GENERAL PRIVACY POLICY

DATA PRIVACY STATEMENT

The following data privacy statement is intended to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This data privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online websites, such as our social media profiles (hereinafter collectively referred to as “online services”).

All terms used are not gender-specific.

INTRODUCTION

CONTROLLER

W² Group GmbH
c/o Mindspace
Rosental 7
80331 Munich
Germany
E-mail: privacy@wagawin.com
Directors: Nicolas Leonhardt, Andreas Merold
Imprint: https://www.wagawin.com/imprint/

DATA PROTECTION CONTACT DETAILS

E-Mail: datenschutz@wagawin.com / privacy@wagawin.com

RELEVANT LEGAL GROUNDS

Below you will find the legal grounds of the General Data Protection Regulation (GDPR) that form the basis for the way in which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may also apply in your and our home state. Furthermore, we will inform you in the data privacy statement if more specific legal grounds apply in individual cases.

SECURITY MEASURES

We undertake appropriate technical and organizational measures in accordance with legal requirements, and take into account the state of the art, implementation costs and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection commensurate with the risk.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding of availability, and the separation of data. Furthermore, we have established procedures to ensure that the rights of data subjects are observed, that data is erased, and that we respond to any threat to the data. We also consider the protection of personal data as early as in the development or selection of hardware, software, and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

IP address truncation: Wherever it is possible for us, or if it is not necessary to store your IP address, we will truncate your IP address or have it truncated. In the event that your IP address is truncated, which is also known as “IP masking”, the last octet will be deleted (the IP address in this context is an identifier individually assigned to an Internet connection by the online access provider). The reason for truncating an IP address is to prevent or significantly inhibit the identification of a person based on their IP address.

SSL encryption (https): We use SSL encryption to protect the data transmitted via our online services. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

TRANSMISSION AND DISCLOSURE OF PERSONAL DATA

When we process personal data, it may happen that the data is transferred to, or disclosed to, other bodies, companies, legally independent organizational entities, or individuals. The recipients of such data may include, for example, payment institutions in connection with payment transactions, service providers commissioned to perform with IT-related tasks, or providers of services and content that are integrated into a website. We observe the statutory provisions in such cases and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transmission within the organization: We may transfer, or grant access to, personal information to other people within our organization. Where such transfer is for administrative purposes, the transfer of the data is based on our legitimate commercial and business interests, or is performed in order to meet our contractual obligations, or is based on the consent of the data subjects, or legal authorization, that has been obtained.

DATA PROCESSING IN THIRD COUNTRIES

We will only process data in a third country (i.e. outside of the European Union (EU), the European Economic Area (EEA)), or if processing takes place in connection with the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, in accordance with legal requirements.

We only process, or allow data to be processed, in third countries that offer a recognized level of data protection, or on the basis of special guarantees – such as contractual obligations based on so-called standard protection clauses of the EU Commission, the existence of certifications, or binding internal data protection regulations – subject to express consent or if transfer is contractually or legally required (Articles 44 to 49 GDPR; please refer to the information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

ERASURE OF DATA

The data we process will be deleted in accordance with statutory provisions as soon as the consent granted for processing is withdrawn or other authorizations cease to apply (e.g. if the purpose for which the data was processed ceases to apply or if it is no longer necessary for such purpose).

The processing of the data will be limited to these purposes, unless the data is not erased because it is required for other, legally permissible purposes. This means that the data is blocked and not available for processing for other purposes. This applies, for example, to data that needs to be retained for commercial or tax law reasons, or that needs to be stored to assert, exercise, or defend legal claims, or to protect the rights of another natural or legal person.

You can find further information on the erasure of personal data in the individual data protection information of this privacy statement.

USE OF COOKIES

Cookies are text files that contain data from websites or domains visited and are stored by the browser on a user’s computer. The primary purpose of a cookie is to store information about a user during or after their visit to a website. Stored information may include, for example, the language settings for a website, login status, a shopping cart, or the location where a video was viewed. The term “cookies” also covers other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also known as “user IDs”).

A distinction is made between the following cookie types and functions:

  • Temporary cookies (also called session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their browser.
  • Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, a user’s login status can be saved, or preferred content can be displayed directly when the user revisits a website. Similarly, users’ interests, which are used to measure reach or for marketing purposes, can be stored in such a cookie.
  • First-party cookies: First-party cookies are set by us.
  • Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (essential or absolutely necessary) cookies: Cookies may be absolutely necessary for the operation of a website (e.g. to store logins or other user entries, or for security reasons).
  • Statistical, marketing and personalization cookies: In addition, cookies are also generally used in connection with reach measurement and when the interests of a user or their behavior (e.g. viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to display content to users that corresponds to their potential interests. This process is also known as “tracking”, i.e. monitoring the potential interests of users. We will inform you separately in our data privacy statement when we use cookies or “tracking” technologies, or at the time we obtain your consent.

