This Privacy Policy informs you about which of your personal data (hereinafter “data”) are processed, to what extent and for what purpose as part of our online service and the associated websites, functions, content and external online presences, e.g. our social media profiles (hereinafter “online service”). With regard to the terms used such as “processing” or “data controller” we draw your attention to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
ZEITGEIST GROUP GmbH
Herdweg 59
70174 Stuttgart
Germany
E-mail address: info@zeitgeist.group
Managing Director/ Owner: Vincent Bodo Andrin & Timo Schönauer
Link to Legal Information https://zeitgeist.group/imprint
Data Protection Officer contact address: Datenschutz@zeitgeist.group
“Personal data” are all information that relates to an identified or identifiable natural person (hereinafter the “data subject”); a natural person will be considered identifiable if they can be identified directly or indirectly particularly through association with a designation such as a name, an ID number, location data, online identification (e.g. a cookie) or one or more specific features that indicate the physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.
“Processing” is any automated or non-automated process or sequence effected in connection with personal data. The term is far-reaching and covers virtually every use of data.
The “data controller” is the natural or legal person, authority, establishment or other body that alone or with others decides on how and for what purpose personal data are processed.
In accordance with Art. 13 GDPR we are informing you of the legal bases on which we undertake data processing. Insofar as the legal basis is not specified in this Privacy Policy the following apply: Art. 6 (1) a) and Art. 7 GDPR form the legal basis for obtaining consent; the legal basis for processing for the purpose of providing our services, executing contractual measures and answering requests is Art. 6 (1) b) GDPR; the legal basis for processing to fulfill our legal obligations is Art. 6 (1) c) GDPR; and the legal basis for processing to pursue our legitimate interests is Art. 6 (1) f) GDPR. In the event that processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, the legal basis is Art. 6 (1) d) GDPR.
We would ask you to regularly read our Privacy Policy from time to time. We modify our Privacy Policy whenever changes arising out of our data processing render this necessary. We will inform you as soon as such changes require some action on your part (e.g. consent) or where personal notification is otherwise necessary.
Insofar as we disclose data to other individuals and businesses (data processors and third parties), transfer data to them or otherwise give them access to the data within the scope of our processing, this is effected only where this is legally permissible (e.g. where transfer of the data to a third party such as payment service providers is necessary for contract performance in accordance with Art. 6 (1) b) GDPR), where you have given your consent, where a legal obligation exists, or where it is on the basis of our legitimate interests (e.g. in the event that agents, web hosters, etc. are used).
Insofar as we instruct third parties to process data on the basis of a data processing contract, this is done on the basis of Art. 28 GDPR.
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do so by using the services of a third party and/or disclose and/or transfer data to third parties, this is only done in order to fulfill our precontractual and/or contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process data or have data processed in a third country only where the special conditions set out in Art. 44 ff. GDPR exist. This means that processing is effected on the basis of special guarantees such as the officially recognized establishment of a EU-compliant level of data protection (e.g. the Privacy Shield in the USA) or observation of officially recognized special contractual obligations (what are known as “standard contractual clauses”).
Under the provisions of Art. 15 GDPR you have the right to request information about which data are being processed, and the right to information about these data as well as to further information and a copy of the data.
Under the provisions of Art. 16 GDPR you have the right to request the completion of your personal data and/or rectification of incorrect personal data.
Under the provisions of Art. 17 GDPR you have the right to request the immediate erasure of your personal data and/or to request that the processing of your personal data be restricted under the provisions of Art. 18 GDPR.
Under the provisions of Art. 20 GDPR you have the right to receive the personal data that you have provided to us, and the right to have that data transferred to another data controller.
Furthermore, Art. 77 GDPR gives you the right to lodge a complaint with the competent supervisory authority.
Under the provisions of Art. 7 (3) GDPR you have the right to withdraw any consents you have given with future effect.
Under the provisions of Art. 21 GDPR you may object at any time to the future processing of your personal data. This objection may most notably be exercised against processing for the purposes of direct advertising.
