This data protection declaration clarifies the type, extent and purpose of the processing of personal data (referred to as “data”) within our online offer and its related websites, features and contents as well as external online presences, such as our social media profile (hereafter referred to as “online offer”). With regard to the terms used, such as “processing” or “person responsible”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Esslinger Straße 83
Link to the legal disclosure: www.khoch3.de/en/service/legal-notice/
Types of processed data:
- Inventory data (e.g. name, address).
- Contact details (e.g. email, phone number).
- Content data (e.g. text input, videos, photographs).
- Usage data (e.g. visited websites, interest in contents, access times).
- Meta-/communication data (e.g. unit information, IP-address).
Categories of persons concerned
Visitors and users of the online offer (hereafter the persons concerned are also called “users”).
Purpose of processing
- Provision of the online offer, its functions and contents.
- Answering contact requests and communication with users.
- Safety measures.
- Range measurement/marketing.
“Personal data” is all information relating to an identified or identifiable natural person (in the following “person concerned”); a natural person is considered identifiable if they can be identified directly or indirectly, especially by assignment to an identifier such as a name, an identification number, location data, an online identifier (e.g. Cookie) or one or more special characteristics that express the physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Profiling” is any kind of automated processing of personal data that consists of using the personal data to assess certain personal aspects relating to a natural person, especially to analyze or predict aspects concerning job performance, economic situation, health, personal preferences, interests, reliability, behavior, residence or movements of that natural person.
“Processing” is every operation or set of operations performed in connection with personal data, with or without the help of automated processes. The term has a broad meaning and includes practically every dealing with data.
“Person responsible” designates the natural person or legal entity, authority, institution or other body that decides on the purpose and means of processing personal data.
“Pseudonymization” is the processing of personal data in such a way that the personal data cannot be assigned to a person concerned without consulting additional information, as long as that additional information is kept separately and is governed by technical and organizational measures which ensure that the personal data are not assigned to an identified or identifiable natural person.
“Processor” is a natural person or legal entity, authority, institution or other body that processes personal data under contract from the person responsible.
Relevant legal basis
In accordance with Art. 13 GDPR we inform you of the legal bases of our data processing. Where the legal basis is not named in the data protection declaration, the following applies: the legal basis for obtaining consent is Art. 6 para 1 lit a and Art. 7 GDPR; the legal basis for processing to perform our services and implement contractual measures as well as to answer inquiries is Art. 6 para 1 lit b GDPR; the legal basis for processing to comply with legal obligations is Art. 6 para 1 lit c GDPR; and the legal basis for processing to safeguard our legitimate interests is Art. 6 para 1 lit f GDPR. Where vital interests of the person concerned or another natural person require the processing of personal data, Art. 6 para 1 lit d GDPR serves as the legal basis.
Pursuant to Art. 32 GDPR, and considering the state of the art, the implementation costs and the type, extent, circumstances and purpose of processing as well as the different probabilities of occurrence and the seriousness of the risk to the rights and freedoms of natural persons, we take suitable technical and organizational measures to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data as well as the related access, input, transfer, securing of availability and separation of the data. Furthermore, we establish procedures that ensure the exercise of the rights of persons concerned, the deletion of data and the response to threats to the data. Furthermore, we consider the protection of personal data already in the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by privacy-friendly default settings (Art. 25 GDPR).
Cooperation with processors and third parties
If, within the framework of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise allow them access to the data, this only takes place on the basis of a legal permission (e.g. if transmitting the data to third parties, such as payment providers, is necessary to fulfil the contract under Art. 6 para 1 lit b GDPR), if the persons concerned have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when engaging agents, web hosts, etc.).
If we commission third parties to process data on the basis of a so-called “job processing contract”, this is done on the basis of Art. 28 GDPR.
Transfer to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this happens in the context of using third-party services or of disclosing or transmitting data to third parties, this only takes place if it is done to fulfil our (pre)contractual obligations, on the basis of the consent of the persons concerned, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process data or have data processed in a third country only if the special preconditions of Art. 44 et seq. GDPR are met. That means processing must be based on special guarantees, such as an officially recognized determination of a level of data protection corresponding to that of the EU (e.g. for the USA by the “Privacy shield”), or on officially recognized special contractual obligations (so-called “standard contractual clauses”).
Rights of persons concerned
You have the right to demand confirmation as to whether data concerning you are processed, and the right to demand information about that data as well as additional information and a copy of the data according to Art. 15 GDPR.
You have the right to demand the completion of data relating to you or the correction of inaccurate data relating to you according to Art. 16 GDPR.
