Development and Cooperation

Privacy policy

Preamble 

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to simply as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites and within external online presences, such as our social media profiles (collectively referred to as the “online offering”). 

The terms used are not gender-specific. 

Status: November 2025 

 

Table of contents 

  • Preamble
  • Controller
  • Contact for data protection officer
  • Overview of processing activities
  • Relevant legal bases
  • Security measures
  • Disclosure of personal data
  • International data transfers
  • General information on data storage and deletion
  • Rights of data subjects
  • Provision of the online offering and web hosting
  • Use of cookies
  • Contact and inquiry management
  • Communication via messenger
  • Newsletter and electronic notifications
  • Web analytics, monitoring and optimization
  • Online marketing
  • Presences on social networks (social media)
  • Plug-ins and embedded functions and content
  • Changes and updates
  • Definitions
  • Amendments 

 

Controller 

Fazit Communication GmbH, Pariser Str. 1, 60486 Frankfurt am Main, Germany 

Email address: datenschutz@fazit.de 

Legal notice: https://dandc.eu/de/impressum 

 

 

Contact for data protection officer 

datenschutz@fazit.de 

 

Overview of processing activities 

The following overview summarizes the types of data processed, the purposes of their processing, and refers to the data subjects concerned. 

 

Types of data processed 

  • Inventory data
  • Location data
  • Contact data
  • Content data
  • Usage data
  • Meta-, communication and procedural data
  • Contact information (Facebook)
  • Event data (Facebook)
  • Log data 

 

Categories of data subjects 

  • Communication partners
  • Users 

 

Purposes of processing 

  • Communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Tracking
  • Conversion measurement
  • Click tracking
  • Audience building
  • Organizational and administrative procedures
  • Firewall
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offering and user-friendliness
  • Information technology infrastructure
  • Public relations and informational purposes
  • Public relations 

 

Relevant legal bases 

Relevant legal bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the GDPR regulations, national data protection requirements may apply in your or our country of residence or registered office. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy. 

- Consent (Art. 6(1) sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes. 

- Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for pre-contractual measures taken at the data subject’s request. 

- Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. 

 

National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling. State data protection laws of the individual federal states may also apply. 

 

Relevant legal bases under the Swiss Data Protection Act: If you are in Switzerland, we process your data on the basis of the Federal Act on Data Protection (“Swiss FADP”). Unlike the GDPR, the Swiss FADP generally does not require legal bases to be explicitly stated for processing personal data; processing must be carried out in good faith, be lawful and proportionate (Art. 6(1) and (2) Swiss FADP). Moreover, we collect personal data only for a specific purpose recognizable to the data subject and process it only in a manner compatible with that purpose (Art. 6(3) Swiss FADP). 

 

Note on the applicability of the GDPR and Swiss FADP: These data protection notices serve to provide information under both the Swiss FADP and the GDPR. For broader territorial applicability and clarity, we use GDPR terminology. In particular, instead of the Swiss FADP terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data,” we use the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data.” The legal meaning of the terms remains determined by Swiss law where the Swiss FADP applies. 

 

Security measures 

In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. 

Measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to data, as well as the access to, input and transmission of data, ensuring its availability, and keeping data separated. We have also implemented procedures to ensure the exercise of data subjects’ rights, deletion of data, and responses to data threats. Furthermore, we take data protection into account in the development or selection of hardware, software and processes in accordance with the principle of data protection by design and by default. 

 

IP address truncation: If IP addresses are processed by us or by the service providers and technologies we use, and processing of a full IP address is not required, the IP address will be truncated (also known as “IP masking”). The last two digits, or the last segment of the IP address after a dot, are removed or replaced by placeholders. Truncating the IP address is intended to prevent or substantially hinder the identification of a person based on their IP address. 

 

Securing online connections via TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by HTTPS in the URL, signaling to users that their data is transmitted securely and encrypted. 

 

Disclosure of personal data 

In the course of processing personal data, it may be disclosed to or transmitted to other locations, companies, legally independent organizational units, or persons. Recipients may include, for example, service providers tasked with IT services or providers of services and content integrated into a website. In such cases, we observe legal requirements and, in particular, conclude appropriate contracts or agreements with recipients to protect your data. 

 

Data transfers within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to such data. This data sharing is based on our legitimate business and economic interests. These include, for example, improving business processes, ensuring efficient and effective internal communication, optimal use of our human and technological resources, and enabling informed business decisions. In certain cases, data sharing may also be necessary to fulfill our contractual obligations, or may be based on the consent of the data subjects or a legal permission. 

 

Data transfers within the organization: We may transfer personal data to other departments or units within our organization or grant them access to such data. If data is shared for administrative purposes, it is based on our legitimate business and economic interests, or occurs if necessary to fulfill our contractual obligations, or where consent of the data subjects or a legal permission exists. 

 

International data transfers 

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the course of using third-party services or disclosing/transferring data to other persons, bodies or companies (which is evident based on the provider’s postal address or when the privacy policy expressly refers to transfers to third countries), this is always done in compliance with legal requirements. 
 

