PRIVACY POLICY

Information on Data Protection

This privacy policy provides you with information about how we handle your personal data and about your rights under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). MTM ASSOCIATION e. V. (hereinafter referred to as “we” or “us”) is the data controller.

List of contents

1. General information

1.1.

Contact details

If you have any questions or suggestions about this information or would like to contact us to assert your rights, please submit your request to

 

MTM ASSOCIATION e. V.

Elbchaussee 352

22609 Hamburg

Telephone: +49 40 822 779 0

Email: contact@mtm.org

 

or

 

Deutsche MTM-Gesellschaft Industrie- und Wirtschaftsberatung mbH

Elbchaussee 352

22609 Hamburg

Telephone: +49 40 822 779 0

Email: contact@mtm.org

 

1.2.

Legal basis

Under data protection law, the term “personal data” refers to any information that relates to an identified or identifiable individual. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Our data processing is carried out only on the basis of legal permission. We process personal data only with your consent (Section 15(3) of the German Telemedia Act (TMG) and Art. 6(1) point (a) GDPR), for the performance of a contract to which you are a party or at your request to take steps prior to entering into a contract (Art. 6(1) point (b) GDPR), to fulfil a legal obligation (Art. 6(1) point (c) GDPR) or if the processing is necessary for the pursuit of our legitimate interests or the legitimate interests of a third party, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data (Art. 6(1) point (f) GDPR).

 

If you apply for a vacant position in our company, we also process your personal data for the purpose of deciding whether to establish an employment relationship with you (Section 26(1) sentence 1 BDSG).

1.3.

Duration of storage

Unless otherwise stated in the information below, we store the data only as long as is necessary to achieve the purpose of processing or to fulfill our contractual or legal obligations. Such statutory retention requirements may arise in particular from commercial or tax regulations. From the end of the calendar year in which the data were collected, we shall retain personal data contained in our accounting records for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we shall retain data in connection with the demonstration of consent and with complaints and claims for the duration of the statutory limitation periods. We shall erase data stored for marketing purposes if you object to processing for this purpose.

1.4.

Categories of recipients of the data

We use commissioned data processors to process your data. Processing operations carried out by such processors include, for example, hosting, maintenance and support for IT systems, customer and order management, order processing, accounting and billing, marketing measures and file and data carrier destruction. A commissioned data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but perform data processing exclusively for the controller and are contractually obliged to ensure appropriate technical and organizational data protection measures are in place. In addition, we may transfer your personal data to bodies such as postal and delivery services, our bank, our tax advisor/auditor or the tax authorities. Transmission to the appropriate health department may be carried out for infection tracking purposes. Other recipients may result from the following information.

1.5.

Data transfer to third countries

Visiting our website may involve transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer is permissible if the European Commission has determined that an adequate level of data protection is provided in such a third country. In the absence of such an adequacy decision by the European Commission, a transfer of personal data to a third country shall only take place if appropriate safeguards are in place pursuant to Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.

 

Unless stated otherwise below, we use the EU standard contractual clauses for the transfer of personal data to processors in third countries as appropriate safeguards: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087. If you consent to the transfer of personal data to third countries, the transfer takes place on the legal basis of Art. 49(1) point (a) GDPR.

1.6.

Processing if you exercise your rights

If you exercise your rights under Art. 15 to 22 GDPR, we process the personal data provided for the purpose of implementing those rights and to demonstrate that we have done so. We shall process data stored for the purpose of providing information and preparing it only for that purpose and for data protection control purposes, and otherwise restrict processing in accordance with Art. 18 GDPR. This processing takes place on the legal basis of Art. 6(1) point (c) GDPR in conjunction with Art. 15 to 22 GDPR and Section 34(2) BDSG.

1.7.

