Privacy

1 General Information

We take the protection of your personal data very seriously. We submit our online offers in compliance with the relevant European and German data protection regulations. This data protection notice informs you about the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offer and the websites, functions and content associated with it, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).


1.1 Responsible party

Responsible under data protection law is:

u-institut GmbH & Co. KG
Jägerstrasse 65
10117 Berlin

Phone: 030 212 33 66 8-0
E-mail: info@u-institut.com
Website: https://u-institut.com
Instagram: https://www.instagram.com/u_institut65

In the following, we set out how we process your data. Unless otherwise stated in the subsequent sections or in separate data protection notices, the information in this general section applies.


1.2 Data subject rights and supervisory authority

In principle, you have the following rights:

Right to information (Art. 15 DSGVO)

Right to rectification (Art. 16 DSGVO)

Right to erasure (Art. 17 DSGVO)

Right to restriction of processing (Art. 18f. DSGVO)

Right to data portability (Art. 20 DSGVO)

Right to object (Art. 21 DSGVO)

To do so, you can contact us in writing or send an email to datenschutz@u-institut.com.

We will examine your rights in each individual case. If, in our opinion, a data subject right asserted by you cannot be granted, we will also explain this in writing upon request.

We would like to point out that we may require further proof of identity from you in order to rule out any abuse of the data subject rights.

You have the right to lodge a complaint with the supervisory authority responsible for us in the state of Berlin. In addition to the Berlin supervisory authority, the supervisory authority in the state of your residence or place of work is also responsible.


1.3 Recipients of data

The transfer of data takes place exclusively within the framework of written contractual agreements, which clearly regulate the responsibilities for compliance with rights and obligations, or in accordance with the rules outlined below.

Occasionally, we use service providers based in countries outside the EU, in particular the USA. Please note that due to the legal situation in the USA, security authorities there may oblige US providers to hand over the processed personal data without informing the data subjects (see, among others, the so-called Cloud Act & Patriot Act). Effective legal protection for data subjects against such measures is also not guaranteed. In this respect, the USA is considered an insecure third country in terms of data protection law. In order to nevertheless ensure the highest possible level of data protection in accordance with the case law of the European Court of Justice, we have carried out a risk analysis and taken precautions. For more details, please refer to the respective explanations in our data protection information.


1.4 Changes to our data protection information

We will occasionally adapt and improve this data protection information, in particular if this is necessary due to changes in applicable law or our internal processes.


2 Website

As the hosting provider of our homepage, we use the following service provider as an order processor:

dogado GmbH
Antonio-Segni-Strasse 11
D-44263 Dortmund

We have concluded an order processing agreement (AVV) with this processor in order to protect your personal data in the best possible way and to comply with our legal obligations.

Within the scope of the reading use of our online offer, personal data is collected for the following purposes:


2.1 Transmission of online content


2.1.1 Purpose and data categories

For the purpose of transmitting the website you have accessed, your browser also transmits the following information (technical data), among other things:

Your IP address (a sequence of digits that identifies your computer connection on the Internet)

Information about your terminal device, for example the browser used, connection speed or screen size

Server log files, referrer information

We use JavaScript to display certain information, unless you have disabled JavaScript in your browser or installed a JavaScript blocker.


2.1.2 Legal basis

This processing is based on our legitimate interest (Art. 6 para. 1 lit. f) DSGVO) to provide you with content in response to your request and to present it in an optimal way. Insofar as you are interested in our products and services, the processing is carried out for the initiation and implementation of a contractual relationship (Art. 6 para. 1 lit. b) DSGVO).


2.1.3 Storage period

The above-mentioned data will not be stored further for the purpose of the transfer after the transfer process has been completed.


2.1.4 Your rights

There is no right to rectification, information or deletion of the data stored in the context of the pure use of the online offer, as for the purpose of the pure transmission of the content, the storage of data is only temporary and it is deleted immediately afterwards.


2.2 Transmission of third-party content

On our websites, we use the following services, among others, to integrate third-party content:

YouTube

Spotify

If such services are used, the collection and use of data is also governed by their respective privacy policies. These are linked above, among other things.

Already in the context of the integration – unless we technically prevent this – you will be forwarded to the respective services, which will also learn in this way that you have visited our site.

If you are logged into your personal user account of the respective social network while visiting our website, this network can assign the visit to your account. In this respect, the responsible party has no influence on the processing, use or disclosure to third parties.

In addition to our own websites, we also maintain presences in various social media, which you can access directly or via corresponding buttons on our website. When you visit such a presence, personal data is transmitted to the provider of the social network.

The social media buttons used by us to share content do not automatically transmit any data to the provider of the service when you visit our website. You will only be forwarded to the respective social network by clicking on the corresponding plug-in in order to share the post in your network.


