Website Privacy Notice
Below we inform you about the protection of your personal data (hereinafter referred to as “data”). In this respect, the data protection information provided here fulfills the information obligations in accordance with the requirements of Art. 12 et seq. of the EU General Data Protection Regulation (hereinafter “GDPR”). We would like to inform you in detail about the data we process about you when you use our website and our services and products (hereinafter referred to as “services”). In addition, we would like to inform you about the rights to which you are entitled and the technical and organizational protective measures we have taken with regard to the processing of your data.
Table of contents:
- Who is responsible for processing my data?
- Personal data
- What data will be processed?
- For what purposes is my data collected?
- Who receives my data?
- Will my data be processed outside the EU or the EEA (third country transfer)?
- What data protection rights do I have?
- How do we ensure the security of the processing?
- To what extent is there automated decision making?
- Does profiling take place?
- Updating the data protection information
1. Who is responsible for processing my data?
The
BFS finance GmbH (hereinafter referred to as the “Company“)
Carl-Bertelsmann-Straße 23
33332 Gütersloh
E-Mail: info@bfs-finance.com
Website: www.bfs-finance.com
is the operator of the website and is responsible under data protection law for the personal data collected about you here. The company processes personal data in accordance with the provisions of the GDPR and relevant national data protection laws.
You can contact the company’s data protection officer at the above postal address, with the addition “To the data protection officer” or via the e-mail address: datenschutz@bfs-finance.com
2. Personal data
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an e-mail address, a postal address or an online identifier such as an IP address or a cookie identifier.
Personal data may only be processed with legal permission. Your personal data will only be processed when you visit and use the website and the services offered on it if the company has legal permission to do so.
3. What data will be processed?
When you use our website, information is automatically collected from the accessing computer or mobile device (hereinafter referred to as “access data“). This access data includes server log files, which usually consist of information about the browser type and version, the operating system, the Internet service provider, the date and time of use of the website, the previously visited websites and newly accessed websites as well as the IP address of the client device.
This data is stored for reasons of data security in order to ensure the stability and operational security of our website. The legal basis for this is Art. 6 para. 1 lit. c GDPR.
If we process data other than the data mentioned here when you visit our website, the relevant data categories and the purposes of data processing, the legal basis for data processing, the storage period and criteria for storage, possible data recipients and your rights in connection with the data processing relating to you are described in detail in section 4 of this data protection notice.
4. For what purposes is my data collected?
The purposes of data processing within the scope of our offer may result from technical, contractual or legal requirements and, if applicable, from consent.
The company uses the data referred to in section 3 and the data referred to in section 4 for the following purposes, among others:
- to provide the website and ensure technical security, in particular to correct technical errors and to ensure that unauthorized persons do not gain access to the website systems;
- to process your contact request and prepare contractual relationships;
- for the purpose of fulfilling legal obligations (e.g. from the Money Laundering Act or the Banking Act);
- for the purpose of improving the website;
- for the purpose of web tracking and analysis of user behavior and
Further information on the listed purposes of data processing can be found in the following sections of this privacy notice.
4.1 Use of cookies
Cookies are small text files that are used by websites to improve the user experience, among other things. We use cookies to technically provide the services offered, to personalize content and advertisements and to analyze access to our website.
Under applicable law, we may store cookies on your device if they are strictly necessary for the operation of the site. For all other types of cookies, we need your permission, which we ask for using our Cookie Consent Manager when you access the website. You can change or withdraw your consent to the use of cookies at any time using our Cookie Consent Manager.
You can view at any time in our Cookie Consent Manager which cookies are used and to what extent.
If we use third-party services when using cookies or provide them with information from the cookies, this is done exclusively on the basis of a so-called order processing relationship with the service provider concerned. Such a contract ensures that these service providers are bound by instructions and that the purpose of the processing is limited, so that your data may not be used for other purposes that deviate from this data protection notice.
If these service providers are located outside the European Union or the European Economic Area (hereinafter referred to as “EU or EEA”), a so-called third country transfer takes place. This is permitted if you have consented to it, or if we have established additional safeguards (e.g. via standard contractual clauses, certification mechanisms or adequacy decisions by the EU Commission) to ensure that your data will be handled as securely as within the European Union.
