Data protection

The protection of your personal data (hereinafter referred to as “data”) is of great importance and a major concern to us. In the following, we would, therefore, like to inform you in detail as to what data is collected when you visit our online offers (website, social media), hereinafter referred to as “websites”, and how this data is processed by us in the following. In addition, we would like to inform you about the rights to which you are entitled and the technical and organisational protection measures we have taken with regard to the processing of your data.

The data protection information fulfils the information obligations in accordance with the requirements of Art. 12 et seq. of the EU General Data Protection Regulation (hereinafter referred to as “GDPR”) and provides you with an overview of the processing of your personal data within the scope of the online offers (website, social media) of BFS finance GmbH (hereinafter referred to as “websites”).

Table of contents:

1. Who is responsible for processing my data?
2. Personal data
3. What data is collected?
4. For what purposes is the data collected?
5. Who receives my data?
6. Is my data processed outside the EU or EEA (third country transfer)?
7. What data protection rights do I have?
8. To what extent is there automated decision-making?
9. Privacy policy on links to other websites
10. Does profiling take place?
11. Updating the data protection notice

The company

BFS finance GmbH (hereinafter referred to as the “company”) Carl-Bertelsmann-Str. 23
33332 Gütersloh
E-mail: info@bfs-finance.com

Internet: www.bfs-finance.com

is the operator of the website and responsible for the processing of your data on this website. The company processes personal data in accordance with the provisions of the GDPR and the Federal Data Protection Act (hereinafter referred to as “BDSG”).

You can reach the company’s data protection officer at the above postal address, with the addition “Addressed to the data protection officer” or via the e-mail address: datenschutz@bfs-finance.com.

Personal data is any information relating to an identified or identifiable natural person. An identifiable person is a natural person who can be identified directly or indirectly, in particular, by assigning an identifier such as a name, an e-mail address, a postal address or an online identifier such as an IP address or a cookie identifier.

Processing of personal data is only permitted with legally vaild permission. Your personal data will only be processed when you visit and use the website if the company has legal permission to do so.

When you visit the website, information is automatically collected by the accessing computer (hereinafter referred to as “access data”). This access data includes server log files, which usually consist of information about the browser type and version, the operating system, the Internet service provider, the date and time of use of the website, the previously visited websites and newly accessed websites via the website and the IP address of the computer. With the exception of the IP address, the server log files are not personally identifiable. An IP address is personally identifiable if it is permanently assigned when the internet connection is used, and the internet provider can assign it to a person.

If you continue to use the website services, pseudonymous usage profiles and/or the data you enter on the website (e.g. search words, login data, ratings, form or contract entries, click data) are processed.

In principle, you can use the website without providing your data, for example, to obtain information about us.

A detailed breakdown of the purposes for which, how long, and on what legal basis this data is processed can be found in clause 4 of this privacy policy.

The purposes of data processing on this website may result from technical, contractual or legal requirements and, where applicable, consent.

The company shall use the data referred to in clause 3 and the data referred to in clause 4 for the following purposes, among others:

• to provide the website and ensure its technical security, in particular, to correct technical errors, and to ensure that unauthorised persons do not gain access to the website’s systems,
• to process your contact request,
• for the purpose of improving the website offer,
• for the purpose of web tracking and analysis of user behaviour.

Further information on the listed purposes of data processing can be found in the following sections of this privacy notice. If personal data is processed for purposes other than those just listed, you will be informed in the following section about the subject matter, the manner and duration, the purpose, the legal basis applied and any different responsibilities for the processing.

Cookies are small text files used by websites to make the user experience more efficient. We use cookies to personalise content and ads, and to analyse traffic to our website. We also share information about your use of our website with our analytics partners.

By law, we may store cookies on your device if they are strictly necessary for the operation of this site. For all other cookie types, we need your permission. You can change or withdraw your consent at any time from the cookie statement on our website.

This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages. You can find out which cookies are used in detail in the Cookie Content Manager.

1. Necessary cookies help make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

1. Functional cookies help website owners understand how visitors interact with websites by collecting information anonymously.
2. Marketing cookies help optimise the user experience and measure the website’s reach. With the help of these cookies, we are able to record and evaluate user behaviour on the website. For web tracking, however, the personal identification of the user in question is generally not required, so when your access data is recorded, the stored IP address is either not used or only used in a shortened form (shortening by the last octet) and pseudonymous usage profiles are created. Personal usage profiles are only created in exceptional cases and if you have given your consent for the relevant cookie to be set via our Cookie Consent Manager. These cookies can basically share the information collected with other organisations or advertisers. These are persistent cookies that almost always come from third parties. Web tracking services are regularly provided by our service providers, who, however, only process usage profiles according to our instructions and not for their own purposes. This is ensured by means of commissioned processing contracts. If the service providers are established outside the European Union or the European Economic Area (hereinafter referred to as “EU or EEA”), a so-called third country transfer takes place. This is permissible if you have consented to it, we have created a guarantee for a level of data protection that is adequate to the European standard, or the EU Commission has classified the respective third country as a secure third country. The third country transfer of the respective service is marked below. Further information on the recipients of your data and the transfer to third countries can be found in clauses 6 and 7 of this data protection notice.

