I. Name and address of the person responsible
The controller within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is
Ideabay GmbH / Agnes-Pockels Bogen 1 / 80992 Munich
Phone: +49 89 21544639 / E-mail: [email protected]
II. General information on data processing
1. Scope of the processing of personal data
As a matter of principle, we only process personal data of our users as far as this is necessary to provide a functional website and our contents and services. The processing of personal data of our users regularly only takes place with the user’s consent. An exception is made in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Insofar as we obtain your consent for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
Insofar as the processing of personal data is necessary for the performance of a contract to which you are a party, Art. 6 para. 1 letter b GDPR serves as the legal basis. This also applies to processing operations carried out at your request to implement pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
3. Data deletion and storage duration
We store your data for as long as this is necessary for the provision of our online offer and the associated services or for the provision of our services or we have a justified interest in further storage. In all other cases, we delete your personal data with the exception of those data which we must continue to keep in order to fulfil contractual or statutory (e.g. tax or commercial law) retention periods (e.g. invoices). Contractual retention periods may also result from contracts with third parties (e.g. holders of copyrights and ancillary copyrights). We block data that is subject to a retention period until the expiry of the period.
III. Transfer of data to third parties; service providers
1. Transfer of data to third parties
Your personal data will only be passed on to third parties by us if this is necessary for the fulfilment of the contract, if we or the third party have a legitimate interest in passing on the data or if we have your consent to do so. If data is transferred to third parties on the basis of a legitimate interest, this is explained in these data protection provisions. In addition, data may be transferred to third parties if we should be obliged to do so by law or by an enforceable official or court order.
2. Service provider
We reserve the right to use service providers for the collection or processing of data. Service providers only receive the personal data from us that they need for their specific activities. For example, your e-mail address may be passed on to a service provider so that they can deliver a newsletter you have ordered. Service providers may also be commissioned to provide server capacity. Service providers are usually integrated as so-called processors, who may only process the personal data of the users of this online offer in accordance with our instructions.
3. Transfer of data to non-EEA countries
We also provide personal data to third parties or processors based in non-EEA countries. In this case, we ensure that the recipient either has an adequate level of data protection (e.g. by self-certification of the recipient for the EU-US Privacy Shield or the agreement of so-called EU standard contractual clauses of the European Union with the recipient) or that there is sufficient consent from our users prior to disclosure. You can obtain from us an overview of recipients in third countries and a copy of the specifically agreed regulations to ensure an adequate level of data protection. Please use the information in the Contact section for this purpose.
IV. Data collection when visiting our website
If you use our website for informational purposes only, i.e. if you do not register or provide us with information in any other way, we only collect the data that your browser sends to our server (so-called “server log files”). When you call up our website, we collect the following data, which are technically necessary for us to display the website:
(1) Browser type and version
(2) Operating system used
(3) Referrer URL
(4) Host name of the accessing computer
(5) Time of the server request
(6) IP address
The data may also be stored in the log files of our system. This data is not stored together with other personal data of the user. The legal basis for the temporary storage of data and log files is Art. 6 Para. 1 lit. f GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to your computer. For this purpose, your IP address must remain stored for the duration of the session. It is saved in log files to ensure the functionality of the website. In addition, the data serves us to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.
The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. In the case of the collection of data for the purpose of providing the website, this is the case when the relevant session has ended. The collection of the data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
Our Internet pages use so-called “cookies”. Cookies are small text files and do not cause any damage on your end device. They are either stored temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your terminal device until you delete them yourself or until they are automatically deleted by your web browser.
In some cases, cookies from third-party companies may also be stored on your terminal device when you enter our site (third-party cookies). These enable us or you to use certain services of the third party company (e.g. cookies for the processing of payment services).
Cookies have various functions. Numerous cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or the display of videos). Other cookies are used to evaluate user behaviour or display advertisements.
