Data Privacy
Our data processing
When you use the website xitaso.com and its functions, make contact and send a request or as part of an application process, you send us personal data which we process for the purpose of responding to your requests. We handle these data in accordance with data protection laws strictly for the intended purpose only.
I. The controller within the meaning of data protection laws is
XITASO GmbH IT & Software Solutions
Austraße 35
D-86153 Augsburg
Telephone: +49 821 885 882-0
E-Mail: info@xitaso.com
Represented by:
Ulrich Huggenberger, Martin Huggenberger, Dr. Michael Schackert, Andreas Beirer
II. Data protection officer
Statutory data protection officer:
We have appointed a data protection officer for our company.
Fly-tech IT GmbH & Co. KG
Winterbruckenweg 58
86316 Friedberg
datenschutz@xitaso.com
III. General information about data processing
Scope of processing of personal data in general
As a basic principle, we only process personal data if this is necessary to provide a functional website along with our content and services.
Legal basis for processing personal data
The legal basis for processing this personal data can be found in the General Data Protection Regulation, Article 6(1)(a)-(f) GDPR.
o If the data subject has given consent, the legal basis is Article 6(1)(a) GDPR.
o Article 6(1)(b) GDPR is the legal basis for processing personal data as required for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
o If processing is necessary for compliance with a legal obligation of the controller, the legal basis is Article 6(1)(c) GDPR.
o If vital interests of the data subject or another natural person make it necessary to process data, the legal basis is Article 6(1)(d) GDPR.
o If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis is Article 6(1)(e) GDPR.
o If processing is necessary to protect a legitimate interest of our company and overrides the interests, fundamental freedoms or fundamental rights of the data subject, the legal basis is Article 6(1)(f) GDPR.
Provision of personal data required to conclude a contract or based on statutory retention obligations
When you contact us, we collect personal data. We store these data partly due to legal requirements and partly for the purpose of concluding a contract. If you want to conclude a contract with us, you must provide us with your data so that we can provide our services to you. Tax and commercial law considerations also result in statutory retention obligations which we have to meet. Otherwise, we may be unable to provide you with our service.
Before providing your personal data, you can feel free to get in touch with your contact person in our company to find out whether we will need your data to conclude a contract and/or to meet our statutory retention obligations and what will happen if you do not provide us with the data.
Data erasure and storage period
We will store your personal data as long as this is necessary to fulfill a purpose or the storage of the data is mandatory based on legal requirements according to Article 6(1)(c) GDPR.
If the purpose for storing personal data no longer applies, these data will be erased after 6 months or processing will be restricted unless it is necessary to continue storing the data in order to conclude or fulfill a contract.
These data will only be stored otherwise if this has been stipulated by the European or national legislator.
SSL or TLS encryption
We use SSL or TLS encryption on the entire website xitaso.com for security reasons on the one hand and to protect your confidential data on the other.
Confidential data such as, for example, requests or orders that you have sent to us cannot be viewed by third parties as a result of this encryption.
You can recognize an encrypted connection from the address bar of the browser changing from “http://” to “https://” and a green padlock icon being displayed in the address bar.
IV. Automatic data processing when accessing the website xitaso.com
IP address
1. Description and scope of data processing
When accessing the website xitaso.com, requests are sent to the server which it must answer. Your IP address must be collected and processed for this purpose in order to enable the server to respond to the corresponding requests.
2. Legal basis for data processing
The legal basis for processing these data is Article 6(1)(f) GDPR.
3. Purpose of data processing
The purpose of processing your IP address is to ensure that the website xitaso.com functions correctly and to enable you to access it.
4. Legitimate interest
The legitimate interest in the temporary storage of the IP address is that the website xitaso.com cannot function and access to the website is not possible without it.
5. Duration of storage
The data will be erased again as soon as it is no longer necessary for them to be stored due to fulfillment of the purpose.
Where the collection of data for providing the website is concerned, this is the case when the access procedure is completed.
6. Recipients of personal data
The IP address is processed by the following hosting provider as subcontractor based on a data processing agreement pursuant to Article 28(2) and (4) GDPR:
RAIDBOXES GmbH
Friedrich-Ebert-Straße 7
48153 Münster
Hosting
1. Description and scope of data processing
We use the services of our hosting provider for the technical implementation and accessibility of the website xitaso.com and for the technical maintenance thereof.
