1 Introduction to Data Protection
We are delighted by your interest in our services. Protecting your personal data during your visit to our website is a matter of great importance to us.
We safeguard your privacy and your private data. We collect, process, and use your personal data in accordance with the content of these data protection provisions and the applicable data protection rules, especially the General Data Protection Regulation, the Federal Data Protection Act, and the Telemedia Act.
These data protection provisions regulate which personal data we collect, process, and use about you. Therefore, we kindly ask you to carefully read the following explanations.
Notice regarding the Data Controller
Contact Information for the Data Controller
If you have any questions about data protection, you will find below the contact details of the responsible person or entity:
represented by: Oliver Graf (Managing Director)
The responsible Party is the natural or legal person who, alone or jointly with others, decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).
Contact Information for the Data Protection Officer
You can reach our data protection officer, Mr. Markus Vatter, at the above postal address with the addition “the data protection officer” or at: Datenschutz@bitbasegroup.com
2.1 Storage Duration
Unless a more specific storage period is mentioned in this data protection declaration, your personal data will remain with us until the purpose for data processing ceases. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial retention periods); in the latter case, deletion will occur upon the expiration of these reasons
3 Data Collection on These Web Pages – Summarized
3.1 Who is responsible for data collection on this website?
3.2 What do we use your data for?
Some of the data is collected to ensure the proper functioning of the website. Other data may be used to analyze your user behavior.
3.3 What rights do you have regarding your data?
You have the right to obtain information about the origin, recipient, and purpose of your stored personal data at any time, free of charge. You also have the right to request the correction or deletion of this data. If you have given consent for data processing, you can revoke this consent at any time for the future. Additionally, you have the right, under certain circumstances, to request the restriction of the processing of your personal data.
Furthermore, you have the right to lodge a complaint with the relevant supervisory authority. For this and other questions related to data protection, you can always contact us.
3.4 Third-party Analysis Tools and Services
Your usage behavior is not statistically evaluated when visiting this website.
4 General Notes and Mandatory Information
When you use these pages, various personal data is collected.
We would like to point out that data transmission over the Internet (e.g., when communicating by email) may have security vulnerabilities. Complete protection of data from access by third parties is not possible.
4.2 Legal Basis for Data Processing on this Page
If you have given your consent to data processing, we process your personal data based on Art. 6 para. 1a GDPR or Art. 9 para. 2a GDPR, if special categories of data are processed under Art. 9 para. 1 GDPR. In the case of explicit consent to the transfer of personal data to third countries, data processing also takes place based on Art. 49 para. 1a GDPR. If you have consented to the storage of cookies or access to information on your device (e.g., via device fingerprinting), data processing also takes place based on Art. 25 para. 1 TTDSG. Consent can be revoked at any time. If your data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, we process your data based on Art. 6 para. 1b GDPR. Furthermore, we process your data if it is necessary to fulfil a legal obligation based on Art. 6 para. 1c GDPR.
4.3 Notice Regarding Data Transfer to the USA and Other “Unsafe Third Countries”
We use services from companies based in the USA or other data-related unsafe third countries outside the EEA. When these tools are active, your personal data may be transferred to and processed in these third countries. We would like to point out that in these countries, a data protection level comparable to that of the EU cannot be guaranteed.
For example, US companies are required to disclose personal data to security authorities without the possibility for you, as the data subject, to challenge this in court. Therefore, it cannot be ruled out that US authorities (e.g., intelligence agencies) process, evaluate, and permanently store your data located on US servers for surveillance purposes.
We have no direct influence on these processing activities, but the risk can be minimized through appropriate contractual arrangements (EU standard contractual clauses). The EU has established these standard contractual clauses, which you can find here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
In a data protection impact assessment for third countries (third-country impact assessment, TCIA), we regularly assess whether the risk is adequately controlled. If you have any questions about the technical and organizational measures, you can contact our data protection officer. Since July 11, 2023, there is also an adequacy decision by the EU Commission under Art. 45 GDPR, the so-called Transatlantic Data Privacy Framework (TADPF) with the USA. Only in cases where a US company certifies itself in the associated database and joins this network, has the EU determined that the USA is considered a safe third country for these companies. We will note this for the respective processor. You can then check for yourself whether the company is registered there at http://www.dataprivacyframework.gov
4.4 Revocation of Your Consent for Data Processing
Many data processing operations are only possible with your explicit consent. You can revoke consent that has already been granted at any time. The legality of data processing carried out until the revocation remains unaffected by the revocation.
4.5 Right to Object to Data Collection in Special Cases and Against Direct Marketing Pursuant to Article 21 GDPR
IF DATA PROCESSING IS BASED ON ART. 6 PARA. 1E OR 1F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, INCLUDING PROFILING BASED ON THESE PROVISIONS. YOU CAN FIND THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED IN THIS DATA PROTECTION DECLARATION. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING SERVES THE ASSERTION, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH ADVERTISING, INCLUDING PROFILING RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ARTICLE 21(2) GDPR).
