In this privacy policy we (ISiCO Datenschutz GmbH, “we”) inform you about the processing of personal data when using our website and the other offers described below.

Personal data means any information relating to an identified or identifiable person. In particular, this includes information that enables us to draw conclusions about your identity, such as your name, your telephone number, your address or email address. Certain identifiers, such as your IP address or the device ID of the end device you use, are also personal data.

  1. Contact
  2. Data processing on our website
  3. Online presences in social networks
  4. Online meetings via “Teams”
  5. Disclosure of data
  6. Data transfer to third countries
  7. Storage period
  8. Your rights
  9. Right of withdrawal and objection
  10. Changes to this privacy policy

1. Contact

The point of contact and so-called controller for the processing of your personal data when visiting this website within the meaning of the EU General Data Protection Regulation (GDPR) is
ISiCO Datenschutz GmbH,
Am Hamburger Bahnhof 4,
10557 Berlin.

T: +49 (0)30-213002850
F: +49 (0)30-213002899

info@isico-datenschutz.de
www.isico-datenschutz.de

If you have any questions about data protection in connection with our products and services or the use of our website, you can also contact our data protection officer at any time. The data protection officer can be contacted at the above postal address or by sending an email to the address provided (please mark all correspondence with: “F.A.O. data protection officer”). We expressly point out that when using this e-mail address, the contents are not read exclusively by our data protection officer. If you wish to exchange confidential information, please first contact us directly via this e-mail address.

2. Data processing on our website

2.1. Visiting our website / connection data
Every time you use our website, we collect the connection data automatically transmitted by your browser in order to make visiting the website possible. This connection data includes the so-called HTTP header information, including the user agent, and contains in particular:

  • IP address of the requesting device;
  • method (e.g. GET, POST), date and time of the request;
  • address of the website visited and the path of the requested file;
  • if applicable, the previously accessed or requested website;
  • information about the browser used and the operating system;
  • HTTP protocol version, HTTP status code, size of the delivered file;
  • request information such as language, type of content, encoding of content, character sets.

It is strictly necessary to process this connection data to make it possible to visit the website and to guarantee the long-term functionality and security of our systems and to maintain our website administratively in general. The connection data is also stored temporarily and limited to the necessary content in internal log files for the purposes described above, for example in order to find the cause of repeated or criminal calls that endanger the stability and security of our website and to take action against them.

The legal basis for this is Art. 6(1)(b) GDPR, if the page view occurs in the course of the initiation or performance of a contract, and otherwise Art. 6(1)(f) GDPR due to our legitimate interest in enabling website access and permanent functionality and security of our systems.

For data protection reasons, we do not permanently store or analyse log files.

2.2. Making contact
There are a number of ways for you to contact us. This includes in particular the contact form, a phone call or an e-mail by means of the contact addresses mentioned above. In this context we process data exclusively for the purpose of communicating with you.

The legal basis for this is Art. 6(1)(b) GDPR, insofar as your information is required to answer your inquiry or to initiate or perform a contract, and otherwise Art. 6(1)(f) GDPR due to our legitimate interest that you contact us and that we can answer your inquiry.

The data we collect when you contact us will be automatically erased once we have finished processing your enquiry, unless we still require your enquiry to fulfill contractual or legal obligations (see “Storage period”).

2.3. Newsletter
We use our newsletter primarily to keep you informed about current developments in the world of data protection and news concerning legislation and case law as well as economic and political aspects from our specialist fields. To subscribe to the newsletter, we collect your e-mail address and, in the case of events, also your name and, if applicable, the company name.

For newsletter subscriptions we use the so-called double opt-in procedure, which means that we will only send you newsletters by email if you click on a link in our notification email to confirm that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address you used when registering until you unsubscribe from the newsletter. The sole purpose of storing this data is to be able to send you the newsletter and prove that you registered. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. It is of course also sufficient if you notify us using the contact details provided above or in the newsletter (e.g. by email or letter).

We use so-called pixels (tiny, invisible image files) in our newsletters, which can be used to measure the opening rate, as well as links for which we can measure the click before forwarding to the target page. This data processing takes place exclusively on an aggregated basis for statistical evaluation and for the optimization and further development of our content and customer communication. A usage analysis at the level of individual recipients of the newsletter does not take place. In addition, it is also recorded whether newsletters could be delivered and for which e-mail addresses delivery was not possible. The data is not linked with other data. You can prevent the measurement of the opening rate by deactivating the loading of images in your e-mail client.

As soon as you unsubscribe from the newsletter, your registration data will be deleted. A deletion also takes place promptly if you have not confirmed the subscription to the newsletter.

