Privacy Policy
This privacy policy clarifies the nature, scope and purpose of processing personal data (hereafter referred to as ‘data’) within our online offering, including associated websites, functions and content, as well as our external online presences, such as social media profiles (hereafter collectively referred to as ‘online offering’). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Person responsible
Pro54 Produkt- und Projektentwicklung GmbH
Bavariaring 25
80336 Munich
Germany
E-mail: info@pro54.com
Managing Director: Johannes D. Mariano
Data Protection Officer
2B Advice GmbH
Joseph-Schumpeter-Allee 25
53227 Bonn
E-mail: pro54@2b-advice.com
Types of data processed:
– Inventory data (e.g., names, addresses).
– Contact details (e.g., e-mail, telephone numbers).
– Content data (e.g., text entries, photographs, videos).
– Usage data (e.g., websites visited, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).
Categories of affected persons
Visitors and users of the online service (hereinafter referred to collectively as ‘users’).
Purpose of processing
– Provision of the online offer, its functions and content.
– Answering contact enquiries and communicating with users.
– Safety measures.
– Reach measurement/marketing.
Terminology used
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable natural person is someone who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g. cookie) or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity. ‘Processing’ means any operation or set of operations performed on personal data, whether or not by automated means.
The term is broad and encompasses practically any handling of data.
‘Pseudonymisation’ means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Profiling’ means any form of automated processing of personal data used to evaluate personal aspects relating to a natural person. This includes analysing or predicting aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The ‘controller’ is the natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data, either alone or jointly with others.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR. The legal basis for processing in order to fulfil our services, implement contractual measures, and respond to enquiries is Art. 6(1)(b) GDPR. The legal basis for processing in order to fulfil our legal obligations is Art. 6(1)(c) GDPR. The legal basis for processing to protect our legitimate interests is Art. 6(1)(f) GDPR. If vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.
Security measures
We take appropriate technical and organisational measures in accordance with Art. 32 GDPR. These measures are taken in light of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The aim is to ensure a level of security that is appropriate to the risk.
These measures include safeguarding the confidentiality, integrity and availability of data by controlling physical access to it, as well as controlling access to, input to, and transfer of, and safeguarding the availability and separation of, the data. Furthermore, we have established procedures to ensure that data subjects’ rights are exercised, data is deleted, and threats to data are responded to. We also take the protection of personal data into account when developing and selecting hardware, software and processes, in accordance with the principles of data protection by design and by default (Art. 25 GDPR).
Cooperation with processors and third parties
If we disclose data to other persons or companies (processors or third parties) as part of our processing activities, transfer it to them, or otherwise grant them access to the data, we will only do so on the basis of legal authorisation (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the fulfilment of a contract in accordance with Art. 6(1) lit. b GDPR), if you have given your consent, if there is a legal obligation to do so, or if it is in our legitimate interests (e.g. when using agents or web hosts).
If we commission third parties to process data on the basis of an “order processing contract”, this is done on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services, disclosing or transferring data to third parties, this will only take place if it is necessary to fulfil our contractual obligations, with your consent, due to a legal obligation, or for our legitimate interests. Subject to legal or contractual authorisations, we will only process data or have it processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that processing takes place on the basis of special guarantees, such as an officially recognised determination of a level of data protection corresponding to that in the EU (e.g. for the USA through the ‘Privacy Shield’), or compliance with officially recognised special contractual obligations (‘standard contractual clauses’).
Rights of the data subjects
You have the right to request confirmation as to whether the data in question is being processed, and to request further information and a copy of this data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to request the completion or correction of data concerning you.
In accordance with Art. 17 GDPR, you have the right to demand the immediate deletion of the data in question or, alternatively, to request that its processing be restricted in accordance with Art. 18 GDPR.
You have the right to request the data that you have provided to us concerning you in accordance with Art. 20 GDPR, and to request that it be transferred to other data controllers. In accordance with Art. 77 GDPR, you also have the right to lodge a complaint with the relevant supervisory authority.
Right of cancellation
You have the right to withdraw your consent in accordance with Art. 7(3) GDPR, with effect for the future.