Cookies that are required to carry out the electronic communication process (necessary cookies) or to provide certain functions that you have requested (functional cookies, e.g. for the shopping basket function) or to optimise the website (e.g. cookies to measure the web audience) are stored on the basis of Art. 6 para. 1 letter f GDPR, unless another legal basis is given. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimised provision of his services. If consent to the storage of cookies has been requested, the storage of the cookies in question will take place exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR); consent may be revoked at any time.
You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for specific cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.
Insofar as cookies are used by third-party companies or for analysis purposes, we will inform you separately about this within the framework of this data protection declaration and, if necessary, request your consent.
VI. Contact form and enquiries by e-mail, telephone or fax
On our website there is a contact form which can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. These data are:
First name, surname, e-mail address, message text
The following data is also saved at the time the message is sent:
(1) The IP address of the user
(2) Date and time of registration
For the processing of the data, your consent will be obtained during the sending process and reference will be made to this data protection declaration.
Alternatively, it is possible to contact us via the provided e-mail address, telephone or fax. In this case, the personal data of the user transmitted by e-mail, telephone or fax will be stored.
In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation.
The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given his consent. The legal basis for the processing of the data transmitted in the course of the contact is Art. 6 para. 1 letter f GDPR. If the purpose of the contact is to conclude a contract, the additional legal basis for processing is Art. 6 para. 1 letter b GDPR.
The processing of the personal data from the input mask serves us solely to process the contact. In the case of contacting us by e-mail, telephone or fax, this is also the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. For personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be concluded from the circumstances that the matter in question has been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case the conversation cannot be continued.
The user can object to the storage of his personal data at any time by contacting us via the e-mail address provided in section I above. All personal data stored in the course of the contact will be deleted in this case.
VII. Web analysis services and tools
1. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies and similar technologies which are stored on your computer and which enable an analysis of your use of the website. The information generated by the cookie about your use of this website (including the shortened IP address) is usually transferred to a Google server in the USA and stored there.
This website uses Google Analytics exclusively with the extension “_anonymizeIp()”, which ensures anonymisation of the IP address by shortening it and excludes any direct personal reference. Through the extension, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. In these exceptional cases, this processing is carried out in accordance with Art. 6 para. 1 letter f GDPR on the basis of our justified interest in the statistical analysis of user behaviour for optimisation and marketing purposes.
On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activities and to provide us with further services related to website and internet use. The IP address transmitted by your browser within the framework of Google Analytics is not combined with other data from Google.
As an alternative to the browser plugin or within browsers on mobile devices, please click on the following link to set an opt-out cookie which will prevent Google Analytics from collecting data within this website in the future (this opt-out cookie only works in this browser and only for this domain; if you delete your cookies in this browser, you will have to click this link again): Google Analytics deactivate.
Google LLC, based in the USA, is certified for the US-European data protection agreement “Privacy Shield”, which guarantees compliance with the data protection level applicable in the EU.
2. Google Web Fonts
This site uses so-called web fonts, which are provided by Google, for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.
For this purpose, the browser you use must connect to Google’s servers. This enables Google to know that this website has been accessed via your IP address. The use of Google WebFonts is based on Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on his website. If the relevant consent has been requested (e.g. consent to the storage of cookies), processing will be carried out exclusively on the basis of Art. 6 para. 1 letter a GDPR; consent may be revoked at any time.
If your browser does not support web fonts, a default font from your computer is used.
3. Google Maps
This site uses the Google Maps map service via an API. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To use the functions of Google Maps it is necessary to save your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.
The use of Google Maps is in the interest of an attractive presentation of our online offers and to make it easy to find the places we have indicated on the website. This represents a legitimate interest in the sense of Art. 6 Para. 1 lit. f GDPR. If the relevant consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 letter a GDPR; consent may be revoked at any time.
4. Google reCAPTCHA
We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on this website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The purpose of reCAPTCHA is to check whether the data input on this website (e.g. in a contact form) is done by a human being or by an automated program. For this purpose, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, duration of the website visitor’s stay on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run completely in the background. Website visitors are not notified that an analysis is taking place.
