Data protection

Data protection policy

This data protection policy provides you with an explanation about the type, scope and purpose of processing personal data (hereinafter “data”) in the context of our online offering and related websites, functions and contents together with our social media profiles and similar (hereinafter “online offering”). With regard to the terms used in the policy, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).


Julia Wardetzki
Bayernallee 18
14052 Berlin

Legal notices

Types of processed data

  • Master data (e.g. names, addresses).
  • Contact data (e.g. email, phone numbers).
  • Content data (e.g. text inputs, photos, videos).
  • Usage data (e.g. visited websites, interest in contents, access times)
  • Meta/communication data (e.g. device information, IP addresses)

Categories of data subjects

Visitors and users of the online offering (summarised hereinafter as “users”).

Scope of processing

  • Provision of the online offering, its functions and contents.
  • Answering contact queries and communication from users.
  • Security measures.
  • Reach measurement/marketing


‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data. The definition is very broad and covers practically every kind of handling of information.


‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal basis

Pursuant to the stipulations made in Art. 13 GDPR, we herewith stipulate the legal basis for our data processing. Unless stated otherwise in the data protection policy, the following applies: The legal basis for obtaining consent is Art. 6 (1) a. and Art. 7 GDPR. The legal basis for processing data to fulfil our services, perform contractual obligations and answer enquiries is Art. 6 (1) b. GDPR. The legal basis for processing data to fulfil our legal obligations is Art. 6 (1) c. GDPR, and the legal basis for processing data to protect our vital interests is Art. 6 (1) f. GDPR. Art. 6 (1) d. GDPR is the legal basis if processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Security measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risk for the rights and freedoms of natural persons.


The measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data as well as associated access, input, forwarding, safeguarding availability and segregation. We have also set up processes for warranting the protection of data subjects’ rights, for erasing data and for reacting to any threat to the data. Furthermore, we also give due consideration to protecting personal data already during the development respectively selection of hardware, software and methods, according to the principle of data protection by design and by default (Art. 25 GDPR).

Collaboration with processors and third parties

Insofar as our processing involves disclosing data to other people and companies (processors or third parties), sending data to them or giving them other access to the data, this only takes place on the basis of legal consent (e.g. when it is necessary to transmit data to a third party such as a payment service provider for performance of a contract pursuant to Art. 6 (1) b. GDPR), if you have given consent or if this is entailed in a legal obligation or on the basis of our vital interests (e.g. when using authorised representatives, website hosters, etc.).

Insofar as we have contracted third parties to process the data on the basis of a so-called “processing contract”, this takes place on the basis of Art. 28 GDPR.

Transfer to third countries

Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this happens in the context of using third-party services or the disclosure or transfer of data to third parties, this only takes place to fulfil our (pre-)contractual obligations, on the basis of your consent, on account of a legal obligation or on the basis of our vital interests. Subject to statutory or contractual consents, we process or have third parties process the data in a third country only when the special prerequisites of Art. 44 et seq. GDPR apply. In other words, processing is carried out on the basis of special guarantees, such as the official recognition of a data protection level corresponding to the EU (e.g. the Privacy Shield for the USA) or compliance with officially recognised special contractual obligations (so-called “standard contract clauses”).

Rights of the data subjects

You have the right to demand confirmation as to whether or not such data have been processed; you have the right of access to the personal data and to further information and copies of the data according to Art. 15 GDPR.

According to Art. 16 GDPR, you have the right to demand the completion of the data concerning you or the rectification of inaccurate personal data concerning you.

Pursuant to Art. 17 GDPR, you have the right to demand the erasure of personal data concerning you without undue delay, or alternatively the right to demand restriction of processing the data in accordance with Art. 18 GDPR.

You have the right to demand that you receive the personal data concerning you which you have provided to us pursuant to Art. 20 GDPR and to demand their transfer to another controller.

Furthermore, you have the right pursuant to Art, 77 GDPR to lodge a complaint with the responsible supervisory authority.

Right to withdraw consent

You have the right to withdraw consent with effect for the future pursuant to Art. 7 (3) GDPR.