Cookies are small files that are stored on your computer. Various information may be stored on cookies. The main purpose of a cookie is to store information about you, as a user (such as the device on which the cookie is stored) during and/or after your visit to an online service. Cookies that are deleted after you have left the online service and closed your browser are known as temporary, session, or transient cookies. This kind of cookie may, for example, store the contents of your shopping cart in an online store or your login status. Permanent or persistent cookies are those cookies that remain stored on your device even after the browser is closed. This means that your login status can be stored when you return to the service at some later date. Equally, this kind of cookie can store your interests and this information is used to measure audience reach or for marketing purposes. Third-party cookies are those cookies that are placed by providers other than the party providing the online service (that party’s cookies are known as first-party cookies).
We may use temporary and permanent cookies and explain their use in our Privacy Policy.
If you do not wish cookies to be stored on your computers, you should deactivate them by adjusting your browser settings accordingly. Browser settings can be used to deleted cookies that are already stored. Blocking cookies may reduce the functionality of this online service.
You may make a blanket objection to the use of cookies for the purposes of online marketing for a wide range of services, and particularly tracking, via the US web page www.aboutads.info/choices/ or the EU page www.youronlinechoices.com. The storage of cookies may furthermore be prevented by adjusting the browser settings to block them. Please note that if you do so, you may not be able to use all the functions of this online service.
The data we process are erased in accordance with Art. 17 and 18 GDPR or their processing is restricted. Insofar as not explicitly specified in this Privacy Policy, the data we have stored are erased as soon as they are no longer required for the purpose for which they were collected, and where no statutory retention periods conflict with such erasure. Where the data are not erased because they are required for other, lawful purposes, their processing is restricted. This means that the data are blocked and are not processed for other purposes. This applies, for example, to data that must be retained under the provisions of commercial or fiscal law.
Under the provisions of German law, the most notable retention periods are 10 years in accordance with Art. 147 (1), Art. 257 (1) 1) and 4) AO (German Tax Code), Art. 4 HGB (German Commercial Code) (books, records, situation reports, booking receipts, account books, documents relevant for tax purposes, etc.), and 6 years in accordance with Art. 257 (1) 2) and 3), and (4) HGB (business correspondence).
Under the provisions of Austrian law, the most notable retention periods are 7 years (accounting documents, receipts/invoices, accounts, vouchers, business papers, records of income and outgoings, etc.) in accordance with Art. 132 (1) BAO (Austrian Tax Code), 22 years in connection with real estate lots, and 10 years for documentation connected with services provided electronically, telecommunications, radio and television services provided to non-entrepreneurs in EU member states, and those services for which the Mini-One-Stop-Shop (MOSS) is used.
We also process
– contractual data (e.g. subject matter of the contract, contract term, customer category)
– payment data (e.g. bank details, payment history)
of our customers, leads and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.
The hosting services we use serve the provision of the following services: infrastructure and platform services, computing capacity, storage and database services, security services, and technical maintenance services that we use for the purpose of operating this online service.
In doing so we process, for example, our hosting provider’s user data, contact data, content data, contractual data, usage data, meta data and communication data of customers, leads, and visitors to this online service on the basis of our legitimate interests in an efficient and secure provision of this online service in accordance with Art. 6 (1) f) GDPR in conjunction with Art. 28 GDPR (conclusion of a processing contract).
We and/or our hosting provider collect data in what are known as log files every time the server on which this service is located is accessed, on the basis of our legitimate interest in the sense of Art. 6 (1) f) GDPR. These access data include the name of the web page visited, file, date and time of the visit, transferred data volume, report on successful retrieval, browser type and version, the user’s operating system, the referrer URL (the previously visited page), IP address and the name of the internet services provider.
Log file information is stored for a maximum 7 days for security reasons (e.g. to establish misuse or fraudulent acts) and then erased. Data which need to be retained for longer for evidence are not erased until the respective incident has been finalized.