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), recognized by the European Commission on 10 July 2023 via an adequacy decision as a secure legal framework. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers, which comply with the European Commission’s requirements and set contractual obligations to protect your data. 

 
This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary layer of protection, while the SCCs serve as an additional safety net. Should changes occur within the DPF, the SCCs act as a reliable fallback option. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes. 
For individual service providers, we inform you whether they are certified under the DPF and whether SCCs are in place. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). 

 
For data transfers to other third countries, corresponding safeguards apply, in particular SCCs, explicit consents, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the European Commission’s information offering: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. 

General information on data storage and deletion 

 
We delete personal data we process in accordance with statutory provisions as soon as the underlying consent is revoked or no further legal basis for processing exists. This applies, for example, where the original purpose of processing ceases to apply or the data is no longer needed. Exceptions exist where statutory obligations or particular interests require longer retention or archiving. 

 
In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons must be duly archived. 

 
Our data protection notices contain additional information on retention and deletion of data specifically applicable to certain processing operations. 

 
Where multiple retention periods or deletion deadlines are specified for a data item, the longest period is decisive. 

 
If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the effective date of termination or other end of the legal relationship. 

 
Data retained not for the original purpose but due to legal requirements or other reasons is processed exclusively for the reasons justifying its retention. 

Further notes on processing operations, procedures and services: 

 
Retention and deletion of data: The following general periods apply to retention and archiving under German law: 

  • 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as work instructions and other organizational documents required to understand them (§ 147(1) no. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) no. 1 in conjunction with (4) HGB).
  • 8 years – accounting vouchers, such as invoices and cost receipts (§ 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO and § 257(1) no. 4 in conjunction with (4) HGB).
  • 6 years – other business documents: received commercial or business letters, copies of dispatched commercial or business letters, other documents relevant for taxation, e.g., timesheets, cost accounting sheets, calculation documents, price labels, as well as payroll documents where not already accounting vouchers and till receipts (§ 147(1) nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) nos. 2 and 3 in conjunction with (4) HGB).
  • 3 years – data required to consider potential warranty and damage claims or similar contractual claims and rights, and to handle related inquiries, based on prior business experience and common industry practice, are stored for the regular statutory limitation period of three years (§§ 195, 199 BGB). 

Retention and deletion of data: The following general periods apply under Swiss law: 

  • 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices as well as all required work instructions and other organizational documents (Art. 958f Swiss Code of Obligations (CO)).
  • 10 years – data needed to consider potential damage claims or similar contractual claims and rights, and for handling related inquiries, based on prior business experience and common industry practices, is stored for the statutory limitation period of ten years, unless a shorter period of five years applies in specific cases (Art. 127, 130 CO). After five years, claims lapse for rent, lease and capital interest and other periodic payments, delivery of food, meals and innkeepers’ debts, as well as for artisan work, small sales of goods, medical services, professional work of lawyers, legal agents, procurators and notaries, and from employment relationships of workers (Art. 128 CO). 

Rights of data subjects 

 
Rights of data subjects under the GDPR: As data subjects, you have various rights under the GDPR, particularly arising from Art. 15 to 21 GDPR: 

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1) lit. e or f GDPR; this also applies to profiling based on these provisions. Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with legal requirements, to have incomplete data concerning you completed or inaccurate data rectified.
  • Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request the immediate erasure of data concerning you or, alternatively, restriction of processing in accordance with legal requirements.
  • Right to data portability: You have the right, in accordance with legal requirements, to receive data concerning you which you have provided to us in a structured, commonly used and machine-readable format or to have it transmitted to another controller.
  • Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, workplace, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. 

Rights of data subjects under the Swiss FADP: 
As a data subject under the Swiss FADP, you have the following rights: 

  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive information necessary to exercise your rights under the law and ensure transparent data processing.
  • Right to data release or transmission: You have the right to request the release of your personal data that you have provided to us in a common electronic format.
  • Right to rectification: You have the right to request correction of inaccurate personal data concerning you.
  • Right to object, deletion and destruction: You have the right to object to the processing of your data, and to request that personal data concerning you be deleted or destroyed. 

Provision of the online offering and web hosting 

 
We process users’ data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to users’ browsers or devices. 

  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons). Log data (e.g., log files regarding logins or data retrieval or access times). Content data (e.g., textual or visual messages and posts and related information such as author details or creation time).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures. Firewall.
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.”
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Further notes on processing operations, procedures and services: 

  • Provision of online offering on rented storage space: To provide our online offering, we use storage space, computing power and software that we rent or otherwise obtain from a server provider (“web host”); legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of “server log files.” Server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, data volumes transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (previous page visited), and typically IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and also to safeguard server utilization and stability; legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident is finally clarified. 

