Allolio&Konrad Consulting GmbH takes the protection of personal data very seriously. We would like to inform you about which data we collect and when, and how we use them. As a private-law company, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the additional regulations of the Federal Statute on Data Protection (BDSG-neu). To ensure that both we ourselves and our external service providers comply with the provisions on data protection, we have taken the appropriate technical and organisational measures.
The controller under Art. 4(7) of the GDPR and other national data protection statutes of the Member States of the European Union as well as other data protection regulations is:
Allolio&Konrad Consulting GmbH
2. Definitions of Terms
2.1 Personal Data
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address or cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. In principle this includes any handling of personal data, such as their collection, recording, alteration, use, transmission, dissemination, erasure or destruction, etc.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller must ensure the lawfulness of the data processing by implementing technical and organisational measures, which must be subject to periodic review.
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Recipient’ means a natural or legal person, public authority, agency or another body to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
2.7 Third Party
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent is the expression of self-determination regarding one’s personal data. It means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Any consent given may be withdrawn at any time.
3. General Information on Data Processing
3.1 Scope of Processing of Personal Data
As a matter of principle, we will only process your personal data if this is necessary for the provision of our online services and contents. As a rule, your personal data are collected and used only once consent has been given or if the processing of the data is allowed under statutory regulations.
3.2 Legal Basis of Processing of Personal Data
The principle of data protection is a so-called ban with permit reservation. This means that the processing of personal data is illegal in principle, unless the data subject has given consent or there is a legal basis permitting the processing of such data. We are required to inform you of the legal basis of data processing.
Where we obtain your consent for the processing of your personal data, the legal basis is Art. 6(1)(a) of the GDPR.
Where data processing operations are necessary for the performance of a contract agreed upon by you and us or in order to take steps prior to entering into a contract, the legal basis is Art. 6(1)(b) of the GDPR.
Where personal data processing is necessary for compliance with a legal obligation to which our company is subject, such as legal data retention and storage regulations, the legal basis is Art. 6(1)(c) of the GDPR.
In case processing is necessary to protect the vital interests of the data subject or another natural person, the legal basis is Art. 6(1)(d) of the GDPR.
If processing is necessary for the purposes of the legitimate interests pursued by us or a third party and where such interests are not overridden by your interests or fundamental rights and freedoms, the processing of personal data is legitimised by Art. 6(1)(f) of the GDPR.
3.3 Transmission of Personal Data to Third Parties and Processors
We will not normally transmit personal data to third parties without your express consent. Where in the context of processing we do disclose or transmit your data to third parties or otherwise give third parties access to the data, this will only be on the basis of one of the aforementioned legal grounds. For example, we transmit data to payment service providers where this is necessary for the performance of contracts. Your data will be disclosed to entities entitled to this information where we are required by law or a court order to disclose such data.
To process your data, we sometimes make use of carefully selected external service providers. Where in the context of processing data are transmitted to service providers, this will be on the basis of Art. 28 of the GDPR. Our processors are carefully selected, are bound by our instructions and are subject to regular inspection by us. We will only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR and BDSG-neu and ensure the protection of your rights.
3.4 Transfer of Data to Third Countries
The GDPR guarantees an equally high level of data protection within the European Union. Therefore, wherever possible, we rely on European partners in selecting our service providers and cooperation partners for processing your personal data. Only in exceptional cases will we have data processed outside the European Union or the European Economic Area in the context of using services provided by third parties.
We only authorise the processing of your data in a third country if the special conditions of Art. 44 et seqq. of the GDPR are met. This means that your data may only be processed on the basis of special safeguards, such as official recognition by the EU Commission of a level of protection equivalent to that in the EU or adherence to officially recognised special contractual obligations, the so-called ‘standard contractual clauses’. In the case of US service providers, we will require their use of these standard clauses or their participation in the ‘Privacy Shield’ Framework, the data protection agreement negotiated between the European Union and the United States (privacyshield.gov).