Your rights

As the data subject, you are entitled to assert your rights toward us. In particular you have the following rights:

 

  • -In accordance with Art. 15 GDPR and Section 34 BDSG, you have the right to request information about whether and, if so, to what extent we process personal data relating to you.
  • -You have the right to demand that we correct your data in accordance with Art. 16 GDPR.
  • -You have the right to demand that we erase your personal data in accordance with Art. 17 GDPR and Section 35 BDSG.
  • -You have the right to have the processing of your personal data restricted in accordance with Art. 18 GDPR.
  • -You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer the data to another controller.
  • -If you have given us separate consent to data processing, you may revoke that consent at any time in accordance with Art. 7(3) GDPR. Such revocation shall not affect the lawfulness of the processing that took place up to the time of revocation on the basis of the consent.
  • -If you believe that processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
1.8.

Right to object

In accordance with Art. 21(1) GDPR, you have the right to object to processing on the legal basis of Art. 6(1) point (e) or (f) GDPR on grounds relating to your particular situation. Where personal data about you is processed for purposes of direct marketing, you may object to this processing as described in article 21 (2) and (3) GDPR.

1.9.

Data protection officer

You can reach our data protection officer using the following contact information:

 

Email: datenschutz@mtm.org

Herting Oberbeck Datenschutz GmbH

Hallerstr. 76, 20146 Hamburg, Germany

https://www.datenschutzkanzlei.de

2. Data processing on our website

When you use the website, we collect the information that you have provided yourself. In addition, during your visit to the site we automatically collect specific information about your use of the site. Under data protection law, an IP address is also considered to be an item of personal data. An IP address is assigned to every internet-connected device by the ISP so that it can send and receive data.

2.1.

Processing of server logfiles

If you use our website purely for information purposes, general information that your browser transmits to our server is initially stored automatically (i.e. not via registration). These include as standard: browser type/version, operating system used, page visited, the previously visited page (referrer URL), IP address, the date and time of the server request, and the HTTP status code. Processing is carried out to pursue our legitimate interests and is on the legal basis of Art. 6(1) point (f) GDPR. The purpose of this processing is the technical management and security of the website. The stored data are deleted after ten days unless there is a justified suspicion of unlawful use based on concrete evidence and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject from the information stored. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11(2) GDPR unless, in order to exercise your rights as set out in those articles, you provide additional information that enables your identification.

2.2.

Cookies

We use cookies and similar technologies (“cookies”) on our website. Cookies are small text files that are stored by your browser when you visit a website. This identifies the browser used and can be recognized by web servers.
 

The use of cookies is partly necessary for the technical operation of our website and is thus permissible without the consent of the user. We may also use cookies to provide special functions and content and for analytics and marketing purposes. These may also include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent, pursuant to Section 15(3) TMG or Art. 6(1) point (a) GDPR. We request consent before you enter our site by means of a cookie consent banner. See paragraph 2.3 Consent management tool in this connection.
 

You have full control over the use of cookies through your browser. You can delete the cookies at any time by means of your browser’s security settings. You can object to the use of cookies through your browser settings in principle or in certain cases. Further information on this subject is available from the Federal Office for Information Security: https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html

2.3.

Consent management tool

This website uses the consent management of cookiebot by Cybot (Cybot A/S, Haynegade39, 1058 Copenhagen, Denmark). The consent banner allows users of our website to give consent to certain data processing operations or to withdraw consent that they have already given. In addition, cookiebot helps us to demonstrate that consent has been given. For this purpose, cookiebot processes information about the declaration of consent and further log data about this declaration.

 

By clicking on the “Allow all cookies” button, you give us your consent to process the selected cookie categories. You can view details about individual cookies under “Show details”. The legal basis is Art. 6(1) point (a) GDPR. You can withdraw your consent by clicking on the “Withdraw your consent” button provided below. Once the cookie consent banner has closed, you can delete the cookies at any time in the security settings of your browser. Please see 2.2. Cookies in this connection.

 

All cookies in the “Essential” category are technically necessary for the operation of our website and therefore do not require explicit consent.

2.4.