Right of objection
You can object to the processing of your data at any time in accordance with Art. 21 GDPR. You may in particular object to processing for direct marketing purposes.
Cookies and right to object to direct advertising
“Cookies” are small files that are stored on users’ computers. Different information can be stored within cookies. Cookies are primarily used to store information about users (or the devices on which they are stored) during or after they visit an online service. ‘Temporary cookies’, ‘session cookies’ or ‘transient cookies’ are deleted when a user leaves an online service and closes their browser. The content of a shopping basket in an online shop or login status, for example, can be stored in such a cookie. The term ‘permanent’ or ‘persistent’ refers to cookies that remain stored even after the browser is closed. For example, the login status can be saved so that users can access it after several days. Interests can also be stored in these cookies and used for reach measurement or marketing purposes. “Third-party cookies” are cookies offered by providers other than the controller operating the online service. Otherwise, they are referred to as “first-party cookies”.
We may use temporary and permanent cookies, and we provide information about this in our privacy policy.
Users who do not want cookies to be stored on their computer are asked to deactivate the corresponding option in their browser’s system settings. Saved cookies can be deleted in the system settings of the browser. Excluding cookies may result in this online offer being restricted in terms of functionality.
You can object to the use of cookies for online marketing purposes for a large number of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, you can prevent the storage of cookies by switching them off in your browser settings. Please note that you may then not be able to use all the functions of this website.
Data deletion
Any data processed by us will be erased or the processing thereof restricted in accordance with Art. 17 and 18 GDPR. Unless stated otherwise in this privacy policy, we will delete the data stored by us as soon as it is no longer required for its intended purpose and deletion does not conflict with any statutory retention obligations. If data cannot be deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies to data that must be retained for commercial or tax law reasons, for example.
According to legal requirements in Germany, the retention period is 10 years in accordance with section 147 (1) AO, 257 (1) no. 1 and 4, (4) HGB (German Commercial Code) (books, records, management reports, accounting vouchers, commercial books, documents relevant for taxation, etc.), and six years in accordance with section 257, (1), no. 2 and 3, (4) HGB (commercial letters).
According to the legal requirements in Austria, the retention period is seven years in accordance with section 132, (1) BAO (operating and business equipment) (accounting documents, receipts/invoices, accounts, business papers, statements of income and expenses, etc.), 22 years for real estate, and 10 years for documents relating to electronically provided services, telecommunications, radio, and television services provided to non-entrepreneurs in EU member states for which the Mini One Stop Shop (MOSS) is used.
Business-related processing
In addition, we process
– contract data (e.g. subject matter, term and customer category);
– payment data (e.g. bank details, payment history).
We process this data from our customers, interested parties and business partners for the purpose of providing contractual services, servicing and customer care, marketing, advertising and market research.
Agency services
We process our customers’ data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consultancy or maintenance, campaign and process implementation/handling, server administration, data analysis/consultancy services, and training services.
We process the following types of data: inventory data (e.g. customer master data such as names or addresses); contact data (e.g. e-mail addresses or telephone numbers); content data (e.g. text entries, photographs or videos); contract data (e.g. the subject matter or term of the contract); payment data (e.g. bank details or payment history); and usage and metadata (e.g. in the context of analysing and measuring the success of marketing measures).
In principle, we do not process special categories of personal data unless these are part of commissioned processing. Data subjects include our customers, interested parties, their customers, users, website visitors and employees, as well as third parties. The purpose of processing is to provide contractual services, billing and customer service. The legal basis for processing is Art. 6(1) lit. b GDPR (contractual services) and Art. 6(1) lit. f GDPR (analysis, statistics, optimisation and security measures). We process the data required to justify and fulfil the contractual services, and we highlight the necessity of its disclosure.
Disclosure to external parties only takes place if necessary for an order. When processing data provided to us as part of an order, we act in accordance with the client’s instructions and the legal requirements for order processing under Art. 28 GDPR, and we do not process the data for any purposes other than those specified in the order. We delete the data after the expiry of statutory warranty and comparable obligations. We review the necessity of storing the data every three years. In the case of statutory archiving obligations, we delete the data after they expire (six years in accordance with section 257(1) HGB (German Commercial Code) and 10 years in accordance with section 147(1) AO). If we receive data from a client as part of an order, we delete it in accordance with the order specifications, usually once the order has ended.
