Data protection declaration

I. General information

1. Contact data of the responsible party (“the controller”)
zwei.7 Holding GmbH
Heger-Tor-Wall 26
49078 Osnabrück
+49 541 933979-0
info@zweipunkt7.com

II. Specific information concerning the processing of personal data

1. Visiting the website

a) Purposes of data processing
Every time that a user accesses a page on our website and each time that a file is requested from our internet presence, this information is saved in a log file. This record of data includes the following:
(1) the page from which the file was requested,
(2) the name of the file,
(3) the date and time of the request,
(4) the amount of data transferred,
(5) the access status (file transferred, file not found, etc.),
(6) a description of the type of operating system and web browser,
(7) the host name of the computer accessing the site,
(8) and the client IP address.
We use this data to operate our website, particularly to determine how the website is used and to make modifications or improvements. The client IP address is used for the purpose of transferring requested data; after it is no longer required for functional purposes, it is anonymized by deleting either the last block of digits (IPv4) or the last octet (IPv6).

b) Retention Period
Every time a user accesses a page from our internet presence, data is saved and is erased as soon as it is no longer necessary for technical purposes, which is the case at the latest in the course of ten weeks after the visit to the website.

c) Legal basis
The temporary storage of the aforementioned data is permitted based on the legal basis of Article 6(1)f of the European Union’s General Data Protection Regulation (hereafter “GDPR”). The legitimate interest lies in the proper functioning and operation of our website and the monitoring of unauthorized abuse.

d) Objecting to these conditions and erasure of data
Those affected (hereafter referred to as the “data subject”) may object to the processing of their data by refraining from using this website and, subject to the terms and conditions stipulated in the section entitled “Your Rights” below, request the erasure of their personal data obtained from the use of this website through a form-free declaration.

2. Cookies

a) Purposes of data processing
To make visits to our website and information requests technically feasible, we place so-called “cookies” on the end device of the data subject. Cookies are small text files which allow data subject’s end device to be identified, usually by recording the name of the domain from which the cookie data was sent, information about the age of the cookie, and an alphanumeric identifier. By storing the cookie on the end device – without affecting the operating system – the device can be recognized again and allows us to make any previous settings immediately available. We use this information to customize our internet presence to your needs and to improve the performance of our website.

b) Retention Period
The retention period of different cookies varies, up to a maximum of two (2) years. These are stored on your local device and not on our server, which means that the actual period before erasure will vary depending on how your browser software is configured. To find out how to remove cookies from your browser automatically or regularly, refer to the customer support page of your browser software.

c) Legal basis
The storage of the aforementioned data is permitted based on the legal basis of Art. 6 (1) f of the GDPR. The legitimate interest for the use of cookies lies first in the ability to optimize our website through analysis and secondly to facilitate the visit to our website; particularly, some functions of our website are not possible without cookies, as the user and his or her previously entered settings cannot be recognized when navigating through different pages, language settings are lost, and the search function cannot be executed. Further storage is permitted based on the legal basis of Art. 6 (1) b of the GDPR regarding contract performance.

d) Objecting to these conditions and erasure of data
The data subject can block the use of cookies in the device used or erase them after access. Under certain conditions, however, individual functions of our internet presence are then not usable. To find out how to block cookies and remove previously saved cookies from your browser, refer to the customer support page of your browser software.

3. Contact with us

a) Purposes of data processing
The data subject can contact us via email, the contact form, fax, and/or telephone. We store the data shared and provided by the data subject to process these requests. Such data includes name, address, email address, telephone and/or fax number, date and time of the request as well as the description of the content, as well as contract information in cases concerning the contents or processing of a contract.

These data will not be transmitted to a third party. They serve to process the requests of the data subject.

b) Retention Period
As soon as the data is no longer necessary for the purpose for which it has been transmitted, it will be erased, which is the case when the conversation has been concluded and the contents have been adequately clarified, and no contractual or tax-related retention periods prevent the erasure of such records. This period shall be five (5) years for personal data relevant according to para. 147 of the German Abgabeordnung (Tax Code), and ten (10) years for personal data relevant according to para. 257 of the German Handelsgesetzbuch (Commercial Code). This period shall commence at the end of the calendar year in which the data were transmitted.

c) Legal basis
The storage of the aforementioned data is permitted based on the legal basis of Art. 6 (1) b of the GDPR regarding the initiation or performance of a contract as well as Art. 6 (1) f of the GDPR regarding legitimate interest. The legitimate interest of the controller lies in the ability to properly process contact requests and prevent abuse of the contact form.

d) Objecting to these conditions and erasure of data
The data subject has the option to object to the storage of these data at any time. The data stored for this shall then be erased. In the event that a contract is to be closed, the statements above related to “Closing of Contracts” shall apply.