We process your data when you place an order in our online store so that we can enable you to select and order your chosen products and services, and to enable payment and delivery and/or execution.
The data processed includes user data, communication data, contractual data, payment data and the data subjects include our customers, leads and other business partners. Processing is effected for the purpose of providing contractual services within the scope of operating an online store, invoicing, delivery, and customer service. In doing so, we use session cookies to store the contents of shopping carts, and permanent cookies to store the user’s login status.
Processing is effected on the basis of Art. 6 (1) b) (handling order processes) and c) (legally obligatory processing) GDPR whereby the details designated as mandatory are required for the establishment and performance of the contract. We only disclose the data to third parties within the scope of delivery, payment or within the scope of legal permissions and obligations to legal consultants and authorities. The data are only processed in third countries where this is necessary for contract performance (e.g. for delivery or payment at the customer’s request).
If you wish, you may if create a user account where, most notably, you can view your orders. During registration, you are notified about mandatory information. User accounts are not public and cannot be indexed by search engines. If you cancel your account, your data are erased in terms of the user account subject to their retention being required under commercial or fiscal law as set out in Art. 6 (1) c) GDPR. Data in the customer account are retained until the account is deleted and subsequently archived in the event of a legal obligation. You are obliged to secure your data when you close your account prior to the end of the contract.
Within the scope of first registration and subsequent registrations, and the use of our online services, we store your IP address and the time of your respective user activity. Storage is on the basis of our and your legitimate interest in protection against misuse or other unauthorized use. These data are not disclosed to third parties save where this is necessary to pursue our claims or where a legal obligation exists as set out in Art. 6 (1) c) GDPR.
Data are erased after any statutory warranty and similar retention periods have elapsed. The necessity of retaining data is checked every three years; in the event of statutory archiving obligations, erasure is effected once they have lapsed (6-year obligatory retention period under commercial law and 10 years under fiscal law).
We process our customers’ data within the scope of our contractual services which include conceptual and strategic consultancy, campaign planning, software and design development/consultancy or maintenance, implementation of campaigns and processes/handling, server administration, data analysis / consultancy services and training services.
In doing so we process user data (e.g. customer user data such as names or addresses), contact data (e.g. e-mail addresses, telephone numbers), content data (e.g. text input, photographs, videos), contractual data (e.g. subject matter of the contract, contract term), payment data (e.g. bank details, payment history), usage and meta data (e.g. within the scope of analyzing and measuring the success of marketing measures). We do not process special categories of personal data save where these form part of a contracted processing. The data subjects include our customers, leads, and their customers, users, website visitors or employees, and third parties. The purpose of processing lies in the provision of contractual services, invoicing, and our customer service. Art. 6 (1) b) GDPR (contractual services) and Art. 6 (1) f) GDPR (analysis, statistics, optimization, security measures) form the legal basis for processing. We process data that are necessary to establish and provide contractual services and we draw attention to the need to provide these data. They are only disclosed to third parties where this is necessary within the scope of a contract. When processing data within the scope of a contract, we act on the instruction of the client and we comply with the statutory requirements for contracted processing as set out in Art. 28 GDPR, and we do not process the data for any purpose other than that specified in the contract.
We erase the data once statutory warranty and similar retention obligations have lapsed. The necessity of retaining data is checked every three years; in the event of statutory archiving obligations, erasure is effected once they have lapsed (6-year obligatory retention period under the provisions of Art. 257 (1) of the German Commercial Code; 10 years under the provisions of Art. 147 (1) of the German Tax Code). In the case of data that are disclosed to us by the client within the scope of a contract, we erase the data in accordance with the terms of the contract, and always once the contract has ended.
We process data within the scope of administrative duties and the organization of our business, accounting, and complying with legal obligations such as archiving. In doing so we process the same data that we process within the scope of providing our contractual services. Art. 6 (1) c) GDPR and Art. 6 (1) f) GDPR form the legal basis for processing. This processing affects customers, leads, business partners and website visitors. The purpose of and our interest in processing lies in administration, accounting, office organization, and archiving of data. In other words, tasks that serve the maintenance of our business activities, administration of our duties, and provision of our services. The erasure of the data with regard to contractual services and contractual communication corresponds with the details specified for these processing activities.
