Record of Processing Activities

This Record of Processing Activities, in line with Article 30(1) of the General Data Protection Regulation (GDPR), offers a compilation of processes where personal data is processes by the controller, alongside the technical and organizational measures in accordance with Article 35 GDPR.

Controller:

Elaraby Germany GmbH

Markt 9

Aufgang B/3. OG

04109 Leipzig

Date: October 10, 2025

Created with Datenschutz-Generator.de by Dr. jur. Thomas Schwenke

Index

Information on the controller

II.

General procedural rules and information

Preamble

Security Precautions

2.1.

Securing online connections through TLS/SSL encryption technology (HTTPS)

Transmission of Personal Data

3.1.

Data Transmission within the Group of Companies

3.2.

Data Transfer within the Organization

International data transfers

4.1.

Data Processing in Third Countries

General Information on Data Retention and Deletion

5.1.

Data Retention and Deletion

5.2.

Start of the period at the end of the year

5.3.

Review and compliance with deletion periods

Changes and Updates

Rights of Data Subjects

7.1.

Rights of the Data Subjects under the GDPR

Terminology and Definitions

III.

Records of Processing Activities

Business processes and operations

1.1.

Contact management and contact maintenance

1.2.

General Payment Transactions

1.3.

Accounting, accounts payable, accounts receivable

1.4.

Financial Accounting and Taxes

1.5.

Marketing, advertising, and sales promotion

1.6.

Public Relations

1.7.

Legal and Compliance

1.8.

IT system management and security

1.9.

Use of the Internet, Email, Telephone, and Other Means of Communication

1.10.

Device Management

Provision of online services and web hosting

2.1.

Provision of online offer on rented hosting space

2.2.

Collection of Access Data and Log Files

Use of Cookies

3.1.

Processing Cookie Data on the Basis of Consent

Contact and Inquiry Management

4.1.

Contact form

Communication via Messenger

5.1.

Facebook-Messenger

Cloud Services

6.1.

Microsoft 365 and Microsoft Cloud Services

Newsletter and Electronic Communications

7.1.

Measurement of opening rates and click rates

Profiles in Social Networks (Social Media)

8.1.

Instagram

8.2.

Facebook Pages

Organisational Measures

9.1.

Data protection management system, or data protection concept

9.2.

Organizational structure for data security and data protection

9.3.

Es existieren interne Sicherheitsricht- bzw. Leitlinien

9.4.

Regular and random system and safety tests

9.5.

Observation of the state of the art and necessary implementation

9.6.

Concept for safeguarding the rights of data subjects

9.7.

Emergency protocol

9.8.

Documentation for security incidents (security reporting)

9.9.

Careful selection of service providers/freelancers and, if necessary, obligation to confidentiality

9.10.

Data protection by design

9.11.

Current status of hardware and software

9.12.

Purchase of standard software and updates from trustworthy sources

9.13.

Appropriate disposal, erasure and deletion concept

9.14.

Classification notes / segregation of data, when no deletion

10.

Data Protection at Employee Level

10.1.

Employee commitment to data protection confidentiality

10.2.

Training and awareness raising of employees

10.3.

Withdrawal of access and entry authorisations of departing employees

10.4.

Clean Desk Policy

11.

Physical Access Control

11.1.

Identity check at the gatekeeper or reception

11.2.

Logging Output of keys and/or access cards

11.3.

Locking devices and securing the working environment when leaving

11.4.

Files and documents are stored safely and securely

11.5.

Data carriers are stored securely

12.

Electronic Access Control

12.1.

Password concept according to the state of the art

12.2.

Password protection of all data processing systems

12.3.

Passwords are not stored or transmitted in plain text

12.4.

Deletion of access information of departing employees

12.5.

Use of up-to-date anti-virus software

12.6.

Use of software firewall(s)

13.

Internal Access Control (permissions for user rights of access to and amendment of data)

13.1.

Appropriate authorisation concept

13.2.

Regular check of the authorisation concept

13.3.

Control of the administrators

13.4.

General traceability of data access

14.

Transmission Control

14.1.

Remote access / remote maintenance via VPN

14.2.

Transit encryption of e-mails

14.3.

Encrypted transmission of data via websites (TLS)

15.

Adherence to Instructions, Purpose Limitation and Separation Control

15.1.

Separate documentation of the Processing

15.2.

Careful selection of sub-processors and service providers

15.3.

Forwarding of instructions to employees and sub-processors

15.4.

Verification of compliance with instructions

15.5.

Adherence to the deletion periods

15.6.

Logical separation of the client's data

15.7.

Separation of productive, test and development environment

16.

Ensuring the integrity and availability of data as well as the resilience of processing systems

16.1.

Use of fail-safe, redundant server systems and services

16.2.

Storage of Data with external and reliable hosting providers

16.3.

Regular and documented patch management

16.4.

Fail-safe power supply of server systems

16.5.

Fire protection of the server systems

16.6.

Protection of server systems against moisture damage

16.7.

Protection of data records against accidental modification or deletion

16.8.

Adequate, reliable and controlled backup & recovery

IV.

Annex: Technical and Organisational Measures (TOMs)

Relevant legal bases

1.1.

Relevant legal bases according to the GDPR

1.2.

National data protection regulations in Germany

1.3.

Reference to the applicability of the GDPR and the Swiss DPA

Preamble

I. Information on the controller

CONTROLLER

___________________Name and Address:

Elaraby Germany GmbH

Markt 9

Aufgang B/3. OG

04109 Leipzig

Email Address:

gdpr@tornadohome.com

Authorised representatives:

Marwan Elkott

II. General procedural rules and information

1. Preamble

___________________Preamble text:

With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").

The terms used are not gender-specific.

2. Security Precautions

___________________Description:

In accordance with legal requirements and taking into account the state of technology, implementation costs, as well as the nature, scope, circumstances, and purposes of processing alongside the different probabilities of occurrence and the extent of threat to the rights and freedoms of natural persons, the controller implements appropriate technical and organisational measures to ensure a level of protection commensurate with the risk.

These measures specifically include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to data as well as access to it, its input, transfer, securing availability, and its separation. Furthermore, the controller has established procedures that enable the exercise of data subject rights as well as the deletion of data and responses to threats to data. In addition, from the outset of developing or selecting hardware, software, and processes, consideration is given by the controller to protect personal data in accordance with the principles of privacy by design and privacy-friendly default settings.

