DATA PROTECTION DECLARATION
ERGO personnel services
This data protection declaration explains the nature, scope and purpose of the processing of personal data (hereinafter shortened to ‘data’) in our online offer and related websites, functions and contents, as well as external online presences, such as our social media profiles (hereinafter collectively described as ‘online offer’). With regard to the terms used, such as ‘processing’ or ‘person responsible’, we refer to the definitions in Art. 4 of the General Data Protection Regulation GDPR (DSGVO).
Types of data processed:
– Inventory data (e.g. names, addresses).
– Contact data (e.g. email, telephone numbers).
– Content data (e.g. text entries, photos, videos).
– Usage data (e.g. websites visited, interest in content, access time).
– Meta/communications data (e.g. information about devices, IP address).
Categories of data subjects
Visitors and users of the online offer (in the following part we collectively describe the persons concerned as “users”).
The purpose of processing
– Making available of the online offer, its functions and contents.
– Answering of contact forms and communication with users.
– Security measures.
– Reach measurement/marketing.
“Personal data” refers to all information related to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable, if he/she can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online ID (e.g. cookies) or with one or several special features reflecting the physical, physiological, genetic, psychic, economic, cultural or social identity of that natural person.
“Processing” means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term is broad and covers virtually every aspect of dealing with data.
“Pseudonymization” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or an identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Data controller” refers to the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
A “processor” is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
Applicable legal bases
In accordance with art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not stated in the privacy statement, the following applies: The legal basis for the obtaining of consent is article 6 par. 1 lit. a and article 7 of GDPR, the legal basis for the processing to provide our services and carry out contractual measures, as well as to answer enquiries, is article 6 par. 1 lit. b of GDPR, the legal basis for the processing to fulfil our legal obligations is article 6 par. 1 lit. c of GDPR, and the legal basis for the processing to preserve our legitimate interests is article 6 par. 1 lit. f of GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 Para. 1 lit. d GDPR applies as the legal basis.
In accordance with art. 32 of GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account current technology, implementation costs, the nature, scope, context and purposes of processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The measures include, in particular, the ensuring of confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and separation that relate to it. Furthermore, we have established procedures that guarantee the exercise of data subjects’ rights, deletion of data and reaction to data risks. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly defaults (art. 25 GDPR).
Cooperation with processors and third parties
If we disclose information to other persons and companies (subcontractors or third parties) during our processing, send it to them or otherwise provide them with access to the data, this is done only on the basis of a legal permission (e.g. if a transmission of data to third parties, such as to payment providers, is required pursuant to Article 6 par. 1 lit. b of GDPR in order to fulfil the contract), if you have given your consent, on the basis of a legal obligation or on the basis of our legitimate interests (e.g. for the use of agents, web hosting providers, etc.).
If we commission third parties with the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of art. 28 of GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this only takes place if it serves the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process the data in a third country or have the data processed in a third country if the particular requirements of art. 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised determination of a data protection level corresponding to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognised special contractual obligations (called “standard contractual clauses”).
Rights of data subjects
You have the right to request confirmation as to whether the data concerned are being processed and to request information about these data as well as further information and a copy of the data in accordance with art. 15 GDPR.
According to art. 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
In accordance with art. 17 of GDPR, you have the right to demand that relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with art. 18 of GDPR.
You have the right to request to receive the data concerning you that you have provided to us in accordance with art. 20 of GDPR and to request its transmission to other persons responsible.
You also have the right, according to art. 77 GDPR, to lodge a complaint with the competent supervisory authority.
Right to revocation
You have the right to revoke your consent with future effect, according to 3 GDPR.
Right of objection
You can at any time object to the future processing of the data concerning you in accordance with art. 21 GDPR. The objection may be lodged in particular against processing for direct advertising purposes.
Cookies and right of objection to direct advertising
Cookies are small files that are stored on the user’s computer. Different data can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his/her visit to the online offer. Temporary cookies, “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offer and closes his/her browser. For example, the content of a shopping cart in an online shop or a login status can be stored in a cookie of this nature. Cookies are referred to as “permanent” or “persistent” if they remain saved even after the browser is closed. For example, the login status can be saved if users visit it after several days have passed. Likewise, the interests of users may be stored in a cookie of this nature and used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the data controller who manages the online offer (otherwise, if the only cookies are run by the data controller, they are referred to as “first-party cookies”).
We may use temporary and permanent cookies and clarify this within the framework of our Data Protection Declaration.