According to Art. 17 GDPR you have the right to demand that data concerning you be deleted immediately, or alternatively to demand a restriction of the processing of the data according to Art. 18 GDPR.
You have the right to receive the data you made available to us and to demand their transmission to other persons responsible according to Art. 20 GDPR.
You also have the right to lodge a complaint with the competent supervisory authority according to Art. 77 GDPR.
Right of revocation
You have the right to revoke your given consent with effect for the future under Art. 7 para 3 GDPR.
Right of objection
You can object to the future processing of data relating to you at any time under Art. 21 GDPR. The objection can especially be made against processing for direct marketing.
Cookies and right to object to direct marketing
Cookies are small files that are stored on the computers of users. Different information can be stored within Cookies. A Cookie primarily serves to store information about a user (or about the device on which the Cookie is stored) during or after the visit to an online offer. Temporary Cookies, also known as “session Cookies” or “transient Cookies”, are Cookies which are deleted after a user leaves an online offer and closes the browser. Such a Cookie can store, for example, the content of a shopping basket or a login status. Cookies that remain stored after the browser is closed are called “permanent” or “persistent”. This makes it possible, for example, to keep the login status when users return after a few days. The interests of users, which are used for range measurement or advertising purposes, can also be stored in such Cookies. “Third-party Cookies” are Cookies offered by providers other than the person responsible who operates the online offer (if they are that person’s own Cookies, they are called “first-party Cookies”).
If users do not want Cookies to be stored on their computers, they are asked to disable the corresponding option in the system settings of their browsers. Stored Cookies can be deleted in the system settings of the browser. The exclusion of Cookies can lead to limited functions of the online offer.
Deletion of data
The data processed by us will be deleted or restricted in its processing according to Art. 17 and 18 GDPR. Unless explicitly indicated otherwise within the framework of this privacy policy, the data used by us will be deleted as soon as they are no longer necessary for their purpose and no legal retention obligations prevent the deletion. If the data are not deleted because they are necessary for other legally permitted purposes, their processing will be restricted. That means that the data will be blocked and not processed for other purposes. This applies to data that need to be retained for commercial reasons.
According to legal requirements in Germany, storage is provided for 6 years under fiscal law according to § 257 para 1 lit HGB (trading books, inventories, opening balances, annual accounts, commercial letters, booking vouchers, etc.) as well as 10 years according to § 147 para 1 AO (books, booking vouchers, commercial and business letters, records, situation reports, relevant documents for taxation, etc.).
According to legal requirements in Austria, storage is provided for 7 years under § 132 para 1 BAO (accounting documents, receipts, invoices, accounts, commercial documents, list of income and expenditures associated with properties) for 22 years and associated with electronically rendered services, telecommunication, broadcasting and television services which are rendered to non-entrepreneurs in EU member states and the use of the Mini-One-Stop-Shop (MOSS).
Business related processing
In addition, we process:
- Contract data (e.g. contractual object, term, customer category)
- Payment details (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purpose of providing contractual services and customer care, marketing, advertising and market research.
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage and database services, security services as well as technical maintenance services, which we use for the purpose of operating the online offer.
Here we or our hosting providers process contact details, content data, contract data, inventory data, usage data, and meta and communication data of customers, interested parties and visitors of this online offer, based on our legitimate interests in making an efficient and safe online offer available according to Art. 6 para 1 lit f GDPR in conjunction with Art. 28 GDPR (conclusion of a job processing contract).
Collection of access data and logfiles
We or our hosting provider collect data on each access to the server on which this service is located (so-called server logfiles), on the basis of our legitimate interests under Art. 6 para 1 lit f GDPR. Access data include the name of the accessed page, the file, date and time of retrieval, volume of data transmitted, a report about a successful retrieval, browser type together with its version, the operating system of the user, the referrer URL (the page visited before), the IP-address and the requesting provider.
Logfile information will be stored for a maximum of 7 days for safety reasons (e.g. for investigating misuse or fraud) and then be deleted. Data that must be retained for evidence purposes are exempt from deletion until the final clarification of the respective incident.
Range measurement with Matomo
Within the framework of range measurement with Matomo the following data are processed based on our legitimate interests (that means interests in analysis, optimization and economical operation of our online offer according to Art. 6 para 1 lit f GDPR): the browser type and browser version you use, the operating system you use, your country of origin, date and time of the server request, the number of visits, the time you spend on the website as well as the external links you use. The IP-address of users will be anonymized before it is stored.