If there is a transfer to a third country when using our cookies, we will inform you of this by providing appropriate information. Further information on the recipients of your data and the topic of third country transfers can be found in sections 6 and 7 of this privacy notice.
4.1.1 Legal basis for data processing
The legal basis for the storing of technically necessary cookies and the data processing associated with them is Art. 6 para. 1 lit. f GDPR in conjunction with § 25 II No. 2 TDDDG. Necessary cookies are set to ensure the technical provision and usability of the website. Conversely, the legal basis for the setting of optional cookies and the use of your data for these purposes is Art. 6 para. 1 lit. a GDPR in conjunction with § 25 I TDDDG. We therefore process your data only if you have given us consent with the help of our Cookie Consent Manager.
4.1.2 Duration of storage or criteria for determining this duration
The data that is collected and analyzed when optional cookies are used is generally stored until you object to their use. However, analysis cookies are stored for a maximum of 24 months. Technically necessary cookies, on the other hand, are generally deleted at the end of the respective session. Further information on this can be found in the Cookie Consent Manager.
4.1.3 Possibility of objection and removal
You have the right to object to the processing of your personal data when using necessary cookies in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation. If you would like to exercise your right to object, please contact us at the address given in section 1. If you object to this data processing, you will only be able to use the website to a limited extent or not at all.
Furthermore, you can revoke your consent to the processing of your data in the context of the use of optional cookies at any time with effect for the future. The objection can be made technically by opting out in our Cookie Consent Manager on this website or by technically clearing cookies using your browser. You can access the settings screen of our Cookie Consent Manager via the following link:
4.2 Use of analysis & tracking mechanisms and integration of external content
We use various security technologies as well as analysis and tracking mechanisms on our website to make our website more secure and to help us improve our services. What all analysis and tracking mechanisms have in common is that we only use them if and insofar as we have received your consent for this via our Cookie Consent Manager. When using security technology (e.g. web application firewalls), the legal basis may be our legitimate interest (Art. 6 para. 1 lit. f GDPR) in data processing or your consent (Art. 6 para. 1 lit. a GDPR). It may also be the case that we have to process your personal data due to a legal obligation affecting us (Art. 6 para. 1 lit. c GDPR).
- Consent management
  Provider: Borlabs GmbH, Hamburger Straße 11, 22083 Hamburg, Germany
  Cookie name: borlabs-cookie
  Cookie duration: 60 days
  Description: This cookie stores consent information for service groups and individual services.
  Links to the provider:
  – CMP Tool: https://de.borlabs.io/borlabs-cookie/
  – Data protection: https://de.borlabs.io/datenschutz/
  Legal basis: Art. 6 I lit. c GDPR, § 25 II No. 2 TDDDG
- Google Analytics
  Provider: Google Ireland Limited, Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
  Cookie name: _ga, _gid, _gat, _ga_<container-id>, _gac_gb_<container-id>
  Cookie duration: Maximum 2 years
  Data categories: IP address, browser type, pages visited, session duration, user interactions
  Description: Google Analytics cookies collect and analyze data about the use of the website. They help to understand user behavior, measure the effectiveness of marketing campaigns and improve the user experience. The data collected includes page views, session duration and user interactions.
  Links to the provider:
  – Terms of use: http://www.google.com/analytics/terms/de.html
  – Data protection: http://www.google.com/intl/de/analytics/learn/privacy.html
  – Privacy policy: http://www.google.de/intl/de/policies/privacy
  Legal basis: Art. 6 I lit. a GDPR, § 25 I TDDDG
- Google Tag Manager
  Provider: Google Ireland Limited, Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
  Cookie name: gtm_auth, gtm_debug, gtm_previe
  Cookie duration: Maximum 2 years
  Data categories: IP address, browser type, websites visited, user interactions, unique user ID
  Description: Google Tag Manager enables the management and implementation of tags on the website without having to change the source code directly. This facilitates the integration and management of tracking tags that are used to analyze user behavior and optimize marketing campaigns.
  Legal basis: Art. 6 I lit. a GDPR, § 25 I TDDDG
- Google reCAPTCHA
  Provider: Google Ireland Limited, Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
  Cookie name: _GRECAPTCHA, NID
  Cookie duration: Maximum 6 months
  Data categories: IP address, mouse movements, keyboard strokes, device data, time spent on the website
  Description: Google reCAPTCHA is used to protect websites from spam and abuse by distinguishing between human users and bots. It analyzes user interactions such as mouse movements and keyboard strokes to minimize the risk of automated attacks.
