The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. Detailed information on the subject of data protection can be found in our data protection declaration listed below this text.
Detailed information on the subject of data protection can be found in our privacy policy listed below this text. The privacy policy is the basis of our actions and part of the business relationship with customers, contractual partners, users and/or third parties and applies to our website, mobile applications and all our external online presences (e.g. our social media profiles) as well as in the context of the provision of our services.
Data collection on this website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator, basebox GmbH (basebox for short). Contact details can be found in the
imprint.
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter in a contact form.
Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter this website.
Data is also collected when you register for our services, such as your e-mail address and your name, as well as any billing and payment data.
What do we use your data for?
Some of the data is collected to ensure that the website is provided without errors. Other data may be used to analyze your user behavior. We process the data that we collect as part of your registration in order to provide our contractual services.
What rights do you have with regard to your data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. You can contact us at any time at the address given in the legal notice if you have any further questions on the subject of data protection. You also have the right to lodge a complaint with the competent supervisory authority.
You also have the right to request the restriction of the processing of your personal data under certain circumstances. For details, please refer to the privacy policy under “Right to restriction of processing”.
When you visit this website, your surfing behavior may be statistically evaluated. This is mainly done using cookies and so-called analysis programs. The analysis of your surfing behavior is usually anonymous; the surfing behavior cannot be traced back to you.
You can object to this analysis or prevent it by not using certain tools. You can find detailed information on these tools and on your options to object in the following privacy policy.
Hosting
External hosting
This website is hosted by an external service provider (hoster). Personal data collected on this website is stored on the hoster’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.
The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfill its performance obligations and follow our instructions with regard to this data.
Conclusion of a contract for data processing order
In order to guarantee data protection-compliant processing, we have concluded an order processing contract with our hoster.
Services used and service providers
Provider: Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn
Website:
https://www.open-telekom-cloud.com
Privacy policy:
https://www.open-telekom-cloud.com/de/datenschutz
Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Website:
https://www.hetzner.com/
Privacy policy:
https://www.hetzner.com/de/legal/privacy-policy
Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
We would like to point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.
Person responsible
The controller responsible for data processing on this website is:
basebox GmbH
Bahnhofplatz 3
D-86919 Utting am Ammersee
Phone: +49 8806 9590600
E-mail:
support@basebox.ai
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).
We have appointed a data protection officer for our company. The company data protection officer of basebox can be contacted at the above address, for the attention of the data protection officer, or by email at
datenschutz@basebox.ai.
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. All you need to do is send us an informal e-mail. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)
IF THE DATA PROCESSING IS BASED ON ART. 6 ABS. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).
IF YOUR PERSONAL DATA ARE PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible. SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction or deletion of this data. You can contact us at any time at the address given in the legal notice if you have further questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. To do so, you can contact us at any time at the address given in the legal notice. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we generally need time to check this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
- If the processing of your personal data was/is carried out unlawfully, you can request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection in accordance with Art. 21 (1) GDPR, your interests and our interests must be weighed up. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Objection to advertising e-mails
We hereby object to the use of contact data published as part of our obligation to provide a legal notice for the purpose of sending unsolicited advertising and information material. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.
Data collection on this website
Cookies
Some of the Internet pages use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.
Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognize your browser on your next visit.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.
Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping cart function) are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Insofar as other cookies (e.g. cookies to analyze your surfing behavior) are stored, these are treated separately in this privacy policy.
Server log files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – the server log files must be recorded for this purpose.
The log files are deleted after 90 days.
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.
We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions – in particular retention periods – remain unaffected.
Request by e-mail or telephone
If you contact us by e-mail or telephone, we will store and process your inquiry, including all personal data (name, inquiry), for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in the effective processing of the inquiries addressed to us.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
Processing of data (customer and contract data)
We collect, process and use personal data only insofar as it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. We collect, process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable or charge the user for the use of the service.
The customer data collected will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.
Transfer and disclosure of personal data
As part of our processing of personal data, the data may be transferred to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data. Data processing in third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or transfer required by contract or law, we only process or have the data processed in third countries with a recognized level of data protection, including US processors certified under the “Data Privacy Framework”, or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Umami Analytics
We use the open source program Umami Analytics on our website, which is hosted on our local server, to track general trends in the use of our website. This is open source software that enables us to analyze the use of our website. Your IP address, the website(s) you visit on our website, the website from which you came to our website (referrer URL), the time you spend on our website and the frequency with which you visit one of our websites are processed. All data is collected anonymously so that no conclusions can be drawn about your person. The data is stored on our local server in Germany and is not passed on.
Umami Analytics only collects aggregated information that does not allow us to identify a visitor to our website. Further information can be found in the Umami Analytics documentation at:
https://umami.is/.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the analysis and optimization of our website.
Semrush
For analysis and optimization, especially for SEO optimization, we use Semrush from the service provider: Semrush Inc, 800 Boylston Street, Suite 2475, Boston, MA 02199, USA. In particular, the following information is processed IP address and device ID.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the analysis and optimization of our website.
Website:
https://de.semrush.com, privacy policy:
https://de.semrush.com/company/legal/privacy-policy/
Google Tag Manager
Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus integrate Google Analytics and other Google marketing services into our online offering, for example). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users’ personal data, please refer to the following information on Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:
https://marketingplatform.google.com; Privacy Policy:
https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing data in the USA):
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable your use of the website to be analyzed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
The following table describes all cookies that are set by gtag.js. Further information on the data collected in Analytics can be found at
https://support.google.com/analytics/answer/6004245.
Cookie Name |
Standard Expiry Time |
Description |
_ga |
2 years |
Used to differentiate between individual users. |
_ga_<container-id> |
2 years |
Used to save the session status. |
IP anonymization
We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
Browser plugin
You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=de.
Objection to data collection
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this website:
Deactivate Google Analytics.
You can find more information on how Google Analytics handles user data in Google’s privacy policy:
https://support.google.com/analytics/answer/6004245?hl=de.
Order processing
We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographic characteristics in Google Analytics
This website uses the “demographic characteristics” function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google and from visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the section “Objection to data collection”.
