Data Privacy Statement
Certified data privacy with INSITE
INSITE-Interventions GmbH has been distinguished with the “Data Privacy Certificate” since 2013. Each year, the renowned certification body DQS GmbH inspects all company processes for aspects of data privacy and security. This helps us ensure that our company guards and protects personal data as much as possible. INSITE fulfils not only the criteria of the Federal Data Protection Act and General Data Protection Regulation, but continually installs new protective measures to offer state-of-the-art data privacy.
What does a “Data Privacy Certificate” mean?
To award a “Data Privacy Certificate”, a DQS auditor monitors compliance with all statutory requirements of the Federal Data Protection Act and the General Data Protection Regulation, as well as aspects of information technology, privacy rights, commissioned data processing, and IT security. To this end, the specialists of DQS data privacy audits perform thorough internal and external security analyses. During those analyses, our employees, corporate processes and systems are intensively checked for whether the confidentiality and integrity of the processed data satisfy the high security requirements, the stipulations of data privacy documents are effectively implemented, and personal data are effectively protected according to the current German Federal Data Protection Act and the European General Data Protection Regulation (for example, by technically securing all systems against unauthorised use).
The validity of the DQS certificate lasts three years and is reviewed in an annual monitoring audit. The review checks for whether the protection and safety of the data continues to be ensured and how processes can be continually optimised. After three years, a complete recertification will be pending, with which the continual improvement processes can be continued regarding data protection and data security. This cycle requires building trust and guarantees that the security precautions are always current.
What does data privacy mean when it comes to consultation?
As a general principle, employees and their families can use all consultation services anonymously by giving a nickname, with no need to provide their name or personal data such as their email address or telephone number. If people decide to trust us with their data, they can be assured that we will protect those data and handle them with the greatest care, exclusively to perform consultation services.
Do you have questions about our approach to data privacy? Then please call us (+49 69 90 555 29 - 0) or send your question to firstname.lastname@example.org and speak with our Data Protection Officer, Deborah Schütt.
1. General information regarding
Name and address of the controller
For the purposes of the General Data Protection Regulation, other national data protection laws of the member states, and other data protection provisions, the controller is:
Managing Director: Dr Hansjörg Becker, Dr Matthias Conradt
60487 Frankfurt am Main
Phone: +49 69 90555 290
We are serious about protecting your personal data. We treat your personal data confidentially, according to statutory data protection provisions and this data privacy statement.
As a rule, you can use our websites without providing personal data. Any personal data collected on our sites (such as your name, address or email addresses) is provided voluntarily as much as possible. These personal data will not be forwarded to third parties without your express consent.
Please note that data transmission over the internet (such as during communication by email) can contain security flaws. Data cannot be absolutely protected from third-party access.
The following regulations will inform you to that extent about the type, scope and purpose of the collection, use and processing of personal data by the provider.
2. Basic information about data processing
We collect, process and use the personal data of our users only in compliance with relevant data protection provisions. Therefore, that data will be used only if we are permitted to do so by law or with your consent.
We take state-of-the-art organisational, contractual and technical security measures to ensure that the provisions of data privacy laws will be complied with and to protect the data we manage against accidental or intentional manipulation, loss or destruction, and against unauthorised access.
The purpose of the collection, processing and use of personal data
The users’ personal data will be used to offer our websites and associated services. We will forward the data to third parties to fulfil our contractual obligations toward users, if this is permitted by law or we have your consent.
When contact with us is established, the information provided will be stored to handle the request and in case of follow-up questions. The personal data will be erased if they are no longer needed and such erasure does not oppose any statutory retention requirements.
3. Collecting access data
We collect data on every server access on which this service is located (server log files). Access data include the name of the accessed website, files, date and time of access, the quantity of transmitted data, a message about the successful access, browser type and version, the user’s operating system, referrer URL (the previously visited site), the IP address and the requesting provider.
