X-Act Agentur für Kommunikation GmbH
Managing directors: André Rossi, Stefan Wilke
Link to legal notice: www.xactwerbung.de/impressum
Types of processed data
- Basic data (e.g. names, addresses)
- Contact data (e.g. email, telephone numbers)
- Content data (e.g. text input, photos, videos)
- Usage data (e.g. visited websites, content interests, access times)
- Meta/communication data (e.g. device information, IP addresses)
Categories of data subjects
Visitors to and users of our online services (in the following, we generally also refer to data subjects as “users”).
Purpose of processing
- Provide the online services, functions, and content
- Reply to contact queries and other communication with users
- Security measures
- Reach measurement/marketing
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means. The term is wide-ranging and covers practically all usage of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Applicable legal bases
Under the terms of Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In particular, these measures include protecting the confidentiality, integrity, and availability of data by controlling physical access to the data and their entry, disclosure, protection of availability, and separation. We have also put in place processes to allow data subjects to exercise their rights, erase data, and respond to potential data breaches. Beyond this, we take the protection of personal data into account when developing and selecting hardware, software, and processes in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
Cooperation with processors and third parties
If, during processing, we disclose, transmit, or otherwise provide data to other persons and companies (processors or third parties), this is done only as permitted by law (e.g. if transmission of data to third parties such as payment providers is required for performance of contract as set out in Article 6(1)(b) of the GDPR), you have provided your consent, we have a legal obligation to do so, or we have a legitimate interest in doing so (e.g. when employing contractors, web hosting services, etc.). If we contract third parties to process data on the basis of a “processing contract”, this is done on the basis of Article 28 of the GDPR.
Data transfer to third countries
If we process data in a third country (e.g. outside the European Union (EU) or the European Economic Area (EEA)) or have data processed in a third country under our right to engage another processor or disclose/transmit data to another processor, this is only done if necessary to perform a contract or take steps prior to entering into a contract, on the basis of your consent, where we have a legal obligation to do so, or where we have a legitimate interest in doing so. Subject to statutory or contractual permissions, we process or have data processed in a third country only if the specific conditions set out in Article 44ff. of the GDPR apply. In other words, processing here may be on the basis of specific safeguards such as the official recognition of a level of data protection that meets EU standards (e.g. the “Privacy Shield” for the USA) or the official recognition of specific contractual obligations (“standard contractual clauses”).
Rights of data subjects
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and to obtain access to these data, a copy of the data, and further information as set out in Article 15 of the GDPR. Under Article 16 of the GDPR, you have the right to obtain the rectification of inaccurate personal data concerning you or to have incomplete data completed. Article 17 of the GDPR gives you the right to obtain the erasure of personal data concerning you without undue delay, while Article 18 of the GDPR gives the right to obtain restriction of processing of your personal data. You have the right to receive the personal data concerning you which you have provided to us and the right to have your personal data transmitted to other controllers under Article 20 of the GDPR. You further have the right, set out in Article 77 of the GDPR, to lodge a complaint with a competent supervisory authority.
Right to withdraw consent
Under Article 7(3) of the GDPR, you have the right to withdraw any consent you have given with effect for the future.
Right to object to processing
Under the terms of Article 21 of the GDPR, you have the right to object to processing of personal data concerning you at any time. In particular, you may object to processing for direct marketing purposes.
Direct marketing: cookies and right to object
We process our clients’ data as part of our contractual services, including concept development and strategic consulting, campaign planning, software and design development/consulting or support, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services. When we do this, we process basic data (e.g. client master data such as names and addresses), contact data (e.g. email, telephone numbers), content data (e.g. text input, photos, videos), contract data (e.g. subject of contract, term), payment data (e.g. bank details, payment history), and usage data and metadata (e.g. when evaluating and gauging the success of marketing activities). We generally do not process special categories of personal data unless they form part of a contracted processing activity. Data subjects include our customers, potential customers, and their own customers, users, website visitors, employees, and third parties. The purpose of processing is to provide contractual services, billing services, and our own customer service. The legal bases of processing are Article 6(1)(b) of the GDPR (performance of contract) and Article 6(1)(f) of the GDPR (analysis, statistics, optimisation, security measures). We process data that are required to initiate and perform contractual services and inform users of the necessity to provide us with these data. Data are only disclosed to third parties if this is required as part of an order. When processing data provided to us as part of an order, we act in accordance with the client’s instructions and the statutory regulations regarding processing as set out in Article 28 of the GDPR, and do not process the data for any purpose other than that required for the order. We erase the data on the expiry of statutory warranty and related obligations. 
