Data Protection Notice – HINTBOX

We, lawcode GmbH, take data protection very seriously and would like to inform you in our following data protection information about how we process your personal data and in particular what rights you are entitled to.

Personal data is information with the help of which a person can be determined, i.e. information that can be traced back to a person. This typically includes the name, e-mail address or telephone number. In addition, purely technical data that can be assigned to a person is also considered personal data.

 

A. Data Protection Notice of lawcode GmbH / Data Protection Officer

1. Contact details of the responsible person / data protection officer

1.1 Contact details of the controller
lawcode GmbH
Universitätsstraße 3
56070 Koblenz
Germany

Managing directors:
Dr. Ubbo Assmus
Patrick Diede
Lukas Hoffmann
Dominik Lienen

Phone: +49 261 988 03 700
E-mail: contact@lawcode.eu

1.2 Contact details of the data protection officer

Andreas Weber

lawcode GmbH
Universitätsstraße 3
56070 Koblenz
Germany

Phone: +49 261 988 03 700
E-mail: datenschutz@lawcode.eu

2. Data to be processed and data categories
In the course of our business activities, we process the following personal data of customers and business partners in particular:

• Contact data of the customer and contact person, such as first and last name, business telephone as well as fax number, e-mail address as well as postal address;
• Bank account data, tax numbers, booking numbers, as well as other billing and accounting-related data of natural persons.

3. Purposes of data processing and legal basis
We process your personal data for the following purposes:

3.1. Data processing for the performance of the contract
We process personal data for the purpose of executing and fulfilling the contract concluded between the customer and us for the provision of the Hintbox and Ombuds Solution, the execution of orders in connection with the Hintbox and Ombuds Solution and for the performance of measures and activities in the context of pre-contractual relations, e.g. with interested parties.

The data processing is based on Art. 6 paragraph 1 lit b) General Data Protection Regulation (“GDPR”). According to this, data processing is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures which are carried out at the request of the data subject.

3.2. Data processing within the legitimate interests
We may also process your personal data if data processing is necessary to protect our legitimate interests. The data processing is based on Art. 6 paragraph 1 lit. f) GDPR. According to this, data processing is lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. Our legitimate interests are:

• for advertising or opinion research, unless you have objected to the data processing;
• for statistical evaluations and/or market analysis;
• for evaluation and optimization of the Hintbox and the Ombuds Solution;
• for the execution of a contract with us.

3.3. Data processing for the fulfillment of legal obligations
We process your personal data because we are also partly obliged to do so by law. In particular, tax and commercial law regulations provide for a long storage period of up to 10 years. In such cases, the data processing is based on Art. 6 paragraph 1 lit. c) GDPR in conjunction with the tax and commercial (storage) regulations. According to Art. 6 paragraph 1 lit. c) GDPR, data processing is lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject.

4. Recipients or categories of recipients of your data
We only transfer personal data to third parties if there is a legal basis for doing so, such as, in particular, consent to transfer to third parties, the performance of a contract requires this, a balancing of interests justifies this, or in order to comply with legal requirements under which we are obliged to provide information, report or pass on data. Otherwise, data is only transferred to external service providers who process the data exclusively on our behalf, such as our hosting provider. Within lawcode, only those persons receive the personal data that are required and necessary for the fulfillment of tasks.

5. Duration of the storage of personal data
We store your personal data for the duration of our business involvement, i.e. also for the implementation of pre-contractual measures up to the complete fulfillment of a contract. In addition, we store personal data in accordance with the statutory retention obligations under commercial and tax law of – depending on the requirement – 6 to 10 years. Furthermore, the personal data may also be stored longer if a legal basis allows this, such as when the personal data is required for the assertion, exercise or defense of legal claims beyond that.

6. Data processing within the European Union
We process your personal data exclusively within the European Union.

7. Your rights
You have the following rights against us regarding the personal data concerning you:

• Right of access (Art. 15 GDPR);
• Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR);
• Right to restriction of processing (Art. 18 GDPR);
• Right to data portability (Art. 20 GDPR);
• Right to object to processing (Art. 21 GDPR), in particular with regard to the specified procedures based on a legitimate interest or a balance of interests;
• Right to withdraw your consent at any time (Art. 7 paragraph 3 sentence 1 GDPR). The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can exercise your rights, among other things, by writing an e-mail to the e-mail address given in section 1 or to datenschutz@lawcode.eu.