Service provider for online offering and web hosting 

 
blackpoint: Services in the area of provision of information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: blackpoint GmbH, Friedberger Str. 106 b, 61118 Bad Vilbel; Website: https://www.blackpoint.de/. Privacy policy: https://www.blackpoint.de/datenschutz. 

Use of cookies 

 
“Cookies” are functions that store information on users’ devices and read information from them. Cookies can be used for various purposes, such as ensuring functionality, security and convenience of online offerings, and compiling analyses of visitor flows. We use cookies in accordance with statutory requirements. Where necessary, we obtain users’ consent in advance. Where consent is not necessary, we rely on our legitimate interests. This applies when storing and reading information is essential to provide expressly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of consent and which cookies are used. 

 
Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is provided, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained above in this section and in the context of the respective services and procedures. 
 

Storage duration: Regarding storage duration, the following types of cookies are distinguished: 

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be stored and preferred content displayed directly when the user revisits a website. Similarly, usage data collected via cookies can be used for reach measurement. If we do not provide users with explicit information on the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these are permanent and the storage duration can be up to two years. 

 
General notes on withdrawal and objection (opt-out): Users can revoke consents they have given at any time and also declare an objection to processing in accordance with legal requirements, including via the privacy settings in their browser. 
 

  • Types of data processed: Meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Consent (Art. 6(1) sentence 1 lit. a GDPR). 

Further notes on processing operations, procedures and services: 

 
Processing of cookie data based on consent: We use a consent management solution through which users’ consent to the use of cookies or to the procedures and providers mentioned in the consent management solution is obtained. This procedure serves to obtain, record, manage and revoke consents, especially related to the use of cookies and comparable technologies used to store, read and process information on users’ devices. As part of this procedure, users’ consents for the use of cookies and the associated processing of information, including specific processing and providers named in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. Declarations of consent are stored to avoid repeated queries and to provide proof of consent as required by law. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign consent to a specific user or their device. If there are no specific details about providers of consent management services, the following general notes apply: The storage duration of consent is up to two years. A pseudonymous user identifier is created and stored together with the time of consent, the scope of consent (e.g., categories of cookies and/or service providers concerned), and information about the browser, system and device used; legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). 

Service provider for consent management 

Usercentrics: Consent management: Procedure for obtaining, recording, managing and revoking consents, in particular for the use of cookies and similar technologies for storing, reading and processing information on users’ devices and their processing; Service provider: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany; Website: https://usercentrics.com/de/. Privacy policy: https://usercentrics.com/de/datenschutzerklaerung/. 

Contact and inquiry management 
When contacting us (e.g., by post, contact form, email, phone or via social media) and in the context of existing user and business relationships, we process the information of the persons making contact to the extent necessary to respond to contact requests and any requested measures. 

  • Types of data processed: Inventory data (e.g., full name, contact information, customer number, etc.); contact data (e.g., email addresses or phone numbers); content data (e.g., textual or visual messages and posts and related information, such as author details or creation time); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.”
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR). 

Further notes on processing operations, procedures and services: 

  • Contact form: When contacting us via our contact form, email or other channels, we process the personal data transmitted to us to respond to and handle the specific request. This typically includes information such as name, contact details and, where applicable, other information shared with us and required for adequate handling. We use this data solely for the specified purpose of contact and communication; legal bases: Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Communication via messenger 

 
We use messengers for communication purposes and therefore ask you to note the following information on how messengers work, encryption, the use of communication metadata and your options to object. 

 
You can also contact us via alternative means, e.g., by phone or email. Please use the contact options provided to you or those specified within our online offering. 

 
Where content is end-to-end encrypted, the communication content (i.e., the content of your messages and attachments, such as attached images) is protected by that encryption. This means that the content of messages is not visible, not even to the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of message content. 
We also inform our communication partners that while messenger providers cannot view the content, they may learn that communication partners communicate with us and when they do so, and that technical information about the device used by communication partners and, depending on device settings, location information (so-called metadata) may be processed. 

 
Notes on legal bases: If we ask communication partners for permission before communicating via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not request consent and they contact us on their own initiative, we use messengers in relation to our contracting partners and within the framework of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and meeting the communication needs of our partners. We further point out that we do not transmit contact data shared with us to messengers for the first time without your consent. 

 
Withdrawal, objection and deletion: You can withdraw consent at any time and object to communication with us via messenger at any time. For communication via messenger, we delete messages according to our general deletion policies (i.e., for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that any queries from communication partners have been answered, no reference to a previous conversation is to be expected, and no statutory retention requirements prevent deletion. 

 
Reservation of referring to other communication channels: To ensure your security, please understand that we may not be able to answer inquiries via messenger for certain reasons. This concerns situations where, for example, contract details must be treated particularly confidentially or a reply via messenger does not meet formal requirements. In these cases, we recommend using more suitable communication channels. 