3.5 Erasure of Data and Storage Periods
As soon as the purpose of storage no longer exists, we will erase your data or make them unavailable. However, further storage may occur where this has been provided for by European or national legislators in EU regulations, laws or other regulations to which we are subject. For example, this applies to data which must be retained under commercial or fiscal laws, such as invoice data. Your data will be blocked or erased once a storage period specified by these regulations has expired, unless further retention of the data is required for entering into or performance of a contract.
3.6 Existence of Automated Decision-Making
We do not use automated decision-making or profiling.
4. Rights of Data Subjects
Whenever your personal data are processed, you are a data subject under the GDPR. You have the following rights in relation to us as controller:
4.1 Right to Withdraw Consent Given under Data Protection Law
Where the processing of personal data is based on your consent, you have the right to withdraw such consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
4.2 Right of Access
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed by us. Where that is the case, you have the right to obtain access to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, where in the context of transfers to a third country or an international organisation you have the additional right to be informed of the appropriate safeguards under Art. 46 of the GDPR;
- where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
We will provide you with a copy of the personal data undergoing processing within one month after receipt of your information request. For any further copies requested by you, we may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise requested by you, we will provide the information in a commonly used electronic form.
4.3 Right to Rectification
You have the right to obtain from us without undue delay the rectification of inaccurate data concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4.4 Right to Erasure (‘Right to Be Forgotten’)
You have the right to obtain from us the erasure of personal data concerning you without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is based and there is no other legal ground for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law.
- The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.
Where we have made the personal data public and are obliged to erase them, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure (‘right to be forgotten’) does not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task which is carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
4.5 Right to Restriction of Processing
You have the right to obtain from us restriction of processing where one of the following applies:
- You contest the accuracy of the personal data concerning you, for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
- you have objected to the processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under the aforementioned conditions, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where processing has been restricted under the aforementioned conditions, we will inform you before the restriction is lifted.
4.6 Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and is carried out by automated means.
In exercising your right to data portability you have the right to have the personal data transmitted directly from us to another controller, where technically feasible. The exercise of the right to data portability is without prejudice to the right to erasure (‘right to be forgotten’). That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
4.7 Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) of the GDPR. This includes profiling based on those provisions. We will no longer process the personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding the e-Privacy Directive, you may exercise your right to object by automated means using technical specifications.
4.8 Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and us;
- is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
We will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
4.9 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
You may generally use our online services without disclosing your identity. In this section we explain when and in what context we process data when you use our online services, what services by service providers and cooperation partners we have implemented, how these operate and what happens to your data.
5.1 Data Collection When You Visit Our Websites
Where you use our websites solely for information without either registering, entering into a contract with us or otherwise disclosing information to us, we only collect such personal data as are transmitted to our servers by your browser. When you access our websites we collect the following data, which are technical requirements for us to be able to display our websites and to ensure their stability and security:
- User’s IP address
- Date and time of the request
- Content of the request (specific page)
- Access status / HTTP status code
- The quantity of data transmitted for each request
- Website from which the request originates
- User’s operating system
- Language and version of the browser software.
These data are stored temporarily in our system’s log files for a period of no more than seven days. Storage beyond that period is possible; however, in that case, IP addresses are partially erased or modified so that they can no longer be associated with the client accessing the site. In this context, the log files are never stored together with other personal data concerning you. The legal basis for these data processing operations is point (f) of Art. 6(1) of the GDPR.
To the extent that the collection of data is essential for displaying the websites and their storage in log files is essential for the operation of our websites and for maintaining IT security, you have no right to object.