In the course of processing we disclose or transfer data to financial authorities, consultants such as tax consultants or auditors, and other billing centers and payment service providers.
On the basis of our commercial interests we furthermore store data about suppliers, event organizers and other business partners for the purpose of, say, making contact in future. We permanently store these data, the majority of which are business-related.
We only process job candidate data for the purpose of and within the scope of handling job application processes in compliance with the statutory requirements. The processing of candidates’ data is effected to fulfill our precontractual and contractual obligations within the scope of the job application process in the sense of Art. 6 (1) b) GDPR and Art. 6 (1) f) GDPR insofar as the data processing is necessary to us within the scope of legal processes (in Germany, Art. 26 BDSG – Data Protection Act – also applies).
The job application process presupposes that candidates share their details with us. Insofar as we provide an online form, the required candidate data are specifically indicated, and can otherwise be recognized from the given job descriptions. These data include information about the individual, mail and contact addresses, and the documentation for the individual’s application such as a letter, resumé, and certificates. Candidates may also share additional information with us voluntarily.
By sending us their application, candidates give their consent to the processing of their data for the purposes of handling the job application process in the manner and within the scope set out in this Privacy Policy.
Insofar as special categories of personal data in the sense of Art. 9 (1) GDPR are shared voluntarily within the scope of the job application process, the processing of these data is also in accordance with Art. 9 (2) b) GDPR (e.g. health data such as the existence of severe disability, or ethnic origin). Insofar as special categories of personal data in the sense of Art. 9 (1) GDPR are solicited from applicants, these data are also processed in accordance with Art. 9 (2) a) GDPR (e.g. health data where these are necessary for the performance of the respective job).
Candidates may send us their applications by using an online form on our website, where available. The data will be transferred to us in encrypted form in keeping with the latest technological standard.
Candidates may furthermore send us their applications by e-mail. In this case, however, we would point out that e-mails are not sent in encrypted form and that candidates must themselves arrange encryption. We can therefore accept no responsibility for the application’s journey from the sender to our server. We would thus recommend the use of an online form or a mail application because instead of sending applications via the online form and e-mail, candidates still have the option of sending us their application by mail.
The data provided to us by candidates may be processed further by us in the event of a successful application for purposes relating to an employment relationship. Otherwise, where the job application is not successful, the candidate’s data are erased. Candidates’ data are also erased if they withdraw their application, which candidates are entitled to do at any time.
Subject to a justified objection by the candidate, data are erased after a period of six months has elapsed, so that we can respond to any follow-up questions about the application, and can meet our obligation to provide proof arising out of the Equal Opportunities Act. Invoices for any reimbursement of travel expenses are archived in accordance with the provisions of fiscal law.
Within the scope of application, we offer candidates the opportunity to be listed in our “Talent Pool” for a period of two years on the basis of their consent in the sense of Art. 6 (1) b) and Art. 7 GDPR.
The application documentation contained in the Talent Pool is solely processed in connection with future job vacancies and sourcing candidates, and is erased at latest on expiry of the retention deadline. Candidates are informed that their consent to inclusion in the Talent Pool is voluntary, that it has no influence on the ongoing job application process, that their consent may be withdrawn at any time with future effect, and that they may object in the sense of Art. 21 GDPR.
When you make contact with us (e.g. by contact form, e-mail, telephone, or via social media) your data are processed for the purpose of dealing with the contact request and resolving it in accordance with Art. 6 (1) b) GDPR. Your data may be stored in a customer relationship management system (CRM system) or some similar request organization system.
We erase queries once they are no longer required. We examine their necessity every two years. The statutory archiving retention periods also apply.