  • Types of data processed: Contact data (e.g., email addresses or phone numbers); content data (e.g., textual or visual messages and posts and related information such as author details or creation time); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication. Direct marketing (e.g., via email).
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.”
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Further notes on processing operations, procedures and services: 

 
WhatsApp: Text messages, voice and video calls, sending images, videos and documents, end-to-end encryption for enhanced security; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.whatsapp.com/; Privacy policy: https://www.whatsapp.com/legal. Third-country transfer basis: Data Privacy Framework (DPF). 

Newsletter and electronic notifications 

 
We send newsletters, emails and other electronic notifications (hereinafter “newsletter”) only with recipients’ consent or based on a legal basis. If the contents of the newsletter are specified as part of the sign-up process, these contents are decisive for users’ consent. Normally, your email address is sufficient to subscribe to our newsletter. However, to provide you with a personalized service, we may ask for your name for personal salutation in the newsletter or for additional information if necessary for the purpose of the newsletter. 

 
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to prove the existence of prior consent. Processing of this data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided the previous existence of consent is confirmed at the same time. In case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist. 

 
Logging of the registration process is carried out based on our legitimate interests for the purpose of demonstrating its proper execution. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure mailing system. 

 
Contents: 
With our E+Z newsletter, news, in-depth analyses, good news and calls for proposals from the global development policy community land in your inbox twice a month. 

  • Types of data processed: Inventory data (e.g., full name, customer number, etc.); contact data (e.g., email address); meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email).
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR).
  • Opt-out option: You can cancel receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to cancel the newsletter can be found at the end of each newsletter, or you can use one of the contact options provided above, preferably email.
  • Further notes on processing operations, procedures and services: 
    Measurement of open and click rates: The newsletters contain a so-called “web beacon,” i.e., a one-pixel file, which is retrieved from our server or, if we use a mailing provider, from the provider’s server when the newsletter is opened. As part of this retrieval, technical information such as details about the browser and your system is collected, as well as your IP address and the time of retrieval. This information is used to technically improve our newsletter based on technical data or the target groups and their reading behavior based on retrieval locations (determinable using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. Evaluations serve to recognize our users’ reading habits and to adapt our content to them or to send different content according to users’ interests. Measuring open and click rates and storing measurement results in users’ profiles and their further processing are carried out based on users’ consent. A separate revocation of performance measurement is unfortunately not possible; in such cases the entire newsletter subscription must be canceled or objected to. In this case, stored profile information will be deleted; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). 

Provider for newsletters and electronic notifications 

Web analytics, monitoring and optimization 

 
Web analytics (also referred to as “reach measurement”) serves to evaluate visitor flows to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With reach measurement we can, for example, recognize at what times our online offering or its features or content are used most frequently or invite reuse. We can also determine which areas require optimization. 

 
In addition to web analytics, we may also use test procedures to test and optimize different versions of our online offering or its components. 

 
Unless otherwise stated below, for these purposes profiles (i.e., data compiled into a single usage process) may be created and information may be stored and then read in a browser or on a device. Data collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used and details of usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, location data may also be processed. 

 
Furthermore, users’ IP addresses are stored. However, we use IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. As a rule, no clear data of users (such as email addresses or names) is stored as part of web analytics, A/B testing and optimization; only pseudonyms are stored. This means that neither we nor the providers of the software used know the actual identity of users, but only the details stored in their profiles for the purposes of the respective procedures. 

 
Notes on legal bases: If we ask users for consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy. 
 

  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.” Storage of cookies up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Further notes on processing operations, procedures and services: 
 

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number contains no unique data such as names or email addresses. It serves to assign analytics information to a device, to recognize which content users have accessed within one or multiple usage sessions, which search terms they have used, whether they have accessed content again or interacted with our online offering. The time of use and duration are also stored, as well as the sources that refer users to our online offering and technical aspects of their devices and browsers. Pseudonymous profiles of users are created with information from usage across different devices, with cookies possibly used. Google Analytics does not log or store individual IP addresses for EU users. Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: city (and derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this geolocation derivation before being immediately deleted. It is not logged, not accessible, and not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded for processing to Analytics servers; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. 
    a GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, ad personalization settings: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (types of processing and processed data).
  • Google as recipient of consent: The consent granted by users in a consent dialog (also known as “cookie opt-in/consent,” “cookie banner,” etc.) serves multiple purposes. First, it enables us to fulfill our obligation to obtain consent to store and read information on and from users’ devices (under ePrivacy rules). Second, it covers the processing of users’ personal data in accordance with data protection requirements. In addition, this consent also applies to Google, as the company is required under the Digital Markets Act to obtain consent for personalized services. Therefore, we share the status of users’ consents with Google. Our consent management software informs Google whether consents have been granted or not. The aim is to ensure that users’ consents and withdrawals are taken into account when using Google Analytics and integrating functions and external services. This allows users’ consents and their withdrawal within Google Analytics and other Google services in our online offering to be dynamically adjusted depending on user choice; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy policy: https://policies.google.com/privacy.
  • Google Tag Manager: We use Google Tag Manager, a Google software that allows us to centrally manage website tags via a user interface. Tags are small code elements on our website that help record and analyze visitor activities. This technology supports us in improving our website and the content offered there. Google Tag Manager itself does not create user profiles, store cookies with user profiles or perform its own analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services we use on our website. Nevertheless, when using Google Tag Manager, users’ IP addresses are transmitted to Google, which is necessary for technical reasons to implement the services we use. Cookies may also be set. This data processing takes place only when services are integrated via Tag Manager. For more detailed information on these services and their data processing, see the relevant sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms). 