4.6 Right to Lodge a Complaint with the Competent Supervisory Authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.
4.7 Right to Data Portability
You have the right to receive the data that we process automatically on the basis of your consent or in fulfillment of a contract in a common, machine-readable format or to have it transmitted to a third party. If you request the direct transfer of the data to another controller, this will only be done to the extent technically feasible.
4.8 SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the website operator, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.
4.9 Information, Deletion, and Correction
You have the right, in accordance with applicable legal provisions, to receive free information at any time about your stored personal data, their origin and recipients, the purpose of data processing, and, if applicable, the right to correction or deletion of this data. For this purpose, as well as for any further questions regarding personal data, you can contact us at any time.
4.10 Right to Restrict Processing
You have the right to request the restriction of the processing of your personal data. For this purpose, you can contact us at any time. The right to restrict processing exists in the following cases:
- If you dispute the accuracy of your personal data stored with us, we usually need time to verify this. During the verification period, you have the right to request the restriction of the processing of your personal data..
- If the processing of your personal data was/is unlawfully conducted, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you require them for the exercise, defence, or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have objected pursuant to Art. 21 para. 1 of the General Data Protection Regulation (GDPR), a balance must be made between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.
- If you have restricted the processing of your personal data, these data may, apart from their storage, only be processed with your consent or for the assertion, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.
4.11 Objection to Promotional Emails
The use of contact information published within the framework of the legal notice requirements for sending unsolicited advertising and information materials is hereby objected to. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as through spam emails.
5 Provision of Web Content
Here, we describe the provision of web content (hosting) according to Art. 6 para. 1f GDPR. In simple terms, a web page is transmitted from one computer to another location. To counter specific attacks, accelerate and optimize access, content delivery networks (CDNs) are used. These networks serve the efficient and secure provision of a web presence worldwide by directing your page request to the country and computer that can process it most efficiently. Therefore, when using a CDN, we necessarily process your data in insecure third countries, such as the USA. See the note on data transfer to the USA and other “insecure third countries” for more information.
5.1 External Hosting at Hetzner
We host our website with Hetzner. The provider is Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
The engagement of this provider is based on Art. 6 para. 1 f GDPR. We have a legitimate interest in the most reliable representation of our web page. If appropriate consent is requested, processing is carried out solely on the basis of Art. 6 para. 1 a GDPR and Art. 25 para. 1 TTDSG, to the extent that consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of TTDSG. Consent can be revoked at any time.
6 Data Collection on These Web Pages in Detail
6.1 Server Log Files
The provider (host) of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us with each request. These include:
- Browser type, language and version of the browser,
- Operating system used and its interface,
- Page from which the request comes (referrer),
- Host name of the accessing computer,
- Date and time of the request, time zone difference to Coordinated Universal Time (UTC),
- IP address,
- Content of the request (specific page),
- Access status/HTTP status code,
- Amount of data transferred in each case.
This data is not merged with other data sources.
The collection of this data is based on Art. 6 para. 1 f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – for this purpose, the server log files must be collected.
6.2 Contact Form
If you send us inquiries via the contact form, your information from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and for any follow-up questions. We do not share this data without your consent.
The processing of this data is based on Art. 6 para. 1b GDPR, provided your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries directed to us according to Art. 6 para. 1f GDPR, or on your consent according to Art. 6 para. 1a GDPR if it has been requested.
The data you enter in the contact form will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after the completion of processing your inquiry). Mandatory legal provisions – especially retention periods – remain unaffected.
6.3 Inquiry via Email, Telephone, or Fax
If you contact us via email, telephone, or fax, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of handling your request. We do not share this data without your consent.
The processing of this data is based on Art. 6 para. 1 b) GDPR, provided your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries directed to us (Art. 6 para. 1 f) GDPR) or on your consent (Art. 6 para. 1 a) GDPR) if it has been requested.
The data you send to us via contact inquiries will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after the completion of processing your request). Mandatory legal provisions – especially legal retention periods – remain unaffected.
7 “Social Media” – Collaborative Media
7.1 General Information
We maintain publicly accessible profiles on so-called “social” networks. The specific networks we use are listed below. Networks such as LinkedIn, Twitter, etc., can generally comprehensively analyse your user behaviour when you visit their website or a website with integrated social media content (e.g., Like buttons or advertisements). Visiting our social media presences triggers numerous data protection-related processing operations. Specifically: When you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. Your personal data may also be collected in some cases even if you are not logged in or do not have an account with the respective social media portal. In this case, data collection may occur, for example, through cookies stored on your device or by capturing your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. This allows interest-based advertising to be displayed to you both within and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising may be displayed on all devices on which you are or have been logged in.
Our social media presences are intended to ensure the most comprehensive presence on the Internet. This represents a legitimate interest within the meaning of Art. 6 para. 1f GDPR. The analysis processes initiated by social networks may be based on different legal bases, which are to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6 para. 1a GDPR).
