Privacy

In this privacy policy we (ISiCO Datenschutz GmbH, “we”) inform you about the processing of personal data when using our website and the other offers described below. Personal data means any information relating to an identified or identifiable person. In particular, this includes information that enables us to draw conclusions about your identity, such as your name, your telephone number, your address or email address. Certain identifiers, such as your IP address or the device ID of the end device you use, are also personal data.

1. Contact

The point of contact and so-called controller for the processing of your personal data when visiting this website within the meaning of the EU General Data Protection Regulation (GDPR) is
ISiCO Datenschutz GmbH,
Am Hamburger Bahnhof 4,
10557 Berlin.

T: +49 (0)30-213002850
F: +49 (0)30-213002899

info@isico-datenschutz.de
www.isico-datenschutz.de

If you have any questions about data protection in connection with our products and services or the use of our website, you can also contact our data protection officer at any time. The data protection officer can be contacted at the above postal address or by sending an email to the address provided (please mark all correspondence with: “F.A.O. data protection officer”). We expressly point out that when using this e-mail address, the contents are not read exclusively by our data protection officer. If you wish to exchange confidential information, please contact us directly via this e-mail address first.

2. Data processing on our website

2.1. Visiting our website / connection data
Every time you use our website, we collect the connection data automatically transmitted by your browser in order to make visiting the website possible. This connection data includes the so-called HTTP header information, including the user agent, and contains in particular:

  • IP address of the requesting device;
  • method (e.g. GET, POST), date and time of the request;
  • address of the website visited and the path of the requested file;
  • if applicable, the previously accessed or requested website;
  • information about the browser used and the operating system;
  • HTTP protocol version, HTTP status code, size of the delivered file;
  • request information such as language, type of content, encoding of content, character sets.

In addition, we store the security cookie "csrf_https-contao_csrf_token" on your terminal device for the duration of the session in order to prevent cyberattacks in the context of so-called cross-site request forgery (CSRF).

It is strictly necessary to process this connection data and to store the security cookie to make it possible to visit the website and to guarantee the long-term functionality and security of our systems and to maintain our website administratively in general. The connection data is also stored temporarily and limited to the necessary content in internal log files for the purposes described above, for example in order to find the cause of repeated or criminal calls that endanger the stability and security of our website and to take action against them.

The legal basis for this is Art. 6(1)(b) GDPR, if the page view occurs in the course of the initiation or performance of a contract, and otherwise Art. 6(1)(f) GDPR due to our legitimate interest in enabling website access and permanent functionality and security of our systems. In this case, access to and storage of information in the device is strictly necessary and based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (2) No. 2 TDDDG.

For data protection reasons, we do not permanently store or analyse log files.

2.2. Making contact
There are a number of ways for you to contact us. This includes in particular the contact form, a phone call or an e-mail by means of the contact addresses mentioned above. In this context we process data exclusively for the purpose of communicating with you.

The legal basis for this is Art. 6(1)(b) GDPR, insofar as your information is required to answer your inquiry or to initiate or perform a contract, and otherwise Art. 6(1)(f) GDPR due to our legitimate interest that you contact us and that we can answer your inquiry.

The data we collect when you contact us will be automatically erased once we have finished processing your enquiry, unless we still require your enquiry to fulfill contractual or legal obligations (see “Storage period”).

2.3. Newsletter
We use our newsletter primarily to keep you informed about current developments in the world of data protection and news concerning legislation and case law as well as economic and political aspects from our specialist fields. To subscribe to the newsletter, we collect your e-mail address and, in the case of events, also your name and, if applicable, the company name.

For newsletter subscriptions we use the so-called double opt-in procedure, which means that we will only send you newsletters by email if you click on a link in our notification email to confirm that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address you used when registering until you unsubscribe from the newsletter. The sole purpose of storing this data is to be able to send you the newsletter and prove that you registered. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. It is of course also sufficient if you notify us using the contact details provided above or in the newsletter (e.g. by email or letter).