2.1.

Securing online connections through TLS/SSL encryption technology (HTTPS)

Description:

To protect the data transmitted via our online services from unauthorized access, the controller employs TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) ensure that information transmitted between the website or app and the user's browser, or between two servers, is encrypted. This protects the data against unauthorised access. TLS, as an advancement of SSL, provides higher security for data transmission and ensures that all transmissions comply with current security standards. The securing of a website with an SSL/TLS certificate is indicated by the presence of HTTPS in the URL, which signals secure and encrypted data transmission.

3. Transmission of Personal Data

___________________Description:

In the course of processing personal data by the controller, it may be necessary to transfer this data to other entities such as companies, legally independent organizational units, or individuals, or to disclose it to them. Recipients of this data often include service providers who take on IT tasks, or providers of services and content that are integrated into websites. The controller always ensures compliance with legal data protection regulations and secures data protection at the recipients by concluding appropriate contracts or agreements.

3.1.

Data Transmission within the Group of Companies

Description:

Data transfer within the corporate group: The controller may transfer personal data to other companies within the corporate group or grant them access to it. This data sharing is based on the legitimate business and economic interests of the controller. These include, for example, the improvement of business processes, ensuring efficient and effective internal communication, optimal use of personnel and technological resources, as well as the ability to make informed business decisions. In certain cases, data sharing may also be necessary to fulfil the contractual obligations of the controller or may be based on the consent of the data subjects or a legal permission.

3.2.

Data Transfer within the Organization

Description:

The controller may transfer personal data to other departments or units within the organisation or grant them access to it. If the data is shared for administrative purposes, it is based on the legitimate business and economic interests of the controller or occurs if it is necessary to fulfil the contractual obligations of the controller, or if consent from the data subjects or a legal permission exists.

4. International data transfers

___________________4.1.

Data Processing in Third Countries

Description:

If the controller transfers data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of using third-party services or disclosing or transmitting data to other persons, entities, or companies (which can be identified by the postal address of the respective provider or when explicitly indicated in the records of processing activities regarding data transfer to third countries), this is always carried out in compliance with legal requirements. For data transfers to the USA, the controller primarily relies on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the EU Commission on 10.07.2023. Additionally, the controller has concluded standard contractual clauses with the respective providers that comply with EU Commission requirements and establish contractual obligations for protecting personal data. This dual safeguard ensures comprehensive protection of personal data: The DPF forms the primary level of protection, while standard contractual clauses serve as additional security. Should changes occur within the DPF framework, standard contractual clauses act as a reliable fallback option. Thus, the controller ensures that personal data remains adequately protected even amidst potential political or legal changes. For individual service providers, the controller informs data subjects whether they are certified under the DPF and whether standard contractual clauses are in place. Data subjects can find further information on the DPF and a list of certified companies on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English). For data transfers to other third countries, corresponding security measures apply, particularly standard contractual clauses, explicit consents, or legally required transfers. Information about third-country transfers and applicable adequacy decisions can be obtained from information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

5. General Information on Data Retention and Deletion

___________________Description:

Personal data processed by the controller will be deleted in accordance with legal requirements once the underlying consents have been revoked or no further legal bases for processing are present. This applies to cases where the original purpose of processing no longer exists or the data is no longer needed. Exceptions to this rule apply if legal obligations or special interests of the controller necessitate a longer retention or archiving of data.

In particular, data that must be retained for commercial or tax law reasons, or whose retention is necessary for legal action or to protect the rights of other natural or legal persons, should be archived accordingly.

The controller's privacy notices provide additional information on the retention and deletion of data specifically relevant to certain processing processes.

If there are multiple details regarding the retention period or deletion deadlines for a date, the longest period always prevails.

If a period does not explicitly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred.

Data that can no longer be processed for its originally intended purpose but must be retained due to legal requirements or for other reasons will only be processed by the controller for reasons justifying their retention.

5.1.

Data Retention and Deletion

Description:

The following general deadlines apply for the retention and archiving according to German law:

10 Years - Fiscal Code/Commercial Code - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the necessary work instructions and other organisational documents (Section 147 Paragraph 1 No. 1 in conjunction with Paragraph 3 of the German General Tax Code (AO), Section 14b Paragraph 1 of the German VAT Act (UStG), Section 257 Paragraph 1 No. 1 in conjunction with Paragraph 4 of the German Commercial Code (HGB)).
8 years - Accounting documents, such as invoices, booking and expense receipts (Section 147 Paragraph 1 No. 4 and 4a in conjunction with Paragraph 3 of the German General Tax Code (AO), Section 257 Paragraph 1 No. 4 in conjunction with Paragraph 4 of the German Commercial Code (HGB))
6 Years - Other business documents: received commercial or business letters, copies of dispatched commercial or business letters, and other documents to the extent that they are significant for taxation purposes, for example, hourly wage slips, operating accounting sheets, calculation documents, price tags, as well as payroll accounting documents, provided they are not already accounting vouchers and cash register tapes Section (Section 147 Paragraph 1 No. 2, 3, 5 in conjunction with Paragraph 3 of the German General Tax Code (AO), Section 257 Paragraph 1 No. 2 and 3 in conjunction with Paragraph 4 of the German Commercial Code (HGB)).
3 Years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experiences and common industry practices, will be stored for the duration of the regular statutory limitation period of three years. This period begins at the end of the year in which the relevant contractual transaction took place or the contractual relationship ended in the case of ongoing contracts (Sections 195, 199 of the German Civil Code).

5.2.

Start of the period at the end of the year

Description:

If a period does not expressly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the time at which the termination or other termination of the legal relationship takes effect.

5.3.

Review and compliance with deletion periods

Description:

Compliance with legal and internal requirements regarding the deletion of personal data is regularly reviewed. It is ensured that all personal data no longer needed or whose storage period has expired are deleted in accordance with relevant data protection regulations, or, in the case of archiving and retention obligations, processing is restricted to these purposes. These reviews of deletion processes and compliance with established deletion periods occur regularly, at least once a year. The results of the review are documented and evaluated by the person(s) responsible for the deletion review. Upon identification of deviations, corrective actions are immediately initiated, and the effectiveness of these measures is evaluated in subsequent reviews to ensure ongoing compliance.

