I. Name and address of the data controller
The data controller as defined in the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions, is:
INSTART Consult GmbH
Eichstätter Straße 40
85117 Eitensheim
Germany
Mail: info@instartconsult.de
Website: www.instartconsult.de
II. Name and address of the Data Protection Officer
The Controller’s Data Protection Officer is:
Herr Felix Heim
Ludwig-Erhard-Straße 6
84034 Landshut
E-Mail: datenschutzbeauftragter@instart-group.com
III. General information about data processing
- Scope of personal data processing
We only collect and use personal data of our users insofar as this is necessary to provide a functional website as well as our content and services. The collection and use of our users’ personal data takes place routinely upon users’ consent. An exception applies in cases where it is not possible to obtain consent in advance for practical reasons, and where data processing is permitted by the statutory provisions.
- Legal basis for processing personal data
Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 (1) clause 1 (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6 (1) clause (b) of the GDPR serves as the legal basis. This also applies to the processing operations required to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 (1) clause 1 (c) of the GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
Insofar as the processing is necessary to safeguard a legitimate interest of our company or a third party and to the extent that the interests, fundamental rights and freedoms of the data subject do not override this legitimate interest, Art. 6 (1) clause (1) (f) GDPR serves the legal basis for processing.
- Data erasure and storage period
The personal data of the data subject will be erased or blocked as soon as the purpose of the storage ceases to apply. In addition, such storage may take place if provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. The data can also be blocked or erased when a storage period prescribed by the aforementioned standards expires, unless there is a requirement for the continued storage of the data to conclude or perform a contract.
IV. Availability of the website and creating log files
- Description and scope of data processing
Whenever you visit our website, our system automatically collects data and information from the visitor’s computer system.
The following data is collected:
information about the type of browser and the applied version/li>
operating system of the user
the internet service provider of the user
the IP adress of the user
date and time of access
websites that lead the system of the user to our homepage
websites that are accessed by the system of the user through our homepage
The data is also stored in our system’s log files. The data is not stored in conjunction with the user’s other personal data.
- Legal basis for data processing
The legal basis for temporary storage of the data and log files is Art. 6 (1) clause 1 (f) GDPR.
- Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this the IP address of the user must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. In this context, no data is evaluated for marketing purposes. This also constitutes our legitimate interest in data processing as per Art. 6 (1) clause 1(f) GDPR.
- Storage period
The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected. In the event that data is collected in order to make the website available, this is the case once each session has ended. If the data is stored in log files, this will happen after seven days at the latest. Storage period may be extended. In this case, the IP addresses of the users are deleted or alienated to ensure that the calling client can no longer be traced back.
- Right to objection and removal
Collecting the data in order to make the website available, and saving this data in log files, is necessary in order to operate the website. The user is therefore not entitled to object to this.
V. Usage of cookies
- Description and scope of data processing
This website uses cookies. Cookies are text files that are saved in the user’s internet browser and/or by the Internet browser on the user’s computer system. When a user calls up a website, a cookie can be stored in the user’s operating system. This cookie contains a unique string of characters that allow the browser to be clearly identified the next time it calls up the website.
We use cookies to make our website more user-friendly. Some components of our website require that the calling browser be identified after going to a new page.
The cookies save and transmit the following data:
the IP address of the user
date and time of access
log-in information
data volume transferred
requesting domain
In addition, this website uses cookies that allow us to analyze the user’s surfing behavior.
This allows the following data to be transmitted:
device type, model, brand, screen resolution
operating system, versions, families
browser, version, configuration, engines, plugins, language, voice code
location data
provider details
pages per visit, number of visits, recurring Visits, visiting time, visiting day
home pages, exit pages, page URL, page titles, search terms, downloads
search engines, search term, websites, social networks
campaign, campaign keywords
On accessing our website, the user is informed of the use of cookies for analysis purposes and his/her consent to the processing of the personal data used in this connection is obtained. At the same time, reference is made to this privacy statement.
- Legal basis for data processing
The legal basis for processing personal data using cookies is Art. 6 (1) clause 1 (f) GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes with the relevant user’s consent is Art. 6 para. (1) clause 1 (a) GDPR.
- Purpose of data processing
The purpose of implementing technically necessary cookies is to make it easier for users to use the websites. Some of our website features may be unavailable without the use of cookies. It must be possible to recognize the browser even after the user goes to a new page on the site. The user data collected by technically necessary cookies are not used to create user profiles.
Analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is being used, which allows us to continuously improve our offerings. This allows us to offer you optimized user guidance and with repeated use to present you with a website which is as varied as possible and which contains new content.
This also constitutes our legitimate interest in personal data processing as per Art. 6 (1) clause 1(f) GDPR.
- Storage period, right to objection and removal
Cookies are saved on the user’s computer and transmitted by the computer to our site. Therefore you as a user also have complete control over the use of cookies. You can adjust your web browser’s settings in order to disable or limit the transmission of cookies. Previously saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, you may not be able to use all of the website’s features to their fullest extent.
VI. Online application
- Description and scope of data processing
The user’s consent to the processing of this data will be obtained in the course of the registration process. In addition, a further declaration of consent of the user is obtained to specifically process the submitted applicant data with a reference made to this Privacy Policy.
As part of their application, we offer users the opportunity to apply on our website by providing personal data. In doing so, the data will be entered into a contact form, transmitted to us, and stored. The following data will be collected as part of the registration process:
last name
first name
E-mail address
application documents(e.g., CV, cover letter, etc.)
The following data will also be stored when you get registered:
IP address of the user
date and time of registration
The user’s consent to the processing of this data will be obtained in the course of the registration process.
- Legal basis for data processing
The legal basis for the processing of data when the user’s consent has been obtained is Article 6(1) clause 1 (a) GDPR.
- Purpose of data processing
The data will be processed primarily for the establishment of an employment relationship. The overriding legal basis here is Art. 88 (1) GDPR in conjunction with Section 26 (1) of the new Federal Data Protection Act [BDSG-neu].
Your data will be used solely in the course of the application procedure.
Where applicable to the position to be filled, the processing of health data for the assessment of your ability to work in accordance with. Art. 9 (2) (h) in conjunction with Section 22 (1) (b) of the new Federal Data Protection Act [BDSG-neu].
If the user wishes to be included in our talent pool in the event of a rejection in order to consider him/her for job openings, he/she would have to provide a declaration of consent.
In addition, pursuant to the EU anti-terror regulations (EC regulations: Regulation (EC) 881/2002 and Regulation (EC) 2580/2001), we are obligated to compare the data against the so-called ‘EU terrorist lists’ to ensure that no funds or other economic resources are provided for terrorist purposes.
- Storage period
The data will be erased once it is no longer necessary to achieve the purpose for which it was collected.This is the case for those during the registration process to fulfill a contract or to carry out pre-contractual measures when the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data of the contractual partner in order to fulfil contractual or legal obligations.
- Right to objection and removal
The user can have the stored data erased at any time. The stored data can be amended at any time on the user’s request. If the data is required to fulfil a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as there are no contractual or statutory obligations to the contrary.
VII. Contact form and contact via email
- Description and scope of data processing
This website has a contact form that can be used for establishing contact electronically. If a user accepts this option, the data entered in the contact form will be transmitted to us and stored. The following data is mandatory:
first and last name
E-mail address
subject
message
The following data will also be stored when the message is sent:
the IP address of the user
date and time of registration
When you submit the form, we ask your consent to process your data, with a link to this Privacy Policy.
Alternatively, you can contact us via the e-mail address provided. In this case, the user’s personal data transmitted with the e-mail will be stored. In this context, no data will be disclosed to third parties. The data will be used exclusively to process your inquiry.
- Legal basis for data processing
The legal basis for the processing of data when the user’s consent has been obtained is Article 6 (1) clause 1 (a) GDPR. The legal basis for processing the data transmitted via an email is Art. 6 (1) clause 1 (f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) clause 1 (b) GDPR.
- Purpose of data processing
We only use personal data provided on contact forms to make the requested contact. If we do contact you by e-mail, this also constitutes the necessary interest in the processing of the data.
The other personal data processed during the sending procedure is used to prevent misuse of the contact form and to ensure the security of our IT systems.
- Storage period
The data will be erased once it is no longer necessary to achieve the purpose for which it was collected. The personal data from the contact form’s input dialog and the data sent by e-mail will be erased when the respective conversation with the user has been completed. The conversation will have been completed when it is evident from the circumstances that the matter at hand has been conclusively resolved.