 

Online marketing 

 
We process personal data for online marketing purposes, which can include, in particular, marketing advertising space or displaying advertising and other content (collectively “content”) based on potential user interests and measuring their effectiveness. 

 
For these purposes, so-called user profiles are created and stored in a file (the “cookie”) or similar procedures are used to store the information relevant for displaying the aforementioned content to the user. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their location data, these can also be processed. 

 
Users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (e.g., email addresses or names) is stored as part of online marketing procedures; only pseudonyms are stored. This means that neither we nor the providers of online marketing procedures know users’ actual identities, but only the data stored in their profiles. 

 
The statements in the profiles are generally stored in cookies or similar procedures. These cookies can later be read across other websites that use the same online marketing procedure, analyzed for the purpose of displaying content and supplemented with other data and stored on the server of the online marketing provider. 

 
Exceptionally, clear data may be assigned to profiles, mainly if users are, for example, members of a social network whose online marketing procedure we use and the network associates user profiles with the aforementioned data. Please note that users may enter into additional agreements with providers, e.g., by consenting during registration. 

 
We generally only receive access to aggregated information about the success of our advertisements. However, we can check within the framework of so-called conversion measurement which of our online marketing procedures led to a conversion, i.e., for example to a contract conclusion with us. Conversion measurement is used solely to analyze the success of our marketing measures. 

 
Unless otherwise stated, please assume that cookies used are stored for a period of two years. 

Notes on legal bases: If we ask users for consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy. 

 
Notes on withdrawal and objection: 
We refer to the privacy notices of the respective providers and the opt-out options specified for the providers. If no explicit opt-out option is provided, you can disable cookies in your browser settings. However, this may restrict functions of our online offering. We therefore also recommend the following opt-out options, which are offered collectively for respective regions: 
a) Europe: https://www.youronlinechoices.eu 
b) Canada: https://www.youradchoices.ca/choices 
c) USA: https://www.aboutads.info/choices 
d) Cross-regional: https://optout.aboutads.info 

  • Types of data processed: Content data (e.g., textual or visual messages and posts and related information such as author details or creation time); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons); Event data (Facebook) (“Event data” are information sent to Meta via the Meta Pixel (be it via apps or other channels) and relate to persons or their actions. These data include details of website visits, interactions with content and functions, app installations and product purchases. The processing of event data aims to create audiences for content and advertising messages (Custom Audiences). It is important to note that event data do not include actual content such as written comments, login information, or contact information such as names, email addresses or phone numbers. “Event data” are deleted by Meta after a maximum of two years, and the audiences derived from them disappear when our Meta user accounts are deleted.); Contact information (Facebook) (“Contact information” are data that clearly identify data subjects, such as names, email addresses and phone numbers, which can be transmitted to Facebook, e.g., via the Facebook Pixel or via upload for matching purposes to build Custom Audiences. After matching for audience building, the contact information is deleted).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); audience building; marketing; profiles with user-related information (creating user profiles); provision of our online offering and user-friendliness. Click tracking. 
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.” Storage of cookies up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Further notes on processing operations, procedures and services: 