  Legal basis: Art. 6 I lit. a GDPR, § 25 I TDDDG
- Google Ads
  Provider: Google Ireland Limited, Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”)
  Cookie name: NID, __gsas, __eoi, __gpi, __gpi_optout
  Cookie duration: Maximum 12 months
  Data categories: IP address, browser type, websites visited, click behavior, ad interactions, unique user ID
  Description: We use Google Ads to promote our website through relevant advertising on third-party websites and in Google search results. If you reach our website via a Google ad, a so-called conversion cookie is stored on your system. This cookie loses its validity after 30 days and is not used to identify you personally. The conversion cookie enables us to check whether certain subpages of our website, such as the shopping cart, have been accessed and whether sales have been generated. The data collected by the cookies is used by Google to compile visit statistics for our website and to measure the success of our ads. Neither we nor other Google Ads advertisers receive information that could identify you personally. You can object to interest-based advertising by Google by adjusting the settings at www.google.de/settings/ads.
  Links to the provider:
  – Terms of use: http://www.google.com/analytics/terms/de.html
  – Data protection: http://www.google.com/intl/de/analytics/learn/privacy.html
  – Privacy policy: http://www.google.de/intl/de/policies/privacy
  Legal basis: Art. 6 I lit. a GDPR, § 25 I TDDDG
- Microsoft Clarity
  Provider: Microsoft Ireland Operations Limited (MIOL), One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
  Cookie name: _clck, _clsk, CLID, ANONCHK, MR, MUID, SM
  Cookie duration: Maximum 1 year
  Data categories: Session data, pages visited, user interactions, location data, language settings
  Description: Clarity cookies collect detailed data about user interactions on the website, including mouse movements, clicks and scrolling behavior. This information is used to create heat maps and session logs that help analyze and improve the user experience.
  Links to the provider:
  – Privacy policy: https://clarity.microsoft.com/privacy
  Legal basis: Art. 6 para. 1 lit. a GDPR, § 25 I TDDDG
- Polylang
  Provider:
  Cookie name: pll_language
  Cookie duration: Maximum 1 year
  Data categories: Language settings of the user
  Description: Polylang cookies store the language selected by the user to ensure that the website is displayed in the preferred language on future visits. This makes navigation easier and improves user-friendliness, especially on multilingual websites.
  Legal basis: Art. 6 para. 1 lit. a GDPR, § 25 II No. 2 TDDDG
4.2.1 Legal basis for data processing
The legal basis for the processing of your data in connection with the use of our analysis and tracking mechanisms is Art. 6 I lit. a GDPR. Your data is therefore processed on the basis of your consent to data processing, which you have given us via our Cookie Consent Manager. The use of our Consent Management Platform, on the other hand, is based on Art. 6 I lit. c GDPR in conjunction with § 25 II No. 2 TDDDG.
4.2.2 Duration of storage or criteria for determining this duration
We store data that we process in connection with the use of our security, analysis, and tracking mechanisms until you object to the use of the data with effect for the future. The same applies to the analysis activities described here on the basis of legitimate interests and to data that we process on the basis of Art. 6 I lit. c GDPR.
4.2.3 Possibility of objection and removal
You have the right to object to the data processing described here with effect for the future.
The objection can be made technically by opting out in our Cookie Consent Manager on this website or by technically clearing cookies using your browser. The following link will take you to the settings screen of our Cookie Consent Manager:
4.3 Contact options
The website offers the option of contacting the company via a contact form, telephone, or email. If you take advantage of this option, we will process the information you provide there and your request when you contact the company. Depending on the nature of your request (e.g., questions about our services or assertion of your rights as a data subject, such as your right to information), your contact details will be processed further (if necessary, with the help of service providers).
4.3.1 Legal basis for data processing
The legal basis for the processing of your contact data is Art. 6 I lit. f GDPR. Our legitimate interests lie in processing your request and carrying out further communication with you. If your contact is intended to conclude a contract with the company, the legal basis for the processing of your contact data is Art. 6 I lit. b GDPR. If we process your data to fulfill legal obligations, such as fulfilling data subject rights, the legal basis is Art. 6 lit. c GDPR.