We use so-called pixels (tiny, invisible image files) in our newsletters, which can be used to measure the opening rate, as well as links for which we can measure the click before forwarding to the target page. This data processing takes place exclusively on an aggregated basis for statistical evaluation and for the optimization and further development of our content and customer communication. A usage analysis at the level of individual recipients of the newsletter does not take place. In addition, it is also recorded whether newsletters could be delivered and for which e-mail addresses delivery was not possible. This data is not linked with other data. You can prevent the measurement of the opening rate by deactivating the loading of images in your e-mail client.

As soon as you unsubscribe from the newsletter, your registration data will be deleted. A deletion also takes place promptly if you have not confirmed the subscription to the newsletter.

We use Brevo, a service provided by Sendinblue GmbH, Datenschutzbeauftragter, Köpenicker Straße 126, 10179 Berlin, Germany (“Brevo”), for sending our newsletter. We use Brevo for email marketing in the case of registration for the newsletter on our website and for transactional emails, e.g. when downloading a white paper. We have concluded a data processing agreement with Brevo. Your data is stored by Brevo in Germany or the European Union and transmitted in encrypted form. Where Brevo works with sub-processors whose parent company is not based in the European Union, the adequacy decision for the USA applies to US companies certified under the EU-US Data Privacy Framework and/or Brevo and its sub-processors have entered into standard contractual clauses and have taken additional measures to protect the data. In the context of the operation of Brevo, anonymised data on the use of the newsletter (e.g. clicks, openings) is used for aggregated statistical analysis.

The legal basis for the delivery of the newsletter, the aggregated usage analysis and the determination of deliverability is your consent pursuant to Art. 6(1)(a) GDPR.

2.4. Google Maps
On the contact page we use the map service Google Maps, which is offered to users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”). In order for the Google map information we use to be integrated and displayed in your web browser, when you visit our contact page your web browser must connect to a Google server, which may also be located in the USA. Google thus receives the information that the contact page of our website has been accessed from the IP address of your device.

The legal basis is your consent, which you may have given in the consent banner for data processing in accordance with Art. 6(1)(a) GDPR. Without your consent for external content there will be no connection to the servers of Google. You can withdraw your consent at any time or adjust your selection (see 2.8.). Access to and storage of information in the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TDDDG. In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Google LLC according to the EU-US Data Privacy Framework.

If you retrieve a map service from Google on our website and are simultaneously logged in to your Google profile, Google can link this event to your Google profile. If you do not want this information to be associated with your Google profile, you must log out of Google before visiting our contact page. Google stores your data and uses it for purposes of advertising, market research and the personalised display of Google Maps. You may object to this data collection by Google.

For further information, please refer to Google’s Privacy Policy and the Additional Terms of Service for Google Maps.

2.5. Integration of Vimeo videos
We have embedded videos on our website that are stored on the Vimeo video platform and can be played directly on our website. Vimeo is a multimedia service provided by Vimeo, Inc., 555 West 18th Street, New York 10011, USA (“Vimeo”). In order for videos to be integrated and displayed in your web browser, your web browser must connect to a Vimeo server, which may also be located in the USA, when you access subpages of our website with Vimeo videos.

The legal basis for the embedding is your consent, which you may have given in the consent banner for data processing in accordance with Art. 6(1)(a) GDPR. Without your consent for external content, there will be no connection to the servers of Vimeo. You can withdraw your consent at any time or adjust your selection (see 2.8). Access to and storage of information in the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TDDDG. The data transfer to the USA takes place on the basis of the adequacy decision for the USA due to the certification of Vimeo Inc. in accordance with the EU-US Data Privacy Framework.

When you visit our website, Vimeo receives the information that you have retrieved the corresponding subpage. This may happen regardless of whether you are logged in to Vimeo or not. Vimeo may use this data for purposes of advertising, market research and the demand-oriented design of its websites. If you view videos on our website and are simultaneously logged in to your Vimeo profile, Vimeo can also link this event to your Vimeo profile. If you do not want this information to be associated with your Vimeo profile, you must log out of Vimeo before visiting our website.

For further information, please refer to Vimeo’s Privacy Policy.