We use CleverReach, a service provided by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany (“CleverReach”), for sending our newsletter. We have concluded a data processing agreement with CleverReach. Your data is stored by CleverReach in encrypted form in Germany or the European Union and transmitted in encrypted form. Where CleverReach works with sub-processors whose parent company is not based in the European Union, CleverReach and its sub-processors have entered into standard contractual clauses and have taken additional measures to protect the data.

The legal basis for the delivery of the newsletter, the aggregated usage analysis and the determination of deliverability is your consent pursuant to Art. 6(1)(a) GDPR.

2.4. Google Maps
On the contact page we use the map service Google Maps, which is offered to users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”). In order for the Google map information we use to be integrated and displayed in your web browser, when you visit our contact page your web browser must connect to a Google server, which may also be located in the USA. Google thus receives the information that the contact page of our website has been accessed from the IP address of your device.

The legal basis is your consent, which you may have given in the consent banner for data processing in accordance with Art. 6(1)(a) GDPR and for data transfer in accordance with Art. 49(1)(a) GDPR. Please refer to point 5, Data transfer to third countries, for the risks involved in the data transfer. Without your consent there will be no connection to the servers of Google. You can withdraw your consent at any time or adjust your selection (see 2.7.). Access to and storage of information in the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TTDSG.

If you retrieve a map service from Google on our website and are simultaneously logged in to your Google profile, Google can link this event to your Google profile. If you do not want this information to be associated with your Google profile, you must log out of Google before visiting our contact page. Google stores your data and uses it for purposes of advertising, market research and the personalised display of Google Maps. You may object to this data collection by Google.

For further information, please refer to Google’s Privacy Policy and the Additional Terms of Service for Google Maps.

2.5. Integration of Vimeo videos
We have embedded videos on our website that are stored on the Vimeo video platform and can be played directly on our website. Vimeo is a multimedia service provided by Vimeo, Inc., 555 West 18th Street, New York 10011, USA (“Vimeo”). In order for videos to be integrated and displayed in your web browser, your web browser must connect to a Vimeo server, which may also be located in the USA, when you access subpages of our website with Vimeo videos.

The legal basis for the embedding is your consent, which you may have given in the consent banner for data processing in accordance with Art. 6(1)(a) GDPR and for data transfer in accordance with Art. 49(1)(a) GDPR. Please refer to point 5, Data transfer to third countries, for the risks involved in the data transfer. Without your consent, there will be no connection to the servers of Vimeo. You can withdraw your consent at any time or adjust your selection (see 2.7). Access to and storage of information in the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TTDSG.

When you visit our website, Vimeo receives the information that you have retrieved the corresponding subpage. This may happen regardless of whether you are logged in to Vimeo or not. Vimeo may use this data for purposes of advertising, market research and the demand-oriented design of its websites. If you view videos on our website and are simultaneously logged in to your Vimeo profile, Vimeo can also link this event to your Vimeo profile. If you do not want this information to be associated with your Vimeo profile, you must log out of Vimeo before visiting our website.

For further information, please refer to Vimeo’s Privacy Policy.

2.6. Applications
You can apply to us for advertised vacancies by email or via our career portal. The purpose of data collection here is the selection of applicants for potential employment. In order to process your application, we collect the data provided by you (usually: your first and last name; email address; application such as curriculum vitae and cover letter; earliest possible date you could start work; channel through which you became aware of the job advertisement; phone number, if applicable; salary expectations; profile of Xing or LinkedIn). We would like to point out that we cannot guarantee confidentiality if applications are sent unencrypted by email. Usually, you can also apply for our positions by post.

To provide our career portal at isico-datenschutz.jobs.personio.de and to manage applications, we use the Personio software of Personio GmbH, Rundfunkplatz 4, 80335 Munich. We have concluded a data processing agreement with Personio. Your application data is stored by Personio in encrypted form in Germany or the European Union and transmitted in encrypted form. Where Personio works with sub-processors whose parent company is not based in the European Union, Personio and its sub-processors have entered into standard contractual clauses and have taken additional measures to protect the data. This includes, in particular, the encryption of the data by means of a self-created master encryption key which remains in the sphere of Personio.

The legal basis for the processing of your application documents is Art. 6(1)(b) and Art. 88(1) GDPR in conjunction with § 26(1) Sentence 1 of the German Federal Data Protection Act (BDSG).

When visiting the career portal, log files (server logs, error logs) are also created (see section 2.1), which Personio processes on its own responsibility. For this, we refer to the explanations of Personio at the end of the privacy policy on the career portal. The legal basis for this is Personio’s legitimate interests in providing the career portal, Art. 6 (1)(f) GDPR. Insofar as information is read or stored on your terminal device when you call up our career portal (e.g. the storage of the language in a cookie), this is strictly necessary in order to provide the career portal and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 (2) TTDSG.

