Data protection
Privacy policy
The provisions set out in the EU General Data Protection Regulation (hereinafter referred to as GDPR) apply throughout Europe. We hereby inform you of our company’s processing of personal data in line with this regulation (see Articles 13 and 14 of the GDPR).
You can find our complete privacy policy here for download:
If you have any questions or comments on this privacy policy, do not hesitate to direct them to the e-mail address stated in section 2 or 3.
I. Overview
- Scope
- Controller
- Data protection officer
- Data security
II. The data processing in detail
- General information concerning data processing
- Accessing the website/application
- Newsletter
- Application
- Customer Service
- Organisation consulting with regard to the implementation of psychosocial risk assessments
- Sales and customer management
- Tracking
III. Rights of those affected (data subjects)
- Right to object
- Right to information
- Right of rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to withdraw consent
- Right to complain
IV. Glossary
I. Overview
In this section of the privacy policy, you will find information on the scope, the controller for data processing, the data protection officer and data security.
Data processing by Fürstenberg Institut GmbH can essentially be divided into two categories:
- For the purpose of contract processing, all data required for the execution of a contract with Fürstenberg Institut GmbH will be processed. If external service providers are also involved in the processing of the contract, your data will be passed on to them to the extent required.
- When you access the website/application of Fürstenberg Institut GmbH, various information is exchanged between your device and our server. This may also include personal data. The information collected in this manner is used, among other things, to optimize our website or to display advertising in the browser of your end device.
This privacy policy also applies whenever one of our other offerings (e.g. webinars) refers to it, regardless of how you access or use that offering.
All these offerings are also collectively referred to as “Services”.
The controller for data processing – i.e. the party that decides on the purposes and means of processing personal data – in conjunction with the services is
Fürstenberg Institut GmbH
Gorch-Fock-Wall 3 20354 Hamburg
Telephone: +49 (0)40-380820-0
E-Mail: info@fuerstenberg-institut.de
You can contact our data protection officer as follows:
Contact form: https://www.dsextern.de/anfragen
DS EXTERN GmbH
Dipl.-Kfm. Marc Althaus
Frapanweg 22
22589 Hamburg
In order to develop the measures required in Art. 32 of the GDPR and thus achieve a level of protection commensurate with the risk, we have established an information security management system in our company.
II. The data processing in detail
In this section of the privacy policy, we inform you in detail concerning the processing of personal data within the framework of our services. For better clarity, we structure this information according to certain functionalities of our services. In the normal use of the services, different functionalities, and thus also different processes, can come into effect successively or simultaneously.
Unless otherwise stated, the following applies to all processing operations described below:
a. No obligation to provide data
There is no contractual or legal obligation to provide personal data. You are not obliged to provide data.
b. Consequences of not providing data
Failure to provide the required data (data marked as mandatory during entry) means that the service in question cannot be provided. Otherwise, not providing data can mean that our services cannot be provided in the same form and quality.
c. Consent
In various cases, you also have the option of giving us your consent (possibly for part of the data) to further processing in conjunction with the processing operations described below. In this case, we will inform you separately in conjunction with the submission of the respective declaration of consent of all modalities and the scope of the consent and of the purposes that we pursue with these processing operations.
d. Transfer of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, then the transfer takes place exclusively in compliance with the legally regulated conditions governing admissibility. The conditions governing admissibility are regulated by Art. 44-49 of the GDPR.
e. Hosting with external service providers
Our data processing takes place to a large extent with the involvement of so-called hosting service providers, who provide us with storage space and processing capacities in their data centers and also process personal data on our behalf in accordance with our instructions. These service providers process data either exclusively in the EU or we have guaranteed an adequate level of data protection with the aid of the EU standard data protection clauses.
f. Transmission to government authorities
We transfer personal data to government authorities (including law enforcement agencies) if this is necessary to fulfill a legal obligation to which we are subject (legal basis: sentence 1 of Art. 6(1)(c) of the GDPR) or if it is necessary for asserting, exercising or defending legal claims (legal basis: sentence 1 of Art. 6(1)(f) of the GDPR).