Storage duration
Data stored by Google at user and event level that is linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. Details can be found at the following link:
https://support.google.com/analytics/answer/7667196?hl=de;
https://support.google.com/analytics/answer/6004245/ and
https://support.google.com/analytics/answer/11397207
Name |
Runtime |
Domain |
Description |
_ga |
2 years |
basebox.ai |
Used to differentiate between individual users. |
_ga_<container-id> |
2 years |
basebox.ai |
Used to save the session status. |
If you have given your consent to the use of cookies for marketing purposes, Google Ads is used on this website. Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). We can evaluate this data quantitatively, for example by analyzing which search terms have led to the display of our advertisements and how many advertisements have led to corresponding clicks. Insofar as data is processed outside the EU/EEA, we have also concluded the applicable
standard contractual clauses of the European Union with Google as part of our order processing agreement in order to establish an adequate level of data protection.
Google Ads is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google may use sub-processors who process data outside the EU/EEA, where the level of data protection may not meet European standards.
The legal basis is your consent in accordance with § 25 Para. I S. 1, 2 TTDSG, Art.6 Para.1 S.1 lit. a) GDPR.
You can withdraw your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
We have not stored any personal data in this context.
Posthog
We use the services of PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114, USA (hereinafter referred to as “PostHog”). Posthog collects certain data to analyze the behavior of users on our website and to provide us with information on how we can improve our website. The data collected by Posthog includes the user’s IP address, date and time of access, browser type and version, the user’s operating system, referrer URL, host name of the accessing computer and event data that we define ourselves (e.g. clicks, visits).
PostHog transfers and stores the data exclusively on servers in the EU, but is a US company. We have therefore concluded standard contractual clauses of the European Commission with Posthog as suitable guarantees, so that an appropriate level of protection is ensured when processing your data. You can access the standard contractual clauses at
https://docs.google.com/document/d/1xfpP1SCFoI1qSKM6rEt9VqRLRUEXiKj9_0Tvv2mP928/edit and at
https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_de.
The processing of the data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time. The data collected by Posthog will be stored for as long as necessary to fulfill the purpose for which it was collected. The data will not be passed on to third parties unless this is required by law or necessary for the performance of a contract.
You have the right to information about the data stored by us, the correction of incorrect data and the deletion of your data, provided that there are no statutory retention requirements. You also have the right to request the restriction of the processing of your data and to object to the processing of your data. If you wish to exercise your rights, please contact us.
Tawk (live support chat system)
We utilize tawk.to, Inc., located at 187 E Warm Springs Rd, SB298, Las Vegas, Nevada 89119, USA (hereinafter referred to as “tawk.to”) to manage user inquiries through our support channels or live chat systems. Messages you send to us may be stored in the tawk.to ticket system or addressed in the live chat by our team. Additionally, with the assistance of tawk.to, we can determine the region from which the inquirer originates, how long they have been communicating with us, and how satisfied they are with the communication process, among other things. The messages sent to us are retained by us until you request us to delete them or the purpose for storing the data no longer applies (e.g., after your query has been resolved). Mandatory legal requirements, such as retention periods, remain unaffected. The use of tawk.to is based on Article 6(1)(f) of the GDPR. We have a legitimate interest in processing your requests as quickly, reliably, and efficiently as possible. In cases where corresponding consent has been requested, the processing is carried out exclusively on the basis of Article 6(1)(a) of the GDPR; consent may be revoked at any time. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. More information can be found here:
https://www.tawk.to/privacy-policy/ and
https://www.tawk.to/data-protection/gdpr/. For further details, please refer to the privacy policy of tawk.to:
https://www.tawk.to/privacy-policy/ and
https://www.tawk.to/data-protection/.
Agreement on commissioned data processing
We have entered into a commissioned data processing agreement with tawk.to. This is a required agreement under data protection law that ensures tawk.to only processes the personal data of our website visitors according to our instructions and in compliance with the GDPR.
Newsletter
Newsletter data
If you subscribe to our company’s newsletter, the data in the respective input mask will be transmitted to the controller. Subscription to our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no-one can register with other people’s email addresses. When registering for the newsletter, the user’s IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned. The data is not passed on to third parties. An exception is made if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. Subscription to the newsletter can be terminated by the data subject at any time. Consent to the storage of personal data can also be revoked at any time. There is a corresponding link for this purpose in every newsletter. The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 lit. a) GDPR if the user has given consent. The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 (3) UWG.
Use of rapidmail
Description and purpose: We use rapidmail to send newsletters. The provider is rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany. Among other things, rapidmail is used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter is stored on rapidmail’s servers in Germany. If you do not wish to be analyzed by rapidmail, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. For the purpose of analysis, the emails sent with rapidmail contain a so-called tracking pixel, which connects to the rapidmail servers when the email is opened. In this way, it can be determined whether a newsletter message has been opened. We can also use rapidmail to determine whether and which links in the newsletter message have been clicked on. Optionally, links in the email can be set as tracking links, with which your clicks can be counted.
Legal basis: The legal basis for data processing is Art. 6 para. 1 lit. a) GDPR.
Recipient: The recipient of the data is rapidmail GmbH.
Transfer to third countries: Data is not transferred to third countries.
Duration: The data stored by us as part of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the servers of rapidmail after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.
Revocation option: You have the option to revoke your consent to data processing at any time with effect for the future. The legality of the data processing operations that have already taken place remains unaffected by the revocation.
We have profiles on social networks. Our social media accounts complement our website and offer you the opportunity to interact with us. As soon as you access our social media profiles in the social networks, the terms and conditions and data processing guidelines of the respective operators apply. The data collected about you when you use the services is processed by the networks and may also be transferred to countries outside the European Union where there is no adequate level of protection for the processing of personal data. In principle, we have no influence on data processing in the social networks, as we, like you, are users of the network. Information on this and on what data is processed by the social networks and for what purposes the data is used can be found in the privacy policy of the respective network listed below. We use the following social networks:
Facebook
Our website is available at:
https://www.facebook.com/profile.php?id=61555336381194
The operator of the network is: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
Privacy policy of the network:
https://www.facebook.com/about/privacy Privacy policy of the network:
https://privacycenter.instagram.com/
LinkedIn
Our website is available at:
https://www.linkedin.com/company/basebox/
The operator of the network is: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Privacy policy of the network: www.linkedin.com/legal/privacy-policy
Reddit
Our website is available at:
https://www.reddit.com/user/baseboxio/
The operator of the network is: Reddit, Inc., 1455 Market Street, Suite 1600, San Francisco, CA 94103, United States
Privacy policy of the network:
https://www.reddit.com/policies/privacy-policy
X
Our website is available at:
https://twitter.com/basebox_io
The operator of the network is: Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2
Privacy policy of the network:
https://twitter.com/de/privacy
Shared responsibility
Purposes:</h3The customer – as defined in the terms of use – hereinafter referred to as the “Client”- and basebox GmbH, Bahnhofplatz 3, 86919 Utting am Ammersee -hereinafter referred to as “basebox” – one of them hereinafter referred to as “the Party”; both together hereinafter referred to as “the Parties” – have concluded the following data processing agreement (DPA) in order to fulfill your obligations under Art. 28 para. 3 GDPR.
