Types of Processed Data:
- Master data (e.g. names, addresses).
- Contact data (e.g. e-mail, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Contract data (e.g. contract subject matter, term, customer category).
- Payment data (e.g. bank account details, payment history).
- Utilization data (e.g. visited websites, interest in contents, access times).
- Metadata/communication data (e.g. device information, IP addresses).
- Optional Application data for the use of recruiting services (e.g. curriculum vitae, certificates, references).
Processing Special Categories of Data (Art. 9 Subsection 1 GDPR):
- No special categories of data are processed.
Categories of the Persons Affected by the Processing:
- Customers / interested parties / suppliers.
- Visitors and users of the online services.
In the following, we will also refer to the data subjects jointly as “Users”.
Purpose of the Processing:
- Provision of the online services, their contents and functions.
- Provision of contractual performance, service and customer maintenance.
- Answering of contact inquiries and communication with users.
- Marketing, advertising and market research.
- Security measures.
As of: Sep 4, 2020
1. Relevant Legal Foundations
3. Security Measures
- On the basis of Art. 32 GDPR, in consideration of the state-of-the-art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probability of occurrence and the seriousness of the risk for the rights and freedoms of natural persons, we will arrange for appropriate technical and organizational measures, in order to guarantee a protection level, which is commensurate with the risk; these measures particularly include the assurance of confidentiality, integrity and availability of data by checking the physical access to the data, as well as the relevant access, the entry, disclosure, assurance of availability and their separation. Furthermore, we have set up procedures, which guarantee the exercising of rights by the data subjects, deletion of data and responding to endangering of the data. Furthermore, we already take the protection of personal data into consideration for the development/selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data-protection-friendly default settings (Art. 25 GDPR).
- The security measures particularly include the encrypted transfer of data between your browser and our server.
4. Cooperation With Processors and Third Parties
- Insofar as we disclose data to other persons and companies within the scope of our processing (processors or third parties), send data to these or otherwise grant them access to data, this only occurs on the basis of legal permission (e.g. if sending of the data to third parties, such as payment service providers is required for contract fulfillment in accordance with Art. 6 Subsection 1 lit. b GDPR), if you have consented, a legal obligation prescribes this or on the basis of our legitimate interests (e.g. for the use of authorized representatives, web hosting services etc.).
- Insofar as we commission third parties with the processing of data on the basis of a so-called “Data Processing Agreement”, this occurs on the basis of Art. 28 GDPR.
5. Transmissions to Third Countries
Insofar as we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or disclose it within the scope of using third-party services or if disclosure/transmission of data occurs to third parties, this only occurs, if it is required for fulfilling our (pre-)contractual duties, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process, or have the data processed, in a third country if the specific preconditions of Art. 44 et seqq. GDPR exist. I.e. the processing occurs, e.g. on the basis of specific guarantees, such as the observance of officially recognized specific contractual obligations (so-called “standard contractual clauses”) or accaptance of the transaction by the user in accordance with article 49 paragraph 1 sentence 1 lit. GDPR.
6. Rights of the Data Subjects
- You have the right to request a confirmation about whether relevant data are processed and to receive information about these data, as well as additional information and a copy of the data in accordance with Art. 15 GDPR.
- In accordance with Art. 16 GDPR, you have the right to request the completion of the data relating to you or correction of the inaccurate data relating to you.
- On the basis of Art. 17 GDPR, you have the right to request that relevant data are deleted immediately, or alternatively, on the basis of Art. 18 GDPR, to request a restriction to the processing of the data. You can request data deletion by sending an email to firstname.lastname@example.org or by deleting your account in your profile settings under "Login and Security".
- You have the right to request the receipt of the data relating to you, which you provided to us on the basis of Art. 20 GDPR and request that it be sent to other responsible parties.
- Furthermore, in accordance with Art. 77 GDPR, you have the right to file a complaint with the responsible supervisory authority.
7. Cancellation Right
You have the right to revoke granted consents in accordance with Art. 7 Subsection 3 GDPR with effect for the future.
8. Right to Object
You may object to the future processing of the data relating to you on the basis of Art. 21 GDPR at any time. The objection may specifically be made against processing for the purpose of direct marketing.
