Data Privacy Statement

and also information about the people involved in accordance with Articles 13 and 14 of the EU General Data Protection Regulation

General information

The protection of your personal details and compliance with legislative regulations governing data protection are important to us. You can always use this website without having to divulge your personal details. Personal details are defined as the information that can be used to disclose your identity, e.g. your name, your postal address or your e-mail address.

The information that our providers obtain when this website is called up is not evaluated on a personal basis. Any provision of personal details on this website by yourself is made on a purely voluntary basis. Without exception, your details, which you may provide on forms, will be transmitted to us securely in encrypted form. This eliminates any possibility of unauthorised third parties gaining access to them. For this, we use the SSL process.

Please contact our Data Protection Officer with any questions you may have about data privacy:
Robert Aumiller
Tel. +49 9431 716027
aumiller@iitr.de

The party named below is responsible for the processing activities named in the next section:

OBERMEYER Holding GmbH
Hansastrasse 40
80686 Munich
info@obermeyer-group.com

In the following section, we wish to inform you of the data categories that we capture, how we process the details that you provide to us, and what rights you have in relation to them.

Use of cookies

Our website uses cookies. Cookies are text files that are placed by a web server on a computer system where they are stored. They are used for web analysis (cf. Google Analytics, see below).

You can adapt the processing of cookies on this website at any time to suit your preferences, for example by refusing to accept third-party cookies or all cookies. Here, we use the Borlabs-Cookie-Banner from Borlabs (borlabs.io).

Please be aware that you may not then be able to use all the features of this site. Please also note: If you originally approved a few types of cookies (e.g. analysis cookies), you must actively delete from your browser the cookies already set after changing settings. You can set your browser so that you are informed about the placement of cookies and only allow cookies in individual cases, exclude the acceptance of cookies in certain cases or generally, or can activate the automatic deletion of cookies when closing the browser. Deactivating cookies may limit the functionality of this website.

Log files for internal system and statistical reasons

Every time our website is called up by a person affected or by an automated system, it records a range of general data and information. This general data and information is stored in log files on the server.

Examples of what is recorded include the types and versions of browsers that are used, the operating system used by the accessing system, the website from which another system is accessing our website (known as Referrers), the sub-websites that are activated on our website by an accessing system, the date and time of access to our website, the anonymised Internet Protocol address (IP address) and other similar data and information that serve to avert danger in the event of attacks on our IT systems. We draw no conclusions from this about the person affected.

Instead, this information is used to provide the contents of our website correctly and to optimise it, to assure the lasting functional capability of our IT systems and our website technology and to provide law enforcement agencies with the information they require in the event of a cyber attack.

This anonymised data and information is statistically evaluated by ourselves and also with the aim of increasing data protection and data security in our facility, in order ultimately to ensure an optimum level of protection for the personal data processed by us. The anonymous data in the server logfiles is stored separately from all the personal details provided by an affected person.

Use of data from contact forms

The Website uses contact forms that are used at several locations on the website. The contents and contact details communicated in this way are encrypted without intermediate storage and then forwarded to the internal company e-mail address stored in the system. Encryption is performed by the receiving e-mail server (OBERMEYER). This uses Version 1.2 of TLS. This means that the OBERMEYER e-mail server takes encrypted contents (TLS-1) that are then encrypted analogously before being transmitted to the e-mail address on file.

It is only possible to submit your details using the contact form if you confirm on a check box that you have read and accepted the terms of the Data Privacy Statement.

The personal details that you provide to us in connection with this contact enquiry shall only be used by us to answer your enquiry and/or to contact you, and for the technical administration work associated with this. The data will not be passed on to third parties.

You have the right to revoke your consent at any time, effective into the future. In this case, your personal details are deleted immediately. Your personal details are also deleted after the stipulated storage period, even if you do not revoke them.

Web Analysis Tools (statistics-tracker)

We use various web analysis services on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 Para. 1 lit. f. GDPR).