We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data for as long as it is necessary for the employment relationship and to the extent that legal regulations require us to retain it.

If we reject your application, we will store your application data for a maximum of three months after rejecting your application, unless you give us your consent to store it for a longer period. If you have given us your consent separately, we will store the data you submitted as part of your application in our pool of applicants for a further twelve months after the end of the application process in order to identify any other positions that may be of interest to you and, if necessary, to approach you again. After this period, the data will be deleted. You can withdraw this consent for the future at any time by sending us an e-mail to karriere@isico-datenschutz.de.

2.7. Use of cookies and similar technologies for usage analysis and marketing
In order to improve the presentation of the content on our website, we use cookies and similar technologies (e.g. local storage, fingerprints, pixel, web beacons) for statistical recording and analysis of general usage behavior based on access data. In addition, we use services from external service providers who process the access data generated when using our website in order to enable the display of interest-based advertising, for example in the context of search queries.

We only use optional cookies and similar technologies for marketing and analysis purposes if you have given your consent for data processing in accordance with Art. 6(1)(a) GDPR and for data transfer in accordance with Art. 49(1)(a) GDPR via our consent banner. Please refer to point 5, Data transfer to third countries, for the risks involved in the data transfer to third countries. Access to and storage of information in the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TTDSG.

Our website uses the WordPress plugin “Borlabs Cookie” to record and manage your consent and any withdrawals. If you make a decision in the consent banner, a cookie is set (“borlabs-cookie”) which records your consent or rejection. We set this technically required cookie on the basis of Art. 6(1)(f) GDPR to record your consent. Access to and storage of information in the device is strictly necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 (2) TTDSG. If you delete your cookies, we will ask you for your consent again when you visit the site later.

You can withdraw your consent at any time or adjust the selection of tools by clicking on the following link: Data Privacy Settings

2.7.1. Google Tag-Manager
Our website uses Google Tag Manager, a service provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The Tag Manager is used to manage the tools and external services we use on our website and allows the use of so-called tags. A tag is a code element that is stored in the source code of the website, for example to control which page or service elements and tools are activated and loaded in which order. The tool triggers other tags, which in turn may collect data and which are further explained in this privacy policy. Some of the data is processed on a Google server in the USA.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Tag Manager. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.

You can find more information about this in Google’s information about Tag Manager.

2.7.2. Google Analytics 4
Our website uses the web analytics service Google Analytics 4, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We integrate Google Analytics 4 via the Google Tag Manager. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.

Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is done to analyze your usage behavior and improve our website. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. We will use the information to evaluate the use of our website and to compile reports on website activities.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions to the extent that not enough data is available to optimize the evaluation and reports. Information on this can be found in the associated Google documentation. The data evaluations are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find more about this in the associated Google documentation.

The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked with data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).

Processed data: The following data can be processed by Google Analytics 4:

  • IP address;
  • User ID and device ID;
  • referrer URL (previous visited page);
  • Pages viewed (date, time, URL, title, duration of visit);
  • downloaded files;
  • clicked links to other websites;
  • Achievement of specific goals (Conversions);
  • Technical information (operating system; browser type, version and language; device type, brand, model and resolution);
  • approximate location (country, region and city, if applicable, based on anonymized IP address).

Privacy settings: We have made the following privacy settings for Google Analytics 4:

  • Anonymization of the IP address;
  • deactivated advertising function;
  • deactivated personalized advertising;
  • deactivated remarketing;
  • retention period of 2 months (and no reset of retention period with new activity);
  • deactivated cross-device and cross-page tracking (Google Signals);
  • deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).

Used cookies: Google Analytics 4 sets the following cookies for the specified purpose with the respective storage period:

  • “_ga” (2 years), “_gid” (24 hours): recognizing and distinguishing website visitors by a user ID;
  • “_ga_[GA4-ID]” (2 years): Keeping the information of the current session;
  • “_gac_gb_[GA4-ID]” (90 days): Storage of campaign-related information and, if applicable, linking with Google Ads conversion tracking.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.

You can find more information about Google Analytics 4 in Google’s privacy statement and in the Google Analytics privacy policy.

2.7.3. Google Universal Analytics
Temporarily, in parallel operation with Google Analytics 4, our website uses the web analytics service Google Universal Analytics, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We integrate Google Universal Analytics via the Google Tag Manager. The aim of the parallel operation with Google Analytics 4 is to understand the different processing of the collected usage information between Google Universal Analytics and Google Analytics 4. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Universal Analytics.