2.6. Applications
You can apply to us for advertised vacancies by email or via our career portal. The purpose of data collection here is the selection of applicants for potential employment. In order to process your application, we collect the data provided by you (usually: your first and last name; email address; application such as curriculum vitae and cover letter; earliest possible date you could start work; channel through which you became aware of the job advertisement; phone number, if applicable; salary expectations; profile of Xing or LinkedIn). We would like to point out that we cannot guarantee confidentiality if applications are sent unencrypted by email. Usually, you can also apply for our positions by post.

To provide our career portal at isico-datenschutz.jobs.personio.de and to manage applications, we use the Personio software of Personio GmbH, Rundfunkplatz 4, 80335 Munich. We have concluded a data processing agreement with Personio. Your application data is stored by Personio in encrypted form in Germany or the European Union and transmitted in encrypted form. Where Personio works with sub-processors whose parent company is not based in the European Union, the adequacy decision for the USA applies to US companies certified under the EU-US Data Privacy Framework and/or Personio and its sub-processors have entered into standard contractual clauses and have taken additional measures to protect the data. This includes, in particular, the encryption of the data by means of a self-created master encryption key which remains in the sphere of Personio.

The legal basis for the processing of your application documents is Art. 6(1)(b) and Art. 88(1) GDPR in conjunction with § 26(1) Sentence 1 of the German Federal Data Protection Act (BDSG).

When visiting the career portal, log files (server logs, error logs) are also created (see section 2.1), which Personio processes on its own responsibility. For this, we refer to the explanations of Personio at the end of the privacy policy on the career portal. The legal basis for this is Personio’s legitimate interests in providing the career portal, Art. 6 (1)(f) GDPR. Insofar as information is read or stored on your terminal device when you call up our career portal (e.g. the storage of the language in a cookie), this is strictly necessary in order to provide the career portal and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 (2) TDDDG.

We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data for as long as it is necessary for the employment relationship and to the extent that legal regulations require us to retain it.

If we reject your application, we will store your application data for a maximum of three months after rejecting your application, unless you give us your consent to store it for a longer period. If you have given us your consent separately, we will store the data you submitted as part of your application in our pool of applicants for a further twelve months after the end of the application process in order to identify any other positions that may be of interest to you and, if necessary, to approach you again. After this period, the data will be deleted. You can withdraw this consent for the future at any time by sending us an e-mail to karriere@isico-datenschutz.de.

2.7. Embedding fonts and icons
We embed fonts and style files from Adobe Typekit of Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland, as well as icons and style files from Font Awesome of Fonticons Inc, 307 S Main St Ste 202 Bentonville, AR, 72712-9214 USA, to display our website content. The embedding takes place externally in order to comply with the licence terms and to enable the billing of the costs associated with the use of the fonts and icons. Only the usual connection data is automatically transmitted and no information is stored or read on your terminal device.

The legal basis is Art. 6 (1)(f) GDPR due to our legitimate interest in optimally embedding our website content and displaying it in the desired manner.

In the event that personal data is transferred from Adobe Systems Software Ireland Limited to Adobe Inc. in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Adobe Inc. according to the EU-US Data Privacy Framework.

2.8. Use of cookies and similar technologies for usage analysis and marketing
In order to improve the presentation of the content on our website, we use cookies and similar technologies (e.g. local storage, fingerprints, pixel, web beacons) for statistical recording and analysis of general usage behavior based on access data. In addition, we use services from external service providers who process the access data generated when using our website in order to enable the display of interest-based advertising, for example in the context of search queries.

We only use optional cookies and similar technologies for marketing and analysis purposes if you have given your consent for data processing in accordance with Art. 6 (1)(a) GDPR. Access to and storage of information in the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TDDDG.

2.8.1. Usercentrics
Our website uses the Usercentrics service of Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany to record and manage your consent and any withdrawals. If you make a decision in the consent banner, information is stored on your device and transferred to Usercentrics, which records your consent or rejection. The following cookies or elements in local or session storage are stored on your device:

  • uc_user_interaction: Storage of the interaction with Usercentrics;
  • uc_ui_version: Storage of the version of Usercentrics;
  • uc_settings: Storage of information on the consent decision and history;
  • uc_user_country: Storage of the country, region or city;
  • uc_gcm: Storage of the consent decision in relation to the various categories of Google for the use of analysis and advertising services.

