1. contact

Responsible for M1 Select in the sense of the Data Protection Regulation (DSGVO) is:


Organization: M1 Aesthetics GmbH


Address: Lilienthalstr. 3A, 12529 Schönefeld, Germany


Contact e-mail: info@m1-select.de / Phone number: 0800-1114321

For questions about data protection, you can also contact our data protection officer directly: E-mail: datenschutz@m1-select.de / Phone number: 030 347 47 44 92

2. your rights in general

DSGVO with regard to your personal data processed by us. For an explanation of the legal terms, please refer to the applicable definitions in the GDPR (see Article 4 there). If anything remains incomprehensible, please do not hesitate to ask us.

(1) You may revoke any consent you have given us to process or share your data at any time for the future (Article 7(3) DSGVO).

(2) If the legal basis for processing your data is a legitimate interest pursuant to Article 6(1)(f) of the GDPR, you may lodge an objection to the data processing pursuant to Article 21 of the GDPR. Insofar as the relevant data processing is direct marketing, you do not have to justify your objection in any way; in all other cases, you would have to provide reasons for your objection that arise from your particular situation.

(3) If we have stored incorrect information about you, you can request us to correct your data (Article 16 DSGVO).

(4) You can request information from us about which of your data we process (Article 15 DSGVO, Section 34 BDSG).

(5) You may request that we delete your data or restrict its processing, provided that your request does not conflict with any higher-ranking retention obligations (Article 17 or 18 DSGVO, Section 35 BDSG).

(6) You may request that we provide you with the data you have provided to us yourself in a machine-readable format for disclosure to third parties (Article 20 DSGVO).

(7) You may complain to a supervisory authority for data protection, e.g. the Brandenburg State Commissioner for Data Protection and for the Right to Inspect Files, about facts relating to data protection law with us.

3. data processing at our company in general

Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis primarily results from the purpose for which the data is processed. The lawfulness within a legal basis is regularly measured according to the specific scope of the data processing and the measures we have taken to protect your data.

Legal bases for data processing arise from Article 6(1) DSGVO and for data requiring special protection, such as health data, from Article 9(2) DSGVO. These two regulations name the preparation or fulfillment of contractual, legal or even social obligations as the most important legal bases for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless, in view of the specific circumstances, the interests of the data subjects prevail. If one of the previously mentioned types of legal basis is relevant, the processing does not require any further consent from you.

In addition, data processing may be carried out on the basis of consent from you (Article 7 of the GDPR) or for persons under 16 years of age when using information society services (e.g. websites, online games, social media platforms) by the children or adolescents in conjunction with the consent of a legal guardian (Article 8 of the GDPR).

We would like to expressly point out at this point that none of our offers are directed at persons under the age of 16.

This means that our obligation to ask for your consent does not, or not solely, arise from the GDPR but from the stricter law under the EU ePrivacy Directive of 2002 (often called the “Cookie Directive”). The provisions of this directive apply in Germany via the German Telemedia Act (TMG) and the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without expressly referring to them below.

If a data transfer to a state outside the European Economic Area (EEA) takes place, we ensure that data protection is secured in the sense of Articles 44 – 49 DSGVO.

4. Our group of companies

We offer our services in association with M1 Med Beauty Berlin GmbH and other companies of our group, M1 Kliniken AG and various service providers. In principle, each of these organizations / group units is solely responsible for the data it processes.

In the case of various data processing operations, one organization acts for other affiliated companies in a data protection-compliant manner as a processor in accordance with Article 28 DSGVO.

In some constellations, several parties also access shared data, each with their own interests. Such data sharing occurs on the basis of a joint responsibility contract under Article 26 GDPR. Wherever processing takes place in the form of shared responsibility, we will point this out to you in the following description of the individual processing operations.

5. general information about cookies

Our Internet pages use so-called cookies. These are text files that are stored by your browser on your device when you visit a website. Different information can be stored in a cookie. Sometimes a cookie only stores a yes or no (“true” or “false”), sometimes a string of characters is stored that enables the browser to be uniquely identified when the website is called up again (a so-called cookie ID).

The right to set cookies is not determined solely by the GDPR, but also by the EU ePrivacy Directive and Section 15 of the German Telemedia Act (TMG). The ePrivacy Directive distinguishes between cookies that are absolutely necessary (essential) for the operation of the online offer and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent – even if this is not required under the GDPR (and, for example, there is a legitimate interest as a legal basis).

Due to the strict requirements of the ePrivacy Directive, we ask for your consent to set non-essential cookies when you access our website.

The purpose of each cookie and the legal basis for its use under the GDPR can be found in the following description of the individual data processing.

There are various ways for you to prevent the acceptance of cookies on your device:

a) The standard case is likely to be that you decide which cookies you allow and which you do not allow via our consent manager when you call up one of our Internet pages. In some cases, we can only offer you a blanket acceptance or rejection of all cookies or cookie groups.

b) In principle, you can set your browser so that it never accepts cookies. By such a complete exclusion, you will most likely lose functions that are based on cookies and that you would actually like to allow or that do not require consent at all.

c) You can access Internet pages in the private mode of your browser. Private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.

d) Some browsers or browser plug-ins offer you the possibility to make more differentiated default settings as to which cookies you generally want to accept by default and which you do not.

e) A special case: Google offers a browser plug-in that prevents the setting of the various cookies from Google. You can find the corresponding plug-in here: https://tools.google.com/dlpage/gaoptout?hl=de

6. concrete data processing at our company

6.1 Your customer relationship with us

6.1.1 Personal user account (webshop)

Description: You can create a personal user account on our website. Through this account you can manage your purchases from us. We will send you ordered goods and invoices to the addresses stored for this purpose.

For the “Stay logged in” function, which saves you having to enter your login data again on your next visit, we set a cookie called codexToken. This is an essential cookie, the setting of which does not require consent.

Data categories: Login data (name, email address, password), contact data (phone number, address), orders (goods/services, payment and delivery conditions, invoices), date of birth/age, activity history (login, logout, ratings, …), status auto-login.

Data recipient (if applicable, third country transfer): Our service provider for the operation of the customer database, which is obligated to data protection via an order processing agreement, is located in the EEA. Data transfer outside the EEA does not take place.

Purpose + legal basis: The operation of your user account serves the fulfillment of our corresponding user agreement. The legal basis is the fulfillment of our contractual obligations to you.

Storage period: Your customer data remains active until your customer relationship with us ends. After that, we store the data depending on the respective retention obligations that affect our business relationship.

6.1.2 Shopping cart function

Description: Our website offers a shopping cart function, through which services selected by you can be collected and stored before the order process is completed and also without logging in via a personal user account. This function serves to make the use of the ordering process as convenient as possible for you.

The shopping cart function works via a so-called function cookie woocommerce_cart_hash. This means that the shopping cart is not stored in our systems but with you. As soon as the cookie is deleted from your browser, the content of the shopping cart is also deleted. This is an essential cookie, the setting of which does not require consent.

Data categories: User ID (assigned via the cookie in your browser) and activity history (specifically: contents in the shopping cart).

Data recipient (if applicable, third country transfer): None

Purpose + legal basis: The shopping cart cookie is used to recognize you during your movements through our pages and in the event of an interruption of the visit when you return and, if necessary, to read out the contents of the shopping cart and display them to you again or continuously in the ordering process. The legal basis is the preparation of a contract.