We review the need to retain data every three years; in the event of statutory archiving obligations, the data are erased on their expiry (6 years in accordance with Section 257(1) of the Commercial Code, 10 years in accordance with Section 147(1) of the Fiscal Code). We erase data that has been disclosed to us by a client as part of an order in accordance with the requirements of the order, and generally on completion of the order.
Administration, financial accounting, office organisation, contact management
We process data as part of administrative tasks and the organisation of our company, in financial accounting, and in compliance with statutory obligations, e.g. archiving. When we do so, we process the same data that we process when performing our contractual services. The legal bases of processing are Article 6(1)(c) of the GDPR and Article 6(1)(f) of the GDPR. Processing applies to customers, potential customers, business partners, and website visitors. The purpose of and our interest in processing is administration, financial accounting, office organisation, and data archiving, i.e. tasks we perform to maintain our business activities, fulfil our duties, and provide our services. Data regarding contractual services and contractual communications are erased in compliance with the information provided relating to these processing activities. In this context, we disclose or transfer data to the fiscal authorities, advisers (e.g. accountants or auditors), and other billing centres and payment providers. On the basis of our business interests, we also save information on suppliers, event organisers, and other business partners, e.g. for the purpose of maintaining contact with them in the future. We generally save this largely business-related information permanently.
Business analyses and market research
We analyse the data we hold on business processes, contracts, enquiries, etc. in order to run our business effectively and identify market trends and the requirements of our contract partners and users. When we do so, we process basic data, communication data, contract data, payment data, usage data, and metadata on the basis of Article 6(1)(f) of the GDPR, and data subjects may be contract partners, potential customers, customers, visitors, and users of our online service. We carry out these analyses for the purpose of evaluating our business, marketing, and market research. Here, we may use the profiles of registered users and the information they contain, e.g. on services they have used. We use the analyses to boost user-friendliness and optimise both our website and our business. The analyses are used by us alone and are not disclosed to any third parties, provided the analyses are not anonymous and do not make use of merged data. If these analyses or profiles are related to specific persons, they will be erased or anonymised when the user gives notice of termination, or otherwise two years following conclusion of contract. Overall business analyses and general trend analyses are created anonymously wherever possible.
When making contact with us (e.g. on the contact form, by email, telephone, or on social media), users’ information is processed for the purpose of addressing and handling their request in accordance with Article 6(1)(b) of the GDPR. Information provided by users may be saved in a customer relationship management (CRM) system or similar system. We erase requests when they are no longer required. We review the necessity to retain them every two years; statutory archiving obligations also apply.
The hosting services we use are employed to ensure the availability of the following services: infrastructure and platform services, computing capacity, memory and database services, security services, and technical maintenance services that we use for the purpose of operating this online service. In this context, we, or our hosting provider, process the basic data, contact data, content data, contract data, usage data, metadata, and communication data of customers, potential customers, and visitors of this online service on the basis of our legitimate interest in ensuring the efficient and secure availability of this website in accordance with Article 6(1)(f) of the GDPR in conjunction with Article 28 of the GDPR (contracts for processing).
Collection of access data and log files
We, or our hosting provider, collect data on all access to the server on which this service is located (log files) on the basis of our legitimate interest in accordance with Article 6(1)(f) of the GDPR. These access data include the name of the requested website, confirmation of successful request, browser type and version, the user’s operating system, the referral URL (the website last visited), the IP address, and the requesting provider. For security reasons (e.g. to investigate misuse or fraudulent actions), log file information is saved for a maximum of 7 days and then erased. Data that must continue to be retained as evidence are exempted from erasure until the incident in question has been fully resolved.
Google AdWords and conversion measurement
Visual Website Optimizer
Social media profiles
Integration of third-party services and content
We use third-party content and services on our online services on the basis of our legitimate interests (i.e. interest in analysis, optimisation, and effective operation of our website under the terms of Article 6(1)(f) of the GDPR) to integrate their content and services, e.g. videos or fonts (in the following referred to as “content”). This always presupposes that the third-party provider of this content knows the user’s IP address, as the content cannot be sent to their browser without an IP address. The IP address is thus required to display this content. We endeavour to use only content supplied by providers who use IP addresses only to deliver content. Third-party providers may also use pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. Pixel tags make it possible to evaluate information such as visitor numbers on the various pages of this website. The pseudonymised information may also be saved in cookies on a user’s device and contain technical information on the browser and operating system, referrer websites, time of visit, and other information on the use of our online services, as well as be associated with information from other sources.
Created using Datenschutz-Generator.de provided by Dr. Thomas Schwenke