Contact form

Our website includes contact forms through which you can send us messages and request us to call you (“Callback”). Your data is encrypted for transfer (recognizable by the “https” in the address bar of the browser). All data fields marked as mandatory are necessary for us to process your request. Failure to provide this information will mean that we are unable to process your request. The provision of additional data to this is voluntary. Alternatively, you can send us a message via the contact email. We process the data for the purpose of responding to your inquiry. If your inquiry relates to the conclusion or performance of a contract with us, Art. 6(1) point (b) GDPR is the legal basis for the data processing. Otherwise, we process the data based on our legitimate interest in contacting persons who submit inquiries. The legal basis for the data processing is then Art. 6(1) point (f) GDPR.

2.5.

Registration

In order to use certain features of the website, registration on the website is necessary. The information required can be found on the registration screen. Provision of the information marked as mandatory is essential to complete the registration. The data provided are processed for the purpose of performing the service. Processing is on the legal basis of Art. 6(1) point (b) GDPR.

2.6.

Google Tag Manager

We use Google Tag Manager of Google Ireland Limited (Ireland/EU). Google Tag Manager is used to manage our website tags via an interface. Google Tag Manager is a cookie-less domain that does not collect or store any personal data. Google Tag Manager merely ensures that other tags are triggered, which in turn may collect data, without accessing those data itself. If tags have been disabled at domain or cookie level (e.g. via the consent management tool), this remains in place for all tracking tags implemented with Google Tag Manager.

2.7.

Analysis of our website

 

a) Google Analytics

We use the Google Analytics service of the provider Google Ireland Limited (Google Ireland/EU) on our website.

 

Google Analytics is a web analytics service that allows us to collect and analyze data about the behavior of visitors to our website. Google Analytics uses cookies for this purpose, which enable an analysis of the use of our website. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website.

 

Some of this data is information that is stored on the end device that you are using. Other information is also stored on your end device via the cookies used. Such storage of information by Google Analytics and access to information already stored on your end device takes place only with your consent.

 

 

b) Tracking & retargeting

Google Ads

We use the online advertising program Google Ads of Google Ireland Limited (Ireland/EU), through which we place advertisements on the Google search engine. If you access our website via a Google ad, Google sets a cookie on your end device (“conversion cookie”). A different conversion cookie is assigned to each Google Ads customer, so that the cookies cannot be tracked across the websites of different Ads customers. The information obtained with the help of the cookie is used to create conversion statistics. This tells us the total number of users who clicked on one of our Google ads. However, we do not receive any information that identifies users in person.

 

For more information about these processing activities, the technologies used, stored data and the storage period, please refer to the settings of our consent management tool. Processing takes place only with your consent in accordance with Section 15(3) TMG or Art. 6(1) point (a) GDPR. You can revoke your consent via our consent management tool. Please see 2.3. Consent management tool in this connection.

 

Facebook pixel

On our website we use the Facebook pixel, a Facebook business tool from Facebook Ireland Limited (Ireland, EU). For Facebook Ireland’s contact details and the contact details for Facebook Ireland’s data protection officer, please see Facebook Ireland’s privacy policy at https://www.facebook.com/about/privacy.

 

The Facebook pixel is a snippet of JavaScript code that allows us to track visitors’ activity on our website. This tracking is called conversion tracking. The Facebook pixel collects and processes the following information (so-called event data) for this purpose:

 

  • - Information about actions and activities of visitors to our website, such as searching for and viewing a product or purchasing a product;
  • - Specific pixel information such as the pixel ID and the Facebook cookie;
  • - Information about buttons clicked on by visitors to the website;
  • - Information present in the HTTP header, such as IP addresses, web browser information, page location, and referrer;
  • - Information about the status of disabling/restricting ad tracking.

 

Some of these event data are information that is stored on the end device you are using. In addition, cookies are also used via the Facebook pixel through which information is stored on the end device you are using. Such storage of information by the Facebook pixel and access to information already stored on your end device will only occur with your consent.

 

Tracked conversions appear on the dashboard of our Facebook ads manager and of Facebook Analytics. We can use the tracked conversions to measure the effectiveness of our ads, to set custom audiences for ad targeting, for dynamic ad campaigns and to analyze the effectiveness of our website’s conversion funnels. The functions we use via the Facebook pixel are described in more detail below.

