Privacy Policy

Information according to Art. 13, 14 GDPR

As a controller within the meaning of Art. 4 No. 7 GDPR, we process personal information of natural persons (personal data). Compliance with applicable data protection law, in particular the European General Data Protection Regulation (GDPR), is not only a legal obligation for us as a specialized consulting company. With this privacy policy, we would like to contribute to providing data subjects with a meaningful overview of the processing of their data by us in an easily perceivable, understandable and clearly comprehensible form.

1. Controller & Contact Details

IBS Schreiber GmbH

Zirkusweg 1
20359 Hamburg
Phone: +49 40 69 69 85-0
Email: info@ibs-schreiber.de

Data Protection Officer

Marc Neumann
IBS data protection services and consulting GmbH
Zirkusweg 1, 20359 Hamburg
Email: datenschutz@ibs-schreiber.de

2. Purposes and Legal Bases

2.1. Providing our websites and IT systems

When you visit one of our websites, we collect pseudonymized connection data required to display the requested website (e.g. IP address, referer URL, target page, timestamp) and store this data in so-called server log files. If you use IT systems provided by us, we additionally process pseudonymized data (e.g. IP address) or personal data (e.g. e-mail address, user name) for the purposes intended in each case, in order to protect our systems by technical means and to record access to the systems as well as activities within them in so-called log files.

In the case of communication by email, messages are scanned by technical means for unwanted content (e.g. viruses, spam). In addition, in certain cases we store pseudonymized information in your browser, in so-called cookies or local storage, insofar as this is necessary to display our website or to enable necessary functions on our website (so-called technically necessary / essential cookies).

There is no legal or contractual obligation to provide this data. However, a visit to our websites, the use of a contact form or the use of our IT systems is not possible, or only possible with restrictions, without the provision of this information. The processing for the purpose of providing our websites and IT systems is carried out for the exercise of overriding legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interests are ensuring the functionality and security of our information technology systems and the assertion, exercise and defense of legal claims.

The storage of information in the end user’s device or access to information already stored in the end user’s device (essential cookies / local storage) is absolutely necessary pursuant to Section 25 (2) No. 2 TTDSG so that we can provide the telemedia service you expressly requested.

2.2. Consent Management

We use the Consent Management plugin Borlabs Cookies to manage consent to the use of web analytics & third-party services on our websites. Pseudonymous information (e.g. UID, timestamp) is stored in your browser and accessed by us to ensure that we only allow cookies and server connections to third parties that have been explicitly permitted by you.

There is no legal or contractual obligation to provide this data. However, a visit to our websites is not possible, or only possible with restrictions, without the provision of this information.

The processing for the purpose of consent management is based on a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR as well as on the exercise of overriding legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Pursuant to Art. 5 (2) GDPR, we are obliged to demonstrate compliance with the data protection principles, which includes providing evidence of the consent given. In addition, our legitimate interests are the assertion, exercise and defense of legal claims.

The storage of information in the end user’s device or access to information already stored in the end user’s terminal equipment (essential cookies / local storage) is absolutely necessary pursuant to Section 25 (2) No. 2 TTDSG so that we can provide the telemedia service expressly requested by you.

2.3. Web Analytics & Third-Party Services

2.3.1. Matomo Webanalytics

Insofar as you have given your consent in the context of consent management (see 2.2) in the category “Statistics” or for all cookies, we use the open source software Matomo to analyze and statistically evaluate the use of our websites. Pseudonymized information (IP masking) is stored in your browser and accessed by us in order to evaluate the usage data and to enable us to design the websites according to your needs.

You do not have to provide this data, nor is there any legal or contractual obligation to do so. A visit to our websites is possible without the provision of this information.

The processing for the purpose of web analysis and statistical evaluation is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. You have the right to withdraw this consent at any time with future effect by adjusting your settings in the Consent Management and deselecting the category “Statistics” or allowing only essential cookies.

