Data privacy statement

We protect your information!

Data Protection Notice

This notice explains how personal data are processed in the context of accessing our online offering and the websites, functions and content associated with it as well as any external online presence, such as our social media profiles (hereinafter referred to jointly as “online offering”). Our online offering is accessible via the domains/URLs


Service provider responsible for the content

Am Söldnermoos 17
85399 Hallbergmoos 
Tel.: +49 811 9595-0
Fax: +49 811 9595-199

CEO Jörg Fürbacher

Data Protection Officer
Johannes Gabler
Tel.: +49 811 9595-127


Types of data processed

  • Basic data (e.g. names, addresses).
  • Contact data (e.g. email, telephone numbers).
  • Content data (e.g. text input, photographs, videos).
  • Usage data (e.g. websites visited, interest in content, access times).
  • Meta/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as “users”).

Purpose of processing

  • Provision of the functions and content of our aforementioned online offering
  • Dealing with users’ contact requests
  • Guaranteeing information security
  • Measuring the success of our advertising

Terms used (similar to Article 4 of the General Data Protection Regulation (GDPR)

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as a “data subject” or, in the context of using the aforementioned online offering as a “user”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51.

Relevant legal bases

In accordance with Article 13 GDPR, we advise you of the legal bases of our data processing. Unless the legal basis is specified in the Data Protection Notice, the following shall apply: The legal basis for obtaining consent is Article 6 (1) lit. a and Article 7 GDPR, the legal basis for processing to supply our services and to execute contractual measures as well as to respond to enquiries is Article 6 (1) lit. b GDPR, the legal basis for processing to comply with our legal obligations is Article 6 (1) lit. c GDPR and the legal basis for processing to protect our legitimate interests is Article 6 (1) lit. f GDPR. In the event that vital interests of the data subject or another natural person make processing necessary, Article 6 (1) lit. d GDPR will serve as the legal basis.

Security measures

In accordance with Article 32 GDPR and taking into account state of the art technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In particular, the measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as access pertaining to the data, input, transfer, securing availability and their separation. We have also set up processes, which guarantee data subjects’ rights are exercised, data are deleted and there is a reaction to any threat to the data. We also take account of the protection of personal data in the development or selection of hardware, software as well as processes in line with the principle of protecting data through technology design and privacy by default settings (Article 25 GDPR).

Working with processors and third parties

If, as part of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant access to data, this will only take place on the basis of a legal permission (e.g. if transmission of the data to third parties, such as a payment services provider, is necessary for the performance of a contract pursuant to Article 6 (1) lit. b GDPR), you have given your consent, a legal obligation envisages this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.). 

If we task third parties with processing data on the basis of a so-called order processing contract, this will take place on the basis of Article 28 GDPR.

Transmissions to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or this occurs as part of the utilisation of third parties’ services or disclosure or transmission of data to third parties, this will only take place if it occurs to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we shall process the data or have them processed in a third country only if the special conditions of Article 44 et seq. GDPR apply. I.e. processing shall take place, for example, on the basis of special guarantees, such as the recognition by the authorities that the level of data protection corresponds to that of the EU (through the “Privacy Shield” for the USA, for instance) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

Users’ rights

In accordance with Article 15 et seq. GDPR, users have the right

  • to demand confirmation as to whether personal data concerning them are being processed,
  • to information (including in the form of a copy) about these personal data,
  • to information about appropriate safeguards pursuant to Article 46 in connection with transmission to a third country or an international organisation,
  • to rectification and, if applicable, integration of the personal data concerning them,
  • to erasure (subject to the conditions specified in Article 17 GDPR) or alternatively to restriction in accordance with Article 18 GDPR,
  • to receive the personal data concerning them, which they provided, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (subject to the conditions of Article 20 GDPR),
  • to object to further processing of their personal data in accordance with Article 21 GDPR

Users also have a right pursuant to Article 77 GDPR to lodge a complaint with a supervisory authority and to withdraw consent previously given with effect for the future pursuant to Article 7 (3) GDPR.