 

Processing of event data for advertising purposes

Event data collected through the Facebook pixel are used to target our ads and improve ad delivery, personalize features and content, and improve and secure Facebook products.

 

Event data is collected on our website by means of the Facebook pixel and transmitted to Facebook Ireland for these purposes. This will be done only if you have previously given your consent. The legal basis for the collection and transmission of personal data by us to Facebook Ireland is therefore Art. 6(1) point (a) GDPR.

 

This collection and transmission of event data is carried out by us and Facebook Ireland as joint controllers. We have entered into a joint controller agreement with Facebook Ireland, which sets out the allocation of data protection obligations between us and Facebook Ireland. In this agreement, we and Facebook Ireland have agreed, among other things,

 

  • - that we are responsible for providing you with all information according to Art. 13, 14 GDPR about the joint processing of personal data;
     
  • - that Facebook Ireland is responsible for facilitating the rights of data subjects under Art. 15 to 20 GDPR with respect to personal data stored by Facebook Ireland after joint processing.

 

You can access the agreement concluded between us and Facebook Ireland at https://www.facebook.com/legal/controller_addendum.

 

Facebook Ireland is solely responsible for subsequent processing of the transmitted event data. For more information about how Facebook Ireland processes personal data, including the legal basis on which Facebook Ireland relies and how you can exercise your rights in respect of Facebook Ireland, please see Facebook Ireland’s privacy policy at https://www.facebook.com/about/privacy.

 

Processing of event data for analysis purposes

We have also engaged Facebook Ireland to prepare reports on the impact of our advertising campaigns and other online content based on the event data collected through the Facebook Pixel (campaign reports) and to provide analytics and insights about users and their use of our website, products and services (analytics). For this purpose, we transmit personal data contained in the event data to Facebook Ireland. The personal data submitted are processed by Facebook Ireland as our commissioned data processor to provide us with campaign reports and analytics.

 

Personal data are processed for the creation of analytics and campaign reports only if you have given your prior consent to this. The legal basis for this processing of personal data is therefore Art. 6(1) point (a) GDPR.

 

Transmission of data to Facebook Inc. in the USA cannot be ruled out. The legal basis for this transfer is the standard contractual clauses for the transfer of personal data to processors in third countries. Please note the information in the section “Data transfer to third countries”.

 

LinkedIn Marketing Solutions

 

On our website we use the LinkedIn Insight tag, a marketing service provided by LinkedIn Ireland Unlimited Company (Ireland/EU). The LinkedIn Insight tag is a snippet of JavaScript code that is triggered by LinkedIn when you visit our website and stores a cookie on the device you are using.

 

Via the LinkedIn Insight tag, we can perform various functions, which we describe in detail below.

 

LinkedIn conversion tracking is an analytics function powered by the LinkedIn Insight tag. The LinkedIn Insight tag allows us to collect data about visits to our website, including URL, referrer URL, IP address, device and browser properties (user agent) and timestamp. IP addresses are truncated or hashed (if used to reach members across devices). LinkedIn does not provide us with any personally identifiable information, but only provides reports (in which you are not identified) about site audience and ad performance. This allows us to track the effectiveness of LinkedIn ads for statistical and market research purposes. Members’ direct identifiers are removed by LinkedIn within seven days to pseudonymize the data. LinkedIn then erases this remaining pseudonymized data within 180 days.

 

We also use LinkedIn Matched Audiences to target our advertising campaigns to specific audiences. LinkedIn Matched Audiences and related data integrations allow us to target advertising to specific audiences based on data we provide to LinkedIn (e.g. company lists, hashed contact information, device identifiers and event data such as websites visited). This processing is carried out for the purpose of marketing our services via targeted display of advertising.

 

For more information about these processing activities, the technologies used, stored data and the storage period, please refer to the settings of our consent management tool. LinkedIn services are used only with your consent pursuant to Section 15 (3) TMG or Art. 6(1) point (a) GDPR.