We use the log data only for statistical evaluation to operate, secure and optimise our services, in accordance with statutory provisions. We do not allocate that data to the user personally or otherwise create any profiles. However, we reserve the right to check the server log files at a later time if there are specific indications of illicit use.
The internet sites use what are known as “cookies”. Cookies do not damage your computer and contain no viruses. Cookies are small text files that are placed on your computer and stored by your browser. The cookies we use are “session cookies”. They are deleted automatically after your session is over. Other cookies remain on your end device until you delete them. You can set your browser to inform you about the placement of cookies and decide to accept them on a case-by-case basis, exclude their acceptance for individual cases or in general, and erase the cookies automatically when you close your browser.
5. Server log files
The provider of the sites collects and saves information automatically in server log files, which your browser transmits to us automatically. This information includes:
- Browser type and browser version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of server request
These data cannot be allocated to a certain person. These data will not be combined with other data sources.
6. Contact data
Our website gives you the option of contacting us via email, a contact form, or both. In this case, the data provided by users will be stored to process the user contact. The data are not forwarded to third parties. And the data collected in this way will not be compared with data collected with other components of our site. The contact can be erased at any time (see “rights of the data subject”). The legal basis for collecting and processing the data is Art. 6 (1) GDPR.
7. Newsletter data: Subscribing to our Newsletter
Our website gives you the option of subscribing to our company newsletter. We use that newsletter to periodically inform our customers and interested parties about our company offers. We use Maileon to send our newsletters. The provider is XQueue GmbH, Christian-Pleß-Straße 11–13, 63069 Offenbach am Main, Germany. Maileon is a service which helps to organise and analyse the sending of our newsletter. The data you provide to receive the newsletter (such as your email address) will be stored on XQueue servers in Germany. INSITE and XQueue GmbH have concluded an agreement for inspection and commissioned data processing.
To send the newsletter, we need you to give us a valid email address, as well as information that allows us to check whether you are the holder of the indicated email address and agree to receive the newsletter. We will collect no further data to that end unless you provide them voluntarily. When a data subject first enters an email address to have the newsletter sent, a confirmation email will be sent to that address using a “double opt-in procedure” for legal reasons. We will use these data only to send the newsletter and will not forward them to third parties. The legal basis for collecting and processing the data is Art. 6 (1) GDPR.
When someone registers for the newsletter, we also store the IP address (provided by the Internet Service Provider (ISP)) of the computer system used by the data subject at the time of registration, as well as the date and time of the registration. These data must be collected to subsequently track any misuse of a data subject’s email address, so their collection benefits our security.
You can withdraw your consent to have your data or email address stored or used to send the newsletter at any time, by using the “Deregister” link included in every newsletter. You can also email your request to be deregistered to email@example.com at any time. Withdrawing your consent will not affect the legality of data processing operations that have already transpired.
We will store the data you provide to us so you can receive the newsletter until you deregister from the newsletter. After the newsletter is cancelled, those data will be erased.
The newsletters contain what are known as “tracking pixels”. A tracking pixel is a miniature graphic embedded in emails sent in HTML format, to allow log files to be recorded and analysed. This allows the success or failure of online marketing campaigns to be statistically evaluated. We can use the embedded tracking pixel to recognise whether and when the person concerned opens an email and the links it contains.
We store and evaluate the personal data collected by the tracking pixels contained in the newsletter based on our legitimate interest in optimising the sending of the newsletter and adapting the contents of future newsletters to the data subject’s interests. The legal basis is Art. 6 (1) GDPR. These personal data will not be forwarded to third parties. Data subjects may at any time withdraw their separate declaration of consent, which they provided in this regard via the double opt-in procedure. After such withdrawal, those personal data will be erased by the controller. Deregistering from receiving the newsletter will be deemed an automatic withdrawal.