The storage and analysis of the data is based on Art. 6 para. 1 letter f GDPR. The website operator has a legitimate interest in protecting his web offers from abusive automated spying and from SPAM. If the relevant consent has been requested, processing will be carried out exclusively on the basis of Art. 6 para. 1 letter a GDPR; consent may be revoked at any time.
You have the possibility to order our newsletter, in which you will regularly receive free information about our services. You can revoke your corresponding consent at any time. We use the so-called double opt-in procedure for ordering our newsletters, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you wish to receive our newsletters. If you confirm your wish to receive the newsletter, we will save your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of this storage is to send you the newsletter and to provide proof of your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscription link is included in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this. The legal basis for the aforementioned data processing is your consent in accordance with Art. 6 Para. 1 a) GDPR.
Our e-mail newsletters are sent via the technical service provider The Rocket Science Group, LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (www.mailchimp.com), to whom we pass on the data you provided during the newsletter registration process. This disclosure is made in accordance with Art. 6 Para. 1 lit. f GDPR and serves our legitimate interest in using an effective, secure and user-friendly newsletter system. Please note that your data is usually transferred to a MailChimp server in the USA and stored there. You can find more information about this in the data protection information of MailChimp at https://mailchimp.com/legal/privacy/.
IX. Use of Social Plugins
We use social plugins (hereinafter referred to as “social plugins” or “plugins”) from the following providers for our website:
Twitter plugins; Twitter is operated by Twitter Inc, 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). An overview of the Twitter plugins and their appearance can be found here: https://twitter.com/about/resources/buttons; information on data protection on Twitter can be found here: https://twitter.com/privacy.
Plugins from LinkedIn; LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (“LinkedIn”). An overview of LinkedIn’s plug-ins and their appearance can be found here: https://www.linkedin.com/developers/; information on Twitter privacy can be found here: https://www.linkedin.com/legal/privacy-policy.
Plugins from Xing; Xing is operated by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany (“Xing”). An overview of the LinkedIn plugins and their appearance can be found here: https://dev.xing.com/; information on data protection at Xing can be found here: https://privacy.xing.com/de.
4. How plugins work in principle
Only when you activate the plugins will your internet browser establish a direct connection to the servers of the respective plugin provider. This informs the plugin provider that your internet browser has called up the corresponding page of our online offer, even if you do not have a user account with the provider or are not logged in at the moment. Log files (including the IP address) are transmitted by your Internet browser directly to a server of the respective plug-in provider and stored there if necessary. This server may be located outside the EU or EEA (e.g. in the U.S.A.).
The plugins are independent extensions of the plugin providers. We therefore have no influence on the extent of the data collected and stored by the plugin providers via the plugins. If you do not want the plugin providers to receive the data collected via this Internet portal and, if necessary, save or re-use it, you should not use the respective plugins. In principle, you can also completely prevent the loading of the plug-ins by using add-ons for your browser, so-called script blockers.
Further information about the purpose and scope of the collection and the further processing and use of your data by plugin providers as well as your rights and setting options for the protection of your data can be found in the data protection information of the respective providers.
X. Handling of applicant data and documents
We offer you the opportunity to apply for a job with us (e.g. by e-mail or post). In the following we will inform you about the scope, purpose and use of your personal data collected during the application process. We assure you that the collection, processing and use of your data will be in accordance with the applicable data protection laws and all other legal requirements and that your data will be treated in strict confidence.
1. Scope and purpose of data collection
If you send us a job application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during job interviews, etc.) to the extent that this is necessary to make a decision on the establishment of an employment relationship. The legal basis for this is Section 26 BDSG-neu [German Federal Data Protection Act – new] according to German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and – if you have given your consent – Art. 6 para. 1 lit. a GDPR. Consent may be revoked at any time. Within our company, your personal data will only be passed on to persons involved in processing your application.
