Information in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) and other data protection legislation
1./ Who is responsible for data processing (the controller) and whom can I contact?
Our controller is:
Name: novomind AG, Mr. Mark Moeken
Address: Bramfelder Chaussee 45, 22177 Hamburg, Germany
Telephone: +49 (0) 40 808071-0
Our Data Protection Officer is:
Name: Markus Blunk
TÜV Rheinland i-sec GmbH
Am Grauen Stein
51105 Cologne, Germany
2./ For what purpose do we process your data and what is the legal basis for that? / Can I refuse consent to my data being collected?
Whenever it is called by you or an automated system, our website records a number of items of general data and information. This general data and information is stored in our server’s log files. The following may be recorded: the types of browser used and their versions, the operating system used by the system accessing our website, the website from which a system accesses our website, the subpages accessed by a system on our website, the date and time our website was accessed, an Internet Protocol address (IP address), the Internet service provider of the system accessing our website, and other similar data and information that helps repel threats in the event that our IT systems are attacked.
We do not use this general data and information to identify the data subject. This information is required instead to deliver our website’s content correctly, to optimise our website’s content and advertising for it, to ensure that our IT systems and our website’s technology keep running properly, and to provide the law-enforcement authorities with the information required to prosecute any cyberattacks that occur. This data and information, which is collected anonymously, is therefore analysed by us statistically, as well as with the objective of increasing data protection and data security at our company and so ultimately ensuring an ideal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from all personal data provided by a data subject.
2.1. To perform contractual obligations
We use personal data (e.g. your name and address) you provide us with voluntarily in connection with conclusion of a contract or steps prior to entering into a contract (e.g. by means of our contact form) on the basis of the related consent to that (Article 6 (1) point (a) GDPR). We then process this data in accordance with statutory requirements (such as under the German Federal Data Protection Act (BDSG), the German Telemedia Act (TMG) and the General Data Protection Regulation (GDPR)). The personal data sent to the controller is defined in the input screen used for registration.
We process the data required to perform a contract or steps prior to entering into a contract (such as replying to your questions) (Article 6 (1) point (b) GDPR).
If you do not provide the personal data, we cannot fulfil our contractual obligations (such as replying to your questions), nor can we reply to any of your inquiries.
2.2. To comply with legal obligations
If processing of personal data is necessary for compliance with a legal obligation on the part of our company, the legal basis for processing the data is Article 6 (1) point (c) GDPR.
2.3. On the basis of a weighing of interests (Article 6 (1) point (f) GDPR)
Where necessary, we process your data, above and beyond what is required to merely perform the contract, in order to safeguard the legitimate interests pursued by us or a third party, such as:
• Consultation of and exchange of data with credit reporting agencies (e.g. SCHUFA) to ascertain information on creditworthiness or risks of default and the needs relating to the account that is exempt from attachment or basic account;
• Examination and optimisation of processes for analysing needs and direct addressing of customers;
• Advertising or market and opinion research, if you have not objected to use of your data;
• Establishing legal claims and defending ourselves in legal disputes;
• Ensuring IT security and IT operation at our company;
• Preventing and investigating criminal acts;
• Video surveillance enables evidence to be gathered in the event of criminal acts. It therefore helps us protect customers and employees, keep out trespassers and enforce the house rules;
• Measures related to business controlling and further development of products and services.
Processing of the above data is necessary to safeguard our legitimate interests (in accordance with Article 6 (1) point (f) GDPR) and is justified on account of our overriding interests. We cannot send you any direct marketing without using this data. We use your data for direct marketing of our services only if you have first consented to that (or have not objected) and have not withdrawn your consent. We also select the communications channels used for marketing (such as post, e-mail) so as to ensure that they cause you the least possible inconvenience.
3./ Who uses the data?
The personal data is used solely by the persons and departments involved in handling the contract. The processors we engage (Article 28 GDPR) may also obtain data for said purposes (e.g. through hosting companies). They are companies in the categories IT services, logistics, printing services, telecommunications, debt collection, advice and consulting, and sales and marketing. We predominantly store the data we receive on our firm’s own servers, but in some cases also on servers of specialised service providers in Germany. They are:
DTS Systeme Münster GmbH
Soester Str. 13
48155 Münster, Germany
50672 Cologne, Germany
Data is not transferred to third parties who are not involved in performing the contract. In particular, personal data is not transferred to a third country or an international organisation.
4./ For how long is your data stored?
Where necessary, we process and store your personal data only for the period of time which is required to achieve the purpose for which it is stored or which is authorised by European Directives or Regulations or other laws or provisions of another legislator to which the controller is subject.