9. Cookies and the Right to Object to Direct Marketing
10. Deletion of Data
- According to legal provisions, the retention specifically occurs for 6 years in accordance with Section 257 Subsection 1 HGB [German Commercial Code] (trading books, annual financial statement, commercial letters, booking vouchers, etc.), as well as for 10 years in accordance with Section 147 Subsection 1 AO [German Fiscal Act] (accounts, records, management reports, booking vouchers, commercial and business letters, documentation relevant to taxation, etc.).
- We process master data (e.g. names and addresses, as well as contact details of users), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 Subsection 1 lit. b. GDPR. The entries marked as being mandatory in online forms are required for the conclusion of the contract.
- The registration as a member requires the storage and processing of various biographical and personal data, e.g. first name, educational status, gender, main course of studies, industry interests, degree studies and higher education institution. Optionally, additional biographical data can be entered, which relate to e.g. the curriculum vitae, interests etc. Within the scope of the registration, the required mandatory details are notified to the users. In the future, this list may be extended with reference to the legal foundations referred to in Point 1. After registration, other users of PrepLounge may view their user profile with the details provided by you and interact with you. Furthermore, curriculum vitae and application data may be sent to PrepLounge GmbH. These may be made available to recruiting companies, only after the user’s consent has been obtained. Other users of PrepLounge cannot view this application data. If users have cancelled their user account, their data will be deleted in respect of the user account, unless their retention is necessary for commercial-law or tax-law reasons in accordance with Art. 6 Subsection 1 lit. c GDPR. In the case of a cancelation, the users are responsible for securing their data prior to the end of the contract. We are authorized to irretrievably delete all of the user’s data stored during the term of the contract.
- Within the scope of the registration and new logins, as well as the use of these online services, we store the IP address and the time of the respective user action. The storage occurs on the basis of our legitimate interests, as well as those of the users, in respect of protection from misuse and other unauthorized use. Disclosure of these data to third parties does not occur, as a general rule, except if it is required for pursuing our claims or if a legal obligation exists to do so in accordance with Art. 6 Subsection 1 lit. c GDPR.
- We process utilization data (e.g. the visited websites of our online services, interest in our products) and content data (e.g., entries in the contact form or user profile) for marketing purposes in a user profile, in order to e.g. display product information for the users, based on their services used so far.
- Deletion occurs after the expiration of statutory warranty and comparable duties, the necessity to retain the data is checked every three years; in the case of statutory archiving duties, the deletion occurs after their expiration (end of commercial-code (6 years) and tax-law (10 years) retention duty); details in the customer account remain until their deletion.
12. Making Contact
- When making contact with us (via contact form, e-mail or telephone), the user’s details are processed to handle the contact request and for its processing in accordance with Art. 6 Subsection 1 lit. b) GDPR.
- The user’s details can be stored in our Customer Relationship Management System (“CRM System”) or comparable request organization.
- We delete the requests, if they are no longer required. We check the necessity every two years; we permanently store requests from customers, who have a customer account and refer to the details about the customer account with regard to deletion. In the case of statutory archiving duties, the deletion occurs after their expiration (end of commercial-law (6 years) and tax-law (10 years) retention duty).
13. Comments and Contributions
- If users leave comments or other contributions, their IP addresses are stored for 14 days on the basis of our legitimate interests within the meaning of Art. 6 Subsection 1 lit. f. GDPR.
- This occurs for our security, in the event that someone leaves unlawful content in comments and contributions (insults, banned political propaganda, etc.). In this case, we can be claimed upon ourselves for the comment or contribution and are therefore interested in the identity of the author.
- Publicly viewable contributions of this type (e.g. within our Consulting Q&As) also remain in place after the termination of a membership/deletion of the user account with PrepLounge. The authorship of such contributions is anonymized by us. Furthermore, we ensure that they no longer contain any personal data.
14. Collection of Access Data and Logfiles
- We collect data on the basis of our legitimate interests within the meaning of Art. 6 Subsection 1 lit. f. GDPR about any access to the server, on which this service is situated (so-called server logfiles). The access data include the name of the accessed website, file, date and time of the access, transferred data volume, message about successful retrieval, browser type and version, the User’s operating system, referrer URL (the previously visited website), IP address and the requesting Provider.
- Logfile information is stored for a maximum term of 14 days for security reasons (e.g. to clarify acts of misuse or fraud) and are deleted thereafter. Data, which needs to continue being retained for evidence purposes, are exempted from deletion until final clarification of the respective incident.