6. Changes and Updates

___________________Description:

The directory of processing activities will be updated as soon as changes in the processing processes require it, or when legal provisions or other compelling reasons make an adjustment necessary. Regardless of such events, a regular review of the directory takes place at least once a year to ensure that the directory always corresponds to the current processing activities and legal requirements.

7. Rights of Data Subjects

___________________7.1.

Rights of the Data Subjects under the GDPR

Description:

Data subjects are comprehensively informed about their rights in accordance with the GDPR. This information is provided either through a public privacy statement or on a case-by-case basis in a precise, transparent, understandable, and easily accessible manner. Communication is carried out in clear and simple language. The key rights include: a) the right to object, b) the right to withdraw consent, c) the right of access, d) the right to rectification, e) the right to erasure and restriction of processing, f) the right to data portability, and g) the right to lodge a complaint with a supervisory authority.

8. Terminology and Definitions

___________________Description:

In this section, you will find an overview of the terminology used in this privacy policy. Where the terminology is legally defined, their legal definitions apply. The following explanations, however, are primarily intended to aid understanding.

III. Records of Processing Activities

1. Business processes and operations

___________________Description:

Personal data of service recipients and clients - including customers, clients, or in specific cases, mandates, patients, or business partners as well as other third parties - are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relations. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.

The collected data is used to fulfil contractual obligations and make business processes efficient. This includes the execution of business transactions, the management of customer relationships, the optimisation of sales strategies, and ensuring internal invoicing and financial processes. Additionally, the data supports the protection of the rights of the controller and promotes administrative tasks as well as the organisation of the company.

Personal data may be transferred to third parties if necessary for fulfilling the mentioned purposes or legal obligations. After legal retention periods expire or when the purpose of processing no longer applies, the data will be deleted. This also includes data that must be stored for longer periods due to tax law and legal obligations to provide evidence.

Data categories:

Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Payment Data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Contract data (e.g. contract object, duration, customer category); Log data (e.g. log files concerning logins or data retrieval or access times.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.

Data subjects:

Service recipients and clients; Prospective customers; Communication partner (Recipients of e-mails, letters, etc.); Business and contractual partners; Third parties; Users (e.g. website visitors, users of online services); Employees (e.g. employees, job applicants, temporary workers, and other personnel.

Purposes/interest:

Provision of contractual services and fulfillment of contractual obligations; Office and organisational procedures; Business processes and management procedures; Communication; Marketing; Sales promotion; Public relations; Financial and Payment Management; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.

Data sources:

Receipt through transmission or other communication by business partners and clients; Collection from data subjects; Data collection from other sources; Data collection through interfaces to services of other providers; Collection in connection with advertising and marketing campaigns; Collection from users; Collection from customers.

Retention and deletion:

Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".

Legal bases:

Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR.

1.1.

Contact management and contact maintenance

Description:

Processes required in the context of organizing, maintaining, and securing contact information (e.g., setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, conducting backups and restorations of contact data, training employees in effective use of contact management software, regular review of communication history and adjustment of contact strategies.

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Service recipients and clients, Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners, Third parties.
Purposes of processing: Communication, Office and organisational procedures.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.2.

General Payment Transactions

Description:

Procedures required for carrying out payment transactions, monitoring bank accounts, and controlling payment flows (e.g., creation and verification of transfers, processing of direct debit transactions, checking of account statements, monitoring of incoming and outgoing payments, management of chargebacks, account reconciliation, cash management).

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Payment Data (e.g. bank details, invoices, payment history), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Service recipients and clients, Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations, Office and organisational procedures, Financial and Payment Management.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.3.

Accounting, accounts payable, accounts receivable

Description:

Procedures required for the collection, processing, and control of business transactions in the area of accounts payable and receivable accounting (e.g., creation and verification of incoming and outgoing invoices, monitoring and management of outstanding items, execution of payment transactions, handling of dunning processes, account reconciliation within the scope of receivables and payables, accounts payable accounting, and accounts receivable accounting).

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Payment Data (e.g. bank details, invoices, payment history), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Service recipients and clients, Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations, Office and organisational procedures, Financial and Payment Management.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.4.

Financial Accounting and Taxes

Description:

Procedures required for the collection, management, and control of finance-related business transactions as well as for the calculation, reporting, and payment of taxes (e.g., accounting and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, handling of dunning processes, account reconciliation, tax consulting, preparation and submission of tax returns, management of tax affairs).

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Payment Data (e.g. bank details, invoices, payment history), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations, Office and organisational procedures, Financial and Payment Management.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.5.

Marketing, advertising, and sales promotion

Description:

Processes required in the context of marketing, advertising, and sales promotion (e.g., market analysis and audience targeting, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade show participation, customer loyalty programs, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control.

Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.
Data subjects: Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Users (e.g. website visitors, users of online services), Business and contractual partners, Third parties.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations, Marketing, Sales promotion.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.6.

Public Relations

Description:

Processes required in the context of public relations and public relations activities (e.g., development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organisation of press conferences and public events, crisis communication, creation of content for social media and corporate websites, management of corporate branding).

Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners, Third parties.
Purposes of processing: Public relations, Sales promotion, Business processes and management procedures.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources, Data collection through interfaces to services of other providers, Collection in connection with advertising and marketing campaigns.

1.7.

Legal and Compliance

Description:

Procedures required for the verification, assurance, and enforcement of compliance with legal regulations and internal company policies (e.g., legal advice and representation, drafting and reviewing contracts and legal documents, conducting compliance checks, handling legal disputes, training and raising awareness among employees, creating and maintaining a compliance management system).

Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Payment Data (e.g. bank details, invoices, payment history), Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category.
Data subjects: Service recipients and clients, Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners, Third parties.
Purposes of processing: Office and organisational procedures, Business processes and management procedures.
Data sources: Collection from data subjects, Collection from customers, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.8.

IT system management and security

Description:

Processes required in the context of installation, operation, maintenance, and protection of IT systems, networks, and data (e.g., server maintenance, network planning and monitoring, implementation of security protocols and strategies, management of firewall and antivirus programs, data backup and recovery, IT helpdesk and user support, software installation and updates).

Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Service recipients and clients, Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners.
Purposes of processing: Office and organisational procedures, Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.)), Business processes and management procedures.
Data sources: Collection from data subjects, Collection from users, Receipt through transmission or other communication by business partners and clients, Data collection from other sources, Data collection through interfaces to services of other providers.

1.9.

Use of the Internet, Email, Telephone, and Other Means of Communication

Description:

Processes required for the use of the internet, email, telephone, and other communication methods with consideration to data protection (e.g., setting up and maintaining secure communication networks, implementation of privacy policies for email traffic, secure configuration of telephone systems, regular review and updating of security protocols, training employees in handling communication tools in compliance with data protection, monitoring and analysis of communication traffic to adhere to privacy requirements, secure storage and archiving of communication data).

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties), Log data (e.g. log files concerning logins or data retrieval or access times.
Data subjects: Service recipients and clients, Prospective customers, Communication partner (Recipients of e-mails, letters, etc.), Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations, Office and organisational procedures, Business processes and management procedures.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

1.10.

Device Management

Description:

Processes required for the use of devices, machinery, and associated equipment with consideration for data protection (e.g., device maintenance and repair in compliance with data protection requirements, secure inventory management, planning and scheduling of devices with data protection compliant documentation, energy and resource management with a focus on data protection, data protection training and security measures, management of device equipment taking into account data protection, coordination of device deployments with data protection assessments, data protection compliant procurement, maintenance, servicing, and sale of devices).

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.), Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Contract data (e.g. contract object, duration, customer category), Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.
Data subjects: Employees (e.g. employees, job applicants, temporary workers, and other personnel.), Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations, Office and organisational procedures.
Data sources: Collection from data subjects, Receipt through transmission or other communication by business partners and clients, Data collection from other sources.

2. Provision of online services and web hosting

___________________Description:

The data of the users is processed in order to provide them with the online services of the controller. For this purpose, the IP address of the users is also processed, which is necessary to transmit the contents and functions of the controller's online services to the user's browser or device.

Data categories:

Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties); Log data (e.g. log files concerning logins or data retrieval or access times.

Data subjects:

Users (e.g. website visitors, users of online services.

Purposes/interest:

Provision of our online services and usability; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.)); Security measures.

Data sources:

Collection from users; Collection from data subjects.

Retention and deletion:

Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".

Legal bases:

Legitimate Interests (Article 6 (1) (f) GDPR.

2.1.

Provision of online offer on rented hosting space

Description:

To provide our online services, storage space, computing capacity, and software are used, which are rented or otherwise obtained from a corresponding server provider (also referred to as "web host").

Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.
Data subjects: Users (e.g. website visitors, users of online services.
Purposes of processing: Provision of our online services and usability, Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.

2.2.

Collection of Access Data and Log Files

Description:

Access to the online service provided by the responsible party is logged in the form of so-called "server log files". The server log files can include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful retrieval, type of browser along with version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. The server log files are used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, known as DDoS attacks), and also to ensure the servers' load management and stability.

Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.;
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.
Data subjects: Users (e.g. website visitors, users of online services.
Purposes of processing: Security measures, Provision of our online services and usability, Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.

3. Use of Cookies

___________________Description:

The controller uses cookies in accordance with legal regulations. Accordingly, prior consent is obtained from users unless it is not required by law. Permission is particularly unnecessary when the storage and reading of information – including cookies – are absolutely necessary to provide a telemedia service (i.e., the online offer of the controller) explicitly requested by the users. The revocable consent is clearly communicated to users and contains information on the specific use of cookies.

Regarding the legal basis for data protection: The legal basis for processing personal data of users with the help of cookies by the controller depends on whether consent is obtained. If users give their consent, the processing of their data is based on this declared consent. Otherwise, the processing of data collected through cookies is based on legitimate interests of the controller (e.g., in an economic operation of his online offer and its improvement) or as part of fulfilling contractual obligations of the controller, if the use of cookies is necessary for this purpose.

Retention Period: A distinction is made between the following types of cookies:

Temporary Cookies (also known as session or session cookies): These are deleted at the latest after a user has left an online offer and closed his terminal device (e.g., browser or mobile application).

Permanent Cookies: These remain stored even after closing the terminal device and can be used e.g., to display login status directly upon revisiting a website or to hold preferred content as well as being used for reach measurement. Unless explicit information on the type and storage duration of cookies is provided by the controller (e.g., in obtaining consent), users should assume that these are permanent and may have a storage duration of up to two years.

General notes on revocation and objection (Opt-out): Users can revoke their given consents at any time and also declare an objection against processing their data according to legal provisions.

Within this Records of Processing Activities, files or other storage notes that store information on terminal devices and read it from them are understood as cookies. They can serve e.g., to save login status in a user account or content accessed or functions used in an online offer. In addition, cookies can be used for various purposes such as ensuring functionality, security, comfortability of online offers, as well as creating analyses of visitor flows.

Data categories:

Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.

Data subjects:

Users (e.g. website visitors, users of online services.

Data sources:

Collection from users; Collection from data subjects.

Legal bases:

Legitimate Interests (Article 6 (1) (f) GDPR); Consent (Article 6 (1) (a) GDPR.

3.1.

Processing Cookie Data on the Basis of Consent

Description:

The controller implements a consent management solution, where users' consent for the use of cookies or for the processes and providers mentioned within the scope of the consent management solution is obtained. This process serves to acquire, log, manage, and revoke consents, particularly regarding the use of cookies and similar technologies deployed for storing, reading out, and processing information on users' end devices. Within this process, users' consents for the use of cookies and the associated information processing activities, including those specific processes and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. The declarations of consent are stored to avoid repeated queries and to provide proof of consent in accordance with legal requirements. Storage occurs server-side and/or in a cookie (so-called Opt-In-Cookie) or by using comparable technologies to assign the consent to a specific user or their device. In absence of specific details about providers of consent management services, the following general notes apply: The duration of consent storage is up to two years. During this time, a pseudonymous user identifier is created, which is stored along with the time of consent, details on the extent of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and used end device.

Legal Basis: Consent (Article 6 (1) (a) GDPR.