This includes the provision of storage and database services and the maintenance and updating thereof.
2. Legal basis for data processing
The legal basis for processing these data is Article 6(1)(f) GDPR.
3. Purpose of data processing
The purpose of processing is the implementation of the website xitaso.com or planfox.de and the detection of malfunctions and intrusion attempts.
4. Legitimate interest
The legitimate interest in mandating the hosting provider is the external technical expertise and the provision of a functional and uncompromised technical website environment.
5. Recipients of personal data and data categories:
The following hosting provider is active for us as a subcontractor based on a data processing agreement pursuant to Article 28(2) and (4) GDPR:
RAIDBOXES GmbH
Friedrich-Ebert-Straße 7
48153 Münster
The data categories concerned are:
o User data
o Communication data
o Contact data
o Contract data
Server log files
1. Description and scope of data processing
The IP addresses collected when accessing the website xitaso.com or planfox.de are also stored in what are referred to as server log files in order to discover and eliminate technical faults and/or attempts to manipulate and break into the server structure.
The hosting provider of the website xitaso.com or planfox.de also automatically collects, stores and processes information in server log files that is sent automatically by your browser.
This information comprises:
o IP address
o Browser type and browser version
o Operating system used
o Referrer URL
o Host name of the accessing computer
o Time of server request
However, this information is not merged with other data sources.
2. Legal basis for data processing
The legal basis for processing these data is Article 6(1)(f) GDPR.
3. Purpose of data processing
The purpose of processing your IP address and the aforementioned information is to detect malfunctions and intrusion attempts.
4. Legitimate interest
The legitimate interest in processing the IP address and the aforementioned information is the provision of a functional and uncompromised technical website environment.
5. Duration of storage
The data will be erased again within 7 days.
6. Recipients of personal data
The IP address and the aforementioned information are processed by the following hosting provider as subcontractor based on a data processing agreement pursuant to Article 28(2) and (4) GDPR:
RAIDBOXES GmbH
Friedrich-Ebert-Straße 7
48153 Münster
V. Use of cookies
1. Description and scope of data processing
The website sst23.xitaso.com does not use “cookies”. Cookies are text files that are stored in the memory and/or on a data carrier of the device you use to visit the site and that are processed by your Internet browser in accordance with the settings stored therein.
VI. Processing personal data via e-mail
1. Description and scope of data processing
In the case of e-mail inquiries, personal data are processed depending on the content of your e-mail:
This always includes your e-mail address and the date, time and content of the message. The following personal data may also be processed depending on the content of your e-mail:
o First name, last name
o Telephone number
The data are used solely for processing the conversation and/or executing and/or initiating a contractual relationship.
2. Legal basis for data processing
Based on the express request from the user by e-mail, the legal basis for processing data is Article 6(1)(f) GDPR. If the aim of making contact by e-mail is also to conclude and/or to execute a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
3. Purpose of data processing
The processing of personal data from your e-mail request only serves the purpose of establishing contact and enabling the company to provide the customer with information on the initiative of the customer.
Depending on the intention and content of your request, the purpose may also be to initiate and/or execute a contractual relationship.
4. Legitimate interest
The legitimate interest in data processing is the capability of handling your request and being able to respond to it accordingly. The data collected are processed on the basis of a request sent by you. This processing is also in your interests in order to enable us to respond to your request in a way that meets your expectations.
5. Duration of storage
The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code). For your e-mail, this is the case when the respective conversation with the user has ended.
The conversation is ended when it is evident from the circumstances that the situation has been finally clarified.
VII. Processing personal data via telephone
1. Description and scope of data processing
In the case of telephone inquiries, personal data are processed depending on the content of the conversation:
Depending on the information you provide during the telephone call, this may also include the following personal data:
o First name, last name
o Telephone number
o Customer number
o Payment data
o Contract data
The data are used solely for processing the conversation and/or executing and/or initiating a contractual relationship.