Notes on legal basis: The legal basis on which we process your personal data using cookies depends on whether we ask you for your consent. If this is the case, and you consent to the use of cookies, the legal basis for processing your data is declared consent. Otherwise, data processed using cookies will be processed on the basis of our legitimate interests (e.g. for the commercial operation of our website and its improvement) or if the use of cookies is necessary to meet our contractual obligations.

Storage duration: Please assume that the storage duration can be up to two years unless we provide you with explicit information on the storage duration of permanent cookies (e.g. In connection with a so-called cookie opt-in).

General information on withdrawal and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you may at any time withdraw any consent you may have given or object to the processing of your data by cookie technologies (collectively referred to as an “opt-out”). You can initially declare your objection by means of your browser settings, e.g. by deactivating the use of cookies (this may also limit the functionality of our website). An objection to the use of cookies for online marketing purposes can also be lodged through a number of services, especially in the case of tracking, via websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further information on objections as part of the information on service providers and the cookies they use.

Processing cookie data based on consent: Before we process, or allow data to be processed, in connection with the use of cookies, we ask users for their consent, which can be withdrawn at any time. Until consent has been explicitly given, only those cookies will be used that are absolutely necessary for the operation of our website.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal grounds: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

COMMERCIAL AND BUSINESS SERVICES

We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships, as well as associated measures, and within the scope of communication with the contractual (or pre-contractual) partners, e.g. In order to answer inquiries.

We process this data in order to meet our contractual obligations, to safeguard our rights, and for the purposes of the administrative tasks associated with this data, and for the purposes of the business organization. We will only disclose the data of contractual partners to third parties within the scope of applicable legislation to the extent that this is necessary for the aforementioned purposes, to meet legal obligations, or with the consent of data subjects, (e.g. to telecommunications, transport, and other auxiliary service companies involved, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Contractual partners will be informed about other forms of processing, e.g. for marketing purposes, as part of this data privacy statement.

We inform our contractual partners about what data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by special labeling (e.g. colors) or symbols (e.g. asterisks), or personally.

We will delete the data after expiry of legal warranty and comparable obligations, i.e. as a matter of principle after 4 years, unless the data is stored in a customer account, e.g. for as long as they have to be kept for legal archiving reasons (e.g. 10 years legal obligation to retain data for tax purposes, contract documents). We will delete data that has been disclosed to us by the contractual partner in connection with an order in accordance with the specifications of the order, generally after completion of the order.

Where we use third-party providers or platforms to deliver our services, the terms and conditions and privacy policies of the particular third-party provider or platform will apply in the relationship between users and providers.

PROVISION OF ONLINE SERVICES AND WEB HOSTING

In order to make our website available in a secure and efficient manner, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the website can be accessed. To this end, we may call on infrastructure and platform services, computing capacity, storage space, database services, security services, and technical maintenance services.

The data processed as part of the provision of the hosting service may include all the data relating to the users of our website that arise during usage and communication. This regularly includes the IP address, which is necessary to deliver the website content to browsers, and all entries made on our website or from websites.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, date and time of access, data volume transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited website) and, as a general rule, IP addresses and the requesting provider.

Server log files can be used for security purposes, e.g. to avoid overloading servers (especially in the case of abusive attacks, so-called DDoS attacks) and to safeguard server capacity utilization and stability.

  • Types of data processed: Content data (e.g. text input, photographs, videos), usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication, reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-related profiling, use of cookies), remarketing, visitor action evaluation, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures).
  • Legal grounds: Legitimate interests (Article 6 (1) (f) GDPR), consent (Article 6 (1) (a) GDPR).

MAKING CONTACT

When contacting us (e.g. via a contact form, by e-mail, by telephone, or via social media), the data of the requesting persons will be processed to the extent necessary to answer the contact requests and provide any requested measures.

The response to contact requests within the context of contractual or pre-contractual relations is made in order to meet our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of a legitimate interest in responding to such inquiries.

  • Types of data processed: Master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact requests and communication.
  • Legal grounds: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (f) GDPR).

VIDEO CONFERENCES, ONLINE MEETINGS, WEBINARS, AND SCREEN SHARING

We use platforms and applications of other providers (hereinafter referred to as “third-party providers”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings. We observe statutory provisions when selecting third-party providers and their services.

In this regard, data of communication participants will be processed and stored on the servers of third-party providers insofar as they are part of communication processes with us. Such data may include, in particular, registration and contact data, visual and vocal contributions, as well as entries on chats and shared screen content.

