Data Protection Policy

Contents:

I. Controller within the meaning of data protection laws
II. Data protection officer
III. General information about data processing
IV. Automatic data processing when accessing the website www.vindelici.com
V. Use of cookies
VI. Processing personal data via e-mail
VII. Processing personal via telephone
VIII. Processing personal data acquired by handing over business cards
IX. Processing personal data within job application procedures
X. Supplementary Information on online social media presence
XI. Matomo
XII. Google Maps
XIII. Rights of the data subject

Our data processing
When you use the website www.vindelici.com and its functions, make contact and send a request, you send us personal data which we process for the purpose of responding to your requests. We handle these data in accordance with data protection laws strictly for the intended purpose only.

I. The controller within the meaning of data protection laws is

Vindelici Advisors AG
Au­stra­ße 35
D-86153 Augs­burg

Telefon-Nr.: +49 (0) 821 / 20 70 80 – 0
E-Mail: info@vindelici.com

Represented by:
Ul­rich Hug­gen­ber­ger, Dr. Michael Hofmann, Mar­tin Hug­gen­ber­ger, Leonis Petschmann

II. Data protection officer

We have appointed a data protection officer for our company:

Fly-tech IT GmbH & Co. KG
Winterbruckenweg 58
86316 Friedberg
datenschutz@xitaso.com

III. General information about data processing

Scope of processing of personal data in general

As a basic principle, we only process personal data if this is necessary to provide a functional website along with our content and services.

Legal basis for processing personal data

The legal basis for processing this personal data can be found in the General Data Protection Regulation, Article 6(1)(a)-(f) GDPR.

If the data subject has given consent, the legal basis is Article 6(1)(a) GDPR.

Article 6(1)(b) GDPR is the legal basis for processing personal data as required for the performance of a contract to which the data subject is party or in ordert o take steps at the request of the data subject prior to entering into a contract.

If processing is necessary for compliance with a legal obligation of the controller, the legal basis is Article 6(1)(c) GDPR.

If vital interests of the data subject or another natural person make it necessary to process data, the legal basis is Article 6(1)(d) GDPR.

If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis is Article 6(1)(e) GDPR.

If processing is necessary to protect a legitimate interest of our company and overrides the interests, fundamental freedoms or fundamental rights of the data subject, the legal basis is Article 6(1)(f) GDPR.

Provision of personal data required to conclude a contract or based on statutory retention obligations

When you contact us, we collect personal data. We store these data partly due to legal requirements and partly for the purpose of concluding a contract. If you want to conclude a contract with us, you must provide us with your data so that we can provide our services to you. Tax and commercial law considerations also result in statutory retention obligations which we have to meet. Otherwise, we may be unable to provide you with our service.

Before providing your personal data, you can feel free to get in touch with your contact person in our company to find out whether we will need your data to conclude a contract and/or to meet our statutory retention obligations and what will happen if you do not provide us with the data.

Data erasure and storage period

We will store your personal data as long as this is necessary to fulfill a purpose or the storage of the data is mandatory based on legal requirements according to Article 6(1)(c) GDPR.
If the purpose for storing personal data no longer applies, these data will be erased after 6 months or processing will be restricted unless it is necessary to continue storing the data in order to conclude or fulfill a contract.
These data will only be stored otherwise if this has been stipulated by the European or national legislator.

SSL or TLS encryption

We use SSL or TLS encryption on the entire website for security reasons on the one hand and to protect your confidential data on the other.
Confidential data such as, for example, requests or orders that you have sent to us cannot be viewed by third parties as a result of this encryption.
You can recognize an encrypted connection from the address bar of the browser changing from “http://” to “https://” and a green padlock icon being displayed in the address bar.

IV. Automatic data processing when accessing the website www.vindelici.com

IP adress

1. Description and scope of data processing
   When accessing this website, requests are sent to the server which it must answer. Your IP address must be collected and processed for this purpose in order to enable the server to respond to the corresponding requests.
2. Legal basis for data processing
   The legal basis for processing these data is Article 6(1)(f) GDPR.
3. Purpose of data processing
   The purpose of processing your IP address is to ensure that the website functions correctly and to enable you to access it.
4. Legitimate interest
   The legitimate interest in the temporary storage of the IP address is that the website cannot function and access to the website is not possible without it.
5. Duration of storage
   The data will be erased again as soon as it is no longer necessary for them to be stored due to fulfillment of the purpose.
   Where the collection of data for providing the website is concerned, this is the case when the access procedure is completed.
6. Recipients of personal data
   The IP address is processed by the following hosting provider as subcontractor based on a processing agreement pursuant to Article 28(2) and (4) GDPR:

MXP GmbH
Ulmer Landstraße 333
86391 Stadtbergen near Augsburg

Hosting

1. Description and scope of data processing
   We use the services of our hosting provider for the technical implementation and accessibility of the website and for the technical maintenance thereof.
   This includes the provision of storage and database services and the maintenance and updating thereof.
2. Legal basis for data processing
   The legal basis for processing these data is Article 6(1)(f) GDPR.
3. Purpose of data processing
   The purpose of processing is the implementation of the website and the detection of malfunctions and intrusion attempts.
4. Legitimate interest
   The legitimate interest in mandating the hosting provider is the external technical expertise and the provision of a functional and uncompromised technical website environment.
5. Recipients of personal data and data categories:

The following hosting provider is active for us as a subcontractor based on a processing agreement pursuant to Article 28(2) and (4) GDPR:

MXP GmbH
Ulmer Landstraße 333
86391 Stadtbergen near Augsburg

The data categories concerned are:

User data
Communikation data
Contact data
Contract data

Server log files

1. Description and scope of data processing
   The IP addresses collected when accessing this website are also stored in what are referred to as server log files in order to discover and eliminate technical faults and/or attempts to manipulate and break into the server structure.

The hosting provider of this website also automatically collects, stores and processes information in server log files that is sent automatically by your browser.

This information comprises:

IP adress
Browser type und browser version
Operating system used
Referrer URL
Host name of the accessing computer
Time of server request

However, this information is not merged with other data sources.

2. Legal basis for data processing
   The legal basis for processing these data is Article 6(1)(f) GDPR.
3. Purpose of data processing
   The purpose of processing your IP address and the aforementioned information is to detect malfunctions and intrusion attempts.
4. Legitimate interest
   The legitimate interest in processing the IP address and the aforementioned information is the provision of a functional and uncompromised technical website environment.
5. Duration of storage
   The data will be erased again within 7 days.
6. Recipients of personal data
   The IP address and the aforementioned information are processed by the following hosting provider as subcontractor based on a processing agreement pursuant to Article 28(2) and (4) GDPR:

MXP GmbH
Ulmer Landstraße 333
86391 Stadtbergen near Augsburg

V. Use of cookies

1. Description and scope of data processing
   The website www.vindelici.com uses “cookies”. Cookies are text files that are stored in the memory and/or on a data carrier of the device you use to visit the site and that are processed by your Internet browser in accordance with the settings stored therein.
2. Legal basis for data processing
   The legal basis for processing is Article 6(1)(f) GDPR.
3. Purpose of data processing
   These cookies contain technical information enabling the website functions to be provided within the scope of using the website. This ensures the technical implementation of the website.
4. Legitimate interest according to Article 6(1)(f) GDPR
   The cookies used contain technical data only. The use of these cookies is necessary for ensuring that our website functions in a way that meets the user’s expectations.
5. Duration of storage as well as objection and removal options
   The cookies used on this website are “session cookies”. They will be automatically deleted from the browser cache/memory by your computer after you have finished visiting the website and/or closed your browser provided you have activated this function in your browser.
   Please also check the settings of your Internet browser (e.g. Firefox, Internet Explorer, Edge, Chrome, Opera, Safari). Your Internet browser also gives you the option of controlling how the cookies are handled or of deactivating them entirely. Cookies that have already been stored may be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website in their entirety.

VI. Processing personal data via e-mail

1. Description and scope of data processing
   In the case of e-mail inquiries, personal data are processed depending on the content of your e-mail:

This always includes your e-mail address and the date, time and content of the message. The following personal data may also be processed depending on the content of your e-mail:

First name, last name
Telephone number

The data are used solely for processing the conversation and/or executing and/or initiating a contractual relationship.

2. Legal basis for data processing
   Based on the express request from the user by e-mail, the legal basis for processing data is Article 6(1)(f) GDPR. If the aim of making contact by e-mail is also to conclude and/or to execute a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
3. Purpose of data processing
   The processing of personal data from your e-mail request only serves the purpose of establishing contact and enabling the company to provide the customer with information on the initiative of the customer.
   Depending on the intention and content of your request, the purpose may also be to initiate and/or execute a contractual relationship.
4. Legitimate interest
   The legitimate interest in data processing is the capability of handling your request and being able to respond to it accordingly. The data collected are processed on the basis of a request sent by you. This processing is also in your interests in order to enable us to respond to your request in a way that meets your expectations.
5. Duration of storage
   The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code). For your e-mail, this is the case when the respective conversation with the user has ended.
   The conversation is ended when it is evident from the circumstances that the situation has been finally clarified.

VII. Processing personal data via telephone

1. Description and scope of data processing
   In the case of telephone inquiries, personal data are processed depending on the content of the conversation:

Depending on the information you provide during the telephone call, this may also include the following personal data:

First name, last name
Telephone number
Customer number
Payment data
Contract data

The data are used solely for processing the conversation and/or executing and/or initiating a contractual relationship.

