Data privacy

This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within the scope of the provision of our services as well as within our online offer and the websites, functions and contents connected with it as well as external online presences, such as our social media profiles (hereinafter jointly referred to as “online offer”). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Even though you are certainly aware of this, we would like to point out at this point that data transmission on the Internet (e.g. communication by e-mail) can always have security gaps. Unfortunately, it is not possible for us to provide complete protection of data against access by third parties.

Name and contact details of the controller

Location Rheine

CONCEPT X GmbH & Co. KG
Hörstkamp 7
48431 Rheine
Germany
Managing partner: Ulf Gassner
Management: Vanessa Salomon

Location Koblenz

CONCEPT X Koblenz GmbH & Co. KG
Löhrstraße 87 a
56068 Koblenz
Germany
Managing partners: Desiree Sturm, Ulf Gassner

Name and contact details of the company data protection officer

Carla Holterhus
Kanalgasse 19
49808 Lingen
Germany
E-Mail: datenschutz@conceptx.de

Collection and storage of personal data and the nature, purpose and use thereof

Types of data processed

• Inventory data (e.g., personal master data, names or addresses)
• Contact data (e.g., e-mail, telephone numbers)
• Content data (e.g., text entries, photographs, videos)
• Usage data (e.g., websites visited, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Categories of persons affected

Visitors and users of the online offer (hereinafter we also refer to the data subjects collectively as “users”).

Purpose of processing

• Provision of the online offer, its functions and contents
• Responding to contact requests and communicating with users
• Security measures
• Reach measurement / marketing

Terms used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data.

“Pseudonymization” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.

“profiling” means any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

“Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Relevant legal bases

In accordance with Art. 13 DSGVO, we inform you about the legal basis of our data processing. For users from the area of application of the Basic Data Protection Regulation (DSGVO), i.e. the EU and the EEC, the following applies, unless the legal basis is stated in the privacy policy:

• The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 DSGVO.
• The legal basis for processing for the fulfillment of our services and implementation of contractual measures as well as answering inquiries is Art. 6 para. 1 lit. b DSGVO.
• The legal basis for processing to fulfill our legal obligations is Art. 6 (1) lit. c DSGVO.
• In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO serves as the legal basis.
• The legal basis for the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6 (1) lit. e DSGVO.
• The legal basis for processing to protect our legitimate interests is Art. 6 (1) lit. f DSGVO.
• The processing of data for purposes other than those for which they were collected is determined by the requirements of Art. 6 (4) DSGVO.
• The processing of special categories of data (according to Art. 9 (1) DSGVO) is determined according to the requirements of Art. 9 (2) DSGVO.

Security measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, entry into, disclosure of, assurance of availability of and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, deletion of data, and response to data compromise. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

Cooperation with processors, joint controllers and third parties

If, in the course of our processing, we disclose data to other persons and companies (order processors, jointly responsible persons or third parties), transmit it to them or otherwise grant them access to the data, this shall only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the fulfillment of the contract), users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we disclose or transfer data to other companies in our group of companies or otherwise grant them access, this is done in particular for administrative purposes as a legitimate interest and, in addition, on a basis that complies with the legal requirements.

Rights of the persons concerned

• You have the right to obtain confirmation as to whether or not data concerning you is being processed and to obtain information about such data, as well as further information and a copy of the data in accordance with the law.
• You have the right, in accordance with the law, to request that the data concerning you be completed or that inaccurate data concerning you be corrected.
• You have the right, in accordance. with the legal requirements, to demand that data concerning you be deleted without delay, or alternatively, in accordance with the legal requirements, to demand restriction of the processing of the data.
• You have the right to demand that the data concerning you that you have provided to us be received in accordance with the legal requirements and to demand that it be transferred to other persons responsible.

Right of objection

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation. If you wish to exercise your right of revocation or objection, you can contact us at any time using the contact details provided in the imprint.