If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Section 26 BDSG-neu and Art. 6 Para. 1 lit. b GDPR for the purpose of carrying out the employment relationship.
2. Data retention period
If we are unable to offer you a job, you reject a job offer or withdraw your application, we reserve the right to keep the data you have submitted with us for up to 6 months from the end of the application procedure (rejection or withdrawal of the application) on the basis of our legitimate interests (Art. 6 para. 1 letter f GDPR). The data will then be deleted and the physical application documents destroyed. This storage is particularly for the purpose of providing evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an imminent or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.
Longer storage may also take place if you have given your consent (Art. 6 para. 1 letter a GDPR) or if statutory storage obligations prevent deletion.
XI. Rights of the data subject
The applicable data protection law grants you comprehensive data protection rights (rights of information and intervention) vis-à-vis the person responsible for processing your personal data, about which we inform you below:
1. Right to information according to Art. 15 GDPR
In particular, you have the right to be informed about your personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right of rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it was not collected from you by us, the existence of automated decision making including profiling and, where applicable, meaningful information on the logic involved and the scope and intended effects of such processing on you, as well as your right to be informed of the guarantees provided under Art. 46 GDPR when your data is transferred to third countries;
2. Right of rectification according to Art. 16 GDPR
You have the right to have incorrect data concerning you corrected and/or incomplete data stored by us corrected and/or completed without delay;
3. Right of deletion according to Art. 17 GDPR
You have the right to request the deletion of your personal data if the requirements of Art. 17 para. 1 GDPR are met. However, this right does not apply in particular if the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
4. Right to restrict processing under Art. 18 GDPR
You have the right to demand the restriction of the processing of your personal data as long as the accuracy of your data which you dispute is checked, if you refuse to have your data deleted due to unlawful data processing and demand instead the restriction of the processing of your data, if you require your data for the assertion, exercise or defence of legal claims, after we no longer require this data after the purpose has been achieved, or if you have lodged an objection for reasons of your particular situation, as long as it has not yet been established whether our justified reasons outweigh the objection;
5. Right to information under Art. 19 GDPR
If you have asserted the right to rectify, erase or limit the processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of these recipients.
6. Right to data transferability according to Art. 20 GDPR
You have the right to receive your personal data that you have provided us with in a structured, common and machine-readable format or to request that it be transferred to another responsible party, insofar as this is technically feasible;
7. Right to revoke consents granted under Art. 7 para. 3 GDPR
You have the right to revoke your consent to the processing of data at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned, unless further processing cannot be based on a legal basis for processing without consent. Revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation;
8. Right of appeal under Art. 77 GDPR
If you believe that the processing of personal data relating to you is in breach of the GDPR, you have the right – without prejudice to any other administrative or judicial remedy – to complain to the supervisory authority responsible for us. Alternatively, you can contact the data protection authority in your place of residence, which will then forward your complaint to the competent authority.
Due to our headquarters location in Munich, the following institution is the supervisory authority responsible for us:
Bayerisches Landesamt für Datenschutzaufsicht [Bavarian State Office for Data Protection Supervision] (BayLDA), Promenade 27, D-91522 Ansbach
9. RIGHT TO OBJECT to data collection in special cases and to direct advertising (Art. 21 GDPR)
IF WE PROCESS YOUR PERSONAL DATA IN THE CONTEXT OF A BALANCING OF INTERESTS DUE TO OUR PREDOMINANT LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE FOR REASONS ARISING FROM YOUR SPECIAL SITUATION.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO FURTHER PROCESSING IF WE CAN PROVE THAT THERE ARE COMPELLING REASONS FOR PROCESSING WORTHY OF PROTECTION WHICH OUTWEIGH YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH MARKETING. YOU MAY EXERCISE YOUR RIGHT TO OBJECT AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.
XII. Further information and contacts
If you have any further questions on the subject of data protection, please contact us at the contact address given in section I above.