4.3.2 Categories of personal data
As part of the processing activities described here, we process the following categories of data:
- Business e-mail address
- Personal master data (first name, surname)
- Request and message content
- Company details
- Information on annual turnover
4.3.3 Duration of storage or criteria for determining this duration
After your request has been processed and further communication has ended, your contact details will be deleted. This does not apply if your contact is aimed at concluding a contract with the company, if you assert your rights as a data subject (such as the right to information), or if you have given us your consent to their use for advertising purposes. In this case, your data will be stored until the contractual and/or legal obligations have been fulfilled and statutory retention periods do not prevent deletion (this is usually the case after 6 months).
4.3.4 Objection and removal options
You have the right to object to the processing of your contact data on grounds relating to your particular situation. If you wish to exercise your right to object, please contact us at the address given in section 1. If you object, the communication cannot be continued. This does not apply if the storage of your contact data is necessary for the initiation or fulfillment of a contract or the assertion of your rights as a data subject. In such a case, there is no right to object to the processing of your data.
4.4 Application management
As part of our application management, we process personal data of applicants in order to carry out and process application procedures. In connection with job advertisements, we use the Group-wide CreateYourOwnCareer platform of Bertelsmann SE & Co. KGaA. This means that both the publication of job advertisements and the application process are technically carried out via this platform.
In the case of unsolicited applications to BFS finance GmbH, the documents submitted (e.g. CV, cover letter and personal contact details) are transferred to our internal system, where they are stored for further processing.
4.4.1 Legal basis for data processing
The processing of your personal data as part of the application process is based on Art. 6 I lit. b GDPR. This provision permits the processing of personal data if it is necessary for the initiation of a contractual relationship – in this case an employment relationship.
4.4.2 Categories of personal data
We process the following categories of data as part of the processing activities described here:
- Personal master data (e.g. name, date of birth)
- Contact details (e.g. telephone number, e-mail address, postal address)
- Curriculum vitae (including details of education, professional experience, qualifications)
- Cover letter and other application documents
- E-mail correspondence as part of the application process
4.4.3 Duration of storage or criteria for determining this duration
Your personal data will generally be stored for the duration of the application process. If your application is rejected, we will delete your data no later than six months after completion of the application process, provided that there are no further statutory retention obligations, or in cases where you have given us your consent for a longer period (e.g. for an applicant pool). If your application is successful, your data will be processed further for the purposes of the employment relationship and transferred to your personnel file.
4.4.4 Recipients of personal data
As part of the application process, only those persons and positions that require your personal data to carry out the selection process will have access to it. This includes in particular employees from the HR department and the relevant specialist department.
In this context, and after transmission of your data to the CreateYourOwnCareer website, technical processing is carried out by Bertelsmann SE & Co. KGaA. Service providers may also be involved as processors in accordance with Art. 28 GDPR to assist with technical implementation and maintenance. These are contractually obliged to comply with data protection regulations.
Further information on data processing on the CreateYourOwnCareer website can be found here.
4.4.5 Objection and removal options
Since the processing of your personal data as part of the application process is based on Art. 6 I lit. b GDPR (processing for the implementation of pre-contractual measures), there is generally no right of objection under Art. 21 GDPR.
If you have given us your consent to process your data in individual cases (e.g. for inclusion in an applicant pool), you can revoke this at any time with effect for the future. This does not affect the processing that has taken place up to the point of revocation.
You can send us declarations of revocation informally by e-mail or post. You can find our contact details in the legal notice or in section 1 of this privacy notice.
4.5 Use of social media
We maintain a company presence on the social media portals LinkedIn and Xing.
By presenting our company on social media portals, we would like to seek active communication with you and offer you the opportunity to find out about the products and services of our company and the group of companies in this way.
If you use the contact options on these social media portals, we will process the data you provide in order to process your request and answer your questions. Your feedback and reactions on the portals also help us to further develop and improve our product portfolio.
The operators of these social media portals provide our company with statistical data (so-called “page insights”) which provide us with information about user activities on our company websites. As part of our marketing measures, we also use the options provided by the social media portals to address specific target groups (“targeting”) on the respective platform.