2.3.2. Google ReCaptcha, Google Maps, YouTube Videos

Insofar as you have given your consent in the context of consent management (see 2.2) in the category “External media” or for all cookies, we use

a. the Google reCAPTCHA service to prevent automated software (so-called bots) from carrying out abusive activities on our websites.

b. the online mapping service Google Maps to display our business address on a map embedded in the website.

c. the online video service YouTube for embedding videos from our YouTube channel.

In the process, information about your visit to our website (e.g. IP address, input behavior, mouse and touch events) as well as the use of the interactive map services or videos is stored in your browser in pseudonymized form. As the operator of these third-party services, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA stores this information in your browser and accesses it in order to

a. as part of the ReCAPTCHA service, evaluate this together with data from other sources (e.g. Gmail, Search, Analytics) and determine whether the website visitor is a real person. If this is not confirmed, the ReCAPTCHA service blocks the submission of the contact form.

b. provide functions of the Google Maps service,

c. play our videos and pursue their own purposes of analysis and marketing.

For more information on the privacy information of Google LLC, please refer to the external link: https://www.google.com/policies/privacy/.

You do not have to provide this data to visit any of our websites. There is also no legal or contractual obligation to provide it, but the use of certain functions (e.g. contact form, display of map content or videos) is not possible or only possible to a limited extent without the provision of the information.

The processing for anti-spam (Google ReCAPTCHA service) and the display of the online map service (Google Maps) and our videos (YouTube) is based on your consent pursuant to Art. 6 (1) lit. a GDPR. You have the right to withdraw this consent at any time with effect for the future by adjusting your settings in Consent Management and deselecting the category “External Media” or allowing only essential cookies.

The consent also includes the transfer of data to the USA in accordance with Art. 49 (1) lit. a GDPR. The European Court of Justice (ECJ) classifies the USA as a country with an insufficient level of data protection under the GDPR. For example, there is a risk that U.S. authorities process personal data in surveillance programs without any possibility of legal action for data subjects. This results in risks to your rights and freedoms, which you accept when you consent to the processing and activate these services.

2.4. Customer Area

If you work for a company that is a customer of our GRC solutions (e.g. CheckAud), you have the option to register for the customer area on our website. We process personal data (e.g. e-mail address, licence data) to enable you to access the secure customer area, to provide appropriate product information and to correctly assign support requests.

You do not have to provide this data, nor is there any legal or contractual obligation to do so. It is possible to visit our websites without providing this information, but access to the protected customer area requires the provision of the information.

The processing for the purpose of registration and provision of the protected customer area is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. You have the right to withdraw this consent at any time with effect for the future by sending us a simple message. We will then delete your access to the customer area.

2.5. Automated Notifications

If you work for a company that is a customer of our GRC solution CheckAud, you have the option within the software CheckAud to activate automatic update notifications and automatic news (RSS feed).

In this case, CheckAud connects to our web server and checks for available updates as well as current news (e.g. product information, security information, usage information).

In addition to the general information of a website visit (see 2.1), we also process information about the installed CheckAud version (e.g. version of the operating system, licence number). The check for updates is either repeated or one-time, depending on the selection within CheckAud.

You do not have to provide this data, nor is there any legal or contractual obligation to do so. The automatic update notification and the RSS feed also require an existing Internet connection and cannot be used without providing the information.

The processing for the purpose of the automatic update notification is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. You have the right to withdraw this consent at any time with effect for the future by deactivating the automatic update notification and news in CheckAud respectively.

2.6. Newsletter

If you would like to receive our newsletter once a month and register on our website using the form provided for this purpose, we process the personal data provided by you, but at least the e-mail address as a mandatory field, in order to first send you a confirmation e-mail.

If you confirm the newsletter registration, we process your data to send the newsletter. Otherwise, the registration will be revoked and your data deleted. The processing for the purpose of sending the newsletter is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. You have the right to withdraw this consent at any time with effect for the future by clicking the unsubscribe link in a newsletter or by contacting us informally with reference to your email address.

2.7. Seminars, Webinars and Events

When you register as a participant for one of our seminars, events, online seminars or webinars, we process personal data (e.g. name, contact details, associated company, event booked) in order to process your registration and to manage and invoice your participation.