Third-party providers, their software, and platforms may process usage data and metadata for security, service optimization, or marketing purposes where users are referred to them in the course of communication, business, or other relationships with us. We would therefore ask you to note the data protection information of the relevant third-party providers.

Notes on legal basis: The legal basis for processing is consent, where we ask users for their consent to the use of third-party providers or certain functions (e.g. consent to a recording of conversations). Furthermore, such use may form part of our (pre-contractual) services, provided that the use of third-party providers has been agreed in this respect. Otherwise, user data are processed on the basis of our legitimate interest in efficient and secure communication with our communication partners. We would also refer you in this context to the information on the use of cookies in this data privacy statement.

  • Types of data processed: Master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partners, users (e.g. website visitors, users of online services).
  • Purposes of processing: Contractual performance and service, contact requests and communication, office and organizational procedures.
  • Legal grounds: Consent (Article 6 (1) (a) GDPR), performance of the contract and pre-contractual inquiries (Article 6 (1) (b) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

APPLICATION PROCESS

The application procedure requires that applicants provide us with the data necessary in order to perform an assessment and make a selection. You can find out what information is required from the job description or, in the case of online forms, from the information provided there.

As a general rule, the information required includes personal details, such as name, address, a contact option, and proof of the qualifications required for the position. We will also be happy to inform you on request about the information required.

Applicants can send us their applications using an online form where available. The data will be encrypted according to the state of the art and transmitted to us. Applicants can also send us their applications by e-mail. Please note, however, that e-mails over the Internet are generally not sent in encrypted form. E-mails are generally encrypted in transit, but not on the servers from which they are sent and where they are received.

Application documents relating to applications for advertised vacancies will be deleted six months after the end of the selection procedure; unsolicited applications will be deleted six months after receipt of the application, provided that there are no statutory retention obligations that prevent deletion.

You can find further information at https://www.wagawin.com/about-us/

You will also find information on your rights as a data subject at the end of this data privacy statement.

PROMOTIONAL COMMUNICATION BY E-MAIL, POST, OR TELEPHONE

We process personal data for the purposes of promotional communication, which can take place over a number of different channels, such as e-mail, telephone, post, in accordance with statutory provisions.

Recipients have the right to withdraw their consent at any time or to object to promotional communication at any time.

After withdrawal or objection, we may store the data required to prove consent for up to three years on the basis of our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defense against claims that may be asserted. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time.

  • Types of data processed: Master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g. by e-mail or by post).
  • Legal grounds: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

WEB ANALYSIS AND OPTIMIZATION

Web analysis (also known as “reach measurement”) is used to evaluate the streams of visitors to our website and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. We can use reach analysis, for example, to identify at what time our website or its functions and content are most frequently used or accessed for reuse. We can also identify which areas require optimization.

In addition to web analytics, we can also use test procedures, e.g. to test and optimize different versions of our online service or its components.

To this end, so-called user profiles may be created and stored in a file (a “cookie”), or similar procedures may be used for the same purpose. This information may include, for example, content viewed, web pages visited, the elements used on those pages as well as technical information such as the browser and computer system used, and information on usage times. Where users have consented to the collection of their location data, these data may also be processed, depending on the provider.

Users’ IP addresses are also stored. However, we use an IP masking technique (i.e. pseudonymization by truncating the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) are stored as part of web analysis, A/B testing, and optimization – instead, pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purposes of the procedures in question.

Notes on legal basis: Where we ask users to give their consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). We would also refer you in this context to the information on the use of cookies in this data privacy statement.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-related profiling, use of cookies), visitor action evaluation, profiling (creation of user profiles).
  • Security measures: IP-masking (pseudonymization of the IP address).
  • Legal grounds: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

  • Matomo: Web analysis/range measurement. The information generated by the cookie about your use of this website is not disclosed to any third party.
    • Service provider: Matomo
    • Website: https://matomo.org
    • Deletion of data: The cookies have a maximum storage period of 13 months.

If you wish to prevent processing for analysis purposes, you can object at any time at the click of a mouse. In this case, an opt-out cookie without usage data will be stored in your browser, meaning that no session data will be collected for analysis.

Note: deleting cookies will result in the removal of the opt-out cookie, which may then need to be reactivated.

CLOUD SERVICES

We use software services accessible over the Internet and running on the servers of their providers (“cloud services”, also referred to as “software-as-a-service”) for the following purposes: document storage and management, calendar management, e-mailing, spreadsheets and presentations, sharing documents, content and information with designated recipients or publishing web pages, forms and other content and information, chatting, and participating in audio and video conferences.