8. Use of Google AdWords
Our website also uses the Google advertising tool “Google AdWords”. As part of this, on our website we also use the “conversion tracking” analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (“Google”). A cookie will be placed on your computer if you have arrived at our website through a Google ad. Cookies are small text files that your browser places and stores on your computer. These “conversion cookies” will become ineffective after thirty days, and unable to identify you personally. If you visit certain pages of this site and the cookie has not yet expired, we and Google can recognise that you as the user have clicked on one of our ads placed with Google and have been forwarded to that page.
The information gained by using the “conversion cookies” helps Google to create visitor statistics for our website. These statistics show us the total number of users who have clicked on our ad, and which pages of our website were subsequently accessed by the respective users. However, neither we nor other parties advertising through “Google AdWords” receive any information that can personally identify a user.
You can prevent “conversion cookies” from being installed by changing your browser settings appropriately, possibly to deactivate the automatic placement of cookies in general or block cookies only from the domain “googleadservices.com”.
You can obtain Google’s data privacy statement in this regard under the following link: https://policies.google.com/privacy?hl=en.
9. Google Analytics with anonymisation function
Our website uses Google Analytics with an IP anonymisation function. In this case, Google will truncate (and therefore, anonymise) your IP address within member states of the European Union, or in other Contracting Parties to the EEA Agreement. Google will use this information to evaluate your use of our site, create reports for us about website activities, and render additional services related to website use and internet use. Google might also transmit the information to third parties if this is prescribed by law or if third parties process these data on Google’s behalf.
You may prevent the storing of cookies by appropriately adjusting your browser software; however, we would like to point out that, in that case, you may not be able to use all of the features of this website to their full extent.
Moreover, Google offers a deactivation option for commonly used browsers, which gives you more control over which data Google will record and process. If you activate this option, no information about your website visit will be transmitted to Google Analytics. However, the activation will not prevent information from being transmitted to us or to other web analysis services we might use. The following link will provide additional information about the deactivation option Google offers and how to activate it: https://tools.google.com/dlpage/gaoptout?hl=en.
10. Data privacy during applications and application procedures
We collect and process applicants’ personal data to handle the application procedure. That processing can be done electronically or in writing. In particular, if the application is sent electronically (such as through email), special data protection laws apply.
Please note once more that data transmission over the internet (such as via email) can contain security flaws. Data cannot be absolutely protected from third-party access.
If the controller concludes an employment contract with an applicant, the transmitted data will be stored to process the employment relationship under observance of statutory provisions. If no such contract is formed, the application documents will be deleted automatically two months after the notification of the rejection decision is sent, unless such deletion would oppose other legitimate interests of the controller. One example of another legitimate interest in this sense is a burden of proof in proceedings under the General Equal Treatment Act (AGG).
The legal basis for collecting and processing the data is Art. 6 (1) GDPR.
11. Rights of the data subject
If your personal data are processed, you are the data subject as defined by the GDPR and are entitled to the following rights toward the controller:
a. Right of access
You can demand that the controller confirm whether we are processing personal data concerning you. If this is the case, you can demand access to the following information from the controller:
(1) the purposes for which the personal data are being processed;
(2) the categories of personal data being processed;
(3) the recipient or categories of recipients to whom the personal data concerning you were or will be disclosed;
(4) the planned duration of the storage of the personal data concerning you, or if no specific information is available to this end, the criteria for determining the storage period;
(5) the existence of a right to have the personal data concerning you rectified or erased, a right to restrict its processing through the controller, or a right to object to that processing;
(6) the existence of a right to complain to a supervisory authority: https://datenschutz.hessen.de/
(7) all available information on the origin of the data, if the personal data was not collected from the data subject;
(8) the existence of automated decision-making, including profiling under Art. 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the implications and sought-after effects such processing would have for the data subject.
You have the right to demand information about whether the personal data concerning you are transmitted to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.
b. Right to rectification
If the processed personal data that concerns you is incorrect or incomplete, you have the right against the controller to have it corrected, deleted, or both. The controller must undertake such correction without undue delay.
c. Right to restriction of processing
You can demand that the processing of the personal data concerning you be restricted, under the following conditions:
(1) if you dispute the correctness of the personal data concerning you, for a duration which enables the controller to check its correctness;
(2) the processing is incorrect and you waive your right to have it deleted, instead demanding that its use be restricted;
(3) the controller of the personal data no longer needs it for the purposes of its processing, but you need it to assert, exercise or defend against legal claims, or
(4) if you have filed an objection against the processing under Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.