Right to object

You can object at any time to future processing of data concerning you in accordance with Art. 21 GDPR. The objection can apply particularly to processing for the purposes of direct marketing.

Cookies and right to object for direct marketing

‘Cookies’ means little files saved on the user’s computer. Cookies save various different information. A cookie is used primarily to save information about a user (or the device on which the cookie is saved) during or also after the user’s visit to an online offering. Temporary cookies, session cookies or transient cookies are cookies that are erased once users leave an online offering and close their browser. These cookies store information such as the contents of a shopping cart in an online shop or a log-in status. Permanent or persistent cookies remain saved even after the browser has been closed. For example, the log-in status can be saved when users return to a website after several days. Similarly, these cookies can save the users’ interests that are then used for reach measurement or marketing purposes. Third-party cookies come from other providers than the controller operating the online offering (otherwise the cookies are called first-party cookies).

We can use temporary and permanent cookies and provide corresponding information in our data protection policy.

If users do not want cookies to be saved on their computer, they are asked to disable the corresponding options in the system settings of their browser. Saved cookies can be erased in the system settings of the browser. Disabling cookies may restrict some of the functions in this online offering.

A general objection to the use of cookies for online marketing can be declared for a large number of services, above all in the case of tracking, on the US American website or the EU website Please note that in this case, not all functions of this online offering can be used. This website uses only technically necessary cookies.

Business-related processing

We also process

  • contract data (e.g. contractual object, term, customer category)
  • payment data (e.g. bank account details, payment history)

from our customers, potentially interested parties and business partners in order to provide contractual services, support and customer care, marketing, advertising and market research.

Erasing data

The data processed by us are erased or their processing is restricted pursuant to Art. 17 and 18 GDPR. Unless stated explicitly in this data protection policy, data that we have saved are erased as soon as they are no longer needed for their intended purpose and there are no statutory storage obligations preventing their erasure. If data are not erased because they are needed for other legally permitted purposes, their processing is restricted. In other words, the data are blocked and not processed for other purposes. This applies e.g. to data that have to be stored under commercial or fiscal law.

According to statutory requirements in Germany, data are stored for 10 years pursuant to § 147 (1) Tax Code, § 257 (1) 1 and 4 in Book 4 Commercial Code (ledgers, records, status reports, bookkeeping receipts, books of account, documents relevant to taxation, etc.) and for 6 years pursuant to § 257 (1) 2 and 3 in Book 4 Commercial Code (commercial papers).

According to the statutory requirements in Austria, data are stored for 7 years pursuant to § 13 (1) Austrian Tax Code (bookkeeping documents, receipts/invoices, accounts, receipts, business papers, list of income and expenditure, etc.) for 22 years in the context of immovable property and for 10 years with regard to documents related to electronic services, telecommunication/radio and television services provided for non-entrepreneurs in EU Member States using the Mini-One-Stop-Shop (MOSS).

Agency services

We process the data of our customers in the context of our contractual services, including conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementing campaigns and processes/ handling, server administration, data analysis/consulting services and training services.

In doing so, we process inventory data (e.g. customer master data such as names or addresses), contact data (e.g. email, phone numbers), content data (e.g. text inputs, photos, videos), contract data (e.g. contractual object, term), payment data (e.g. bank account details, payment history), usage and meta data (e.g. in the context of evaluating and assessing the success of marketing measures). In principle we do not process special categories of personal data unless these are part of ordered processing. Those affected include our customers, potentially interested parties and their customers, users, website visitors or employees and third parties. The purpose of processing consists in providing the contractual services, invoicing and our customer service. The legal principles for processing result from Art. 6 (1) b GDPR (contractual services) and Art. 6 (1) f GDPR (analysis, statistics, optimisation, security measures). We process data needed to justify and fulfil the contractual services and draw attention to the need for them to be stated. Such data are only disclosed to externals if necessary in the context of an order. When processing the data made available to us in the context of an order, we act according to the instructions given by the client and the statutory regulations for order processing pursuant to Art. 28 GDPR and process the data for none other than order-related purposes.