Google Universal Analytics uses cookies and similar technologies to analyse and improve our website based on your user behaviour. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. Google will use the information obtained on our behalf to evaluate the use of our website, compile reports on website activities and to provide us with further services associated with website and Internet use.

The data collected as part of the usage analysis of Google Universal Analytics is enriched with data from the Google Search Console and linked with data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).

Processed data: The following data can be processed by Google Universal Analytics:

  • IP address;
  • referrer URL (previous visited page);
  • Pages viewed (date, time, URL, title, duration of visit);
  • downloaded files;
  • clicked links to other websites;
  • Achievement of specific goals (Conversions);
  • Technical information (operating system; browser type, version and language; device type, brand, model and resolution);
  • approximate location (country, region and city, if applicable, based on anonymized IP address).

Privacy settings: We have made the following privacy settings for Google Universal Analytics:

  • Anonymization of the IP address;
  • deactivated advertising function;
  • deactivated personalized advertising;
  • deactivated remarketing;
  • retention period of 14 months (and no reset of retention period with new activity);
  • deactivated cross-device and cross-page tracking (Google Signals);
  • deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).

Used cookies: Google Universal Analytics sets the following cookies for the specified purpose with the respective storage period:

  • “_ga” (2 years), “_gid” (24 hours): recognizing and distinguishing website visitors by a user ID;
  • “_gat” (1 minute): reduce queries to the Google servers.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Universal Analytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.

You can find more information about Google Universal Analytics in Google’s privacy statement and in the Google Analytics privacy policy.

3. Online presences in social networks

We maintain various online presences in social networks in order to communicate with interested parties and to inform them about our products and services:

  • Facebook Fanpage of Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”)
  • Instagram Fanpage of Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Instagram”)
  • LinkedIn company page of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”)
  • Xing company profile of XING SE, Dammtorstraße 30, 20354 Hamburg, Germany (“Xing”)
  • Twitter profile of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland (“Twitter”)

As part of the operation of our online presences in social networks, it is possible that we may access information such as statistics on the use of our online presences provided by the operator of the social network. These statistics are aggregated and may include, in particular, demographic information (e.g., age, gender, region, country), employment-related information (e.g., job, function, industry, work experience, company size), and data on interaction with our online presence (e.g., likes, shares, subscriptions, viewing of images and videos) and the posts and content distributed via it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presences and to optimize them for our audience. The collection and use of these statistics is subject to joint controllership with the operator of the social network.

For more information on joint controllership, the nature and scope of these statistics, and how to contact the social network, please see:

The legal basis for this data processing is Art. 6(1)(b) GDPR, in order to stay in contact with our customers and to inform them as well as for the implementation of pre-contractual measures with interested parties, and Art. 6(1)(f) GDPR based on our legitimate interest in effective information and communication with users.

We have no control over the data that the social network processes under its own controllership in accordance with the terms of use. However, we would like to point out that when you visit the online presence, data about your usage behaviour is transferred to the operator of the social network. The operator of the social network itself may process the aforementioned information in order to compile more detailed statistics and for its own market research and advertising purposes over which we have no control. For this purpose, cookies and other identifiers are stored on the computers of the data subjects. Based on these usage profiles, advertisements are then displayed within the social network, for example, but also on third-party websites. You can find more detailed information on this in the privacy policies of the social networks:

If we receive your personal data while operating the online presence of the social network, you are entitled to the rights stated in this data protection statement. If you also wish to assert your rights against the operator of the social network, the easiest way to do this is to contact them directly. The operator knows the details of the technical operation of the platform and the associated data processing as well as the concrete purposes of data processing and can implement appropriate measures on request if you make use of your rights. We are happy to support you in asserting your rights to the extent possible and forward your requests to the operator of the social network.

4. Online meetings via “Teams”

We use “Teams” to conduct online meetings, teleconferences and/or webinars (collectively, “Meetings”). Teams is software from Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”), which is available as a desktop, web and mobile app. It is used by us, in particular, to run the digital office hours and breakfast workshops.

The legal basis for the processing of data to conduct meetings via Teams is our legitimate interest in the effective and simple conduct of online meetings, discussion rounds and presentations pursuant to Art. 6(1)(f) GDPR. Insofar as the meetings are conducted in the context of existing contractual relationships with you, the legal basis is Art. 6(1)(b) GDPR. We are not responsible for any further data processing on the Teams product website, where the desktop software can be downloaded and the web app can be used.

