Data Protection

This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within the scope of the provision of our services as well as our online offer and the websites, functions and contents connected with it as well as external online presences referred to as “online offer”. With regard to the terms used, such as “processing” or “controller”, we refer to the definition in Art. 4 of the General Data Protection Regulation (GDPR).

Even though you are certainly aware of this, we would like to point out in this place that data transmission on the Internet (e.g. communication via e-mail) can always have security issues. A complete protection of data against access by third parties is therefore unfortunately not possible for us.

Name and contact details of the controller


Hörstkamp 7
48431 Rheine
Managing partner: Ulf Gassner
Management: Vanessa Salomon


CONCEPT X Koblenz GmbH & Co. KG
Löhrstraße 87 a
56068 Coblenz
Managing partners: Desiree Sturm, Ulf Gassner

Name and contact details of the company data protection officer

Carla Holterhus
Papenstraße 20
48488 Emsbüren

Collection and storage of personal data as well as their type, purpose and use

Types of data processed

  • Inventory data (e.g., personal master data, names or addresses)
  • Contact data (e.g., e-mail, telephone numbers)
  • Content data (e.g., text entries, photographers, videos)
  • Usage data (e.g., websites visited, interest in content, access times)
  • Meta/ communication data (e.g., device information, IP addresses)

Categories of data subjects

Visitors and users of the online offer (hereinafter we also refer to the data subjects collectively as “users”)

Purpose of the processing

  • Provision of the online offer, its functions and contents
  • Responding to contact requests and communicating with users
  • Security measures
  • Reach measurement/ marketing

Terminology used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed upon personal data, whether by automatic means. The term is broad and covers virtually any handling of data.

“Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable the natural person.

“Profiling” means any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

“Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal basis

In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing. For users from the area of application of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, the following applies, unless the legal basis is stated in the data protection declaration:

  • The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR.
  • The legal basis for processing for the fulfilment of our services and implementation of contractual measures as well as answering enquiries is Art. 6 para. 1 lit. b GDPR.
  • The legal basis for processing for the fulfilment of our legal obligations is Art. 6 para. 1 lit. c GDPR.
  • If vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
  • The legal basis for the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6 para. 1 lit. e of the GDPR.
  • The legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR.
  • The processing of data for purposes, other than those for which it was collected, is determined by the requirements of Art. 6 para. 4 GDPR.
  • The processing of special categories of data (in accordance with Art. 9 para. 1 GDPR) is determined in accordance with the requirements of Art. 9 para. 2 GDPR.

Security measures

We take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with the law and considering the state of art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, entry into, disclosure of, assurance of availability of and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, deletion of data and response to data compromise. Furthermore, we already take the protection of personal data into account in the development and selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

Cooperation with processors, joint controllers and third parties

If, in the course of our processing, we disclose data to other persons and companies (order processors, jointly responsible persons or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract), users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we disclose or transfer data to other companies in our group of companies or otherwise grant them access, this is particularly done for administrative purposes as a legitimate interest and, in addition, on a basis that complies with the legal requirements.

Rights of the data subjects

  • You have the right to obtain confirmation as to whether or not data relating to you is being processed and to obtain information about it, as well as further information and a copy of the data, in accordance with the law.
  • You have the right, in accordance with the law, to request that data concerning you be completed or that inaccurate data concerning you be corrected.
  • You have the right, in accordance with the law, to request that the data in question be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with the law.
  • You have the right to demand that the data concerning you, that you have provided to us, be received in accordance with the legal requirements and to demand that it be transferred to other persons responsible.

Right of objection

If your personal data is processed based on legitimate interests pursuant to Article 6 para. 1 sentence 1 lit. f of the GDPR, you have the right to object to the processing of your personal data pursuant to Article 21 of the GDPR, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which will be implemented by us without specifying a particular situation. If you wish to exercise your right of revocation or objection, you can contact us at any time using the contact details provided in the imprint.


If we process your personal data based on consent, you have the right to revoke your consent at any time without affecting the lawfulness of the processing carried out based on the consent until revocation.

Right of complaint to a supervisory authority

For CONCEPT X Rheine GmbH & Co. KG respectively Cologne/ Hamburg, the competent supervisory authority is:

The State Commissioner for Data Protection NRW
Kavalleriestrasse 2 - 4
40213 Düsseldorf

Website with further contact details:

The competent supervisory authority for CONCEPT X Koblenz GmbH & Co. KG, the competent supervisory authority is:

The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate.
PO Box 30 40
55020 Mainz

Website with further contact details:

Deletion of data

The data processed by us will be deleted or restricted in its processing in accordance with the legal requirements. Unless expressly stated within the scope of this data protection declaration, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.