Storage period: Until you delete the cookie from your browser or until the expiration date of the cookie, which we have preset to 5 days.

6.1.3 Billing your order

Description: As far as your order is not ordered online from us and paid via credit card or PayPal, we will settle with you via invoice or direct debit (direct debit). Invoices are created and sent internally. We collect direct debit via our house bank. Your payment data is transmitted to us from our webshop in encrypted form and passed on by us in encrypted form to our bank.

Data categories: Your name, your bank details, invoice number, invoice amount.

Data recipient (if applicable, third country transfer): Our house bank, which as a financial service provider is subject to banking secrecy. A transfer to third countries does not take place.

Purpose + legal basis: Payment processing. The legal basis for us is contract fulfillment and is carried out by our house bank within the framework of a legitimate interest, as it is a service provider under the control of banking supervision.

Storage period: Accounting vouchers must be kept for 10 years in accordance with the requirements of tax law (§ 147 AO).

6.1.4 Shipping your order

Description: We send ordered goods by mail, courier service, freight forwarding or a comparable logistics company. Compliance with data protection by these service providers is regulated in the Postal Act as a supplement to the GDPR and is monitored by the Federal Data Protection Commissioner.

In addition to the postal address, shipping service providers nowadays require the e-mail address of the recipient in order to be able to independently transmit notifications about the expected delivery date and an individual tracking code for shipment tracking. The communication established in this way between the logistics company and the consignee facilitates the delivery process for both parties. The logistics companies provide us with the tracking ID so that our service team can answer questions about the shipping status in the event of difficulties with the delivery.

Data categories: Name + address; e-mail address, tracking ID of the logistics company.

Data recipients (if applicable, transfer to third countries): logistics companies that are subject to postal secrecy. A transfer to third countries only takes place if the shipment goes to an address outside the European Economic Area. In these cases, data protection is guaranteed by international agreements on postal secrecy.

Purpose + legal basis: delivery of ordered goods. The legal basis for handing over the postal address is contract fulfillment. The handover of the e-mail address follows a legitimate interest, as a communication of tracking IDs for shipment tracking has become the norm.

Storage period: The documentation of the shipping process must be stored for six years as a business letter in accordance with the requirements of commercial law.

6.1.5 Payment service provider (PayPal)

Description: In our webshop you can pay your order via the financial service provider PayPal. For this purpose, an encrypted connection is established from our webshop to PayPal, via which we communicate a transaction number, a service description as well as the invoice amount to PayPal and forward you to PayPal for the release of your payment. We do not receive any information from PayPal about your bank account or credit card. PayPal only reports back to us when the invoice amount for a transaction number generated by us could be credited to us.

With regard to all processes at PayPal, data protection results from your independent contractual relationship with PayPal.

As a financial service provider, PayPal is subject to European banking supervision. Details on data protection at PayPal can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Data categories: Transaction number, service description (booking text) and invoice amount.

Data recipient (if applicable, third country transfer): PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. A transfer to third countries does not take place.

Purpose + legal basis: Processing of your payment via your PayPal account. The legal basis for both PayPal and us is contract fulfillment.

Storage period: Accounting records must be kept for 10 years in accordance with the requirements of tax law.

6.1.6 Payment service provider Sofortüberweisung (Sofort GmbH)

Description: In our webshop you can pay your order via the service Sofortüberweisung of the financial service provider Sofort GmbH. For this purpose, an encrypted connection is established from our webshop to Sofort GmbH, via which we communicate a transaction number, a service description as well as the invoice amount and forward you to Sofort GmbH for verification of your bank connection data.

We do not record or store any data on your bank connection with us, but only store the corresponding transaction confirmation from Sofort GmbH if the invoice amount for a transaction number generated by us could be credited to us.

With regard to all transactions at Sofort GmbH, data protection results from your independent contractual relationship with Sofort GmbH. In this respect, we only provide the transfer to this independent service provider as a payment option for you.

Sofort GmbH is subject to European banking supervision as a financial service provider. Details on data protection at Sofort GmbH can be found at: https://www.sofort.com/payment/wizard/getCmsContent/data_protection/DE/0/de

Data categories: Transaction number, service description (booking text) and invoice amount.

Data recipient (if applicable, third country transfer): Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany. A transfer to third countries does not take place.

Purpose + legal basis: Processing of your payment via the Sofortüberweisung service. The legal basis for both Sofort GmbH and us is contract fulfillment.

Storage period: Accounting records must be kept for 10 years in accordance with the requirements of tax law.

6.1.7 Payment service provider credit cards (Saferpay)

Description: In our webshop you can pay your order with credit cards. For the processing of credit card payments we use the service Saferpay of the financial service provider Six Payment Services. For this purpose, an encrypted connection is established from our web store to Saferpay, via which we communicate a transaction number, service description and the invoice amount to Saferpay and forward you to Saferpay for verification of your credit card details. We do not collect or store any data on your credit card with us, but only store the corresponding transaction confirmation from Saferpay if the invoice amount was paid for a transaction number generated by us.

As a financial service provider, Six Payment Services is subject to Swiss banking supervision. Details on data protection at Six Payment Services can be found at: https://www.six-payment-services.com/de/services/legal/privacy-statement.html

Data categories: Transaction number, service description (booking text) and invoice amount.

Purpose + legal basis: processing of your payment via credit card. The legal basis for both Klarna and us is contract fulfillment.

Storage period: Booking receipts must be stored for 10 years in accordance with the requirements of tax law.

6.2 Direct communication with us

6.2.1 E-mail communication

Description: When you send us an email, it arrives in at least one of our email inboxes. The content of your e-mail and the metadata accompanying it (sender, time of sending, etc.) are stored on the e-mail servers of our hosting provider. In addition, after retrieval from the server, they may be stored in the email programs on the devices that have access to the mailbox (computers, smartphones, tablets). The same applies to e-mails that we send to you.

The specific processing of personal data in an e-mail depends on the thematic content of the e-mail. It is obvious that we include your data in our contact directory for customers, business partners and other contacts.

Data categories: Name, e-mail address; time of delivery or sending; other metadata that typically arise in e-mail communication; other personal information in the content of the e-mail, such as other contact data in e-mail signatures, inquiries, orders, offers or complaints by e-mail.

Data recipient (third country transfer, if applicable): our service provider for email hosting, which is bound to data protection via an order processing agreement, is located in the EEA, in Germany. Data transfer outside the EEA does not take place in this respect. Insofar as you use a hosting service provider outside the EEA for your mailbox or retrieve our emails from outside the EEA, this is not our responsibility.

Purpose + legal basis: communication by e-mail. Depending on the content of the correspondence, the legal basis is preparation or fulfillment of a contract or a legitimate interest in answering your e-mail.

Storage period: Depending on the content of the correspondence; for example, commercial law requires business letters to be stored for six years, but other documentation requirements may result in longer storage periods.

6.2.2 Telephone calls

Description: When we make a phone call to each other, our telephone system or our cell phones record your number and the time of the call. This data in the call lists is continuously deleted from subsequent calls.

If the content of the call suggests that this is the case, we create a call note and document it in the appropriate place (e.g. in the customer database or for applicants and employees in the HR department). It is conceivable that we will include your data in our contact directory for further communication.

Audio recordings of conversations only take place in exceptional cases and after we have obtained your express consent to do so.

Data categories: Telephone number; time of conversation; content of conversation, if applicable.