Furthermore, you have the right to complain to a data protection supervisory authority about the processing of your personal data by us (Art. 77 GDPR). For this purpose, you can contact the supervisory authority at our registered office. You can find the address under the following link on the Internet: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

8. Your obligation to provide personal data (Art. 13 paragraph 2 lit. e) GDPR)
There is no legal obligation to provide us with your personal data. However, if you wish to conclude a contract with us, we require the necessary personal data for the purpose of concluding and executing the contract. Without this required personal data, it is not possible to conclude and execute a contract.

B. Supplementary Data Protection Information for applications / application data

1. Data to be processed and data categories

As part of the application process, we process in particular the following personal data provided by you (“Application Data”):

  • Personal data (in particular title, first and last name, street, postal code, city, country, cell phone number, telephone number and e-mail address);
  • Information in additional file attachments to your application (cover letter, CV, and references). 

2. Purposes of data processing and legal basis

We process your application data exclusively for the purpose of deciding whether to establish an employment relationship, i.e. to carry out the entire application process with us.

The application data provided to us is processed on the basis of Section 26 (1) Sentence 1 of the German Federal Data Protection Act (BDSG). According to this, personal data of applicants within the meaning of Section 26 (8) Sentence 2 of the German Federal Data Protection Act (BDSG) may be processed for purposes of the employment relationship if this is necessary for the decision on the establishment of an employment relationship.

3. Duration of the storage of personal data

If no employment relationship is established, the application data provided by you and stored by us will be deleted after 6 months following notification of a rejection.

If you make use of the option to withdraw your application at any time, your application data will be deleted immediately and completely.

4. Information according to Art. 13 paragraph 2 lit. e) GDPR

The provision of your application data is voluntary. You are also not obliged to provide us with your application data. Provision is neither legally nor contractually required. However, in order to actually process your application, it is necessary to process your application data.

C. Supplementary Privacy Policy for our website www.hintbox.de

1. Purposes of data processing, legal basis and duration of data storage
We process personal data on the website www.hintbox.de operated by us for the following purposes:

1.1. Contact

1.1.1. Contact form and e-mail
When contacting us (for example, by e-mail or by using the contact form), the information you provide will be processed for the purpose of processing the request and in the event that follow-up questions arise.

The data processing is based on Art. 6 paragraph 1 lit. f) GDPR. According to this, data processing is lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data override these, in particular if the data subject is a child. Our legitimate interest is to process the contact. You can object to this data processing at any time if there are reasons relating to your particular situation. For this purpose, it is sufficient to send an e-mail to the e-mail address given under A. item 1 or to datenschutz@lawcode.eu.

The personal data stored in the context of contacting us will be deleted when the matter related to the contact has been fully clarified and it is also not expected that the specific contact will be relevant again in the future.

1.1.2. Chat (Freshchat)
We use the Freshchat tool as a communication tool on our website. This allows you as a user of our website to contact us medially about the Hintbox or Ombuds Solution and make inquiries. We can answer or chat with you immediately via this chat or communication tool.

Freshworks GmbH (Freshworks), Neue Grünstrasse 17, 10179 Berlin, is the provider of the chat tool. Freshworks automatically processes the chat session data required to provide the chat service with the requestor when using the chat tool. On our behalf, Freshworks will perform analyses to improve our website offering, our Hintbox / Ombuds Solution as well as our service and provide us with statistics. In this respect, Freshworks acts as our processor in accordance with Art. 28 GDPR.

The data processing is based on Art. 6 paragraph 1 lit. f) GDPR. According to this, data processing is lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data override these, in particular if the data subject is a child. Our legitimate interest consists in processing the contact via chat. In addition, our legitimate interest in processing data for the purpose of statistical evaluation is to be able to improve our website offering. You can object to this data processing at any time if there are reasons relating to your particular situation. For this purpose, it is sufficient to send an e-mail to the e-mail address specified under A. item 1 or to datenschutz@lawcode.eu.