4. Contact and Inquiry Management

___________________Description:

When initiating contact with the responsible party (e.g., by mail, contact form, email, telephone, or via social media) as well as within the scope of existing user and business relationships, the information provided by the inquiring individuals is processed by the responsible party to the extent necessary for responding to contact requests and any requested actions.

Data categories:

Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.

Data subjects:

Communication partner (Recipients of e-mails, letters, etc.

Purposes/interest:

Communication; Organisational and Administrative Procedures; Feedback (e.g. collecting feedback via online form); Provision of our online services and usability.

Data sources:

Collection from data subjects.

Retention and deletion:

Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".

Legal bases:

Legitimate Interests (Article 6 (1) (f) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR.

4.1.

Contact form

Description:

When initiating contact via the contact form, by email, or through other communication channels, the controller processes the personal data transmitted to them for the purpose of responding to and processing the respective request. This typically includes details such as name, contact information, and possibly additional information provided that is necessary for appropriate processing. These data are used exclusively for the stated purpose of making contact and communication.

Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR.
Processed data types: Contact data (e.g. postal and email addresses or phone numbers), Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.), Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.
Data subjects: Communication partner (Recipients of e-mails, letters, etc.
Purposes of processing: Communication, Organisational and Administrative Procedures.

5. Communication via Messenger

___________________Description:

For communication purposes, messengers are used, and attention is drawn to the following notes on the functionality of the messengers, encryption, use of communication metadata, and options for objection.

Contact can also be made via alternative means, such as telephone or email. The contact options have either been communicated or are specified within the online service.

In cases of end-to-end encryption of contents (i.e., the content of your message and attachments), it is noted that the communication contents (i.e., the content of the message and attached images) are encrypted from end to end. This means that the contents of messages are not visible, not even to the messenger providers themselves. It is recommended to always use an up-to-date version of the messenger with activated encryption to ensure encryption of message contents.

However, it is additionally noted that while messenger providers cannot see the content, they can ascertain that and when communication partners communicate with the responsible party as well as process technical information about the device used by communication partners and depending on their device settings also location information (so-called metadata).

Revocation, objection and deletion: A given consent can be revoked at any time; likewise, an objection to communication via messenger is possible at any time. In case of communication via messenger, messages are deleted according to the general deletion policies of the responsible party (i.e., as described above, after contractual relationships end or in context with archiving requirements etc.) and otherwise as soon as it can be assumed that any inquiries have been responded to; this also applies if no reference back to a previous conversation is expected and provided no legal retention obligations prevent deletion.

Reservation of referral to other means of communication: To ensure security, there is understanding on part of the responsible party that for certain reasons requests via messenger may not be answerable. This concerns situations where contract details need to be treated with particular confidentiality or a response via messenger does not meet formal requirements. In these cases, it is recommended to resort back to more suitable channels of communication.

Data categories:

Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.

Data subjects:

Communication partner (Recipients of e-mails, letters, etc.

Purposes/interest:

Communication.

Data sources:

Collection from data subjects.

Retention and deletion:

Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".

Legal bases:

Consent (Article 6 (1) (a) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR.

5.1.

Facebook-Messenger

Description:

Sending and receiving text messages, making voice and video calls, creating group chats, sharing files and media, transmitting location information, synchronising contacts, encrypting messages.

Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Website: https://www.facebook.com;
Privacy Policy: https://www.facebook.com/privacy/policy/;
Auftragsverarbeitungsvertrag: Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing;
Basis for third country transfers: Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum);
Processed data types: Contact data (e.g. postal and email addresses or phone numbers), Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.
Data subjects: Communication partner (Recipients of e-mails, letters, etc.
Purposes of processing: Communication.

6. Cloud Services

___________________Description:

Software services accessible over the Internet and executed on their providers' servers (known as "Cloud Services", also referred to as "Software as a Service") are used for storing and managing content (e.g., document storage and management, exchanging documents, content, and information with certain recipients or publishing content and information).

Within this context, personal data may be processed and stored on the providers' servers, insofar as they are part of communication processes with the controller or are otherwise processed by the controller, as outlined in the Records of Processing Activities. This data may include, in particular, basic personal data and contact details of users, data related to transactions, contracts, other processes, and their contents. The providers of cloud services further process usage data and metadata for security purposes and service optimization.

If forms or other documents and content are made available for other users or publicly accessible websites through the use of cloud services, the providers may store cookies on the users' devices for web analytics purposes or to save user settings (e.g., in the case of media control).

Data categories:

Data subjects:

Prospective customers; Communication partner (Recipients of e-mails, letters, etc.); Business and contractual partners.

Purposes/interest:

Office and organisational procedures; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.

Data sources:

Collection from data subjects.

Retention and deletion:

Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".

Legal bases:

Legitimate Interests (Article 6 (1) (f) GDPR.

6.1.

Microsoft 365 and Microsoft Cloud Services

Description:

Provision of applications, protection of data and IT systems, as well as the use of system-generated log, diagnostic, and metadata for contract execution by Microsoft. The data processed includes contact details (name, email address), content data (files, comments, profiles), software setup and inventory data, device connectivity and configuration data, work interactions (badge swipe), as well as log and metadata. The processing is carried out for purposes of improving efficiency and productivity, cost efficiency, flexibility, mobility, enhanced communication, integration of Microsoft services, IT security and business operations of Microsoft. Data retention is determined by the respective document and company policies: up to 12 months for Defender (protection of data and IT systems) and 10 days for print management. Additionally, diagnostic data is collected for product stability and improvement.

Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Website: https://microsoft.com;
Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter;
Auftragsverarbeitungsvertrag: Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA;
Basis for third country transfers: Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA);

7. Newsletter and Electronic Communications

___________________Description:

Newsletters, emails, and other electronic notifications (hereinafter referred to as "newsletters") are sent exclusively with the consent of the recipients or on a legal basis. If the contents of the newsletter are specified at the time of subscription, these contents are decisive for the users' consent. Normally, providing an email address is sufficient for subscribing to the newsletter of the responsible party. However, in order to offer a personalized service, it may be necessary to request the name for personal salutation in the newsletter or further information if required for the purpose of the newsletter.