The following informs you about the content of our newsletter, subscription, dispatch, and statistical analysis procedures, and your rights to object. By subscribing to our newsletter you consent to receiving the newsletter and to the procedures described. Content of the newsletter: We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “newsletter”) only with the consent of the recipient or on the basis of legal permission. Where, in the course of subscription to the newsletter, its contents are concretely outlined, those contents shall be material to the user’s consent. Otherwise our newsletter contains information about us and our services. Double opt-in and logging: A double opt-in procedure is used for subscription to our newsletter. This means that after you subscribe, you will receive an e-mail in which you will be asked to confirm your subscription. This confirmation is necessary to ensure that nobody can subscribe using someone else’s e-mail address. Subscription to the newsletter is logged in order to prove that the subscription process has been effected in accordance with legal requirements. This logging includes storage of the time of the subscription and confirmation and your IP address. The changes to your data stored with the dispatch service provider will also be logged.
Subscription data: In order to subscribe to the newsletter you only need to provide your e-mail address. So that we can address you by name in the newsletter, we may ask you to optionally state your name.
Germany: The dispatch of the newsletter and the success measurement associated with it are effected on the basis of the recipient’s consent in accordance with Art. 6 (1) a) and Art. 7 GDPR in conjunction with Art. 7 (2) 3) UWG (Act against Unfair Competition) and/or on the basis of legal permission in accordance with Art. 7 (3) UWG.
The logging of the subscription process is effected on the basis of our legitimate interests under the provisions of Art. 6 (1) f) GDPR. Our interest lies in the use of a user-friendly and secure newsletter system that both serves our business interests and meets users’ expectations, and furthermore provides us with proof of consent.
Unsubscribing/Withdrawal: You may unsubscribe from our newsletter at any time, i.e. you may withdraw your consent. You will find a link to unsubscribe from the newsletter at the end of every newsletter. We may store removed e-mail addresses for up to three years on the basis of our legitimate interests before we erase them so that we can prove that consent has previously been granted. The processing of these data is restricted to possible defense against claims. An individual application for erasure may be made at any time provided that the existence of a previous consent is confirmed at the same time.
The newsletter is sent out by the e-mail marketing service provider “MailChimp” a newsletter mailing platform provided by the US company Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can read the e-mail marketing service provider’s privacy policy here: mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp has certified its compliance with the Privacy Shield Framework thus offering the guarantee that it complies with the European privacy standard (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The e-mail marketing service provider is used on the basis of our legitimate interests in the sense of Art. 6 (1) f) GDPR, and a data processing contract as set out in Art. 28 (3) 1) GDPR.
The e-mail marketing service provider may use the recipient’s data in pseudonymized form, i.e. without associating them with a specific user, to optimize or improve its own services, e.g. for the technical optimization of mailing and displaying the newsletter, or for statistical purposes. The e-mail marketing service provider does not however use the newsletter recipient’s data to write to the latter, nor does it share the data with third parties.
Our newsletters contain what is known as a web beacon. This is a pixel-size file that is accessed by our server and/or insofar as we use an e-mail marketing service provider, the latter’s server when you open the newsletter. This retrieval initially results in the collection of technical information such as details about the browser and system you are using, as well as your IP address and the time you opened the newsletter.
This information is used for the technical improvement of the service on the basis of the technical data or the target groups and their reading behavior on the basis of the places in which they opened the newsletter (that can be identified with the help of the IP address) or their access times. Statistical data collected also includes details of whether the newsletter is opened, when it is opened and which links are clicked. Although, for technical reasons, this information can be associated with the individual newsletter recipient, neither we nor the e-mail marketing service provider if we use one, has any interest in observing individual users. Rather, these evaluations serve to help us identify our users’ reading habits, and to modify our content or to send users different content related to their interests.
On the basis of our legitimate interests (i.e. our interest in the analysis, optimization and cost-effective operation of our online service in the sense of Art. 6 (1) f) GDPR) we use Google Analytics, a web analysis service provided by Google LLC (“Google”). Google uses cookies. As a rule, the information generated by the cookie about your use of the online service is transmitted to a Google server in the USA and stored there.