We understand web analysis as a component of our internet service. We want to use it to further improve the website and adapt it more to the needs of the users. Data on the behavior of users is collected to identify and improve possible problems such as pages not found, crawling problems by search engine bots or particularly popular or unpopular content.

As a digital agency, we also have an interest in understanding how web analytics programs work and how we can report usage data in a privacy-compliant and effective manner. Therefore, we have installed different variants of web analytics programs on our own servers in parallel, which we explain individually below.

Some of these analysis services set cookies on the end devices of the users in order to recognize sessions. This data storage is only carried out after consent has been given in the consent banner (see detailed information on use).

Google Analytics

If you have given your consent to tracking for web analysis services, Google Analytics, a web analysis service provided by Google LLC, is used on this website. The responsible body for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Google Analytics Universal
In our implementation of Google Analytics Universal, the anonymization of IP addresses is activated. Due to IP anonymization, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Google Analytics 4 (GA4)
In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Scope of processing
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected by means of the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

During your website visit, your user behavior is recorded in the form of “events”. Events can be:

  • pageviews
  • first visit of the website
  • start of session
  • click path and interaction with the website
  • scroll events
  • clicks on external links
  • internal search queries
  • interaction with videos
  • file downloads
  • ads viewed / clicked
  • language setting

In addition, the following is recorded:

  • your approximate location (region)
  • your IP address (in shortened form)
  • technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
  • your internet service provider
  • the referrer URL (via which website/advertising medium you came to this website)
  • purposes of the processing

Recipients of the data are/could be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Art. 28 GDPR)
  • Google LLC, 1600 Amphitheater Parkway Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection.

The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by U.S. authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

Storage duration
The data sent by us and linked to cookies are automatically deleted after 2 months. The deletion of data whose retention period has been reached occurs automatically once a month.

Legal basis
The legal basis for this data processing is your consent pursuant to Art. 6 Para.1 p.1 lit.a GDPR and Art. 49a GDPR.

Google Tag Manager
The Google Tag Manager is only there to administer website tools by including what are known as website tags. The legal basis for using these services is your consent using the Cookie Consent Layer.

Google Analytics opt-out for all devices

Alternatively to the browser add-on or within browsers on mobile devices, please click this link to prevent Google Analytics from recording anything on this website in future (the Opt Out only functions on this browser and only for this domain). For this, an opt-out cookie is placed on your device. To delete your cookies in this browser, you must click this link again.

Webserver logfiles

IP addresses are unmasked for a period of seven days to detect, define and remedy any stored faults or errors. After this period of time, IP masking is introduced. After 30 days, the saved IP address, now masked, is finally deleted.

Shariff bar (Share function)

We use the ‘Shariff’ buttons for secure data protection. ‘Shariff’ was developed to allow for more of a private sphere on the network and to replace the usual ‘Share’ buttons on social networks. This means that it is the server on which the online offer is being presented, and not the user’s browser, that establishes a link with the server of the relevant social media platform. These portals are then shown: Xing, LinkedIn and YouTube.

The Shariff bar is used on applications such as news messages or on the contact form.

Credit rating and credit worthiness information

In the context of the contractual relationship, we communicate personal details about the application, execution and termination of the business relationship with CRIF Bürgel GmbH, Radlkoferstrasse 2, 81373 Munich.

The legal foundation for these data transfers is Article 6 par. 1 letter b and Article 6 par. 1 letter f of the GDPR. Transfers of data based upon Article 6 par. 1 letter f of the GDPR may only be carried out insofar as that is required for safeguarding legitimate interests of our company or of third parties and where the interests or fundamental rights and fundamental freedoms of the affected person do not prevail where protection of personal details is required. The exchange of data with CRIFBÜRGEL also serves to comply with legislative obligations relating to the carrying out of creditworthiness checks by customers (Sections 505a and 506 of the Bürgerliches Gesetzbuch [Civil Law Book]).