4.1.1 Legal basis for data processing

The legal basis for setting functional cookies is Art. 6 (1) lit. f GDPR. Functional cookies are set to ensure the technical usability of the website. The legal basis for setting optional cookies for the purpose of collecting and evaluating pseudonymous usage profiles is Art. 6 (1) lit. a GDPR. The data processing is, therefore, based on your consent to the data processing with the help of our cookie consent manager (opt-in).

4.1.2 Duration of storage or criteria for determining this duration

The data that is collected and evaluated when functional and optional cookies are used is generally stored until you object to their use. However, the storage period of the analysis cookies is a maximum of 24 months.

4.1.3 Possibility to register your objection and request removal

You have the right to object to the processing of your personal data when using functional cookies in accordance with Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation. If you wish to exercise your right of objection, please contact the contact address given in clause 1.  If you object to this data processing, you will only be able to use the website to a limited extent or not at all.

Furthermore, you can revoke your consent to the processing of your data in the context of the use of optional cookies at any time with effect for the future. The revocation can be done from a technical standpoint by an opt-out in our cookie manager on this website or by the technical cleaning of cookies by the browser you use. Via the “Privacy Settings” footer, which can be found at the bottom of the website, you can access the settings screen of our Cookie Consent Manager.

On the website, there is the possibility to subscribe to free newsletters. In order to send you a newsletter, we process the e-mail address, name of your company and the country provided by you on the basis of the consent you gave when registering. We use the so-called double opt-in procedure to register for the newsletter. After you have registered and given your consent, we will send you a message to the e-mail address you have provided, in which we ask you to confirm your registration. In order to prevent misuse of your data and to prove your consent, we store your access data recorded during registration, as well as the registration notification and the texts used for this purpose. After confirmation, you are registered for the newsletter, and your data will be stored in our customer database.

For the dispatch of our free, personalised newsletter, we collect statistical data on the use of our website, in order to optimise our offer accordingly and to adapt the offer (newsletter and other content) to your needs. For this purpose, one or more cookies are stored on your computer, with the help of which data is collected for marketing and optimisation purposes, and then stored and processed on the servers of our marketing automation tool. The data collected will be merged with the personal data you provide on the website to create a profile. Profiling can be stopped by deactivating the cookie function in your browser.

4.2.1 Purposes and legal basis of data processing

The dispatch of our newsletter and the downloading of content aim to address business customers in an advertising manner, in order to inform them about the products, solutions and services of BFS finance GmbH.

The free, personalised newsletter aims to address (potential) business customers in an advertising manner, in order to inform them about products, solutions and services of BFS finance GmbH, as well as about events. The legal basis for the processing of your data when registering and participating in the newsletter is consent in accordance with Art. 6 (1) lit. a GDPR / Section 7 (2) No. 3 Unfair Competition Act (UWG).

4.2.2 Duration of storage or criteria for determining this duration

Your data will be stored during your participation in the newsletter. Following a period of inactivity with regard to the newsletter, your data will be stored for a period of 1 year in order to be able to prove that your consent was obtained for the newsletter, and that we have acted in accordance with the law. The same applies if you have revoked your consent. Data processing for advertising purposes will then no longer take place.

4.2.3 Possibility to register your objection and request removal

You can revoke your consent to processing in the context of sending personalised newsletters at any time by informing the company of your revocation via the e-mail address info@bfs-finance.com or with the subject line “Revocation of Consent to Newsletter”. An objection can also be made by using the unsubscribe link in the newsletter e-mail.

In return for the download of whitepapers/e-books/studies (hereinafter referred to as “Content”) on current topics from our business areas, as well as in return for services provided within the scope of special promotions (e.g. fundraising campaigns, etc.), we have agreed with you to send you a personal newsletter.

Under this agreement, and in order to send you a newsletter, we process the e-mail address, name of your company and country that you provide. We use the so-called double opt-in procedure to register for the newsletter. After registration, we will send you a message to the e-mail address you provided, in which we ask you for confirmation. In order to prevent the misuse of your data and to prove this agreement, we store your access data recorded during registration, as well as the registration notification and the texts used for this purpose.