2. Legal basis for data processing
Based on the express request from the user by telephone, the legal basis for processing data is Article 6(1)(f) GDPR. If the aim of making contact by telephone is also to conclude and/or to execute a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
3. Purpose of data processing
The processing of personal data from the telephone conversation only serves the purpose of establishing contact and enabling the company to provide the customer with information on the initiative of the customer.
Depending on the intention and content of your request, the objective may also be to initiate and/or execute a contractual relationship and to maintain the customer relationship.
4. Legitimate interest
The legitimate interest in data processing is the capability of handling your request and being able to respond to it accordingly. The data collected are processed on the basis of a request sent by you. This processing is also in your interests in order to enable us to respond to your request in a way that meets your expectations.
5. Duration of storage
The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code). For your e-mail, this is the case when the respective conversation with the user has ended.
The conversation is ended when it is evident from the circumstances that the situation has been finally clarified.
VIII. Processing personal data within job application procedures
1. Description and scope of data processing
In the job advertisements posted on the career network LinkedIn or as part of our online presence, we regularly provide information about currently vacant positions for which you are invited to apply. Please send us your application documents via our online application form, by e-mail or via LinkedIn.
Data that you send us using the online application form may include:
o First name*
o Last name*
o E-mail address*
o Desired job category
o Link to XING or LinkedIn profile
o CV
Data that you send us by post as part of the application procedure may include:
o Name, address and contact details
o Resume including any further details
o Personal letter
o Qualifications
o Interests
If you send us your data by e-mail, we will also process your e-mail address and the date, time and content of the message. The following personal data may also be processed depending on the content of your e-mail:
o First name, last name
o Telephone number
When you apply for one of our job advertisements via LinkedIn, the site operator LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland) will provide us with the following data:
o the link to your LinkedIn profile
o your CV on LinkedIn
o the advertisement you are replying to
In the further course of the application procedure, and for the purpose of sending you an e-mail confirming that we received your application, we also process the visible data in your LinkedIn profile that are contained in your CV.
You can change the visibility of your profile data in your profile settings at LinkedIn by following this link: https://www.linkedin.com/psettings/data-visibility
In the “job search settings” of your LinkedIn profile you can select which data you want to provide in your application: https://www.linkedin.com/psettings/data-privacy
For further information on the data processing carried out by LinkedIn (https://de.linkedin.com/legal/privacy-policy) as well as your rights in this respect and setting options to protect your privacy please see the LinkedIn privacy statement.
The data are used solely to reach a decision on the vacancy to be filled as part of the application procedure.
To conduct online application interviews, we may use a collaboration tool that can process the following data:
o Text, audio, and video data.
o Content shared via the tool (e.g., whiteboard notes)
o User name, avatar, and profile picture
o Contact information (email address, phone number, address)
o IP address
2. Legal basis for data processing
The legal basis for processing the data within job application procedures is Article 6(1)(b) GDPR, § 26(1) BDSG (Federal Data Protection Act).
If you provide us with special categories of personal data within the application procedure such as information on an existing severe disability or health data that are required to assess the possibility of employing you in a certain position, these data provided on your initiative are processed according to Article 9(2)(b), (h) GDPR, Article 26(3) BDSG (Federal Data Protection Act).
The use of the collaboration tool for online application interviews is based on the legal basis of Art. 6 (1) f) GDPR (legitimate interests) and in our interest to provide a system for conducting online application interviews that enables an interactive exchange with our applicants.
3. Purpose of data processing
The processing of personal data within job application procedures is solely for the purpose of personnel planning, the selection of qualified applicants and to establish employment relationships.
4. Duration of storage
If an application is rejected, the data will be erased within 6 months of the rejection. Data from successful applications are subject to retention obligations which result from the labor and social law provisions, the German Tax Code (AO) and the German Commercial Code (HGB).
5. Categories of recipients
The access to the data we process for the above purposes is limited to the staff of our respective departments and any commissioned service providers.
To conduct online application interviews, we use the collaboration tool of InVision, Inc., 41 Madison Avenue, 25th Floor New York, NY 10010, USA (“InVision”).