 

In connection with LinkedIn services, transmission of data to LinkedIn Inc. in the USA cannot be ruled out. Please note the information in the section “Data transfer to third countries”. For more information about data protection at LinkedIn, please see LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.

3. Data processing for newsletter registration on www.mtm.org

3.1.

Registration and deregistration

We offer the option to subscribe to our newsletter on our website. Following registration, we will regularly inform you about the latest news on topics such as consulting, training, software, research and development. A valid email address is required to subscribe to the newsletter. To verify the email address, you will first receive a registration email which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your email address and name on the basis of the consent you have given us. Processing is on the legal basis of Art. 6(1) point (a) GDPR. You can withdraw your consent at any time with effect from that point forward, via the “Unsubscribe” link in the newsletter, for example, or by contacting us using the channels mentioned above. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal. When registering for the newsletter, we also store the IP address and the date and time of registration. Processing of this data is necessary in order to be able to demonstrate that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6(1) point (c) in conjunction with Art. 7(1) GDPR).

3.2.

Analysis

We also analyze the reading behavior and opening rates for our newsletter. For this purpose, we collect and process pseudonymized user data, which we do not combine with your email address or your IP address. The legal basis for the analysis of our newsletter is Art. 6(1) sentence 1 point (f) GDPR, and the processing serves our legitimate interest in optimizing our newsletter. You can object to this at any time by using one of the contact channels mentioned above.

4. Data processing on our website www.training.mtm.org

4.1.

Training courses and events


a) Booking on the website

You have the option to book training courses (e.g. e-learning, webinars, in-person courses), events (conferences) and webinars via our website. You have to register and create a user account for this purpose. The data provided are processed for the purpose of performing the service or delivering the courses you have booked. The information required can be seen on the input screen and we need, among other things, your contact and payment details and information about course participants.

The legal basis for the processing is Art. 6(1) sentence 1 point (b) GDPR.

 

b) On-site registration

If third parties have booked the training/event, it is necessary to collect further personal details from you for the purposes of organizing the training and for creating and sending the certificates. The required information can be seen on the input screen, and among other things, we need your contact and payment details.

The legal basis for the processing is Art. 6(1) sentence 1 point (b) GDPR.

 

c) Transmission to third parties

If we are commissioned by a third party to perform the service and this client assumes responsibility for both the booking and the costs of the training/event on your behalf, we reserve the right to forward the test result to the client. The transmission is limited to your name and the information as to whether you have passed or failed.

The legal basis for this is the legitimate interest of the third party, Art. 6(1) point (f) GDPR.

 

d) Special data processing for running webinars and online meetings

We use one of the following service providers to run webinars:

  • - Microsoft Teams, a service of the provider Microsoft Corporation (USA);
  • - CiscoWebex, a service of the provider Cisco WebEx LLC (USA);
  • - Zoom, a service of Zoom Video Communications, Inc. (USA).

In the process, personal data of the participants such as login name and communication content are processed on our behalf and stored on their servers. For data transfers to the USA, the appropriate level of data protection pursuant to Art. 46(2) GDPR is provided by concluding standard contractual clauses. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087

 

The legal basis for the processing carried out by the providers is Art. 6(1) sentence 1 point (b) GDPR.

 

During the webinar, the login names of all participants and the communication content generated are displayed and can be viewed by the other participants in the webinar. The communication content is stored for documentation purposes. The webinar is recorded and subsequently made available to participants.

 

The legal basis for the processing is our legitimate interest in an appealing design of our webinar service, Art. 6(1) point (f) GDPR.

4.2.

Login area of the MTM organization / download center / downloads

Our website contains a separate area for participants in events and members of the MTM Association, through which you can register for future courses, for example, or download certain materials.

 

If you provide data in the login area, we shall only use this data to provide you with the requested service or information. Processing is on the legal basis of Art. 6(1) sentence 1 point (b) GDPR.