The data processing is carried out on the basis of Art. 6(1)(f) GDPR to record your consent. Access to and storage of information in the device is strictly necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 (2) TDDDG. If you delete your cookies or elements of the web storage or the storage period has expired, we will ask you for your consent again when you visit the site later.

You can withdraw your consent at any time or adjust the selection of tools by clicking on the following link: Data Privacy Settings

2.8.2. Google Tag-Manager
Our website uses Google Tag Manager, a service provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The Tag Manager is used to manage the tools and external services we use on our website and allows the use of so-called tags. A tag is a code element that is stored in the source code of the website, for example to control which page or service elements and tools are activated and loaded in which order. The tool triggers other tags, which in turn may collect data and which are further explained in this privacy notice. Some of the data is processed on a Google server in the USA.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Tag Manager. In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Google LLC according to the EU-US Data Privacy Framework.

You can find more information about this in Google’s information about Tag Manager.

2.8.3. Google Analytics 4
Our website uses the web analytics service Google Analytics 4, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We integrate Google Analytics 4 via the Google Tag Manager. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.

Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is done to analyze your usage behavior and improve our website. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. We will use the information to evaluate the use of our website and to compile reports on website activities.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions to the extent that not enough data is available to optimize the evaluation and reports. Information on this can be found in the associated Google documentation. The data evaluations are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find more about this in the associated Google documentation.

The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked with data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).

Processed data: The following data can be processed by Google Analytics 4:

  • IP address;
  • User ID and device ID;
  • referrer URL (previous visited page);
  • Pages viewed (date, time, URL, title, duration of visit);
  • downloaded files;
  • clicked links to other websites;
  • Achievement of specific goals (Conversions);
  • Technical information (operating system; browser type, version and language; device type, brand, model and resolution);
  • approximate location (country, region and city, if applicable, based on anonymized IP address).

Privacy settings: We have made the following privacy settings for Google Analytics 4:

  • Anonymization of the IP address;
  • deactivated advertising function;
  • deactivated personalized advertising;
  • deactivated remarketing;
  • retention period of 2 months (and no reset of retention period with new activity);
  • deactivated cross-device and cross-page tracking (Google Signals);
  • deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).

Used cookies: Google Analytics 4 sets the following cookies for the specified purpose with the respective storage period:

  • “_ga” (2 years), “_gid” (24 hours): recognizing and distinguishing website visitors by a user ID;
  • “_ga_82G0VM644S” (2 years): Keeping the information of the current session.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Google LLC according to the EU-US Data Privacy Framework.

You can find more information about Google Analytics 4 in Google’s privacy statement and in the Google Analytics privacy policy. Further information on the cookies used by Google Analytics 4 can also be found in Google's documentation.

2.8.4. Google Ads Conversion Tracking
Our website uses “Google Ads Conversion Tracking”, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We integrate Google Ads Conversion Tracking via the Google Tag Manager. If you have not consented to the use of the marketing tools, your data will not be collected as part of Google Ads Conversion Tracking.

The service is used to record and analyse customer actions defined by us (such as clicking on a button, accessing a page, downloading a file, submitting a form). We also record events (such as length of stay on the page, scrolling, interaction with the page and forms). This helps us to evaluate the success of campaigns and advertisements and to optimise the design of our website. We also use and analyse parameters in the URL (such as the source of the visitor (e.g. a domain), type of campaign, visit channel (e.g. email, search engine)) in order to better measure the campaigns and assign them to users.

The service uses cookies, JavaScript, pixels and other technologies for this purpose. Google also processes the data to improve the quality and accuracy of conversions. The data collected in this context may be transferred by Google to a server in the USA for analysis and stored there.

In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Google LLC according to the EU-US Data Privacy Framework.

Further information can be found in Google's privacy policy: https://policies.google.com/privacy.

