In the following we inform you of our processing of your personal data and of the claims and rights to which you are entitled under the pertinent data protection regulations.
Personal data means all data that refer to you personally, e.g. name, address, email addresses, user behaviour. Which data are specifically processed and the way in which they are used depends largely on the services used.
1. Who is responsible for data processing and whom can I contact?
ifp Privates Institut für Produktqualität GmbH
030 / 74 73 33 - 0
030 / 74 73 33 - 4999
You can contact our company’s Data Protection Officer here:
mip Consult GmbH
Rechtsanwalt Asmus Eggert
030 / 74 73 33 - 0
2. What sources and data do we use?
We process personal data that we receive as part of your use of our website and as part of any business relationship we may have with you.
If you use the website for information purposes only, i.e. if you do not sign up or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. When you visit our website, we collect the following access data, which are technically necessary for us to display our website to you and to guarantee stability and security. The access data include the IP address, date and time of the request, time zone difference from Greenwich Mean Time (GMT), content of the request (i.e. name of the specifically retrieved webpage), access status/HTTP status code, the amount of data transmitted in each case, referrer URL (previously visited page), browser type and version, operating system and its interface, language and version of the browser software, message regarding successful retrieval. We anonymise the IP address in the web server logfile by replacing the last three numbers of the IP address with random values.
We also receive your personal data if you contact us using the contact form or by email. Personal data in this case include name and email, and any additional data that you provide us with in the text of your contact request or in the signature of your email (hereinafter referred to as “contact data”).
3. What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), for the following purposes and on the following legal bases:
| Purpose of processing | Legal basis |
|---|---|
| If you have given us your consent to process personal data for different purposes, in particular for the purpose of establishing contact (e.g. via our contact form or by email for processing and handling the request, mailing newsletters, advertising by telephone, email, SMS, etc.), the legitimacy of such processing derives from your consent. You may revoke your consent at any time. Please note that such revocation only has future effect. Processing that took place before the revocation is not affected by this. | Consent, Art. 6 (1a) GDPR |
| When contacting us (via contact form or by email), in addition to any consent granted to the processing and handling of the contact request, your details are also processed on the basis of actions taken prefatory to conclusion of contract, Art. 6 (1b) GDPR. | Performance of pre-contractual measures at the request of the person, Art. 6 (1b) GDPR |
| We process your access data (see paragraph 2 above) in order to safeguard our own legitimate interests or those of third parties. In so doing we pursue the following legitimate interests in particular: | In the context of balancing interests, for safeguarding legitimate interests, Art. 6 (1f) GDPR |
| When you contact us by email in connection with your application, we will process your data to assess your suitability for the position (or any other vacant position in our companies, where relevant) and for the recruitment process. Your application data are reviewed by the HR department after receipt of your job application. Suitable applications are then transmitted in-house to the departmental heads responsible for the respective vacant positions. They will decide about the further procedure. In our company, in principle only persons who require your data for the proper conduct of the recruitment process have access to your data. | Establishment of an employment relationship, section 26 of the German Data Protection Act (BDSG) and after completion of the recruitment process, should an application not be successful, for safeguarding legitimate interests, Article 6(1f) GDPR (defence against claims), provided consent has been granted, Article 6(1a) GDPR |
4. Who will receive my data?
Within the company, the departments that need access to your data in order to fulfil our contractual and legal obligations are granted access to it.
The processors that we use (Art. 28 GDPR) may also receive data for the above purposes. These include companies involved in IT services, logistics, payment services, printing services, telecommunications, debt collection, advisory services and consulting, as well as sales and marketing. If we use processors in order to provide our services, we take appropriate legal precautions as well as appropriate technical and organisational measures in order to ensure that the personal data are protected in accordance with the applicable legal provisions.
We will only pass on data to third parties within the scope of legal requirements. We will only pass on user data to third parties if so doing is required for contractual purposes e.g. on the basis of Art. 6 (1) (b) GDPR or on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR in the commercial and effective operation of our business, or if you have consented to the data transmission. If the website is used for informational purposes only, we do not pass on data to third parties as a general rule.
5. How long will my data be stored?
Log file information is stored for a maximum of four weeks for security reasons (e.g. to investigate instances of misuse or fraud) and then deleted (see paragraph 2 above). Data whose further retention is required for evidentiary purposes are exempted from deletion until the relevant incident has been clarified with final effect.
If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for instance, the initiation and processing of a contract via the contact form or by email.
If an application is not successful, the applicant’s data are deleted after six months. If you have consented to the further storage of your personal data, we will include your data in our pool of applications. The data in this pool will be deleted as soon as you withdraw your consent, but after five years at the latest. If we decide to appoint you to the vacant position, your data will be saved in our HR management system.