  • Meta Pixel and audience building (Custom Audiences): With the help of the Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Meta can determine visitors to our online offering as a target group for displaying ads (“Meta Ads”). Accordingly, we use the Meta Pixel to show our Meta Ads only to those users on Meta platforms and within the services of Meta’s partners (“Audience Network” https://www.facebook.com/audiencenetwork/) who have shown interest in our online offering or who exhibit features (e.g., interest in certain topics or products inferred from websites visited) that we transmit to Meta (“Custom Audiences”). With the help of the Meta Pixel, we also want to ensure that our Meta Ads correspond to users’ potential interests and do not appear intrusive. The Meta Pixel additionally allows us to track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (“conversion measurement”); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Event data of users, i.e., behavioral and interest information, are processed for targeted advertising and audience building based on the joint controllership agreement (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum). 
    Joint controllership is limited to collection and transmission of data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly concerns transmission of data to the parent company Meta Platforms, Inc. in the USA (based on SCCs concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Advanced matching for the Meta Pixel: In addition to processing event data in the context of using the Meta Pixel (or comparable functions, e.g., in apps), contact information (person-identifying data such as names, email addresses and phone numbers) is also collected within our online offering or transmitted to Meta. Processing of contact information serves to build audiences (“Custom Audiences”) for content and advertising information oriented toward users’ presumed interests. Collection, transmission and matching with data held by Meta is not in clear text but as so-called “hash values,” i.e., mathematical representations of the data (e.g., used for storing passwords). After matching for audience building, the contact information is deleted; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Privacy policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: https://www.facebook.com/legal/terms/data_security_terms.
  • Facebook ads: Placement of ads within the Facebook platform and evaluation of ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Opt-out option: We refer to users’ privacy and advertising settings on Facebook platforms as well as Facebook’s consent procedures and contact options for exercising access and other data subject rights as described in Facebook’s privacy policy; Further information: Event data of users, i.e., behavioral and interest information, are processed for targeted advertising and audience building based on the joint controllership agreement (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to collection and transmission of data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly concerns transmission of data to the parent company Meta Platforms, Inc. in the USA (based on SCCs concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ad Manager: We use “Google Ad Manager” to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.). Google Ad Manager is characterized by showing ads in real time based on users’ presumed interests. This allows us to show ads for our online offering to users who might have a potential interest in our offering or have previously been interested, and to measure the success of the ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and processed data: https://business.safety.google/adsservices/; Data processing terms for Google advertising products: information on services, controller-controller data processing terms and SCCs for third-country data transfers: https://business.safety.google/adscontrollerterms. Where Google acts as processor: data processing terms for Google advertising products and SCCs for third-country transfers: https://business.safety.google/adsprocessorterms.
  • Google Ads and conversion measurement: Online marketing procedure for placing content and ads within the provider’s advertising network (e.g., in search results, in videos, on websites, etc.), so that they are shown to users presumed to be interested in the ads. We also measure ad conversions, i.e., whether users interacted with the ads and used the advertised offers (so-called conversions). We only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and processed data: https://business.safety.google/adsservices/. Controller-controller data processing terms and SCCs for third-country transfers: https://business.safety.google/adscontrollerterms.
  • LinkedIn Insight Tag: Code loaded when a user visits our online offering that tracks user behavior and conversions and stores them in a profile (possible uses: campaign performance measurement, ad delivery optimization, building custom and similar audiences); Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy, Cookie policy: https://www.linkedin.com/legal/cookie_policy; Data processing agreement: https://www.linkedin.com/legal/l/dpa; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • LinkedIn ads: Placement of ads within the LinkedIn platform and evaluation of ad results; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://business.linkedin.com/de-de/marketing-solutions/ads; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://www.linkedin.com/legal/l/dpa; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://de.linkedin.com/legal/l/dpa), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://de.linkedin.com/legal/l/dpa); Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further information: https://legal.linkedin.com/dpa.
  • UTM parameters: Analysis of sources and user actions based on an extension of web addresses referring to us with an additional parameter, the “UTM” parameter. For example, a UTM parameter “utm_source=platformX&utm_medium=video” can tell us that a person clicked the link on platform X within a video. UTM parameters provide information about the source of the link, the medium used (e.g., social media, website, newsletter), the type of campaign or campaign content (e.g., posting, link, image and video). Using this information, we can, for example, review our visibility online or the effectiveness of our campaigns; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • Stape: Server-side tag management, capture of user interactions without using browser cookies, forwarding of these data to analytics and marketing tools; Service provider: Stape Inc, 8 The Green Suite # 12892, Dover DE 19901, USA; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://stape.io/; Privacy policy: https://stape.io/privacy-notice; Data processing agreement: https://stape.io/dpa. Third-country transfer basis: EU/EEA – Standard Contractual Clauses (https://stape.io/dpa), Switzerland – Standard Contractual Clauses (https://stape.io/dpa). 

Presences on social networks (social media) 

 
We maintain online presences within social networks and process user data in this context to communicate with active users there or to provide information about us. 

 
We point out that user data may be processed outside the European Union. This may pose risks for users, for example because it could make it more difficult to enforce users’ rights. 

 
Furthermore, user data is generally processed within social networks for market research and advertising purposes. For example, user profiles may be created based on users’ usage behavior and resulting interests. These may in turn be used to place advertisements inside and outside the networks that presumably correspond to users’ interests. Therefore, cookies are generally stored on users’ computers, in which usage behavior and interests are stored. In addition, data may be stored in usage profiles regardless of users’ devices (especially if they are members of the respective platforms and logged in there). 

 
For a detailed description of the respective processing methods and opt-out options, we refer to the privacy policies and information of the operators of the respective networks. 

 
Even in the case of access requests and the exercise of data subject rights, we point out that these can be asserted most effectively with the providers. Only the latter have access to users’ data and can take appropriate measures directly and provide information. 