Deletion of Data
According to legal requirements in Germany, data is stored for 10 years in accordance with § 147 Abs. 1 AO, 257 par. 1 No. 1 and 4, par. 4 HGB (books, records, reports, accounting records, books, documents relevant for taxation, etc.) and for 6 years according to article 257, paragraph 1 No. 2 and 3, par. 4 HGB (commercial letters).
1 BAO (accounting documents, receipts/invoices, accounts, receipts, business papers, statement of income and expenditure, etc.), for 22 years with regard to properties and for 10 years for documents with regard to electronically provided services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.
Brokerage services
We process the data of our customers, clients and interested parties (uniformly referred to as “customers”) in accordance with art. 6 para. 1 lit. b. GDPR to provide our contractual or pre-contractual services to them. The data processed here, the type, scope and purpose and the necessity of its processing, are determined by the underlying contract. This basically includes the portfolio and master data of the customers (name, address, etc.), as well as the contact data (e-mail address, telephone, etc.), the contract data (content of the order, premiums, terms, information on the brokered companies/insurers/benefits) and payment data (commissions, payment history, etc.). Furthermore, we can process the information on the characteristics and circumstances of persons or items belonging to them if this is part of the subject of our order. These can be, for example, information on personal living conditions, mobile or immovable property.
Within the scope of our assignment, it may also be necessary for us to collect special categories of data in accordance with Art. 9 par. 1 of GDPR, in particular information on a person’s health. For this purpose, we will, if necessary, and in accordance with Article 6 par. 1 lit a., article 7, article 9 para 2 lit. a GDPR, ask for the customer’s explicit consent.
To the extent required by law or for the fulfilment of the contract, we disclose or transmit the customer’s data to providers of the brokered services/properties, insurers, re-insurers, broker pools, technical service providers, other service providers, such as cooperating associations, as well as financial service providers, credit institutions and investment companies, social insurance carriers, tax authorities, tax consultants, legal advisers, auditors, insurance ombudsmen and the Federal Financial Supervisory Authority (BaFin) within the scope of coverage requests, conclusion and processing of contracts. Furthermore, we can commission subcontractors, such as sub-brokers. We obtain the customer’s consent if this is required for disclosure/transmission (e.g. in the case of special categories of data in accordance with Art. 9 of GDPR).
The data will be deleted after the expiry of statutory warranty and comparable obligations, whereby the necessity of storing the data is checked every three years; in all other respects, the statutory storage obligations apply.
In the case of statutory archiving obligations, deletion shall take place after their expiry. According to German law in the insurance and financial sector in particular, consulting protocols for 5 years, brokerage notes for 7 years and broker contracts for 5 years as well as generally 6 years for documents relevant under commercial law and 10 years for documents relevant under tax law are required to be kept.
We process the data of our contractual partners and interested parties as well as other principals, customers, clients, patrons or contractual partners (uniformly referred to as “contractual partners”) in accordance with art. 6 par. 1 lit. b GDPR to provide our contractual or pre-contractual services to them. The data processed here, the type, scope and purpose and the necessity of its processing, are determined by the underlying contract.
The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).
We do not process special categories of personal data unless they are part of commissioned or contractual processing.
We process data which is necessary to justify and fulfil the contractual services and point out the necessity of its disclosure, unless this is evident for the contractual partners. It is only disclosed to external persons or companies if it is required within the framework of a contract. When processing the data provided to us within the framework of an order, we act in accordance with the instructions of the client as well as with the legal requirements.
When our online services are used, we may store the IP address and the time of the user action in question. The data is stored on the basis of our legitimate interests as well as the user’s interests regarding protection against misuse and other unauthorised use. In principle, this data is not passed on to third parties unless it is necessary for the pursuit of our claims according to Article 6 par. 1 lit. (f) of GDPR or there is a legal obligation to do so pursuant to Article 6 par. 1 lit. (f) of GDPR.
The data will be deleted if the data is no longer required for the fulfilment of contractual or statutory duties of care or for the handling of any warranty or comparable obligations, whereby the necessity of storing the data is checked every three years; in all other respects, the statutory storage obligations apply.
Administration, financial accounting, office organisation, contact management
We process data within the framework of administrative tasks as well as the organisation of our company, financial accounting and compliance with legal obligations, e.g. archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The legal bases for the processing are Art. 6 par. 1 lit. (c) and Article 6 par. 1 lit. (f) of GDPR. Customers, prospective customers, business partners and website visitors are affected by the processing. The purpose of and our interest in the processing lies in administration, financial accounting, office organisation and archiving of data, namely tasks which serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the tasks specified in these processing activities.