To ensure an adequate level of data protection in the event of a possible transfer of your data to the USA, we have agreed with InVision on standard data protection clauses issued by the European Commission for this purpose. You may obtain a copy of this agreement from us upon request. To do so, please contact us using the contact details above.
IX. Processing personal data acquired by handing over business cards
1. Description and scope of data processing
By handing over your business card to us on initial contact, you provided us with your personal data. These are:
o Last name, first name
o Company
o Address of company
o Contact data
We process these data in our CRM system.
2. Legal basis for data processing
The data processing is carried out on the legal basis of Article 6 (1) (f) GDPR (legitimate interests) and in our interest to collect contact data of our business contacts and to be able to use them for subsequent communication.
3. Purpose of data processing
We process these data to enable business communication and to determine shared business interests and for maintaining a customer relationship.
We process your personal data only for this purpose and only insofar as you have communicated them to us.
4. Duration of storage
The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code).
X. Supplementary Information on the Facebook Fan page
1. Joint Controllers
You have accessed the Facebook Fan page of:
XITASO GmbH
Austraße 35
D-86153 Augsburg
Telephone: +49 821 885 882-0
E-Mail: info@xitaso.com
In the framework of the information service provided on this page we use the technical platform facebook.com and the services of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta” in the following).
We, as fan page operators, together with Meta, are jointly responsible for processing within the meaning of the data protection laws. Therefore, we have concluded an agreement with Meta pursuant to Art. 26 (1) GDPR in which we have regulated who fulfils which obligations under data protection law. The essence of this agreement is provided to you by Meta under the following link:
https://www.facebook.com/legal/terms/information_about_page_insights_data
Under this link, you will also find information on the processing of your data both by Meta and by us when you call up and interact with our Facebook fan page. Furthermore, you will find information on your rights and setting options with regard to the processing of your data. The information contained in this section of our data protection information therefore only applies in addition to the information provided by Meta.
2. Contact data for data protection
The contact data of our data protection officer are listed under II. Data protection officer.
3. Collection, processing and use of your personal data by us
You can use our Facebook fan page to react to our content, make comments, provide input on our page yourself or send us private messages. All data you provide and disclose in this respect will be used and thereby processed by us. The purpose of this data processing is exclusively the communication with the users based on our legitimate interest (Article 6 (1)(f) GDPR).
1. Categories of data subjects
The data subjects are registered and unregistered visitors of our Facebook fan page.
2. Data of registered visitors of our Facebook fan page which we process
o User identification (user name) by which you subscribed
o Authorized profile data (such as name specifications, profession, address, contact data, pictures, interests and, where required, special categories of personal data such as confession, health data etc.)
o Data created in the course of the sharing of contents, messages and communications
o Data required in the framework of a contract execution on request of a subscribed visitor
Moreover, we only process pseudonymized data like:
Statistics and insights about interactions with our fan page, the content pages, videos and other content provided via our fan page (page view activities, page visits, “likes”, coverage, general demographic, site and interest-related information about age, sex, country, city, language). Even we ourselves are not able to connect these pseudonymized data to any personal data (identifying features like name specifications). Thus, it is impossible for us to identify individual visitors. They remain anonymous.
3. Data of unregistered visitors of our Facebook fan page which we process
Pseudonymized data like statistics and insights into interactions with our fan page, contributions, pages, videos and other content provided via our fan page (page view activities, page visits, “likes”, coverage, general demographic, site and interest-related information about age, sex, country, city, language). Even we ourselves are not able to connect these pseudonymized data to any personal data (identifying features like name specifications). Thus, it is impossible for us to identify individual visitors. They remain anonymous.
4. Origin of the data
We collect the data directly from the data subject or we receive them from the platform operator.
5. Purpose of data processing
We process the data mainly for the purpose of public image. Moreover, we process the data for the purpose of communication, data exchange and the organization of events. Finally, data can also be processed in order to initiate and conclude contracts.
6. Legal bases
Further information can be found under III. General information on data processing.
Data processing for the purpose of external presentation is carried out on the legal basis of Article 6 (1) (f) GDPR (legitimate interests) and in our interest in providing a platform with up-to-date information, improving our offer as well as our website and the presentation of our company.
