseatic Bits UG & Co. KG, Zeissstraße 1, 49733 Haren (Ems), Germany. The data processing is based on our legitimate interest of being able to offer you our video transmission properly and reliably when you access it, art. 6 para. 1 p. 1 lit. f) GDPR.

An data processing agreement has been concluded between us and the service provider in accordance with art. 28 (3) of the GDPR.

6.15. Kununu

We use the Kununu seal on our website. In this context, personal data relating to you (e.g. your IP address) is transmitted to Kununu, a service of XING kununu Prescreen GmbH, Schottenring 2-6, 1010 Vienna, Austria, in order to properly display the seal. The data processing is thereby based on art. 6 para. 1 p. 1 lit. f) GDPR, whereby our legitimate interest lies in the proper display of employee satisfaction by means of a traceable system.

Details on the data protection practice of Kununu can be found in the following link:

https://www.privacy.xing.com/de/datenschutzerklaerung

7. Storage and deletion periods

We process your data only as long as this is necessary for the purpose for which it was collected. In principle, this amounts to the duration of our business relationship. This includes the initiation and execution of contracts.

In addition, we are subject to various statutory retention and documentation obligations, such as those arising from the German Commercial Code (HGB) or the German Fiscal Code (AO). These can range from two to ten years. In particular, we keep accounting documents (invoices, contract documents, account statements, etc.) for ten years and commercial letters and other business documents relevant under tax law for six years (§§ 147 AO, 257 HGB).

Finally, the storage period is also governed by the statutory limitation periods, which according to Sections 195 et seq. of the German Civil Code (BGB) are generally three years, but in certain cases can be up to thirty years.

Lastly, we store your data for a short period of time to ensure effective data erasure. Our systems process a large amount of data every day. Unfortunately, it is not possible to reliably delete individual data to the exact day. Therefore, data is deleted on a rotational basis as part of a special deletion concept, considering the above-mentioned deadlines. In the process, your data may be stored by us for a short time beyond the above-mentioned periods. This storage is based on our legitimate interest in the effective and efficient execution of a data deletion.

8. Data transfer

We disclose your personal data within our company exclusively to those areas and persons who need it to fulfill contractual and legal obligations or to protect our legitimate interests. We may transfer your personal data to companies affiliated with us, insofar as this is permissible within the framework of the purposes and legal bases set out in section 5 of this data protection information. In some cases, your personal data will also be processed by service providers engaged by us. In these cases, data is usually transferred by us based on order processing contracts in accordance with art. 28 of the GDPR. In this way, we ensure that the processing of personal data by our service providers is always in compliance with the provisions of the GDPR. The categories of recipients in this case are tax advisors, auditors, lawyers, banking institutions and providers of customer management systems and software.

Otherwise, your data will only be transferred to recipients outside our company if this is permitted or required by law, if the transfer is necessary for the fulfillment or execution of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or if we are authorized to provide information. Under these conditions, we may transfer your data to the following recipients:

• Public bodies and institutions (e.g. public prosecutor's office, police, supervisory authorities, tax office) in the event of a statutory or official obligation
• JustOn GmbH, Mälzerstraße 3, 07745 Jena
• Datev eG, Paumgartenstraße 6-14. 90429 Nürnberg

If an audit is to be carried out based on existing contracts with your company, your data may be transferred to companies commissioned to carry out the audit.

We also cooperate with the following companies:

• Userlike UG, Probsteigasse 44-46, 50670 Cologne, Germany
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
• Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA
• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
• Amazon Web Services Germany GmbH, Domagkstraße 28, 80807 Munich, Germany
• Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany
• Webflow Inc, 398 11th St., San Francisco, USA
• Hanseatic Bits UG & Co. KG, Zeissstraße 1, 49733 Haren (Ems), Germany
• XING kununu Prescreen GmbH, Schottenring 2-6, 1010 Vienna, Austria
• CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland
• Salesforce Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, CA 94105, USA (from May 2023)

Furthermore, service providers can, for example, be entrusted with the tasks regarding the following areas:

• IT maintenance
• IT development
• IT deployment
• Lawyers

As far as necessary, we will pass on your personal payment data to a credit institution entrusted with the payment processing (SEPA direct debit or receipt).
The data transfer always takes place based on a legal standard or an appropriate contract in accordance with art. 26 or 28 GDPR, which ensures compliance with all data protection requirements. This does not apply if the data processing is carried out under separate responsibility.

