DATA PROTECTION

The data privacy policy satisfies the duty to supply information in accordance with the requirements of Art. 12 et seq. of the EU General Data Protection Regulation (hereinafter “GDPR”) and provide you with an overview of the processing of your personal data (hereinafter “data”) on the Arvato website (hereinafter “website”).

1. Who is responsible for processing my data?

Arvato SE
Reinhard-Mohn-Straße 22
33333 Gütersloh
Germany

Phone +49 5241 80-70136
E-Mail Contact
https://arvato.com

is responsible for processing your data on the website. You can contact the data protection officer of Arvato SE using the above postal address with the addition “To the data protection officer” or using the email address data-privacy@arvato.com.

Arvato SE (hereinafter “we” or “us”) process personal data in accordance with the provisions of GDPR and the German Federal Data Protection Act (hereinafter “BDSG”).

2. Which data is recorded?

In connection with your visit to the website and exclusively where technically, contractually or legally required, your data will be processed in order to display the desired content and to facilitate your use of the website’s features.

When you visit the website, information is collected automatically from the computer used to access it (hereinafter “access data”). This access data includes details about the content you request on the website and your usage behavior as well as information about the browser type and version, operating system, internet service provider, the date and time of the use of the website, the websites visited previously and websites newly accessed via our website and the IP address of the computer (also referred to as “server log files”). Pseudonymous usage profiles are created from the access data using web tracking and are analyzed. It is therefore not possible for us to identify you personally.

In principle, you can use the website’s features, such as finding out about us, without entering your data. However, it is necessary to enter data such as your name, address, email address or telephone when using certain features, such as contacting us or signing up to a newsletter. Mandatory information is usually marked with an *.

3. Which cookies are used?

Cookies are used on the website. Cookies are small text files that are stored on your computer when you visit a website. The cookies saved are determined by the browser you use. When the relevant website is accessed again, the web browser sends the content of the cookies back and allows the user to be recognized. Cookies are limited to a certain time period (e.g. once the browser session ends). In addition, you can configure and delete cookies as you desire using your browser’s settings. Deleting them prematurely can however lead to the features of the website only being available to a limited extent.

The website distinguishes between two types of cookies: functional cookies and optional cookies. Functional cookies are used to provide the website in a technically and functionally flawless way (e.g. identification and authentication of the user, language settings, display of images). Without the functional cookies, the features of the website are only available to a limited extent. The optional cookies help to optimize features of the website by recording user behavior and analyzing it in the form of statistics.

In principle, cookies serve as online recognition only and are not personalized. Cookies can include personal data if the information created by the cookies is combined with further data, such as the access data in accordance with Section 2 (e.g. when using web tracking). In principle, such combination only takes place in pseudonymized form. A personal combination is only permitted if you have consented to it or where allowed by law.

4. Which data is collected and for what purposes?

The purposes of data processing can be based on technical, contractual or legal requirements or be based on permission granted if applicable. We use your data for the following purposes:

  • Provision of the website and guaranteeing of technical security, especially the rectification of technical errors and to ensure that unauthorized parties do not gain access to the website systems;
  • Coverage measurements and web analyses in order to design the website to be more efficient and interesting for you and to carry out market research;
  • Communication, contract initiation and customer care;
  • to contact us;
  • Provision of free downloads; and
  • Advertising communication.

You can find information about these purposes of data protection in the following sections of this data privacy policy.

4.1 Technical provision of the website

4.1.1 Description and scope of data processing
For the functionality of the website, the implementation of security analyses and to defend against attacks, the server log files are collected automatically as part of the access data in accordance with Section 2 accrued by the computer system accessing it and during the use of the website and are stored temporarily. The server log files are not stored alongside other data. We use the server log files for statistical analyses, to analyze and rectify technical disruptions, to combat attempts at attacks and fraud, as well as to optimize the functioning of the website.

4.1.2 Purposes and legal basis for data processing
The legal basis for the collection of server log files is Art. 6 (1) (f) GDPR. Legitimate interests lie in the functionality of the website, the performance of security analyses and the defense against dangers.