Consent

If we process your personal data on the basis of consent, you have the right to revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

Right of complaint to a supervisory authority

For the CONCEPT X Rheine GmbH & Co. KG respectively Cologne is the responsible supervisory authority:

Die Landesbeauftragte für den Datenschutz NRW
Kavalleriestraße 2 – 4
40213 Düsseldorf
Germany

Website with further contact details: www.ldi.nrw.de

For the CONCEPT X Koblenz GmbH & Co. KG is the responsible supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Postfach 30 40
55020 Mainz
Germany

Website with further contact details: www.datenschutz.rlp.de

Data deletion

The data processed by us will be deleted or restricted in its processing in accordance with the legal requirements. Unless expressly stated within the scope of this data protection declaration, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

Services

We process the data of our customers within the scope of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.

In this context, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter of contract, term), payment data (e.g., bank details, payment history), usage data and metadata (e.g., in the context of evaluating and measuring the success of marketing measures).

As a matter of principle, we do not process special categories of personal data, unless these are components of commissioned processing. Data subjects include our customers, prospective customers as well as their customers, users, website visitors or employees as well as third parties. The purpose of the processing is the provision of contractual services, billing and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b DSGVO (contractual services), Art. 6 para. 1 lit. f DSGVO (analysis, statistics, optimization, security measures).

We process data that are required for the justification and fulfillment of contractual services and indicate the necessity of their disclosure. Disclosure to external parties only takes place if it is necessary within the scope of an order. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client as well as the legal requirements of a contract processing pursuant to Art. 28 DSGVO and do not process the data for any other purposes than those specified in the order.

We delete the data after the expiry of legal warranty and comparable obligations. The necessity of keeping the data is reviewed every three years; in the case of legal archiving obligations, the deletion takes place after their expiry (6 years, according to § 257 para. 1 HGB, 10 years, according to § 147 para. 1 AO). In the case of data disclosed to us by the client as part of an order, we delete the data in accordance with the specifications of the order, generally after the end of the order.

Administration, financial accounting, office organization, contact management

We process data in the context of administrative tasks as well as organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this context, we process the same data that we process in the course of providing our contractual services. The processing bases are Art. 6 para. 1 lit. c DSGVO, Art. 6 para. 1 lit. f DSGVO. Customers, interested parties, business partners and website visitors are affected by the processing.

The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities.

In this context, we disclose or transfer data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.

Furthermore, based on our business interests, we store information about suppliers, event organizers and other business partners, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.

Business analyses and market research

In order to operate our business economically, to be able to recognize market trends, wishes of contractual partners and users, we analyze the data we have on business transactions, contracts, inquiries, etc.. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 Para. 1 lit. f DSGVO, whereby the persons concerned include contract partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with details, for example, of the services they have used. The analyses serve us to increase the user-friendliness, the optimization of our offer and the business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with aggregated values.

If these analyses or profiles are personal, they will be deleted or anonymized upon termination of the users, otherwise after two years from the conclusion of the contract. Otherwise, the macroeconomic analyses and general tendency determinations are created anonymously, if possible.

Data protection information in the application process

We process the applicant data only for the purpose and within the scope of the application procedure in accordance with the legal requirements. Applicant data is processed for the fulfillment of our (pre)contractual obligations within the scope of the application procedure within the meaning of Art. 6 (1) lit. b DSGVO, Art. 6 (1) lit. f DSGVO insofar as data processing becomes necessary for us, e.g. within the scope of legal proceedings (in Germany, Section 26 BDSG also applies).

The application procedure requires applicants to provide us with applicant data. The necessary applicant data are marked, if we offer an online form, otherwise result from the job descriptions and basically include the personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, resume and the certificates. In addition, applicants may voluntarily provide us with additional information.

By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in the manner and to the extent set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 (1) DSGVO are voluntarily communicated within the scope of the application procedure, their processing shall additionally be carried out in accordance with Art. 9 (2) lit. b DSGVO (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 (1) DSGVO are requested from applicants as part of the application process, their processing is additionally carried out in accordance with Art. 9 (2) a DSGVO (e.g. health data, if this is necessary for the exercise of the profession).

If provided, applicants can submit their applications to us using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Furthermore, applicants can send us their applications via e-mail. However, please note that e-mails are generally not encrypted and applicants must ensure encryption themselves. We cannot therefore accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend rather using an online form or sending by post. This is because instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post.

In the event of a successful application, the data provided by the applicants may be processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified withdrawal by the applicants, the deletion will take place after the expiry of a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

Talent Pool

As part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of two years on the basis of consent within the meaning of Art. 6 (1) a and Art. 7 DSGVO.