 

We also offer digital content for download outside the separate area on our website. You are able to receive this from us if you consent to our contacting you by email for marketing purposes from that point forward. A valid email address is required to receive the digital content. To verify the email address, you will first receive a registration email which you must confirm via a link (double opt-in). We process your email address on the basis of the consent you have given us. The data are not transmitted to third parties. Processing is on the legal basis of Art. 6(1) point (a) GDPR. You can withdraw your consent at any time with effect from that point forward, for example via the link provided for this purpose at the end of every message from us or by contacting us in another way. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal.

4.3.

Sentry

Our website uses the Sentry service of Functional Software Inc. (USA). Sentry is used to monitor system stability and identify code errors in order to improve the website. Information about the device or time of the error is collected pseudonymously and then erased. There is no analysis for marketing purposes. For more information about Sentry’s privacy policy, please see the following page: https://sentry.io/privacy/. The legal basis for data processing in connection with the use of this service is Art. 6 (1) point (f) GDPR and the processing serves our legitimate interest in optimizing our website.

 

In connection with Sentry services, transmission of data to the USA cannot be ruled out. The data transfer takes place on the basis of appropriate guarantees according to Art. 46 GDPR and is ensured via EU standard contractual clauses. For more information, see: https://sentry.io/legal/dpa/2.0.0/

5. Data processing in the online store at www.summit.mtm.org

5.1.

Data processing for purchase transactions

If you order a ticket for one of our events via our website, we process personal data exclusively for the purpose of fulfilling the contract and to be able to provide you with the ticket you have ordered. During the booking process, we only process the data that you yourself have entered on the input screen and, if applicable, payment information if you pay by advance bank transfer. We use your email address to send you the ticket you have ordered. The legal basis for the processing in each case is Art. 6(1) point (b) GDPR. All data fields marked as mandatory are required to process your booking. Failure to provide this information will mean that we are not able to process your booking. The provision of additional data to this is voluntary.

5.2.

Customer account

a) Login on our website

In our online store you have the option to create a customer account by registering. If you have registered for a customer account, your stored data will be automatically entered in the order screen when you order a ticket in our store. It is not necessary to register for a customer account to place an order in our online store.

 

The information required for registration can be seen on the input screen. The provision of the information marked as mandatory by * is required to complete the registration. To confirm your registration, you will first receive a registration email, which you must confirm via a link (double opt-in). After registration, you can log in to your customer account by providing your email address and password.

 

Processing of the data provided in the context of registration and use of the customer account is on the legal basis of Art. 6(1) point (b) GDPR.

 

b) Login via XING

Through our website, you have the option to log in to our services using a simple registration from XING (XING Login). You can use your existing user account on XING for this purpose. Through the XING login, you can use this registration option on our portal. This requires you to be registered with XING already or to create a XING account.
 

If you want to register with us via your XING account, you will be redirected straight to XING as a first step. XING will then ask you to log in or register. We are never given your personal access details (username and password).

 

In the second step, you connect your profile on XING to the service for which you want to register. You are then also told which data from your XING profile will be transferred to us. As a rule, this includes your “public information” on XING and information that you make publicly available or share for the application in question. This usually includes your name, your profile and title picture, your gender, your networks, your username (XING URL) and your user ID (XING ID). In order to be able to contact you independently of XING, we also use your email address stored on XING. Please also note XING’s terms of use and privacy policy: https://privacy.xing.com/en/privacy-policy.

 

The legal basis for the data collection and storage is your consent within the meaning of Art. 6(1) point (a) GDPR.
 

If you would like to remove the connection from XING to our service, please log in to XING and make the necessary changes to your profile there (log in to XING/click on “Settings” in your own profile/then go to “Privacy”, “Data protection” and Remove service). Once the link has been removed, we are no longer authorized to use information from your XING profile.

5.3.

Payment by credit card

We offer you the option to pay by credit card. Please note that the relevant payment information is collected and processed by the payment service providers concerned on their own responsibility.

5.4.

Payment by PayPal

You also have the option to pay by PayPal. Please note that the relevant payment information is collected and processed by PayPal (Europe) S.à r.l. et Cie, S.C.A., based in Luxembourg, on its own responsibility. PayPal sends the address data you have set up with PayPal to us, which we process exclusively for fulfilment of the contract. The legal basis is Art. 6(1) point (b) GDPR.