CRIFBÜRGEL processes the data it receives and uses it for profile creation (‘scoring’) to provide its contractual partners in the European Economic Area and in Switzerland and where necessary in other third countries (provided that an Adequacy Agreement exists between them and the European Commission) with information, also including details needed to assess the creditworthiness of natural people. Further information about the activity of CRIFBÜRGEL can be viewed on the CRIFBÜRGEL Informationsblatt or online at www.crifbuergel.de/de/datenschutz.

Job vacancies & speculative applications

We capture personal details if you apply to us in relation to one of our job vacancies or with a speculative application. We use umantis software from Haufe-Lexware GmbH & Co. KG, Munzinger Strasse 9, 79111 Freiburg. With it, we capture your name, nationality and date of birth as well as your address and contact details. We also ask about your interest in a given vacancy or, in the case of speculative applications, for details of the company division and work location that is of interest to you. For applications via WhatsApp, where the same data is collected, the software PitchYou from PitchYou GmbH, Campusallee 9, 51379 Leverkusen, is also used. The imprint and privacy policy of www.obermeyer-group.com apply to the job vacancies market.

Finally, we capture your qualifications, curriculum vitae, testimonials and supporting documents, a covering letter and an application photo, your e-mail address as a username for accessing the applications portal and the user language together with your consent to remaining in the Obermeyer Talent Pool after the application process, or if you instead wish for your application details to be deleted.

  • Situations Vacant subscription
    If you wish to subscribe to the Situations Vacant section on the website, we take a note of your e-mail address, your choice of password and the language in which you would like to be notified by us of any job vacancies we may have.
    We use umantis software from Haufe-Lexware GmbH & Co. KG, Munzinger Strasse 9, 79111 Freiburg.
    To assure your consent to us sending you notifications, we use what is known as the Double Opt-in procedure. This involves recording potential addressees in the cc list, then inviting them by e-mail to confirm their wish to subscribe. The address is only included actively in the cc list if confirmation is provided.
    You may revoke your consent to the storage of data, your email address and its use to send you newsletters at any time via the Unsubscribe link in the notification e-mail.
  • Purpose of processing
    The purpose of processing is to gain talented new people as employees at Obermeyer and therefore to initiate employment relationships and to conduct the application and applicant management procedures.
    Another purpose of processing is to obtain your consent to our sending you information about job vacancies on a regular basis.
  • Legal basis for processing
    The legal basis for processing is your consent to our processing of the personal details you submitted to us.
  • Recipients of data
    After submission, your applications are forwarded to our HR department for appraisal. If necessary, the managers of the technical departments with vacancies to which you are applying need to be provided with access to your application which involves granting them the legal right to do so. Transfers of data to an EEA third country or to an International Organisation do not take place.
  • Duration of storage
    Your data is stored throughout the processing time of your application and/or if you consent to this, thereafter for inclusion in our Talent Pool and until no later than the date you revoke your consent. Unless you consent to us storing your details for longer, all data will be deleted after between three and six months.
    Compliance with any additional legal storage periods that might exist and/or for periods during which the storage of data is necessary for the application of legal claims shall not be affected by this.

Automated decision-making and/or profiling

We do not engage in automated decision-making and/or profiling as defined in Article 22 paras. 1 and 4 GDPR.

Technical and organisational measures

We use technical and organisational security measures to protect your personal data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. This also applies if external services are used. When entering personal details, these are always encrypted before being transmitted.

Procedure for dealing with business cards

As part of the procedure for handing out and exchanging business cards, you communicate personal details to us, e.g. your phone number and/or e-mail address. We only use these details for the purpose of remaining in contact with you. In addition, we provide you with more information about the services we provide. If you do not source any services and/or products from us, we shall delete your contact details after 5 years.