The social media portals are not operated by us, but by the respective service providers under their own responsibility. The product sovereignty and product design of the respective social media portal lies with the respective social media portal operator, depending on the platform. We have no influence on the data collected by the service provider or on its data processing procedures, nor are we aware of the full extent of the data collection, the purposes of the processing or the storage periods of the data concerned. Only insofar as the social media portals process personal data on our instructions in certain cases do they in fact act as our data processor (see section 5).
We would like to point out that the processing of personal data in countries outside the European Union and the European Economic Area, in particular in the USA, cannot be ruled out. Under certain circumstances, this may be associated with the risk of more difficult legal enforcement, which represents a risk for the individual user. For further information on this, please refer to section 6 of this privacy notice.
For the collection, processing and use of data by the operators of the social media portals, please refer to their privacy policies:
- LinkedIn (LinkedIn Ireland Unlimited Company): https://www.linkedin.com/legal/privacy-policy
- Xing (New Work SE): https://privacy.xing.com/de/datenschutzerklaerung
In the case of requests for information and the assertion of your rights, we would like to point out that these can be asserted most effectively with the respective provider of the social network. Only the provider has access to the processed data and can take the measures requested by you and provide information.
4.5.1 Legal basis for data processing
We process your personal data on the basis of our legitimate interest, Art. 6 I lit. f GDPR, in communicating with you and in the continuous optimization of our corporate image and offers. If processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, we process your personal data on this basis, Art. 6 I lit. b GDPR. Advertising measures (e.g. retargeting), on the other hand, are only carried out if you have given us your consent in advance (Art. 6 I lit. a GDPR).
4.5.2 Categories of personal data
As part of the processing activities described here, we process the following categories of data:
- IP address
- Referrer URL
- Social media account data
- Transaction data (previous website visits)
- Social media content (posts, comments)
4.5.3 Recipients of personal data
We use the services of the following data recipients to process your data as part of the processing activities described here. These have been commissioned by us via data processing agreements to act on our behalf as data processors, or via contracts regulating joint controller data processing. Further information on the data recipients we use can be found in section 5 of this data protection notice.
- LinkedIn: LinkedIn Ireland Unlimited Company, Ireland
- Xing: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany
4.5.4 Duration of storage or criteria for determining this duration
We store your personal data for as long as is necessary to process your respective request or for as long as we are entitled or obliged to store it due to statutory retention obligations.
4.5.5 Objection and removal options
You have the right to object to the processing of your data in accordance with Art. 21 GDPR, insofar as there are reasons for this arising from your particular situation. If you would like to exercise your right to object, please contact us at the address given in section 1. If the processing is based on consent, you have the right to object at any time with effect for the future. The objection can be made technically by opting out in our Cookie Consent Manager on this website or by technically clearing cookies using your browser. The following link will take you to the settings screen of our Cookie Consent Manager:
4.6 Data processing in the context of money laundering prevention (Postident procedure)
In accordance with the provisions of the Act on the Tracing of Profits from Serious Crimes (“Money Laundering Act” – hereinafter referred to as “AMLA”), the company is obliged to collect, verify and retain data on its contractual partners, the persons acting on their behalf and the beneficial owner of the contractual partner. The company uses a service provider in individual cases for the legally required verification.
4.6.1 Legal basis for data processing
The company is a factoring institution licensed by the German Federal Financial Supervisory Authority (BaFin) within the meaning of § 1 I lit. a S. 1 No. 9 of the German Banking Act (KWG) and therefore an obligated party pursuant to § 2 I No. 2 AMLA.
Pursuant to § 10 I No. 1 and No. 2 AMLA, the company is obliged to identify and verify contractual partners, persons acting on their behalf and beneficial owners. The identification of the persons concerned in § 10 I No. 1 and No. 2 AMLA is carried out in accordance with § 11 I AMLA by collecting the data specified in § 11 IV and V AMLA. This data must be verified by the company in accordance with § 12 AMLA.
As an AMLA obligated party, the company must comply with the provisions of the GDPR. Data processed on the basis of the AMLA is subject to purpose limitation in accordance with § 11a AMLA.
The processing of data within the meaning of Art. 4 No. 2 GDPR in conjunction with § 10 I, § 11 I, IV, V AMLA is carried out on the legal basis of Art. 6 I lit. c GDPR in conjunction with § 11a AMLA.