4.1.3 Duration of storage or criteria to define this duration
After loading the websites, the server log files are stored on the web server and the IP address contained therein is deleted after seven days at the latest in accordance with the requirements of the Telecommunications Act (“TKG”). Other regulations apply if concrete suspicion exists and storage going beyond this is legally required for the purpose of evaluation and clarification.

4.1.4 Right to objection or elimination
You have the right, for reasons that result from your particular situation, to submit an objection to the processing of your data. If you would like to assert your right to object, please contact the contact address specified under point 1.

4.2 Contact Form

4.2.1 Description and scope of data processing
On the website, there is the option to contact us via a contact form. If you take this opportunity, you will provide us with your data such as your email address, telephone number, first name and surname and your query (also referred to as “contact details”). The contact details are only stored and used to process your query (e.g. questions about products and services).

4.2.2 Purposes and legal basis for data processing
The legal basis for the processing of your contact details is usually Art. 6 (1) (f) GDPR. There are legitimate interests in the processing of your specific query and further communication. If the purpose of you getting in contact is to enter into a contract (e.g. to avail of our services), the legal basis for the contract shall be Art. 6 (1) b GDPR.

4.2.3 Duration of storage or criteria to define this duration
After processing your query and ending further communication, your contact details will be deleted. Other regulations apply if the purpose of getting in contact is to enter into a contract. For this purpose, the data will only be stored until the contractual and/or legal storage periods (currently 6 to 10 years) are complete.

4.2.4 Right to objection or elimination
You have the right, for reasons that result from your particular situation, to submit an objection to the processing of your contact details. If you would like to assert your right to object, please contact the contact address specified under point 1. If you object, the processing of your query cannot continue. Other regulations apply if the storage of your contact details is required to initiate a contract or to execute a contract.

4.3 Assertion of data subject rights

4.3.1 Description and scope of data processing
This privacy policy informs you about the possibility of asserting the data subject rights under data protection law. In order to be able to answer your request comprehensively, we are obliged by law to verify your identity. This is to protect your data from unauthorized access. For this purpose, it may be necessary for you to provide a copy of your passport or similar information about yourself and the individual data processing. Within this provided information, you may omit information that is not necessary to prove your identity (for example, on a passport copy, eye color, height, or nationality may be blacked out). Without providing information, we are unable to fulfill your data subject rights.

4.3.2 Purposes and legal basis for data processing
We are legally obliged under GDPR to process your data in order to assert data subject rights. The legal basis for this is Art. 6 (1) (c) GDPR.

4.3.2 Duration of storage or criteria to define this duration
We store the correspondence held with you in relation to the assertion of data subject rights for a period of three years. This excludes evidence of identity such as a marked copy of your personal ID, if you provide us with one. This will be deleted once your identity has been confirmed.

4.3.3 Right to objection or elimination
The processing of your data is required in order to satisfy your data subject rights. In this respect, you have no right to object.

4.4 Downloading free content (e.g. studies, white papers)

4.4.1 Description and scope of data processing
Via the website, you can download content we have provided, such as studies or white papers on current topics from our areas of business. When you download, your contact details will be sent to us via the registration screen and stored. We will also record the date and time of your download when doing so. Downloading is voluntary, free of charge and generally independent from any other features of the website. You can see further details in the contractual provisions .

4.4.2 Purposes and legal basis for data processing
The download of free content is an online feature we offer you. The legal basis for the processing of your related data is the contract under Art. 6 (1) (b) GDPR.

4.4.3 Duration of storage or criteria to define this duration
Your data will be stored for as long as is necessary to execute the contract concerning the downloading of free content. The contract ends automatically once the download has completed successfully. After the end of the contract, your data will only be stored until the contractual and/or legal storage periods (currently 6 to 10 years) are complete.

4.4.4 Right to objection or elimination
The processing of your data is required in order to fulfil the contract governing the downloading of free content. In this respect, you have no right to object.