2.8.5. Server-Side-Tracking
Our website uses the services of TAGGRS B.V., 8442 EZ Heerenveen, Coehoorn van Scheltingaweg 1P, Netherlands (“Taggrs”) for server-side tracking. The Taggrs services are used to collect usage, browser and device data, including the IP address and the User Agent, and to further process it on the server side. The purpose of the processing is to evaluate the usage data to create statistics as well as to measure and optimise conversions. This serves to adapt and improve our website and our content. Taggrs uses servers of the service provider TransIP B.V., Vondellaan 47, 2332 AA Leiden, Netherlands within the European Economic Area.

3. Online presences in social networks

We maintain various online presences in social networks in order to communicate with interested parties and to inform them about our products and services:

  • Facebook Fanpage of Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland (“Facebook”)
  • Instagram Fanpage of Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland (“Instagram”)
  • LinkedIn company page of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”)
  • Xing company profile of XING SE, Dammtorstraße 30, 20354 Hamburg, Germany (“Xing”)
  • X profile of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland (“Twitter”)

As part of the operation of our online presences in social networks, it is possible that we may access information such as statistics on the use of our online presences provided by the operator of the social network. These statistics are aggregated and may include, in particular, demographic information (e.g., age, gender, region, country), employment-related information (e.g., job, function, industry, work experience, company size), and data on interaction with our online presence (e.g., likes, shares, subscriptions, viewing of images and videos) and the posts and content distributed via it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presences and to optimize them for our audience. The collection and use of these statistics is subject to joint controllership with the operator of the social network.

For more information on joint controllership, the nature and scope of these statistics, and how to contact the social network, please see:

The legal basis for this data processing is Art. 6(1)(b) GDPR, in order to stay in contact with our customers and to inform them as well as for the implementation of pre-contractual measures with interested parties, and Art. 6(1)(f) GDPR based on our legitimate interest in effective information and communication with users.

We have no control over the data that the social network processes under its own controllership in accordance with the terms of use. However, we would like to point out that when you visit the online presence, data about your usage behaviour is transferred to the operator of the social network. The operator of the social network itself may process the aforementioned information in order to compile more detailed statistics and for its own market research and advertising purposes over which we have no control. For this purpose, cookies and other identifiers are stored on the computers of the data subjects. Based on these usage profiles, advertisements are then displayed within the social network, for example, but also on third-party websites. You can find more detailed information on this in the privacy policies of the social networks:

If we receive your personal data while operating the online presence of the social network, you are entitled to the rights stated in this data protection statement. If you also wish to assert your rights against the operator of the social network, the easiest way to do this is to contact them directly. The operator knows the details of the technical operation of the platform and the associated data processing as well as the concrete purposes of data processing and can implement appropriate measures on request if you make use of your rights. We are happy to support you in asserting your rights to the extent possible and forward your requests to the operator of the social network.

4. Online meetings via “Teams”

We use “Teams” to conduct online meetings, teleconferences and/or webinars (collectively, “Meetings”). Teams is software from Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”), which is available as a desktop, web and mobile app. It is used by us, in particular, to run the digital office hours and breakfast workshops.

The legal basis for the processing of data to conduct meetings via Teams is our legitimate interest in the effective and simple conduct of online meetings, discussion rounds and presentations pursuant to Art. 6(1)(f) GDPR. Insofar as the meetings are conducted in the context of existing contractual relationships with you, the legal basis is Art. 6(1)(b) GDPR. We are not responsible for any further data processing on the Teams product website, where the desktop software can be downloaded and the web app can be used.

During a meeting, the following data may be processed under certain circumstances:

  • Participant details: Display name, if applicable, first name, last name, phone, email address, password (encrypted for authentication), profile picture;
  • Metadata: Meeting topic and description, IP address, participant’s phone number, type of device/software (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of participant’s last activity on Teams, number of chat and channel messages, number of meetings attended, duration of time for audio, video, and screen sharing;
  • For chat, or channel message usage: text data for display and logging if necessary;
  • For audio usage: recording data of the microphone;
  • For video use: recording data of the video camera;
  • For recordings: Audio, video and screen sharing for storage in the cloud / Microsoft Stream;
  • For telephone use: incoming and outgoing phone numbers, country name, start and end time, possibly other connection data such as the IP address of the device.