Email addresses that have been unsubscribed can be stored for up to three years on the basis of legitimate interests of the responsible party before being deleted in order to prove a previously given consent. The processing of this data is limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time, provided that at the same time, former consent is confirmed. In case of obligations to permanently observe objections, the responsible party reserves the right to store email addresses solely for this purpose in a blocklist.

The logging of the registration process is based on legitimate interests of responsible parties to prove its proper execution. Email dispatch services are commissioned based on legitimate interests in an efficient and secure dispatch system by responsible parties.

Data categories:

Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.

Data subjects:

Communication partner (Recipients of e-mails, letters, etc.

Purposes/interest:

Direct marketing (e.g. by e-mail or postal.

Legal bases:

Consent (Article 6 (1) (a) GDPR.

Contents:

Information about us, our services, promotions and offers.

7.1.

Measurement of opening rates and click rates

Description:

The controller uses newsletters that contain a so-called "web beacon." This is a pixel-sized file that is retrieved from the controller's server or from a dispatch service provider's server, if one is used, when the newsletter is opened. During this retrieval, technical information such as browser details and system information, as well as the IP address and the time of retrieval are collected. This data serves to technically optimise the newsletter based on technical data or audience analyses based on the locations of access (which can be identified through the IP address) or access times. The analysis also includes determining whether and when the newsletters are opened and which links are clicked. The collected information is assigned to individual recipients and stored in their profiles until deletion. These evaluations help to understand users' reading behaviour and adjust our content accordingly or send different content based on users' interests. The measurement of open and click rates, as well as the storage of these measurement results in user profiles, is based on users' consent.

Legal Basis: Consent (Article 6 (1) (a) GDPR.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features), Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties.
Data subjects: Communication partner (Recipients of e-mails, letters, etc.
Purposes of processing: Direct marketing (e.g. by e-mail or postal.

8. Profiles in Social Networks (Social Media)

___________________Description:

The controller maintains online presences within social networks and processes user data in this context to communicate with active users or to offer information about themselves.

The data controller informs the individuals concerned in the privacy notices that user data may be processed outside the European Union. This could pose risks to users because, for example, it could make it more difficult to enforce their rights.

Furthermore, the data controller typically processes user data within social networks for market research and advertising purposes. Based on user behavior and resulting interests, usage profiles can be created. These profiles may be used to place advertisements inside and outside of the networks that could match the interests of the users. Consequently, cookies are usually stored on the users' computers, which save their usage behavior and interests. In addition, data may be stored in the usage profiles regardless of the devices used by the users (especially if they are members of the respective platforms and logged in there).

For a detailed description of each processing activity and how to opt-out, the data controller refers to the privacy policies and information provided by the operators of the respective networks.

Regarding requests for information and exercising of subject rights, the data controller advises users that these can most effectively be made directly with the providers. Only these entities have access to user data and can take direct action as well as provide information. Should individuals still require assistance, the data controller is available to help.

Data categories:

Data subjects:

Users (e.g. website visitors, users of online services.

Purposes/interest:

Communication; Feedback (e.g. collecting feedback via online form); Public relations.

Data sources:

Collection from data subjects; Data collection through interfaces to services of other providers.

Retention and deletion:

Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".

Legal bases:

Legitimate Interests (Article 6 (1) (f) GDPR.

8.1.

Instagram

Description:

Social network, allows the sharing of photos and videos, commenting on and favouriting posts, messaging, subscribing to profiles and pages.

Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Website: https://www.instagram.com;
Privacy Policy: https://privacycenter.instagram.com/policy/;
Basis for third country transfers: Basis for third-country transfers: Data Privacy Framework (DPF);

8.2.

Facebook Pages

Description:

Profiles within the social network Facebook - The controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to the controller's Facebook page ("Fanpage"). This includes, in particular, information about user behaviour (e.g., viewed or interacted content, actions taken) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). Further details can be found in the Facebook Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide the controller with statistical evaluations via the "Page Insights" service that give insight into how people interact with the page and its content. This is based on an agreement with Facebook ("Information about Page Insights": https://www.facebook.com/legal/terms/page_controller_addendum), which regulates security measures and the exercise of data subjects' rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Data subjects can therefore direct requests for information or deletion directly to Facebook. The rights of data subjects (in particular access, deletion, objection, complaint to a supervisory authority) remain unaffected by this. The joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited alone is responsible for further processing, including any possible transmission to Meta Platforms Inc. in the USA.;

Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR.
Website: https://www.facebook.com;
Privacy Policy: https://www.facebook.com/privacy/policy/;
Basis for third country transfers: Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum);

9. Organisational Measures

___________________Description:

Organisational measures have been taken to ensure an adequate level of data protection and its maintenance.

9.1.

Data protection management system, or data protection concept

Description:

The Processor has implemented an appropriate data protection management system (also referred to as data protection concept) and ensures its implementation.

9.2.

Organizational structure for data security and data protection

Description:

A suitable organizational structure for data security and data protection is in place and information security is integrated into company-wide processes and procedures.

9.3.

Es existieren interne Sicherheitsricht- bzw. Leitlinien

Description:

A suitable organizational structure for data security and data protection is in place and information security is integrated into company-wide processes and procedures.

9.4.

Regular and random system and safety tests

Description:

System and security tests, such as code scans and penetration tests, are carried out regularly and also without cause.

9.5.

Observation of the state of the art and necessary implementation

Description:

The development of the state of the art as well as developments, threats and security measures are continuously monitored and derived in a suitable manner to the own security concept.

9.6.

Concept for safeguarding the rights of data subjects

Description:

An adequate procedure is in place to ensure that the rights of data subjects are respected (in particular as regards access, rectification, erasure or limitation of processing, data transfer, revocations & objections). The procedure includes informing employees of their duties to inform the Customer, setting up implementation procedures and designating people responsible, as well as regular monitoring and evaluation of the measures taken.

9.7.

Emergency protocol

Description:

An adequate procedure is in place to ensure an immediate and legally compliant response to threats and violations of data protection. The procedure includes informing employees of their duties to inform the Customer, setting up implementation procedures and designating people responsible, as well as regular monitoring and evaluation of the measures taken.

9.8.

Documentation for security incidents (security reporting)

Description:

Security incidents are consistently documented, even if they do not lead to an external notification (e.g. to the supervisory authority, affected persons) (so-called "security reporting").