If you do not book your attendance yourself, but your employer or another third party does this, we receive the aforementioned information from another person who books the attendance on your behalf. If you book an overnight stay at one of our partner hotels for an on-site seminar or event, we process the information (e.g., name, arrival, departure, number of nights) to enable you to receive the discount at the partner hotel.

Further details are also available in the terms and conditions of participation, available at: https://ibs-schreiber.de/akademie/teilnahmebedingungen/.

If you activate the checkbox while registering for an event, you consent to being contacted via phone or email within 6 weeks after this event. We will provide you with information about our products and services as well as upcoming events and the latest news from the SAP security area.

You are obliged to provide the information insofar as this is necessary for the booking and implementation of the event, without any direct legal or contractual obligation. Otherwise, participation in seminars, other events or webinars is not possible. The required information on registration forms is marked as mandatory. Beyond that, there is no obligation to provide personal data.

Processing for the purpose of booking and participation in seminars, webinars and events is based on the fulfillment of a contract with you pursuant to Art. 6 (1) lit. b GDPR. In the event that you are not our contractual partner, processing is carried out to safeguard overriding legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interests are the fulfillment of a contract with a third party who books the participation for you. Processing for the purpose of contacting you via phone or email is based on your consent pursuant to Art. 6 (1) lit. a GDPR. You have the right to withdraw this consent at any time with effect for the future by informing us informally with reference to the event.

2.8. Business Communication

If you, as a natural person, conclude a contract directly with us, we collect all personal data required for the establishment, performance or termination of the contract. This also applies if you negotiate or conclude a contractual agreement on behalf of another natural person or legal entity.

Insofar as we do not collect the data directly from you, we receive information about you (name, position), contact data (e.g. e-mail, telephone) and contractual data (e.g. performance obligations) from third parties whom you have named as contact persons or persons responsible for the establishment, execution or termination of the contractual relationship.

We process personal data to the extent necessary for the execution of the contract, the management of the customer relationship, the processing of inquiries and the verification and billing of services provided. In addition, we process this data to enable appropriate risk management as well as controlling and compliance with other legal requirements (e.g. commercial and tax law) as a legal entity.

You are obliged to provide the information insofar as this is necessary for business communication, contract initiation, contract performance or termination, without any direct legal or contractual obligation. Otherwise, the processing of requests and the establishment, performance and termination of the contractual relationship is not possible.

Processing for the purpose of providing our services and business communication is carried out for the fulfilment of the contract pursuant to Art. 6 para. 1 lit. b GDPR as well as for the exercise of overriding legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our legitimate interests are the performance of the contract, insofar as we have concluded the contract with a third party for whom you are acting, as well as the assertion, exercise and defence of legal claims.

2.9. Job Application

When you apply to us, we collect all personal data that you provide to us as part of the application. You may submit an application on your own initiative or on the basis of a job advertisement published by us. We then process your personal data in the application process in order to invite you to a personal interview if necessary and to decide whether to establish an employment relationship.

If your application is rejected, we process the data in the event of a legal dispute. Alternatively, with your express consent, we may also retain and consider the application documents for a later date. If you are hired after the application process has been completed, we will collect further personal data (e.g. certificate of good conduct, social security data, tax data) from the relevant authorities (e.g. government agencies, social insurance carriers, tax authorities) in order to be able to establish the employment relationship. This may also include special categories of personal data, insofar as this relates to religious affiliation, for tax purposes.

You are neither contractually nor legally obligated to provide the data for the application with us. However, it is not possible, or only possible to a limited extent, to carry out an application procedure without the provision of certain data relating to you. When establishing an employment relationship, however, you are legally obligated to provide certain information (e.g. registration with social security) in order to comply with the legal obligations to register and cooperate. The establishment of the employment relationship is otherwise not possible.

Processing for the purpose of carrying out application procedures is carried out for the decision on the establishment of an employment relationship and, after the establishment of the employment relationship, for its implementation in accordance with Section 26 (1) BDSG. In addition, in the event of a rejected application, processing may be carried out to safeguard overriding legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest is the assertion, exercise or defense of legal claims. Insofar as you expressly agree, in the event of rejection of the application, to its retention and consideration for a later date, the processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR. You have the right to withdraw this consent at any time with effect for the future by informing us informally with reference to your application. The withdrawal has no effect on a renewed application at a later date.

