Mandatory information regarding data protection pursuant to Article 12 ff. GDPR
Your personal data will only be processed if it is necessary for the initiation, establishment, implementation (content and modification) or termination of a legal relationship between you and us (Art. 6 (1) (b) GDPR), if you have consented to the data processing (Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR), there is a legitimate interest in the processing (Art. 6 (1) (f) GDPR) or other legal obligations or legal requirements permit the processing (Art. 6 (1) (c) GDPR). For further information on the handling of your personal data, please refer to our privacy policy below.
The overview can be found here: Approved affiliated companies and subcontractors
Privacy policy in accordance with the EU General Data Protection Regulation (GDPR)
Valid for customers, interested parties, suppliers as well as sales and cooperation partners of RegioHelden GmbH (hereinafter referred to as “Controller”).
With the following information in accordance with Art. 12 ff. GDPR, we provide you with an overview of the processing of your personal data and your rights under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Which data is processed in detail and how it is used depends largely on the products and services requested or commissioned.
1. Controller responsible for data processing
RegioHelden GmbH
Rotebühlstraße 50
70178 Stuttgart
Germany
Contact details:
Phone: +49 711 128-501 0
Fax: +49 711 128 501-99
E-mail: info@regiohelden.de
Internet: www.regiohelden.de
2. Data protection officer of the controller
Dr. Georg F. Schröder, LL.M.
legal data Schröder Rechtsanwaltsgesellschaft mbH
Prannerstraße 1
80333 Munich
Phone: +49 89 954 597 52
E-mail: datenschutz@legaldata.law
3. Data and data sources
a) Sources
We process personal data that we receive from you as part of our business relationship. In addition, we process (to the extent necessary for the provision of our products and services) personal data that we have legitimately received from other companies of the Ströer Group (regiohelden.de/stroeer) or from other third parties (e.g. for the execution of orders, for the fulfillment of contracts or on the basis of your consent). On the other hand, we process personal data that we have legitimately obtained from publicly accessible sources (e.g. commercial and association registers, press, media, internet) and are permitted to process.
b) Categories of personal data
The following personal data may be collected, processed and stored when initiating a business relationship or when creating master data:
address and communication data (name, address, telephone, email address, other contact data), personal master data (date/place of birth, gender, nationality, marital status, business capacity, professional group code), legitimation data (e.g. ID card data, authentication data (e.g. specimen signature), tax ID, usage data from online marketing activities).
When products and services are used within the scope of the contracts concluded with us, the following additional personal data may be collected, processed and stored in addition to the aforementioned data:
contract master data (order data, data from the fulfillment of our contractual obligations, information on any third-party beneficiaries), billing, service and payment data (direct debit data, tax information, other personal master data (profession, employer), documentation data (e.g. logs), product data (e.g. requested or booked services and products) and the following business creditworthiness documents: income statements, balance sheets, business management analysis, type and duration of self-employment.
c) Contact information
In the course of the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts initiated by you or by RegioHelden, further personal data is generated. This includes, for example, information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information about participation in direct marketing measures.
d) Information society services
When processing data in the context of information society services, you will receive further information on data protection in connection with the respective service.
4. Purpose and legal basis of the processing
We process the personal data mentioned under 3. in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
a) For the fulfillment of contractual obligations (Art. 6 (1) (b) GDPR)
The processing of personal data is carried out for the establishment, performance (content design and amendment) and termination of a contract for the provision of products or services as well as for the implementation of pre-contractual measures for the preparation of offers, contracts or other requests aimed at the conclusion of a contract, which are made at your request.
The purposes of data processing are primarily based on the specific products and services and may include, among other things, needs analyses, advice and support. Further details on the purpose of data processing can be found in the respective (also pre-contractual) contractual documents of our cooperation.
Interested parties may be contacted during the initiation of the contract and customers, suppliers as well as sales and cooperation partners during the business relationship using the data they have provided, taking into account any restrictions that may have been expressed.
b) Based on your consent (Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR)
If you have given us your consent to process personal data for specific purposes (e.g. processing of leads in the evaluation system; transfer of data within the group of companies), this processing is lawful on the basis of your consent. Any consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the EU General Data Protection Regulation came into force, i.e. before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected by this. You can request an overview of the status of the consents you have given us at any time.
c) Based on your consent for special categories of personal data (Art. 9 (2) (a))
The processing of special categories of personal data (e.g. health data) is based on your consent in accordance with Art. 9 (2) (a) GDPR, unless legal permissions such as Art. 9 (2) (b) are relevant (see under d)).
d) Due to legal requirements (Art. 6 (1) (c) GDPR) or in the public interest (Art. 6 (1) (e) GDPR)
We are subject to various legal obligations and legal requirements and process data for the following purposes, among others: identity and age verification, the fulfillment of tax control and reporting obligations as well as the assessment and management of risks within the Group.