- Right to objection and removal
The user may withdraw their consent to the processing of personal data at any time. A user who has contacted us by e-mail can object at any time to the storage of his or her personal data. In such a case, the conversation cannot be continued.
All personal data stored within the course of establishing contact will be erased in that case.
VIII. Integration of Google Maps
- Description and scope of data processing
We use Google Maps functions on this website. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function.
When you visit this website, Google receives the information that you have accessed the corresponding sub-page of our website. In addition, the following data is transmitted:
the IP address of the visitor’s computer
date and time of request
This is done regardless of whether Google provides a user account that you are logged in to, or if there is no user account. When you’re logged in to Google, your data will be assigned directly to your account. If you do not wish to be associated with your profile on Google, you must log out before clicking the link. In addition, depending on the user’s setting, Google may even collect location data. However, this always requires your consent to the use of this information, which you may refuse denying the corresponding request with Google. For more information about the purpose and scope of data collection and its processing by the plug-in provider, please refer to the provider’s privacy policy. There, you will also find further information about your rights and setting options to protect your privacy:
http://www.google.de/intl/de/policies/privacy.
- Legal basis of data processing
The legal basis for the processing of your personal data is Art. 6 (1) clause 1 (f) GDPR. Where the user provides his/her consent, the legal basis for the data processing is Art. 6 (1) clause 1 (a) GDPR.
- Purpose of data processing
Google stores your data as user profiles and uses them for advertising, market research and/or user-friendly design of its website. Such evaluation also takes place (even for users who are not logged in) for customized advertising and informing other social network users about activities on our website.
- Storage period
We have no influence on the data collected and data processing processes, nor are we aware of the full extent of data collection, the purposes of processing, the storage periods. We have no information regarding the erasure of the data by Google.
- Right to objection and removal
You can prevent Google from associating the user with an existing profile by logging out before clicking the link. You have the right to object to the creation of these user profiles. If you want to do so, you must contact Google to exercise this right.
IX. Rights of the concerned person
Where your personal data is processed, you are deemed a data subject as defined in the GDPR and you have the following rights towards the controller:
- Right of access
You can ask the controller to confirm whether your personal data is being processed.
If such processing is taking place, you can request the following information from the data controller:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data being processed;
(3) the recipients and/or categories of recipients to whom your personal data has been or will be disclosed;
(4) the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) whether you have a right to have your personal data corrected or deleted, a right to limit processing by the responsible party, or a right to object to such processing;
(6) whether you have a right to lodge a complaint with a supervisory authority;
(7) any available information on the origin of the data if the personal data has not been collected from the data subject;
(8) whether there is an automated decision-making process, including profiling as per Art. 22 (1) and (4) GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You are entitled to demand information on whether your personal data is transmitted to a third-party country or international organization. In this regard, you are entitled to be informed about the appropriate safeguards in connection with the transmission of data pursuant to Art. 46 GDPR.
- Right to rectification
You are entitled to have the controller rectify or complete you personal data insofar as your processed personal data is inaccurate or incomplete. The controller shall have your personal data rectified without undue delay.
- Right to restriction of processing
Under the following conditions, you may request that the processing of your personal data be restricted if:
(1) you contest the accuracy of the personal data for a period of time enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need this for the establishment, exercise or defense of legal claims;
(4) you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
If processing of your personal data has been limited, this data – aside from its storage – may only be processed with your consent or in order to assert, exercise or defend legal claims or to protect the rights of another natural or legal person, or for the sake of an important public interest of the Union or a member state.
If the processing restriction has been imposed according to the aforementioned conditions, you will be informed by the data controller before the restriction is lifted.
- Right to erasure
a) Obligation to erase
You are entitled to request that the controller erases your personal data without undue delay and the controller shall be obligated to erase personal data without undue delay where one of the following grounds applies:
(1) Your personal data is no longer needed for the purposes for which it was collected or otherwise processed.
(2) You withdraw any existing consent on which the processing was based as per to Art. 6 (1) clause 1 (a) or Art. 9 (2) (a) GDPR, and there is no other legal ground for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) Your personal data has been unlawfully processed.