4.5 Registration for events

4.5.1 Description and scope of data processing
You can register for specific events via the website. In general, the events consist of presentations on current topics and developments in our areas of business. They may take place in rooms provided by us or as a virtual event (e.g. webinar). It is also possible to present our service portfolio and new products and services. Your personal data (title, first name, surname, company, enterprise), contact data (business e-mail address), date of participation as well as the information about your participation at dinner will be transmitted to us and processed for your participation. We will also process information about your participation in the programme, nutritional information and information about the need for accommodation and/or a hotel, if you provide us with this information optionally. We will also record the date and time of your registration. We also send information e-mails to the contact details you provide in order to inform you about (e.g. specifications of the event, updates) the respective event. Your data is only passed on to third parties (e.g. organizer, hotel) if it is necessary for your participation in the event.

4.5.2 Purposes and legal basis for data processing
We are processing your data for the organization and holding of the event organized by us. Participation in events represents a digital offer from us to you. The legal basis for the processing of your data collected within the scope of section 4.5.1 is the execution of the contract in accordance with Art. 6 (1) (b) DSGVO.

4.5.3 Duration of storage or criteria to define this duration
Your data will be stored as long as they are required for participation in the specific events. After your participation, your data will be stored until the contractual and/or legal retention periods (currently 6 to 10 years) have been fulfilled. If we are unable to send you a confirmation of participation due to our limited number of participants, the purpose for further processing of your data is no longer applicable and your data will be deleted within a period of three months, until the deletion is not opposed by legal retention periods.

4.5.4 Right to objection or elimination
The processing of your data is necessary in order for you to participate in the specific event. In this respect, you have no right to object.

4.6 Business customer survey

4.6.1 Description and scope of data processing
As part of our business customer relationships, we occasionally conduct customer surveys in order to record satisfaction and to improve our services. The customer survey is intended for our business customers, but we generally store your contact details in our customer database if you act as a contact person. We use your contact details to invite you to take part in the customer survey. Participation is voluntary and you have the option to communicate to us at any time that you would no longer like to receive invitations to take part in customer surveys in the future.

4.6.2 Purposes and legal basis for data processing
The legal basis for the processing of your contact details is Art. 6 (1) (f) GDPR. There are legitimate interests in customer care and retention and in the improvement of our services.

4.6.3 Duration of storage or criteria to define the duration
In principle, survey results will be stored for the duration of the business relationship. Other provisions apply in the event that the survey results consist of purely statistical data.

4.6.4 Right to objection or elimination
You have the right, for reasons that result from your particular situation, to submit an objection to the processing of your contact details. If you would like to assert your right to object, please contact the contact address specified under point 1.

4.7 Online Application/ Career

4.7.1 Description and scope of data processing
Job Applications are published on this website, which you can use to apply for a job at Arvato. You are forwarded to the Bertelsmann applicant portal via the job advert. Therefore the actual data processing for the application process for your online application does not take place on this website. Responsibility for the job adverts is borne by the company that has posted them. This company is also the one that regularly receives your data when receiving your online application. Your data is therefore not forwarded to any other parties

You can find further details about data processing for your online application during registration and when creating your applicant profile, and can be accessed via the following link: https://jobsearch.createyourowncareer.com/content/Privacy-Policy/?locale=en_US

4.7.2 Purposes and legal basis for data processing
When your online application for a specific job vacancy is received, your data will be processed for recruitment purposes. In the employment contract initiation phase, your potential employer has an interest in ensuring that you possess the specialist skills and personal qualities required for the vacant position. The legal basis for the processing of your data is the contract under Art. 6 (1) (b) GDPR.

4.7.3 Duration of storage or criteria to define this duration
Your data is only processed where required for the recruitment decision. After finishing the online application, your data will be deleted after the end of the statutory storage period (six months).

4.7.4 Right to object or elimination
The processing of your data is required for the recruitment decision, i.e. (pre-)contractual purposes. There is thus no option to object.

4.8 CV Matcher

4.8.1 Description and scope of data processing
You can use our CV Matching Tool on the website to receive keyword matching suggestions for suitable job advertisements based on your CV. Use the upload button to upload your CV. Only the information provided in your CV will be processed. It will not be merged with other data such as the IP address from log files. The purpose of processing your data is to suggest suitable job advertisements based on the uploaded CV.