4.6.2 Categories of personal data
We process the following categories of data as part of the processing activities described here:
- First and last name
- Date of birth, place of birth, nationalities
- Residential address or postal availability
- ID data (incl. copy, possibly also incl. video chat for video identification)
- Function in the company (e.g. authorized representative, beneficial owner, shareholder, guarantor)
- PEP status (Politically Exposed Person) and result of sanctions list screening
- Connections to other companies
4.6.3 Recipients of personal data
The data is always collected by employees of the company. The company’s employees make copies of the relevant documents when checking the identity documents presented on site.
If in-person verification is not possible, the company uses three procedures (PostIdent) offered by Deutsche Post AG as the service provider commissioned by the company.
In order to fulfill the legal verification obligation, the company sends an e-mail to the person to be verified with a link to the Deutsche Post AG Postident portal. The person concerned can choose from three identification procedures for verification:
- Online ID function: This function can be used to verify identity using an ID card with an active online ID function. Identity verification using the online ID function can be carried out via a computer or smartphone. In the case of verification via a computer, the user is forwarded to the AusweisApp2 of Deutsche Post AG. In the case of verification via smartphone, this takes place via the Postident app from Deutsche Post AG. The ID card will be read by a card reader connected to the smartphone/tablet. For the verification, the person concerned must enter the 6-digit PIN of the ID card, which was previously activated when the online ID function was activated. By entering the personal 6-digit PIN, the data subject agrees to the encrypted data transmission of the previously displayed information to Deutsche Post AG.
- Postident procedure in store: The Postident procedure can be used to verify identity at a local post office. First, the person concerned generates a QR code, the so-called Postident coupon, in the Postident portal. With the printed coupon (with individual reference number for internal assignment of the ID documents), the person concerned goes to the nearest post office together with their ID card or passport and a registration certificate. An employee at the post office checks the data from the ID documents using an ID card reader and transfers it to the coupon. The user’s photo is then compared with the ID document and the data is checked by the employee locally. The person concerned must then check the data and sign the coupon. The signed coupon is confirmed by the postal employee with a signature and stamp and sent to the company.
- Videoident procedure: If the person concerned has opted for the video ID procedure in the Postident portal, they may first have to enter personal data themselves and select an ID document. A video chat with a Deutsche Post AG service employee then takes place via the camera of the end device used. The employee guides the user through the identification process, checks the ID data and takes photos of it. In addition to the ID data, a photo/screenshot (portrait photo) is taken of the person concerned. Biometric data may be collected in the process (these are not stored). Furthermore, a complete audio-visual recording of the conversation is made. The person concerned then receives an SMS TAN, which they must enter. The data subject then confirms and completes the identification process.
The data collected in the Videoident procedure, the portrait photo and the video file are made available to the company via a Deutsche Post AG portal. The video stream for video identification is provided via an SFTP server due to the file size. The data is encrypted in each case. The company must actively collect the data.
4.6.4 Duration of storage or criteria for determining this duration
The data obtained through the identification process is stored both by the company and by the service provider, if the latter is involved in the identification process.
Deutsche Post AG sets its own requirements for the storage period and deletion of data. For the storage period of data at Deutsche Post AG and the deletion periods, please refer to the supplementary information POSTIDENT on the Deutsche Post AG website, in particular section 7) of the aforementioned information.
The company stores data collected exclusively on the basis of § 11 I, IV, and V of the AMLA in accordance with the statutory storage period. This data must be deleted by the company after the storage period specified in § 8 AMLA has expired.
A corresponding deletion run is implemented in the company’s core system and runs at the end of each year.
With regard to further data, the storage period and deletion are governed by the company’s general deletion and retention policy.
4.6.5 Objection and removal options
If the data processing is based on a contractual relationship agreed between you and us, there is no right to object to the described processing operation in accordance with Art. 21 GDPR. If your consent is the legal basis for data processing, you have the right to object to this processing at any time. In accordance with Art. 17 GDPR, you also have the right to request the erasure of your data. In addition, you have the right to correct your data and to receive information about the data stored by us. To exercise your rights as a data subject, please contact the address stated in section 1.
Insofar as data is processed directly by Deutsche Post AG by way of the above-mentioned Postident procedure, your above-mentioned options for objection and removal only exist directly vis-à-vis Deutsche Post AG.