If the processing of the personal data concerning you has been restricted, these data – regardless of their storage – may be processed only (1) with your consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
If the processing has been restricted according to the aforementioned conditions, the controller will inform you before that restriction is lifted.
d. Right to erasure
Obligation to erase
You may demand from the controller that the personal data concerning you be erased without undue delay, and the controller will be obligated to do so provided one of the following grounds applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed;
(2) You withdraw your consent on which the processing is based under Art. 6 (1) a or Art. 9 (2) a GDPR, and there is no other legal basis for the processing;
(3) You object to the processing under Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21 (2) GDPR.
(4) The personal data concerning you was illegally processed.
(5) The personal data concerning you must be deleted to fulfil a legal obligation under EU or member state law to which the controller is subject.
(6) The personal data concerning you was collected in regard to information society services offered pursuant to Art. 8 (1) GDPR.
Information to third parties
If the controller has publicised the personal data and is obligated under Art. 17 (1) GDPR to erase that data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure does not exist if the processing is necessary:
(1) to exercise the right to information and freedom of expression;
(2) to fulfil a legal obligation which requires the processing under EU or member state law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
(3) for reasons of the public interest in the area of public health under Art. 9 (2) h and i as well as Art. 9 (3) GDPR;
(4) for purposes of archiving, academia or historical research which lie in the public interest, or for statistical purposes under Art. 89 (1) GDPR, insofar as the right mentioned in section a) is expected to prevent or seriously impair the realisation of the objectives of this processing, or
(5) to assert, exercise or defend against legal claims.
e. Right to information
If you have asserted your right to rectification, erasure or restriction of the processing toward the controller, that controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or would entail a disproportionate effort.
You have the right to be informed by the controller about those recipients.
f. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as
(1) the processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and
(2) the processing occurs with the help of automated procedures.
In exercising this right, you may also effect that the personal data concerning you are transmitted directly from one controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others.
The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.
g. Right to object
You have the right to object at any time, for reasons arising from your particular situation, if personal data concerning you are processed based on Art. 6 (1) e or f GDPR. This also applies to profiling based on these provisions.
The controller will cease processing the personal data concerning you unless the controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise or defend against legal claims.
If the personal data concerning you are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).
h. Right to withdraw the declaration of consent granted under data protection laws
You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.
i. Automatic decision-making in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision
(1) is necessary to conclude or fulfil a contract between you and the controller,
(2) is permitted under EU or member state law to which the controller is subject and which stipulates reasonable measures for guarding your rights, freedoms and legitimate interests, or
(3) is made with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR unless Art. 9 (2) a or g GDPR applies and reasonable measures have been taken to protect your rights, freedoms and legitimate interests.
Regarding the cases mentioned in (1) and (3), the controller shall take reasonable measures to guard your rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your own point of view, and to contest the decision.
j. Right to complain to a supervisory authority
If you believe that the processing of the personal data concerning you breaches the GDPR, you have the right to complain to a supervisory authority—especially in the member state of your abode, your workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies.
The supervisory authority to which the complaint is submitted shall inform the complainant about the status and results of that complaint, including the possibility for judicial remedy under Art. 78 GDPR.
j. Name and address of the data protection officer
The controller’s data protection officer is:
Ms Deborah Schütt
60487 Frankfurt am Main
Phone: +49 69 90555 29-0, extension -20
13. Amendments to the data privacy statement
We reserve the right to amend the data privacy statement, to adjust it to altered legal situations, or to changes in services or data processing. Therefore, users are asked to inform themselves periodically about its contents.
Frankfurt am Main, May 2018