Users can object to the anonymized data collection through the program Matomo at any time with effect for the future by clicking the link below. In this case a so-called opt-out Cookie is stored in the browser, which causes Matomo to stop collecting data. If users delete their Cookies, the opt-out Cookie will be deleted too and users need to activate it again.
The logs with users’ data will be deleted after 6 months at the latest.
We process data of our customers within the framework of our contractual services, which include conceptual and strategic consultation, campaign planning, software and design development/consultation or maintenance, implementation of campaigns and procedures/handling, server administration, data analysis/consultation services and training services.
Here we process inventory data (e.g. customer base data, such as names and addresses), contact data (e.g. email, phone numbers), content data (e.g. text input, photos, videos), contract data (e.g. contractual object, term), payment details (e.g. bank details, payment history), usage and meta data (e.g. within the framework of evaluation and performance measurement of marketing measures). As a matter of principle we do not process special categories of personal data, unless these are part of a commissioned processing. The parties concerned are our customers, interested parties and their customers, users, website visitors or employees as well as third parties. The purpose of our processing consists of performing contractual services, billing and our customer service. The legal bases of processing result from Art. 6 para 1 lit b GDPR (contractual services), Art. 6 para 1 lit f GDPR (analysis, security measures, statistics and optimization). We process data that are necessary for establishing and fulfilling contractual services and point out the necessity of providing them. A disclosure to external parties only takes place if it is necessary within the framework of an order. We act according to the instructions of the client as well as the legal requirements under Art. 28 GDPR and do not process the data for purposes other than those ordered.
We delete data after expiry of legal warranty and comparable obligations. The necessity of storing data will be checked every 3 years; in case of legal archiving obligations the deletion will be made after their expiry (6 years according to §257 para 1 HGB, 10 years under §147 para 1 AO). As a matter of principle, we delete data which are disclosed to us by the client within the framework of an order according to the requirements of the order after the end of the order.
Administration, financial accounting, office organization, contact management
We process data within the framework of administrative tasks as well as the organization of our business, financial accounting and compliance with legal obligations, such as archiving. Here we process the same data which we process within the framework of providing our contractual services. The legal bases for processing are Art. 6 para 1 lit GDPR, Art. 6 para 1 lit f GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose of and our interests in processing are administration, financial accounting, office organization, archiving of data, that is, tasks which serve the maintenance of our business activities, the performance of our tasks and the provision of our services. The deletion of data relating to contractual services and contractual communication follows the information given for those processing activities.
Here we reveal or transmit data to the financial administration, to consultants, such as tax consultants or auditors, as well as to further fee offices and payment service providers.
Furthermore, we store information about suppliers, organizers and other business partners based on our economic interests, e.g. for contacting them at a later time. As a matter of principle we store this mostly business-related data long-term.
When users contact us (e.g. by contact form, email, phone or via social media), their information will be processed for handling the contact request and its completion under Art. 6 para 1 lit b GDPR. The information of users can be stored in a customer relationship management system (“CRM system”) or in a comparable inquiry organization.
We delete that information when it is no longer necessary. We check the necessity every 2 years; furthermore, the legal archiving obligations apply.
Online presence on social media
We maintain online presences within social networks and platforms to communicate with online customers, interested parties and users and to inform them about our services. When calling up the respective networks and platforms the terms and conditions and the data processing regulations of their respective operators apply.
Unless stated otherwise within the framework of our privacy statement, we process data of users insofar as they communicate with us within social networks and platforms, e.g. by writing contributions on our online presences or sending us messages.
Involvements of services and contents of third parties
We use content or service offers of third-party providers within our online offer based on our legitimate interests (that means interests in analyzing, optimizing and economically operating our online offer according to Art. 6 para 1 lit GDPR), to integrate their contents and services, e.g. videos or fonts (hereafter uniformly called “content”).
This always requires that the third-party providers of this content learn the IP-address of users, because they cannot send the content to the browser without the IP-address. The IP-address is therefore necessary for displaying this content. We endeavor to use only content whose respective providers use the IP-address solely for delivering the content. Furthermore, third parties can use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical and marketing purposes. With the help of pixel tags, information such as visitor traffic on the pages of this website can be evaluated. Furthermore, pseudonymous information can be stored in Cookies on the devices of users; it can include, among other things, technical information about the browser and operating system, referring websites, visiting times as well as other information about the use of our online offer, and it can be connected with such information from other sources.
We integrate videos from the platform “YouTube” of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
We integrate the fonts (“Google Fonts”) from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: www.google.com/policies/privacy/, Opt-Out: adssettings.google.com/authenticated.