2.2.1 YouTube

YouTube is a video hosting company affiliated with Google, which is headquartered in the USA. Please also refer to the explanations under 1.3 – General information.


2.2.1.1 Purpose and data categories

In order to present our products and services to you in more detail, we use the YouTube platform on which we maintain an account. We embed the recordings hosted there on our website.

When you call up the page, technical data in particular, such as your IP address, is transmitted to YouTube or Google. If you click on the “play” button on the embedded player, further personal data may be transmitted to YouTube or Google.

For more information, please refer to Google’s privacy policy:

https://policies.google.com/privacy?hl=de&gl=de#infocollect


2.2.1.2 Legal basis

The integration of YouTube takes place in the context of contract initiation, insofar as you are interested in our products and/or services (Art. 6 para. 1 lit. b) DSGVO). In other cases, the integration is based on our legitimate interest (Art. 6 para. 1 lit. f) DSGVO) to transmit content upon your request and to inform you about our services in more detail.


2.2.1.3 Storage period

The storage period of the data with third parties is governed by Google’s privacy policy:

https://policies.google.com/privacy?hl=de&gl=de#infocollect


2.2.1.4 Your rights

Please refer to Google’s data protection information for your rights:

https://policies.google.com/privacy?hl=de&gl=de#infocollect


2.2.2 Spotify

We have linked some recordings, especially interviews, on Spotify for listening. Here, we have implemented a so-called two-click solution to protect your personal data.

To use Spotify, you must click on the respective button (Load content). Only then is a connection to Spotify established, the media player from Open Spotify is loaded and your personal data, such as your IP address, is transmitted.

The integration of Spotify takes place in the context of contract initiation, insofar as you are interested in our products and/or services (Art. 6 para. 1 lit. b) DSGVO). In other cases, the integration is based on our legitimate interest (Art. 6 para. 1 lit. f) DSGVO) to provide content in response to your request and to inform you about our offers in more detail.

More information, such as on the storage period and your rights, can be found in Spotify’s privacy policy:

https://www.spotify.com/de/legal/privacy-policy/


2.3 Improvement of the online offer through Matomo

This website collects personal data that serves as the basis for our website analytics.


2.3.1 Purpose and data categories

To improve our online offer, we evaluate how our site is used. For this purpose, we use the following information from the HTTP request:

Your IP address, anonymized by deleting the last two blocks of numbers (a sequence of digits that identifies your computer connection on the Internet)

The web page you called up

Information about the browser and operating system you are using

The page from which you reached us (REFERER information)

We also use cookies that allow us to recognize our users. Cookies are text files with an identification number that are stored by your browser and transmitted to us when you return to the site.


2.3.2 Legal basis

The aforementioned data categories are processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f DSGVO) in improving our online presence.


2.3.3 Storage period

The personal data is anonymized immediately after collection.


2.3.4 Your rights

There is no right to rectification, information or deletion because the data is anonymized after collection and, as a rule, a reference to the person requesting information can no longer be established by us.

We respect the “Do not track” setting of your browser. If you have activated this setting, your data will not be stored for the purpose of improving our online services.


2.4 Securing our technical systems


2.4.1 Purpose and data categories

To secure our technical systems, we use the following information from the HTTP request:

Your IP address (a sequence of digits that identifies your current computer connection on the Internet)

The web page you are accessing

Information about the browser and operating system you are using

The page from which you reached us (REFERER information)


2.4.2 Legal basis

The storage is based on our legitimate interest (Art. 6 para. 1 lit. f DSGVO) to be able to perform an analysis in the event of errors in and attacks on our technical systems.


2.4.3 Storage period

The data described will be deleted within seven days if no security incident is detected. If a security incident is detected, the data will be deleted as soon as there is no legitimate interest in further storage.


2.4.4 Your rights

In principle, you have the right to information and rectification with regard to the aforementioned data categories. However, as a rule, the personal reference can primarily be established via the IP address.

3 Communication

3.1 Newsletter

Within the scope of the use of this offer, personal data is collected for the following purposes:

We use CleverReach as a service provider for our newsletter dispatch. We have concluded an order processing agreement (AVV) for this purpose.

CleverReach GmbH & Co. KG
//CRASH Building
Schafjückenweg 2
26180 Rastede
Germany

You can find CleverReach’s privacy policy here. CleverReach claims that the data centers it uses meet the highest security standards and are ISO 27001 certified. More information on data security can be found here.