15. Online Presences in Social Media
- We maintain online presences within social networks and platforms, in order to communicate with the customers, interested parties and users, who are active there, and inform them about our services. For accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.
16. Cookies & Reach Measurement
- Cookies are items of information, which are transferred from our webserver or third-party webservers to the users’ web browsers and are stored there for retrieval later on. Cookies may be small files or other types of stored information.
- We use “session cookies”, which are only filed for the duration of the actual visit to our online presence (e.g. to store your login status or the shopping basket configuration and therefore make the use of our online services possible at all). In a session cookie, a randomly generated unique identification number is filed, a so-called session ID. Furthermore, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted, if they are no longer required.
- If the users do not want cookies to be stored on their computer, they are requested to deactivate the relevant option in the system settings of their browser. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies can lead to functional restrictions of these online services.
17. Google Tag Manager
We use the service called Google Tag Manager from Google. "Google" is a group of companies and consists of Google Ireland Ltd. (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland as well as Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and other affiliated companies of Google LLC.
We have concluded an order processing agreement with Google. The Google Tag Manager is an auxiliary service and processes personal data itself only for technically necessary purposes. The Google Tag Manager takes care of loading other components, which in turn may collect data. The Google Tag Manager does not access this data.
Please note that American authorities, such as intelligence agencies, could potentially gain access to personal data that is inevitably exchanged with Google due to the Internet Protocol (TCP) when this service is integrated, due to American laws such as the Cloud Act.
18. Google Analytics
- Google will use this information on our behalf, to evaluate the use of our online services by the users, to produce reports concerning the activities within the online services and to produce additional services associated with the use of these online services and the Internet for us. Pseudonymous utilization profiles of the users can be created from the processed data.
- We use Google Analytics in order to display the advertisements placed by Google and its partners within marketing services only to those users, who also have shown an interest in our online services or show specific characteristics (e.g. interests in specific topics or products, which are determined on the basis of the visited websites), which we send to Google (so-called “Remarketing”, or “Google Analytics Audiences”). With the assistance of the Remarketing Audiences, we also intend to ensure that our advertisements match the potential interest of the users and are not annoying for them.
- We only use Google Analytics with activated IP anonymization. However, in the case of activation of IP anonymization on this website, your IP address will be previously abbreviated by Google within Member States of the European Union or in other Member States, which are parties to the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the USA and abbreviated there in exceptional cases.
- The IP address sent by the user’s browser within the context of Google Analytics will not be combined with other data of Google. The users can prevent the storage of the cookies with an appropriate setting in their browser software; furthermore, the users can prevent the recording of the data generated by the cookie and their use of the online services to Google, as well as the processing of these data by Google, by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
- Additional information about use of data by Google, setting and objection options is available on the Google website: https://www.google.com/intl/en/policies/privacy/partners (“How Google uses data when you use our partners' sites or apps”), https://policies.google.com/technologies/ads (“Use of data for marketing purposes”), https://adssettings.google.com/authenticated (“Managing information that Google uses for displaying advertising to you”).
19. Google Re/Marketing Services
- On the basis of our legitimate interests (i.e. interest in the analysis, optimization and commercial operation of our online services within the meaning of Art. 6 Subsection 1 lit. f. GDPR), we use the Marketing and Remarketing Services (in short “Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
- The Google Marketing Services allow us to display advertising for and on our website in a more targeted manner, in order to present users only with advertisements, which potentially match their interests. If advertisements are e.g. displayed for products, for which the user has shown an interest on other websites, this is referred to as “Remarketing”. For this purpose, when accessing our website and others, on which Google Marketing Services are active, a Google code is directly executed by Google and so-called (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are integrated into the website. With the aid of these, an individual cookie is stored on the users’ device, i.e. a small file (comparable technologies may also be used, instead of cookies). The cookies may be set by various domains, among others, by google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. In this file, it is noted which websites the user visits, which contents he has shown an interest in and which offers he has clicked on, furthermore, technical information about the browser and operating system, linking websites, visit time and other details about the use of the online services. The IP address of the user is also recorded, whereby, within the scope of Google Analytics, we inform you that the IP is abbreviated within the Member States of the European Union or in other Member States, which are parties to the Agreement on the European Economic Area and are only transferred in full to a server of Google in the USA and abbreviated there in exceptional cases. The IP address is not combined with data of the user within other Google services. The information referred to above may also be linked by Google with such information from other sources. If the user subsequently visits other websites, customized advertisements, which match his interests, may be displayed to him.