4.8.2 Purpose and legal basis of data processing
Your data will be deleted immediately after your CV has been analyzed and suitable job advertisements have been presented. No further permanent storage takes place. The legal basis for the processing of the data is your consent in accordance with Art. 6 (1) a GDPR. In addition, when using the "CV Matcher" function, log data (e.g. IP address) is generated, the purpose of which is the secure operation of the website and the "CV Matcher". The legal basis for the processing of this data is the legitimate interest pursuant to Art. 6 (1) f GDPR.

4.8.3 Duration of storage or criteria for determining this duration
Your data will not be stored permanently.

4.8.4 Objection and removal options
You can revoke your consent at any time or object to the processing of your data by giving reasons at the contact address given in section 1. However, as the data will not be stored permanently and will be deleted immediately after the suitable job advertisements have been displayed, a revocation or objection will have no further effect.

4.9 Job Alert

4.9.1 Description and scope of data processing
On the website you can register for the "Job Alert". With the job alert, we can automatically inform you when a new job vacancy corresponding to your details is published. The data provided from the registration form will be processed by Arvato SE (and with the help of service providers) to send notifications to you at your desired and selected intervals (daily, weekly, monthly). Your data will first be used in a double opt-in procedure to verify the email address provided and then, if successful, for the purpose of sending the newsletter. The only mandatory information is your email address. Your email address is mandatory for receiving the notifications and newsletters.

In order to be able to prove that you have given your consent to receive our newsletter, we process your email address, the consent text, the confirmation email, the IP address of your registration, the IP address of the confirmation and the time and date of registration, confirmation and last update. Further data can be provided voluntarily in order to customize the selection of proposed vacancies to your profile.

4.9.2 Purpose and legal basis of data processing
This newsletter is sent by mail on the basis of your order and your consent to the processing of your personal data in accordance with Art. 6 (1) a GDPR. You can revoke your consent at any time and thus stop receiving this newsletter. Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) c GDPR serves as the legal basis.

4.9.3 Duration of storage or criteria for determining this duration
Your data will be stored until you withdraw your consent or unsubscribe from the newsletter. Thereafter, we will store your data for a period of 3 years in order to prove that we have obtained your consent for sending newsletters.

4.9.4 Objection and removal options
If you have given your consent to receive communications, you can revoke this at any time with effect for the future by informing us of your revocation via data-privacy@arvato.com with the subject "Newsletter revocation" or by clicking on the unsubscribe button in your newsletter. An objection to data processing does not lead to the deletion of data that may be stored due to legal obligations.

4.10 Web tracking

This website incorporates services that optimize user-friendliness and measure the coverage of the website. For this purpose, your access data is recorded in accordance with Clause 2 and, with the use of cookies, usage behavior is analyzed in accordance with Clause 3. In principle, web tracking does not require you to be identified personally. The IP address included in your login details is either not used at all or is only use in abbreviated form, and therefore only pseudonymized usage profiles are created. When this happens, it is in principle not combined with other data and you have the right to revoke at any time. Personal usage profiles are only created in exceptional cases and only where you have given your permission.

The web tracking services are regularly provided by service providers who process the usage profile according to our instructions, and not for their own purposes. This is ensured based on order processing contracts. If the service providers have offices outside of the European Union or the European Economic area (hereinafter “EU/EEA”), then what is called a third-country transfer takes place. This is permitted if you have consented to it, we have provided guarantees for a level of data protection in line with the European standard or the European Commission has classified the third country as a secure third country. The third-country transfer of the respective service is detailed below. You can find further information about the recipients of your data and the third-country transfer in Sections 6 and 7.

4.10.1 Google Tag Manager
The website uses the Google Tag Manager. This service is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google Inc.). The Google Tag Manager can be used to manage the web tracking services integrated into this website and other services using so-called "tags" (placeholders for a website code). The Google Tag Manager only implements these tags. No cookies are used and no personal data is collected by the Google Tag Manager. The Google Tag Manager only triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data.