Preamble
The parties have agreed on the provision of services in connection with the provision and use of AI models and have concluded a contractual agreement in the form of terms of use (the “Agreement”). In order to provide the services in accordance with the Agreement, it is necessary for basebox to process personal data on behalf of and on the instructions of the Customer. The purpose of this Data Processing Agreement (the “Agreement”) is to define the obligations of the parties in connection with the processing of personal data by basebox as processor on behalf of the Customer as controller.
1. Standard contractual clauses
1.1 The parties agree on the
standard contractual clauses attached in
Annex 1 in accordance with the implementing decision of the European Commission of June 4, 2021 [C(2021) 3701 final].
1.2 Insofar as the transfer of personal data by basebox to the Customer constitutes a transfer of personal data to a third country outside the EU, e.g. because the Customer is based outside the EU, the parties agree to the Standard Contractual Clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679, as agreed by the European Commission in its Implementing Decision (EU) 2021/914 of June 4, 2021 and attached to this Agreement as
Annex 2 (the “International Standard Contractual Clauses”). Annexes I (I.A “SCC International”), II (I.B. “SCC International”), III (II. “SCC International”) and IV (III. “SCC International”) of Annex 1 shall apply accordingly.
1.3 The standard contractual clauses and the international standard contractual clauses are supplemented by the provisions of this data processing agreement.
1.4 Insofar as a provision in this data processing agreement or other terms and conditions between the parties contradicts the provisions in the standard contractual clauses or the international standard contractual clauses, the provisions of the standard contractual clauses or the international standard contractual clauses shall take precedence over the other provisions. Insofar as a provision of the standard contractual clauses from section 1.1 contradicts the international standard contractual clauses from section 1.2, the international standard contractual clauses shall take precedence.
2. Supplementary regulations
2.1 Instructions and obligations of the client
2.1.1 The instructions are initially determined by the Contract and this Agreement (including annexes and appendices) and can be amended, supplemented or replaced by the Customer in writing or in an electronic format (text form, e.g. via e-mail) to basebox by individual instructions (individual instruction). Instructions that are not provided for in the underlying contract shall be treated as a request for a change in performance. Verbal instructions must be confirmed immediately in writing or in text form.
2.1.2 basebox has the right to supplement or amend the technical and organizational measures set out in the Data Processing Agreement and its appendices and annexes at any time, although the level of security may not fall below the level originally agreed.
2.1.3 The Customer must inform basebox immediately and completely if it discovers errors or irregularities in the processing of personal data with regard to data protection regulations.
2.1.4 The person who is registered as Admin for the Customer assumes the role of contact person for basebox for data protection issues arising within the scope of the Contract and the Agreement.
2.2 Transfers of data to a third country
An instruction within the meaning of section 7.8 also includes, in particular, the authorization to appoint a subprocessor.
2.3 Inspections
2.3.1 Should inspections by the client or an inspector commissioned by the client be necessary in individual cases, these will be carried out during normal business hours without disrupting operations after notification and taking into account a reasonable lead time.
2.3.2 Should basebox decide to engage a competent, independent external inspector or auditor, the client agrees to this engagement on the condition that he receives a copy of the report.
2.4 Liability and indemnification
2.4.1 The liability provisions of the contract shall apply unless expressly agreed otherwise.
2.4.2 In the event of a claim against the Customer by a data subject with regard to any claims under Art. 82 GDPR, the Customer shall indemnify basebox insofar as basebox is not responsible for the underlying breach of data protection regulations.
2.5 Miscellaneous
2.5.1 Amendments and supplements to this DPA and all their components including any assurances made by the Contractor – require a written agreement, which may also be made in an electronic format (text form), and an express reference to the fact that it is an amendment or supplement to these terms and conditions. This also applies to the waiver of this formal requirement.
2.5.2 The law chosen in the underlying contract shall apply.
Appendix 1
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope of application
a) These standard contractual clauses (hereinafter referred to as “clauses”) are intended to ensure compliance with: Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC].
b) The controllers and processors listed in Annex I have agreed to these clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
c) These clauses apply to the processing of personal data in accordance with Annex II.
d) Annexes I to IV are an integral part of the clauses.
e) These clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679.
f) These clauses do not in themselves ensure that the obligations relating to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725 are fulfilled.
Clause 2
Unalterability of the clauses
a) The parties undertake not to amend the clauses except to supplement or update the information provided in the annexes.
(b) This shall not prevent the parties from incorporating the standard contractual clauses set out in these clauses into a wider contract and adding further clauses or additional safeguards, provided that these do not directly or indirectly conflict with the clauses or infringe the fundamental rights or freedoms of data subjects.
Clause 3
Interpretation
a) Where terms defined in Regulation (EU) 2016/679 are used in these clauses, those terms shall have the same meaning as in that Regulation.
b) These clauses are in the light of the provisions of Regulation (EU) 2016/679.
c) These clauses shall not be interpreted in a manner contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or in a manner that restricts the fundamental rights or freedoms of data subjects.
Clause 4
Priority
In the event of any conflict between these clauses and the provisions of any related agreements existing or subsequently entered into or concluded between the parties, these clauses shall prevail.
Clause 5 {discontinued)
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 6
Description of the processing
The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.
Clause 7
Obligations of the parties
7.1 Instructions
a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest. The controller may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.
b) The processor shall inform the controller immediately if it believes that instructions issued by the controller violate Regulation (EU) 2016/679 or applicable Union or Member State data protection provisions.
7.2 Earmarking
The processor shall process the personal data only for the specific purposes set out in Annex II, unless it receives further instructions from the controller.