Otherwise, data is only passed on in the cases provided for by law, for example in the case of a legal obligation to provide information to law enforcement authorities. In these cases, the data transfer is legitimized according to art. 6 para. 1 p. 1 lit. c) GDPR.

9. Data transfer to third countries

We share your personal data on a limited basis with companies whose headquarters are not located within the European Union.

This is done only in accordance with the legally provided permissible circumstances of art. 44 et seq. GDPR, for example on the basis of an adequacy decision ( art. 45 GDPR), appropriate guarantees (art. 45 GDPR) such as the conclusion of indispensable standard contractual clauses or consent given in advance. A transfer of data to the United States of America cannot be excluded whenever our processors or their sub-processors are US companies or belong to a US group and are obliged to hand over the data by US security authorities.

If personal data is transferred to a third country, we comply with the requirements of data protection law in that the data transfer is based on standard contractual clauses or we obtain your consent to this in accordance with art. 49 para. 1 sentence 1 lit. a) GDPR.

Data is transferred, for example, in connection with the use of analytics and social media services. Due to the use of these services, data is transmitted to the United States of America.

The data transfer will only take place if you give us your consent.

Due to the data transfer, there is a risk for your personal data. In the United States of America, there is no level of data protection comparable to EU law (GDPR) and / or national regulations (e.g. BDSG) or sufficient guarantees to ensure that an adequate level of data protection is maintained. Any deficits cannot, moreover, be compensated for by other specific guarantees due to the US legal situation. Nevertheless, depending on the service, standard contractual clauses are used in some cases to achieve the greatest possible protection for your data. You can find out whether standard contractual clauses are used in the explanations for the respective services.

You can revoke your consent at any time with effect for the future. The revocation has no influence on the lawfulness of the processing until the time of the revocation.

Recipients of the data you provide are the following companies:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (headquarters in the USA)
• Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA
• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (Group headquarters in the USA)
• Amazon Web Services Germany GmbH, Domagkstraße 28, 80807 Munich, Germany (group headquarters in the USA)
• Webflow Inc, 398 11th St., San Francisco, USA
• CookieHub ehf, Hafnargata 18, 230 Reykjanesbær, Iceland
• Salesforce Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, CA 94105, USA (as of May 2023)


9.1. Salesforce

The possibility of access to your data by American security authorities exists due to the software we use provided by the company Salesforce Inc., 415 Mission Street, 3rd Floor, San Francisco, CA 94105. There is a possibility that Salesforce Inc. will be obliged by US security authorities to hand over the data and that it will be processed in the USA. Please note that your data is generally processed exclusively in Salesforce data centers in Frankfurt am Main and Paris and that access by US authorities is an exceptional case. Due to the possible data transfer, there is a risk to your personal data. In the USA, there is currently no level of data protection comparable to EU law (GDPR) and / or national regulations (e.g. BDSG) or sufficient guarantees to ensure that an adequate level of data protection is maintained. Any deficits cannot, moreover, be compensated for by other specific guarantees due to the U.S. legal situation. Nevertheless, binding internal data protection rules (Binding Corporate Rules, or BCR) within the meaning of art. 46 (2) (b), art. 47 GDPR and standard contractual clauses (SCC) within the meaning of art. 46 (2) (c) GDPR are used to achieve the greatest possible protection for your data.