If the purpose for which the data is stored no longer applies or a storage period prescribed by European Directives or Regulations or another competent legislator expires, the personal data is routinely blocked or erased in accordance with the statutory provisions, if it is no longer required to perform a contract or steps prior to entering into a contract.
Moreover, we are subject to various statutory retention and documentation obligations, among other things pursuant to the German Commercial Code (HGB)*, the German Fiscal Code (AO)*, the German Banking Act (KWG)*, and the German Money Laundering Act (GwG)*.
If you have consented to processing of your personal data (Article 6 (1) point (a) GDPR), we erase your personal data at the latest as soon as you withdraw your consent and there is no other legal ground for processing the data.
5./ Data protection as part of applications and in the application process
We collect and process personal data from job applicants so as to handle the application process. The data may also be processed electronically. That is the case in particular when applicants send their application documents to the controller electronically, such as by e-mail or using a form on the website. If you conclude an employment contract with us, the data provided is stored for use as part of the employment relationship in compliance with statutory provisions. If an employment contract is not concluded with an applicant, the application documents are automatically erased two (2) months after a decision to reject the applicant is communicated, unless the controller has other legitimate interests for not erasing it. Another legitimate interest here is, for example, the requirement to furnish proof in the event of legal action under the German General Act on Equal Treatment (AGG).
We do not take any decision within the meaning of Article 22 GDPR which is based solely on automated processing, including profiling, and/or which produces legal effects concerning you or similarly significantly affects you.
6./ Is automated processing used?
We process your personal data in our firm’s own IT facilities, automatically and in accordance with the above comments.
7./ What data protection rights do you have?
You have the right to access personal data and obtain information on it (Article 15 GDPR), the right to rectification of data (Article 16 GDPR), the right to erasure of data (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR) and the right to object to processing of your data (Article 21 GDPR).
You also have a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR); please refer to Section 7./.
Please send your withdrawal of consent or your request to:
Name: Mark Moeken
Address: Bramfelder Chaussee 45, 22177 Hamburg, Germany
Telephone: +49 40 808071-0
Alternatively, you can contact our Data Protection Officer directly:
Name: Markus Blunk
TÜV Rheinland i-sec GmbH
Am Grauen Stein
51105 Cologne, Germany
8./ Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the country in which you are currently residing or where your place of work is located or at the place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority responsible for Hamburg is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
(Hamburg Commissioner for Data Protection and Freedom of Information)
Klosterwall 6 (Block C), 20095 Hamburg, Germany
Phone: (040) 4 28 54 - 40 40
Fax: (040) 4 279 – 11811
10./ Use of Google Analytics
In light of the current discussion about the use of analysis tools with full IP addresses, we would like to point out that this website uses Google Analytics with the “_anonymizeIp()” extension. This truncates IP addresses to prevent any direct association with specific persons.
This website also uses social plugins (“Facebook plugins”) of the social network facebook.com, which is operated by Facebook Inc. (“Facebook”). The Facebook plugins can be identified from the Facebook logo or are indicated by the addendum “Facebook Social Plugin”. When you call a page on our website that contains such a Facebook plugin, your browser establishes a direct connection to Facebook’s servers. The Facebook plugin’s content is transmitted by Facebook directly to your browser and integrated by the latter in the website. We therefore have no influence on the scope of data Facebook gathers using the Facebook plugin and so can only provide you with the information we currently have on this subject. By integrating the plugins, Facebook is informed that you have visited the relevant page of our Internet presence. If you are logged on to Facebook, Facebook can assign your visit to your Facebook account. When you interact with the Facebook plugins, such as by pressing the “Like” button or leaving a comment, the information is likewise sent by your browser directly to Facebook and stored there. If you are not a member of Facebook, it is still possible for Facebook to learn your IP address and store it. Please refer to Facebook’s Data Policy for details of the purpose and scope of data collection, how the data is processed and used further by Facebook, your related rights and settings you can make to protect your privacy.
If you are a member of Facebook and do not want Facebook to collect data on you through our Internet presence and link it to member data stored on Facebook, you must log out of Facebook before you visit our Internet presence.
Our Internet presence uses social plugins (“XING plugins”) of the social network xing.com (“XING”), which is operated by XING AG, Hamburg, Germany. The XING plugins can be identified from the XING logo or are indicated by the addendum “XING”. When you call a website on our web presence that contains such a XING plugin, your browser establishes a direct connection to XING’s servers. The plugin’s content is transmitted by XING directly to your browser and integrated by the latter in the website. By integrating the XING plugins, XING is informed that you have visited the relevant page of our Internet presence. If you are logged on to XING, XING can assign your visit to your XING account. For details of the purpose and scope of data collection, how the data is processed and used further by XING, your related rights and settings you can make to protect your privacy, please refer to: https://www.xing.com/privacy.