Cookies and right to object to direct advertising

Small files stored on users’ computers are referred to as “cookies”. Different information can be stored within cookies. A cookie serves primarily to store information about users (or the device on which the cookie is stored) during or after their visit within an online offering. Cookies, which are deleted after users leave an online offering and close the browser are referred to as temporary cookies or session cookies or transient cookies. The content of a basket in an online shop or login status can be stored in such a cookie. Cookies, which are stored even after the browser closes, are referred to as permanent or persistent cookies. Accordingly, users’ login status can be stored when they visit the site after several days. Likewise, users’ interests, which are used for reach measurement or marketing purposes, can be stored in such a cookie. Cookies that are offered by providers other than the Controller, who is operating the online offering, are referred to as third-party cookies (otherwise, if they are only the Controller’s cookies, they are referred to as first-party cookies).

We can use temporary and permanent cookies and make users aware of these in the context of our Data Protection Notice.

If users do not wish to have cookies stored on their computer, they are asked to deactivate the relevant option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies can lead to functions in the online offering being restricted.

A general objection to the use of cookies placed for the purposes of online marketing can be declared for a large number of services, especially in the case of tracking, via the US website the EU site Storage of cookies can also be achieved by switching them off in the browser settings. Please note that this may result in users not being able to use all functions of this online offering.

Erasure of data

Data processed by us are deleted or processing thereof is restricted in accordance with Articles 17 and 18 GDPR. Unless explicitly stated within the framework of this Data Protection Notice, data stored by us are deleted as soon as they are no longer needed for their intended purpose and deletion will not violate any legal storage obligations. If data are not deleted because they are needed for other, legally permissible purposes, processing thereof is restricted. I.e. the data are blocked and not used for other purposes.   This is true, for instance for data, which must be stored for reasons related to the German Commercial Code or the German Tax Code.

Legal requirements in Germany mean that data are stored for 10 years pursuant to sections 147 (1) of the German Tax Code (AO), 257 (1) Nos. 1 and 4, (4) of the German Commercial Code (HGB) (accounts, records, management reports, vouchers, trading books, documents of relevance for taxation, etc.) and 6 years pursuant to section 257 (1) Nos. 2 and 3, (4) HGB (commercial papers).

Business-related processing

In addition, we process

  • contract data (e.g. subject matter of the contract, term, customer category).
  • payment data (e.g. bank details, payment history)

of our customers, interested parties and business associates for the purpose of supplying contractual services, service and customer care, marketing, advertising and market research.

Agency services

We process our customers’ data within the framework of our contractual services, which include conceptual and strategic advice, campaign planning, software and design development/advice or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consultancy services and training services.

In this connection, we process basic data (e.g. customer master data, such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. text input, photographs, videos), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history), use and meta data (e.g. as part of the evaluation of marketing measures and measuring their success). In principle, we do not process special categories of personal data unless they are components of specially commissioned processing. Data subjects include our customers, interested parties and their customers, users, website visitors or employees and third parties. The purpose of processing consists of the provision of contractual services, billing and our customer service. The legal bases of processing arise from Article 6 (1) lit. b GDPR (contractual services), Article 6 (1) lit. f GDPR (analysis, statistics, optimisation, security measures). We process data, which are needed to establish and fulfil contractual services and point to the necessity of your information. Data are only disclosed to external parties, if this is required as part of an order. In processing the data disclosed to us as part of an order, we act in accordance with the client’s instructions and the legal requirements for order processing pursuant to Article 28 GDPR and do not process data for any purposes other than in accordance with the order.

We delete the data following the expiry of warranty and comparable obligations. The need to store data is reviewed every three years; in cases where there is a legal obligation to archive data, data are deleted once these expire (6 years, pursuant to section 257 (1) HGB, 10 years, pursuant to section 147 (1) AO). In the case of data, which are disclosed to us by the client as part of an order, in principle, we delete the data in accordance with the requirements of the order when the order ends.

Administration, financial accounting, office organisation, contact management

We process data as part of administrative tasks and the organisation of our business, financial accounting and compliance with legal obligations, such as archiving. In this connection, we process the same data as the data processed in supplying our contractual services. Processing is based on Article 6 (1) lit. c. GDPR, Article 6 (1) lit. f. GDPR. Customers, interested parties, business associates and website visitors are affected by processing. The purpose and our interest in processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve to maintain our business activities and to supply our services. The deletion of data with respect to contractual services and contractual communication corresponds to the information mentioned in the case of these processing activities.