The application documents in the talent pool will be processed solely in the context of future job advertisements and employee searches and will be destroyed at the latest after the expiry of the period. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 DSGVO.

Contact

When contacting us (e.g. by e-mail, telephone or via social media), the user’s details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b (in the context of contractual/pre-contractual relationships), Art. 6 (1) lit. f (other requests) DSGVO. The user’s details may be stored in a customer relationship management system (“CRM system”) or comparable inquiry organization.

We delete the inquiries if they are no longer necessary. We review the necessity every two years; Furthermore, the legal archiving obligations apply.

Cookies and right to object to direct advertising

Storage of cookies on the terminal device

Cookies are small text files that are usually stored in the browser of the user’s terminal device for the duration of the current session, i.e. until the browser is closed, but in some cases also beyond this time. A more comprehensive overview of the cookies we use, as well as the possibility to object to data processing by cookies (“opt-out”) can be found in the listing in the Cookie Policy.

The user can also object to the use of cookies by third-party providers on the following website of the Digital Advertising Alliance: https://www.aboutads.info/choices

Deactivating cookies may lead to functional restrictions of the website.

To revise your cookie settings, please click this link: Change cookie settings

Third party services and tools

A more comprehensive overview of the third-party services we use can be found in the listing at the end of this privacy policy.

We would like to inform you separately about the following services in advance:

The website www.conceptx.de uses various services from Google Ireland Limited and from Google LLC (based in the USA). These include Google Analytics, Google Analytics Ads and Google Adwords.

Data processing outside the EU

Google LLC, based in the USA, is certified for the EU-US data protection agreement “Privacy Shield”, which ensures compliance with the level of data protection applicable in the EU. Of course, CONCEPT X has concluded an order processing agreement with Google for the use of the Google tools and services mentioned above.

Web analytics services

Based on our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f DSGVO), we use the following web analytics services:

Google Analytics

We use Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to measure and analyze the use of our online offer on the basis of a pseudonymous user identification number. This identification number does not contain any unique data (e.g. names or e-mail addresses). It is used to assign analysis information to a terminal device in order to recognize which content users have accessed within one or various usage processes, which search terms they have used, have accessed again or have interacted with our online offer. In addition, the time of use and its duration are stored as well as the sources of the users referring to our online offer and technical aspects of their end devices and browsers. In the process, pseudonymous profiles of users are created with information from the use of various devices, whereby cookies may be used.

Google Analytics does not log and store individual IP addresses for EU users. Analytics, however, provides coarse geographic location data by deriving the following metadata from IP addresses:

• Stadt (und der abgeleitete Breiten- und Längengrad der Stadt)
• Kontinent
• Land
• Region
• Subkontinent (und ID-basierte Gegenstücke)

For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. They are not logged, are not accessible, and are not used for any other purpose.

When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing.

The legal basis for the processing is your consent pursuant to Art. 6 (1) p. 1 lit. a DSGVO. You have the option to object to the processing at any time via opt-out. You can find the opt-out plugin under the following link: http://tools.google.com/dlpage/gaoptout?hl=de as well as setting options for the display of advertisements: https://adssettings.google.com/authenticated.

We have concluded an order data processing contract with Google. You can find more information about this under the following link: https://business.safety.google/adsprocessorterms/.

The basis for the third country transfer is the following agreement: EU-US Data Privacy Framework (DPF) and standard contractual clauses.

For more information on how Google Analytics handles user data, please see Google’s privacy policy: https://policies.google.com/privacy/ as well as further information on types of processing as well as the processed data: https://privacy.google.com/businesses/adsservices/.

Location and device data with Google Analytics

This website uses the “Detailed Location and Device Data Collection” feature of Google Analytics. This allows reports to be generated that contain statements about the city, latitude (of the city), longitude (of the city), minor version of the browser, user agent string of the browser, device brand, device model, device name, minor version of the operating system, minor version of the platform and screen resolution of the page visitors. This data cannot be associated with any specific individual. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics via the aforementioned opt-out plugin.