9.9.

Careful selection of service providers/freelancers and, if necessary, obligation to confidentiality

Description:

Service providers who are engaged to perform ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they respect the protection of personal data. If the service providers are given access to the Data processed for the Customer in the course of their activities or if there is any other risk of access to the personal data, they have to be specifically bound to secrecy and confidentiality.

9.10.

Data protection by design

Description:

The protection of personal data shall be taken into account, taking into account the state of the art, implementation costs and the nature, scope, context and purposes of the Processing, as well as the varying likelihood and severity of risks for rights and freedoms of natural persons posed by the Processing, already at the stage of development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by using privacy friendly presets.

9.11.

Current status of hardware and software

Description:

Software and hardware used shall always be kept up to date and software updates shall be carried out without delay within a reasonable period of time in consideration of the degree of risk and any need for review. No software and hardware is used which is no longer updated by their providers or makers with regard to data protection and data security issues (e.g. expired operating systems).

9.12.

Purchase of standard software and updates from trustworthy sources

Description:

Standard software and corresponding updates are only obtained from trusted sources.

9.13.

Appropriate disposal, erasure and deletion concept

Description:

A erasure, deletion and disposal concept corresponding to the data protection requirements of the Processing and the state of the art is in place. The physical destruction of documents and data carriers is carried out in compliance with data protection regulations and in accordance with legal requirements, industry standards and state-of-the-art industry norms (e.g. DIN 66399). Employees have been informed about legal requirements, deletion periods and, where applicable, about specifications for data deletion or equipment destruction by appropriate service providers.

9.14.

Classification notes / segregation of data, when no deletion

Description:

The Processing of the Customer's Data that has not been deleted in accordance with the agreements of this DPA (e.g. as a result of statutory archiving obligations) shall be restricted to the extent necessary by restriction flags and/or segregation.

10. Data Protection at Employee Level

___________________Introduction Data protection at employee level:

Measures have been taken to ensure that employees involved in the processing of personal data have the necessary expertise and reliability required by data protection law.

10.1.

Employee commitment to data protection confidentiality

Description:

Employees are bound to confidentiality and secrecy with regard to data protection.

10.2.

Training and awareness raising of employees

Description:

Employees are made aware of and informed about data protection in accordance with the requirements of their function. The training and awareness raising is repeated at appropriate intervals or as and when required by circumstances.

10.3.

Withdrawal of access and entry authorisations of departing employees

Description:

The keys, access cards or codes issued to employees, as well as authorisations granted with regard to the processing of the Data, shall be collected or revoked after they leave the services of the Processor or after the change of their responsibilities.

10.4.

Clean Desk Policy

Description:

Employees are obliged to leave their working environment tidy and thus in particular to prevent access to documents or data carriers containing personal data (Clean Desk Policy).

11. Physical Access Control

___________________Introduction Physical Access Control:

Physical access control measures have been taken to prevent unauthorised persons from physically approaching the systems, data processing equipment or procedures by which the Data are processed.

11.1.

Identity check at the gatekeeper or reception

Description:

There will be an identity check at the gatekeeper or at reception.

11.2.

Logging Output of keys and/or access cards

Description:

The issue and return of keys and/or access cards is logged.

11.3.

Locking devices and securing the working environment when leaving

Description:

Employees are required to lock or specially secure equipment when they leave their work environment or the equipment.

11.4.

Files and documents are stored safely and securely

Description:

Records (files, documents, etc.) will be stored in a secure manner, e.g. in filing cabinets or other adequately secured containers and adequately protected against physical access by authorised persons.

11.5.

Data carriers are stored securely

Description:

Data carriers are stored securely and adequately protected against access by unauthorised persons.

12. Electronic Access Control

___________________Introduction Electronic Access control:

Electronic access control measures have been put in place to ensure that access (i.e. already the possibility of exploitation, use or observation) by unauthorised persons to systems, data processing equipment or procedures is being prevented.

12.1.

Password concept according to the state of the art

Description:

A password concept specifies that passwords must have a minimum length and complexity in line with the state of the art and security requirements.

12.2.

Password protection of all data processing systems

Description:

All data processing systems are password protected.

12.3.

Passwords are not stored or transmitted in plain text

Description:

Passwords are generally not stored in plain text and are only transmitted hashed or encrypted.

12.4.

Deletion of access information of departing employees

Description:

Access credentials are deleted or deactivated when their users have left the company or organization of the Processor.

12.5.

Use of up-to-date anti-virus software

Description:

Up-to-date anti-virus software is used.

12.6.

Use of software firewall(s)

Description:

Use of software firewall(s).

13. Internal Access Control (permissions for user rights of access to and amendment of data)

___________________Introduction internal Access, input, change and deletion control:

Internal access control measures have been put in place to ensure that persons authorised to use a data processing system can only access the Data covered by their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during the Processing. Furthermore, input control measures have been taken to ensure that it is possible to subsequently check and establish whether and by whom the Data have been input, modified, removed or otherwise processed in data processing systems.

13.1.

Appropriate authorisation concept

Description:

A rights and roles concept (authorisation concept) ensures that access to personal data is only possible for a group of people selected according to necessity and only to the extent necessary.

13.2.

Regular check of the authorisation concept

Description:

The rights and roles concept (authorisation concept) is evaluated regularly, within a reasonable time frequency and when required by an occasion (e.g. violations of access restrictions), and updated as necessary.

13.3.

Control of the administrators

Description:

The activities of the administrators are appropriately monitored and recorded to the extent permitted by law and to the extent technically feasible.

13.4.

General traceability of data access

Description:

It is ensured that it is traceable which employees or agents had access to which Data and when (e.g. by logging software usage or drawing conclusions from access times and the authorization concept).

14. Transmission Control

___________________Introduction Transmission control:

Measures have been taken to control the transmission of the Data to ensure that the Data cannot be read, copied, modified or deleted by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.

14.1.

Remote access / remote maintenance via VPN

Description:

When accessing internal systems from outside (e.g. for remote maintenance), encrypted transmission technologies are used (e.g. VPN).

14.2.

Transit encryption of e-mails

Description:

E-mails are encrypted during transmission. E-mails are encrypted during transit, which means that the emails are protected against being read by someone with access to the networks through which the email is travelling, on its way from the sender to the destination.