3.1.1 Purpose and data categories

Personal data is processed for the purpose of sending newsletters and improving them. This data includes:

Name

E-mail

Technical data (IP address, browser, operating system, …)

3.1.2 Legal basis

Data storage is based on consent (Art. 6 para. 1 lit. a DSGVO) or on the basis of a legitimate interest (Art. 6 para. 1 lit. f DSGVO) of u-institut GmbH to improve the presentation and performance of the newsletter.


3.1.3 Storage period

In the case of personal data in the CRM system, a check is made after two years at the end of the respective calendar year to determine whether further storage is necessary. If there is no need, the data will be deleted.

Unless there are other legal grounds, the personal data will be stored until the data subject objects to the use of the data, revokes consent, or requests deletion. An exception to this is data that is to be classified as business letters within the meaning of the German Commercial Code (HGB) or as accounting-relevant data. Here, the respective statutory retention obligations apply.

If consent is revoked, we restrict processing to the extent that we blacklist the e-mail address in order to effectively comply with the request not to receive a newsletter in the future, Art. 6 (1) f) DSGVO.


3.1.4 Disclosure to third parties

Your data will not be passed on to third parties outside of the order processing relationship. Insofar as CleverReach uses further processors as subcontractors, there is an obligation to oblige them by means of an order processing agreement. In doing so, the specifications from the contractual relationship between us and CleverReach must be complied with and may not be undercut within the framework of the subcontractor relationship.


3.1.5 Rights

You have the right to information on the aforementioned data categories as well as to their correction, deletion or restriction of processing.


3.2 Improvement of communication


3.2.1 Purpose and data categories

To improve our communication, we collect the following information in each case related to the mailing:

Successful sendings

Undeliverable messages (so-called bounces)

Unsubscriptions

Anonymized opening rate of the mailing as well as the links contained in it

Technical data (operating system, browser type, mail client, desktop/mobile view, …)


3.2.2 Legal basis

The aforementioned data categories are processed based on our legitimate interest (Art. 6 para. 1 lit. f DSGVO) in improving communication with our interested parties.


3.2.3 Storage period

Personalized newsletters and circulars sent by us are completely deleted after 3 years. An exception to this is data that is to be classified as business letters within the meaning of the German Commercial Code (HGB) or as accounting-relevant data. In this case, the respective statutory retention obligations apply.


3.2.4 Your rights

You have the right to information on the aforementioned data categories as well as to their correction or deletion, insofar as no anonymization took place at the time of collection.


3.3 Contact

You can contact us in a variety of ways, e.g. by e-mail, telephone, post or via the contact form on our website.


3.3.1 Purpose and data categories

For the purpose of communication, we process the following personal data:

Personal master data (name, email address, address, phone number, social media account name, position in the company, …)

Billing-related data (company, account number, tax number, …)

Contract or project related data

Appointment-related data

Application-related data

Technical data (IP address, logs, …)

Personal data transmitted by you in the message content

Image/sound data

Contact history


3.3.2 Legal basis

The legal basis is consent pursuant to Art. 6 para. 1 lit. a) DSGVO. Insofar as the communication is in connection with the initiation or execution of a contract, the legal basis is Art. 6 para. 1 lit. b) DSGVO.


3.3.3 Storage period

Content data (e.g. data transmitted via a contact form) is stored for a period of 1 year. After the end of the year, a further need for storage is checked and a new check is provided for at the end of each calendar year. If content data is to be classified as a business letter, the retention obligations under commercial law apply.

Otherwise, your data will be deleted 3 years after the end of the year in which the contact was made, unless longer storage is required by law – e.g. in accordance with the German Tax Code – or is necessary for legal enforcement.


3.3.4 Transfer to third parties

We occasionally use service providers based outside the EU/EEA, e.g. the video conferencing provider Zoom is based in the USA. Standard contractual clauses have been concluded with the service provider to protect personal data. In addition, the service provider protects the data from access by the US authorities by means of encryption and other organizational measures. Please also refer to the information under 3.4 – Video conferencing.

Any transmission beyond this is not planned.

Nevertheless, when sending e-mails via the Internet, it can never be ruled out that they will be forwarded via a third country. As far as your mail provider supports this technically, we will send the e-mails via SSL/TLS encryption, so that the e-mails are encrypted during transport.


3.4 Video conferencing

For the purpose of conducting video conferences, webinars, telephone conferences and “online meetings”, we use the service provider “Zoom”.

“Zoom” is a service of Zoom Video Communications, Inc. which is based in the USA.

To protect the personal data, standard contractual clauses as well as an order processing agreement pursuant to Art. 28 DSGVO have been concluded with the service provider. In addition, the service provider protects the data from access by the US authorities by means of encryption and other organizational measures. As server location, we have pre-selected exclusively servers in the European area or the territory of the FRG. In addition, encryption is activated by Zoom.