5. Who receives my data?
Within the company, those departments that need your data to fulfill the purposes described in section 4 will have access to it. Service providers used by the company may also receive access to your data (so-called “processors”, e.g. data centers, hosting, IT infrastructure support or web design). Contracts for order processing ensure that these service providers are bound by instructions, data security and the confidential handling of your data.
We will only disclose your data to third parties if this is necessary for the fulfillment of the contract, if we or the third party have a legitimate interest in the disclosure or if we have your consent to do so. In addition, data may be transferred to third parties if we are obliged to do so by law or by an enforceable official or court order.
Please note that we will not sell your personal data to third parties. Furthermore, we will not share your data with third parties for direct marketing, opinion polls or market research unless you have given us your consent to do so.
Further information on the specific data recipients can be found in the processing descriptions in section 4 of this data protection notice.
6. Will my data be processed outside the EU or the EEA (third country transfer)?
Insofar as the service providers and/or third parties outside the EU or the EEA mentioned in section 4 process your data for the purposes set out in section 4, this may result in your data being transferred to a country where a level of data protection appropriate to the EU or the EEA cannot be guaranteed. However, such a level of data protection can be ensured with a suitable guarantee. Suitable guarantees include standard contractual clauses provided by the EU Commission. In accordance with the judgment of the European Court of Justice of 16 July 2020 (Case C-311/18), service providers commissioned by us in third countries will be obliged to disclose to us which additional appropriate technical and organizational measures have been implemented to prevent state monitoring mechanisms. If there are doubts about the legality of such data processing, the service providers concerned will be obliged to adapt their technical and organizational measures.
You can request a copy of these guarantees using the contact details given in section 1.
Any guarantees may be waived in exceptional cases, for example if you give your consent or if the transfer to a third country is necessary for the performance of a contract with the company. The EU Commission has also recognized certain third countries as safe third countries or agreed corresponding certification mechanisms, so that suitable guarantees in the above sense can also be waived by the company at this point.
A third country transfer takes place in the following cases, among others:
- For the use of web tracking services (see section 4.2), service providers are used whose data centers are located in a third country or who can access the data centers within the European Union or the EEA from a branch in a third country. The company has agreed compliance with the European level of data protection with these service providers via standard contractual clauses in accordance with Art. 46 II lit. c GDPR. If no standard contractual clauses have been concluded with the service providers concerned, data will only be transferred if they have consented to the processing in accordance with Art. 49 I lit. a GDPR or if a corresponding certification mechanism secures the data transfer.
7. What data protection rights do I have?
You have the right to get access to information about the personal data we have stored about you at any time. If your personal data is incorrect or no longer up to date, you have the right to request that it be corrected. You also have the right to request the erasure or restriction of the processing of your data in accordance with Art. 17 or Art. 18 GDPR. You may also have the right to receive the data you have provided in a commonly used and machine-readable format (right to data portability). If you have given your consent to the processing of personal data for certain purposes, you can revoke your consent at any time with effect for the future. The revocation must be addressed to the company at the contact address stated in section 1. In accordance with Art. 21 GDPR, you also have the right to object at any time, on grounds relating to your particular situation, to the processing of your data which is carried out on the legal basis of Art. 6 I lit. f GDPR.
You also have the option of contacting a data protection authority and lodging a complaint there. The authority responsible for the company is the
State Commissioner for Data Protection and Information Security NRW
Kavalleriestraße 2 – 4
40213 Düsseldorf
0211 38424 0
However, you can also contact the data protection authority responsible for your place of residence.
8. How do we ensure the security of the processing?
The Company takes all necessary technical and organizational measures to protect your data from unauthorized access, disclosure, destruction or other unauthorized processing. The security measures include firewalls, encryption, the use of secure IT environments, access controls, training for employees who work with your data and the careful selection of processors who process personal data for us in accordance with our instructions. In addition, access to your data is restricted to persons who need your data to perform their tasks.
9. To what extent is there automated decision-making?
We do not use automated decision-making within the meaning of Art. 22 GDPR for the purposes mentioned under section 4.
10. Does profiling take place?
No profiling within the meaning of Art. 22 GDPR takes place for the purposes mentioned under section 4.