Data recipients (if applicable, transfer to third countries): Telecommunications providers covered by telecommunications secrecy. There is no transfer to third countries.

Purpose + legal basis: communication by telephone call. Depending on the content of the conversation, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the conversation. Individual call notes may fall under the commercial law retention obligation for business letters of six years.

6.2.3 Letter post

Description: If you send us a letter, we regularly respond to it with a letter that we create on the computer and save as a file. We often scan your letter in order to archive it as part of digital office management. The specific processing of personal data in our correspondence depends on the thematic content of the letters and the resulting retention obligations. It is conceivable that we will include your data in our contact directory for further communication.

Data categories: Name + address; personal data in the content of the letters such as further contact data in your letterhead, inquiries, orders, offers, complaints or other topics.

Data recipient (if applicable, transfer to third countries): postal service provider. A transfer to third countries only takes place if the shipment goes to an address outside the European Economic Area. In these cases, data protection is guaranteed by international agreements on postal secrecy.

Purpose + legal basis: communication by letter. Depending on the content of the correspondence, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the correspondence; in principle, commercial law requires business letters to be stored for six years.

6.2.4 Fax (classic)

Description: We use a classic fax machine in the form of a telecopier. If you send us a fax, the document is provided by our receiving device as a printout. The device records the sender data you transmit and documents it together with the time of receipt both on the printout and in the device’s journal. If we send you a fax, the journal records the recipient number, time of transmission, number of pages and transmission success.

The security of the transmission corresponds to the security of modern telephone networks, which also transmit fax data as so-called voice/fax over IP. Within the network of a single network provider (e.g. Deutsche Telekom), the data is encrypted; at the network transfer points, transmission is unencrypted.

Data categories: Telephone number, sender name (if applicable), time of transmission or receipt, number of pages, success of transmission; if applicable, personal content of the document sent.

Data recipients (if applicable, transfer to third countries): Telecommunications providers that are subject to telecommunications secrecy. Transfer to third countries does not take place or falls under international laws on telecommunications secrecy.

Purpose + legal basis: Communication by fax. Depending on the content of the conversation, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the document sent; in principle, commercial law requires business letters to be stored for six years.

6.2.5 Business cards

Description: If you give us your business card, we will add your data to our contact directory.

Data categories: Name, contact details (address, telephone, fax, e-mail), your company, your company’s business area, your job title, your area of responsibility, place, time and circumstance of contact, as well as any special notes on your availability or the business topics addressed.

Data recipient (if applicable, third country transfer): Our service provider for the operation of the contact directory, who is obligated to data protection via an order processing agreement, is located in the EEA.

Purpose + legal basis: maintenance of contacts. Legal basis is a legitimate interest, as you have voluntarily given us your business card.

Storage period: We store your data until you ask us to delete it – unless a business relationship has arisen between us in the meantime, from which independent storage obligations arise for us regarding your contact data.

6.3 Visiting our Internet pages

6.3.1 Providing our Internet pages

Description: In order for a web server to provide our website to your browser, the server must collect technical data about your device used for this purpose, your browser and your Internet access. This is referred to as the log file or web log. This is the same data that you necessarily leave behind with every Internet page that you call up. At the center is the IP address from which you call up our pages. To this internet address the web server sends you the data you want to see.

As an editorial system, we use WordPress, which sets a so-called session cookie in your browser for the technical delivery of the pages (PHPSESSID; storage period: end of the current visit to our pages).

Data categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of Internet browser; type and version of operating system.

Data recipient (if applicable, third country transfer): our hosting service provider, which is bound to data protection via an order processing agreement, is located in the EEA. In the event of attacks on our pages, transfer to forensic experts and investigating authorities commissioned by us. A transfer to third countries does not take place in this case.

Purpose + legal basis: Provision of our website as well as investigations in the event of unlawful access to our websites (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the collection of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with circumstantial evidence of how the attack took place. The session cookie is an essential cookie that does not require consent, even according to the ePrivacy Directive.

Storage period: 72 hours // 7 days

Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device, so that we do not have to ask for your consent again when you visit our websites again. You can revise your decision at any time by deleting the corresponding cookie (borlabs-cookie, storage period 1 year) from your device via your browser settings.

Data categories: Consent status (yes/no per cookie for which we need your consent).

Data recipient (third country transfer, if applicable): None.

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as storing the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This cookie may also be set without your consent according to the ePrivacy Directive, as the language choice is considered an essential function.

Storage duration: Until the corresponding cookie is deleted from your browser cache or until the cookie expiration date is reached.

Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device, so that we do not have to ask for your consent again when you visit our websites again. You can revise your decision at any time by deleting the corresponding cookie (borlabs-cookie) from your device via your browser settings.

Data categories: Consent status (yes/no)

Data recipient (third country transfer, if applicable): None.

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as storing the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This cookie may also be set without your consent according to the ePrivacy Directive, as the language choice is considered an essential function.

Storage duration: Until the corresponding cookie is deleted from your browser cache or until the cookie expiration date is reached.

6.3.4 Language setting (Polylang)

Description: We offer our website in multiple languages. For this purpose, we use the WordPress service Polylang, which recognizes your preferred language choice via the settings of your device and accordingly enables the provision of our website in the language that suits you. So that we do not have to go through the analysis of the language choice again when calling up each individual page, Polylang sets a corresponding cookie (pll_language, storage period 1 year).

Data categories: Language choice stored in the device

Data recipient (if applicable, third country transfer): None

Purpose + legal basis: providing the website in your preferred language. Legal basis is a legitimate interest, as we may assume that you want to see the pages in the language that suits you. This cookie may also be set without your consent according to the ePrivacy Directive, as the choice of language is considered an essential function.

Storage duration: Until the corresponding cookie is deleted from your browser cache or until the cookie expiration date is reached.

6.3.5 Contact form

Description: Our Internet pages have a contact form. You can use it to send us messages, e.g. if you do not have your own e-mail address or do not want to use it for the message to us. Your voluntary input is technically sent to us as an e-mail (even if you yourself have not stored an e-mail address as sender).

As soon as you send your message, the data processing corresponds to sending an e-mail to our central contact address. While you are on the website and enter your information in the form, the data processing corresponds to calling up any of our websites.

Data categories: See the processing operations “Provision of a website” and “E-mail communication”.

Data recipients (transfer to third countries, if applicable): See the processing operations “Provision of a website” and “E-mail communication”.

Purpose + legal basis: Provision of a contact form as an additional way to contact us. Depending on the content of your contact, the legal basis is the preparation of a contract performance or a legitimate interest.

Storage period: See the processing operations “Provision of a website” and “E-mail communication”.

6.3.6 Comment function

Description: Our website offers a comment function that allows you to publish your own comments on articles on our pages. The comment function is only available to you if you have previously registered as a user for our site. You can only publish comments if you provide a user name for this purpose.

Data categories: IP address of the device from which the comment was published; time and date of publication; text/content of the published comment.

Data recipients (third country transfer, if applicable): None.

Purpose + legal basis: the purpose of the comment publication is to provide you with a forum for your comments. Legal basis is contract fulfillment; we understand the comment function as a service that we offer you to use. The purpose of logging the IP address and time of publication is to be able to take action, if necessary, against the author of an abusive, specifically discriminatory, statement. In this respect, there is a legitimate interest.

Storage period: We delete your comments at the latest when we delete the article you commented on. However, we also reserve the right to remove your comments at an earlier point in time.

We store the copyright details for at least as long as the comment is published with us; in the event of improper publication, for one year beyond the deletion of the comment.

6.3.7 Online fonts (Google Fonts)

Description: To enable an individual design of our web pages, we use so-called web fonts. Your browser loads these fonts to display our pages from the web server used by us, if the fonts have not yet been loaded in your browser’s memory from a previous visit to a page with this font.

In this respect, it is not an independent processing that goes beyond the processing “providing our Internet pages”. In some cases, we access fonts from external servers, in our case when using the YouTube player or Google Maps on fonts from Google (Google Fonts). Google enables an outstandingly fast provision of the font files and guarantees a provision of the currently optimal font set.

For the download of the fonts from the Google font servers (gstatic.com), your IP address must be transmitted to Google, as otherwise a transmission of the data package is not possible. Google does not receive any other data from you in connection with this processing.

Data categories: IP address from which your device accesses the internet, time

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected as part of Google Fonts is transferred to Google servers in the USA and processed there. In order to be able to guarantee that the data is handled at EU data protection level, Google is currently preparing standard data protection clauses.

Purpose + legal basis: Provision of Google Fonts in a fast and up-to-date form. The legal basis is a legitimate interest, since only the IP address of your device is transmitted as part of this processing, without any further references to your use of the Internet.

Storage period: The storage period is the responsibility of Google. Data deletion on our part is not possible, as we do not collect any data from you through the use of Google Fonts.

6.3.8 Video streaming (YouTube)

Description: Our website shows movies via a video player from YouTube, a subsidiary of Google. When you visit a page equipped with a YouTube player, a connection to YouTube’s servers is established and cookies from Google are set in your browser. This tells Google which of our pages you have visited and which film you have watched. Google sets the following cookies via the YouTube player: CONSENT, GPS, Visitor_Info1_Live, YSC, IDE.

We do not receive any data about your usage behavior regarding this data collection from Google.

If you are logged into your YouTube or Google account while visiting our site, you enable Google to associate your usage behavior directly with your personal profile. You can prevent this by logging out of your account.

For more information on how Google handles your data, please see Google’s privacy policy at https://www.google.de/intl/de/policies/privacy.

Data categories: IP address from which our site was accessed; date and time of access; films accessed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system; Google ID stored in cookies.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected in the context of YouTube use is transferred to Google servers in the USA and processed there. In order to be able to guarantee that the data is handled at EU data protection level, Google is currently preparing standard data protection clauses.

Purpose + legal basis: We use the YouTube player to offer you powerful video streaming. The legal basis for the data transfer to Google is your cookie consent for the YouTube player.

Storage period: The storage period is the responsibility of Google. It is not possible for us to delete data, as we do not collect any data from you through the use of YouTube.

6.3.9 ReCaptcha (Google)

Description: For online registrations on our site, we use the ReCaptcha service from Google to check whether you are a human or a so-called bot. ReCaptcha makes it possible to distinguish between human and automated, abusive entries. By using the ReCaptcha service, data about you is transferred to Google. For this purpose, Google sets the cookie NID (expiration time: 6 months) in the memory of your browser.

Data processing by ReCaptcha is carried out in accordance with Google’s data protection information: https://policies.google.com/privacy.

We do not receive any data from Google about your usage behavior.

Data categories: IP address from which the page is accessed; date and time of access; type and version of internet browser; type and version of operating system; Google ID stored in cookies, but also mouse movements in the ReCaptcha checkbox area.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected as part of the ReCaptcha use is transferred to Google servers in the USA and processed there. In order to be able to guarantee that the data is handled at EU data protection level, Google is currently preparing standard data protection clauses.

Purpose + legal basis: Securing our offer against attacks by bots. The legal basis regarding the data transfer is a legitimate interest, as there is a high interest in securing our infrastructure.

Storage period: The storage period is the responsibility of Google. We do not need to delete any data, as we do not collect any data from you through the use of ReCaptcha.

6.3.10 Analysis of usage behavior (Google Analytics)

Description: We use the web analytics service Google Analytics. On our behalf, Google creates statistical reports about the activities on our website, the regional origin of visitors and technical parameters of the devices used to visit our pages.

We use Analytics with the extension “anonymizeIP” so that the IP addresses are only processed in abbreviated form in order to exclude direct personal references. Through IP anonymization, the end of your IP address is replaced by zeros by Google within the European Union before the data is transferred to the USA. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

We do not link the data we collect via Google Analytics with personal data we collect in other ways. Google is also prohibited from using the data for its own purposes or from combining it with data collected elsewhere. Google only provides us with the data in an anonymized and statistical form, so that we ourselves do not have our own access to data characteristics that could enable the identification of individual persons. We have linked our Analytics account with our marketing account at Google and thus enable Google to play out ads for us in a more target group-specific manner. In addition, we can thus better understand which advertising measure had which success. See the processing “Google Ads” and there the corresponding note on our joint responsibility with Google within the meaning of Article 26 DSGVO.

Google Analytics uses cookies to bundle the usage data from your browser. This gives us the opportunity to determine the quota of returning visitors or to be able to trace usage paths within our websites.

The Analytics cookies are named _ga (to recognize returning visitors), _gid (to be able to form statistical groups) and _gat (to reduce data matching with advanced Google features).

For comprehensive information about how Google uses the data it collects, see Google’s privacy information (https://policies.google.com/privacy) and Google’s information about cookies (https://policies.google.com/technologies/cookies).

Data categories: IP address through which the device goes online; location or country linked to the IP address and Internet service provider for Internet access; date and time of access; objects on our website called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; websites from which the user has accessed our website; websites that the user calls up from our website; Google ID stored in the cookie.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google is obligated to us to observe data protection via an order processing contract in accordance with Article 28 DSGVO. The information collected by the cookies is transferred to Google servers in the USA and stored there. For the cases in which personal data is transferred to the USA despite the restrictions made, such as the anonymization of IP addresses: In order to be able to guarantee that the data is handled at EU data protection level, Google is currently preparing standard data protection clauses.

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our Internet offering based on the analysis findings.

The legal basis is a legitimate interest arising from the fact that the personal reference of the collected data is greatly reduced, for example, by anonymizing the IP addresses, that the data is not combined by us with other data collections, and that visitors to our Internet pages have various options for preventing the collection by Google Analytics cookies. Regardless of this, in view of the requirements of the ePrivacy Directive, we ask for your consent for the setting of Google cookies via our cookie manager.

Storage period: 14 months (Reason: This storage period allows us to export annual reports).

6.3.11 Analysis of usage behavior (Facebook)

Description: Our web pages set cookies from Facebook, which are often also called Facebook Pixel. By doing so, we provide Facebook with data about your use of our site. In this way, we enable Facebook to provide ads for us within Facebook and Instagram in a more targeted manner.

The corresponding data is only transferred to Facebook if you consent to the setting of the corresponding cookies. The names of the Facebook cookies are: AA003, ATN, _fbp, fr.

For comprehensive information about the use of data collected by Facebook, please refer to Facebook’s privacy information: https://www.facebook.com/policy.php

Data categories: IP address through which the device goes online; location or country linked to the IP address, as well as Internet service provider for Internet access; date and time of access; objects on our website accessed (clicked on) in the browser; type and version of Internet browser; type and version of operating system; websites from which the user accessed our website; websites that the user accesses from our website; Facebook ID stored in the cookie.

Data recipient (if applicable, third country transfer): Facebook Inc., addressable to us as a European organization via Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook is obligated to us to observe data protection via a contract for commissioned processing in accordance with Article 28 DSGVO. Insofar as data is transferred to the USA, Facebook is still working on standard data protection clauses in order to guarantee that the data is handled at EU data protection level.

Purpose + legal basis: The purpose of the data transfer to Facebook is to be able to provide ads on Facebook and Instagram that are as target group-specific as possible. The legal basis is your consent, which you have given via our Cookie Manager.

Storage period: The storage period is the responsibility of Facebook. It is not necessary for us to delete your data, as we do not collect any data from you ourselves through the use of the Facebook pixel.

6.3.12 Analysis of usage behavior (Microsoft Bing)

Description: Our web pages set cookies from Microsoft’s search engine Bing. By doing so, we provide Microsoft with data about your use of our site. In this way, we enable Microsoft to provide ads for us on Bing hit lists in a more targeted manner and to document the success of the ads.

The corresponding data is only transferred to Microsoft if you agree to the setting of the corresponding cookies. The names of the cookies for Bing Ads are: MUID (storage time: 1 year), MUIDB, MR.

For comprehensive information about the use of data collected by Microsoft, please refer to Microsoft’s privacy information: https://privacy.microsoft.com/de-de/privacystatement

Data categories: IP address through which the device goes online; location or country linked to the IP address, as well as Internet service provider for Internet access; date and time of access; objects on our website called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; websites from which the user accessed our website; websites that the user calls up from our website; Bing ID stored in the cookie.

Data recipient (if applicable, third country transfer): Microsoft Corp, contactable for us as a European organization via Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via a data processing contract.

Purpose + legal basis: The purpose of passing on data to Microsoft is to be able to provide advertisements on Bing that are as appropriate to the target group as possible and to document the success of the advertising media. The legal basis is your consent, which you have given via our Cookie Manager.

Storage period: Microsoft is responsible for the storage period, which is 18 months. It is not necessary for us to delete your data, as we do not collect any data from you ourselves through the use of Microsoft cookies.

6.4 Marketing communications

6.4.1 Newsletter registration

Description: You can subscribe to our email newsletter. To do this, you only need to provide an e-mail address. Other information, such as your name, is voluntary and is used so that we can personalize the sending of the e-mails with a direct salutation.

If you register online for the newsletter, you will receive a one-time e-mail from us to the e-mail address you provided, in which we ask you to confirm your registration. This is to prevent you from being signed up for our newsletter by someone who does not or should not have access to this address at all. This two-step process is called double opt-in for double consent.

By subscribing to our newsletter, you consent, both under data protection law and competition law, to us sending you emails on the subject matter described on the subscription page.

You can revoke your registration and thus your consent at any time for the future. This is possible via the corresponding function on our website as well as via the corresponding link at the end of each newsletter sent by us.

We record the use of our newsletter via so-called counting pixels and campaign URLs for the internet links in the newsletter. The counting pixel calls our newsletter server when you open the e-mail. The call of the internet links in the newsletter is recorded via the campaign mapping in our web analytics.

Data categories: Email address, documentation of email verification (double opt-in), time of your registration; your name (voluntary), your date of birth (voluntary); usage data (opening the email + clicking on internet links).

Data recipient (third country transfer, if applicable): our service provider for newsletter dispatch, who is bound to data protection via an order processing agreement. The service provider is located in the EEA, data transfer outside the EEA does not take place.

Purpose + legal basis: Provision of an email newsletter and optimization of our newsletter content. Legal basis is your consent.

Storage period: After revocation of your consent, your data will be deleted immediately.

6.4.2 Telemarketing (B2C)

Description: Insofar as a consumer (B2C) has given consent for promotional calls by us, we also offer you our services by telephone call (telemarketing). The calls are made by a call center on our behalf.

The details of the calls follow the processing “Customer database (CRM)” and “Telephone calls”.

Data categories: Name, telephone number, existence of consent telemarketing, time of contact.

Data recipient (third country transfer if applicable): none. Our service provider for the calls, who is obligated to data protection via an order processing agreement. The service provider is located in Germany, there is no data transfer outside the EEA.

Purpose + legal basis: Personal presentation of the service portfolio and its conditions in a telephone conversation with potential customers whose consent for a call has been obtained. Legal basis is consent.

Storage period: see processing operations “Customer database (CRM)” and “Telephone calls”.

6.4.3 Telemarketing (B2B)

Description: Insofar as a potential business customer (B2B) has given their presumed consent for us to make promotional calls, we will also offer you our services by telephone call (telemarketing). In the case of business customers, we assume corresponding presumed consent if you have contacted us and provided us with your telephone number, for example, as part of a whitepaper download or newsletter registration. The calls are made by a call center on our behalf.

The details of the calls follow the processing “Customer database (CRM)” and “Phone calls”.

Data categories: Name, phone number, company/organization, existence of marketing consent, order whitepaper, time of contact.

Data recipient (if applicable, third country transfer): None Our service provider for the calls, who is obligated to data protection via an order processing agreement. The service provider is located in Germany, there is no data transfer outside the EEA.

Purpose + legal basis: Personal presentation of the service portfolio and its conditions in a telephone conversation with potential customers whose consent for a call has been given explicitly or presumably. The legal basis is presumed consent within the meaning of Section 7 (2) No. 2 UWG.

Storage period: see processing operations “Customer database (CRM)” and “Telephone calls”.

6.4.4 Dispatch of catalogs and other information documents

Description: We send information about the products and services of our company publishing house in the form of catalogs, publishing previews and other advertising material by mail to various groups of recipients. The address data for this is partly printed for us by so-called lettershops, which in this respect act for us as order processors within the meaning of the GDPR.

The recipients include private individuals who have requested to receive such information. In addition, recipients include individuals who work for bookstores or institutions in the field of education whose area of expertise coincides with the subject area of our specialist publishing house, who are authors of our publishing house or who have a business relationship with our publishing house in some other way (so-called business-to-business contacts, B2B).

If you wish to stop receiving such company information, we recommend that you have an advertising block set up with us instead of requesting data deletion. If we delete your data, it is possible that your data will be entered into our database again. If we provide your data with an advertising block, we can stop the mailing.

Data categories: Name + address, marketing consent, organization + function/position, business field.

Data recipient (if applicable, third country transfer): None of our service providers for address printing and dispatch (lettershop), who are obligated to data protection via an order processing agreement. The service provider is located in Germany; there is no data transfer outside the EEA.

Postal service provider. A transfer to third countries only takes place if the shipment goes to an address outside the European Economic Area. In these cases, data protection is guaranteed by international agreements on postal secrecy.

Purpose + legal basis: Information about new publications of the publisher Offers of our company. The legal basis is a legitimate interest, since company information by mail is generally permitted under the relevant competition law provisions. However, direct advertising based on a legitimate interest can be objected to in the future without giving reasons. In some cases, the legal basis is a consent given to us.

Storage period: The address data will no longer be stored for sending advertising material as soon as consent is revoked or sending is objected to on the basis of legitimate interest and data deletion is requested.

6.4.5 Sweepstakes participation

Description: We regularly invite people to participate in sweepstakes. Invitations go both to followers on our social media profiles and to recipients of our newsletters.

We record all participants in a list in order to be able to conduct a raffle. The list of participants will be destroyed after notification of the winner.

The winner will be selected without recourse to legal action. Winners will be notified by us via message on Facebook or Instagram or via email or will receive their prize by mail.

For tax reasons, we store the name and contact of the recipient in order to be able to prove correct use of our prize. There will be no further use of the winning addresses.

Data categories: Name, e-mail address, address

Data recipient (if applicable, third country transfer): None

Purpose + legal basis: selection of a raffle winner. Legal basis for the raffle is fulfillment of the free raffle contract. Legal basis for sending digital invitations is the consent given to receive electronic advertising (newsletter registration).

Storage period: For the participant data until notification of the winners; for the winner data six years.

6.4.6 Reviews (Trusted Shops)

Description: We are pleased when our services are evaluated. For this reason, we send all customers who have given us their consent to electronic communication a rating invitation from the service provider Trusted Shops GmbH.

If you follow the invitation to rate our services on the Trusted Shops platform, the rating is submitted as part of a direct relationship between you and Trusted Shops. If you subsequently have questions about the ratings you have submitted, you must contact Trusted Shops directly, as we cannot influence the content of the rating platform.

Information on data protection at Trusted Shops can be found here: https://www.trustedshops.de/impressum/#datenschutz

Data categories: E-mail address, name, assessable service (product or treatment).

Data recipient (if applicable, third country transfer): Trusted Shops Ltd, Markgrafenstraße 11, 10969 Berlin. Trusted Shops is bound to data protection by an order processing contract. A third country transfer does not take place.

Purpose + legal basis: Invitation to evaluation platform to assess our performance. The legal basis is the consent given to Trusted Shops.

Storage period: The storage period is the responsibility of Trusted Shops.

6.4.7 Google Ads

Description: We place ads via Google Ads. To optimize our marketing activities, Google Ads accesses personal data available to Google via cookies and its various analytics services for websites, apps, and the Android and Chrome OS operating systems provided by Google. We ourselves do not have access to the personal data underlying the playout of our ads. We only select general parameters for the target group to which our ads are to be made available. In this respect, we do not process any personal data.

By linking our Google Ads account with our Google Analytics account, we make it easier for Google to recognize interested parties who have already visited our website.

Our internet pages set cookies from Google’s advertising services (Google Ads, Doubleclick). The cookie names are: NID, SID, IDE, DSID, FLC, AID, TAID, exchange_uid, test_cookie, _gads, _gac, _gcl.

The linking of the accounts and the setting of Google’s advertising cookies constitutes a processing of personal data. In this respect, a joint responsibility within the meaning of Article 26 DSGVO arises with regard to the personal data, for which we have concluded a corresponding “controller-controller” contract with Google (https://support.google.com/analytics/answer/9012600).

The contract divides the responsibility between Google and us in such a way that we are responsible for the collection of the analysis data and Google is responsible for the use of the data for advertising purposes. As a result, you should exercise all of your rights with respect to the use of your data within Google Analytics with us and exercise all of your rights with respect to the use of your data for the provision of targeted ads directly with Google.

We cannot provide any information on the details of data processing at Google. Google’s privacy information applies in this regard (https://policies.google.com/privacy).

Data categories: Usage data from Google’s various services, via the cookies to our websites and from our Google Analytics account; target grouping by gender, age groups, regions, areas of interest.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected as part of Google Analytics is transferred to servers in the USA for Google Ads and processed there. In order to be able to guarantee that the data is handled at EU data protection level, Google is currently preparing standard data protection clauses.

Purpose + legal basis: Target group-specific publication of ads. Legal basis is consent, as Google’s cookies are only set in the browser after consent.

Storage period: The storage period is the responsibility of Google. We do not need to delete any data, as we do not collect any data from you through the use of Google Ads.

6.4.8 Facebook Ads

Description: We serve ads through Facebook Ads. To optimize our marketing activities, Facebook accesses personal data that is available to Facebook on its own platform (facebook.com, instagram.com and the associated apps and other Facebook services), via its analytics services for websites and apps, and WhatsApp metadata. We ourselves do not have access to the personal data on which the playout of our ads is based. We only select general parameters for the target group to which our ads are to be made available. In this respect, no processing of personal data takes place by us.

By linking our Facebook Ads account with our company profiles on Facebook and Instagram, we make it easier for Facebook to recognize interested parties who have visited our profiles. In addition, we enable Facebook to make our ads available to people who have a similar usage profile to typical visitors to our pages (so-called lookalike campaigns).

Our own web pages also set cookies from Facebook. See the processing “Analysis of usage behavior (Facebook)”.

We cannot provide any information on the details of data processing at Facebook. In this regard, the data protection information of Facebook applies: https://www.facebook.com/about/privacy

Data categories: Usage data from Facebook’s various services; targeting by gender, age groups, regions, areas of interest.

Data recipient (if applicable, third country transfer): Facebook Inc, for us as a European organization addressable via Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Insofar as data is transferred to the USA, Facebook is still working on standard data protection clauses in order to thus guarantee that the data is handled at EU data protection level.

Purpose + legal basis: Target group-specific publication of ads. The legal basis is the user agreement that you concluded with Facebook when you registered with Facebook.

Storage period: The storage period is the responsibility of Facebook. It is not necessary for us to delete your data, as we do not collect any data from you through the use of Facebook Ads.

6.4.9 Microsoft Ads

Description: We display ads via Microsoft Ads, which are primarily played on the Bing search engine. We ourselves do not have access to the personal data on which the display of our ads is based. We only select general parameters for the target group to which our ads are to be made available. In this respect, we do not process any personal data.

Since our website uses cookies from Microsoft Bing, we make it easier for Microsoft to recognize interested parties who have visited our pages. See the processing “Analysis of user behavior (Microsoft Bing)”.

In addition, we enable Microsoft to make our ads available to people who have a similar usage profile to typical visitors to our sites (so-called lookalike campaigns).

All processing of personal data mentioned here is the sole responsibility of Microsoft.

We are not able to provide any information on the details of data processing at Microsoft. In this regard, the data protection information from Microsoft applies: https://privacy.microsoft.com/de-de/privacystatement

Data categories: Usage data from Microsoft’s various services; targeting by gender, age groups, regions, areas of interest.

Data recipient (if applicable, third country transfer): Microsoft Corp., in Europe addressable via Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland.

Purpose + legal basis: Targeted publication of advertisements. A legal basis is not required, as we do not process any personal data.

Storage period: Not applicable

6.5 Our social media profiles

6.5.1 Facebook and Instagram

Description: We operate company profiles (also called fan pages) on Facebook and Instagram. Such a fan page enables us to present our organization on Facebook or Instagram, to get in touch with you on this social media platform and to refer to our services and offers via ads on these platforms.

Facebook provides us with analytics data about the use of our Fanpage (called Page Insights or Page Insights). This gives us an impression of how successful each of our communication measures is.

For details of data processing by Facebook, please refer to Facebook’s data protection information: https://www.facebook.com/about/privacy.

In accordance with a ruling of the European Court of Justice, the use of this analytics data is carried out under shared responsibility with Facebook pursuant to Article 26 DSGVO. Facebook has provided a shared responsibility agreement accordingly (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Facebook has assumed sole responsibility for all data processing issues. If you wish to exercise your rights under the GDPR with respect to data processed in Page Insights, you should contact Facebook directly through your Facebook account. However, in accordance with the legal rules on shared responsibility, you are also free to contact us with your concern. We would then pass your concern on to Facebook.

Data categories: Facebook username; comments, likes and page views within Facebook or Instagram, as well as time of action.

Data recipient (if applicable, third country transfer): Facebook Inc, for us as a European organization addressable via Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Insofar as data is transferred to the USA, Facebook is still working on standard data protection clauses in order to thus guarantee that the data is handled at EU data protection level.

Purpose + legal basis: Analysis of usage behavior on our fan page or Instagram profile. The legal basis is the consent that you have given in the context of your Facebook registration.

Storage period: The storage period is the responsibility of Facebook.

6.5.2 Twitter

Description: We operate a company profile on Twitter. Such a Twitter profile enables us to present our organization on Twitter, to get in touch with you on this social media platform and to refer to our services and offers via advertisements on these platforms.

Twitter provides us with analytics data about the use of our profile page (Twitter Analytics). This gives us an impression of how successful each of our communication measures is.

For details of data processing at Twitter, please refer to Twitter’s data protection information: https://twitter.com/de/privacy

Data categories: Twitter user name; comments, likes and page views within Twitter as well as time of action.

Data recipient (if applicable, third country transfer): Twitter Inc, for us as a European organization addressable via Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. Insofar as data is transferred to the USA, Twitter is still working on standard data protection clauses in order to thus guarantee that the data is handled at EU data protection level.

Purpose + legal basis: Analysis of usage behavior on our Twitter profile. The legal basis is the consent that you have given as part of your Twitter registration.

Storage period: The storage period is the responsibility of Twitter.

6.5.3 LinkedIn

Description: We operate a company profile on LinkedIn. Such a LinkedIn profile enables us to present our organization on LinkedIn, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

LinkedIn provides us with analytics data about the use of our profile page. This gives us an impression of how successful each of our communication measures is.

The data protection information of LinkedIn applies to the details of data processing at LinkedIn: https://www.linkedin.com/legal/privacy-policy

Data categories: LinkedIn username; comments, likes and page views within LinkedIn as well as time of action.

Data recipient (if applicable, third country transfer): LinkedIn Corp, for us as a European organization addressable via LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. If data is transferred to LinkedIn servers in the USA, LinkedIn has concluded standard contractual clauses with us and thus guarantees that the data is handled at EU data protection level.

Purpose + legal basis: Analysis of usage behavior on our LinkedIn profile. The legal basis is the consent you have given as part of your LinkedIn registration.

Storage period: The storage period is the responsibility of LinkedIn.

6.5.4 Xing

Description: We operate a company profile on Xing. Such a Xing profile enables us to present our organization on Xing, to get in touch with you on this social media platform and to refer to our services and offers via advertisements on these platforms.

Xing provides us with analytics data about the use of our profile page. This gives us an impression of how successful each of our communication measures is.

For details of data processing at Xing, please refer to Xing’s data protection information: https://privacy.xing.com/de/datenschutzerklaerung

Data categories: Xing username; comments, likes and page views within Xing as well as time of action.

Data recipient (if applicable, third country transfer): New Work SE (operator of xing.com), Dammtorstraße 30, 20354 Hamburg. A third country transfer does not take place.

Purpose + legal basis: Analysis of usage behavior on our Xing profile. The legal basis is the consent that you have given as part of your Xing registration.

Storage period: Xing is responsible for the storage period.

6.5.5 TikTok

Description: We operate a company profile at TicToc. Via TicToc we publish information about us, TicToc provides us with statistical data about the usage of our information published there. In addition, you can contact us publicly directly through TicToc – for example, by liking or commenting on our content. When you contact us or comment on our profile, TicToc provides us with data about you, such as your TicToc username that you used to log in to TicToc during your interaction.

We have no possibility to influence the data processing at TicToc. Legally, as the operator of the TicToc profile, we are considered jointly responsible for these data processing operations, so we have entered into standard contractual clauses with TicToc (see: https://www.tiktok.com/legal/privacy-policy?lang=de).

The contract divides the responsibility between TicToc and us in such a way that we are responsible for the creation of a relationship between your data and our TicToc profile and TicToc is responsible for the further processing of the data. You should exercise all your rights with respect to TicToc’s processing of your data directly with TicToc. You should contact us regarding the processing of your data in direct communication with us. Legally, you are free to contact both TicToc and us with any of your concerns at any time, and the recipient will forward your request to the appropriate party as appropriate.

For details of data processing at TicToc, please refer to TicToc’s Privacy Policy (1.: https://www.tiktok.com/legal/privacy-policy?lang=de and the Additional Provisions for Users Residing in the Federal Republic of Germany, available at 2.: https://www.tiktok.com/legal/additional-provisions?lang=de-DE).

We use the personal data we receive from you via TicToc to respond to your comments.

Data categories: We process your name or the username you provide to TicToc, your contact requests, and the content you post on TicToc, such as comments, photos, and videos. For the categories of data processed by TicToc, see TicToc’s privacy statements under the links above.

Data recipients (third country transfer, if applicable): TicToc, with its parent company Beijing Bytedance Technology Ltd, can be contacted by us as a European organization through TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. TikTok is committed to data protection via the standard contractual clauses. To the extent that the EU subsidiary transfers data to the Chinese parent, TikTok has entered into standard data protection clauses with us and thus guarantees that the data will be handled at EU data protection levels.

Purpose + legal basis: The purpose is the legitimate interest in advertising measures, answering your inquiries and responding to your comments on TikTok. The legal basis for the processing by us is a legitimate interest, since you yourself have visited our TikTok -profile and have entered into an exchange with us there.

Storage period: The storage period is the responsibility of TikTok. It is not necessary for us to delete your data, as we do not store any of your data independently through the use of TikTok.

6.6 Suppliers and service providers

6.6.1 Business relationship

Description: From our suppliers and service providers who are self-employed or partnerships, or our contacts at such organizations, we process personal data as a customer in order to be able to communicate with you about the processing of the order.

In addition to the substantive communication, your data is typically processed in the separately described processing operations for “communication with us” (see there).

Data categories: Contact, contract and invoice data

Data recipients (if applicable, third country transfer): tax consultants, auditors, lawyers in their function as professional secrecy holders.

Purpose + legal basis: Proper business management. Legal bases are contract fulfillment as well as legal obligations and legitimate interests.

Storage period: In accordance with tax law, invoice data must be stored for 10 years; contract data must be stored for different periods depending on the type of contract. In the case of copyrights, such periods extend up to 70 years beyond the death of the author.

6.6.2 Mention in publications

Description: In publications published by us, we name authors in accordance with the authors’ right to be named. The naming also extends to the accompanying marketing and public relations work. Where authors represent an institution relevant to the publication, their affiliation with that institution is also mentioned. For some publications, professional contact information for authors is also published as a service to readers.

Data categories: Name, academic title; in some cases institution and professional contact details.

Data recipients (if applicable, transfer to third countries): none

Purpose + legal basis: to make authorship recognizable. For the name, the legal basis is fulfillment of the author contract. For the contact data, the legal basis is a legitimate interest, as only professional contact data for relevant contacts are published here.

Storage period: After delivery of printed publications, subsequent deletion by us is not possible.

6.7 Staffing

6.7.1 Applications

Description: If you apply for a position with us, we will process your application documents until the application process is completed solely for the purpose of deciding whether to hire you. We restrict access to your documents to those persons whom we reasonably involve in the decision on your employment. If you are hired, your application documents will become part of your personnel file. If hiring does not occur, we will either ask for your consent to be included in our candidate pool or return or destroy your records as soon as it is no longer reasonable to expect opposition to our decision under anti-discrimination law.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, educational certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipient (if applicable, third country transfer): our service provider for an applicant database, who is bound to data protection via an order processing agreement. The service provider is located in the EEA; there is no data transfer outside the EEA.

Purpose + legal basis: Decision-making basis for filling vacancies. Legal basis is preparation for fulfillment of a contract (employment contract) and subsequently a legitimate interest in defending objections against negative decisions.

Storage period: 6 months after completion of the original application process.

6.7.2 Candidate pool

Description: If we are not currently able to offer you a suitable position, but would like to consider you again in the selection process for future vacancies, we ask for your consent to retain your application documents beyond the end of the current application process. If we are unable to get back to you for more than two years, we will ask for your consent to keep them again or return or delete your documents.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, training certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipient (if applicable, third country transfer): our service provider for an applicant database, who is bound to data protection via an order processing agreement. The service provider is located in the EEA, data transfer outside the EEA does not take place.

Purpose + legal basis: Decision-making basis for future staffing. Legal basis is consent.

Storage period: 2 years since last contact or last consent.

6.8 General infrastructure

6.8.1 Visitor WLAN

Description: Our cooperation partner provides visitors with access to our WLAN network and thus the Internet. During the required login at the access point for the WLAN network, the unique identifier of your device as well as the usage times are recorded.

For all services that you call up while using our network on the Internet, the IP address of the network is logged. Insofar as there are investigations into activities that originated from our IP address, we are partially obligated to provide the usage documentation in the so-called log file of our access points.

Data categories: MAC address of the device, usage times

Data recipients (if applicable, third country transfer): Normally no recipients besides our cooperation partner; in the case of investigations, competent authorities and, under certain circumstances, private holders of a right to information or forensic experts commissioned by us

Purpose + legal basis: Log files such as this are used to enable and strengthen IT security in our company. The legal basis is legitimate interest, as we only access the WiFi logfile when a security analysis is required. It is only possible for us to assign the WiFi data to specific devices and thus their owners with considerable effort and regularly only with the assistance of police investigations.

Storage period: Our WiFi log file is deleted regularly, at the latest once a year.

6.8.2 Video monitoring

Description: Video cameras are installed in the access area to the business premises of our cooperation partners and within our business premises. Appropriate signs are mounted to inform you about the use of the cameras before you enter the field of view of the lenses.

The cameras record what happens within their field of view around the clock.

Data categories: Video recordings

Data recipient (third country transfer if applicable): Our cooperation partner where the video recordings are stored The cooperation partner is located in the EEA, no data transfer outside the EEA takes place. Exception is if the location of the cooperation partner is outside the EEA.

Purpose + legal basis: Video surveillance serves to prevent and prosecute attacks against the health and life of employees as well as against the property of the organization as well as the employees. Video surveillance also serves to ward off unauthorized access to particularly security-relevant areas of our business premises or, in the event of unauthorized access, to resolve it. The legitimate interest in video surveillance results from the particular dangerous situation or the special security requirements for our organization.

Storage period: The video surveillance recordings are automatically deleted from our servers after 72 hours.

6.8.3 Financial accounting

Description: All payments are recorded in the financial accounting. The person of the payer or payee is documented. In the case of legal entities, this sometimes also includes the names and contact details of contact persons for the transaction. In some cases, the reason for payment also results in statements about persons or the activity of a person (e.g., in the case of salary/fee payments, travel bookings, expense reimbursements)

Data categories: Name, customer or supplier number, bank account or credit card data, reason for payment, travel data (time, destination, accommodation, means of transport, costs), hospitality (date, place/hospitality establishment, persons entertained, reason for hospitality, costs), information on other expenses (purchases, gifts)

Data recipients (if applicable, third country transfer): Our cooperation partner for financial accounting and the accounting database, who is, however, obligated to data protection via an order processing agreement, and our tax advisor as service provider for financial accounting, who is obligated to data protection as a professional secrecy holder by law. A third country transfer does not take place.

Purpose + legal basis: Administration of all payment transactions. Legal basis is contract performance or legal obligation (tax and commercial law).

Storage period: We keep the data in financial accounting for 10 years.

6.8.4 Payment transfers

Description: Payments made through a bank or credit card account from us are documented accordingly in the account statements.

Data categories: Name, bank details, payment date, payment amount, reason for payment (posting text).

Data recipient (if applicable, third country transfer): Our account-holding financial institutions, which are legally bound to data protection via banking secrecy and banking supervision. A third country transfer does not take place.

Purpose + legal basis: Cashless payment transactions; legal basis is contract fulfillment.

Storage period: We keep account statements for 10 years.

6.8.5 IT administration

Description: We use service providers for the administration, maintenance and care of our information technology. These service providers do not deal with the content of the personal data processed by us. But in the maintenance of databases and other system units, personal data may come to the attention of the service providers. All our service providers have been explicitly committed to confidentiality through appropriate contracts, in accordance with the sensitivity of the data to which they may have access.

Data categories: Any type of data

Data recipients (third country transfer, if applicable): IT service providers who have been committed to data protection via an order processing contract or another form of confidentiality obligation. A third country transfer does not take place.

Purpose + legal basis: Use of competent service providers for professional IT administration. The legal basis is a legitimate interest, as the service providers have been committed to data protection via adequate confidentiality obligations.

Storage period: Independent storage does not take place.

6.8.6 Disposal of data carriers and documents

Description: The deletion or destruction of data also constitutes data processing. Paper documents with personal data requiring corresponding protection are shredded by us or disposed of via the sealed garbage cans of a professional document shredder. The quality level of the shredder used and the level of document destruction agreed with the service provider correspond to the risk or confidentiality classification of the documents to be destroyed.

Storage media (hard drives e.g. from servers, computers, smartphones, tablets, USB sticks, memory cards) on which personal data worthy of protection was previously stored, if they are no longer to be used to store this data, will be securely erased by our cooperation partner’s IT administration by multiple, at least triple, complete overwriting or handed over to a professional storage media destroyer. The level of erasure or destruction will be commensurate with the risk or confidentiality rating of the data previously stored on the media.

Data Categories: Any type of data

Data recipients (third-country transfer, if applicable): Service providers for the professional destruction of paper documents and storage media who are obligated to comply with data protection via order processing contracts. A third country transfer does not take place.

Purpose + legal basis: Risk-compliant destruction or deletion of personal data. Legal basisis the legal obligation to minimize and delete data from the DSGVO:

Storage duration: Storage beyond the deletion/destruction does not take place.

Questions about data protection

If you have any questions about our data protection standards, or if you wish to request information or deletion, please send them in writing to M1 Aesthetics GmbH using one of the following methods:

  • by mail directly to datenschutz@m1-select.de
  • by telephone at +49 (0) 30 3474492
  • by letter to M1 Aesthetics GmbH, Lilienthalstr. 3A, 12529 Schönefeld, Germany

Of course you can also call our customer hotline at 0800-1114321.

You can reach us during the following service hours:
Monday – Friday: 9:00 a.m. – 5:00 p.m.

More information