7.3 Duration of the processing of personal data
The data shall only be processed by the processor for the duration specified in Annex II.
7.4 Security of processing
a) The Processor shall implement at least the technical and organizational measures listed in Annex III to ensure the security of the Personal Data. This shall include the protection of data against a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of or access to the data, whether accidental or unlawful (hereinafter “Personal Data Breach”). In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks presented to the data subjects.
b) The Processor shall grant its personnel access to the personal data subject to processing only to the extent strictly necessary for the performance, management and monitoring of the Contract. The Processor shall ensure that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
7.5 Sensitive data
If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or containing genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning an individual’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter “sensitive data”), the Processor shall apply specific restrictions and/or additional safeguards.
7.6 Documentation and compliance with the clauses
a) The parties must be able to prove compliance with these clauses.
b) The Processor shall deal promptly and appropriately with requests from the Controller regarding the processing of data under these Clauses.
c) The processor shall provide the controller with all information necessary to demonstrate compliance with the obligations set out in these Clauses and arising directly from Regulation (EU) 2016/679. At the request of the controller, the processor shall also allow and contribute to an audit of the processing activities covered by these clauses at appropriate intervals or where there are indications of non-compliance. When deciding on an inspection or audit, the controller may take into account relevant certifications of the processor.
d) The controller may carry out the audit itself or commission an independent auditor. The audits may include inspections of the processor’s premises or physical facilities and shall be carried out with reasonable prior notice where appropriate.
e) The parties shall make the information referred to in this clause, including the results of audits, available to the competent supervisory authority upon request.
7.7 Use of sub-processors
a) The Processor has the Controller’s general authorization to engage sub-processors included in an agreed list. The Processor shall expressly inform the Controller in writing at least 3 weeks in advance of any intended changes to this list by adding or replacing sub-processors, thereby giving the Controller sufficient time to object to these changes before engaging the sub processor(s) concerned. The Processor shall provide the Controller with the necessary information to enable the Controller to exercise its right to object.
b) Where the Processor engages a sub-processor to carry out certain processing activities (on behalf of the Controller), such engagement shall be by way of a contract which imposes on the sub-processor substantially the same data protection obligations as those applicable to the Processor under these Clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679.
c) The Processor shall provide the Controller with a copy of any such subcontracting agreement and any subsequent amendments at the Controller’s request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the wording of the agreement before providing a copy.
d) The Processor shall be fully liable to the Controller for ensuring that the Sub-Processor fulfills its obligations under the contract concluded with the Processor. The Processor shall notify the Controller if the Sub-Processor fails to fulfill its contractual obligations.
e) The processor agrees a third-party beneficiary clause with the sub processor, according to which the controller – in the event that the processor factually or legally ceases to exist or is insolvent – has the right to terminate the subcontracting agreement and instruct the sub-processor to delete or return the personal data.
7.8 International data transfers
a) Any transfer of data by the processor to a third country or an international organization shall take place exclusively on the basis of documented instructions from the controller or to comply with a specific provision under Union law or the law of a Member State to which the processor is subject and shall comply with Chapter V of Regulation (EU) 2016/679.
b) The controller agrees that in cases where the processor uses a sub processor pursuant to clause 7.7 for the performance of certain processing activities (on behalf of the controller) and that these processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission pursuant to Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of these standard contractual clauses are met.
Clause 8
Support of the person responsible
a) The processor shall inform the controller without undue delay of any request received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the controller.
b) Taking into account the nature of the processing, the processor shall assist the controller in fulfilling the controller’s obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall follow the instructions of the controller.
c) In addition to the Processor’s obligation to assist the Controller pursuant to Clause 8(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
1) Obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter “data protection impact assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
2) Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;
3) Obligation to ensure that the personal data is accurate and up to date by the processor informing the controller without undue delay if it becomes aware that the personal data it is processing is inaccurate or out of date;
4) Obligations under Article 32 of Regulation (EU) 2016/679].
d) The Parties shall set out in Annex III the appropriate technical and organizational measures to assist the Controller by the Processor in the application of this Clause, as well as the scope and extent of the assistance required.
Clause 9
Notification of personal data breaches
In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the Processor.
9.1 Violation of the protection of data processed by the controller
In the event of a personal data breach in connection with the data processed by the controller, the processor shall assist the controller as follows:
(a) the notification of a personal data breach to the competent supervisory authority without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) when obtaining the following information to be included in the controller’s notification pursuant to Article 33(3) of Regulation (EU) 2016/679, which shall include at least the following information:
1) the nature of the personal data, where possible, indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
2) the likely consequences of the personal data breach;
3) the measures taken or proposed to be taken by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter;
(c) when complying with the obligation pursuant to Article 34 of Regulation (EU) 2016/679] to notify without undue delay the data subject of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2 Violation of the protection of data processed by the processor
In the event of a personal data breach in connection with the data processed by the processor, the processor shall notify the controller without undue delay after becoming aware of the breach. This notification must contain at least the following information:
(a) a description of the nature of the breach (where possible, specifying the categories and approximate number of data subjects concerned and the approximate number of data records concerned);
b) Contact details of a contact point where further information on the personal data breach can be obtained;
(c) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.
The Parties shall specify in Annex III any other information to be provided by the Processor to assist the Controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679].
SECTION III – FINAL PROVISIONS
Clause 10
Breaches of the clauses and termination of the contract
a) Without prejudice to the provisions of Regulation (EU) 2016/679, if the Processor fails to comply with its obligations under these Clauses, the Controller may instruct the Processor to suspend the processing of personal data until it complies with these Clauses or the contract is terminated. The processor shall inform the controller immediately if, for whatever reason, it is unable to comply with these clauses.
b) The controller is entitled to terminate the contract insofar as it concerns the processing of personal data in accordance with these clauses if
1) the controller has suspended the processing of personal data by the processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period and in any event within one month of the suspension;
2) the processor materially or persistently breaches these clauses or fails to comply with its obligations under Regulation (EU) 2016/679;
3) the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority relating to its obligations under these Clauses, Regulation (EU) 2016/679.
c) The Processor shall be entitled to terminate the Contract insofar as it relates to the Processing of Personal Data under these Clauses if the Controller insists on the fulfillment of its instructions after being informed by the Processor that its instructions violate applicable legal requirements under Clause 7.1(b).
d) Upon termination of the contract, the processor shall, at the choice of the controller, erase all personal data processed on behalf of the controller and certify to the controller that this has been done, or return all personal data to the controller and erase existing copies, unless there is an obligation to retain the personal data under Union or Member State law. Until the deletion or return of the data, the processor shall continue to ensure compliance with these clauses.
