Privacy Policy

DGTAL GmbH (hereinafter “DGTAL” or “we”) would like to thank you for visiting our website. We take the protection of personal data very seriously when processing your personal data pursuant to the data protection legislation. The following statement provides you (hereinafter also “Client”, “Data subject”, “Applicant” or “User”) with an overview of how we provide this protection and what sort of data is collected for what purpose.

I. Name and address of the Controller

The Controller, within the meaning of the EU General Data Protection Regulation (hereinafter “GDPR”) and other data protection laws [the Federal Data Protection Act (Bundesdatenschutzgesetz) in Germany, hereinafter “BDSG”, and the Ordinance to the Federal Act on Data Protection (Verordnung zum Bundesgesetz über den Datenschutz) in Switzerland, hereinafter “VDSG”] of the Member States and other data protection regulations, is the company:

DGTAL GmbH

Hohe Bleichen 8

20345 Hamburg

info@dgtal.io

II. Contact details of the Data Protection Officer

Grant Thornton AG

Auditing company

Commercial lawyer Sebastian Barg

Johannstraße 39

D-40476 Düsseldorf

Telephone: +49 211 95248548

You may contact our Data Protection Officer by email at sebastian.barg@de.gt.com or by post to our company (see address under section I above) with the remark “Data Protection Officer”.

III. Terms and definitions

The terms and definitions are consistent with the GDPR, the BDSG, the VDSG and other data protection regulations. In particular, the terms of Article 4 and Article 9 of the GDPR apply.

IV. General principles and rights of the Data subject

1. Scope of the processing of personal data

We process your personal data only within the following scope if the processing is necessary for the provision of our web and online offerings, including the functionality of our website:

  • The user of our website, client, prospect, applicant, attendee of (online) events
  • Contact requests

2. Legal bases

If personal data is processed based on the data subject’s consent, the legal basis for the processing is point (a) of Article 6(1) of the GDPR.

During the processing of personal data for the performance of a contract to which the data subject is a party, the legal basis is point (b) of Article 6(1) of the GDPR; the same applies to processing which is necessary to take steps before entering into a contract.

If processing is necessary to comply with a legal obligation to which we are subject, the legal basis is point (c) of Article 6(1) of the GDPR.

If the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, the legal basis is point (d) of Article 6(1) of the GDPR.

If the processing occurs for the protection of the legitimate interests pursued by us or by a third party, where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis for such processing is point (f) of Article 6(1) of the GDPR.

All legal bases are equally and analogously valid for Germany and Switzerland according to local legal provisions, if applicable.

3. Potential recipients of personal data

To provide our web and online offerings, as well as to provide our services in general, we partially employ IT service providers, IT developers, external consultants, and cloud or archiving service providers, who may act on our behalf within the scope of the provision of services according to our instructions (so-called processors). Such service providers may receive and/or access personal data within the scope of the service provision and constitute third parties or recipients according to the GDPR.

In such a case, we are responsible for making sure that our service providers implement adequate safety measures to ensure the availability of appropriate technical and organizational measures and that the processing meets the requirements of the relevant data protection regulations and protects the rights of the data subjects (cf. Article 28 of the GDPR).

In addition, we process your personal data within several specialized departments of DGTAL which participate in the respective business processes; to the extent processing is permitted, we additionally process personal data for promotional purposes outside our business premises. We may also be required to submit the collected data to public authorities due to legal regulations (e.g. financial authorities, criminal investigation authorities, and social security authorities). We process personal data with cooperation partners, sponsors, and business conference participants to the extent permitted by law.

4. Processing of personal data in third countries

Your personal data is, in principle, processed within the European Union (hereinafter “EU”) or the European Economic Area (hereinafter “EEA”). Information can be transmitted to third countries only in exceptional cases (e.g. when service providers for web analysis services are required). Third countries are countries outside the EU and/or the EEA where an adequate data protection level following the European requirements cannot be assumed.

If the transferred information also includes personal data that is not transferred pseudonymized or anonymized, we ensure that there is an appropriate data protection level in the respective third country or that the respective recipient in the third country implements an appropriate data protection level. This may derive from the European Commission’s so-called “adequacy decision” or can be ensured using the so-called “EU standard contractual clauses”.

5. Data erasure and storage duration

The personal data of the data subjects is erased as soon as it is no longer necessary for the respective processing purposes or the legal basis for the data storage no longer exists. If applicable, data might be stored under the restriction of processing instead of being erased if the European or national legislator has provided this in EU regulations, laws or other provisions, in particular, e.g.,

  • to comply with legal retention obligations and/or
  • if there are legitimate interests in data storage.

The data erasure occurs the latest when the storage duration prescribed by the norms as mentioned above expires, unless we must keep this data longer and there is a legal basis for this storage.

6. Data categories

Personal data can be divided into the following categories according to the type of data concerned:

  • a) Operational master data: Master data is the data you provide to us concerning your company and/or yourself. In particular, this data includes your company, first name, last name, email address and telephone number.
  • b) Metafiles and log files: Metafiles and log files include, for example, IP addresses, session IDs, browser types, information about the operating system and the time of the enquiry.
  • c) Applicant data: Applicant data is data about yourself that you provide to us within the scope of the application process. In particular, this data includes your first name, last name, date of birth, marital status, professional qualifications, and certificates.

7. Rights of the data subject

The data subjects have certain rights according to the GDPR, the BDSG and the VDSG concerning processing of their personal data. If you want to exercise one or more of the following rights, do not hesitate to contact us anytime. In particular, as a data subject, you have the following rights:

  • a) Right of access: You have the right to request confirmation from the Controller whether personal data concerning you has been or is being processed.
  • b) Right of rectification: You have the right to request the Controller to rectify or complete inaccurate or incomplete personal data concerning you. The Controller must proceed with the correction without undue delay.
  • c) Right to erasure: You may request the Controller to erase the personal data concerning you without undue delay if there is no other legitimate interest or legal obligation to retain it.
  • d) Right to restriction of processing: Under certain conditions, you may request the restriction of processing of your personal data.
  • e) Right to data portability: You have the right to receive the personal data concerning you, which you have provided to a controller, the processing of which is based on consent or on a contract with you, in a structured, commonly used, and machine-readable format.
  • f) Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on those provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; the same applies to profiling to the extent that it is related to such direct marketing purposes. In case you object, your personal data will no longer be processed for such purposes.
  • g) Right to withdraw a consent: You can withdraw your declaration of consent under the data protection legislation at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. This also applies to the withdrawal of declarations of consent provided before the application of the GDPR, i.e. before 25 May 2018.
  • h) Right to lodge a complaint: In the event of suspected and committed infringements of the data protection regulations, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.

8. No obligation to provide personal data

The conclusion of contracts, the fulfilment of our online offerings or the possibility of submitting applications for open job positions do not require that you provide us with personal data beforehand. As a client, prospect, website visitor, applicant or other participant, there is no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide specific offerings to a limited extent or not at all if you do not provide us with the necessary data.

V. Data collection during informational use of our website

1. Data processing description and scope

Every time you visit our website, our systems automatically record data and information from the computer system of the device you use to access our website. The following log files are processed:

  • IP address (anonymized)
  • Date and time
  • Pages viewed
  • Referrer URL
  • Accessed host name

2. Purpose and legal basis of the data processing

The temporary storage of the IP address and other log files, if applicable, by the systems every time you visit our website is necessary to make our website available on your computer. This is necessary to address the communication traffic between the user and our web and/or online offerings or for the use of our web and/or online offerings. The legal basis for this data processing – i.e. during your website visit – is point (b) or (f) of Article 6(1) of the GDPR.

Any processing and storage of the IP address and log files beyond the communication process serves the purpose of ensuring the functionality of our web and online offerings, the optimization of such offerings, and the security of our information technology systems. The legal basis for storing the IP address for purposes beyond the communication process is point (f) of Article 6(1) of the GDPR.

The service provider or provider uses the log data only for statistical evaluations for operation, security and optimization of the offering. However, the provider reserves the right to check the log data retrospectively if there is justified suspicion of illegal use based on concrete indications.

3. Duration of storage

The data shall be stored as long as necessary to attain the processing purposes mentioned above. Concerning the data collection to make the website available, this occurs when the individual session, i.e. the website visit, ends. Any further storage of the log files mentioned above, including the anonymized IP address for system security and optimization of our web and online offerings, does not exceed 60 days from the user’s access to the website.

4. Possibility to object

The recording of the log files to make our website available, including storing log files within the above limits, is essential for the website’s operation and the individual capabilities available. Hence, the website user cannot object. This does not apply to the processing of log files for analysis purposes. Here, the possibility to object – depending on the respective web analysis tools and the type of data analytics (personal/anonymous/pseudonymous) used – is governed by point (f) of section IV(7) of this Privacy Statement.

VI. Email communication and contact form

1. Data processing description and scope

You may use the email addresses available on our website or our contact form to contact us. We shall process and store personal data to respond to your request if you use the above contact options. In this context, we process your first name, last name, and email address. We will not share this data without your consent.

2. Purpose and legal basis of the data processing

This data processing is based on point (b) of Article 6(1) of the GDPR and/or our legitimate interests according to point (f) of Article 6(1) of the GDPR. The legal basis for processing data transmitted during a request is point (a) of Article 6(1) of the GDPR.

3. Duration of storage

The data will be generally erased as soon as it is no longer required for the purpose of its collection.

Any data that is no longer required to fulfil contractual or legal obligations, including retention requirements according to commercial and tax legislation, as well as to pursue legitimate interests, i.e. to preserve evidence within the scope of the statutory limitation periods, is regularly erased.

VII. Contractual obligations for our services

1. Data processing description and scope

We process personal data within the scope of the provision of our services. Data processing purposes depend on the specific order and the contract documents.

2. Purpose and legal basis of the data processing

To fulfil our contractual obligations within the scope of our services, we process your personal data based on point (b) of Article 6(1) of the GDPR.

3. Duration of storage

The data shall be stored as long as necessary to attain the aforementioned processing purposes. Generally, we retain our contract documents for ten years after contract termination.

VIII. Layout, social media, and direct links

1. Layout – web fonts

We use the so-called “web fonts” by Adobe Inc. (https://fonts.adobe.com/typekit) to display fonts consistently. When you visit our website, your browser loads the required web fonts in your browser cache to correctly display the page contents (e.g. texts and fonts). For this purpose, your browser must connect with Adobe Inc. servers. As a result, Adobe Inc. acquires knowledge that your IP address has accessed our website. The use of web fonts ensures the uniform presentation of our online offerings. This represents a legitimate interest according to point (f) of Article 6(1) of the GDPR. If your browser does not support web fonts and/or you block web fonts on your browser, your computer will use a default font instead.

More information about Adobe Inc. web fonts is available at: https://wwwimages2.adobe.com/content/dam/cc/de/legal/servicetou/Adobe_Fonts_Additional_Terms_de_DE_20200416.pdf

2. Social media and direct links via “Shariff”

Our website has integrated buttons for several social networks. These buttons have several functions allowing you to share information with your contacts on the respective third-party portals. The social network operators determine the subject matter and scope of such information.

We implement a technology developed by c’t called “Shariff” for enhanced protection of your personal data for technical and graphical aspects of the social media platforms and direct links listed below. Shariff replaces the usual social network (Share) buttons protecting the user’s behaviour during surfing. Shariff integrates our website’s social network (Share) buttons as graphics, where each graphic contains a link to the corresponding social network. You will be redirected to the respective network’s service when you click on the related graphic. The Shariff button does not establish direct contact between the social network and our website visitors unless they actively click the Share button. Only then is your data transferred to the respective social network. If you do not click the Shariff button, there is no information exchange between you and any social networks. Shariff supports the following browsers: Firefox, Google Chrome, Internet Explorer/Edge, and Safari.

The processing of this data rests on points (a) and (f) of Article 6(1) of the GDPR to provide you with the option to interact with social networks and other users, improve our offering and make it more interesting for you as a user.

Please note that we are not social network providers and do not have any influence on the data of the respective providers’ process. In addition, we are unaware of the transmitted data content or its use by the individual providers. More information on how your data is used is available in the respective social media providers’ privacy policy:

LinkedIn: The social network capability for LinkedIn is integrated into our website. This capability is offered by LinkedIn Ireland Limited, 77 Sir John Rogerson’s Quay, Dublin 2, Ireland. Data is also transferred to LinkedIn. Please note that, as website providers, we are unaware of the transmitted data content or its use by LinkedIn. If you are logged in on LinkedIn, LinkedIn can associate your visit with your LinkedIn account. Information about the purpose and scope of the data collection and any further processing and use of your data by LinkedIn, as well as about your respective rights and setting options to protect your privacy, is available in the LinkedIn Privacy Policy. You may find more information in the LinkedIn Privacy Policy available on http://www.linkedin.com/static?key=privacy_policy.

IX. Third-party cookies and analysis tools

1. Cookies

We use so-called “cookies” on our website. Cookies are small text files that your Internet browser stores on your computer containing certain information relating to the service that stores the cookie on your computer. Cookies help us optimize our website and our offerings.

These are mostly so-called “session cookies” that are deleted as soon as you close your browser. However, some cookies provide information to recognize you automatically if you revisit the website. This recognition occurs due to the IP address stored in the cookies; however, they cannot identify a user directly.

We additionally use web analysis tools (“performance cookies”) to analyse the online platform. With such tools, we can use cookies to process usage data of the online platform, gaining insights concerning our online platform (e.g. number of visits, number of users). Specifically:

  • _ga: The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. This cookie’s duration is 2 years.
  • _gid: Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website’s performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. This cookie’s duration is 1 day.
  • _gat_gtag_UA_252049010_1: Set by Google to distinguish users. This cookie’s duration is 1 minute.

Advertising cookies or targeting cookies provide the website user with demand-oriented advertising on our website or third-party offerings and measure the effectiveness of these offerings. Sharing cookies improve our website’s interactivity with other services (e.g. social networks).

2. Purpose and legal basis of the data processing

Any use of cookies which is not essential for technical reasons constitutes data processing that is only permitted with your explicit and active consent according to point (a) of Article 6(1) of the GDPR. This applies in particular to advertising, targeting or sharing cookies. In addition, we shall only share your personal data processed by cookies with third parties after obtaining your explicit and active consent according to point (a) of Article 6(1) of the GDPR.

You can prevent the installation of cookies by adjusting the respective browser settings; in this case, however, you might not be able to take advantage of all capabilities of our website. Our website uses transient (e.g. “session cookies”), persistent and third-party cookies. The duration of storage is explained below.

3. Duration of storage

Transient cookies are automatically deleted as soon as you close the browser. These include session cookies, in particular. Such cookies store a so-called session ID, which can be used to associate several requests of your browser with a joint session.

This allows us to recognize your computer when you return to our website. Session cookies are deleted as soon as you log out or close the browser.

Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time by adjusting the security settings of your browser.

X. Data processing during the application process

1. Data processing description and scope

When submitting application documents via email or any other communication pathway, personal data and, if applicable, special categories of personal data are processed during an application process. Within the scope of the application process, we receive, among others, the following personal data from you:

  • First name and last name
  • Address
  • Email address
  • Telephone number
  • Curriculum vitae
  • Certificates and evidence of qualification
  • If applicable, data about physical limitations (severe disability, voluntary disclosure)

In addition, the data you transmit may include special categories of personal data according to Article 9 of the GDPR, which is subject to special protection.

2. Purpose and legal basis of the data processing

We process your personal data to decide about entering into an employment relationship with you. At the same time, this data serves as a basis for establishing an employment relationship. If the processing of your personal data exceeds the purpose of the application process, individual consent is required for legitimization. If you have given us your consent to process your personal data, the individual consent is the legal basis for the processing mentioned therein. This applies in particular to your consent to:

  • the processing of your personal data for a period exceeding six months after completion of the application process (in case of rejection).

You can revoke your consent at any time with effect for the future. We process your personal data pseudonymized or anonymized if feasible for the specific purpose.

3. Recipients of personal data

Your personal data will only be shared confidentially and only if there is a legal basis. Only the controller departments which require your data during the application process shall receive it. This applies, in particular, to combined central departments that provide us with services within the scope of order processing according to Article 28 of the GDPR.

4. Obligation to provide personal data

Within the scope of the application process, we must process specific personal data to check a candidate’s professional and personal suitability for a particular position and ensure the application process is fair toward other candidates. The application process is, in general, impossible to carry out without this data. This does not apply to the data we process within the scope of consent.

5. Right to object and individual decision-making

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on points (e) and (f) of Article 6(1) of the GDPR. If you object, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or those of the establishment, exercise or defence of legal claims.

6. Duration of storage

If necessary, we shall process your personal data only during the application process. As soon as the application process is complete, DGTAL will retain your personal data for six months based on legitimate interest. We shall also process your personal data beyond the specified period if you have provided your consent.

XI. Additional information

Your trust is important to us. Therefore, we remain at your disposal for any information or clarification regarding the processing of your personal data. If you have any questions that this Privacy Statement does not answer or if you require more detailed information on a particular point, please use the following email address to contact us at any time: xxx

We reserve the right to amend the Privacy Statement at irregular intervals within the scope of the data protection legislation development and to make any technological or organizational changes. We shall inform you about any material changes affecting the use of your personal data. This Privacy Statement is dated October 2022.