Salesforce states that it transfers data within the Group based on binding internal data protection regulations within the meaning of art. 46 (2) b) in conjunction with art. 47 GDPR. For data transfers from Salesforce to third party processors, Salesforce makes use of the standard contractual clauses to ensure a level of protection of personal data that is adequate to the European level. For more details, please visit the following link:

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-transfer-mechanisms-FAQ.pdf

A list of sub-processors used by Salesforce can be found in section 6 here:

https://www.salesforce.com/company/privacy/full_privacy/

Your personal data will be transferred by us to Salesforce based on a data processing agreement as defined in art. 28 (3) of the GDPR.

You can find more detailed data protection information regarding the use of Salesforce at https://www.salesforce.com/de/company/privacy/ and https://www.salesforce.com/.company/privacy/full_privacy/.

Furthermore, the cross-border data transfer may be based on your consent according to art. 49 para. 1 p. 1 lit. a) GDPR.

The data transfer only takes place if you give us your consent. You can revoke your consent at any time with effect for the future. The revocation has no influence on the lawfulness of the processing until the time of revocation.

If data is transferred to a third country on the basis of consent without an adequacy decision or other suitable guarantees being in place at the same time, the associated increased risk of data processing in the context of the transfer must be pointed out on the basis of art. 49 (1) p. 1 lit. a) GDPR. However, we would like to assure you that thanks to careful selection and constant review of the standards of our contractual partners, potential risks are successfully minimized. You can find more details on this above under "Cross-border data transfer" (art. 49 para. 1 p. 1 lit. a) GDPR).

10. Rights of data subjects

You have the right to information about the processing of your personal data carried out by us according to art. 15 GDPR, the right to correction or deletion of your data according to art. 17 GDPR, the right to restriction of processing, according to art. 18 GDPR, the right to notification according to art. 19 GDPR and the right to data portability according to art. 20 GDPR.

If we process your personal data based on your consent in accordance with art. 6 para. 1 p. 1 lit. a) GDPR, you have the right to revoke this at any time in accordance with art. 7 GDPR. We would like to point out that a revocation is only effective for the future. Processing that took place before your revocation is not affected by your revocation and remains lawful. Please note that despite your revocation, we are legally obliged to retain and document certain data (see section 7 of this privacy information).

10.1. Right to object to direct advertising

In individual cases, we process personal data to conduct direct advertising. In this case, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising (art. 21 GDPR).

If you object to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

To exercise your rights, it is sufficient to send a letter in text form to the above address or by e-mail to dsb@8com.de.

11. Right of appeal

You have the right to appeal to the competent data supervisory authority.

In Rhineland-Palatinate, the competent supervisory authority is:

The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate
P.O. Box 30 40
55116 Mainz
Phone: +49 (0) 6131 8920-0
Mail: poststelle@datenschutz.rlp.de

More information is also available at the following link:

https://www.datenschutz.rlp.de/de/startseite/

However, you can of course also contact us directly if you are dissatisfied or have questions about data protection. The quickest way to reach our internal contact person about data protection is to use the contact details listed above.

12. Necessity of providing personal data

As a rule, the provision of personal data for the purpose of establishing, implementing or fulfilling a contract or for the performance of pre-contractual measures is not required by law or contract. You are therefore not obliged to provide personal data. Please note, however, that these are usually required for the decision on the conclusion of a contract, the performance of the contract or for pre-contractual measures.

If you do not provide us with personal data, we may not be able to make a decision within the scope of contractual measures. We recommend that you only provide personal data that is required for the conclusion of the contract, the fulfillment of the contract or for pre-contractual measures.

13. Automated decision-making

As a matter of principle, we do not use any processes that involve fully automated decision-making in accordance with art. 22 of the GDPR. If we do use such procedures in individual cases, we will inform you separately and obtain your consent if this is required by law.

14. Contact

If you have any questions regarding the processing of your personal data, we are at your disposal at any time. Please send them to the above address.

15. Applicability and modification of this privacy information

This data protection information is currently valid and was updated in April 2023.

We reserve the right to update this privacy information as necessary to adapt it to legal and technical developments or in connection with the offer of new services or products. If we change our privacy policy, we will post those changes directly to this statement on our homepage and other places we deem appropriate. We reserve the right to change this privacy policy at any time.