Google has signed up to the Privacy Shield Network which provides a guarantee that it complies with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf to analyze the use of our online service by users, to produce reports about activities relating to this online service, and to provide us with further services related to the use of this online service and of the internet. Pseudonymized user profiles of the users may be generated out of the data processed.
We only use Google Analytics with activated IP anonymization. This means that user IP addresses are abbreviated by Google within the member states of the European Union or in other countries that are signatories to the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transmitted to a Google server in the USA and abbreviated there.
The IP address that is transmitted by your browser is not associated with other data held by Google. You may prevent the storage of cookies by adjusting your browser settings; you may also prevent the collection by Google of data relating to your use of the online service generated by the cookie and the processing of these data by Google by downloading and installing the browser plugin that is available here: tools.google.com/dlpage/gaoptout.
Further information about how Google uses data, the browser settings you can use, and your refusal options is contained in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for how Google advertising is displayed (https://adssettings.google.com/authenticated).
Users’ personal data are erased or anonymized after 14 months.
On the basis of our legitimate interests in the analysis, optimization and cost-effective operation of our online service and for those purposes, our online service uses the “Facebook Pixel” provided by the social network Facebook which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, and/or if you are based in the EU by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook has signed up to the Privacy Shield Network which provides a guarantee that it complies with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
With the help of the Facebook Pixel, Facebook can on the one hand identify visitors to our online service as a target group for the display of advertising (“Facebook ads”). Accordingly, we use the Facebook Pixel to display our Facebook ads only to those Facebook users who have shown an interest in our online service or who possess certain characteristics (e.g. an interest in specific subjects or products that are identified on the basis of the websites visited) that we transmit to Facebook (“Custom Audiences”). With the help of the Facebook Pixel we also wish to ensure that our Facebook ads are of potential interest to you and do not cause you annoyance. With the help of the Facebook Pixel we can moreover assess the effectiveness of Facebook advertising for statistical and market research purposes, as we can see whether a user is transferred to our website (“conversion”) after clicking on a Facebook ad.
Facebook processes data in keeping with its data usage guideline. General information about the display of Facebook ads is available in Facebook’s privacy policy: www.facebook.com/policy.php. Specific information and details about the Facebook Pixel and how it works are available in Facebook’s Help section: www.facebook.com/business/help/651294705016616.
You may refuse the collection of your data by the Facebook Pixel and their use for the display of Facebook ads. To set the type of advertising that you see when on Facebook, you can visit the corresponding Facebook page and follow the instructions about user-based advertising: www.facebook.com/settings. The settings are platform-independent. This means that they will apply across all your devices such as desktop computers or mobile devices.
You can furthermore refuse the use of cookies that are used for measuring audience reach and for advertising purposes, using the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) as well as the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
We maintain an online presence on social networks and platforms so that we can actively communicate there with customers, leads and users and inform them about our services. When you visit the respective networks and platforms the Terms and Conditions and the privacy policies of the respective operators apply.
If not specified elsewhere in this Privacy Policy, we only process your data if you communicate with us on these social networks or platforms, e.g. make comments on our pages on these networks or platforms, or send us messages.
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and cost-effective operation of our online service in the sense of Art. 6 (1) f) GDPR) within our online service we use the content or services of third-party providers in order to integrate their content and services such as videos or fonts (hereinafter “content”).
Such integration presupposes that the third-party provider of this content recognizes the your IP address as they cannot send their content to your browser without your IP address. This means that the IP address is necessary in order to display that content. We endeavor to use only content whose respective providers only use the IP address to deliver that content. Third-party providers may also use what are known as pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. Pixel tags allow information such as visitor traffic to a website’s pages to be analyzed. This pseudonymized information can also be stored on cookies on your device and may include technical information about your browser and operating system, the referring websites, time of the visit and other details, and may also be associated with such information from other sources.