This may involve the processing and storage of personal data on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as set out in this data privacy statement. These data may include, in particular, master data and contact details of users, data on activities, contracts, other processes and their contents. Cloud service providers also process usage data and metadata that they use for security purposes and service optimization.

Where we use cloud services to provide other users or publicly accessible websites with forms etc. or other documents and content, providers may store cookies on users’ devices for web analysis purposes or to remember user settings (e.g. in the case of media management).

Notes on legal basis: Where we ask for consent to use cloud services, the legal basis for processing is consent. Furthermore, their use can be a component of our (pre-)contractual services, provided that the use of cloud services has been agreed in this regard. Otherwise, user data are be processed on the basis of our legitimate interests (i.e. interest in efficient and secure administration and collaboration processes).

  • Types of data processed: Master data (e.g. names, addresses), contact details (e.g. e-mail addresses, phone numbers), content data (e.g. text input, photographs, video clips), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers, employees (e.g. employees, applicants, former employees), interested parties, communication partners.
  • Purposes of processing: Office and organizational procedures.
  • Legal grounds: Consent (Article 6 (1) (a) GDPR), Performance of the contract and pre-contractual inquiries (Article 6 (1) (b) GDPR), Legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

PRESENCE IN SOCIAL NETWORKS (SOCIAL MEDIA)

We maintain an online presence within social networks and process user data in this respect in order to communicate with users who are active there or to offer information about us.

We would point out that users’ data may be processed outside the EU. This may entail risks for users, for example by making it more difficult to enforce users’ rights. We would also point out that US providers who offer comparable guarantees of a secure level of data protection undertake to comply with EU data protection standards.

Furthermore, user data in social networks are generally processed for market research and advertising purposes. This may result in the creation of usage profiles based on user behavior and user interests derived from this. The usage profiles may in turn be used, for example, to place advertisements within or outside of the networks that are likely to match the interests of users. To this end, cookies are generally saved on user devices that store user behavior and interests. Furthermore, data may also be stored in usage profiles independently of the user devices (in particular when users are members of the platforms in question and are logged in there).

We would direct you to the data privacy statements and information of the operators of the networks in question for a more detailed description of the relevant forms of processing and the options to object (opt-outs).

We would also point out that any requests for information and the claims to assert data subject rights should be best addressed to the providers themselves. Only the providers have access to the relevant user data and are able to take corresponding measures directly and provide information. Should you still require assistance, please do not hesitate to contact us.

  • Types of data processed: Master data (e.g. names, addresses), contact details (e.g. e-mail addresses, phone numbers), content data (e.g. text input, photographs, video clips), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication, tracking (e.g. interests-/behavior-based profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of repeat visitors).
  • Legal grounds: Legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

RIGHTS OF DATA SUBJECTS

As a data subject, you are entitled to various rights under the GDPR that arise in particular from Articles 15 to 21 GDPR:

  • Right of objection: You have the right to lodge an objection at any time for reasons arising from your specific situation against the processing of personal data relating to you based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to processing of the personal data relating to you for the purpose of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent that you have already given at any time.
  • Right to information: You are entitled to request confirmation as to whether relevant data are processed and to information about these data as well as to additional information and a copy of the data in accordance with statutory provisions.
  • Right to rectification: You are entitled to request the completion of the data relating to you or the rectification of inaccurate data relating to you in accordance with statutory provisions.
  • Right to erasure and restriction of processing: In accordance with statutory provisions, you are entitled to request that data relating to you be immediately erased or, as an alternative, that the processing of your data be restricted in accordance with statutory provisions.
  • Right to data portability: You have the right to request to receive the personal data relating to you that you provided to us, in a structured, commonly used, and machine-readable format, or to request transmission of those data to another controller in accordance with statutory provisions.
  • Complaint to a supervisory authority: Furthermore, you have the right in accordance with statutory provisions to lodge a complaint with a supervisory authority, especially in the Member State of your usual place of residence, place of work or place of the alleged breach, if you think that the processing of the personal data relating to you breaches the GDPR.
    The regulatory agency responsible for us: Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Supervisory Office for Data Protection – BayLDA), Promenade 18, 91522 Ansbach.

CHANGES AND UPDATES TO OUR DATA PRIVACY STATEMENT

We would ask you to keep yourself up to date with the content of our Data Privacy Statement on a regular basis. We amend our data privacy statement whenever changes to the data processing that we perform make this necessary. We will inform you as soon as such changes require your cooperation (e.g. consent) or necessitate some other form of personal notification.

Where we provide addresses and contact information of companies and organizations in this data privacy statement, please note that these addresses may change over time and so please check the information before contacting us.

Updated: Monday, December 18, 2023