We process our clients’ data as part of our contractual services which include conceptual and strategic consulting, campaign planning, software and design development/ consulting or maintenance, implementation of campaigns and processes/ handling, server administration, data analysis/ consulting services and training services.

In doing so, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter of the contract, term), payment data (e.g., bank details, payment history), usage and metadata (e.g., in the context of evaluating and measuring the success of marketing measures).

In principle, we do not process special categories of personal data, unless they are part of a commissioned processing. Those affected include our customers, interested parties as well as their customers, users, website visitors or employees as well as third parties. The purpose of the processing is to provide contractual services, billing and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimisation, security measures).

We process data that isare necessary to justify and fulfil the contractual services and point out the need to provide them. Disclosure to external parties only takes place if it is necessary in the context of a contract. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client as well as the legal requirements of an order processing pursuant to Art. 28 GDPR and process the data for no other purposes than those required by the order.

We delete the data after expiry of statutory warranty and comparable obligations. The need for data retention shall be reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiry (6 Y, according to § 257 para. HGB, 10 Y, pursuant to § 147 (1) AO). In the case of data disclosed to us by the client in the context of an order, we will delete the data in accordance with the specifications of the order, in principle after the end of the order.

Administration, financial accounting, office organisation, contact management

We process data in the context of administrative tasks as well as organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of providing our contractual services. The processing bases are Art. 6 para. 1 lit. c GDPR, Art. 6 para. 1 lit. f GDPR. Customers, interested parties, business partners and website visitors are affected by the processing.

The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve the maintenance of our business activities, the performance of our tasks and the provision of our services. The deletion of data regarding contractual services and contractual communication corresponds to the information specified in these processing activities.

In this context, we disclose or transmit data to the tax authorities, advisors, such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners based on our business interests, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is stored permanently.

Business analyses and market research

In order to run our business economically, to be able to recognise market trends, wishes of contractual partners and users, we analyse the data we have on business transactions, contracts, enquiries, etc.. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata based on Art. 6 para. 1 lit. f GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with information, e.g. on the services they have used. The analyses serve us to increase user-friendliness, to optimise our offer and to improve business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised values.

If these analyses or profiles are personal, they will be deleted or anonymised upon termination by the user, otherwise after two years from the conclusion of the contract. Furthermore, the macroeconomic analyses and general tendency determinations are created anonymously if possible.

Data protection information in the application procedure

We only process applicant data for the purpose of and within the scope of the application procedure in accordance with the legal requirements. Applicant data is processed to fulfil our (pre)contractual obligations within the scope of the application procedure in accordance with Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR insofar as the data processing becomes necessary for us, e.g. within the scope of legal procedures (in Germany, § 26 BDSG also applies).

The application procedure requires that applicants provide us with the applicant data. The necessary applicant data are marked if we offer an online form, otherwise they result from the job descriptions and basically include personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.

By submitting an application to us, applicants consent to the processing of their data for the purposes of the application process in the manner and to the extent set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily provided within the scope of the application procedure, their processing is additionally carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants as part of the application process, their processing is additionally carried out in accordance with Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).

If provided, applicants can submit their applications to us using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Furthermore, applicants can send us their applications via e-mail. However, please note that e-mails are generally not encrypted and applicants must ensure that they are encrypted themselves. We cannot therefore accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend rather using an online form or sending by post. This is because instead of applying via the online form and email, applicants still have the option of sending us the application by post.

The data provided by applicants may, in the event of a successful application, be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified revocation by the applicant, the data will be deleted after the expiry of a period of six months, so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

Talent pool

As part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of two years based on consent within the meaning of Art. 6 para. 1 lit. a and Art. 7 GDPR.

The application documents in the talent pool are processed solely within the framework of future job advertisements and the search for employees and are destroyed at the latest after expiry of the deadline. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare their objection within the meaning of Article 21 of the GDPR.


When contacting us (e.g. by e-mail, telephone or via social media), the user’s details will be used to process the contact request and its handling in accordance with Art. 6 para. 1 lit. b (in the context of contractual/ pre-contractual relations), Art. 6 para. 1 lit. f (other enquiries) GDPR. The user’s details may be stored in a customer relationship management system (“CRM system”) or comparable enquiry organisation.

We delete the requests if they are no longer necessary. We review the necessity every two years; furthermore, the legal archiving obligations apply.

Cookies and the right to object to direct advertising

Storage of cookies on the end device

Cookies are small text files that are usually stored in the browser of the user’s terminal device for the duration of the current session, i.e. until the browser is closed, but in some cases also beyond this time. A more comprehensive overview of the cookies we use and the possibility of objecting to data processing by cookies (“opt-out”) can be found in the list in the Cookie Policy.

The user can also object to the use of cookies by third-party providers on the following Digital Advertising Alliance website:

Deactivating cookies may lead to functional limitations of the website.