In addition, we are subject to various retention and documentation obligations that derive from the German Commercial Code (HGB) and the German Tax Code (AO), among other sources. The period for retention/documentation specified therein can range from two to ten years.
Finally, the retention period is also assessed on the basis of statutory limitation periods. According to §§ 195 et seqq. of the German Civil Code (BGB), the regular limitation period is three years, yet in certain cases limitation periods range up to thirty years.
6. Are data transmitted to a third country or an international organisation?
The data provided are processed within the European Union and in the United States. Please note that for recipients of your data in countries lacking an adequacy decision by the Commission according to Article 45 of the GDPR, as is the case for the United States, we either ensure that they are certified according to the EU-US Privacy Shield (as is the case for e.g. Google), or have entered into EU standard data protection clauses with these recipients. This is done in order to protect your data and to achieve an adequate level of protection for your personal data. You have the opportunity to obtain or view a copy of the EU standard data protection clauses. If necessary, please contact us using the contact details provided in paragraph 1 above.
7. What data protection rights do I have?
Every data subject has
- the right to information according to Art. 15 GDPR,
- the right to correction according to Art. 16 GDPR,
- the right to deletion according to Art. 17 GDPR,
- the right to restrict processing according to Art. 18 GDPR and
- the right to data portability according to Art. 20 GDPR.
You may also revoke consents given, in principle with future effect.
In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
We would also like to point out your right to object according to Art. 21 GDPR:
Information about your right to object according to Art. 21 GDPR
You have the right to lodge an objection to the processing of personal data concerning you at any time for reasons arising from your particular situation where such processing occurs on the basis of Article 6 (1) (e) of the GDPR (data processing in the public interest) and Article 6 (1) (f) of the GDPR (data processing based on a balancing of interests); the foregoing also applies to any profiling based on this provision within the meaning of Article 4 (4) GDPR that we use for purposes of questionnaire evaluation or advertising purposes.
If you lodge an objection, we will no longer process your personal data unless we are able to demonstrate compelling grounds worthy of protection for such processing that override your interests, rights and freedoms, or where the processing serves the assertion, exercise or defence of legal claims.
In individual cases, we process your personal data in order to engage in direct marketing. You have the right to lodge an objection at any time against the processing of personal data concerning you for purposes of such advertising; the foregoing also applies to profiling insofar as it is related to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection need not observe any formalities and no costs are incurred other than the transmission costs based on standard rates.
If possible, the objection should be addressed to:
ifp Privates Institut für Produktqualität GmbH
Data Protection Officer
Wagner-Régeny-Str. 8 12489 Berlin
or by email to:
8. To what extent is there automated decision-making, including profiling, in individual cases?
When accessing our website or as part of establishing contact via a form or email, we generally do not utilise any fully automated decision-making pursuant to Article 22 of the GDPR. Should we utilise these procedures in individual cases, we will inform you separately, insofar as doing so is required by law. We do not engage in automated processing of your data with the objective of evaluating certain personal aspects (profiling).
9. Is there an obligation for me to provide data?
As part of our website, you must provide the personal data necessary for the use of our website for technical or IT security reasons. Unless you provide the aforementioned data, you cannot use our website.
When establishing contact using a form or by email, you need only provide the personal data required in order to process your request. Without these data, we are unable to process your request.
The following is to inform you of our newsletter as well as the sign-up, mailing and evaluation procedure, and to provide clarification regarding your right to object. If you subscribe to our newsletter, you agree to receive the newsletter and to the procedures described.
Newsletter content: We send newsletters, emails and other electronic notifications containing advertising information (hereinafter “newsletters”) only on the basis of the recipients’ consent or where allowed by law. If we specifically describe individual newsletters as part of the sign-up, this description is material to the consent of a newsletter customer. If no separate description is provided, in our newsletters you will receive information about our products, offers and promotions, as well as information about our company.
Double opt-in: Subscribing to our newsletter takes place via what is referred to as a double opt-in procedure. This means that after signing up for our newsletter, we will send you an email in which we ask you to confirm your subscription. This confirmation serves to ensure that only those who in fact have access to the specified email address sign up for our newsletter. We keep a log of newsletter subscriptions in order to be able to document the sign-up process in accordance with legal requirements. This includes storing the time of sign-up and confirmation, as well as the IP address. Changes made to your data stored by the mailing provider will also be logged.
The newsletter is distributed via AcyMailing, a newsletter mailing platform owned by Acyba, 12 Avenue Tony Garnier, 69007 Lyon, France. The data protection regulations of the mailing provider can be viewed here: https://www.acyba.com/privacy-policy.html.