Data processing for communication with you via the Facebook fan page is carried out on the legal basis of Article 6 (1) p. 1 b) GDPR (contract initiation and implementation), as far as the content relates to an existing contractual relationship or you are interested in concluding a contract. Otherwise, the data processing is carried out on the legal basis of Article 6 (1) (f) GDPR (legitimate interests) and in our interest in effective communication with users in case of questions and other concerns.
7. Duration of storage
Based on the agreement concluded with the platform operator in accordance with Article 26 (1) GDPR it is the platform operator’s duty to store and delete the data. For further information please follow the link:
https://www.facebook.com/privacy/explanation
8. Categories of recipients
The data we process can only be accessed by our employees and service providers. But if data subjects post public content on our Facebook fan page it is accessible to other registered – and possibly also unregistered – visitors at any time.
XI. Additional information for the LinkedIn corporate presence
1. Joint controllers
We operate the LinkedIn corporate presence of Xitaso GmbH on the social media platform linkedin.com, which is provided to us by the service provider LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter “LinkedIn”).
When you visit or interact with our LinkedIn corporate presence, LinkedIn processes personal data from your profile, such as function, country, industry, seniority, company size and employment status data. In addition, LinkedIn processes information about how you interacted with our company page, such as whether you follow it.
Based on this data, LinkedIn provides us with statistics on the use of our corporate presence (so-called Page Insights). These statistics do not contain any personal data of visitors to our LinkedIn corporate presence, but only aggregated data. It is therefore not possible for us to assign information from the statistics to individuals.
We are responsible for data processing to produce these statistics, and together with LinkedIn for the processing within the meaning of the data protection laws. Therefore, we have concluded an agreement with LinkedIn in accordance with Article 26 (1) GDPR, in which we have regulated who fulfils which data protection obligations. This agreement can be viewed at the following link: https://legal.linkedin.com/pages-joint-controller-addendum
In essence, we have laid down the following obligations in this agreement:
- LinkedIn has committed itself to assume responsibility for the provision of Page Insights within the framework of the General Data Protection Regulation (GDPR) and to comply with all applicable obligations under the GDPR with regard to the data processing of Page Insights. This includes, among other things, that LinkedIn will inform you as the data subject about the processing of your data and provide you with options for exercising your rights. In addition, LinkedIn ensures the security of your personal data.
- We are committed to complying with applicable legal obligations, including any obligations arising from our use of Page Insights under the
LinkedIn’s information on the processing of your data and your rights in this regard can be found in LinkedIn’s privacy policy:
https://www.linkedin.com/legal/privacy-policy
The information contained in this section of our privacy policy is therefore only supplementary to the information provided by LinkedIn.
2. Contact details of the controller and data protection officer
The contact details of Xitaso GmbH and our data protection officer can be found under I. and II.
3. Processed data categories
You can react to our posts, write comments or send us messages via our corporate presence on LinkedIn.
We process the following data categories from visitors to our LinkedIn corporate presence, depending on whether you are a registered user of the LinkedIn platform or an unregistered visitor.
Data that we process from registered visitors to our LinkedIn corporate presence:
- User ID (username), under which you registered
- Shared profile data (e.g., name, photo, profession, address, contact details, activities, professional experience, interests and possibly further profile information)
- Data, which arise during content sharing, message exchange and communication
- Data, which are required in the context of a contract initiation at your request or for the execution of the contract
In addition, we process pseudonymized data such as: statistics and insights on how to interact with our LinkedIn corporate presence, the posts, pages, videos and other content provided by it (page activities, page views, “like” information, reach, general demographic, location, interest and activity related information). This pseudonymized data is provided to us by LinkedIn in the form of statistics and can usually not be combined by ourselves with the corresponding personal data (assignment features such as your name).
Data that we process from non-registered visitors to our LinkedIn corporate presence:
Pseudonymized data such as statistics and insights into how visitors interact with our LinkedIn corporate presence, the posts, pages, videos and other content provided by it (page activities, page views, “like” information, reach, general demographic, location, interest and activity related information). This pseudonymized data cannot be merged by us with the corresponding personal data (assignment features such as name). This makes it impossible for us to identify individual visitors. These remain anonymous for us.