Google Signals at Google Analytics

This website uses the Google Signals feature of Google Analytics. Google signals are session data from websites and apps that Google associates with users who are logged into their Google account and have activated personalized advertising. This allows reports to be generated that include statements about the age, gender, and interests of site visitors. By linking data with these logged-in users, cross-device reports are possible. This data cannot be assigned to a specific person. Data collected via Google signals are used exclusively for the Google Analytics and Google Ads service and are not shared.

The controller has integrated Google signals on this website for the use of Google Remarketing. Google Remarketing is a function of Google Ads that allows a company to display advertisements to Internet users who have previously visited the company’s website. The integration of Google Remarketing thus allows a company to create user-related advertising and consequently to display interest-relevant advertisements to the Internet user.

Google Signals sets a cookie on the information technology system of the data subject. What cookies are has already been explained above. By setting the cookie, Google is enabled to recognize the visitor to our website if he or she subsequently visits websites that are also members of the Google advertising network. Each time a website is called up on which the Google Signals service has been integrated, the Internet browser of the person concerned automatically identifies itself to Google. Within the scope of this technical procedure, Google obtains knowledge about the user’s surfing behavior, which Google uses, among other things, to display interest-relevant advertising.

The data subject can prevent the setting of cookies by our website, as already described above, at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the information technology system of the data subject. In addition, a cookie already set by Google Analytics can be deleted at any time via the internet browser or other software programs.

Furthermore, the data subject has the option to object to interest-based advertising by Google. To do this, the data subject must call up the link from any of the internet browsers he or she uses https://www.google.de/settings/ads and make the desired settings there.

Notes on data processing in connection with the Facebook Fanpage

We use our Facebook fan page to inform about us and our products or services. And, of course, to contact and communicate with Facebook users. Technically, the data processing is provided by Facebook. In this respect, we refer to the data protection information of Facebook at https://www.facebook.com/privacy/explanation.

However, according to the case law of the ECJ, joint responsibility of Facebook and us may exist under certain circumstances for parts of the Facebook Fan Page. This processing then takes place on the basis of an agreement on joint processing, which can be accessed at https://www.facebook.com/legal/terms/page_controller_addendum.

Online presence in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users’ rights. With regard to U.S. providers certified under the Privacy Shield, we point out that they thereby undertake to comply with EU data protection standards.

Furthermore, user data is usually processed for market research and advertising purposes. For example, usage profiles can be created from the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behavior and interests of the users are stored. Furthermore, data independent of the devices used by the users may also be stored in the usage profiles (especially if the users are members of the respective platforms and are logged in to them).

The processing of the users’ personal data is based on our legitimate interests in effective information of the users and communication with the users pursuant to Art. 6 (1) lit. f DSGVO. If the users are asked by the respective providers of the platforms for consent to the aforementioned data processing, the legal basis of the processing is Art. 6 (1) lit. a, Art. 7 DSGVO.

For a detailed description of the respective processing and the opt-out options, please refer to the information of the providers linked below.

Also in the case of requests for information and the assertion of user rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

Facebook, -pages, -groups

(Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland) on the basis of an agreement on joint processing of personal data.

• Privacy policy: https://www.facebook.com/about/privacy
• Especially for pages: https://www.facebook.com/legal/terms/information_about_page_insights_data
• Opt-Out: https://www.facebook.com/settings?tab=ads und https://www.youronlinechoices.com
• Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active

Google/ YouTube

(Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

• Privacy policy: https://policies.google.com/privacy
• Opt-Out: https://adssettings.google.com/authenticated
• Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Instagram

(Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)

• Privacy policy/ Opt-Out: https://instagram.com/about/legal/privacy

LinkedIn

(LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland)

• Privacy policy: https://www.linkedin.com/legal/privacy-policy
• Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
• Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active

Xing

(XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany)

• Privacy policy/ Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung

Data security

We would like to point out that for security reasons and to protect the transmission of confidential information, such as requests sent to us, our site uses a so-called SSL encryption. You can easily recognize such encryption by the fact that the address line of the browser changes from http:// to https://. In addition, you will find a lock symbol in the line of your browser. If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

Actuality and change of the declaration

This privacy policy is currently valid since 08.09.2023.

In compliance with the applicable data protection laws, we will revise this privacy policy in the event of changes to this website or other occasions that make this necessary. You can always find the current version at https://conceptx.de/en/privacy-policy/.

As of: 08.09.2023