- The users’ data are processed within the scope of the Google Marketing Services pseudonym. I.e. Google does not store and process e.g. the name of e-mail address of the user, but processes the relevant data on the basis of cookies within pseudonymous user profiles. I.e. from Google’s point of view, the advertisements are not managed and displayed for a concretely identified person, but for the cookie-holder, regardless of who this cookie-holder is. This does not apply, if a Google user has expressly allowed the data to be processed without this pseudonymization. The information collected by Google Marketing Services about the users are sent to Google and store on Google’s servers in the USA.
- The Google Marketing Services, which we use, include, inter alia, the “Google AdWords” online marketing program. In the case of Google AdWords, each AdWords customer receives a different “conversion cookie”. Cookies can therefore not be tracked via the websites of AdWords customers. The information obtained using the cookie have the purpose of creating conversion statistics for AdWords customers, who have chosen conversion tracking. The AdWords customers find out the total number of users, who have clicked on their advertisement and have been forwarded to a website with a conversion tracking tag. However, they do not receive any information, with which users can be personally identified.
- We can also use the “Google Optimizer” service. Within the scope of so-called ”A/B Testing”, Google Optimizer allows us to trace what effect various changes to a website have (e.g. changes to the input fields, the design, etc.). For these test purposes, cookies are filed on the users’ devices. Only pseudonymized user data are processed for this.
- Furthermore, we can use the “Google Tag Manager” in order to integrate the Google Analysis and Marketing Services into our website and manage them.
- If you would like to object to interest-related advertising by Google Marketing Services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.
20. Facebook, Custom Audiences and Facebook Marketing Services
- Within our online services, on the basis of our legitimate interests in analysis, optimization and commercial operation of our online services and for these purposes, the so-called “Facebook Pixel” of the Facebook social network is used, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are domiciled in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").
- Using the Facebook Pixel, it is possible for Facebook to determine the visitors to our online services as a target group for the display of advertisements (so-called “Facebook Ads”. Accordingly, we use the Facebook Pixel display Facebook Ads, which we have placed, only to those Facebook users, who also have shown an interest in our online services or show specific characteristics (e.g. interests in specific topics or products, which are determined on the basis of the visited websites), which we send to Facebook (so-called “Custom Audiences”). With the assistance of the Facebook Pixel, we also intend to ensure that our Facebook Ads match the potential interest of the users and are not annoying for them. With the assistance of the Facebook Pixel, we can also trace the effectiveness of the Facebook advertisements for statistical and marketing purposes, by seeing whether users are forwarded to our website after clicking on a Facebook advertisement (so-called “conversion”).
- Furthermore, for the use of the Facebook Pixel, we use the additional “extended comparison” function (data, such as telephone numbers, e-mail addresses or Facebook IDS of the users) are used to form target groups (“custom audiences” or “look-alike audiences”), which are sent to Facebook (encrypted)). Additional information about the “extended comparison”: https://www.facebook.com/business/help/611774685654668).
- We also use the “Custom Audiences from File” procedure of the social network Facebook, Inc. In this case, the e-mail addresses of the newsletter recipients are uploaded at Facebook. The upload procedure occurs in an encrypted form. The upload is exclusively for the purpose of determining recipients of our Facebook advertisements. With this, we intend to ensure that the advertisements are only displayed to users, who have an interest in our information and services.
- The processing of data by Facebook occurs within the scope of Facebook’s Data Utilization Policy. Accordingly, general information about the display of Facebook Ads, in the Data Utilization Policy of Facebook: https://www.facebook.com/policy.php. Specific information and details about the Facebook Pixel and its functionality are available in the help section of Facebook: https://www.facebook.com/business/help/651294705016616.
- You can object to the recording by the Facebook Pixel and the use of your data for displaying Facebook Ads. In order to set which types of advertisements are displayed to you within Facebook, you can access the site set up by Facebook and follow the instructions there for use-based advertising: https://www.facebook.com/settings?tab=ads. The settings occur platform-independently, i.e. they are adopted for all devices, such as desktop computers or mobile devices.
- To prevent tracking on our site through the Facebook Pixel please visit our Privacy Settings. Under the tab "Marketing" you can disable the tracking through the Facebook Pixel.