3.4.1 Purpose and data categories

For the purpose of organizing, conducting and following up the video conference, the following personal data, among others, are processed:

Name, e-mail address, user profile data (e.g. profile picture), telephone if applicable

Technical data (IP address, logs, device/hardware information, dial-in times via telephone, country name, …)

Meeting data: Topic, description if applicable, data transmitted by you in the message content

Image/sound data

Text input during chat, polls, etc.

If a recording takes place (optional), an MP4 file of all video, audio and presentation recordings, as well as an M4A file of all audio recordings and a text file of the online meeting chat will be saved.

Before the recording starts, we will transparently inform you about the fact of the recording and ask for your consent.


3.4.2 Legal basis

The legal basis is consent pursuant to Art. 6 (1) a) DSGVO.

Insofar as personal data is processed by employees of u-institut GmbH, Section 26 BDSG is the legal basis for data processing. If, in connection with the use of “Zoom”, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of “Zoom”, Art. 6 para. 1 lit. f) DSGVO is the legal basis for data processing. In these cases, our interest is in the effective implementation of “online meetings”. Insofar as the communication is in connection with the initiation or execution of a contract, the legal basis is Art. 6 (1) lit. b) DSGVO.

If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) DSGVO. Here, too, our interest is in the effective implementation of “video conferences”.


3.4.3 Storage period

The data is deleted after the end of the video conference. If a recording takes place, you will be informed of this separately.


3.4.4 Disclosure to third parties

There are no plans to pass on data to third parties. We will inform you separately in advance if any disclosure is planned, e.g. in the context of recordings. Please note that content from video conferences, as well as personal meetings, is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.

Other recipients: the provider of “Zoom” necessarily receives knowledge of the above-mentioned data, insofar as this is provided for in the context of our order processing agreement with “Zoom”.

For further information on the processing of personal data by Zoom, please refer to Zoom’s privacy policy, which can be found here:

https://explore.zoom.us/de/privacy/


4 Billing


4.1 Purpose and categories of data

For the purpose of billing, we process the following categories of data, among others:

Personal master data (name, email address, address, social media account name, phone number, fax number, position in the company, customer number, …)

Billing-related data (company, bank details, tax number, invoice number, data on purchased goods or services, …)

Personal data provided by you in the message content of commercial and business letters

The meta-data contained in contract-related files

Technically necessary data (IP address, logs, …)


4.2 Legal basis

The legal basis for the processing is Art. 6 para. 1 b) DSGVO for the implementation of the contractual relationship, as well as the legitimate interest in enforcing our claims according to Art. 6 para. 1 lit. f) DSGVO.


4.3 Storage period

The storage period is based on the statutory retention periods (usually 6 years). After expiry of the statutory retention period (max. 10 years), your data will be deleted insofar as it is no longer required for the legal enforcement of our claims or another legal basis exists.


4.4 Transfer to third parties

Billing data may be passed on to third parties for the purposes of billing and legal enforcement. This includes in particular:

Tax advisor

Financial authorities

Persons entrusted with the accounting

Courts

Lawyers

Collection service providers


5 Applicant management/personnel search


5.1 Purpose and data categories

We have established an applicant management system for the purpose of recruiting personnel. This includes finding suitable applicants and selecting the applicants with the best skills for the respective position.

The following data is stored for this purpose:

Personal master data

Postal and contact addresses

Application documents (curriculum vitae, information on degrees, knowledge, etc.)

Internal evaluations of the applications

Data in answers to application questions

If you wish to be reimbursed for travel expenses, your account data will also be processed for this purpose.


5.2 Legal basis

Data collection and processing are based on Art. 6 para. 1 lit. a and b DSGVO, if applicable Art. 9 para. 2 lit. b DSGVO, Art. 88 para. 1 DSGVO, § 26 para. 1 BDSG.


5.3 Recipients of the data

We use the following service provider for the administration of the application process:

Homerun B.V.

Singel 542, 1017 AZ Amsterdam,

For this purpose, we have concluded an order processing agreement with Homerun in accordance with Art. 28 DSGVO. You can find Homerun’s privacy notice at:

https://www.homerun.co/privacy-statement


5.4 Storage period

After completion of the application process, the data will be deleted as soon as the assertion of claims resulting from the application process can be ruled out, usually within 6 months after completion of the application process.

This does not apply to the data of applicants who have given their consent to the further storage of their data in the applicant data pool.

The statutory retention periods apply to payment-related data.


5.5 Your rights

If you withdraw your application, we will delete your data with the exception of the notification to this effect, which we will retain for the above-mentioned retention period due to our legitimate interest in providing evidence of its withdrawal.