ANNEX I – LIST OF PARTIES
Controller: [
Identity and contact details of the controller(s) and, where applicable, of the controller’s data protection officer].
The client is responsible:
The customer, as defined in the terms of use
Processor: [
Identity and contact details of the processor and, if applicable, the processor’s data protection officer].
basebox GmbH
Contact details of the data protection officer of the processor:
Bahnhofsplatz 3
86919 Utting am Ammersee
Germany
Phone: +49 8806 9590600
E-Mail: contact@basebox.ai
ANNEX II – DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data are processed
- The customer
- Users invited by the customer
- People whose data is contained in the input prompts that thecustomer or their users have processed by the AI model.
Categories of personal data that are processed
The processing of relevant personal data extends to:
- Names,
- Business addresses,
- E-mail addresses,
- Telephone numbers,
- Bank details,
- Other data contained in the prompts.
Sensitive data processed (if applicable) and restrictions or safeguards applied that take full account of the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for employees who have undergone specific training), recording of access to the data, restrictions on disclosure or additional security measures.
Sensitive data is not processed in connection with the provision of the agreed services.
Type of processing
The processor provides the controller with the agreed services. The type of processing of personal data includes any processing that is necessary to enable the processor to provide these services to the controller. It includes in particular the collection, organization, structuring, storage and provision of personal data, but may also include any other operation such as the adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction of personal data.
Purpose for which the personal data are processed on behalf of the controller
The processor processes personal data to provide its services as agreed with the controller. This includes in particular the provision of basebox for the use of the AI models offered and contract management.
Duration of processing
Processing continues for as long as the processor provides its services to the controller and ends with the termination of the contract.
ANNEX III – TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING MEASURES TO ENSURE THE SECURITY OF DATA
Measures for pseudonymization and encryption of personal data
- Protection of secret keys with strong passwords
- State-of-the-art encryption (asymmetric/symmetric)
- Encryption of systems
- Encryption of storage media
- Encryption of data carriers
- Encryption of communication (e.g. e-mail encryption)
Measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services in connection with the processing
- Documentation of authorizations
- Use of authentication procedures
- Secure WLAN
- Individual log-in and password procedures
- Special protective measures for the server room (Hetzner, Telekom)
- Use of strong passwords (e.g. at least 10 digits)
- Preventing the selection of weak passwords for applications
- Confidentiality obligations of employees
- Administration activities on the servers are only carried out by competently trained persons
- Use of suitable firewalls
- Use of logging and evaluation systems that ensure the traceability and documentation of data management
- Use of two-factor or multi-factor authentication procedures for high-risk processing activities
- Creation of role profiles/definition of functional responsibilities*
- Use of access rights
Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident
- Back-up procedure
- Suitable measures for data backup: Backups are stored in different locations and kept for different lengths of time depending on the application
- Mirroring hard disks
- Substitution rules
Procedures for regularly reviewing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing
- Penetration tests (comprehensive security test of individual computers or networks)
- Regular sensitization of employees (at least annually)
- Regular test to ensure that all relevant data is included in the backup process and that the restore works
- Checking the effectiveness of the technical measures (at least annually)
Measures to identify and authorize users
- Instruction of all employees in the use of authentication procedures and mechanisms
- Regulated process for centralized management of user identities, in particular for creation (e.g. new employee), change (e.g. change of name after marriage) and deletion (e.g. employee leaves)
- Assignment of unique identifiers for each user
- Avoidance of group identifiers
Measures to protect data during transmission
- Provision via encrypted connections: e.g: Use HTTPS according to the state of the art
- SSL certificate from trusted certification authorities
- Data hashing (transformation of personal data into a specific character string)
- Use of cryptographic tools
Measures to protect data during storage
- Protection of secret keys with strong passwords
- State-of-the-art encryption (asymmetric/symmetric)
- Encryption of systems
- Encryption of storage media
- Encryption of data carriers
- Encryption of communication (e.g. e-mail encryption)
Measures to ensure the physical security of places where personal data is processed
- There is a concept for access regulations and physical access control (perimeter protection)
- Clear rules for dealing with visitors (e.g. escort, security zones, visitor passes, logging, employee responsible for visitors) as part of the concept
- Secure locking systems including documented key management
- Fire-retardant cabinets/safes for storing essential components (e.g. backup tapes, important original documents)
Measures to ensure the logging of events
- Logging and blocking of IOCs (Indicators of Compromise)
- Logging at firewall level to detect and analyze unauthorized access between the networks
- Logging of visitors
- Logging the entry, modification and deletion of data
Measures to ensure the system configuration, including the default configuration
- Automatic installation of security updates for the operating system and installed software
- Carrying out regular data recovery tests and logging the results
- Regular evaluation of information on security gaps in the software used
- Regular evaluation of log files without cause to detect unusual entries
Measures for the internal governance and management of IT and IT security
- Role profiles for employees, including the entries in the record of processing activities
- Regular review (once a year) of whether the role assignments comply with the specifications and whether the roles still meet the requirements of the business activity
- No administrator IDs for users who do not perform administrative tasks
- The use of superuser (e.g. root under Linux) is not used as far as possible
- Determination of contact persons and responsible project managers for the specific order
- Conducting data protection training for all employees (including regular refresher training for existing staff)
- Implementation of internal company data protection guidelines
- Consistent involvement of the data protection officer (DPO) in security issues
- Knowledge of the competent data protection supervisory authority and knowledge of the reporting obligation pursuant to Art. 33 and 34 GDPR
- Relevant guidelines (e.g. on e-mail/Internet use, use of encryption technologies) are kept up to date and are easy to find
- Obligation of employees to maintain data secrecy
- Existence of a suitable organizational structure for information security
Measures for certification/quality assurance of processes and products
- Regular sensitization of employees (at least annually)
- Regular tests to ensure that all relevant data is included in the backup process and that the recovery works
- Checking the effectiveness of the technical measures (at least annually)
Measures to ensure data minimization
- Reduction of attributes
- Reduction of processing options in processing steps
- Definition of default settings for data subjects that limit the processing of their data to what is necessary for the processing purpose. Default settings)
- Definition and implementation of an extinguishing concept
Measures to ensure data quality
- Removing or correcting incorrect, duplicate and incomplete data records
- Use of software tools that check data entries to ensure that they comply with certain standards or formats
- Application of standardized formats and conventions across all data sources to ensure consistency
- Training and sensitization of employees regarding the importance of data quality and correct data management
Measures to ensure limited data retention
- Collecting and storing only the data that is absolutely necessary for the intended purpose
- Definition of a clear expiry time for the storage of data, after which the data is automatically deleted or anonymized
- Conducting regular audits to ensure that data is reliably deleted after its retention period has expired.