Administration, financial accounting, office organisation, contact management
We process data as part of administrative tasks, the organisation of our business and financial accounting, and to comply with legal obligations such as archiving. In doing so, we process the same data that we process when providing our contractual services. The legal bases for processing are Art. 6(1) lit. c GDPR and Art. 6(1) lit. f GDPR. The processing affects customers, interested parties, business partners and website visitors.
We process data for administrative purposes, financial accounting, office organisation and archiving, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. Data deletion with regard to contractual services and communication is in line with the information specified in these processing activities. We disclose or transmit data to tax authorities, consultants (such as tax advisors or auditors), other fee centres, and payment service providers.
We also store information on suppliers, event organisers and other business partners based on our legitimate interests, e.g. to contact them at a later date. We store this data, most of which is company-related, permanently.
Data protection information in the application process
We only process applicant data for the purpose of the application process and in accordance with legal requirements. Processing applicant data enables us to fulfil our pre-contractual and contractual obligations within the application process, as defined in Art. 6(1) lit. b GDPR, and in accordance with Art. 6(1) lit. f GDPR if the data processing is necessary for us, e.g. in the context of legal proceedings (in Germany, section 26 BDSG (Federal Data Protection Act) also applies).
The application procedure requires applicants to provide us with their application data. If an online form is offered, the necessary applicant data is labelled; otherwise, it can be found in the job descriptions and includes, at a minimum, personal details, postal and contact addresses, and application documents such as a cover letter, CV, and certificates.
Applicants can also voluntarily provide us with additional information. By submitting their application, applicants consent to us processing their data for the purposes of the application process, in accordance with the nature and scope set out in this privacy policy. Insofar as special categories of personal data within the meaning of Art. 9(1) GDPR are voluntarily communicated as part of the application process, this processing will also be carried out in accordance with Art. 9(2)(b) GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9(1) GDPR are requested from applicants as part of the application process, this processing is carried out in accordance with Art. 9(2)(a) GDPR (e.g. health data, if necessary for the performance of the profession).
Applicants can send us their applications using an online form on our website, if they wish (if available). The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form, so applicants must ensure they encrypt them themselves. We cannot accept responsibility for the transmission of applications between the sender and our server, and therefore recommend using an online form or sending applications by post. Applicants still have the option of sending us their application by post instead of applying via the online form and e-mail. If an application is successful, we may process the data provided by the applicant for the purposes of the employment relationship.
Otherwise, if an application is unsuccessful, the applicant’s data will be deleted. Data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Following a justified cancellation by the applicant, deletion will take place after six months to allow time to answer any follow-up questions about the application and meet our obligations under the Equal Treatment Act to provide evidence. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
Contacting us
When you contact us (e.g. via the contact form, e-mail, telephone or social media), we process your details to handle your enquiry in accordance with Art. 6(1) lit. b GDPR. User data may be stored in a customer relationship management system (CRM) or similar enquiry organisation system.
We delete the requests if they are no longer required. We review the necessity every two years; furthermore, the statutory archiving obligations apply.
Hosting and e-mail dispatch
The hosting services used by us serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services, and technical maintenance services for operating this online service.
We or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta data and communication data relating to customers, interested parties and visitors to this online service, based on our legitimate interest in providing this online service efficiently and securely, in accordance with Art. 6(1) lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of order processing contract).
Collection of access data and log files
We or our hosting provider collect this data on the basis of our legitimate interests as defined in Art. 6(1) lit. f GDPR. We collect data about every access to the server on which this service is located (so-called server log files). This access data includes the name of the accessed website or file, the date and time of access, the amount of data transferred, a notification of successful access, the browser type and version, the user’s operating system, the referrer URL (i.e. the previously visited page), the IP address, and the requesting provider.
Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum period of seven days and then deleted. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.