 

For more information about PayPal’s privacy statement, please visit: https://www.paypal.com/us/webapps/mpp/ua/privacy-full.

5.5.

Payment in advance or by invoice

You also have the option to pay in advance or by invoice. Please note that the relevant payment information is collected and processed by the payment service providers concerned on their own responsibility.

6. Data processing on our social media pages

We have a presence on several social media platforms with a company page. In this way, we want to offer further opportunities to obtain information about our company and interact with us. Our company has company pages on the following social media platforms:

 

  • - Facebook
  • - Instagram
  • - LinkedIn
  • - Xing
  • - YouTube

 

When you visit or interact with a profile on a social media platform, personal data about you may be processed. The information associated with a social media profile usually constitutes personal data. This also covers messages and posts made using the profile. When you visit to a social media profile, certain information is often collected automatically, which may also constitute personal data.

6.1.

Visiting a social media page

a) Facebook and Instagram page

When you visit our Facebook or Instagram page through which we present our company and individual products from our range, certain information about you is processed. The sole controller of this processing of personal data is Facebook Ireland Ltd (Ireland/EU – “Facebook”).

 

For more information about Facebook’s processing of personal data, please visit https://www.facebook.com/privacy/explanation. Facebook provides the option to object to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.

 

Facebook provides us with anonymized statistics and information about our Facebook and Instagram pages that help us gain insights into the types of actions people take on our page (so-called “Page Insights”). These Page Insights are created on the basis of certain information about people who have visited our site. This processing of personal data is carried out by Facebook and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our site and improving our site based on these findings.

 

The legal basis for this processing is Art. 6(1) point (f) GDPR. We cannot associate the information obtained through Page Insights with individual user profiles that interact with our Facebook and Instagram page. We have entered into a joint controller agreement with Facebook, which sets out the distribution of data protection obligations between us and Facebook.

 

For details about the processing of personal data for the creation of Page Insights and the agreement concluded between us and Facebook, please refer to https://www.facebook.com/legal/terms/information_about_page_insights_data. In relation to this data processing, you also have the option to assert your rights as a data subject in respect of Facebook (see “Your rights”).

 

Further information about this can be found in Facebook’s privacy policy at https://www.facebook.com/privacy/explanation.

 

Please note that, according to Facebook’s privacy policy, user data is also processed in the USA and other third countries. Facebook transfers user data only to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 GDPR or on the basis of appropriate safeguards in accordance with Art. 46 GDPR.

 

b) LinkedIn company page

LinkedIn Ireland Unlimited Company (Ireland/EU - “LinkedIn”) is the sole controller for processing of personal data when you visit our LinkedIn page. For further information about processing of personal data by LinkedIn, please visit https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

 

When you visit, follow or interact with our LinkedIn company page, LinkedIn processes personal data to provide us with anonymized statistics and information. This provides us with insights into the types of actions people take on our site (so-called Page Insights). For this purpose, LinkedIn processes in particular the data that you have already provided to LinkedIn via the information in your profile, such as data about your role, country, industry, seniority, company size and employment status. In addition, LinkedIn processes information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page. LinkedIn does not provide us with any personally identifiable information about you through Page Insights. We only have access to the summarized Page Insights. It is also not possible for us to draw conclusions about individual members via the information in the Page Insights.

 

This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Art. 6(1) point (f) GDPR. We have entered into a joint controller agreement with LinkedIn, which sets out the allocation of data protection obligations between us and LinkedIn. The agreement can be accessed at: https://legal.linkedin.com/pages-joint-controller-addendum. According to the agreement, the following applies:

 

  • - We and LinkedIn have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn about this via the following link (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=en) online or contact LinkedIn using the contact information in the privacy policy. You can contact the data protection officer at LinkedIn Ireland via the following link https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You may also contact us at the contact details we have provided regarding exercising your rights in connection with the processing of personal data in the context of Page Insights. In such a case, we will forward your request to LinkedIn.
  • - We and LinkedIn have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see under www.dataprotection.ie) or with any other supervisory authority.