4.10.2 Google Analytics
This website uses the Google Analytics service. Google Analytics is supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Google Analytics creates a pseudonymized usage profile in order to optimize the user-friendliness of the website. Pseudonymity is ensured by the IP address being shortened before your data is transmitted to Google and it not being possible for conclusions about your identity to be drawn. The pseudonymized usage profile is analyzed after transmission for the purpose of optimizing user-friendliness. It is not combined with other Google data. By means of an order processing contract, we ensure that Google only processes the data in line with our instructions.

Additional information about data processing by Google Analytics can be found in Google’s data privacy policy:  https://policies.google.com/privacy?hl=en.

4.10.3 Use of SalesViewer® technology:
This website uses SalesViewer® technology from SalesViewer® GmbH on the basis of the website operator’s legitimate interests (Art. 6 (1) (f) GDPR) in order to collect and save data on marketing, market research and optimisation purposes.

For this purpose, a javascript-based code is used to collect and use company-related data. The data captured using this technology are encrypted in a non-retrievable one-way function (so-called hashing). The data is immediately pseudonymised and is not used to identify website visitors personally

The data stored by Salesviewer will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.

The data recording and storage can be repealed at any time with immediate effect for the future, by clicking on https://www.salesviewer.com/opt-out in order to prevent SalesViewer® from recording your data. In this case, an opt-out cookie for this website is saved on your device. If you delete the cookies in the browser, you will need to click on this link again.

4.10.4 LinkedIn Insight Tag
Our website uses the conversion tool "LinkedIn Insight Tag" from LinkedIn Ireland Unlimited Company. This tool creates a cookie in your web browser that allows the following information to be collected: IP address, device and browser characteristics, and page events (e.g., page views). This data is encrypted, anonymized within seven days and the anonymized data is deleted within 90 days. LinkedIn does not share any personal information with Arvato, but provides anonymized reports about the website target audience and display performance. In addition, LinkedIn offers the possibility of retargeting via the Insight Tag. Arvato may use this data to display targeted advertising outside its Web site without identifying you as a Web site visitor. For more information about LinkedIn's privacy policy, please refer to the LinkedIn privacy statement.

LinkedIn members can control the use of their personal information for promotional purposes in their account settings. To disable ("opt-out") the Insight tag on our website, click here.

The legal basis for the collection and analysis of pseudonymous usage profiles is Art. 6 (1) f GDPR/Section 15 (3) German Telemedia Act (TMG). We have legitimate interests in the optimization of the user-friendliness of the website and measuring coverage.

Data that is collected and analyzed when using web tracking services is generally stored until you object to its use. The storage duration of cookies is generally no longer than 24 months.

You can object to the use of Google Analytics at any time by changing your browser settings and/or clicking on the following link to download and install the available browser plug-ins: https://tools.google.com/dlpage/gaoptout?hl=en.

In addition, you can centrally deactivate web tracking by all providers who are part of the “Your Online Choices” self-regulatory initiative via the link http://www.youronlinechoices.eu.

4.11 Advertising
We also use your access data in accordance with section 2 to place interest-based advertising on our websites and the Arvato newsletter. This enables us to recognize click fraud and to place advertisements that are as relevant as possible for you. The advertising that is presented to you is selected taking into account your access data that is generated when you use the websites and the newsletter (so-called "re-targeting"). If you have given us your consent to individual advertising, we will process your data on this basis to the extent of your consent. Without your consent, we will only process your data using pseudonyms, i.e. your data collected in the context of online advertising will not be merged with your other data (e.g. contact data).

5. External service providers and content

We include external services and content on our website. If you use such a service or if you are shown third-party content, technical communication data will be shared between you and the provider in question. If we integrate services from other providers as part of our online offering in order to offer you certain content or functions (e.g. playing videos or route planning) and we process personal data in the process, this is done on the basis of Art. 6 (1) b and f GDPR. The data processing is then necessary to implement the functions you have selected or to protect our legitimate interest in an optimal range of functions of the online offer. If cookies are used in the context of these integrated third-party services, the explanations under sections 3 and 9 apply. Please also refer to the privacy policy of the respective provider with regard to the third-party services.