In this regard, we disclose or transmit data to tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.
Furthermore, we store information regarding suppliers, event organisers and other business partners on the basis of our business interests, e.g. for the purpose of establishing contact at a later date. In principle, we store this data, which is mainly company-related, permanently.
Data protection information in the application process
We process the applicant’s data only for the purpose and in the context of the application procedure in accordance with the legal requirements. The processing of the applicant’s data takes place in order to fulfil our (pre)contractual obligations in the context of the application procedure within the meaning of art. 6 para. 1 lit. f GDPR, provided data processing becomes necessary for us, e.g. within the framework of legal procedures (in Germany, § 26 of the Federal Data Protection Act additionally applies).
The application procedure requires that applicants provide us with their data. The necessary applicant data are marked in the case of an online form, otherwise they arise from the job descriptions and basically belong to the particulars of the person, post, and contact addresses and documents pertaining to the application, such as cover letter, curriculum vitae and certificates. In addition, applicants may voluntarily provide us with additional information.
By submitting the application to us, applicants agree to the processing of their data for the purposes of the application procedure in accordance with the type and scope set out in this Data Protection Declaration.
As far as, in the course of the application process, special categories of personal data, as laid down in Art. 9 para 1 of GDPR, are transmitted voluntarily, their processing takes place according to article 9 para 2 lit. (b) of GDPR (e.g. health data, such as severe disability or ethnic origin). As far as, in the course of the application process, special categories of personal data, as laid down in Art. 9 para 1 of GDPR, are requested by candidates, their processing takes place additionally in accordance with article 9 para 2 lit. a of GDPR (e.g. health data, if these are necessary for the exercise of the profession).
If provided, applicants can submit their applications to us via an online form on our website. The data will be encrypted and transmitted to us according to the state of the art.
In addition, applicants can submit their applications to us via email. Please note, however, that emails are generally not sent in encrypted form and that the applicants themselves must ensure that they are encrypted. We cannot therefore accept any responsibility for the transmission of the application between the sender and its receipt on our server and therefore recommend that post is used instead. Candidates still have the option to submit their application to us via post, instead of using an online form or email.
If the application is successful, the data provided by the applicants can be further processed by us for the purpose of employment. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time.
The deletion will take place after a period of six months, reserving the justified withdrawal by the applicant, so that we can answer any follow-up questions regarding the application and meet our obligations under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
When contacting us (e.g. by contact form, email, telephone or via social media), the user’s details are processed for the processing of the contact enquiry and its handling according to the terms and conditions of this agreement, pursuant to Article 6 par. 1 lit. (f) (in the course of contract-related relationships/relationships before the contract), Article 6 par. 1 lit. (f) (other inquiries) GDPR. User information can be stored in a Customer Relationship Management System (“CRM system”) or a comparable enquiry organisation system.
We delete the enquiries if they are no longer necessary. We review this necessity every two years; the statutory archiving obligations also apply.
Hosting and email delivery
The hosting services used by us serve to provide the following services: infrastructure and platform services, computing capacity, storage and database services, emailing, security services and technical maintenance services, which we employ for the purposes of the operation of this website.
Hereby, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta data and communication data of customers, potential customers and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer according to Article 6 par. 1 lit. (f) GDPR, Article 28 GDPR (contract order processing).
Collection of access data and log files
We, or our hosting provider, collect data on the basis of our legitimate interests within the meaning of art. 6 para. 1 lit. f GDPR regarding each access to the server on which this service is located (known as server log files). Access data includes the name of the requested website, file, date and time of access, amount of data transferred, report whether the site was successfully retrieved, browser type and version, the user’s operating system, the referrer URL (the site visited before coming to our site), the user’s IP address, and the requesting internet service provider.
Log file information is stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data, the further storage of which is required for evidence purposes, is excluded from deletion until the relevant incident has been ultimately clarified.
Google Tag Manager
Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus integrate Google Analytics and other Google marketing services into our online offer, for example). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users’ personal data, reference is made to the following information on the Google services. Acceptable use policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google has become subject to the Privacy Shield agreement, thereby offering a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
On our behalf, Google will use this information to evaluate the use of our online offer by the user, to compile reports on the activities within this online offer and to provide us with other services related to the use of this online offer and the internet. Pseudonymous usage profiles of users may be created from the processed data.
We use Google Analytics only with activated IP anonymization. This means that the IP address of the user is truncated by Google within the member states of the European Union or in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the US and truncated there.
Users’ personal data will be deleted or made anonymous after 14 months.