2.10. Social Media

If you are a registered user on one of the following social networks, we collect the necessary personal data from the operators of the platforms when you contact us within the platform or access our content and profiles. In addition, when we access your profile, we receive all information that you share with us based on your settings.

You are neither legally nor contractually obligated to provide us with this information. The use of social networks is independent of the provision of your data, however, contacting us or visiting our profile is not possible without providing us with this data. Further processing outside of the social networks does not take place as a matter of principle.

Processing for the purpose of business activity on the professional social networks XING and LinkedIn as well as the provision of videos on YouTube is carried out to safeguard overriding legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interests are the public presentation of our company as well as business networking with partners, interested parties and employees.

2.10.1. XING

We collect user data (e.g. name, location), qualification data (e.g. occupation, position, training) and communication data (e.g. message content) within the social network “XING” from New Work SE, Am Strandkai 1, 20457 Hamburg. For more information on the data protection information of New Work SE, please refer to the external link: https://privacy.xing.com/en.

2.10.2. LinkedIn

We collect user data (e.g. name, location), qualification data (e.g. occupation, position, education) as well as communication data (e.g. message content) within the social network “LinkedIn Germany” from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. For more information on the privacy information of LinkedIn Ireland, please refer to the external link: https://www.linkedin.com/legal/privacy-policy.

2.10.3. YouTube

We collect user data (e.g. user name), communication data (e.g. comments) and preferences (e.g. subscription, like) within the video portal “YouTube” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For more information on the privacy information of Google LLC, please refer to the external link: https://www.google.com/policies/privacy/.

3. Recipients & Third-Country Transfers

Within our company, only those persons who are responsible for the processing have access to personal data. Insofar as certain activities are not carried out by us ourselves, but by commissioned service providers as processors pursuant to Art. 28 GDPR, these are among the recipients of personal data. The use of processors and their sub-processors based outside the EU/EEA is currently not planned.

In certain individual cases, we disclose personal data to third parties (e.g. customers, communication partners, authorities, lawyers, courts) if this is necessary for the processing and permitted by law. A transfer to third countries outside the EU/EEA only takes place if the transfer is necessary for the purpose of the processing and the requirements pursuant to Art. 44 et seq. GDPR are met.

Insofar as third-party services of Google LLC have been activated on this website, we transmit personal data to Google LLC in the USA. For more information, please refer to 2.3.2.

4. Storage Periods

To ensure the principle of storage limitation according to Art. 5 (1) lit. e GDPR, we store personal data in a form that allows identification of data subjects only as long as it is necessary for the respective legitimate purposes.

The following storage periods have been defined by us:

a. Server log files are stored for 1-90 days depending on the IT system and then automatically deleted.

b. Session cookies are automatically deleted after the end of the session (e.g. closing the browser, logout); persistent cookies are deleted automatically after the defined period (max-age, runtime) has been reached, or manually by the user before then.

c. Application documents of rejected applicants will be deleted 6 months after rejection unless consent for permanent storage exists.

Personal data processed on the basis of consent will be deleted after revocation of consent, unless continued storage is required due to retention obligations or for the assertion, exercise or defense of legal claims.

Personal data that must be stored due to commercial or tax regulations in accordance with § 147 AO, § 257 HGB will not be deleted before the expiration of 6 years or 10 years. Further storage takes place for the assertion, exercise or defense of legal claims, e.g. in the case of incomplete tax, audit or administrative proceedings.

Personal data that we process for the assertion, exercise or defense of legal claims are generally deleted after 3 years (regular statute of limitations pursuant to Section 195 of the German Civil Code); in certain cases (e.g. claims for damages), the statute of limitations is 10 years or 30 years from the date the claim arose pursuant to Section 199 of the German Civil Code, with the maximum storage period being 30 years from the date of the damaging event.