14.3.

Encrypted transmission of data via websites (TLS)

Description:

The transmission and processing of the client's personal data via online offers (websites, apps, etc.) is protected by TLS or equivalent secure encryption.

15. Adherence to Instructions, Purpose Limitation and Separation Control

___________________Introduction Adherence to Instructions, Purpose Limitation and Separation control:

Measures have been taken to ensure that Data processed on behalf of the Customer are only processed in accordance with the instructions of the Customer. The measures ensure that the Data collected for different purposes are processed separately and that there is no merging, combining or other combined processing of the Data contrary to the instructions.

15.1.

Separate documentation of the Processing

Description:

The processing operations carried out on behalf of the Customer shall be separately documented to an appropriate extent in a record of processing activities.

15.2.

Careful selection of sub-processors and service providers

Description:

Careful selection of sub-processors and other service providers.

15.3.

Forwarding of instructions to employees and sub-processors

Description:

Employees and agents are informed in a clear and comprehensible manner about the instructions of the Customer and the permitted processing framework and are trained accordingly. Separate information and training is not required if compliance with the instructions can be reasonably expected in any event, e.g. due to other agreements or internal practice.

15.4.

Verification of compliance with instructions

Description:

Compliance with instructions of the Customer and the permissible scope of processing of personal data by employees and contractors of the Processor is reviewed at appropriate intervals.

15.5.

Adherence to the deletion periods

Description:

The deletion terms which apply to the Processing of the Customer's Data shall if necessary be separately documented within the deletion policy of the Processor.

15.6.

Logical separation of the client's data

Description:

The Data of the Customer shall be processed logically separated from data of other processing operations of the Processor and protected against unauthorised access or connection or combination or mixing with other data (e.g. by storage in different databases or by appropriate attributes).

15.7.

Separation of productive, test and development environment

Description:

Production and test data are stored strictly separately from each other in different systems. The productive systems are operated separately and independently of the development and test systems.

16. Ensuring the integrity and availability of data as well as the resilience of processing systems

___________________Description:

Measures have been taken to ensure that personal data are protected against accidental destruction or loss and can be quickly restored in an emergency.

16.1.

Use of fail-safe, redundant server systems and services

Description:

Fail-safe server systems and services are used, which are designed as redundant dual or multiple systems.

16.2.

Storage of Data with external and reliable hosting providers

Description:

The Data is stored with external hosting providers. The hosting providers are carefully selected and comply with the state of the art in terms of protection against damage caused by fire, moisture, power failures, disasters, unauthorized access, data backup and patch management as well as facility security.

16.3.

Regular and documented patch management

Description:

The Processing of Data is carried out on data processing systems which are subject to regular and documented patch management, i.e. in particular regularly updated.

16.4.

Fail-safe power supply of server systems

Description:

The server systems used for processing have an uninterruptible power supply (UPS), which is adequately secured against failures and ensures a controlled shutdown in emergencies without data loss.

16.5.

Fire protection of the server systems

Description:

The server systems used for processing have adequate fire protection (fire and smoke detection systems and appropriate fire extinguishing devices or fire extinguishing equipment).

16.6.

Protection of server systems against moisture damage

Description:

Server systems are used that have protection against moisture damage (e.g. moisture detectors).

16.7.

Protection of data records against accidental modification or deletion

Description:

The Customer's data records are protected by the system against inadvertent modification or deletion (e.g. by access restrictions, security checks and backups).

16.8.

Adequate, reliable and controlled backup & recovery

Description:

Server systems and services are used which have an appropriate, reliable and controlled backup & recovery concept.

III. Annex: Technical and Organisational Measures (TOMs)

Technical and Organisational Measures

___________________Description:

Introduction: Annex TOMs:

An adequate level of protection is ensured for the Processing and the Data processed, which is appropriate to the risks for the interests or fundamental rights and freedoms of data subjects concerned. To this end, especially the protection objectives of confidentiality, integrity and availability of the systems and services and their resilience with respect to the nature, extent, circumstances and purposes of the Processing shall be taken into account in such a way that the risk is mitigated on a lasting basis by appropriate technical and organisational remedial measures.

1. Relevant legal bases

___________________1.1.

Relevant legal bases according to the GDPR

Description:

The processing of personal data is carried out in accordance with the provisions of the General Data Protection Regulation (GDPR). This includes compliance with the principles of legality, processing in good faith, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality as set out in Article 5 GDPR. Primarily, data processing is based on the conditions for the legality of processing defined in Article 6 GDPR or on more specific permission norms. Additionally, where necessary, national data protection regulations of the country of residence or domicile of the individuals concerned are observed. More specific legal bases that apply in certain cases are explicitly listed in these Records of Processing Activities.

1.2.

National data protection regulations in Germany

Description:

In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making, including profiling. Furthermore, data protection laws of the individual federal states may apply.

1.3.

Reference to the applicability of the GDPR and the Swiss DPA

Description:

This Records of Processing Activities serves both to provide information pursuant to the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, it is important to note that due to the broader spatial application and comprehensibility, the terms used by the GDPR are utilized. In particular, instead of the terms "processing" of "personal data", "predominant interest", and "particularly sensitive personal data" used in the Swiss FADP, the terms used by the GDPR, namely "processing" of "personal data", as well as "legitimate interest" and "special categories of data" are applied. However, the legal significance of these terms will continue to be determined according to the Swiss FADP within its scope of application.

2. Preamble

___________________

The Records of Processing Activities includes a collection of general information relevant to all the processing processes described below, as well as specific details on individual processing activities, in which personal data (hereinafter also referred to briefly as "data") is processed. This structure aims to maintain clarity and provide precise information. The general information explains fundamental principles and guidelines applicable to all processing activities, such as adherence to data protection principles, the legal bases of data processing, and handling the rights of the individuals concerned. In the specific part of the records, detailed information on individual processing activities is listed, including the purpose of data processing, the categories of data affected, the recipients of the data, and where applicable, the transfer of data to third countries. This record serves as a central document to ensure transparency and traceability of data processing and is an essential element in fulfilling documentation obligations under the General Data Protection Regulation (GDPR).