 

Please note that according to LinkedIn’s privacy policy, personal data may also be processed by LinkedIn in the USA or other third countries. LinkedIn transfers personal data only to countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR or on the basis of appropriate safeguards pursuant to Art. 46 GDPR.

 

c) Xing

New Work SE (Germany/EU) is the sole controller for the processing of personal data when visiting our Xing profile. For further information about the processing of personal data by New Work SE, please see

https://privacy.xing.com/en/privacy-policy.

 

d) YouTube

Google Ireland Limited (Ireland/EU) is the sole controller for the processing of personal data when visiting our YouTube channel. Further information about the processing of personal data by YouTube or Google Ireland Limited can be found at https://policies.google.com/privacy.

6.2.

Comments and direct messages

We also process information that you have provided to us via our company page on any social media platform. Such information may include the username, contact details or a message to us. This processing is carried out by us as the sole controller. We process this data based on our legitimate interest in contacting persons who make inquiries to us. The legal basis for the data processing is Art. 6(1) point (f) GDPR. Further data processing may take place if you have consented (Art. 6(1) point (a) GDPR) or if this is necessary for the fulfillment of a legal obligation (Art. 6(1) point (c) GDPR).

 

We use software to manage our company pages. If a user asks a question which is dealt with in more detail in the software via the comment function on one of our company pages, the text is displayed via the software together with the user’s username. In the process, this data is also transmitted to the provider of the software. The text and username transmitted are erased as soon as the request is answered.

7. Other data processing

7.1.

Contacting us by email or phone

If you send us a message via the contact email provided or contact us by telephone, we will process the data transmitted for the purpose of responding to your inquiry. We process this data based on our legitimate interest in contacting persons who make inquiries to us. The legal basis for the data processing is Art. 6(1) point (f) GDPR.

7.2.

Customer and prospective customer data

If you contact our company as a customer or potential customer, we process your data to the extent necessary to establish or implement the contractual relationship. This usually includes processing of personal master data, contract data and payment data provided to us and contact and communication data for our contacts at commercial customers and business partners. The legal basis for this processing is Art. 6(1) point (f) GDPR. We also process customer and prospective customer data for evaluation and marketing purposes. This processing is carried out on the legal basis of Art. 6(1) point (f) GDPR and serves our interest in further developing our service and informing you specifically about our services. Further data processing may take place if you have consented (Art. 6(1) point (a) GDPR) or if this is necessary for the fulfillment of a legal obligation (Art. 6(1) point (c) GDPR).

7.3.

Use of the email address for marketing purposes

We may use the email address you provide when you register or place an order to contact you about similar products and services that we offer. The legal basis is Art. 6(1) point (f) GDPR in conjunction with Section 7(3) of the German Act Against Unfair Competition (UWG). You may object to this at any time without incurring any costs other than the transmission costs at the basic rates. To do so, you can unsubscribe by clicking on the unsubscribe link included in each mailshot or by sending an email to contact@mtm.org.

7.4.

Applications

If you apply to our company, we process your application data exclusively for purposes related to your interest in current or future employment with us and processing of your application. Your application will only be processed and examined by the relevant contact persons. All employees involved in processing the data are obliged to protect the confidentiality of your information. If we are unable to offer you employment, we will retain the information you have provided for up to six months following any rejection for the purpose of answering questions related to your application and rejection. This does not apply if statutory provisions preclude deletion, if further storage is necessary for purposes of providing evidence or if you have expressly consented to a longer storage period. The legal basis for the data processing is section 26 (1) sentence 1 BDSG. If we retain your applicant data for longer than six months and you have expressly consented to this, we wish to point out that this consent can be withdrawn at any time in accordance with Art. 7(3) GDPR. Such revocation shall not affect the lawfulness of the processing that took place up to the time of revocation on the basis of the consent.

 

 

QG-DAT-10 07/21 [KUHP]