2. Legal basis for data processing
   Based on the express request from the user by telephone, the legal basis for processing data is Article 6(1) (f) GDPR. If the aim of making contact by telephone is also to conclude and/or to execute a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
3. Purpose of data processing
   The processing of personal data from the telephone conversation only serves the purpose of establishing contact and enabling the company to provide the customer with information on the initiative of the customer.
   Depending on the intention and content of your request, the objective may also be to initiate and/or execute a contractual relationship and to maintain the customer relationship.
4. Legitimate interest
   The legitimate interest in data processing is the capability of handling your request and being able to respond to it accordingly. The data collected are processed on the basis of a request sent by you. This processing is also in your interests in order to enable us to respond to your request in a way that meets your expectations.
5. Duration of storage
   The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code). For your e-mail, this is the case when the respective conversation with the user has ended.
   The conversation is ended when it is evident from the circumstances that the situation has been finally clarified.

VIII. Processing personal data acquired by handing over business cards

1. Description and scope of data processing
   By handing over your business card to us on initial contact, you provided us with your personal data. These are:

Last name, first name
Company
Address of company
Contact data

We process these data in our CRM system.

2. Legal basis for data processing
   The legal basis is contained in Article 6(1)(f) GDPR insofar as you have consented to the data being processed.
3. Purpose of / legitimate interest in data processing
   We process these data to enable business communication and to determine shared business interests and for maintaining a customer relationship.
   We process your personal data only for this purpose and only insofar as you have communicated them to us.
4. Duration of storage
   The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code).

1. Description and scope of data processing
   We provide information about the current vacancies to be filled on a regular basis in job advertisements or on our website. You have the opportunity to apply for these jobs. You can send us your application data either by post or by e-mail.

Data that you send us by post as part of the application procedure may include:

o Name, address and contact details
o Resume including any further details
o Personal letter
o Qualifications
o Interests

If you send us your data by e-mail, we will also process your e-mail address and the date, time and content of the message. The following personal data may also be processed depending on the content of your e-mail:

o First name, last name
o Telephone number

The data are used solely to reach a decision on the vacancy to be filled as part of the application procedure.

2. Legal basis for data processing
   The legal basis for processing the data within job application procedures is Article 6(1)(b) GDPR, § 26(1) BDSG (Federal Data Protection Act).

If you provide us with special categories of personal data within the application procedure such as information on an existing severe disability or health data that are required to assess the possibility of employing you in a certain position, these data provided on your initiative are processed according to Article 9(2)(b), (h) GDPR, Article 26(3) BDSG (Federal Data Protection Act).

3. Purpose of data processing
   The processing of personal data within job application procedures is solely for the purpose of personnel planning and to establish employment relationships.
4. Legitimate interest
   The legitimate interest in data processing is the necessity to fill open vacancies with qualified applicants as part of sustainable personnel planning and company management.
5. Duration of storage
   If an application is rejected, the data will be erased within 6 months of the rejection. Data from successful applications are subject to retention obligations which result from the labor and social law provisions, the German Tax Code (AO) and the German Commercial Code (HGB).

X. Supplementary Information on online social media presence

We maintain online presence within social networks and platforms in order to communicate with customers, interested parties and users active in social media and to inform them about our services.

We would like to point out that this might cause user data to be processed outside the European Union, which can pose risks for users because this might hinder the enforcement of users’ rights, for example. With regard to US providers certified under the Privacy Shield, we would like to point out that they commit themselves to comply with EU data protection standards.

Furthermore, user data are generally processed for market research and advertising purposes. Thus, for example, user profiles can be created from the user behaviour and the associated user interests. The usage profiles can in turn be used, for example, to display advertisements that presumably correspond to the interests of the users both within and outside of the platforms. For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behavior and interests are stored. Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).

The processing of users’ personal data is carried out on the basis of our legitimate interests to effectively offer users information and communicate with users. Article. 6 (1)(f) GDPR. If the users are requested by the respective providers of the platforms for consent to the above-mentioned data processing, the legal basis of the processing is Article 6 (1)(a) and Article 7 GDPR.

For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the information provided by the providers linked below.

We would like to point out that requests for information and the assertion of user rights are also directed most effectively to the providers. Only the providers have access to the user data and can directly take appropriate measures as well as provide information. If you still need further assistance, you can contact us.

– Google / YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated , Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Policy: https://twitter.com/privacy, opt-out: https://twitter.com/personalization , Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.

– LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – Privacy Policy https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.

– Xing (XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany) – Privacy Policy / Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.