Here, we disclose or transmit data to the tax authorities, advisors, such as tax advisors or auditors and other charges offices and payment service providers.

On the basis of our economic interests, we also store information on suppliers, organisers and other business associates, for the purposes of contacting them subsequently, for instance. In principle, we store these data, the majority of which are company related, permanently.

Data protection information in the application process

We only process applicant data for the purpose of and within the framework of the application process in compliance with the legal requirements. Applicant data are processed to comply with our contractual and precontractual obligations as part of the application process within the meaning of Article 6 (1) lit. b. GDPR Article 6 (1) lit. f. GDPR and section 26 of the German Data Protection Act (BDSG) if data processing is necessary for us as part of legal procedures, for instance.

The application process requires applicants to disclose applicant data to us.  The necessary applicant data are indicated if we offer an online form, otherwise, they are clear from the job descriptions and, in principle, include personal details, postal and contact addresses and the documents associated with the application, such as a covering letter, curriculum vitae and references. Applicants may also disclose additional information to us voluntarily.

By transmitting the application to us, applicants give their consent to having their data processed for the purposes of the application process in accordance with the type and scope set out in this Data Protection Notice.

If special categories of personal data within the meaning of Article 9 (1) GDPR are disclosed voluntarily as part of the application process, processing thereof shall also take place in accordance with Article 9 (2) lit. b GDPR (e.g. health data, such as a serious disability or ethnic origin). If special categories of personal data within the meaning of Article 9 (1) GDPR are requested from applicants as part of the application process, processing thereof shall also take place in accordance with Article 9 (2) lit. a GDPR (e.g. health data, if these are required to carry out the job).

If made available, applicants may transmit their applications to us using an online form on our website. The data are encrypted using state of the art technology and transferred to us.
Applicants may also transmit their applications via email. However, we ask applicants to note that emails are, in principle, sent without encryption and applicants must ensure they are encrypted themselves. We can therefore not assume any responsibility for the transmission route of the application between the sender and its being received on our server and therefore recommend applicants use an online form or send their applications by post. Applicants still have the option of sending the application by post instead of applying via the online form and email.

The data provided by applicants may, in the event of a successful application, be subjected to further processing by us for the purposes of the employment relationship. Otherwise, if the application for a job is unsuccessful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Deletion takes place, subject to a justified withdrawal by the applicant, once a period of six months has elapsed so that we can answer any follow-up questions to the application and can comply with our burden of proof under the German Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with the requirements of the German Fiscal Code.

Making contact

If users make contact with us (e.g. via the contact form, email, telephone or via social media), their details are processed to deal with the contact enquiry and to handle it in accordance with Article 6 (1) lit. b) GDPR. Details of the users may be stored in a customer relationship management system (CRM system) or comparable enquiry system.

We delete enquiries if they are no longer needed. We review the necessity of keeping them every two years; the legal archiving obligations also apply.


The following notes provide you with information about the content of our newsletter and the registration, despatch and statistical evaluation process as well as your rights to object. By subscribing to our newsletter, you give your consent to receiving it and to the processes described.

Content of the newsletter: We only send out newsletters, emails and other electronic notifications containing promotional information (hereinafter “newsletter”) with the consent of the recipients or legal permission. If, as part of any registration for the newsletter, its contents are specifically described, they are of relevance for users’ consent.  Otherwise, our newsletters contain information about our services and us.

Double opt-in and logging: Registration for our newsletter takes place using a so-called double opt-in process. I.e. users and newsletter subscribers receive an email following registration in which they are asked to confirm their registration. This confirmation is needed to avoid anybody registering with third party email addresses. Registrations for the newsletter are logged to be able to document the registration process in line with the legal requirements. These include storing the registration and confirmation times and also the IP address. Changes to your data stored with the delivery service provider will also be logged.

Registration data: To register for the newsletter, it is sufficient to provide your email address. We ask users to disclose their name to allow us to address them personally in the newsletter.