When you use our websites, in addition to the aforementioned data, we also store cookies on your device during and also after your visit to our online services. These are small text files sent to the browser by a website which are stored and returned by the browser. Different information can be stored in cookies, which is then read out by the site that sets the cookie. They generally contain a distinctive sequence of characters (ID) that allows the unique identification of the browser the next time the website is accessed or when the user changes pages. Their primary purpose is to make our online services more user-friendly and efficient overall. The user data collected in the cookies are pseudonymised by technical means, so that it is normally no longer possible to associate the data with the user accessing the site. Where identification is possible, as with a login cookie whose session ID is necessarily linked to the user’s account, you will be informed of this in the appropriate place.
This website uses so-called ‘first-party cookies’, which are set by us as the data processing controller. In this respect we use transient cookies, also known as temporary or ‘session cookies’, which are erased when you leave our online services and close your browser. Such cookies are used to store e.g. language settings. We use temporary cookies on all of our secure pages to assign and register a session ID. You can browse our entire site without interruption. The session ID is generated for each visitor of our website. The session ID is stored for the duration of your visit. This identifier is also used for internal reporting purposes. It does not allow us to identify you by name and this type of cookie does not leave any information recoverable on your hard drive. Most of our proprietary cookies fall into this category and expire when you close your Internet browser.
You can also configure your browser settings in order to decline the acceptance of specific cookies or all cookies. However, that may mean that some functions of our online services are no longer available to you.
If you choose to deactivate cookies, you may continue to use certain parts of our Site. However, some useful features may not work any more, depending on which cookies you deactivate. Please note, if you have disabled one or more cookies, we may continue to use the information that was collected by such cookies before they were deactivated. However, we will cease to collect any information via the opted out cookie once a cookie has been deactivated.
The legal basis for the processing of personal data using cookies is point (f) of Art. 6(1) of the GDPR.
In case of questions or other queries please contact us via firstname.lastname@example.org.
5.3 Contact Form and Email Contact
In our online services you can find contact forms and email links (mailto), which can be used for contacting us electronically. We thereby comply with, among other things, the legal requirement to provide a fast electronic means to contact us. If you use this facility, your information will be processed and stored automatically for the purpose of answering your enquiry in accordance with point (c) of Art. 6(1) of the GDPR. We will erase these enquiries where they are no longer required and there are no legal requirements for archiving.
5.4 Social Media Buttons
For sharing the contents of our online services via social media networks, we provide so-called social media buttons. To that end we use a solution that provides data protection compliant social media buttons.
The buttons provided directly by the operators of social networks unlawfully transmit personal data as soon as the website in which they are integrated is loaded, such as IP addresses or entire cookies, and thus transmit unsolicited detailed information about your surfing behaviour to the social media providers. For this to happen you need neither be logged in to nor be a member of the network in question. In contrast, our solution only establishes direct contact between the social network and the user when the user actively clicks on the share button. In this way our solution prevents your leaving a digital trail on each site you visit and improves data protection. By using our solution we are able to protect your personal data while still integrating buttons for social sharing.
5.5 External Links
6. Online Services on Social Media Platforms
We offer online services on social media in order to provide information and to be able to make contact with you.
We have no influence over the processing of personal data by the provider of the relevant platform. As a rule, when you visit our social media services, the platform provider will set cookies in your browser which store your user behaviour and/or your interests for the purposes of market research and advertising. The user profiles thus collected - usually across devices - are used by the platform providers to serve you with personalised advertising. The data processing may also affect persons who are not registered as a user with the relevant social media platform. In some circumstances your data will be processed outside the area of the European Union, which may make it more difficult to enforce your rights. In selecting such social media platforms we do, however, take care that the providers commit to complying with EU data protection standards.
The processing of your personal data when visiting one of our social media services is on the basis of our legitimate interest in a varied external presentation of our company and the use of an efficient information source, as well as in communicating with you. The legal basis for this is point (f) of Art. 6(1) of the GDPR. You may also have given consent to the processing of data to the platform provider; in that case, the legal basis is point (a) of Art. 6(1) of the GDPR.
Our services are generally intended for adults. Without the consent of their parents or legal guardians, persons under 16 years of age may not provide us with their personal data.