According to its own disclosures, the mailing provider does not store any newsletter recipient data (https://www.acyba.com/acymailing/541-how-to-configure-acymailing-to-be-compliant-with-the-gdpr.html). The user data of our newsletter recipients are stored exclusively on our website and in our databases.
To subscribe to the newsletter, simply enter your email address. Optionally, we ask you to enter a name, title (Mr/Mrs) and your federal state so that we can address you personally in the newsletter.
The newsletters contain what are referred to as “web beacons”, i.e. a pixel-sized file that is downloaded from the server of the newsletter mailing platform when the newsletter is opened. As part of this download, initially technical information is collected, such as information about the browser and your system, as well as your IP address and the time of download. This information is used in order to technically improve the service on the basis of the technical data or the target groups and their reading behaviour, with reference to download locations (which can be determined using the IP address) or download times. Statistical data collection also includes determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be linked to individual newsletter recipients. However, neither the newsletter mailing platform nor we are interested in observing individual users. Rather, the evaluations serve to ascertain the reading habits of our users and to adapt our content to those habits.
Newsletter mailing and success metrics are carried out on the basis of recipient consent under data protection law pursuant to Art. 6 (1a), Art. 7 GDPR, and under competition law pursuant to § 7 (2) (3) German Law Against Unfair Competition (UWG) and on the basis of the statutory authorisation enshrined in § 7 (3) UWG.
The registration procedure is logged on the basis of our legitimate interests pursuant to Art. 6 (1f) GDPR and serves as proof of consent to receive the newsletter.
You may cancel your subscription to our newsletter at any time, i.e. revoke your consent. You will find an “unsubscribe” link at the end of each newsletter. If users have only subscribed to the newsletter and then cancelled this subscription, their personal data will be deleted.
11. Whistleblower System
Compliance with laws and internal regulations is a top priority for our company. Against this background, we have supplemented our compliance system with a whistleblower system. Employees, business partners and third parties can anonymously report irregular behavior at any time.
We use a whistleblower system developed in-house. Our whistleblower system allows anonymous reports to be made. To submit a report via our whistleblower portal, all you need to do is provide information on the location, time and circumstances of the reportable matter in the description of the facts. Your report will be transmitted in encrypted and anonymous form, i.e. without assignment to a user. Your IP address will only be used for the technically necessary communication and will be deleted after the end of the communication.
You can voluntarily disclose personal data about yourself as part of the reporting process. If you do not provide any personal data, the case handlers will not be able to establish a personal reference to you.
In order to receive and clarify serious suspected cases of rule violations, the following data may (optionally) be processed as part of the whistleblower system: Information about the accused person (e.g. surname, first name, position and employment details), information about the alleged breaches of conduct. We ask reporting individuals to refrain from providing sensitive information about the accused individuals unless it is necessary to describe their concerns. However, we cannot exclude the receipt and thus the processing of special category personal data as defined in Art. 9 GDPR.
The establishment of the whistleblower portal serves to fulfill our legal obligations pursuant to Art. 6 (1) lit. c GDPR in conjunction with Directive (EU) 2019/1937. Furthermore, we base the processing of personal data on our legitimate interest in adequately preventing and combating corruption pursuant to Art. 6 (1) lit. f GDPR. By submitting the reporting form, the persons providing information declare their consent to data processing relating to them, provided that they specify their personal data in the report (Art. 6 para. 1 lit. a GDPR). This consent can be revoked at any time with effect for the future.
13. Google Analytics
Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law, see https://www.privacyshield.gov/.
Google will use this information on our behalf in order to evaluate our users’ use of our website, to compile reports on the activities occurring on the website and in order to provide us with additional services related to the use of this website. In so doing, pseudonymous usage profiles of users may be created from the data processed.
We use Google Analytics with activated IP anonymisation. This means that the IP address of the user is shortened by Google within the member states of the European Union or in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the United States and abbreviated there.
The IP address sent by your browser will not be merged with other data from Google. Users can prevent cookies from being stored by configuring their browser software accordingly; in addition, users can prevent Google from collecting the data generated by the cookie regarding their use of the website and can prevent Google from processing these data by downloading and installing the browser plugin available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
For more information about Google's use of data as well as configuration and objection options, please visit Google’s website: https://www.google.de
14. Other services
On our website we rely on services offered by third parties in the context of our legitimate interests within the meaning of Art. 6 (1f) GDPR, i.e. our interest in an optimal website. User IP addresses are transmitted to these third-party providers in so doing. The IP address is technically necessary in order to display the contents. Third-party providers may use what are referred to as web pixels (invisible graphics that are also referred to as “web beacons”) for evaluation or marketing purposes. The web pixels allow information, such as visitor traffic to the website, to be evaluated. The third parties may store information on user devices in the form of cookies.
We use the following third-party providers on our website:
15. Further privacy statements:
Data protection information for the service