Data Controller and Exercise of Rights
When you visit one of our social media presences (e.g., LinkedIn), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can exercise your rights (information, correction, deletion, restriction of processing, data portability, and complaint) both with us and with the operator of the respective social media portal (e.g., LinkedIn).
Please note that despite our shared responsibility with the social media portal operators, we do not have full influence over the data processing operations of the social media portals. Our options are largely determined by the company policy of the respective provider.
The data directly collected by us through the social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose of data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions, especially retention periods, remain unaffected.
We have no influence on the storage duration of your data, which is stored by the operators of the social networks for their own purposes. For details, please refer directly to the operators of the social networks (e.g., in their data protection declaration, see below).
7.2 Networks in Detail
7.2.1 LinkedIn Profile
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Data transfer to the USA is based on the standard contractual clauses of the European Commission. Details can be found here: https://de.linkedin.com/legal/l/dpa? and https://www.linkedin.com/legal/l/eu-sccs.
8 Audio and Video Conferences
For communication with our customers, we use various online conference tools among others. The specific services used by us are listed below. When you communicate with us via internet video or audio conferences, your personal data is collected and processed by us and the provider of the respective conference tool.
The conference services collect all data that you provide or use for using the tools (email address or your phone number). Furthermore, the conference services process the duration of the conference, start and end times (time) of participation in the conference, the number of participants, and other “contextual information” related to the communication process (metadata). Additionally, the tool provider processes all technical data required for online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.
If content is exchanged, uploaded, or otherwise provided within the tools, it is also stored on the servers of the tool providers. Such content includes, in particular, cloud recordings, chat or instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared during the use of the service.
Please note that we do not have full control over the data processing operations of the tools used. Our options largely depend on the corporate policies of the respective providers. For further information on data processing by the conference tools, please refer to the privacy policies of the tools used, which we have listed below this text.
Purpose and Legal Basis
The conference tools are used to communicate with prospective or existing contract partners or to offer specific services to our customers (Art. 6 para. 1 b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 f GDPR). If consent has been obtained, the use of the respective applications is based on this consent; the consent can be revoked at any time with future effect. Then the application can no longer be used.
The data directly collected by us via the video and conference tools will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal retention periods remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please inquire directly with the operators of the conference services.
Conference Services Used
We use the following conference applications:
8.2 Microsoft Teams Ireland
We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, registered office: 70 Sir Rogerson’s Quay, Dublin 2, Ireland. In rare support cases, the parent company, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, may have access to your data as a subcontractor. The USA is an insecure third country. This access is secured by standard data protection clauses.
9 Our Own Services
9.1 Handling of Applicant Data
We offer you the opportunity to apply to us (e.g., by email, post, or via an online application form). Below, we inform you about the scope, purpose, and use of your personal data collected in the context of the application process. We assure you that the collection, processing, and use of your data are in accordance with applicable data protection law and all other legal requirements, and your data will be treated strictly confidentially.
Scope and Purpose of Data Collection
If you send us an application, we will process your associated personal data (e.g., contact and communication data, application documents, notes from job interviews, etc.) to the extent necessary to decide on the establishment of an employment relationship. The legal basis for this is Art. 26 BDSG [Federal Data Protection Act] according to German law (initiation of an employment relationship), Art. 6 para. 1b GDPR (general initiation of a contract), and – if you have given your consent – Art. 6 para. 1a GDPR. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons involved in the processing of your application.
If the application is successful, the data you submit will be stored in our data processing systems for the purpose of carrying out the employment relationship based on Art. 26 BDSG and Art. 6 para. 1b GDPR.
Storage Duration of Data
If we cannot offer you a job, you reject a job offer, or you withdraw your application, we reserve the right to retain the data you have submitted to us on the basis of our legitimate interests (Art. 6 para. 1 f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). After that, the data will be deleted, and physical application documents will be destroyed. The retention serves as evidence in the event of a legal dispute, in particular. If it is apparent that the data will be required after the 6-month period has expired (e.g., due to a pending or imminent legal dispute), deletion will only take place when the purpose for further storage no longer applies.
Longer storage may also occur if you have given your consent for it (Art. 6 para. 1 a) GDPR) or if statutory retention obligations prevent deletion.
Inclusion in the Applicant Pool
If we cannot offer you a job, there may be the possibility of including you in our applicant pool. In the event of inclusion, all documents and information from the application will be transferred to the applicant pool to contact you in case of suitable vacancies. Inclusion in the applicant pool is exclusively based on your explicit consent (Art. 6 para. 1 a) GDPR). Giving consent is voluntary and has no relation to the ongoing application process. You can revoke your consent at any time. In this case, the data from the applicant pool will be irrevocably deleted unless there are legal retention reasons.
Data from the applicant pool will be deleted no later than two years after the consent is given.