For the dispatch of our free, personalised newsletter, we collect statistical data on the use of our website, in order to optimise our offer accordingly and to adapt the offer (newsletter and other content) to your needs. For this purpose, one or more cookies are stored on your computer, with the help of which data is collected for marketing and optimisation purposes, and then stored and processed on the servers of our marketing automation tool. The data collected will be merged with the personal data you provide on the website to create a profile. Profiling can be stopped by deactivating the cookie function in your browser.

After confirmation, you are registered for the newsletter, and your data will be stored in our customer database.

4.3.1 Purposes and legal basis of data processing

The dispatch of our newsletter and the downloading of so-called content aims to address business customers in an advertising manner, in order to inform them about products, solutions and services of BFS finance GmbH and about events.

The free, personalised newsletter aims to address (potential) business customers in an advertising manner, in order to inform them about products, solutions and services of BFS finance GmbH, as well as about events. The legal basis for the processing of your data when registering and participating in the newsletter is consent in accordance with Art. 6 (1) lit. a GDPR / Section 7 (2) No. 3 Unfair Competition Act (UWG).

4.3.2 Duration of storage or criteria for determining this duration

Your data will be stored during your participation in the newsletter. Following a period of inactivity with regard to the newsletter, your data will be stored for a period of 1 year in order to be able to prove that your consent was obtained for the newsletter, and that we have acted in accordance with the law. The same applies if you have revoked your consent. Data processing for advertising purposes will then no longer take place.

4.3.3 Possibility to register your objection and request removal

You can revoke your consent to processing in the context of participation in our personalised newsletter offer when downloading e-books/whitepapers/studies at any time by notifying the company of your revocation via the e-mail address info@bfs-finance.com or with the subject “Revocation of Consent to receive Newsletter”. An objection can also be made by using the unsubscribe link in the newsletter e-mail.

If you have a business relationship with us, we may occasionally use your information to conduct a customer survey to gauge your satisfaction with our services and identify areas for improvement. Participation in the survey is voluntary, and only takes place with those customers who have given us their consent to do so when establishing the business relationship. The survey is conducted with the help of service providers who are controlled by us as order processors, and who are bound by instructions. A data protection review of these was carried out by us before the surveys were conducted.

4.4.1 Purposes and legal basis of data processing

The purpose of the survey is to improve our products, our services and thus to expand and maintain good customer relations. The data protection basis for this survey is found in Art. 6 (1) lit. f GDPR. Our legitimate interests are to provide our customers with a regular and efficient channel to express criticism so that we can adapt our services accordingly.

4.4.2 Duration of storage or criteria for determining this duration

The data used is stored in our CRM system for the duration of our contractual relationship. After the termination of our contractual relationship, the data will only be used for a final customer satisfaction survey and then blocked for this type of data processing.

4.4.3 Possibility to register your objection and request removal

You have the right to revoke your consent to the use of your data for business customer survey purposes at any time. You will find a corresponding notice in every e-mail inviting you to participate. You also have the right to object to the processing of your data. You also have the right to demand the deletion of your data in accordance with Art. 17 GDPR. Furthermore, you have the right to correct your data and to receive information about the data stored by us.

In order to exercise your data subject rights, please get in touch via the contact address mentioned in clause 1.

This website links to the job vacancies of BFS finance GmbH and the Riverty group of companies, where you can apply for a job. You will be redirected to the applicant portal via the job advertisement. In this respect, the actual data processing for the application procedure for your online application does not take place on this website.

4.5.1 Deviating responsibility under data protection law

The company that has published the job advertisement and is looking for new employees is responsible for the job advertisements. This company is also the one that receives your data upon receipt of your application. Your data will not be passed on to other bodies unless this is required by law or you consent to this.

Further information on the responsibilities, the purpose of the data processing and the legal basis, as well as possible recipients and storage period, can be found in the respective job advertisement. You will find further details on the data processing for the specific application procedure for your online application when you register and create your applicant profile.

4.5.1 Purposes and legal basis of data processing

Upon receipt of your online application for a specific job vacancy, your data will be processed for recruitment purposes. In the contractual initiation phase of an employment relationship, your potential employer has an interest in ensuring that you have the professional competence and personal suitability required for the vacant position.

The legal basis for the processing of your data is Art. 6 (1) lit. b GDPR / Section 26 (1) p. 1 BDSG. The data processing, therefore, takes place for the purpose of establishing a potential contractual relationship or employment relationship with you.

4.5.2 Duration of storage or criteria for determining this duration

Your data will be processed as long as it is necessary for the establishment of the employment relationship. After completion of the online application and the hiring decision, your data will be deleted after expiry of the statutory retention period (currently, this is normally 6 months).