The personal data stored in the course of contacting us will be deleted when the matter relating to the contact has been fully clarified and it is not expected that the specific contact will be relevant again in the future.

For more information on the chat service, please visit https://www.freshworks.com/de/cookie-liste/, for more information on data protection, please visit the privacy policy at https://www.freshworks.com/de/datenschutz/.

1.2. Server-log files
In the case of mere informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. The so-called server log files include:

• IP address
• Date and time of the request
• Time zone difference from Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Amount of data transferred in each case
• Website from which the request comes
• Browser
• Operating system and its interface
• Language and version of the browser software.

This data is not merged with other personal data that you may actively provide as part of the website. We collect server log files for the purpose of displaying and administering the website, ensuring stability and security, and detecting and preventing unauthorized access.

The personal data in log files are processed on the basis of Art. 6 paragraph 1 lit. f) GDPR. According to this, data processing is lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data override these, in particular if the data subject is a child.

Our “legitimate interest” is to provide our website, easier administration and the ability to detect and track hacking. You can object to this data processing at any time if there are reasons relating to your particular situation. For this purpose, it is sufficient to send an e-mail to the e-mail address given under A. item 1 or to datenschutz@lawcode.eu.

The server log files with the above data are automatically deleted after 7 days at the latest. We reserve the right to store the server log files longer if facts exist that suggest unauthorized access (such as an attempted hack or a so-called DDoS attack).

1.3. Cookies
We use various cookies on our website. Cookies are small text files that are stored on your hard drive, assigned to the browser you are using, and through which certain information flows to the body that sets the cookie (here, us). Cookies cannot execute programs or transfer viruses to your computer. They serve to make the Internet offer as a whole more user-friendly, more effective and more administrable.

We use transient and persistent cookies on our website: Transient cookies are automatically deleted when you close the browser. These include in particular the session cookies. These store a so-called session ID, with which various requests of your browser can be assigned to the common session. This allows your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close the browser. Persistent cookies are deleted automatically after a specified duration, which may differ depending on the cookie.

Before visiting our website, you will be asked by means of a cookie box to control or manage the use of cookies (see “Borlabs cookies” below). In addition, you can delete the cookies in the security settings of your browser at any time. You can configure your browser settings according to your wishes and, for example, refuse to accept cookies. We would like to point out that you may then not be able to use all functions of this website.

In addition to our own cookies, we also use cookies from third-party providers on our website that help us to make our website more interesting for you. Information about the cookies, such as the purpose of the individual cookies, the data processed in each case, the providers of the cookies and the recipients of the data collected, the privacy notices of third-party providers and the storage period of the respective cookie can be found on the “Cookie details” and “Individual privacy settings” page in the cookie box.

1.3.1. Borlabs Cookie
We use a so-called Borlabs cookie on our website. This cookie is a tool for administering the use of so-called first-party cookies and third-party cookies. You can control the use of cookies before you visit our website via this – generally referred to as – “cookie banner” or “cookie box”.

The Borlabs cookie stores the settings of visitors to our website selected by you in the cookie box for a period of 1 year. Your IP address is not stored. Beyond that, we only process the stored data for statistical evaluations.

The processing of user data within the scope of this paragraph is based on legitimate interests according to Art. 6 paragraph 1 lit. f) GDPR. According to this provision, data processing is lawful if the processing is necessary to protect the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Our “legitimate interest” is the legally compliant implementation of the requirements of the GDPR for the use of cookies on our website. The use of various cookies, for example third-party or marketing cookies, requires the express prior consent of the user of the website. The Borlabs cookie is intended to implement these requirements accordingly. Our legitimate interest also lies in the statistical evaluation for the purpose of improving our website offering.

You can object to this data processing at any time if there are reasons relating to your particular situation. For this purpose, it is sufficient to send an e-mail to the e-mail address given under A. item 1 or to datenschutz@lawcode.eu.