The despatch of the newsletter and the measurement of success associated therewith takes place on the basis of the recipient’s consent pursuant to Article 6 (1) lit. a, Article 7 GDPR in conjunction with section 7 (2) No. 3 of the German Unfair Competition Act (UWG) of if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Article 6 (1) lit. f. GDPR in conjunction with section 7 (3) UWG. 

The registration process will be logged on the basis of our legitimate interests pursuant to Article 6 (1) lit. f GDPR. Our interest is based on the use of a user-friendly and secure newsletter system, which both serves our interests and meets users’ expectations and also allows us to document consents.

Cancellation/termination – the subscription to our newsletter can be cancelled at any time. Users find a link to cancel the newsletter at the end of each edition of the newsletter. We can store email addresses of those who have cancelled for up to three years on the basis of our legitimate interests before deleting them to ensure that we can document any consent that was previously given. Processing of this data is restricted to the purpose of a possible defence against claims. An individual application to have data deleted may be submitted at any time if confirmation is provided at the same time that consent was given previously.

Newsletter - delivery service provider

The newsletter is despatched by means of the delivery service provider mailingwork GmbH, Birkenweg 7, 09569 Oederan. You can view the data protection provisions of the delivery service provider here: The delivery service provider is used on the basis of our legitimate interests pursuant to Article 6 (1) lit. f GDPR and a contract for order processing pursuant to Article 28 (3) s. 1 GDPR.

The delivery service provider may use users’ data in pseudonymised form, i.e. without assignment to the users, to optimise or improve its own services, such as to optimise the technical aspects of delivery and the presentation of the newsletter or for statistical purposes. The delivery service provider shall, however, not use the data of our newsletter recipients to write to them himself or to pass the data to third parties.

Newsletter - measurement of success

The newsletters contain a so-called web beacon, i.e. a pixel sized file, which is retrieved from our server on opening the newsletter or, if we use a service provider, from its server. In the context of this retrieval, technical information, such as information on the browser and your system and your IP address and the time the file was retrieved are collected initially. 

This information is used to improve the technical aspects of the services by means of technical data or the target groups and their reading behaviour by means of their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistics collected also include determining whether the newsletter is opened, when it is opened and which links are clicked. This information can be assigned to individual newsletter recipients for technical reasons.  However, it is neither our aspiration nor that, if used, of the service delivery provider to observer individual users. The evaluations help us far more to recognise the reading habits of our users and to adjust our content to them or to send different content in line with the interests of our users.

Unfortunately it is not possible to withdraw from the measurement of success separately, in this case the entire newsletter subscription must be cancelled.

Collection of access data and log files

We collect data on each access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Article 6 (1) lit. f. GDPR. Access data include the name of the website accessed, file, date and time it was retrieved, quantity of data transferred, report of a successful retrieval, browser type plus version, the operating system, referrer URL (the site previously visited), IP address and the requesting provider.

Log file information are stored for security reasons (e.g. to clarify misuse or fraud) for an appropriate period and subsequently deleted. Data, which must be held for longer for the purposes of evidence, are exempt from deletion until the respective case is finally clarified.

Google Analytics

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of Article 6 (1) lit. f. GDPR), we use Google Analytics, a web analysis service provided by Google LLC (“Google”). Google uses cookies. The information about use of the online offering by users generated by the cookie is usually transferred to a Google server in the USA and stored there.

Google is certified under the Privacy Shield Framework and as a result offers a guarantee that it will comply with European data protection legislation (

Google will use this information on our behalf to analyse use of our online offering by users, to compile reports about activities within this online offering and to provide additional services associated with use of this online offering and Internet use for us. Pseudonymised usage profiles of users can be created from the processed data.

We only use Google Analytics with activated IP anonymisation. This means that users’ IP addresses are abbreviated by Google within member states of the European Union or in other signatory countries to the Agreement on the European Economic Area. The full IP address is only transferred to a Google server in the USA and abbreviated there in exceptional cases.