5. Your Rights

When you exercise your data subject rights, we have taken appropriate measures to provide communication in a precise, transparent, understandable and easily accessible form in clear and simple language. We always try to make the communications as understandable as possible without neglecting the legal requirements. Our data protection officer will be happy to assist you in person or by telephone if you need support in understanding communications.

5.1.1. Access

Pursuant to Art. 15 (1) GDPR, you have the right to obtain confirmation from us as to whether your personal data is being processed. If this is the case, you have the right of access to your data and to detailed information on the processing. This includes a copy of your data pursuant to Art. 15 (3) GDPR, provided that the rights of other persons are not violated. The right of access can be restricted or refused in accordance with Section 34 (1) BDSG. The reasons for the refusal will be documented in accordance with Section 34 para. 2 BDSG and justified to you.

5.1.2. Rectification

Pursuant to Art. 16 p. 1 GDPR, you have the right to demand that we immediately correct any inaccurate personal data that is being processed. In addition, according to Art. 16 p. 2 GDPR, you have the right to request us to complete your personal data if they are incomplete and this is necessary in consideration of the purposes of the processing. You can make a supplementary declaration for this purpose.

5.1.3. Erasure

According to Art. 17 (1) GDPR, you have the right to demand that we delete your personal data immediately. However, we are only obliged to delete the data if one of the reasons mentioned there applies.

According to Art. 17 (3) GDPR, the right to erasure does not exist insofar as the processing of your personal data is necessary for reasons stated there. This applies in particular if the storage of your data is still required due to statutory retention obligations (Art. 17 (3) (b) GDPR) or your data is required for the assertion, exercise or defense of legal claims (Art. 17 (3) (e) GDPR).

5.1.4. Restriction

Pursuant to Art. 18 (1) GDPR, you have the right to demand that we restrict the processing of your personal data if one of the conditions specified therein applies. If your data has been restricted, you will receive a notification before the restriction is lifted.

5.1.5. Data Portability

Pursuant to Art. 20 (1) GDPR, you have the right to receive your personal data from us in a structured, common and machine-readable format (e.g. JSON, XML) and to provide it to another controller, provided that the rights and freedoms of other data subjects are not affected.

This right only applies to data that you have provided to us and that we process automatically on the basis of your consent (Art. 6(1)(a) GDPR, Art. 9(2)(a) GDPR) or a contract with you (Art. 6(1)(b) GDPR).

If you have the right to data portability, you may, pursuant to Art. 20 (2) GDPR, request that we transfer the data directly to another controller, insofar as this is technically feasible.

5.1.6. Right to Object

Pursuant to Art. 21(1) GDPR, you have the right to object to processing if it is based on Art. 6 (1) (e) GDPR or Art. 6 (1) (f) GDPR and you provide reasons arising from your particular situation.

The right to object pursuant to Art. 21 (1) GDPR does not apply if we demonstrate that we have legitimate grounds for processing which override your interests, rights and freedoms, or if the processing is necessary for the assertion, exercise or defence of legal claims.

Irrespective of this, you have the right pursuant to Art. 21 (2) GDPR to object at any time to the processing of your data for the purpose of direct marketing, including profiling in connection with direct marketing. In this case, we will no longer process your data for the purpose of direct marketing.

5.1.7. Automated Individual Decision-Making

Pursuant to Art. 22 (1) GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – where such decision produces legal effects concerning you or similarly significantly affects you.

Pursuant to Article 22(2) GDPR, this right does not apply if the decision is necessary for the conclusion or performance of a contract with you or is made with your explicit consent. In addition, this right does not apply if a European law allows it and contains appropriate measures to protect your rights and freedoms as well as your legitimate interests.

We do not carry out automated individual decision-making, including profiling, within the meaning of Art. 22 (1), (4) GDPR.

5.1.8. Lodge a Complaint

Pursuant to Article 77 (1) GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data by us violates the General Data Protection Regulation. This right is without prejudice to any other administrative or judicial remedy.

The complaint may be lodged with any supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement.

5.1.9. Withdrawal of Consent

Pursuant to Art. 7 (3) GDPR, you have the right to withdraw any consent you have given for the processing of your personal data at any time. The lawfulness of processing based on your consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR remains unaffected until withdrawal.