1.3.2. Essential Cookies
In order to ensure the secure and trouble-free operation of the website and to be able to offer you certain functions, we store the cookies that are displayed in the cookie box under “Cookie details” and “Individual privacy settings”. Use of some functions of our website is not possible without these cookies.

These cookies are stored by us on the basis of Art. 6 paragraph 1 lit. f) GDPR, which allows the processing of personal data in the context of our “legitimate interests”, unless your fundamental rights, freedoms or interests prevail. Our legitimate interests consist in the technically error-free and optimized provision of our website.

1.3.3. Google Analytics (statistics)
We use Google Analytics to regularly analyze and evaluate the use of our website. The statistics obtained enable us to design our website and its offers in a more needs-oriented, user-friendly, effective and interesting manner and thus permanently improve and optimize them. Further information on data processing and the storage period within the framework of Google Analytics can be found under “Cookie details” and “Individual privacy settings” in the cookie box.

Google Analytics is a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses methods that enable an analysis of your use of the website, such as cookies. The information collected by Google Analytics about the use of this website is usually transferred to a Google server in the USA and stored there. By activating IP anonymization on this website, your IP address will be truncated by Google before being transmitted to the USA within the member states of the European Union or other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing us with other services relating to website activity and internet usage. In this respect, Google acts as our processor in accordance with Art. 28 GDPR. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Data processing within the scope of Google Analytics takes place only if you give us your consent to do so. The legal basis for the use of Google Analytics is Art. 6 paragraph 1 lit. a) GDPR, which permits the processing of personal data with the consent of the data subject. After giving your consent, you can stop the collection by Google Analytics at any time by revoking your consent.

Further information on the terms of use of Google Analytics can be found at http://www.google.com/analytics/terms/de.html, and further information on data protection can be found in Google’s privacy policy at https://policies.google.com/privacy?hl=de.

1.3.4. Recaptcha v3
We use the Google service reCaptcha (version 3) to determine whether a human or a computer or bot makes a certain entry in our contact or newsletter form. For more information on data processing and storage duration within Recaptcha, see “Cookie details” and “Individual privacy settings” in the cookie box.

Google reCaptcha is a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google uses the following data to verify whether you are a human or a computer or bot, namely the IP address of the terminal device used, our website that you visit and on which Google reCaptcha is embedded, the date and duration of the visit, the recognition data of the browser and operating system type used, a Google account if you are logged in to Google, mouse movements on the reCaptcha areas and website behavior.

The data collected by Google reCaptcha is usually transferred to a Google server in the USA and stored there. By activating IP anonymization on this website, your IP address will be shortened by Google before being transmitted to the USA within the member states of the European Union or other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information to evaluate the use of the website and provide us with statistics on suspected computers or bots. In this respect, Google acts as our processor in accordance with Art. 28 GDPR. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

These cookies are stored by us on the basis of Art. 6 paragraph 1 lit. f) GDPR, which allows the processing of personal data in the context of our “legitimate interests”, unless your fundamental rights, freedoms or interests prevail. Our legitimate interest is to ensure the IT security of our website and to protect ourselves from automated input from computers or bots (IT security).

Further information on Google reCaptcha can be found at https://www.google.com/recaptcha/, further information on data protection in Google’s data protection declaration at https://policies.google.com/privacy?hl=de.

1.3.5. Hotjar
We use the cookie Hotjar, which allows us to evaluate user behavior on our website so that we can improve our website offering. With Hotjar, for example, your mouse movements and clicks can be stored and evaluated. This enables us to analyze which areas of our website tend to be clicked on and viewed preferentially by users and for how long. Areas of the websites in which personal data of you or third parties are displayed are automatically hidden by Hotjar and are therefore not traceable at any time. Furthermore, Hotjar makes it possible to determine at which point you abandoned the information you entered in our contact form.

In addition, Hotjar can be used to obtain direct feedback from website visitors. This function serves to improve the website operator’s web offerings.

Hotjar is a service provided by Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 141 Malta, Europe. We have entered into an order processing agreement with Hotjar, according to which Hotjar only processes the data on our behalf.