21. Amazon Partner Program
- With the following details, we are informing you about the contents of our newsletter, as well as the registration, delivery and statistical evaluation procedure and your objection rights. By subscribing to our newsletter, you are declaring your consent to the receipt and the described procedures.
- Content of the newsletter: We only send newsletters, e-mails and additional electronic messages with marketing information (hereinafter referred to as “newsletter”) with the consent of the recipient or legal permission. Our newsletters contain for example information about new cases, exciting jobs, relevant events and selected employers. Insofar as its contents are concretely described within the scope of registration, they are decisive for the consent of the users. Furthermore, our newsletters contain information about our products, offers, campaigns and our company.
- Verification and logging: Successful registration for our newsletter only takes place if the e-mail address of the recipient has been verified beforehand. I.e. after the registration, you receive an e-mail, in which you are requested to confirm your registration. This confirmation is necessary, so that no one can login with third-party e-mail addresses. The registrations for the newsletter are logged, in order to verify the registration process in accordance with the legal requirements. This includes storing the time of registration and the time of confirmation, as well as the abbreviated IP address. The changes to your data stored with the E-mail Service Provider are also logged.
- Furthermore, according to its own information, the E-mail Service Provider may use these data in a pseudonymized form, i.e. without allocation to a user, for optimization or improvement of its own services, e.g. for technical optimization of the delivery and the display of the newsletter or for statistical purposes, in order to determine which countries the recipients come from. However, the E-mail Service Provider does not use the data of our newsletter recipients, in order to write to them itself or disclose the data to third parties.
- Success measurement – the newsletters contain a so-called “web beacon”, i.e. a pixel-sized file, which is retrieved by the E-mail Service Provider’s server when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval, is collected. This information is used for the technical improvement of the service on the basis of the technical data or the target groups and their reading behavior on the basis of their retrieval locations (which can be determined using the IP address) or the access times. For the statistical surveys also include the determination of whether the newsletters are opened, when they are opened and which links are clicked on. For technical reasons, this information can be allocated to the individual newsletter recipients. However, it is neither our aim or that of the E-mail Service Provider, to monitor individual users. In fact, the purpose of the evaluations is for us to identify the reading habits of our users and to adapt our contents to them or send different contents in accordance with the interests of our users.
- The delivery of the newsletter and the success measurement occur on the basis of a consent from the recipient in accordance with Art. 6 Subsection 1 lit. a, Art. 7 GDPR in conjunction with Section 7 Subsection 2 No. 3 UWG [German Fair Trade Practices Act] or on the basis of legal permission in accordance with Section 7 Subsection 3 UWG.
- The logging of the registration procedure occurs on the basis of our legitimate interests in accordance with Art. 6 Subsection 1 lit. f GDPR and serves to verify the consent in the receipt of the newsletter.
- Cancellation/revocation – You may cancel the receipt of our newsletter at any time, i.e. revoke your consents. You can find a link to cancel the newsletter at the end of every newsletter.
23. Integration of Services and Third-Party Contents
- Within our online services, on the basis of our legitimate interests (i.e. interest in the analysis, optimization and commercial operation of our online services within the meaning of Art. 6 Subsection 1 lit. f. GDPR), we use content or services of third-party providers, in order to integrate their content and services, e.g. videos or fonts (hereinafter uniformly referred to as “contents”). This always presupposes that the third-party providers of these contents perceive the IP address of the users, as they could not send the contents to their browser without the IP address. Therefore, the IP address is required for the presentation of these contents. We endeavor to only use such contents, whose respective providers only use the IP address for delivering the contents. Furthermore, third-party providers can also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. With the “pixel tags”, information can be evaluated, such as the visitor traffic on the pages of these websites. The pseudonymized information can furthermore be stored in cookies on the device of the user and, among other things, contain technical information about websites linking to the browser and operating system, visit time and other details about the use of our online services, as well as being associated with such information from other sources.
- The following description provides an overview of third-party providers and their contents, in addition to links to their data protection policies, which contain additional information about processing data and, partly objection opportunities already referred to here (so-called opt-out):
- If our customers use the payment services of third parties (e.g. PayPal or Sofort), the terms and conditions and data protection policies of the respective third-party providers apply, which are retrievable within the respective websites or transaction applications.