If you are a member of XING and do not want XING to collect data on you through our Internet presence and link it to your member data stored on XING, you must log out of XING before you visit our Internet presence.
13./ Google AdWords
We use the online advertising program “Google AdWords” and, as part of Google AdWords, conversion tracking. Google conversion tracking is an analytics service from Google. If you click on an advertisement placed by Google, a cookie for conversion tracking is set on your computer. These cookies lose their validity after 30 days, do not contain any personal data and so are not used to identify users personally. If you visit specific pages of our website and if the cookie has not yet expired, we and Google will be able to tell that you have clicked on the ad and so were forwarded to that page.
We also use the social plugin from the social network of Instagram (“Instagram plugins”), which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”).
When you call a page on our web presence that contains such an Instagram plugin, your browser establishes a direct connection to Instagram’s servers. The Instagram plugin’s content is transmitted by Instagram directly to your browser and integrated in the page. Integration of it means Instagram is informed that your browser has called the page on our web presence, even if you do not have an Instagram profile or are not currently logged on to Instagram. This information (including your IP address) is transmitted by your browser directly to an Instagram server in the USA and stored there. If you are logged on to Instagram, Instagram can directly assign your visit to our website to your Instagram account. When you interact with the Instagram plugins, such as by pressing the “Instagram” button, this information is likewise sent directly to an Instagram server and stored there. The information is also published on your Instagram account and shown there to your contacts. For details of the purpose and scope of data collection, how the data is processed and used further by Instagram, your related rights and settings you can make to protect your privacy, please refer to Instagram’s Data Policy: https://help.instagram.com/155833707900388/.
If you do not want Instagram to assign the data collected through our web presence directly to your Instagram account, you must log out of Instagram before you visit our website.
If you are a member of YouTube and do not want YouTube to collect data on you through our Internet presence and link it to your member data stored on YouTube, you must log out of YouTube before you visit our Internet presence.
Our Internet presence uses social plugins (“LinkedIn plugins”) of the social network linkedin.com (“LinkedIn”), which is operated by LinkedIn Ireland Unlimited Company, Ireland. The LinkedIn plugins can be identified from the LinkedIn logo or are indicated by the addendum “LinkedIn”. When you call a website on our web presence that contains such a LinkedIn plugin, your browser establishes a direct connection to LinkedIn’s servers. The plugin’s content is transmitted by LinkedIn directly to your browser and integrated by the latter in the website. By integrating the LinkedIn plugins, LinkedIn is informed that you have visited the relevant page of our Internet presence. If you are logged on to LinkedIn, LinkedIn can assign your visit to your LinkedIn account. For details of the purpose and scope of data collection, how the data is processed and used further by LinkedIn, your related rights and settings you can make to protect your privacy, please refer to: https://www.linkedin.com/legal/privacy-policy.
If you are a member of LinkedIn and do not want LinkedIn to collect data on you through our Internet presence and link it to your member data stored on LinkedIn, you must log out of LinkedIn before you visit our Internet presence.
This website also uses social plugins of the social network Twitter. Twitter is operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. When you call our pages that have Twitter plugins, a connection is established between your browser and the Twitter servers and data is already transmitted to Twitter. If you have a Twitter account, this data can be linked to it. If you do not want the data to be assigned to your Twitter account, please log off from Twitter before you visit our site. Interactions, in particular when you click on a “Retweet” button, are likewise transmitted to Twitter. For details of the purpose and scope of data collection, how the data is processed and used further by Twitter, your related rights and settings you can make to protect your privacy, please refer to: https://twitter.com/privacy.
I/we have taken note of the “Information on Data Protection”. I am/we are aware that my/our data required for processing, administration and handling is processed in compliance with the GDPR and that the data collected as part of performance of a contract is passed on to the above persons/departments.
DSGVO - General Data Protection Regulation
BDSG - German Federal Data Protection Act
TMG - German Telemedia Act
GwG - German Money Laundering Act
HGB - German Commercial Code
KWG - German Banking Act
AO - German Fiscal Code
Our website uses the geolocation service visitor.js.
We have no influence over the scope of the data collected by the geolocation service. For details of the data that is collected and how it is processed and used, please refer to the provider’s Privacy Statement: