Data protection notice

We at PPI AG and our subsidiaries take the protection of your personal data seriously and would like to inform you about the collection, processing and use of your data in our company.

Insofar as we decide either alone or jointly with others on the purposes and means of the data processing, we will inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (see Art. 13 and 14 GDPR).

1. General information

This general section provides you with general information about your rights regarding the protection of your personal data as well as the contact information to us. This part is always relevant for you.

2. Visiting our websites

This part is relevant for you if you use our Internet offers.

3. Social media presences

This section provides you with information on the processing of your data on our social media presences.

4. Business customers and partners

This part is relevant for you if you want to work with us as a customer, service provider, supplier or similar partner, are already in an ongoing business relationship with us or have been in the past.

5. Participants of seminars / webinars / events

In this section we provide specific information on the processing of your data as a participant in seminars, webinars or other events.

6. Use of collaboration tools

This section contains information about the processing of your data when using certain collaboration tools.

7. Applicants

This part is relevant for you if you apply for employment as an employee with us.

 

1.   General information

Responsible entity
Responsible entity for the provision of the website on behalf of the PPI group is
PPI AG
Moorfuhrtweg 13
22301 Hamburg
Germany
+49 40 227 433 0
info@ppi.de 
www.ppi-group.eu

If you contact our subsidiaries, e.g. as a customer, interested party, supplier or applicant, the subsidiaries you contact are themselves responsible. This concerns the following subsidiaries: 

  • PPI AG, Moorfuhrtweg 13, 22301 Hamburg, Germany
  • PPI Financial Services GmbH, Wilhelm-Leuschner-Straße 79, 60329 Frankfurt am Main
  • crossnative GmbH, Moorfuhrtweg 13, 22301 Hamburg, Germany
  • cysmo Cyber Risk GmbH, Moorfuhrtweg 13, 22301 Hamburg, Germany
  • Paycy-one GmbH, Moorfuhrtweg 13, 22301 Hamburg, Germany
  • PPI Italia, Viale Famagosta 75, IT-20142 Milano, Italy
  • PPI France, 17 Route de la Reine, FR-92100 Boulogne-Billancourt, France
  • PPI Schweiz, Weberstr 9, CH-8004 Zürich, Switzerland

Data protection officer
If you have questions regarding the processing of your personal data on this website, you can contact our data protection officer directly. Our data protection officer is also available to you should you wish to request information, request that an action be taken or make a complaint:

PPI AG
Data protection officer
Moorfuhrtweg 13
22301 Hamburg
datenschutz@ppi.de/en 

If you have any questions about the processing of your data within individual subsidiaries, you can contact the respective subsidiary directly:

In the following, we explain essential terms of data protection, which will be used regularly in the further course. These all result from the General Data Protection Regulation (GDPR), which provides the regulatory framework for the protection of your data alongside the German Federal Data Protection Act (BDSG).

  • "Personal data" is any information relating to an identified or identifiable natural person ("data subject") (Art. 4 (1) GDPR).
  • "Data subject" of a data processing is the natural person whose personal data are processed.
  • "Processing" means any operation which is performed on personal data, whether or not by automated means. This includes, in particular, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (Art. 4 (2) GDPR). 
  • "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 (7) GDPR).
  • "Processors" process personal data on behalf of the controller. This may be a natural or legal person, authority, institution or other body. Here, the processors are always bound by the instructions of the controller and may not use the data for their own purposes. The basis for the processing is always a processing contract. Therefore, processors are not third parties in the sense of data protection law (Art. 4 (8) GDPR).
  • "Third party" means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other group-affiliated legal persons (Art. 4 (10) GDPR).

We only process your data if there is a permissible legal basis for doing so. The GDPR offers six possible legal bases for this:

  • Consent: if the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that they consent to the processing of personal data relating to them for one or more specific purposes (Art. 6 para. 1 sent. 1 lit. (a) GDPR)
  • Contract performance: if the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 para. 1 sent. 1 lit. (b) GDPR)
  • Legal obligation: if the processing is necessary for compliance with a legal obligation to which the controller is subject, e.g. a legal obligation to keep records (Art. 6 para. 1 sent. 1 lit. (c) GDPR)
  • Protection of vital interests: if the processing is necessary to protect the vital interests of the data subject or another natural person (Art. 6 para. 1 sent. 1 lit. (d) GDPR)
  • Carrying out a task in the public interest: if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 para. 1 sent. 1 lit. (e) GDPR)
  • Legitimate interests: if the processing is necessary for the purposes of the legitimate (especially legal or commercial) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child). Before using this legal basis, a balancing of interests is always carried out (Art. 6 para. 1 sent. 1 lit. (f) GDPR). 

For the processing operations carried out by us, we indicate below the applicable legal basis in each case. Processing may also be based on several legal bases.

If you contact us (e.g. by contact form, e-mail, telephone or via social media), the information of the inquiring persons is processed. As a matter of course, we will use the personal data transmitted to us in this way exclusively for the purpose you provide it for when contacting us.

The answering of contact requests in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to answer (pre-)contractual requests (Art. 6 para. 1 sent. 1 lit. (b) GDPR) and otherwise on the basis of legitimate interest in answering the requests (Art. 6 para. 1 sent. 1 lit. (f) GDPR).

For the processing operations we carry out, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. Your data will only be stored on servers in Europe, subject to any transfer in accordance with the regulations of the individual tools. However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings or if storage is stipulated by legal regulations to which we are subject as the responsible party. If the storage period prescribed by legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for it.

We protect your data using technological and organisational security measures to prevent accidental or wilful manipulation, loss, destruction or access by unauthorised persons. Our security measures, such as data encryption, are regularly enhanced in accordance with the newest technological developments.

We use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). They will only act on our instructions and have been contractually obliged to comply with the data protection provisions in accordance with Art. 28 GDPR.

If personal data from you is disclosed by us to our subsidiaries or is disclosed to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. (f) GDPR, on the basis of existing data processing relationships or on the basis of a joint controller agreement.

1.8.1   Right to access information

According to Article 15 GDPR, you always have the right to receive information about the origin, recipient, purpose and duration of data processing of the data retained by us in respect of you. You can submit a request by mail or e-mail to the addresses provided above.

1.8.2   Right to request the rectification of inaccurate data

You have the right to demand the rectification of your personal data without undue delay if it is inaccurate (Article 16 GDPR). In this regard, please contact your contact persons at our company or use the contact addresses indicated above.

1.8.3   Right to erasure

You have a right to the erasure (“right to be forgotten”) of your personal data without undue delay if one of the legal grounds in terms of Article 17 GDPR applies. Such grounds are, for example, if the personal data are no longer necessary for the purposes for which it was originally processed, if you have withdrawn your consent and there is no other legal basis for the processing, if you object to the processing and there are no overriding reasons for processing. In order to assert your right to erasure, please contact us via the contact addresses provided above.

1.8.4   Right to data portability

You have the right to data portability in terms of Article 20 of the GDPR. You have the right to receive the data concerning you, which you provided us with, in a conventional, structured and machine-readable format and to have these data transferred to another controller, such as another service provider. This is subject to the conditions that the processing is based on consent or on a contract and can be carried out using automated procedures. In order to assert your above-mentioned right, please contact us via the contact addresses provided above.

1.8.5   Right to the restriction of processing

You have the right to restrict processing if one of the conditions applies in accordance with the provisions of Article 18 GDPR. Thereafter, the restriction of processing may be required, in particular, if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of the use of the personal data instead or if the data subject objects to the processing pursuant to Article 21 para. 1 GDPR pending verification of whether our legitimate grounds override your rights. In order to assert your above-mentioned right, please contact us via the contact addresses provided above.

1.8.6   Right to object

You have the right to object, at any time, in terms of Article 21 GDPR on grounds relating to your particular situation to the processing of your personal data which is based i. a. on Art. 6 para. 1 lit. (e) or (f) GDPR. In which event, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the purpose of asserting, pursuing or defending a legal claim. In order to assert your above-mentioned right, please contact us via the contact addresses provided above.

1.8.7   Right to lodge a complaint

You have the right to lodge a complaint in terms of Article 77 GDPR with the competent supervisory authority if you are of the opinion that the processing of your personal data is unlawful:
Free and Hanseatic City of Hamburg
The Hamburg Commissioner for Data Protection and Freedom of Information

2.   Visiting our websites

Personal data is processed in the course of providing the website. Below we provide you with an overview of which personal data we collect for which purposes during your visit to our website and how these data are used. This information applies to the following websites:

  • ppi.de
  • karriere.ppi.de
  • banking-experts.ppi.de
  • insurance-experts.ppi.de
  • ppi-schweiz.ch
  • ppi-group.eu
  • cysmo.de

When you visit our websites, our web servers automatically save the following data:

  • Information about the browser type and version used
  • The operating system of the user
  • The IP address of the user
  • Date and time of when the site was accessed
  • External websites from which the system of the user accesses our website
  • External websites accessed by the system of the user from our website

The data are saved to ensure the functionality of the website. The data are also used to optimise the website and to safeguard the security of our IT systems. We also process these data to detect and track misuse. In this regard, the legal basis is Art. 6 para. 1 lit. (f) GDPR. Our legitimate interest in processing the data is to ensure that our website functions properly and to safeguard the transactions processed by means thereof.

Your personal data will however be processed if you provide it to us, for example, in the context of a request or placing an order for information material or registering for a newsletter. The legal basis in this respect is Art. 6 para. 1 lit. (b) GDPR or Art. 6 para. 1 lit. (a) GDPR.

The data are stored in the log files of our servers for 30 days and then deleted automatically. In this regard, the data are not evaluated for marketing purposes.

2.2.1   Cookies

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard disk by means of a specific string of characters, and through which the body that sets the cookie receives certain information. Cookies cannot run programs or transmit viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer as a whole more user-friendly and effective, i.e. more pleasant for you. Cookies may contain data that makes it possible to recognise the device used. In some cases, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user. A distinction is made between session cookies, which are deleted again as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:

  • Technical cookies: These are mandatory in order to navigate the website, use basic functions and ensure the security of the website. They do not collect information about you for marketing purposes, nor do they store which websites you have visited.
  • Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur during the website use. They do not collect any information that could identify you – all information collected is anonymous and is only used to improve our website and find out what interests our users.
  • Advertising cookies, targeting cookies: these cookies are used to offer the website user tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers. The storage period of the advertising cookies is determined by the providers. We have no influence on this. 
  • Sharing cookies: these cookies are used to improve the interactivity of our website with other services (e.g. social networks). The storage period of the sharing cookies is determined by the providers. We have no influence on this.

Any use of cookies that are not absolutely technically necessary constitutes data processing that is only permitted with your express and active consent pursuant to Art. 6 para. 1 sent. 1 lit. (a) GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data processed by cookies to third parties if you have given your express consent to do so in accordance with Art. 6 para. 1 sent. 1 lit. (a) GDPR.

2.2.2   Consent Manager

We use the Consent Manager tool from consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg, Germany, to inform website users about the cookies used and to obtain consent for the setting of cookies that are not absolutely necessary. Consent Manager offers you the possibility to give or refuse your consent for all or individual cookies. You can also change the settings you have made afterwards. The purpose of the integration is to allow the users of our website to decide on the use of non-functional cookies and to offer the possibility of changing settings already made in the course of the further use of our website.

When you visit our website, a connection is established to Consent Manager's servers in order to obtain your consents and other declarations regarding the use of cookies. Consent Manager then stores a cookie in your browser in order to be able to allocate the consents granted or their revocation to you. The data collected in this way will be stored until you request us to delete it, delete the Consent Manager cookie yourself or at the latest one year after the last processing. 

The following categories of data are processed on a regular basis: IP address, time and duration of the visit, device data such as operating system, browser version, screen resolution, web pages visited and consent information.

The legal basis for the processing of your data is our legitimate interest (Art. 6 para. 1 sent. 1 lit. (f) GDPR) to use non-functional cookies on our website as well as the fulfilment of the legal requirements from the GDPR as well as the TTDSG to set cookies that are not absolutely necessary only after your explicit consent.

The Consent Manager is used within the scope of the commissioned processing pursuant to Art. 28 GDPR, so that consentmanager GmbH may only use your data on our behalf bound by instructions.

2.2.3   Google Tag Manager

We use the Google Tag Manager on our website. Google Tag Manager is a service provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a solution that allows website operators to manage website tags via an interface. The tool itself (which implements the tags) is a cookieless domain and does not store any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access these data. If a deactivation has been made at domain or cookie level, it remains in place for all tracking tags implemented with Google Tag Manager.

In order for us to monitor the stability, performance and installation quality of the system and to obtain data for diagnosis, certain aggregated tag triggering data are collected using Google Tag Manager. These data do not contain IP addresses or measurement IDs that are linked to a specific person. Unlike data in standard HTTP request logs, which are all deleted within 14 days of receipt, and the diagnostic data described above, Google Tag Manager does not collect, store or share information about visitors to our customers' properties. This also applies to the URLs of visited pages.

The use of the Google Tag Manager is based on Art. 6 para. 1 lit. (f) GDPR. As the website operator, we have a legitimate interest in the quick and uncomplicated integration and administration of various tools on our website.

If a deactivation has been made at domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager. These processing operations are only carried out when explicit consent is given in accordance with Art. 6 para. 1 lit. (a) GDPR.

In addition, you can find more detailed information about the Google Tag Manager on the website https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

The associated privacy policy of the Google Tag Manager can be found at: https://policies.google.com/privacy?hl=en.

2.2.4   Tracking with Google Analytics

Insofar as you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Google Analytics uses cookies that enable an analysis of your use of our websites. During your visit to the website your user behaviour is recorded in the form of "events". Events can be: page views, first visit to the website, start of the session, your "click path", interaction with the website, scrolls (whenever a user scrolls to the bottom of the page [90%]), clicks on external links, internal searches, interaction with videos, file downloads, ads seen / clicked on and language settings.

In addition, the following is recorded: Your approximate location (region), your IP address (in abbreviated form), technical information about your browser and the end devices you use (e.g. language setting, screen resolution), your Internet provider and the referrer URL (via which website/advertising medium you came to our website).

On behalf of the PPI AG, Google will use this information for the purpose of evaluating the use of the website and compiling reports on the website activity. The reports provided by Google Analytics are used to analyse the performance of our website.

We also use the extension Google Signals. This allows Google Analytics to capture additional information about users who have activated personalised ads (interests and demographics) and ads can be delivered to these users in cross-device remarketing campaigns. If you do not wish to use Google Signals, please deactivate the "ad personalisation" option in your Google account settings.

The use of Google Analytics requires your consent, which you can give via our cookie consent manager when you access our site. According to Art. 6 para. 1 lit. (a) GDPR (consent), this consent constitutes the legal basis for the processing of personal data, as may occur during the collection by web analytics tools. In addition to consent, we have a legitimate interest in analysing the behaviour of website visitors in order to improve our services technically and economically. With the help of Google Analytics we can detect website errors, identify attacks and improve economic efficiency. This is based on the provisions of Art. 6 para. 1 lit. (f) GDPR (legitimate interests). Nevertheless, we only use Google Analytics if you have given your consent.

Users can refuse cookies by making the appropriate adjustments to the settings of their browser. In addition, users can also prevent the transmission of the data generated by the cookie to Google and their use of the online content as well as the processing of such data by Google by downloading and installing the browser plug-in that is available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

We have concluded a processing contract with Google within the meaning of Article 28 of the General Data Protection Regulation (GDPR). It clarifies that Google may only process data received from us bound by our instructions and that Google must comply with the GDPR. You can find the link to the data processing conditions at https://business.safety.google/intl/en/adsprocessorterms/.

The information collected by means of cookies about your use of our websites is transferred to a Google server in the USA and stored there, e.g. by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA as well as Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

In order to anonymise your IP address already in Germany without the aid of Google services, we use our own proxy server operated by us in a German data centre, which anonymises the IP address of the users of our website before it is passed on to Google Analytics. In addition, Google Analytics activates the anonymisation of IP addresses by default.

Insofar as data are processed outside the EU/EEA and there is no level of data protection that corresponds to the European standard, we have concluded standard EU contractual clauses with the service provider in order to establish an appropriate level of data protection. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found at: https://privacy.google.com/businesses/controllerterms/mccs/.

The parent company of Google Ireland, Google LLC, is based in California, USA. A transmission of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to legal remedies against access by authorities.

For more information on the use of data by Google, the setting options and opportunities to raise objections, please read Google's Privacy Policy (https://policies.google.com/technologies/ads?hl=en) as well as the settings for the insertion of ads by Google (https://adssettings.google.com/authenticated).

The personal data of users will be deleted or anonymised after 14 months.

2.2.5   Google Ads & Google Ads remarketing

Our website uses Google Ads conversion tracking and the remarketing service of Google LLC. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). If you have accessed our website via an ad placed by Google, Google Ads will set a cookie on your computer.

If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognise that the user has clicked on the ad and been redirected to this page. Each Google Ads customer receives a different cookie. Cookies can therefore not be tracked via the websites of Google Ads customers. The information collected using the conversion cookie is used to create conversion statistics for us as Google Ads customers. We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google regarding the number of users who clicked on our ad and were redirected to a page tagged with a conversion tracking tag. We do not receive any information that personally identifies users.

In addition, we also use Google Ads remarketing. The function is used to present interest-based advertisements to website visitors within the Google advertising network. A cookie is stored in the browser of the website visitor, which makes it possible to recognise the visitor when they visit websites that belong to Google's advertising network. On these pages, the visitor may be presented with advertisements that relate to content that the visitor has previously accessed on other websites that use Google's remarketing function.

According to its own information, Google does not collect any personal data during this process. If you still do not wish to use the Google remarketing function, you can deactivate it by making the appropriate settings at https://support.google.com/adspolicy/answer/143465?hl=en&sjid=2589359139727938611-EU. Alternatively, you can disable the use of cookies for interest-based advertising via the advertising network initiative by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp.

The legal basis for the integration of Google Ads and Google Ads remarketing and the associated data transfer to Google is your consent (Art. 6 para. 1 lit. (a) GDPR).

We have concluded a processing contract with Google. You can find more details at https://business.safety.google/intl/en/adscontrollerterms/. You can find out more about the conditions and type of data processing at https://business.safety.google/intl/en/adsservices/

The information collected by means of cookies about your use of our websites is transferred to a Google server in the USA and stored there, e.g. by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA as well as Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. To ensure an appropriate level of data protection, we have concluded standard EU contractual clauses with the service provider. Details can be found at: https://privacy.google.com/businesses/controllerterms/mccs/.

If you do not wish to participate in the tracking, you can refuse the setting of a cookie required for this – for example, via the cookie banner, via a browser setting that generally deactivates the automatic setting of cookies or by setting your browser so that cookies from the domain googleleadservices.com are blocked. Please note that you must not delete the opt-out cookies as long as you do not want any measurement data to be recorded. If you have deleted all your cookies in the browser, you must set the respective opt-out cookie again.

The provision of your personal data is voluntary and based solely on your consent.

2.2.6   Tracking with SalesViewer

"On this website, data are collected and stored for marketing, market research and optimization purposes using the SalesViewer® technology of SalesViewer® GmbH on the basis of legitimate interests of the website operator (Art. 6 para. 1 lit. (f) GDPR).

For this purpose, a JavaScript-based code is used for the collection and corresponding use of company-related data. The data collected with this technology are encrypted via a non-reversible one-way function (so-called hashing). The data are immediately pseudonymised and not used to personally identify the visitor to this website.

The data stored within the scope of SalesViewer® are deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations.

You can object to the collection and storage of data at any time with effect for the future by clicking on the link https://www.salesviewer.com/en/opt-out/ to prevent the collection by SalesViewer® on this website for the future. This places an opt-out cookie for this website on your device. If you delete your cookies in this browser, you must click this link again.

You can view the data protection information of SalesViewer® at the link https://www.salesviewer.com/en/platform/data-protection/.

2.2.7   Friendly Captcha

To optimise the security of our forms, we use the Friendly Captcha service (www.friendlycaptcha.com) of Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. The function of the tool is to distinguish whether the data entered in the contact form was entered by a natural person or whether there has been misuse by a machine and automated processing. By using Friendly Captcha, we can block automated software. For this purpose, Friendly Captcha processes the following information: Anonymised IP address of the requesting computer (in hashed form), information about the browser and operating system used, anonymised counter per IP address to control the cryptographic tasks, website from which the access took place (so-called referrer URL) and, if applicable, possible entries that the service prompts you to make. The service does not set or read any cookies on your end device.

If personal data are stored, these data are deleted within 30 days. The legal basis for the processing is our legitimate interest in protecting our website against abusive access by bots, spam protection and protection against attacks (e.g. mass requests) (Art. 6 para. 1 lit. (f) GDPR). More information on data protection when using Friendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.

3.   Social media presences

We maintain publicly accessible profiles on various social networks. Your visit to these profiles initiates a variety of data processing operations. Below we provide you with an overview of which of your personal data are collected, used and stored by us when you visit our profiles.

If you visit one of our social media channels, we alone or in each case jointly with the operator of the social media platform are responsible for the data processing operations triggered during this visit. Joint responsibility means that there are common purposes for the processing and data subjects can enforce their rights under Art. 12-22 GDPR including Art. 77 GDPR with both controllers.

This means that you can generally assert your rights (information, correction, erasure, restriction of processing, data portability and complaint) both against us and the operator of the respective social media portal. You will find a more comprehensive description of your rights at point 1.8.

Visiting our social media channels triggers numerous processing operations relevant to data protection, which we would like to explain to you in more detail:

If you are logged into your social media account and visit our social media channel, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising may be displayed on all devices on which you are or were logged in.

Please also note that we are not able to track all processing processes on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes.

We maintain an online presence on YouTube to present our company and our services and to communicate with customers/interested parties. YouTube is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA.

YouTube records your usage behaviour during use by setting cookies and similar technologies. The information generated with cookies about your use of this website is transferred to a Google server in the USA and stored there. This can lead to increased risks for users in that, for example, later access to user data can be made more difficult. We also do not have access to these user data. The access option lies exclusively with YouTube.

PPI has no influence on the type and scope of the data processed by YouTube, the way in which it is processed and used or the transfer of these data to third parties. PPI also has no effective means of control. Accordingly, we would like to point out that you use YouTube on your own responsibility. This applies in particular to the use of interactive functions (e.g. rating, commenting).

Information on which data are processed by YouTube and for what purposes the data are used can be found in YouTube's privacy policy at https://policies.google.com/privacy?hl=en.

We as PPI AG are responsible for the content of the YouTube channel and the content published via this communication channel. Insofar as a user communicates directly with us via private messages or the comment function, we are responsible for processing your data. Furthermore, if you have an account with the respective platform, it is possible for us to view your public information on your user profile. Please note that using the interactive functions of YouTube is only possible after registration. Data relating to this is also processed by Google but does not fall within our area of responsibility.

The described data processing is carried out on the basis of our legitimate interests according to Art. 6 para. 1 lit. (f) GDPR. You can object to this data processing on the part of Google at any time by no longer subscribing to our YouTube channel (by selecting the function "No longer subscribe to this page" you will disconnect your user profile from our channel).

We as PPI AG would like to explain to you in the following which personal data we process from you as the operator of our LinkedIn presence.

The presentation of the company and interaction with our users are the purpose of the data processing with LinkedIn. The purpose of our LinkedIn presence is therefore to provide information about our company, our products and services, combined with the possibility for users to interact with us in a targeted manner. Legal basis for the data processing is Art. 6 para. 1 lit. (f) GDPR.

If we publish images of individuals, this is done via consent (legal basis: Art. 6 para. 1 lit. (a) GDPR) on the basis of a contractual agreement (legal basis: Art. 6 para. 1 lit. (b) GDPR) and in exceptional cases on the basis of legitimate interests (legal basis: Art. 6 para. 1 lit. (f) GDPR in conjunction with § 23 para. 1 no. 3 Kunsturhebergesetz (German Law on the Protection of Copyright in Works of Art and Photographs)).

For some processing operations we are not solely responsible but jointly responsible with one or more other controllers. For the processing of personal data with Page Insights on LinkedIn we determine the purposes and means jointly with

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2 (Ireland), https://www.linkedin.com/legal/impressum.

You can find a contact option for LinkedIn's data protection officer at the link https://www.linkedin.com/help/linkedin/ask/TSO-DPO.

The terms of use of LinkedIn as well as the other conditions and guidelines listed at the end of them https://www.linkedin.com/legal/user-agreement are authoritative.

Furthermore, there is a data processing agreement between us and LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. You can view the Joint Controller Addendum at https://www.linkedin.com/legal/l/dpa.

LinkedIn transfers personal data to the USA on the basis of the standard contractual clauses https://www.linkedin.com/help/linkedin/answer/a1343190/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=en.

The data protection policy of LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy.

Use of Insight data

With the help of the LinkedIn Insight Tag we receive information about the visitors to our website. If a website visitor is registered with LinkedIn, we can i.a. analyse the key professional data (e.g. career level, company size, country, location, industry and job title) of our website visitors and thus better tailor our site to the respective target groups. Furthermore, we can use LinkedIn Insight Tags to measure whether visitors to our websites make a purchase or take any other action (conversion measurement). Conversion measurement can also be carried out across devices (e.g. from PC to tablet). LinkedIn Insight Tag also offers a retargeting function that allows us to display targeted advertisements outside the website to visitors of our website, whereby, according to LinkedIn, no identification of the advertising addressee takes place.

LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised). The direct IDs of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymised data are then deleted within 180 days.

The data collected by LinkedIn cannot be assigned to specific individuals by us as the website operator. LinkedIn will store the collected personal data of website visitors on its servers in the USA and use it in the context of its own advertising measures. For details, see LinkedIn's privacy policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig.

Insofar as consent has been obtained, the above-mentioned service is used exclusively on the basis of Art. 6 para. 1 lit. (a) GDPR and § 25 TTDSG. The consent can be revoked at any time. Insofar as consent has not been obtained, the use of this service is based on Art. 6 para. 1 lit. (f) GDPR; the website operator has a legitimate interest in effective advertising measures including social media.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found at www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

If your rights need to be asserted against LinkedIn, we will forward your request to LinkedIn. Further information regarding the exercise of your data subject rights vis-à-vis LinkedIn can be found in LinkedIn's privacy policy in section 4.2 https://www.linkedin.com/legal/privacy-policy.

Further information on how you can assert or implement your data protection rights directly against LinkedIn (e.g. account settings, downloads or requests) can be found at: https://www.linkedin.com/help/linkedin/answer/50191.

Objection to the use of LinkedIn Insight Tag:

Object to the analysis of usage behaviour and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

To advertise our products and services and to communicate with interested parties, customers or applicants, we operate a company presence on the platforms Facebook & Instagram.

On these social media platforms we are jointly responsible with Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

The Facebook & Instagram data protection officer can be reached via a contact form at https://www.facebook.com/help/contact/540977946302970.

Furthermore, there is a data processing agreement between us and Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland. The joint controller agreement can be found at https://www.facebook.com/legal/terms/page_controller_addendum.

The legal basis for the processing of personal data that takes place as a result and is described below is Art. 6 para. 1 lit. (f) GDPR. Our legitimate interest is in the analysis, communication, sales and promotion of our products and services. The legal basis may also be the user's consent pursuant to Art. 6 para. 1 lit. (a) GDPR vis-à-vis the platform operator. Pursuant to Art. 7 para. 3 GDPR the user may revoke the consent to this for the future at any time by notifying the platform operator. If our online presence is called up on the Facebook platform, the user's data (e.g. personal information, IP address, etc.) is processed by Facebook Ireland Ltd. as the operator of the platform in the EU.

These user data are used for statistical information about the use of our company presence on Facebook. Facebook Ireland Ltd. uses these data for market research and advertising purposes and to create profiles of users. On the basis of these profiles, it is possible for Facebook Ireland Ltd., for example, to advertise users within and outside Facebook according to their interests. If the user is logged into his or her account on Facebook at the time of calling up the website, Facebook Ireland Ltd. can also link the data to the respective user account.

In the event of the user contacting us via Facebook or Instagram, the user's personal data entered on this occasion will be used to process the enquiry. The user's data will be deleted by us as soon as the user's enquiry has been conclusively answered and there are no legal data retention obligations to the contrary, e.g. for the subsequent processing of a contract. Facebook Ireland Ltd. may also set cookies to process the data. If the user does not agree to this processing, it is possible to prevent the installation of cookies by setting the browser accordingly. Cookies that have already been stored can also be deleted at any time.

For more details on the processing activities, how to stop them and how to erase the data processed by Facebook/Instagram, please refer to the Facebook/Instagram data policy:

Facebook: https://www.facebook.com/privacy/explanation

Instagram: https://help.instagram.com/155833707900388

It is not excluded that the processing by Facebook Ireland Ltd. also takes place via Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA.

Glassdoor is a platform of Glassdoor Inc., 300 Mission Street, 16th Floor, San Francisco, CA 94105, USA. It combines current job ads with millions of employer reviews, salary information and testimonials from companies to make it easier for job seekers to find a job that specifically suits them. All this content is shared by those who know a company best – its employees. Job seekers on Glassdoor are therefore fully informed about the jobs and companies they apply to. Glassdoor serves as an evaluation platform for PPI AG. This means that employees / external candidates can anonymously leave comments about the company on this platform. You can evaluate both the company itself and the application process.

If we receive an anonymous comment from you via our Glassdoor page, we generally do not process any personal data unless you have provided your personal data in a comment/review yourself. In this case, we may use this information to respond to your comment personally.

Beyond the processing of personal data described above, PPI AG has no control over the processing of personal data in connection with your use of the PPI AG Glassdoor account. We would like to point out that you use our Glassdoor account and its functions under your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, liking). As a US company, Glassdoor also transfers personal data to the US. You agree to this transfer if you enter your data on the website. The data protection policy of Glassdoor can be found at https://hrtechprivacy.com/brands/glassdoor#privacypolicy.

We maintain an online presence on XING to present our company and our services and to communicate with applicants/interested parties.

Some of the XING applications may appear under other brand names or using other XING websites, such as Kununu.

XING is an Internet-based social network that allows users to connect with existing business contacts and make new business contacts. Individual users can create a personal profile of themselves on XING. We as a company can, for example, create a company profile or publish job offers. The operating company of the platform is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.

When you visit our company profile, XING collects i.a. your IP address and other information that is present in the form of cookies on your end device. XING uses this information primarily to provide and maintain the security of the service. Furthermore, these data are used by XING to evaluate user behaviour and to measure and optimise advertising. XING & Kununu provide more detailed information on this at https://privacy.xing.com/en/privacy-policy/information-we-automatically-receive-through-your-use-of-xing.

The data collected about you in this context will be processed by New Work SE and may be transferred outside the European Union. XING describes in general terms in its privacy policy what information XING receives and how it is used. There you will also find information on how to contact XING. The privacy policy is available at the following link: https://privacy.xing.com/en/privacy-policy.

4.   Business customers and partners

If you or your organisation have a business relationship with us (in particular customers, prospective customers, partners, service providers and suppliers), we retain the relevant data about you. We would like to inform you about this in the following.

As a matter of principle, we only process data that we receive from you directly or from your employer. In exceptional cases we receive data about you from third parties. This is the case, for example, if a contractual service is provided to you together with a business partner and you have transmitted your data to them.

The data processed by us especially includes the contact data, such as your name, company, position, address, telephone number, e-mail address, as well as information about the respective business relationship, such as the contractual relationship and its processing (current and completed orders, invoices, payments).

Your data are processed for different purposes and the data processing is based on various legal grounds. Insofar as the processing of your personal data is necessary for the initiation or implementation of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful pursuant to Art. 6 para. 1 lit. (b) GDPR. The processing includes in particular the communication for the planning, implementation, administration and billing of the contractually defined services. If necessary and required by law, we process your data beyond the actual contractual purposes for the fulfilment of legal obligations pursuant to Art. 6 para. 1 lit. (c) GDPR, e.g. for the fulfilment of retention obligations pursuant to the Commercial Code and the Fiscal Code of Germany.

If you give us your express consent to process personal data for specific purposes (e.g. transfer to third parties, evaluation for marketing purposes or advertising), this processing is lawful on the basis of your consent pursuant to Art. 6 para. 1 lit. (a) GDPR. Consent that was given can be revoked any time with effect for the future.

In addition, processing may be carried out to protect our legitimate company interests, the interests of our customers and, if applicable, the interests of third parties in accordance with Art. 6 para. 1 lit. (f) GDPR. This concerns, for example, the following cases: Communication with business partners, customers, suppliers, direct advertising for similar products within the scope of our business relationships, ensuring IT security and IT operations, for conducting customer satisfaction surveys, for fulfilling accountability and/or verification obligations towards our business partners / customers or supervisory authorities as well as for the prevention and clarification of criminal offences / regulatory offences. If necessary, we will inform you separately, stating the legitimate interest, insofar as this is required by law.

Your data will only be stored in our systems for as long as this is permissible under applicable law, in particular as long as this is necessary for the performance of the contract in connection with the applicable retention obligations. Furthermore, we will delete your data if you request this or revoke your consent to the processing. In these cases, we will check whether the data can be deleted or only a restriction of processing can be made due to legal requirements.

We only disclose your personal data within our company to those areas and persons who need these data to fulfil contractual and legal obligations or to implement our legitimate interests.

The use of service providers as well as contractual and legal obligations require the disclosure of your data to the following categories of public or internal bodies as well as external service providers:

  • Business partners/service providers to whom the disclosure of data is necessary for the fulfilment of tasks such as our ordering parties/customers, payment service providers/banking institutions, postal/parcel services, external consultants, IT service providers, other processors, etc.
  • Statutory auditor, tax consultant, lawyer
  • Authorities in the course of fulfilling legal obligations to provide information or evidence (e.g. tax authorities, police and public prosecutors, supervisory authorities)
  • Other third parties, provided you have given us permission to transfer data, e.g. partner companies
  • Subsidiaries of PPI AG

When using external service providers, we ensure that necessary contractual agreements are concluded, that the processing is carried out in accordance with the applicable data protection regulations and that the protection of the rights of the data subject is guaranteed. Under no circumstances will the collected data be sold. Our employees are obliged to maintain and safeguard the confidentiality of the personal data provided to us.

As a matter of principle, there is no regular transfer of personal data to a third country (states outside the European Union [EU] or the European Economic Area [EEA]) or an international organisation. However, we may use service providers who process data outside the EU / EEA. In these cases, we will ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, through standard EU contracts or binding corporate rules or special agreements to the rules of which the company may be subject. Furthermore, there may be cases in which a transfer is necessary for the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, the transfer is required by law or you have given us your consent.

5.   Participants of seminars / webinars / events

As part of our activities, we also offer to conduct seminars, webinars and other events (hereinafter referred to collectively as events), both for a fee and free of charge.

In the course of booking an event, we collect data for the realisation of the event. This is contact information such as name, company, position, address, telephone number, e-mail address and, in the case of paid events, invoice information.

As a rule, we receive the collected data directly from the participating persons. However, it is possible that you or your employer may instruct someone else to transfer the data to us.

We use Microsoft Teams for the realisation of online events. Microsoft Teams is a service of the Microsoft Corporation. (see 6.4)

The collection of participants' contact information is necessary for the realisation of the event. The legal basis for this is, in the case of free events, our legitimate interest in hosting the event (Art. 6 para. 1 sent. 1 lit. (f) GDPR) and, in the case of webinars subject to charge, additionally, the contractual obligation pursuant to Art. 6 para. 1 sent. 1 lit. (b) GDPR.

Online events are sometimes recorded by us for quality purposes. You will be informed about this prior to the event. Statistical data are collected during and after the webinar. This gives us information about the length of your participation, the questions asked and the answers given.

After an event we may send you important information from the event as well as further information on our services. The legal basis for this is our legitimate interest (Art. 6 para. 1 sent. 1 lit. (f) GDPR) in further developing the customer relationship with you.

We store your personal data as long as it is necessary for the fulfilment of our legal and contractual obligations, e.g.:

  • Invoices: fulfilment of e.g. retention obligations under commercial and tax law. These include i.a. retention periods pursuant to the German Commercial Code (Handelsgesetzbuch) or the German Fiscal Code (Abgabenordnung). The retention periods are up to 10 years.
  • The attendance lists of paid webinars are subject to the 3-year retention period pursuant to the German Civil Code (BGB). There are no legal retention periods for the attendance lists of free webinars. These participant lists are deleted as soon as they are no longer required.

For the realisation of online events it is mandatory that your data are disclosed to the online service used. This is either an independently responsible telecommunications service provider or a processor contractually obligated by us. In the course of the use, the following data are often disclosed: meta data of the meeting (title, time, participant IP addresses, browser data, location data, etc.).

If materials are sent to you for participation in the event, shipping or postal service providers are used for the postal delivery.

If you participate in an event for which a fee is charged, your data are also disclosed to other public or internal bodies as described in the section "Business customers and partners". This also applies to the disclosure of data to certification service providers when participating in corresponding events.

We make a point of processing your data within the EU / EEA. However, we may use service providers who process data outside the EU / EEA. In these cases, we will ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, through standard EU contracts or binding corporate rules or special agreements to the rules of which the company may be subject.

6.   Use of collaboration tools

To make an online appointment, we use the Microsoft Bookings service as part of Microsoft Office 365 provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter "Microsoft"). The software allows you to book an appointment with one of our employees, for example, for consulting on our services and products.

The connection to the service is only established if you access the online booking function via a link or button on our website, in an e-mail or in the newsletter. To make an appointment, your entries in the form will be sent to Microsoft. For more information on the handling of your data, see Microsoft's privacy statement at: https://privacy.microsoft.com/en-gb/privacystatement.

The legal basis for the processing of your data in relation to the Microsoft Bookings service is Art. 6 para. 1 sent. 1 lit. (f) GDPR (legitimate interest in data processing). The legitimate interest arises from our claim to offer you a user-friendly website with a wide range of functions and to give you the opportunity to make an appointment quickly and easily if necessary. Please note that you are not required to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the available contact options for arranging appointments.

In principle, data processing outside the European Union (EU) is not performed, as we have restricted our storage location to data centres within the European Union. However, we cannot rule out the possibility that data will be transmitted to Microsoft Corp. in the USA in this context. Microsoft can also perform remote maintenance access from other third countries. That is why we have concluded the standard data protection clauses of the European Commission with Microsoft Corp.

To conduct surveys, we use the Microsoft Forms service as part of Microsoft Office 365 provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter "Microsoft").

In the course of conducting surveys, personal data can be processed and stored on Microsoft's European cloud servers. There is the possibility of an anonymous survey or a confidential survey. An anonymous survey does not store contact information and cannot be traced back to you. In the case of confidential surveys, it is possible for the survey owner to attribute the answers to you. In addition, it is possible that personal data is requested within a survey. These data can also only be viewed and evaluated by the owner of the survey. The processed data are not used for automated decisions, including profiling.

The legal basis for the processing of your data in relation to the Microsoft Forms service is Art. 6 para. 1 sent. 1 lit. (a) GDPR (presence of consent). Participation in the surveys is voluntary. Unless there is a legitimate interest in long-term storage, the owner will delete all responses within two years after the completion of the survey. As a respondent, you can ask the owner how long your answers will be stored in Forms.

In principle, data processing outside the European Union (EU) is not performed, as we have restricted our storage location to data centres within the European Union. However, we cannot rule out the possibility that data will be transmitted to Microsoft Corp. in the USA in this context. Microsoft can also perform remote maintenance access from other third countries. That is why we have concluded the standard data protection clauses of the European Commission with Microsoft Corp. For more information on the handling of your data, see Microsoft's privacy statement at https://privacy.microsoft.com/en-gb/privacystatement.

We use the tool Microsoft Teams to conduct conference calls, video conferences, online meetings, webinars or online trainings (hereinafter: "online meetings"). Microsoft Teams is part of Microsoft Office 365 provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter "Microsoft").

The controller for the data processing directly related to the realisation of online meetings is PPI AG. However, if you access the Microsoft website, the respective provider is responsible for the data processing. Accessing the website is only necessary to download the software for the use of Microsoft Teams. If you do not want to or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. The service will then be provided via the Microsoft Teams website. You can find more information about Microsoft Corporation's data protection here https://privacy.microsoft.com/en-gb/privacystatement.

When using Microsoft Teams, different types of data are processed. The scope of the data also depends on the information you provide prior to or during the participation in an online meeting. The following personal data are subject to the processing:

  • User details: first name, surname or display name, e-mail address if applicable, profile picture (optional), preferred language 
  • Meeting metadata: topic, description (optional), date, time, meeting ID, phone numbers, location, participant IP addresses, device/hardware information
  • Text, audio and video data: You may have the option of using the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. To enable the display of videos and the playback of audio files, data from your device's microphone and video camera is processed accordingly for the duration of the meeting. You can switch off the camera or mute the microphone yourself at any time via the online meeting applications.
  • Recording of the online meeting (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file for the online chat
  • Dialling in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.

For more information on what data are processed by Microsoft Teams, please visit https://learn.microsoft.com/en-gb/microsoftteams/teams-privacy.  

Insofar as personal data of PPI AG employees are processed, § 26 BDSG is the legal basis for the data processing. If, in connection with the use of the online services, personal data are not required for the establishment, performance or termination of the employment relationship but are nevertheless an elementary component in the use of the online services, Art. 6 para. 1 lit. (f) GDPR is the legal basis for the data processing. Our interest in these cases is in the effective realisation of online meetings.

Furthermore, the legal basis for the data processing when conducting online meetings is Art. 6 para. 1 lit. (b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Art. 6 para. 1 lit. (f) GDPR. Again, our interest is in the effective realisation of online meetings.

Personal data processed in connection with the participation in online meetings will not be disclosed to third parties as a matter of principle, unless the data are specifically intended to be disclosed. Please note that the content from online meetings, as well as face-to-face meetings, is often intended to communicate information with customers, prospects or third parties and is therefore intended to be disclosed.

In principle, data processing outside the European Union (EU) is not performed, as we have restricted our storage location to data centres within the European Union. However, we cannot rule out the possibility that data will be transmitted to Microsoft Corp. in the USA in this context. Microsoft can also perform remote maintenance access from other third countries. That is why we have concluded the standard data protection clauses of the European Commission with Microsoft Corp.

We sometimes use Cisco Webex (hereinafter referred to as "Webex") to conduct webinars. Webex is a service of Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134 USA.

Note: If you access the Microsoft or Webex website, the respective provider is responsible for the data processing. Accessing the website is only necessary to download the software for the use of Webex. If you do not want to or cannot use the Webex app, you can also use Webex via your browser. The service will then be provided via the Webex website. Further information on the data protection of Cisco Systems, Inc. can be found at https://www.cisco.com/c/en_uk/about/legal/privacy-full.html.