4. Origin of the data
We collect the data directly from you as the data subject or receive it from LinkedIn as a platform operator.
5. Purposes of data processing
We process the data for external presentation and to keep the offer on our LinkedIn corporate presence attractive and relevant for the community. In addition, we process the data for communication with you and, if necessary, also for the initiation or execution of the contract.
6. Legal bases
Further information on the legal bases can be found under III. General information on data processing.
The data processing for the purpose of external presentation as well as for the attractive and relevant design for our community takes place on the legal basis of Art. 6 para. 1 p. 1 f) GDPR (legitimate interests) and in our interest in providing a platform with up-to-date information, the improvement of our offer as well as our website and the presentation of our company.
The data processing for communication with you via our LinkedIn corporate presence takes place on the legal basis of Art. 6 para. 1 p. 1 b) GDPR (contract initiation and execution), insofar as the content refers to an existing contractual relationship or you are interested in concluding a contract. Otherwise, the data processing takes place on the legal basis of Art. 6 para. 1 p. 1 f) GDPR (legitimate interests) and in our interest in effective communication with users in case of questions and other concerns.
7. Storage period
The above-mentioned data is stored exclusively by the platform operator LinkedIn; we do not store it additionally. The data storage and deletion are therefore based on the specifications of LinkedIn. Further information can be found in the privacy policy of LinkedIn:
https://www.linkedin.com/legal/privacy-policy
8. Recipient categories
The data processed by us can only be accessed by our employees of the responsible departments and, if applicable, service providers commissioned by us for the above-mentioned purposes. If you post your data publicly on our LinkedIn corporate presence, it can be viewed worldwide at any time by other registered and possibly also unregistered visitors.
XII. Supplementary Information about YouTube Videos
1. Description and scope of data processing
We use YouTube videos and plug-ins on our website. In accordance with the YouTube Terms of Service (version: Jan. 05, 2022) the YouTube service is provided in the European Economic Area by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). In other countries, the YouTube service is provided by YouTube LLC (901 Cherry Ave., San Bruno, CA 94066, USA; “YouTube”). Google Ireland Limited and YouTube LLC are subsidiaries of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
In this framework we make use of the so-called “Extended Data Protection Mode” offered by YouTube. This means that when you access our websites only those technically required data are transmitted to the service provider of your area (YouTube LLC or Google Ireland Limited) which your browser requires for the YouTube video to be displayed (displayed video, date and time, IP-address, browser type and settings, operating system).
Only when you click on the video, further data are transmitted to the service provider of your area. At the same time, YouTube regularly stores data on your terminal device by means of cookies and similar technology. If you have a YouTube or Google account, additional data may be assigned to your account when you view the video, depending on your account settings.
For further information about purpose and scope of the collection and processing of data by YouTube and Google please refer to the Google Privacy Statement: https://www.google.com/intl/de_de/policies/privacy/. There, you will also find more details as to your relevant rights and setting options to protect your privacy.
Google LLC operates under a so-called EU-U.S. Privacy Shield Certification which also includes Google LLC’s wholly owned subsidiaries in the US and thus also YouTube LLC.
The EU-U.S. Privacy Shield Agreement is a data protection agreement that has been concluded to ensure an appropriate level of data protection of data transfers to accredited US-companies. In its resolution dated July 12, 2016, the EU Commission confirmed the adequacy of the level of data protection guaranteed by the EU-U.S. Privacy Shield Agreement (file no. C(2016) 4176).
The resolution of the EU-Commission can be viewed here: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=uriserv:OJ.L_.2016.207.01.0001.01.DEU.
The current status of Google LLC’s certification in accordance with the EU-U.S. Privacy Shield Agreement can be viewed here:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI.
2. Legal basis for data processing
The legal basis for processing data is Article 6 (1) (f) GDPR (legitimate interests).
3. Purpose of data processing
The data processing serves to grant you access to videos of the YouTube platform displayed on our websites.
4. Legitimate interest
Our legitimate interest in data processing consists in being able to show you videos on our website and at the same time to decrease the load on our servers.
XIII. Supplementary Information on online social media presence
We maintain online presence within social networks and platforms in order to communicate with customers, interested parties and users active in social media and to inform them about our services.