4. Google Analytics

a) Purposes of data processing
The client IP address is used for Google Analytics. This website uses Google Analytics, a web analysis service from Google, Inc. (“Google”). Google Analytics uses cookies – small text files – that are stored on the end device of a data subject and allow analysis of the use of a website. The information provided by cookies is generally transmitted to and stored on a Google server in the USA. However, the IP addresses of data subjects within the Member States of the European Union or other treaty signatories of the Agreement on the European Economic Area are partially deleted (truncated) beforehand during the anonymization of client IP addresses on this website (see Section II. 1. A. “Purposes of data processing” above). Only in exceptional cases shall the complete IP address be transmitted to a Google server in the USA and truncated there. At the request of the operator of this website, Google will use this data to evaluate website use, generate website activity reports, and provide other services in relation to website activity and use of the internet to the website operator (zwei.7 Holding GmbH). The IP address transmitted by your browser for Google Analytics will not be compiled with other data from Google.

b) Retention Period
As soon as the data is no longer necessary for the purpose for which it has been transmitted, it will be erased, which is the case when the anonymization, which takes place within the European Union, is completed. This period is less than one second.
The data transmitted by us and associated with cookies, user data (e.g., user IDs,) or advertising IDs are automatically erased after fourteen (14) months. Erasure of data that have lasted for the retention period are automatically erased every month. More information is available at https://www.google.com/analytics/terms/de.html (in German) and https://policies.google.com.

c) Legal basis
The storage of the aforementioned data is permitted based on the legal basis of Art. 6 (1) f of the GDPR. The legitimate interest lies in the ability to optimize our website and internet presence through the analysis of the aggregated use of our website by all users without recourse to drawing conclusions about the behavior of identifiable data subjects.

d) Objecting to these conditions and erasure of data
The data subject can prevent the storage of cookies by customizing the settings of the respective browser software; we nevertheless notify the data subject that in such cases it is possible that not all functions of this website can be fully utilized. The data subject can nevertheless prevent the collection and subsequent processing by Google of data retrieved by the cookie and related to the use of the website by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout.

III. Your Rights

Insofar as personal data of the user is processed on our website, the affected user (i.e., the data subject) has the following rights vis-à-vis the responsible party (the controller) according to the GDPR.

1. Right of Access according to Art. 15 of the GDPR

The data subject has a right to the following information:
a) the purposes of the processing;
b) the categories of personal data being processed;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) of the GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
i) where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR relating to the transfer.
We shall provide the data subject with a copy of the a personal data undergoing processing. For any further copies requested by the data subject, we may charge a reasonable fee based on administrative costs.

2. Right to rectification according to Art. 16 of the GDPR

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure (“Right to be forgotten”) according to Art. 17 of the GDPR

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Art. 6 (1), or point (a) of Art. 9 (2), and where there is no other legal ground for the processing; the data subject withdraws consent on which the processing is based according to point (a) of Art. 6 (1), or point (a) of Art. 9 (2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Art. 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1).

4. Right to restriction of processing according to Art. 18 of the GDPR

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to processing pursuant to Art. 21 (1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

5. Right to notification regarding rectification or erasure of personal data or restriction of processing according to Art. 19 of the GDPR

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 (1) and Art. 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

6. Right to data portability according to Art. 20 of the GDPR

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Art. 6 (1) or point (a) of Art. 9 (2) or on a contract pursuant to point (b) of Art. 6 (1); and
b) the processing is carried out by automated means.
The rights referred to above shall not adversely affect the rights and freedoms of others.
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
The exercise of the right referred to in paragraph 1 of Art. 20 shall be without prejudice to Art. 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object according to Art. 21 of the GDPR

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Art. 6 (1), including profiling based on those provisions.
We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Consent provided by the data subject can be revoked at any time. The data collection and processing up until that point nevertheless remains lawful.

8. Automated individual decision-making, including profiling, according to Art. 22 of the GDPR

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.

These decisions shall not be based on special categories of personal data referred to in Art. 9 (1), unless point (a) or (g) of Art. 9 (2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
In the cases referred to in points (a) and (c) above, we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

9. Right to lodge a complaint with a supervisory authority according to Art. 77 of the GDPR

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.

10. Right to an effective judicial remedy against a controller or processor according to Art. 79 of the GDPR

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Art. 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.
Proceedings against us or a processor shall be brought before the courts of the Member State where we or our processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless we or our processor is a public authority of a Member State acting in the exercise of its public powers.

IV. Primacy of German version

This English translation of the zwei.7 Holding GmbH Data Protection Declaration has been offered for informational purposes only. While every attempt has been made to ensure its accuracy, in the case of a legal dispute, the German version shall nonetheless prevail. Please visit https://www.zweipunkt7.com/impressum/datenschutzerklaerung/ for any additional questions.