We erase the data on expiry of statutory warranty obligations and similar obligations. The need to store the data is reviewed every three years. In terms of statutory archiving obligations, data are erased after the corresponding periods have expired (6 years as per § 257 (1) Commercial Code, 10 years as per § 147 (1) Tax Code). With regard to data disclosed to us by the client in the context of an order, we erase the data as stipulated in the order, in principle at the end of the order.

Contractual services

We process the data of our contract partners and potentially interested parties together with other principals, customers, clients or contract partners (hereinafter “contract partners”) pursuant to Art. 6 (1) b GDPR in order to provide our contractual or pre-contractual services on their behalf. The processed data and the type, scope, purpose and necessity of their processing are governed by the basic contractual relationship.

The processed data include the master data of our contract partners (e.g. names and addresses), contact data (e.g. email addresses and phone numbers) together with contract data (e.g. services used, contract contents, contractual communication, names of contacts) and payment data (e.g. bank account details, payment history).

In principle we do not process special categories of personal data unless these are part of ordered or contractual processing.

We process data needed to justify and fulfil the contractual services and draw attention to the need for them to be stated, insofar as this is not evident for the contract partners. Such data are only disclosed to external people or companies if necessary in the context of an order. When processing the data made available to us in the context of an order, we act according to the instructions given by the clients and the statutory requirements.

When use is made of our online services, we save the IP address and the point in time of respective user action. The data are saved on the basis of our vital interests and the interests of the user to be protected from misuse and any other unauthorised use. These data are basically not forwarded to third parties unless necessary to pursue our claims pursuant to Art. 6 (1) f. GDPR or a corresponding statutory obligation applies pursuant to Art. 6 (1) c. GDPR.

The data are erased when no longer necessary to fulfil contractual or statutory fiduciary obligations or for dealing with possible warranty obligations and similar obligations, whereby the need to store the data is reviewed every three years; otherwise the statutory storage obligations apply.

Administration, accounting, office organisation, contact management

We process data as part of administrative tasks as well as of the organisation of our company, accounting and complying with statutory obligations, e.g. archiving. To this end, we process the same data processed in the context of providing our contractual services. The legal principles for processing are Art. 6 (1) c. GDPR, Art. 6 (1) f. GDPR. The processing affects customers, potentially interested parties, business partners and visitors to our website. The purpose and our interest in such processing lies in our administration, accounting, office organisation and data archiving, in other words, tasks that serve to uphold our business activities, fulfil our tasks and provide our services. The erasure of data related to contractual services and contractual communication takes place in line with the information outlined for these processing activities.

We disclose or transfer data to the tax authorities, advisors such as tax consultants or chartered accounts together with other billing offices and payment service providers.

Furthermore, on the basis of our business interests we store data about suppliers, organisers and other business partners, e.g. for contacting them at a later point in time. These predominantly business-related data are always stored permanently.

Hosting and sending emails

The hosting providers that we use perform the following services: infrastructure and platform services, computing capacity, memory space and database services, sending e-mails, security services and technical maintenance for the operation of this online offering.

In this context, we or our hosting provider process master data, contact data, content data, contract data, usage data, meta and communication data of customers, potentially interested parties and visitors to this online offering on the basis of our vital interests in efficient, secure provision of this online offering, pursuant to Art. 6 (1) f. GDPR in conjunction with Art. 28 GDPR (concluding a processing contract).

Collecting access data and logfiles

On the basis of our vital interests pursuant to Art. 6 (1) f. GDPR, we or our hosting provider collect data every time someone accesses the server hosting this service (so-called server logfiles). The access data include the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, user’s operating system, referrer URL (previously visited website), IP address and querying provider.

Logfile information is stored for security reasons (e.g. for investigating misuse or fraud) for maximum 7 days and is then erased. Data that need to be stored for longer as evidence are exempt from erasure until conclusive clarification of the respective incident.

Produced with by Dr. Thomas Schwenke.