Specific details on the use of video conferencing/webinar software

  • Relevant data: data provided for the use of the video conferencing software or webinar software (esp. first name, last name, e-mail address; optional: sound transmission; optional: image transmission; optional: questions when using chat functions); to the extent technically necessary, processing of data from your system to establish the connection with the provider of the conferencing software
  • Processing purpose: Conducting video conferences or webinars
  • Categories of recipients: 
    • public bodies in the case of overriding legal provisions
    • external service providers or other contractors, among others for data processing and hosting
    • other external bodies, insofar as the data subject has given consent or a transfer is permissible for overriding interest
  • 3rd country transfers: only processors within the European Union are used; standard contractual clauses have been concluded with the service provider accordingly
  • Duration of data storage: A recording of video conferences only takes place with the previously documented consent of the participants. The technical data is deleted if it is no longer required. The duration of data storage otherwise depends on the statutory retention obligations and is usually 10 years.

Specific details on the processing of details of customers and interested parties

  • Relevant data: Data notified for contractual purposes and any additional data for processing can only be retained with your express consent.
  • Processing purpose: Implementation of contracts, including quotations, orders, contractual processing and invoicing, quality assurance
  • Categories of recipients:
    • Public bodies if priority legal stipulations are applicable
    • External service providers or other customers, including those involved in data processing and hosting, dispatch, transport and logistics, service providers for the printing and posting out of information and service providers involved in accounting.
    • Other external bodies subject to those affected granting their consent or where such a transfer is permitted on grounds of compelling interest, e.g. creditworthiness notification, for the electronic mailing of information and for quality assurance purposes.
  • 3rd country transfers: As part of the contractual implementation process, order processors outside the European Union can also get involved.
  • Duration of data storage: The duration of data storage shall be based on legal storage requirements which usually extend over a 10-year period.

Specific details for the processing of employee data

  • Relevant data: Data notified for contractual purposes and any additional data for processing can only be retained with your express consent.
  • Processing purpose: Contractual execution in relation to an employment relationship
  • Categories of recipients:
    • Public bodies if priority legal stipulations are applicable, including the tax authorities, social security provider and trade association.
    • External service providers or other contractors, including for data processing and hosting, payroll accounts, accounting for travel expenses and for vehicle usage.
    • Other external departments, provided that the affected party has granted consent or where such a transfer is permitted on grounds of compelling interest, including for order acquisition and insurance services.
  • 3rd country transfers: As part of the contractual implementation process, order processors outside the European Union can also get involved, including by e-mail.
  • Duration of data storage: The duration of data storage shall be based on legal storage requirements which usually extend over a 10-year period.

Specific details for the processing of supplier data

  • Relevant data: Data notified for contractual purposes and any additional data for processing can only be retained with your express consent.
  • Processing purpose: Contractual execution, including enquiries, purchasing and quality assurance.
  • Categories of recipients:
    • Public bodies if priority legal stipulations are applicable, including the tax authorities and customs.
    • External service providers or other contractors, including for data processing and hosting, accounting and the processing of payments.
    • Other external departments, provided that the affected party has granted consent or where such a transfer is permitted on grounds of compelling interest.
  • 3rd country transfers: As part of the contractual implementation process, order processors outside the European Union can also get involved.
  • Duration of data storage: The duration of data storage shall be based on legal storage requirements which usually extend over a 10-year period.

Your rights as an affected person

In accordance with the European General Data Protection Regulation, you have the following rights as an affected person:

  • Revocation of consent: In all instances where the processing of your personal details is founded upon your consent, you can revoke your consent at any time in accordance with Article 7 para. 3 GDPR.
  • Information: You have the right to request confirmation from the party responsible that your details are being processed by them, and where applicable you are entitled to be informed about these personal details.
  • Correction: You have the right to demand from the party responsible the immediate correction of any inaccurate personal details relating to you.
  • Deletion: You may have the right to demand from the party responsible that your personal details are deleted with immediate effect.
  • Restriction of processing: You may have the right to demand from the party responsible the restriction of processing.
  • Protest against processing: You have the right at any time to protest against the processing of your personal details for reasons that arise from your particular situation.
  • Consequences of failure to provide data: You are not obliged to provide us with data. Any failure to provide data can, where applicable, lead to it not being possible to process your enquiry or to operate a customer account.
  • Right to data portability: You have the right to obtain the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format.
  • Right of appeal to a supervisory authority: You have the right to complain to a supervisory authority.