(5) Your personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information disclosed for third parties
Where the controller has made the personal data public and is obligated pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Derogations
Your right to erasure does not apply where processing is required
(1) to exercise the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
(4) for archival purposes, scholarly or historical research purposes that are in the public interest, or for statistical purposes as per Art. 89 (1) GDPR, to the extent that the right referred to in Section a) is likely to enable to fulfill the objectives of the processing or will significantly impair it, or
(5) in order to assert, exercise or defend legal claims.
- Right to notification
If you have asserted your right to have the data rectified or erased or its processing restricted by the controller, the latter must inform all recipients to whom your personal data was disclosed about such rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You are entitled to be informed about the recipients by the controller upon request.
- Right to data portability
You are entitled to obtain the personal data that you provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to pass this data on to another controller without hindrance by the controller to whom the personal data was provided, as long as
(1) the processing is based on a declaration of consent in accordance with Art. 6 (1) clause (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) clause (1) (b) GDPR and;
(2) the processing is carried out using automated methods.
In exercising this right, you also have the right to request that your personal data be transferred directly from one data controller to another, insofar as this is technically feasible. In doing so, other people’s freedoms or rights may not be impaired.
The right to portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
- Right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) clause 1 (e) or (f) GDPR, including profiling based on these provisions.
The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or for the establishment, or exercise or defense of legal claims.
Where your personal data is processed for direct marketing purposes, the you are entitled to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option to exercise your right to object by automated means using technical specifications.
- Right to withdraw data protection consent
You have the right to withdraw your declaration of consent under data protection law at any time. Revoking your consent will not affect the legality of any processing that took place before the revocation.
- Automated individual decision-making including profiling
You have the right not to be subject to a decision based exclusively on automated processing including profiling that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller,
(2) is admissible by law of the Union or of the Member States to which the controller is subject and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or
(3) is made with your express consent.
These decisions, however, shall not be based on special categories of personal data referred to in Article 9 (1), unless point (a) or (g) of Article 9 (2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state his or her point of view and to challenge the decision.
- Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of alleged infringement if you consider that the processing of data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
ANALYSIS TOOLS AND ADVERTISING
MATOMO
This website uses the open source web analytics service Matomo.
With the help of Matomo, we are able to collect and analyze data about the usage of our website by its visitors. This enables us, among other things, to determine when certain page views occurred and from which region they originate. Additionally, we gather various log files (such as IP addresses, referrers, browsers, and operating systems used) and can track whether our website visitors perform specific actions (such as clicks, purchases, etc.).
The use of this analysis tool is based on Article 6(1)(f) of the General Data Protection Regulation (GDPR). The website operator has a legitimate interest in analyzing user behavior in order to optimize both the website offering and its advertising.
IP anonymization
During the analysis with Matomo, we employ IP anonymization. This involves truncating your IP address before analysis, making it no longer uniquely identifiable to you.
Cookieless analysis
We have configured Matomo in a way that it does not store any cookies in your browser.
Hosting
We host Matomo with the following third-party provider:
Matomo.org
InnoCraft Ltd
7 Waterloo Quay
PO Box 625
6140 Wellington
New Zealand
Link to Matomo Cloud DPA: https://matomo.org/matomo-cloud-dpa/
Data processing agreement
We have entered into a data processing agreement (DPA) for the use of the aforementioned service. This is a legally required contract that ensures that the service provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.
GOOGLE FONTS (LOCAL HOSTING)
This site uses Google Fonts, provided by Google, for the consistent display of fonts. The Google Fonts are installed locally, and there is no connection to Google servers.
or more information about Google Fonts, you can visit the following link: https://developers.google.com/fonts/faq?hl=en and in the privacy policy of Google: https://policies.google.com/privacy?hl=en-US.
ITHEMES SECURITY
We have integrated iThemes Security on this website. The provider is iThemes Media LLC, 1720 South Kelly Avenue Edmond, OK 73013, USA (hereinafter referred to as “iThemes Security”).
iThemes Security is used to protect our website from unwanted access or malicious cyber attacks. For this purpose, iThemes Security collects, among other things, your IP address, the timing and source of login attempts, and log data (such as the browser used). iThemes Security is installed locally on our servers.
iThemes Security transmits IP addresses of recurring attackers to a central database of iThemes in the USA (Network Brute Force Protection) to prevent such attacks in the future.
The use of iThemes Security is based on Article 6(1)(f) of the General Data Protection Regulation (GDPR). The website operator has a legitimate interest in ensuring the most effective protection of their website against cyber attacks.