Google (Universal) Analytics
We use Google Analytics in the “Universal Analytics” configuration. “Universal Analytics” refers to a procedure by Google Analytics in which the user analysis is carried out based on a pseudonymous user ID, and a pseudonymous profile of the user is created with information from the use of various devices (so-called “cross-device tracking”).
Google AdWords and conversion measurement
We use, on the basis of our legitimate interests (i.e., interest in the analysis, optimization and economic operation of our website for the purposes of article 6 par. 1 lit. f. GDPR), the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).
Google has become subject to the Privacy Shield agreement, thereby offering a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the online marketing process Google “AdWords” to place ads on the Google Advertising Network (e.g., in search results, videos, on websites, etc.) to show them to users who may find the ads interesting. This allows us to display ads for and within our online offer more specifically in order to only present ads that potentially correspond to the users’ interests. For example, if a user sees ads for products he has been interested in on other websites, this is referred to as “re-marketing”. For these purposes, when the user accesses our and other websites on which Google marketing services are active, Google directly executes a Google code and (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. These store a unique cookie (a small file) on the user’s device. Comparable technology may also be used instead of cookies. This file keeps a record of which websites the user visited, which contents he/she is interested in and which offers he/she has clicked on, as well as technical information about the browser and operating system, referring websites, visiting time and further information about the use of the online offer.
We also receive an individual “conversion cookie”. The information collected with the help of cookies is used by Google to generate conversion statistics for us. However, we only see the total number of anonymous users who clicked on our ads and were redirected to a page with a conversion tracking tag. We do not obtain any information that can be used to identify users personally.
User data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the names or email addresses of users, but, for example, processes the relevant data on a cookie-related basis within pseudonymous user profiles. This means that, from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. The information collected about users is transmitted to Google and stored on Google’s servers in the USA.
Facebook Pixel, Custom Audiences and Facebook-Conversion
Based on our legitimate interest in the analysis, optimization and efficient operation of our online offer, we have decided to use the so-called “Facebook pixel” for our online offerings, provided by the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, in case you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Facebook has become subject to the Privacy Shield agreement, thereby offering a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
With the help of Facebook Pixels, Facebook is able to determine the visitors of our online offer as a target group for the presentation of advertisements (so-called “Facebook ads”). Accordingly, we use the Facebook Pixel to display our Facebook ads only to Facebook users who have shown an interest in our website or who have certain traits (e.g. interests in certain topics or products that are determined by the websites visited) that we transmit to Facebook (so-called “custom audiences”). With the help of the Facebook Pixel, we want to make sure that our Facebook ads correspond to the potential interest of the users and are not bothersome. The Facebook Pixel also helps us understand the effectiveness of Facebook ads for statistical and marketing research purposes by showing and evaluating whether users are directed to our site after they have clicked a Facebook ad (so-called “conversion”).
Facebook processes the data in accordance with Facebook’s Data Usage Policy. Accordingly, general information on the display of Facebook ads can be found in the Facebook Data Usage Policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook pixel and how it works, please visit the Facebook Help section: https://www.facebook.com/business/help/651294705016616.
You can object to the collection and use of your data by Facebook Pixels for Facebook ads. To set what types of ads you see within Facebook, go to the page set up by Facebook and then follow the information there about the settings for interest-based advertising: https://www.facebook.com/settings?tab=ads. The settings apply across platforms, i.e. they are applied to all devices, such as desktop computers or mobile devices.
Online social media presence
We maintain online presences on social networks and platforms in order to communicate with active customers, interested parties, and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Integration of third-party services and content
We use within our online offer, on the basis of our legitimate interests (i.e., interest in the analysis, optimization and economic operation of our website for the purposes of article 6 par. 1 lit. f. GDPR), content or services from third-party providers in order to include their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”).
This always presupposes that the third-party providers of this content can see the IP address of users, since without the IP address they would not be able to send the content to the users’ browsers. The IP address is, therefore, necessary to display this content. We strive to only use content whose respective provider uses the IP address solely for the delivery of content. Third-party providers may also use so called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offering. It may also be linked to such information from other sources.
We integrate the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt Out: https://adssettings.google.com/authenticated.
We integrate the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In particular, the IP addresses and location data of the users can be included in the processed data; they are, however, not collected without their consent (as a rule given in the context of the settings of their mobile devices). The data can be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, Opt Out: https://adssettings.google.com/authenticated.
Adobe Typekit fonts
We use, on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 par. 1 lit. f GDPR), external “Typekit” fonts of the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).