4.5.3 Possibility to register your objection and request removal

Due to the applicable legal basis, there is no right of objection pursuant to Art. 21 GDPR for the described processing operation. If you have any questions about this, you can always contact us at the address given in clause 1.

On the website, there is the possibility to contact the company via an e-mail address, a telephone number or our contact form. If you take advantage of this option, the data entered, your e-mail address and/or your telephone number, as well as your request, will be transmitted to the company. Depending on the request (e.g. questions about the company’s products and services, the assertion of your data subject rights such as information), your contact data will be processed further (with the help of service providers).

4.6.1 Purposes and legal basis of data processing

The legal basis for the processing of your contact data is Article 6 (1) lit. f GDPR. The legitimate interests lie in the processing of your request and further communication. If your aim of establishing contact involves the conclusion of a contract with the company, the legal basis for the processing of your contact data is Art. 6 (1) lit. b GDPR.

4.6.2 Duration of storage or criteria for determining this duration

After your request has been processed and further communication has ended, the contact data will be deleted. This is not the case if, by establishing contact, your aim is to conclude a contract with the company, or if you assert your data subject rights such as information. For this purpose, the data will be stored until the contractual and/or legal obligations have been fulfilled and legal retention periods do not prevent deletion. This is normally the case after 6 months.

4.6.3 Possibilities of objection and removal

You have the right to object to the processing of your contact details on grounds relating to your particular situation. If you wish to exercise your right of objection, please contact the contact address given in clause 1. If you object, the communication cannot be continued. This does not apply if the storage of your contact data is necessary for the initiation or fulfilment of a contract, or the assertion of your data subject rights.

Loox is a cloud-based contact relationship management system (CRM system) and is used to record and keep up-to-date information on prospects, new customers, existing customers, partners, competitors, suppliers and service providers of AFS companies.

If your contact details are collected, for example, on this website by registering for our newsletter, the data is transferred to the contact relationship management system for further processing, and is processed there for the purposes for which it was collected. Logical client separation ensures that only those companies have access to the data stored there that are legally authorised to do so (e.g. through their consent or a corresponding contractual relationship with you).

4.7.1 Purposes and legal basis of data processing

The purpose of the data processing is the legally compliant use of your personal master data for further data processing for which you have authorised us, among other things, through your consent, or for which we have been authorised through a corresponding contractual relationship for data processing. The legal basis is, therefore, Art. 6 (1) lit. a GDPR or Art. 6 (1) lit. b GDPR.

4.7.2 Duration of storage or criteria for determining this duration

The data used is stored in our CRM system for the duration of our contractual relationship. After the termination of our contractual relationship, the data will only be used for a final customer satisfaction survey and then blocked for this type of data processing. If the data processing is based on consent, the data will be deleted if you have objected to its further use in the future.

4.7.3 Possibilities of objection and removal

If the data processing is based on a contractual relationship agreed between you and us, there is no right to object to the processing operation described in accordance with Art. 21 GDPR. If your consent is the legal basis for the data processing, you have the right to object to this processing at any time. You also have the right to demand the deletion of your data in accordance with Art. 17 GDPR. Furthermore, you have the right to correct your data and to receive information about the data stored by us. To exercise your data subject rights, please contact the contact address mentioned in clause 1.

The company offers digital events for its employees, customers and/or service providers (hereinafter “Participants”). The events take place on separate areas of the own website, or on the externally hosted platforms of connected service providers. Depending on the event, participants are required to visit the website prepared for the event (a so-called landing page) by means of a user name and password, or by means of a password defined in advance for the event (hereinafter “participation data”). In the process, the IP address and the required participation data of the participants are processed.

4.8.1 Purposes and legal basis of data processing

The purpose of the data processing is to enable participation in the company’s digital events and functions. The legal basis under data protection law is based on the purposes pursued with the events. In the case of mandatory training for our employees, for example, the legal basis is regularly Art. 6 (1) lit. b) GDPR / Section 26 (1) BDSG. Participation and the associated data processing are, therefore, necessary for the performance of the employment relationship. If the event offered is an optional, i.e. voluntary training or an information event for the participants, the legal basis is regularly Art. 6 (1) lit. f) GDPR. The processing is, therefore, carried out on the basis of a legitimate interest that lies in the creation of additional offers for the participants and is, moreover, voluntary. It is also possible that service providers do not provide the offered event as a data processor within the meaning of Art. 4 No. 8 GDPR, but act as a data controller within the meaning of Art. 4 No. 7 GDPR. In these cases, the participation is always voluntary and depends on your consent to the data processing. If it concerns such an event, you will be asked on the landing page to give your consent to the data processing of the respective organiser. The legal basis for data processing is then Art. 6 (1) lit. a) GDPR. In this case, they must assert their data protection rights directly with the organiser. For more information on this, see clause 7.