- Ensure that all data storage measures comply with local data protection laws and regulations.
Measures to ensure accountability
- A processing directory is kept.
- Deletion and storage concepts are maintained.
- Regular review of the effectiveness of technical and organizational measures according to the PDCA cycle (Plan-Do-Check-Act).
- Conducting data protection training for all employees (including regular refresher training for existing staff)
- Implementation of internal company data protection guidelines.
- Consistent involvement of the data protection officer (DPO) in security issues.
- Knowledge of the competent data protection supervisory authority and knowledge of the reporting obligation pursuant to Art. 33 and 34 GDPR.
- Relevant guidelines (e.g. on e-mail/Internet use, use of encryption technologies) are kept up to date and are easy to find.
- Obligation of employees to maintain data confidentiality.
Measures to enable data portability and to ensure erasure
- Deletion and storage concepts are maintained.
- Definition of a clear expiry time for the storage of data, after which the data is automatically deleted or anonymized
- Conducting regular audits to ensure that data is reliably deleted after its retention period has expired.
- No storage of archive data in production databases, but transfer of archive data from production systems to the archive systems
- Archive data must be effectively deleted after the retention period has expired.
- Implementation of data protection training for all employees
TOM of the sub-processors used:
The Processor uses sub-processors to provide its services (see Annex IV). All sub-processors rely on appropriate technical and organizational measures. Further information can be found at:
ANNEX IV – LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
Subcontractor |
Type of Processing |
Hetzner Online GmbH Industriestr. 25
91710 Gunzenhausen |
Hosting and provision of the basebox product, including the customer data processed therein. |
Telekom Deutschland GmbH
Landgrabenweg 151
53227 Bonn |
Hosting of the model and processing of the prompts entered as well as creation and transmission of the responses. |
Appendix 2
MODULE FOUR: Transmission from processors to controllers
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope of application
a) These standard contractual clauses are intended to ensure that the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
1 are complied with when transferring personal data to a third country.
b) The parties:
i) the natural or legal person(s), public authority(ies), agency(ies) or other body(ies) listed in Annex I.A (hereinafter “entity(ies)”) that transfers the personal data (hereinafter “data exporter”), and
ii) the entity or entities in a third country listed in Annex I.A that receive the personal data directly or indirectly through another entity that is also a party to these Clauses (each a “data importer”), have agreed to these standard contractual clauses (hereinafter referred to as “clauses”).
c) These clauses apply to the transfer of personal data in accordance with Annex I.B.
d) The appendix to these clauses and the annexes contained therein form an integral part of these clauses.
Clause 2
Effect and unalterability of the clauses
a) These Clauses shall contain appropriate safeguards, including enforceable data subject rights and effective legal remedies in accordance with Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, in relation to data transfers from controllers to processors and/or from processors to processors, standard contractual clauses in accordance with Article 28(7) of Regulation (EU) 2016/679, unless amended, except for the selection of the module or modules or the addition or update of information in the Annex. This does not prevent the parties from including the standard contractual clauses set out in these clauses in a more comprehensive contract and/or adding further clauses or additional safeguards, provided that they do not directly or indirectly conflict with these clauses or restrict the fundamental rights or freedoms of the data subjects.
b) These clauses are without prejudice to the obligations to which the data exporter is subject under Regulation (EU) 2016/679.
Clause 3
Third party beneficiaries
a. Data subjects may invoke and enforce these clauses as third-party beneficiaries against the data exporter and/or the data importer, with the following exceptions:
i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7
ii) Clause 8 – Module One: Clause 8.5(e) and Clause 8.9(b) Module Two: Clause 8.1(b), Clause 8.9(a), (c), (d) and (e) Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g) Module Four: Clause 8.1(b) and Clause 8.3(b)
iii) Clause 9 – Module two: Clause 9 (a), (c), (d) and (e) Module three: Clause 9 (a), (c), (d) and (e)
iv) Clause 12 – Module one: Clause 12(a) and (d) Modules two and three: Clause 12(a), (d) and (f)
v) Clause 13
vi) Clause 15.1 letters c, d and e
vii) Clause 16 letter e
viii) Clause 18 – Modules one, two and three Clause 18 letters a and b Module four: Clause 18
b) The rights of data subjects under Regulation (EU) 2016/679 remain unaffected by point (a).
Clause 4
Interpretation
a) Where terms defined in Regulation (EU) 2016/679 are used in these clauses, these terms shall have the same meaning as in this Regulation.
b) These clauses must be interpreted in light of the provisions of Regulation (EU) 2016/679.
c) These clauses may not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Priority
In the event of any conflict between these clauses and the terms of any related agreements between the parties existing at the time these clauses are agreed or entered into, these clauses shall prevail.
Clause 6
Description of the data transfer(s)
The details of the data transfer(s), in particular the categories of personal data transferred and the purpose(s) for which they are transferred, are set out in Annex I.B.
Clause 7 – optional
Tying clause
a) An entity that is not a party to these Clauses may accede to these Clauses as either a data exporter or a data importer at any time with the consent of the Parties by completing the Appendix and signing Annex I.A.
b) After completing the Appendix and signing Annex I.A, the acceding entity becomes a party to these Clauses and has the rights and obligations of a data exporter or a data importer according to its designation in Annex I.A.
c) No rights or obligations shall accrue to the acceding entity under these clauses for the period prior to its accession as a party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection guarantees
The data exporter represents that it has satisfied itself, to the extent reasonably practicable, that the data importer is able to comply with its obligations under these clauses by implementing appropriate technical and organizational measures.