Due to legal requirements, in particular in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO), the responsible party is obliged to retain and store business documents and data for several years. In addition, to comply with legal requirements and to ensure information security, all access to the communication systems is logged, stored and, if necessary, evaluated.
In the event of disclosure for reasons of data protection, freedom of information or other laws, legal proceedings or investigations by supervisory authorities, data subjects must assume that e-mails, text messages, voice messages or other electronic communications can be accessed, read, listened to or disclosed by third parties if they are relevant to the issues under investigation.
e) To safeguard legitimate interests (Art. 6 (1) (f) GDPR)
Further processing of the data provided by you may be necessary for the following purposes in order to safeguard our legitimate interests or those of third parties:
- Testing and optimization of procedures for needs analysis and direct customer approach; incl. segmentation and calculation of closing probabilities
- Advertising or market and opinion research, unless you have objected to the use of your data
- Assertion of legal claims, defense in legal disputes, defense against liability claims
- Comparison with the so-called EU terror lists in accordance with the European Anti-Terrorism Regulation 2580/2001 and 881/2002 to ensure that no funds or other economic resources are made available for terrorist purposes
- Consultation of and data exchange with credit agencies to determine creditworthiness and default risks
- Prevention and investigation of criminal offenses
- Video surveillance to safeguard domiciliary rights, for the collection of
- Evidence in criminal offenses
- Building and office security measures
- Measures to safeguard domiciliary rights
- Measures for business management and further development of
- Services and products
- Risk management in the Group
- Own statistical purposes with anonymized data
- Ensuring IT security and IT operations: The personal data collected when using the IT systems, e-mail, Internet and telephony services is not used to monitor performance and behavior. The legal basis for the processing of personal data to ensure the proper operation of the e-mail/Internet services is the legitimate interest of the controller. The log and connection data collected is used exclusively for the purpose of billing Internet usage, ensuring system security, preventing and/or analyzing cybercrime, controlling load distribution in the network and optimizing the network, analyzing and correcting technical errors and malfunctions, monitoring misuse and in the event of suspected criminal offenses. The processing of stored personal data is restricted after approx. 6 months, with the exception of the data required by law to be archived. The data is only part of the long-term archiving.
5. Recipient of the data
Within the controller, those departments that require your data to fulfill our contractual and legal obligations will have access to it. Service providers used by us may also receive data for these purposes if they comply with our written instructions under data protection law.
With regard to the transfer of data to recipients outside the controller, it should first be noted that we are obliged to maintain confidentiality about all personal information of which we become aware. We may only pass on information if this is required by law, if you have given your consent and/or if processors commissioned by us guarantee the requirements of the EU General Data Protection Regulation and the Federal Data Protection Act in the same way.
Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions in the event of a legal or official obligation.
- Processors to whom we transfer personal data for the purposes mentioned under 4. In detail: Support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data destruction, purchasing/procurement, space management, recovery, customer administration, lettershops, marketing, media technology, reporting, research, risk controlling, expense accounting, telephony, video legitimation, website management, auditing services, payment transactions.
Other data recipients may be those bodies for which you have given your consent to the transfer of data.ligung zur Datenübermittlung erteilt haben.
The overview can be found here: Approved affiliated companies and subcontractors
6. Data transfer to third countries or international organizations
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders, is required by law (e.g. tax reporting obligations), if you have given us your consent or as part of order processing. If service providers are used in a third country, they are obliged to comply with the level of data protection in Europe in addition to written instructions by agreeing the EU standard contractual clauses.
7. Duration of data storage
We process your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations. If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted, unless you have consented to longer storage or their (temporary) further processing is necessary for the following purposes:
- Compliance with retention periods under commercial and tax law in accordance with Section 257 of the German Commercial Code (HGB) and the German Fiscal Code (Abgabenordnung) with the retention and documentation periods of two to ten years specified therein.
- Preservation of evidence for the defense against possible legal claims within the scope of the statute of limitations. According to Section 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.
8. Data protection rights of the data subject
Every data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure (“right to be forgotten”) under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to data portability under Article 20 GDPR and the right to object under Article 21 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right to erasure and the right to information. In addition, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 13 (2) (d) GDPR and Art. 77 GDPR in conjunction with Section 19 BDSG.
You can revoke your consent to the processing of personal data at any time in accordance with Art. 7 (3) GDPR. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e. before May 25, 2018. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Obligation to provide data
In order to carry out the purposes mentioned under 4., you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfillment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract, provide products and render services or will no longer be able to perform an existing contract and may have to terminate it.