4.8.2 Duration of storage or criteria for determining this duration

The company processes your data in the context of offering digital events and functions until the conclusion of the respective event. Accordingly, your data (user name, e-mail address, IP address) will be completely deleted after the end of the event. If your data is processed by the organiser under its own responsibility, the duration of storage is determined by the respective data protection information of the organiser.

4.8.3 Possibilities of objection and removal

If the data processing is based on a contractual relationship and/or employment relationship agreed between you and us, there is no right to object to the processing operation described in accordance with Art. 21 GDPR. If your consent is the legal basis for the data processing, you have the right to object to this processing at any time for the future. You also have the right to demand the deletion of your data in accordance with Art. 17 GDPR. Furthermore, you have the right to correct your data and to receive information about the data stored by us. In order to exercise your data subject rights, please get in touch via the contact address mentioned in clause 1.

Within the company, access to your data is given to those offices that need it to fulfil the purposes outlined in clause 4.  Service providers used by the company may also have access to your data (so-called “order processors”, e.g. data centres, hosting, IT infrastructure support or web design). Contracts for order processing ensure that these service providers are bound by instructions, data security and the confidential handling of your data.

Insofar as the service providers and/or third parties outside the EU or the EEA mentioned in clause 4 process your data for the purposes mentioned in clause 4, this may result in your data being transferred to a country where no level of data protection adequate to the EU or the EEA can be guaranteed. However, such a level of data protection can be ensured with an appropriate guarantee. Standard contractual clauses provided by the EU Commission can be considered as a suitable guarantee. Pursuant to the judgement of the European Court of Justice of 16 July 2020 (Case C-311/18), service providers engaged by us in a third country will be obliged to disclose to us what additional appropriate technical and organisational measures have been implemented to prevent government surveillance mechanisms. If there are doubts regarding the lawfulness of such data processing, the service providers concerned shall be obliged to adapt their technical and organisational measures.

A copy of these guarantees can be requested from the contact details given in clause 1 above.

Any guarantees may be waived by way of exception if, for example, you consent or the third country transfer is necessary for the performance of your contract with the company. The EU Commission has also recognised certain third countries as secure third countries, so that appropriate guarantees on the part of the company can also be dispensed with at this point.

A third country transfer takes place in the following cases, among others:

• for the provision and default settings of the website, service providers are used whose data centres are located in a third country or who can access the data centres within the European Union or the EEA from a branch in a third country. The company has agreed with these service providers on compliance with the European level of data protection via standard contractual clauses.
• for the use of web tracking services, service providers are used whose data centres are located in a third country or who can access the data centres within the European Union or the EEA from a branch in a third country. The company has agreed with these service providers on compliance with the European level of data protection via standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR.

You have the right to the disclosure of personal information held about you by us at any time. If data about you is incorrect or no longer up to date, you have the right to request that it be corrected. You also have the right to request the deletion or restriction of the processing of your data in accordance with Art. 17 or Art. 18 GDPR. You may also have the right to receive the data you have provided in a common and machine-readable format (right to data portability). If you have given your consent to the processing of personal data for certain purposes, you can revoke this consent at any time with effect for the future. The revocation is to be addressed to the company at the contact address stated under clause 1.  In accordance with Art. 21 GDPR, you also have the right to object at any time to the processing of your data on the legal basis of Art. 6 (1) lit. f GDPR for reasons arising from your particular situation.

In addition, you have the option of contacting a data protection authority and filing a complaint there. The competent authority for the company is the

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia

Kavalleriestr. 2-4
40213 Düsseldorf
Tel.: 0211/38424-0
Fax: 0211/38424-999
E-mail: poststelle@ldi.nrw.de

However, you can also contact the data protection authority responsible for your place of residence.

We do not use any fully automated decision-making processes for the purposes mentioned under clause 4 .

This privacy policy applies to the www.bfs-finance.com website of BFS finance GmbH. The websites in this presentation may contain links to other providers outside BFS finance GmbH to which the data protection declaration does not extend. When you leave the website of BFS finance GmbH, please be aware of (and read) the privacy statements of each and every website that collects personally identifiable information.

No profiling takes place for the purposes mentioned under clause 4.

If this privacy policy is amended, a notice of amendment will be posted in this policy, on the homepage and in other appropriate places.

Status of the privacy policy: September 2022

Last updated: September 2022