Data processing within the scope of Hotjar takes place only if you give us your consent to do so. The legal basis for data processing is Art. 6 paragraph 1 lit. a) GDPR, which permits the processing of personal data with the consent of the data subject. After giving your consent, you can stop the processing of data by Hotjar at any time by revoking your consent. For more information about Hotjar, please visit www.hotjar.com. You may also opt-out of data processing by Hotjar by following the instructions on the following link: https://www.hotjar.com/privacy/do-not-track/. For more information about Hotjar, please visit https://www.hotjar.com/privacy/.

The cookies from Hotjar are stored in your terminal device until you delete them. The stored data is deleted after 12 months at the latest.

1.3.6 LinkedIn Insight Tag

We use the conversion tool “LinkedIn Insight Tag” so that we can improve our website offering. It allows us to display targeted advertising outside of our website without identifying you as a user of our website. This tool creates a cookie in your web browser that allows the collection of, among other things, the following data: IP address, device and browser characteristics, and page events (e.g., page views). This data is encrypted, anonymized within seven days, and the anonymized data is deleted within 90 days. This tool is provided by LinkedIn Ireland Unlimited Company (“LinkedIn”). LinkedIn does not transmit any personal data to us. LinkedIn only provides us with anonymized reports on website audience and ad performance. LinkedIn offers the possibility of retargeting. 

For more information on data protection at LinkedIn, please refer to LinkedIn’s privacy policy.

Data processing in the context of the conversion tool “LinkedIn Insight Tag” takes place only if you give us your consent to do so. The legal basis for this data processing is Art. 6 para. 1 lit. a) GDPR, which permits the processing of personal data with the consent of the data subject.

LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To deactivate the Insight tag on our website again or to revoke your consent, please do so via our cookie settings.

1.4. Newsletter
We process the information you enter on our website www.hintbox.de to send you newsletters with news about the Hintbox / Ombuds solution and compliance. To register, it is sufficient to enter an e-mail address. The other information, such as first name, last name and gender, on the other hand, are voluntary and serve to personalize the newsletter.

To register for our newsletter, after you sign up on our website we will send an e-mail to the address you entered, asking you to confirm by clicking on the link it contains. Only after this confirmation are you registered for the newsletter, and you will receive it from then on (so-called double opt-in procedure). This double opt-in procedure is necessary so that no third party can register with someone else’s e-mail address. If you do not confirm your registration within 24 hours, your entered data will be deleted. In addition, we store your IP addresses used in each case and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

This data processing takes place only on the basis of consent that you have given with the complete registration of the newsletter. According to Art. 6 paragraph 1 lit. a) in conjunction with Art. 7 GDPR, data processing is permitted if you have given your consent for data processing for one or more specific purposes. Furthermore, the sending of the newsletter is based on § 7 paragraph 2 no. 3 German Unfair Competition Act (UWG).

The storage of the registration data is based on Art. 6 paragraph 1 lit. f) GDPR. Our legitimate interest is the proof of consent to send the newsletter.

Your consent to receive the newsletter and information can be revoked at any time. To do so, you can click on an unsubscribe link at the end of a newsletter sent to you. In addition, you can send an e-mail to the e-mail address specified in section A item 1 or to datenschutz@lawcode.eu. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

The personal data stored as part of the newsletter registration will be deleted if you have successfully unsubscribed from the newsletter or revoked your consent.

2. Your obligation to provide personal data (Art. 13 paragraph 2 lit. e) GDPR)
The provision of your personal data on this website is generally neither legally nor contractually required. You are not obliged to provide personal data on this website, unless we refer to this in individual cases in this data protection notice. Nevertheless, the provision of the functions of this website and the implementation requires the processing of your personal data.

3. Our company pages on LinkedIn, Xing and Facebook
We maintain company pages on social networks such as LinkedIn, Xing and Facebook. On these company pages, we offer interested parties, business partners and customers information about Hintbox / Ombuds Solution and the topic of compliance. We would like to point out that the terms of use and also data protection notices of the respective service providers of the social networks apply to the use of these social networks. If you contact us via such social networks and provide us with your personal data, the information provided in this data protection notice will apply to further data processing.