10. Automated decision-making (including profiling)
In principle, we do not use fully automated decision-making (including profiling) in accordance with Article 22 GDPR to justify and implement the purposes mentioned in 4. If we use these procedures in individual cases, we will inform you of this separately if this is required by law.
11. Profiling
We process your data partly automatically with the aim of evaluating certain personal aspects (profiling). We use profiling, for example, to provide you with targeted information and advice on products with the help of evaluation tools. These enable needs-based communication and advertising, including market and opinion research.
12. E-mail newsletter
1. Newsletter with registration
On our website you have the possibility to subscribe to our newsletter about current topics in the field of online marketing. If you register for our newsletter, we will use the data required for this or separately provided by you to send you our e-mail newsletter regularly on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.
Further information on our newsletter can be found at https://stroeer-online-marketing.de/newsletter/.
Our newsletter will only be sent after the double opt-in procedure has been completed. If you decide to subscribe to our newsletter, you will receive a confirmation e-mail, which serves to prevent the misuse of false e-mail addresses and to prevent the newsletter from being sent by a simple, possibly accidental click.
We are also obliged to provide proof that our subscribers actually wanted to receive the newsletter. For this purpose, we collect and store the IP address and the time of subscription and unsubscription.
You can unsubscribe from our newsletter at any time with effect for the future and can either send a message to the contact option described below or via a link provided for this purpose in the newsletter.
The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this. After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings.
The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). Storage in our blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.
2. Newsletter dispatch and tracking
For the dispatch of our newsletter, we use the newsletter service provider CleverReach, an offer from Clever Reach GmbH & Co KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”), which acts on our behalf. CleverReach is a service that can be used to organize and analyze the sending of newsletters. Our newsletters sent with CleverReach enable us to analyze the behavior of newsletter recipients. Among other things, it is possible to analyze how many recipients have opened the newsletter message and how often which link in the newsletter was clicked on. Conversion tracking can also be used to analyze whether a predefined action (e.g. purchase of a product on this website) has taken place after clicking on the link in the newsletter.
Further information on data analysis by CleverReach newsletters can be found at: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/.
The data processing is based on your consent in accordance with Art. 6 (1) (a) GDPR. Unsubscribing from CleverReach analyses is possible at any time and can be done either by sending a message to the contact option described or via a link provided for this purpose in the newsletter.
For more information, please refer to CleverReach’s privacy policy at: https://www.cleverreach.com/de/datenschutz/.
Information about your right to object in accordance with Article 21 of the EU General Data Protection Regulation (GDPR)
1. Individual right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) GDPR (data processing in the public interest) and Art. 6 (1) (f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 (4) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
2. Right to object to the processing of data for advertising purposes
In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be addressed to the controller in any form.
Approved affiliated companies and subcontractors
1. Approved affiliated companies of the contractor
| Company | Company headquarters | Purpose | Third country | Guarantees / Agreements |
|---|---|---|---|---|
| Ströer SE & Co. KGaA | Cologne | Supporting media services | – | – |
2. Approved subcontractors
| Company | Company headquarters | Purpose | Used for/in | Third country | Guarantees / Agreements |
|---|---|---|---|---|---|
| Mailgun Technologies, Inc. | 535 Mission St. San Francisco, CA 94105 | Sending e-mails | Customer communication | USA | EU standard contractual clauses |
| Yext Limited | 7th Floor, United Kingdom House, 2 Great Titchfield St, Fitzrovia, London W1D 1NN, UK | Data synchronization in online directories | Ströer Listing Ströer SEO | UK/USA | Adequacy decision of the EU Commission EU standard contractual clauses |
| matelso GmbH | Heilbronner Str. 150, 70191 Stuttgart | Phone number tracking | Ströer Campaign Tracking | – | – |
| http.net Internet GmbH | Franzstr. 51, 52064 Aachen | E-mail services, domain registration and administration | Ströer Website | – | – |
| T3 Premium (Samuel Heinz) | T3 Premium Internetagentur Raistinger Str. 60, 71083 Herrenberg | SEO optimization on websites | Ströer SEO | – | – |
| Medium Media | Schulstraße 18, 73061 Ebersbach | SEO optimization on websites | Ströer SEO | – | – |
| jamp internet solutions | Seelandstraße 14-16 23569 Lübeck | SEO optimization on websites | Ströer SEO | – | – |
| Schmidt Media GmbH | Aachener Str. 75 50931 Cologne | Entry in the “t-online industries” directory | Ströer Listing | – | – |
| local-classifieds.com | Seyfettin Cinar, Wacholderweg 14, 34125 Kassel | Processing SEO listing data | Ströer SEO | – | – |