During a meeting, the following data may be processed under certain circumstances:

  • Participant details: Display name, if applicable, first name, last name, phone, email address, password (encrypted for authentication), profile picture;
  • Metadata: Meeting topic and description, IP address, participant’s phone number, type of device/software (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of participant’s last activity on Teams, number of chat and channel messages, number of meetings attended, duration of time for audio, video, and screen sharing;
  • For chat, or channel message usage: text data for display and logging if necessary;
  • For audio usage: recording data of the microphone;
  • For video use: recording data of the video camera;
  • For recordings: Audio, video and screen sharing for storage in the cloud / Microsoft Stream;
  • For telephone use: incoming and outgoing phone numbers, country name, start and end time, possibly other connection data such as the IP address of the device.

Before a meeting, you must register via our website or by e-mail. Your registration data will be processed by us. Before the meeting you will receive a confirmation email with an invitation link or a calendar date.

To participate in a meeting, you must at least provide information on your name and – in the case of telephone use – your telephone number, unless we enable anonymous participation in meetings. In the latter case, we will inform you of this possibility of anonymous participation in the course of the invitation. You can deactivate the transmission via microphone and camera at any time via the corresponding settings. Only with your consent and prior notification do we record meetings or log text data. Microsoft stores and uses the metadata to enable us to analyze and report on the use of Teams.

Microsoft may receive knowledge of the above data as part of the data processing in order to process it. All data traffic is encrypted (MTLS, TLS or SRTP) and encrypted data storage generally takes place on servers in the European Economic Area (EEA). Where possible, we also enable end-to-end encryption. In the event that data is nevertheless processed in the USA, Microsoft Ireland Operations Limited and Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, have concluded the EU standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR, and have taken additional measures. For more information, please refer to Section 6, Data transfer to third countries.

For more information, see Microsoft’s privacy policy.

5. Disclosure of data

In principle, we will only pass on the data we collect if:

  • you have given your explicit consent pursuant to Art. 6(1)(a) GDPR;
  • disclosure is necessary pursuant to Art. 6(1)(f) GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed;
  • we are legally obliged to do so under Art. 6(1)(c) GDPR; or
  • this is permitted by law and is required under Art. 6(1)(b) GDPR for the processing of contractual relationships with you or for taking steps at your request prior to entering into a contract.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may in particular include data centres that store our website and databases, IT service providers that maintain our systems, and consulting firms. If we pass data on to our service providers, they may use the data exclusively for the fulfillment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are carefully monitored by us.

In addition, data may be disclosed in connection with official requests, court orders and legal proceedings if this is necessary to pursue or enforce rights.

6. Data transfer to third countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (such as the USA), i.e. countries whose data protection level does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions of Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the fulfilment of the contract.

If a transfer to a third country is intended and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence agencies) may be able to gain access to the transferred data in order to record and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. You will also be informed of this when you give your consent via the consent banner.

7. Storage period

In principle, we only store personal data for as long as necessary to fulfill the purposes for which we have collected the data. We then delete the data without delay, unless we still require the data until the end of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.

For evidence purposes, we must keep contract data for another three years after the end of the year in which the business relationship with you ends. Under the standard statutory limitation period, any claims become statute-barred at this point in time at the earliest.

Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the Fiscal Code, the Banking Act and the Money Laundering Act. The periods specified there for retaining documents range from two to ten years.

8. Your rights

You have the right to information about how we process your personal data at any time. When providing this information, we will explain the data processing to you and provide you with an overview of the data stored about you. If data stored by us is incorrect or no longer up to date, you have the right to have this data corrected. You may also demand that your data be erased. Should the erasure not be possible in exceptional cases due to other legal regulations, the data will be blocked so that it is only available for that legal purpose. You are also entitled to have the processing of your data restricted, e.g. if you believe that the data we have stored is incorrect. You also have the right to data portability, which means that on request we will send you a digital copy of the personal data you have provided.

In order to assert your rights described here, you can contact us at any time using the contact details provided. This also applies if you wish to receive copies of safeguards in order to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.

Your requests for the enforcement of data subject rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for a longer period if there are grounds for the enforcement, exercise or defense of legal claims. The legal basis is Art. 6(1)(f) GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5(2) GDPR.

Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right for example by contacting a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. In Berlin, where ISiCO Datenschutz GmbH is headquartered, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.

9. Right of withdrawal and objection

You have the right to withdraw the consent you gave us at any time. As a result of this, we will cease the data processing based on this consent with future effect. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If your objection is to data processing for direct marketing purposes, you have a general right of objection, which we will implement without requiring you to give reasons.

If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.

10. Changes to this privacy policy

We will update this privacy policy from time to time, for example if we adapt our website or there is a change in the legal or regulatory requirements.

Last amended: November 2022