XI. Matomo

1. 1. Description, scope and purpose of data processing
      This website uses Matomo (formerly Piwik), an open-source software for the statistical evaluation of visitor access. The supplier of Matomo software is InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand.Matomo uses so-called cookies, text files which are stored on your computer and allow your use of the website to be analysed.

      The information that the cookies generate about your use of the website is stored according to under V. above.

      The IP address is anonymised immediately after processing and prior to storage. You can prevent the installation of cookies by changing the settings in your web browser. Please be advised that the adjusted settings may mean that some website functions may no longer be available.

      You may decide whether an explicit web analytics cookie may be stored on your browser to allow the website provider to collect and analyse various statistical data.

      For more information on the privacy settings of the Matomo software, please visit the following link: https://matomo.org/docs/privacy/.

   2. Legal basis for datat processingThe processing is to safeguard the legitimate interests of the controller (Article 6 (1)(f) GDPR).
   3. Duration of StorageThe deletion of the data takes place as soon as it is no longer necessary for our recording purposes.
   4. Use of Cookies, Opt-Out
      You can prevent the use of cookies by selecting the corresponding settings on your browser; however, we would like to point out that if you do this, you may not be able to fully utilise all functions provided on this website.

      Opt-out for vindelici.com:

1. Profiling
   With the help of the Matomo tracking tool the behaviour of the visitors of the website can be evaluated and the interests analysed. For this we create a pseudonymous user profile.

XII. Google Maps

1. Description and scope of data processing
   This website uses the map service Google Maps through an API. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

Your IP address has to be stored to enable you to use the functions of Google Maps. This information is generally transferred to a Google server in the USA and stored there. The provider of this website has no influence over this data transfer.

Google Maps is used in the interests of making our website more appealing and to make it easier to find the locations specified on the website. This is a legitimate interest within the meaning of Article 6(1)(f) GDPR.

More information on the handling of user data can be found in the Google privacy policy: https://www.google.de/intl/de/policies/privacy/

2. Legal basis for data processing
   The legal basis for data processing is Article 6(1)(f) GDPR.
3. Purpose of data processing
   The purpose of data processing is to make our website more appealing.
4. Legitimate interest
   Our legitimate interest in data processing results from the purpose of offering an appealing web presence and providing you with engaging content on our websites.

XII. Rights of the data subject

If your personal data are being processed, you are the data subject within the meaning of the General Data Protection Regulation. This means you have the following rights against the controller.

In order to exercise your rights against us as the controller, please send an e-mail to the following address: info@vindelici.com

1. Right of access – Article 15 GDPR
   You have the right to request confirmation from the controller as to whether personal data relating to you are being processed.

If such data are being processed, you have the right of access to these personal data and the following information:

the purposes for which the personal data are processed;
the categories of personal data that are processed;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine the storage period;
the existence of the right to request from the controller rectification or erasure of your personal data or the right to restrict their processing or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information as to the source of the personal data where the data are not collected from the data subject;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You are also entitled to request information about whether your personal data are transferred to a third country or to an international organization. In this context, you also have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification – Article 16 GDPR
   You have the right to obtain from the controller without undue delay the rectification and/or completion of the data relating to you if the processed personal data are incorrect or incomplete.
3. Right to erasure – Article 17 GDPR
   Erasure obligation:
   You have the right to request the erasure of your personal data without undue delay where one of the following grounds applies:

your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you have withdrawn your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal ground the processing;
you have objected to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing or you have objected to the processing pursuant to Article 21(2) GDPR;
your personal data have been unlawfully processed;
your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Exceptions:
There is no right to erasure to the extent that processing is necessary

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)
GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
for the establishment, exercise or defense of legal claims.

4. Right to restriction of processing – Article 18 GDPR
   You have the right to request the restriction of processing of the personal data relating to you subject to the following conditions:

if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
if you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing of your personal data has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If there is a restriction of processing based on the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

5. Right to notification – Article 19 GDPR
   If you have asserted one of your rights to rectification, erasure or restriction of processing, we must inform all recipients to whom your personal data have been disclosed of the rectification or erasure of the data or of the restriction of processing unless this proves impossible or involves disproportionate effort.

You also have the right to be notified of these recipients.

6. Right to data portability – Article 20 GDPR
   You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which you have provided the personal data, where
7. a) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
   b) processing is carried out by automated means.

In exercising this right to data portability, you also have the right to have your personal data be transmitted directly from one controller to another, where technically feasible.

7. Right to object – Article 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing serves the purpose of establishing, exercising or defending legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.

8. Right to withdraw the declaration of consent under data protection law
   You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Right to lodge a complaint with a supervisory authority – Article 77 GDPR
   Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of your personal data infringes the General Data Protection Regulation.

The supervisory authority with which you lodge the complaint must inform you as the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

Last update: July 2019.

This Data Protection Policy is updated on a regular basis.