The following personal data are subject to the processing:

  • User details: first name, surname or display name, e-mail address if applicable, profile picture (optional), preferred language
  • Meeting metadata: topic, description (optional), date, time, meeting ID, phone numbers, location, participant IP addresses, device/hardware information
  • Text, audio and video data: You may have the option of using the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. To enable the display of videos and the playback of audio files, data from your device's microphone and video camera is processed accordingly for the duration of the meeting. You can switch off the camera or mute the microphone yourself at any time via the online meeting applications. 
  • Recording of the online meeting (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file for the online chat
  • Dialling in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.

We use Microsoft Teams and Webex to conduct online meetings. If we want to record online meetings, we will tell you transparently in advance and – where necessary – ask for consent. The online meeting application will also show that a recording is taking place. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will usually not be the case.

Insofar as personal data of PPI AG employees are processed, § 26 BDSG is the legal basis for the data processing. If, in connection with the use of the online services, personal data are not required for the establishment, performance or termination of the employment relationship but are nevertheless an elementary component in the use of the online services, Art. 6 para. 1 lit. (f) GDPR is the legal basis for the data processing. Our interest in these cases is in the effective realisation of online meetings. Furthermore, the legal basis for the data processing when conducting online meetings is Art. 6 para. 1 lit. (b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Art. 6 para. 1 lit. (f) GDPR. Again, our interest is in the effective realisation of online meetings.

Personal data processed in connection with the participation in online meetings will not be disclosed to third parties as a matter of principle, unless the data are specifically intended to be disclosed. Please note that the content from online meetings, as well as face-to-face meetings, is often intended to communicate information with customers, prospects or third parties and is therefore intended to be disclosed.

Webex is a service provided by a provider from the USA. A processing of personal data thus also takes place in a third country. We have concluded a processing contract with the provider that complies with the requirements of Art. 28 GDPR. An adequate level of data protection is guaranteed for one thing by the conclusion of the so-called standard EU contractual clauses. As complementary security measures we have also configured our online meetings to use only data centres in the EU.

During some conference calls, video conferences, online meetings, webinars or online trainings we use Conceptboard by Conceptboard Cloud Service GmbH, Mansfelder Str. 56, 06108 Halle (Saale), Germany as an interactive workspace (hereinafter "Conceptboard"). It is an interactive whiteboard that is used between participants to visualise ideas and document the respective workshop.

As a participant you can work on and take part in the concept boards directly via the browser without having to register with the provider. To participate only a username is required so that contributions and comments can be assigned in the concept boards. This can be the first and last name or a pseudonym.

Further information on the data protection of Conceptboard Cloud Service GmbH can be found at https://conceptboard.com/privacy/.

Depending on the scope of use, different types of data are collected and processed. These include in particular:

  • Personal details (e.g. first and last name)
  • Meeting metadata (e.g. IP address, date and duration of the communication via session cookie)
  • Device/hardware data (e.g. MAC address)
  • Text data (e.g. comments in the whiteboards/post-its)

All information shared on the concept boards during the online meeting is processed at least for the duration of the meeting.

The legal basis for the processing of your data in relation to the Conceptboard service is Art. 6 para. 1 sent. 1 lit. (a) GDPR (presence of consent).

The data will not be disclosed. Conceptboard is provided by a German company with servers in the area of the EU and is subject to the GDPR. We have concluded a processing contract with the provider that complies with the requirements of Art. 28 GDPR.

7.   Applicants

With the following information we would like to give you an overview of the processing of your personal data as an applicant for a job offer or in the context of a speculative application.

In the application process we only process the personal data that you send us with your application. The categories of personal data processed include the first name, surname, name affixes, date of birth, nationality, contact data (such as private address, [mobile] phone number, e-mail address), log data generated during the use of the IT systems and other data from the applicant management (e.g. CV, data on education and work experience, data on severe disability, skills and competences). 

If your application documents contain special categories of personal data pursuant to Art. 9 para. 1 GDPR, we will process them in the context of the application procedure for the exercise of rights or the fulfilment of obligations arising from labour law, social security law and social protection. The legal basis in this respect is Art. 6 para. 1 sent. 1 lit. (c) GDPR in conjunction with Art. 9 para. 2 lit. (b) GDPR.

If we have not collected the data directly from you, it is possible that we have obtained it from third parties based on your consent, e.g.:

  • Personnel service provider/recruitment agency or
  • From publicly accessible sources (e.g. professional social networks or search engines) 

If you use our website to submit your application online via our career portal, (www.ppi.de/karriere), your data will be securely transmitted to us.

We process your data to realise the application process. The data are submitted voluntarily by you and are used to decide on the establishment of an employment relationship in accordance with § 26 (1) BDSG.

If you have agreed to be included in the applicant pool, this processing is based on your consent (Art. 6 para. 1 sent. 1 lit. (a) GDPR). In these cases, we store your application documents so that we can consider you again in subsequent application procedures.

Furthermore, we store the data after the conclusion of an application procedure to protect our legitimate interests for the defence of legal claims in proceedings under the German General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz). In the event of a dispute we have a legitimate interest in processing the data for evidence purposes.

Your application data is generally stored by us for the duration of the application process. If an employment relationship, apprenticeship or trainee relationship is established following the application process, your data will initially continue to be stored insofar as this is necessary and permissible and will then be transferred to the personnel file.

Should we be unable to offer you employment within the scope of the application process, we will delete your data six months after the conclusion of the application process. This storage period is required for us in accordance with Art. 6 para. 1 sent. 1 lit. (f) GDPR to be able to defend ourselves, if necessary, against claims in terms of the German General Act on Equal Treatment.

If you would like to be included in our pool of applicants, you thereby consent to your data being retained by us beyond this period in order for us to be able to contact you for vacancies in the future. In this case the erasure takes place after two years.

Your applicant data is only disclosed to the departments or persons in the company who need it to carry out the application process and to check the applicants. In addition, your application data may be disclosed to processors in accordance with Art. 28 GDPR.

No data is transferred to a third country. As a matter of principle, there is no regular transfer of personal data to a third country (states outside the European Union (EU) or the European Economic Area (EEA)) or an international organisation. However, we may use service providers who process data outside the EU / EEA. In these cases, we will ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, through standard EU contracts or binding corporate rules or special agreements to the rules of which the company may be subject.

Status and amendment of the data protection information

Please note that we update this data protection policy from time to time so that it always complies with the most recent legal requirements and covers all our content. The latest version applies subject to the following update notice.

Your statutory rights to information, rectification, restriction, erasure and to raise an objection shall remain unaffected by any such amendment.

Last update: 04/05/2023