In addition, it may transpire that the provider of the services or content in question will process your data for its own further purposes. To the best of our knowledge, we have configured third-party services and content from providers who knowingly process data for their own purposes in such a way that either stops communication for purposes other than the presentation of content or services on our website, or communication only takes place if you actively decide to use the service. Since we have no influence on the data collected by third parties and its processing, we cannot provide any binding information about the process and scope of the processing of your data.

You can therefore find further information about the purpose and scope of the collection and processing of your data in the data protection information for the data controllers of the providers of the services and content we have integrated:

Unless otherwise stated, profiles on social media are generally only integrated into our online offering as a link to the corresponding third-party services. After clicking on the integrated text/image link, you will be redirected to the offer of the respective social media provider. After the redirect, personal data may be collected directly by the third-party provider. If you are logged into your user account with the respective social media provider during this time, the provider may be able to assign the information collected from the specific visit to your personal user account. If you interact via a "Share" button of the respective social media provider, this information can be saved in the personal user account and possibly published. If you want to prevent the collected information from being directly assigned to your user account, you must log out before clicking on the embedded text/image link.

6. Who receives my data?

In our company, the departments that require your data to fulfil the purposes presented under Section 4 will receive access to it. The service providers we commission may also receive access to your data (also referred to as “processors”). The requirement to observe instructions, data security and the confidential handling of your data by these service providers is ensured by means of processing contracts.

The forwarding of data to further recipients such as advertising partners, providers of social media services or law enforcement authorities (referred to as “third parties”) only takes place where required by statutory provisions or where you have given your permission. The confidential handling of your data and compliance with data protection regulations is ensured by means of internal data protection guidelines and joint data security management.

7. Is my data processed in a third country?

Insofar as the service providers and/or third parties named under Section 6 have branches outside of the EU/EEA, this can lead to your data being transmitted to a country where a level of data protection suitable for the EU/EEA cannot be guaranteed. Such a level of data protection can be ensured by means of a suitable guarantee, however. Standard contractual clauses provided by the EU Commission are an example of a suitable guarantee. Any guarantees may be waived by way of exception if you give your permission or the third-country transfer is necessary to execute our contractual relationship. The EU Commission has also recognized certain third countries as secure third countries, meaning that the company does not need to make suitable guarantees in these cases.

A third-country transfer takes place through the use of Google services for web tracking and online advertising. In principle, the data will be processed by Google within the EU. Google will only be able to access the data in the USA in exceptional cases, such as due to technical maintenance.

A third-country transfer may also take place via our newsletter in the case of targeted advertising. Some of our subsidiaries are based outside of the EU/EEA (e.g. USA or Shanghai). We have entered into standard contractual clauses with these subsidiaries in accordance with the EU Commission’s stipulations. You can find more information here https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:DE:PDF.

8. What data protection rights do I have?

You have the right to be informed about the personal data we have stored about you at any time. Should data about you be incorrect or no longer up-to-date, you have the right to request its correction. You also have the right to request the deletion or restriction of processing of your data in accordance with Art. 17 and 18 GDPR. You may also have the right to receive the data you have provided in a common and machine-readable format (also known as “right to data portability”).

If you have granted consent to the processing of personal data for certain purposes, you can revoke this consent at any time with future effect. The withdrawal should be addressed to the company via the contract address specified under Section 1.

In accordance with Art. 21 GDPR, you have the right, for reasons that result from your particular situation, to submit an objection against the processing of your personal data in accordance with Art. 6 (1) f GDPR at any time. You have the right to object to the processing of your personal data for the purpose of direct advertising at any time. The same applies for automated procedures when using individual cookies, provided that these are not absolutely necessary for the provision of the website.

In addition, you have the option to contact a data protection authority and to submit your objections to it. The responsible authority is

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
Phone: +49 211/38424-0
Fax: +49 211/38424-10
E-Mail: poststelle@ldi.nrw.de.

You can also contact the data protection authorities responsible for your place of residence.