8.1 Instructions
a) The data exporter processes the personal data only on the documented instructions of the data importer, who acts as its controller.
b) The data exporter shall inform the data importer without undue delay if it is unable to comply with such instructions, including where such instructions are contrary to Regulation (EU) 2016/679 or other Union or Member State data protection law.
c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in relation to subprocessing or cooperation with the competent supervisory authorities.
d) At the choice of the data importer, the data exporter shall, upon completion of the data processing services, either erase all personal data processed on behalf of the data importer and certify to the data importer that this has been done, or return to the data importer all personal data processed on its behalf and erase existing copies.
8.2 Security of processing
a) The parties shall implement appropriate technical and organizational measures to ensure the security of the personal data, including during transmission, and to protect against any breach of security which, whether accidental or unlawful, results in the destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data (hereinafter “Personal Data Breach”). In assessing the appropriate level of protection, they shall take due account of the state of the art, the cost of implementation, the nature of the personal data
2 , the nature, scope, context and purpose(s) of the processing and the risks to the data subjects posed by the processing, and in particular consider encryption or pseudonymization, including during transmission, where this enables the purposes of the processing to be fulfilled.
b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with point (a). In the event of a personal data breach involving personal data processed by the data exporter pursuant to these Clauses, the data exporter shall notify the data importer of the breach without undue delay after becoming aware of it and assist the data importer in remedying the breach.
c) The data exporter warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
8.3 Documentation and compliance with the clauses
a) The parties must be able to prove compliance with these clauses.
b) The data exporter shall provide the data importer with all information necessary to demonstrate compliance with its obligations under these Clauses and shall facilitate and contribute to audits.
Clause 9 [deleted]
Clause 10
Rights of data subjects
The Parties shall assist each other in responding to requests and inquiries made by data subjects in accordance with the local law applicable to the data importer or, in the case of data processing by the data exporter in the Union, in accordance with Regulation (EU) 2016/679.
Clause 11
Legal remedy
a) The data importer shall inform the data subjects in a transparent and easily accessible manner by means of individual notification or on its website of a contact point authorized to handle complaints. It shall immediately process all complaints it receives from a data subject.
Clause 12
Liability
a) Each party shall be liable to the other party(ies) for any damage caused to the other party(ies) by a breach of these clauses.
b) Each party shall be liable to the data subject and the data subject shall be entitled to compensation for any material or non-material damage caused by the party to the data subject by infringing its rights as a third party beneficiary under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
c) If more than one party is responsible for damage caused to the data subject as a result of a breach of these clauses, all responsible parties shall be jointly and severally liable and the data subject shall be entitled to take legal action against any of the parties.
d) The parties agree that a party that is held liable pursuant to subparagraph c) shall be entitled to recover from the other party/parties that part of the compensation that corresponds to their responsibility for the damage.
e) The data importer cannot rely on the conduct of a processor or sub-processor to avoid its own liability.
Clause 13 [deleted]
SECTION III – LOCAL LEGISLATION AND OBLIGATIONS IN THE CASE OF ACCESS TO DATA BY PUBLIC AUTHORITIES
Clause 14
Local laws and customs that affect compliance with the clauses
a) The parties warrant that they have no reason to believe that the laws and practices applicable to the processing of personal data by the data importer in the third country of destination, including requirements to disclose personal data or measures allowing public authorities access to such data, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of fundamental rights and freedoms and do not go beyond measures that are necessary and proportionate in a democratic society to ensure one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 are not in conflict with these clauses.
b) The parties declare that they have duly considered the following aspects in particular with regard to the assurance in letter a):
i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, intended data onward transfers, the nature of the recipient, the purpose of the processing, the categories and format of the personal data transferred, the economic sector in which the transfer takes place, the location of the transferred data,
ii) the relevant laws and practices of the third country of destination in view of the specific circumstances of the transfer (including those requiring disclosure of data to public authorities or permitting access by public authorities to such data) and the applicable restrictions and safeguards,
3
iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during the transfer and processing of personal data in the country of destination.
c) The data importer represents that it has used its best efforts to provide the data exporter with relevant information in the context of the assessment referred to in point (b) and agrees that it will continue to cooperate with the data exporter to ensure compliance with these Clauses.
d) The parties agree to document the assessment in accordance with letter b and to make it available to the competent supervisory authority on request.
e) The data importer agrees to notify the data exporter without undue delay during the term of the contract if, after agreeing to these clauses, it has reason to believe that it is subject to laws or practices that are inconsistent with the requirements in point (a), including a change in the laws of the third country or an action (e.g. a disclosure request) relating to an application of those laws in practice that is inconsistent with the requirements in point (a). Following a notification under point (e) or if the data exporter otherwise has reason to believe that the data importer can no longer comply with its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be taken by the data exporter and/or the data importer to remedy the situation. The data exporter shall suspend the data transfer if it considers that appropriate safeguards for such a transfer cannot be ensured or if it is instructed to do so by the competent supervisory authority. In this case, the data exporter is entitled to terminate the contract as far as the processing of personal data under these clauses is concerned. If more than two parties are involved in the contract, the data exporter may exercise this right of termination only against the responsible party, unless the parties have agreed otherwise. If the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in the event of access to the data by authorities
15.1 Notification
a) The data importer agrees to notify the data exporter and, where possible, the data subject (where appropriate with the assistance of the data exporter) without undue delay,
i) when it receives a legally binding request from a public authority, including judicial authorities, under the law of the country of destination for disclosure of personal data transmitted pursuant to these clauses (such notification shall include information about the personal data requested, the requesting authority, the legal basis of the request and the response provided), or
ii) if it becomes aware that an authority under the law of the country of destination has direct access to personal data transferred pursuant to these Clauses; such notification shall include all information available to the data importer.
b) Where the law of the country of destination prohibits the data importer from notifying the data exporter and/or the data subject, the data importer agrees to use its best efforts to lift the prohibition so that as much information as possible can be communicated as soon as possible. The data importer undertakes to document its efforts in order to be able to demonstrate them at the request of the data exporter.
c) To the extent permitted by the laws of the country of destination, the data importer agrees to provide the data exporter at regular intervals during the term of the contract with as much relevant information as possible about the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.).
d) The data importer agrees to retain the information referred to in points (a) to (c) for the duration of the contract and to make it available to the competent supervisory authority upon request.
e) Points (a) to (c) are without prejudice to the data importer’s obligation under Clause 14(e) and Clause 16 to inform the data exporter without undue delay if it is unable to comply with these clauses.