The IP address transmitted from the users’ browser is not combined with other data by Google. Users may prevent the storage of cookies by setting their browser software accordingly; users may also prevent Google from recording the data concerning their use of the online offering generated by the cookie and from processing these data by downloading and installing the browser plugin available from the following link:

More information on Google’s use of data, the options for settings and opt-out options can be found in Google’s Data Protection Notice ( and in the settings for presentation of advertising by Google (

Users’ personal data will be deleted or anonymised after 14 months.

Google Universal Analytics

We use Google Analytics in its form as “Universal-Analytics”. “Universal Analytics” means a process by Google Analytics, by which use is analysed on the basis of a pseudonymised user ID and consequently a pseudonymised profile of users is created with information on the use of various devices (so-called cross-device tracking).

Google AdWords and conversion measurement

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of Article 6 (1) lit. f. GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

Google is certified under the Privacy Shield Framework and as a result offers a guarantee that it will comply with European data protection legislation (

We use the online marketing process Google "AdWords", to place advertisements in the Google Display Network (e.g. in search results, in videos, on websites, etc.), to ensure that they are displayed to users, who are likely to be interested in the advertisements. This allows us to display advertisements for and within our online offering in a more targeted manner, to present users only with advertisements that may match their interests. If, for example, users are shown advertisements for products, in which he has been interested in other online offerings, this is referred to as “remarketing”. For these purposes, when our and other websites on which the Google Display Network is active are accessed, Google immediately executes a Google code and so-called remarketing tags (invisible graphics or code, also referred to as web beacons) are incorporated in the website. They allow an individual cookie, i.e. a small file, to be installed on the users’ device (comparable technologies can also be used instead of cookies). This file notes which websites the user visits, which content interests him and which offerings the user has clicked, also technical information on the browser and operating system, linking websites, visit time and other details of use of the online offering.

We also receive an individual conversion cookie. The information obtained with the help of the cookie helps Google create conversion statistics for us. However, we only discover the anonymous total number of users, who have clicked on our advertisement and were passed to a site equipped with a conversion tracking tag. We do not receive any information with which users can be personally identified.

Users’ data are processed on a pseudonymised basis within the framework of the Google Display Network. I.e. Google does not, for instance, store the and process the name or email address of the users but processes the relevant data on a cookie-related basis within pseudonymised usage profiles. I.e. from Google’s perspective, the advertisements are not managed and displayed for a specific, identified person but for the cookie holder, regardless of who the cookie holder is. This is not the case if users have explicitly permitted Google to use the data without pseudonymising them. The information collected about the users is transmitted to Google and stored on Google’s servers in the USA.

More information on Google’s use of data, the options for settings and opt-out options can be found in Google’s Data Protection Notice ( and in the settings for presentation of advertising by Google (

Online presence in social media

We maintain an online presence within social networks and platforms to communicate with the customers, interested parties and users that use these networks and to be able to inform them about our services there. On accessing the respective networks and platforms, the conditions of business and data processing guidelines of their respective operators shall apply. 

Unless stated otherwise within the framework of our Data Protection Notice, we shall process users’ data if they communicate with us within the social networks and platforms, e.g. by posting content on our online presence or sending us messages.

Inclusion of third parties’ services and content

On the basis of legitimate interests (i.e. interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of Article 6 (1) lit. f GDPR) we use content or service offerings from third party providers to include their content and services such as videos or fonts (hereinafter referred to uniformly as “content”). 

This always presupposes that the third party providers of this content are aware of Users’ IP addresses since they could not send the content to their browsers without the IP address. The IP address is therefore needed for this content to be displayed. We endeavour only to use such content for which the respective provider uses the IP address only to deliver the content. Third party providers can also use so-called pixel tags (invisible graphics, also referred to as web beacons) for statistical or marketing purposes. The pixel tags allow information such as visitor traffic to the pages of this website to be evaluated. The pseudonymised information can also be stored on the users’ device in cookies and can, among other things, contain information on the browser and operating system, linking websites, visit time and other information on the use of our online offering, and be combined with such information from other sources.


We include videos from the YouTube platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data Protection Notice:, Opt-Out:

Cookie Settings

We use cookies to provide functionality on our websites, to personalize function for your convinience, to provide social media features, and to compile access statistics. Various techniques may be used to share information about your use of our site with our social media and advertising partners. For more information, please see our Privacy Policy.