  • Types of data processed: Contact data (e.g., email addresses or phone numbers); content data (e.g., textual or visual messages and posts and related information such as author details or creation time); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); inventory data (e.g., full name, residential address, contact information, customer number, etc.). Meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g., collecting feedback via online form); public relations; provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers etc.)). Public relations and informational purposes.
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.”
  • Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Further notes on processing operations, procedures and services: 

  • Bluesky: Decentralized social media network – enables creating, sharing and commenting on content as well as following user profiles; Service provider: Bluesky, PBLLC., Seattle, USA, support@bsky.app; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://bsky.social/. Privacy policy: https://bsky.social/about/support/privacy-policy. 
  • Facebook pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data of visitors to our Facebook page (“Fanpage”). These data include information on the types of content users view or interact with or actions they take (see “Things you and others do and provide” in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/), as well as information about users’ devices (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/). As explained under “How do we use this information?” in Facebook’s Data Policy, Facebook also collects and uses information to provide analytics services, so-called “Page Insights,” for page operators, to provide insights into how people interact with their pages and with associated content. We have concluded a special agreement with Facebook (“Information about Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, in particular, the security measures Facebook must observe and in which Facebook undertakes to fulfill data subject rights (i.e., users can address access or deletion requests directly to Facebook). Users’ rights (especially the right of access, deletion, objection and complaint to a competent supervisory authority) are not limited by the agreements with Facebook. Further information can be found in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint controllership is limited to collection and transmission of data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly concerns transmission of data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data of visitors used to compile “Page Insights” (statistics) for our LinkedIn profiles. These data include information about the types of content users view or interact with and actions they take. Details about devices used are also collected, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority, company size and employment status. Privacy information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy notices: https://www.linkedin.com/legal/privacy-policy. We have concluded a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum,” https://legal.linkedin.com/pages-joint-controller-addendum), which regulates, in particular, the security measures LinkedIn must observe and in which LinkedIn undertakes to fulfill data subject rights (i.e., users can address access or deletion requests directly to LinkedIn). Users’ rights (especially the right of access, deletion, objection and complaint to a competent supervisory authority) are not limited by the agreements with LinkedIn. Joint controllership is limited to collection and transmission of data to LinkedIn Ireland Unlimited Company, a company located in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly concerning transmission of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://x.com. Privacy policy: https://x.com/de/privacy.
  • Sprinklr: The customer experience management tool “sprinklr” is used by Fazit Communication GmbH to process and evaluate social media content. The tool is operated by Sprinklr Inc., 29 West 35th Street, New York, NY 10001, USA. The tool processes content from the social media channels Facebook, X and Instagram operated by Fazit Communication GmbH. The data collected there are content distributed and processed via the respective platforms. Privacy policy: https://www.sprinklr.com/privacy/

 

Plug-ins and embedded functions and content 
 

We integrate functional and content elements into our online offering that are retrieved from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or maps (collectively referred to as “content”). 

 
Integration always requires that the third-party providers of this content process users’ IP addresses, as they could not send the content to users’ browsers without IP addresses. The IP address is therefore required to display such content or functions. We endeavor to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on users’ devices and contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other details on the use of our online offering, and may also be combined with such information from other sources. 
 

  • Notes on legal bases: If we ask users for consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.
  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta-, communication and procedural data (e.g., IP addresses, timestamps, involved persons); location data (information on the geographical position of a device or person). Event data (Facebook) (see definition above).
  • Data subjects: Users (e.g., website visitors, users of online services). 
  • Purposes of processing: Provision of our online offering and user-friendliness; reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); audience building; marketing. Profiles with user-related information (creating user profiles).
  • Retention and deletion: Deletion as specified in the section “General information on data storage and deletion.” Storage of cookies up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 

Further notes on processing operations, procedures and services: 
  • Integration of third-party software, scripts or frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from other providers’ servers (e.g., function libraries we use to display or improve the user-friendliness of our online offering). In doing so, the respective providers collect users’ IP addresses and may process them to transmit the software to users’ browsers and for security purposes, as well as to evaluate and optimize their offering; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). 
 

  • Bluesky: Decentralized social media network – enables creating, sharing and commenting on content as well as following user profiles; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Service provider: Bluesky, PBLLC., Seattle, USA, support@bsky.app; Website: https://bsky.social/. Privacy policy: https://bsky.social/about/support/privacy-policy.
  • Facebook plug-ins and content: Facebook social plug-ins and content – These may include content such as images, videos or texts and buttons that allow users to share content from this online offering within Facebook. The list and appearance of Facebook social plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt as part of a transmission (but not further processing) of “event data” that Facebook collects via Facebook social plug-ins (and embedding functions for content) executed on our online offering or receives as part of a transmission for the following purposes: a) displaying content and advertising information that correspond to users’ presumed interests; b) delivery of commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalization of functions and content (e.g., improving recognition of which content or advertising information presumably corresponds to users’ interests). We have concluded a special agreement with Facebook (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum), which regulates, in particular, the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook undertakes to fulfill data subject rights (i.e., users can address access or deletion requests directly to Facebook). 
Note: When Facebook provides us with metrics, analyses and reports (which are aggregated, i.e., contain no information on individual users and are anonymous to us), this processing is not under joint controllership but based on a data processing agreement (“Data Processing Terms,” https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, based on Standard Contractual Clauses (“Facebook EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (especially the right of access, deletion, objection and complaint to a competent supervisory authority) are not limited by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).
  • Google Fonts (served from own server): Provision of font files for a user-friendly display of our online offering; Service provider: Google Fonts are hosted on our server, no data is transmitted to Google; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
  • gstatic.com: Content Delivery Network (CDN) – service that helps deliver content of an online offering, especially large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the internet; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.google.de/. Privacy policy: https://policies.google.com/privacy.