15.2 Verification of legality and data minimization
a) The data importer agrees to review the legality of the disclosure request, in particular whether the request is within the scope of the powers conferred on the requesting authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to believe that the request is unlawful under the laws of the country of destination, under applicable obligations under international law and under the principles of international jurisdiction. Subject to the above conditions, the data importer may seek legal remedies. When challenging a request, the data importer shall obtain interim measures to suspend the effect of the request until the competent judicial authority has decided on its merits. It shall only disclose the personal data requested if this is required by the applicable procedural rules. These requirements are without prejudice to the data importer’s obligations under Clause 14(e).
b) The data importer agrees to document its legal assessment and any challenge to the disclosure request and to make these documents available to the data exporter to the extent permitted by the laws of the country of destination. Upon request, it shall also make these documents available to the competent supervisory authority.
c) The data importer agrees to provide the minimum amount of information permitted based on a reasonable interpretation of the request when responding to a disclosure request.
SECTION IV – FINAL PROVISIONS
Clause 16
Breaches of the clauses and termination of the contract
a) The data importer shall inform the data exporter immediately if it is unable to comply with these clauses for any reason whatsoever.
b) If the data importer breaches or is unable to comply with these clauses, the data exporter shall suspend the transfer of personal data to the data importer until the breach is remedied or the contract is terminated. This is without prejudice to Clause 14(f).
c) The data exporter shall be entitled to terminate the contract insofar as it relates to the processing of personal data under these Clauses if i) the data exporter has suspended the transfer of personal data to the data importer pursuant to point (b) and compliance with these clauses has not been restored within a reasonable period of time and in any event within one month of the suspension,
ii) the data importer materially or persistently breaches these clauses, or
iii) the data importer fails to comply with a binding decision of a competent court or competent supervisory authority relating to its obligations under these Clauses.
In such cases, the data exporter shall notify the competent supervisory authority of such breaches. If more than two parties are involved in the contract, the data exporter may only exercise this right of termination against the responsible party, unless the parties have agreed otherwise.
d) Personal data collected by the data exporter established in the EU and transferred before the termination of the contract referred to in point (c) shall be erased immediately and completely, including any copies thereof. The data importer shall certify the erasure to the data exporter. Until the deletion or return of the data, the data importer shall continue to ensure compliance with these Clauses. Where the data importer is subject to local law prohibiting it from returning or deleting the personal data transferred, the data importer warrants that it will continue to ensure compliance with these Clauses and process such data only to the extent and for as long as is necessary under such local law.
e) Either party may withdraw its consent to be bound by these Clauses if (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 relating to the transfer of personal data to which these Clauses apply, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data are transferred. This is without prejudice to other obligations applicable to the processing in question under Regulation (EU) 2016/679.
Clause 17
Applicable law
These clauses shall be governed by the law of a country that allows rights as a third party beneficiary. The parties agree that this is the law of the Federal Republic of Germany.
Clause 18
Jurisdiction and competence
Disputes arising from these clauses shall be settled by the courts of the Federal Republic of Germany.
1: Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, the use of these clauses when engaging another processor (subprocessor) not covered by Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), insofar as these clauses and the data protection obligations laid down in the contract or other legal instrument between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This is particularly the case where the controller and the processor rely on the standard contractual clauses contained in Decision […].
2: This includes whether the transfer and further processing includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation, or data relating to criminal convictions or offenses.
3: Various elements may be included in the overall assessment to determine the impact of such legislation and practice on compliance with these clauses. These elements may include relevant and documented practical experience as to whether there have been previous requests for disclosure from authorities covering a sufficiently representative timeframe or whether there have been no such requests. This includes, in particular, internal records or other evidence that has been compiled with due diligence on an ongoing basis and confirmed by senior management, provided that this information can be lawfully disclosed to third parties. Where it is concluded on the basis of this practical experience that it is not impossible for the data importer to comply with these clauses, this must be supported by other relevant objective elements; it is for the parties to carefully consider whether all these elements are sufficiently reliable and representative to support the conclusion reached. In particular, the parties must consider whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible reliable information on the existence or non-existence of requests within the same industry and/or on the application of the legislation in practice, such as case law and reports of independent supervisory bodies.>
We process personal data as our own controller when you send us inquiries via the social media profiles. We process this data in order to respond to your inquiries. In addition, we are joint controllers with the following networks and jointly responsible for the following processing operations (Art. 26 GDPR). As part of visiting our profile on the LinkedIn network as well as Facebook and Instagram, the network collects aggregated statistics (“Insights data”) created from certain events logged by their servers when you interact with our profiles and related content. We receive these aggregated and anonymous statistics from the network about the use of our profile. We are generally not in a position to assign the data to specific users. To a certain extent, we can define the criteria according to which the network compiles these statistics for us. We use these statistics to make our profiles more interesting and informative for you.
Further information on this data processing at LinkedIn can be found in the Joint Controller Agreement at
https://legal.linkedin.com/pages-joint-controller-addendumlegal.linkedin.com/pages-joint-controller-addendum. Otherwise, the network is solely responsible for the processing of your data.
Further information on this data processing by Facebook and Instagram can be found in the joint controller agreement at:
https://www.facebook.com/legal/terms/information_about_page_insights_data
Legal basis:
The processing is carried out on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR). The interest lies in the respective purpose.
Storage period:
We do not store any personal data ourselves within the scope of joint responsibility. With regard to contact requests outside the network, the above information on contacting us applies accordingly.
YouTube with enhanced data protection
This website integrates videos from YouTube. The operator of the pages is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. For example, YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.
As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube can store various cookies on your end device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts. The cookies remain on your device until you delete them.
After the start of a YouTube video, further data processing operations may be triggered over which we have no influence.
The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
You can find more information about data protection at YouTube in their privacy policy at:
https://policies.google.com/privacy?hl=de.
Own services
Handling applicant data
We offer you the opportunity to apply to us (e.g. by e-mail, post or via the online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.
Scope and purpose of data collection
If you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and – if you have given your consent – Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.
If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG-new and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.
Data retention period
If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.
Data may also be stored for longer if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.