Before a meeting, you must register via our website or by e-mail. Your registration data will be processed by us. Before the meeting you will receive a confirmation email with an invitation link or a calendar date.

To participate in a meeting, you must at least provide information on your name and – in the case of telephone use – your telephone number, unless we enable anonymous participation in meetings. In the latter case, we will inform you of this possibility of anonymous participation in the course of the invitation. You can deactivate the transmission via microphone and camera at any time via the corresponding settings. Only with your consent and prior notification do we record meetings or log text data. Microsoft stores and uses the metadata to enable us to analyze and report on the use of Teams.

Microsoft may obtain knowledge of the above data in the course of processing it. All data traffic is encrypted (MTLS, TLS or SRTP) and data processing generally takes place on servers in the European Economic Area (EEA). Where possible, we also enable end-to-end encryption. In the event that data is nevertheless processed in the USA in exceptional cases, the adequacy decision for the USA applies due to the certification of the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA according to the EU-US Data Privacy Framework.

For more information, see Microsoft’s privacy policy.

5. Disclosure of data

In principle, we will only pass on the data we collect if:

  • you have given your explicit consent pursuant to Art. 6(1)(a) GDPR;
  • disclosure is necessary pursuant to Art. 6(1)(f) GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed;
  • we are legally obliged to do so under Art. 6(1)(c) GDPR; or
  • this is permitted by law and is required under Art. 6(1)(b) GDPR for the processing of contractual relationships with you or for taking steps at your request prior to entering into a contract.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may in particular include data centres that store our website and databases, IT service providers that maintain our systems, and consulting firms. If we pass data on to our service providers, they may use the data exclusively for the fulfillment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are carefully monitored by us.

In addition, data may be disclosed in connection with official requests, court orders and legal proceedings if this is necessary to pursue or enforce rights.

6. Data transfer to third countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (such as the USA), i.e. countries whose data protection level does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions of Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the fulfilment of the contract.

If a transfer to a third country is intended and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence agencies) may be able to gain access to the transferred data in order to record and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. You will also be informed of this if consent is obtained for the data transfer via the consent banner.

7. Storage period

In principle, we only store personal data for as long as necessary to fulfill the purposes for which we have collected the data. We then delete the data without delay, unless we still require the data until the end of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.

For evidence purposes, we must keep contract data for another three years after the end of the year in which the business relationship with you ends. Under the standard statutory limitation period, any claims become statute-barred at this point in time at the earliest.

Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the Fiscal Code, the Banking Act and the Money Laundering Act. The periods specified there for retaining documents range from two to ten years.

8. Your rights

You have the right to information about how we process your personal data at any time. When providing this information, we will explain the data processing to you and provide you with an overview of the data stored about you. If data stored by us is incorrect or no longer up to date, you have the right to have this data corrected. You may also demand that your data be erased. Should the erasure not be possible in exceptional cases due to other legal regulations, the data will be blocked so that it is only available for that legal purpose. You are also entitled to have the processing of your data restricted, e.g. if you believe that the data we have stored is incorrect. You also have the right to data portability, which means that on request we will send you a digital copy of the personal data you have provided.

In order to assert your rights described here, you can contact us at any time using the contact details provided. This also applies if you wish to receive copies of safeguards in order to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.

Your requests for the enforcement of data subject rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for a longer period if there are grounds for the enforcement, exercise or defense of legal claims. The legal basis is Art. 6(1)(f) GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5(2) GDPR.

Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right for example by contacting a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. In Berlin, where ISiCO Datenschutz GmbH is headquartered, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.

9. Right of withdrawal and objection

You have the right to withdraw the consent you gave us at any time. As a result of this, we will cease the data processing based on this consent with future effect. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If your objection is to data processing for direct marketing purposes, you have a general right of objection, which we will implement without requiring you to give reasons.

If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.

10. Changes to this privacy policy

We will update this privacy policy from time to time, for example if we adapt our website or there is a change in the legal or regulatory requirements.

Last amended: June 2024