We would like to point out that this might cause user data to be processed outside the European Union, which can pose risks for users because this might hinder the enforcement of users’ rights, for example. With regard to US providers certified under the Privacy Shield, we would like to point out that they commit themselves to comply with EU data protection standards.
Furthermore, user data are generally processed for market research and advertising purposes. Thus, for example, user profiles can be created from the user behaviour and the associated user interests. The usage profiles can in turn be used, for example, to display advertisements that presumably correspond to the interests of the users both within and outside of the platforms. For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behavior and interests are stored. Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).
The processing of users’ personal data is carried out on the basis of our legitimate interests in effectively offering users information and communicating with users (Article 6(1)(f) GDPR). If the users are asked by the respective providers of the platforms for consent to the above-mentioned data processing, the legal basis of the processing is Article 6(1)(a) and Article 7 GDPR.
For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the information provided by the providers linked below.
We would like to point out that requests for information and the assertion of user rights are also directed most effectively to the providers. Only the providers have access to the user data and can directly take appropriate measures as well as provide information. If you still need further assistance, you can contact us.
– Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
– XING (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) – Privacy Policy / Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.
XV. Rights of the data subject
If your personal data are being processed, you are the data subject within the meaning of the General Data Protection Regulation. This means you have the following rights against the controller.
In order to exercise your rights against us as the controller, please send an e-mail to the following address: datenschutz@xitaso.com
1. Right of access – Article 15 GDPR
You have the right to request confirmation from the controller as to whether personal data relating to you are being processed.
If such data are being processed, you have the right of access to these personal data and the following information:
o the purposes for which the personal data are processed;
o the categories of personal data that are processed;
o the recipients or categories of recipient to whom the personal data have been or will be disclosed;
o where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine the storage period;
o the existence of the right to request from the controller rectification or erasure of your personal data or the right to restrict their processing or to object to such processing;
o the right to lodge a complaint with a supervisory authority;
o any available information as to the source of the personal data where the data are not collected from the data subject;
o the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You are also entitled to request information about whether your personal data are transferred to a third country or to an international organization. In this context, you also have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
2. Right to rectification – Article 16 GDPR
You have the right to obtain from the controller without undue delay the rectification and/or completion of the data relating to you if the processed personal data are incorrect or incomplete.
3. Right to erasure – Article 17 GDPR
Erasure obligation:
You have the right to request the erasure of your personal data without undue delay where one of the following grounds applies:
o your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
o you have withdrawn your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal ground for the processing;
o you have objected to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing or you have objected to the processing pursuant to Article 21(2) GDPR;
o your personal data have been unlawfully processed;
o your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
o your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Exceptions:
There is no right to erasure to the extent that processing is necessary
o for exercising the right of freedom of expression and information;
o for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
o for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
o for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
o for the establishment, exercise or defense of legal claims.
4. Right to restriction of processing – Article 18 GDPR
You have the right to request the restriction of processing of the personal data relating to you subject to the following conditions:
o if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
o if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
o if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
o if you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of your personal data has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If there is a restriction of processing based on the aforementioned conditions, you will be informed by the controller before the restriction is lifted.
5. Right to notification – Article 19 GDPR
If you have asserted one of your rights to rectification, erasure or restriction of processing, we must inform all recipients to whom your personal data have been disclosed of the rectification or erasure of the data or of the restriction of processing unless this proves impossible or involves disproportionate effort.
You also have the right to be notified of these recipients.
6. Right to data portability – Article 20 GDPR
You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which you have provided the personal data, where
a) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
b) processing is carried out by automated means.
In exercising this right to data portability, you also have the right to have your personal data be transmitted directly from one controller to another, where technically feasible.
7. Right to object – Article 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing serves the purpose of establishing, exercising or defending legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.
8. Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Right to lodge a complaint with a supervisory authority – Article 77 GDPR
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of your personal data infringes the General Data Protection Regulation.
The supervisory authority with which you lodge the complaint must inform you as the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Last update: April 2022.
This Data Privacy Policy is updated on a regular basis.
Only texts in German are legally binding. Other language versions are legally non-binding translations.