Changes and updates 

Please review the content of our privacy policy regularly. We adjust the privacy policy as soon as changes in our data processing make this necessary. We will inform you if changes require an action on your part (e.g., consent) or other individual notification. 
If we specify addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and verify information before contacting. 

Definitions 

This section provides an overview of the terms used in this privacy policy. Where terms are defined by law, the legal definitions apply. The explanations below are intended primarily to aid understanding.  

  • Inventory data: Inventory data comprise essential information necessary for the identification and management of contracting parties, user accounts, profiles and similar assignments. These data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data form the basis for any formal interaction between individuals and services, institutions or systems, enabling unique assignment and communication.
  • Firewall: A firewall is a security system that protects a computer network or an individual computer from unwanted network access.
  • Content data: Content data comprise information generated in the course of creating, editing and publishing content of all kinds. This category may include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data are not limited to the content itself, but also include metadata providing information about the content, such as tags, descriptions, author information and publication dates.
  • Click tracking: Click tracking allows an overview of users’ movements within an entire online offering. As results of these tests are more accurate when user interaction can be tracked over a period of time (e.g., to determine whether a user likes to return), cookies are generally stored on users’ computers for these testing purposes.
  • Contact data: Contact data are essential information that enables communication with individuals or organizations. They include, among other things, phone numbers and email addresses, as well as communication means such as social media handles and instant messaging identifiers.
  • Conversion measurement: Conversion measurement (also referred to as “visit action evaluation”) is a method to determine the effectiveness of marketing measures. A cookie is typically stored on users’ devices within the websites where marketing measures occur and then retrieved on the target website. For example, this allows us to understand whether ads we placed on other websites were successful.
  • Meta-, communication and procedural data: These are categories containing information about how data is processed, transmitted and managed. Metadata, also known as data about data, include information that describes the context, origin and structure of other data. They may include details on file size, creation date, document author and change histories. Communication data capture the exchange of information between users across various channels, such as email traffic, call logs, social network messages and chat histories, including involved persons, timestamps and transmission paths. Procedural data describe processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used to track and verify operations.
  • Usage data: Usage data refers to information that captures how users interact with digital products, services or platforms. These data include a wide range of information showing how users use applications, which features they prefer, how long they spend on certain pages and through which paths they navigate an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences and potential problem areas within digital offerings.
  • Personal data: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiles with user-related information: Processing of “profiles with user-related information,” or simply “profiles,” includes any type of automated processing of personal data that uses such personal data to analyze, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information regarding demographics, behavior and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
  • Log data: Log data are information about events or activities that have been logged in a system or network. These data typically contain information such as timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data are often used to analyze system issues, for security monitoring or to prepare performance reports.
  • Reach measurement: Reach measurement (also referred to as web analytics) serves to evaluate visitor flows to an online offering and may include visitors’ behavior or interests in specific information, such as website content. Using reach analysis, operators of online offerings can identify, for example, when users visit their websites and which content they are interested in. This allows them to better adapt website content to visitors’ needs. For reach measurement, pseudonymous cookies and web beacons are often used to recognize returning visitors and obtain more accurate analyses of the use of an online offering.
  • Location data: Location data arise when a mobile device (or another device capable of determining location) connects to a radio cell, a Wi-Fi network or similar technical means and location determination functions. Location data indicate the geographically determinable position on earth of the respective device. Location data can be used, for example, to display map functions or other location-dependent information.
  • Tracking: “Tracking” refers to following users’ behavior across multiple online offerings. As a rule, behavior and interest information is stored in cookies or on the servers of providers of tracking technologies with regard to the online offerings used (so-called profiling). This information can then be used, for example, to show users advertisements that presumably match their interests.
  • Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  • Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether collection, evaluation, storage, transmission or deletion.
  • Audience building: “Audience building” (English “Custom Audiences”) refers to determining audiences for advertising purposes, e.g., displaying ads. For example, based on a user’s interest in certain products or topics on the internet, it can be inferred that this user is interested in ads for similar products or the online shop where they viewed the products. “Lookalike Audiences” (or similar audiences) refers to displaying content deemed suitable to users whose profiles or interests presumably correspond to those of users for whom profiles were created. For building Custom Audiences and Lookalike Audiences, cookies and web beacons are typically used. 

Amendments 

From time to time, it is necessary to adjust the content of these data protection notices. We therefore reserve the right to change them at any time for the future. We will also publish the amended version of the data protection notices at this point. Therefore, when you visit us again, you should read the data protection notices again.