Third party services and tools

A more comprehensive overview of the third-party services we use can be found in the list at the end of this privacy policy.

We would like to inform you separately about the following services in advance:

The website uses various services from Google Ireland Limited and Google LLC (based in the USA). These include Google Analytics, Google Analytics Ads and Google AdWords.

Data processing outside the EU

Google LLC, based in the USA, is certified for the EU-US data protection agreement “Privacy Shield”, which ensures compliance with the level of data protection applicable in the EU. Of course, CONCEPT X has concluded an order processing agreement with Google for the use of the above-mentioned Google tools and services.

Web analytics services

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f GDPR), we use the following web analytics services:

Google Universal Analytics

CONCEPT X uses Google Analytics for its own website. Google Analytics is a web analytics service provided by Google Ireland Ltd. In this context, cookies are stored on the visitor’s terminal device, which enable an analysis of the use of the website. The information generated by the cookie is transferred to a Google server in the USA and stored there.

We use the option of IP anonymisation, so that the IP address is generally shortened by Google within member states of the European Union and in other contracting states of the Agreement on the European Economic Area before transmission to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

Google Analytics will use this information on our behalf to evaluate the use of the website by the website visitor, to compile reports on website activity for the website operators and to provide other services related to website and internet usage.

The IP address transmitted by the browser as part of Google Analytics is not merged with other data held by Google. The setting of cookies can be prevented by a corresponding setting in the browser; However, we would like to point out that in this case not all functions of this website can be used to their full extent.

The collection by Google Analytics can be prevented by installing the browser plug-in available at the following link:

An opt-out cookie is set which prevents the future collection of data when visiting this website.

Additional information on how Google handles personal data in its advertising network can be found here:

Google AdWords

This website uses Google AdWords, an analysis service provided by Google, and conversion tracking as part of Google AdWords.

Google AdWords places a cookie for conversion tracking on the hard disk of the computer (so-called “conversion cookie”) when the website visitor clicks on an ad placed by Google. These cookies expire after 30 days and are not used for personal identification. If certain pages on our website are visited, Google and we can recognise that the page visitor has clicked on the advertisement and was redirected to this page.

The information obtained with the help of the conversion cookies is used to generate statistics for AdWords customers who use conversion tracking. These statistics show us the total number of users who clicked on the ad placed by Google and accessed a page with a conversion tracking tag. Further information about the Terms of Use and Privacy Policy in the context of Google AdWords can be found here.

The site visitor can permanently deactivate the setting of cookies for ad settings by installing the browser plug-in available at the following link:

Information on data processing in connection with the Facebook Fanpage

We use our Facebook Fanpage to provide information about us and our products or services. And, of course, also to contact and communicate with Facebook users. Technically, the data processing is provided by Facebook. In this respect, we refer to the data protection information of Facebook at

However, according to the case law of the ECJ, Facebook and we may be jointly responsible for parts of the Facebook fan page. This processing then takes place based on an agreement on joint processing, which can be accessed at

Online presence in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This may result in risks for the users, because it could, for example, make it more difficult to enforce the rights of the users. Regarding US providers certified under the Privacy Shield, we point out that they thereby undertake to comply with the data protection standards of the EU.

Furthermore, user data is usually processed for market research and advertising purposes. For example, usage profiles can be created from the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behaviour and the interests of the users are stored. Moreover, data may also be stored in the usage profiles irrespective of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

The processing of users’ personal data is based on our legitimate interests in effectively informing users and communicating with users pursuant to Art. 6 para. 1 lit. f GDPR. If the users are asked by the respective providers of the platforms for consent to the aforementioned data processing, the legal basis of the processing is Art. 6 para. 1 lit. a, Art. 7 GDPR.

For a detailed description of the respective processing and the opt-out options, please refer to the information of the providers linked below.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

Facebook, -pages, -groups

(Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) based on an agreement on joint processing of personal data.

Google/ YouTube

(Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)


(Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)


(Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)


(LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)


(XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany)

Data security

We would like to point out that our website uses SSL encryption for security reasons and to protect the transmission of confidential information, such as enquiries sent to us. You can easily recognise such encryption by the fact that the address line of the browser changes from http:// to https://. You will also find a lock symbol in the line of your browser. If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

Actuality and change of the declaration

This privacy policy is currently valid as of 24.09.2021.

In compliance with the applicable data protection laws, we will revise this data protection notice in the event of changes to this website or other occasions that make this necessary. You can always find the current version at

Status: 24.09.2021


Hörstkamp 7
48431 Rheine
+49 (0)5971 1632-0
Löhrstraße 87 a
56068 Coblenz
+49 (0)261 973 299-0
Gemarkenstraße 12
51069 Cologne
+49 (0)172 241 8683
Zesenstrasse 22