g. Duration of storage
We do not store your data longer than we need it for the respective processing purposes. If the data is no longer required for fulfillment of contractual or legal obligations, it will be regularly deleted, unless its temporary storage is still necessary. Reasons for this could be, for example, the following:
- Fulfillment of commercial law and tax law retention obligations
- Obtaining evidence for legal disputes within the statutory limitation periods
Likewise it is also possible for us to continue to store your data in our facilities if you have given your express consent.
h. Categories of data
- Personal master data: Title, form of address/gender, first name, last name, date of birth, position
- Address data: Street, house number, address extensions (if applicable), postcode, city, country
- Contact data: Telephone number(s), fax number(s), e-mail address(es)
- Organisation data (only in the case of organisation consulting projects): Area of activity/location/business unit
- Registration data: Information about the service through which you have registered; times and technical information concerning registration, confirmation and cancellation; data provided by you when you registered
- Access data: Date and time of the visit to our service; the page from which the accessing system came to our site; pages accessed during use; session ID data; also the following information about the accessing computer system: Internet protocol address used (IP address), browser type and version, device type, operating system, and similar technical information.
- Application data: Curriculum vitae, references, supporting documents, work samples, certificates, photos
- Data according to Art. 9 of the GDPR: Health data
This section describes how we process your personal data when you access our services. We would particularly like to point out that the transmission of access data to external content providers (see under b.) is unavoidable due to the technical functionality of information transmission on the internet.
a. Information on processing
Category of data: Access data
Purpose: Connection set-up, displaying the service’s contents, detecting attacks on our site by unusual activities, error diagnosis
Legal basis: Art. 6(1)(f) of the GDPR
Legitimate interest (if applicable): Proper function of services, security of data and business processes, preventing misuse, preventing damage caused by interference with information systems
Duration of storage: 7 days
b. Recipients of personal data
Recipient category: External content providers who provide content (such as images, videos, embedded posts from social networks, ad banners, fonts, update information) that is necessary to display the service
Affected data: Access data
Legal basis for the data transfer: Order processing (Art. 28 of the GDPR)
Legitimate interest (if applicable): Proper function of services, (accelerated) display of content
Recipient category: IT security service providers
Affected data: Access data
Legal basis for the data transfer: Order processing (Art. 28 of the GDPR)
Legitimate interest (if applicable): Preventing attacks that exploit weaknesses or gaps in security
Here we describe what happens with the personal data you provide when subscribing to our newsletter:
a. Information on processing
Category of data: E-mail address
Purpose: Registration verification (double opt-in), newsletter dispatch
Legal basis: Art. 6(1)(b) of the GDPR
Duration of storage: Duration of newsletter subscription
Category of data: Personal master data
Purpose: Customization of the newsletter
Legal basis: Art. 6(1)(b) of the GDPR
Duration of storage: Duration of newsletter subscription
Category of data: Registration data
Purpose: Traceability of newsletter subscription/confirmation/unsubscription
Legal basis: Art. 6(1)(b), (f) of the GDPR
Legitimate interest (if applicable): Evidence of newsletter subscription/confirmation/unsubscription
Duration of storage: Duration of newsletter subscription
Category of data: Newsletter user profile data
Purpose: Designing the newsletter to suit individual interests
Legal basis: Art. 6(1)(f) of the GDPR
Legitimate interest (if applicable): Improving our service, advertising purposes
Duration of storage: Duration of newsletter subscription
b. Recipients of personal data
Recipient category: Service provider for sending newsletters
Affected data: All data stated under a.
Legal basis for the data transfer: Order processing (Art. 28 of the GDPR)
Recipient category: Service provider for postal dispatch
Affected data: All data stated under a.
Legal basis for the data transfer: Order processing (Art. 28 of the GDPR)
Legitimate interest (if applicable): For transferring printed invitation cards, sending the winnings after taking part in competitions, or similar
During an ongoing application process, we process your personal data in the following manner:
a. Information on processing
Category of data: Address data, contact data
Purpose: Identification, contact initiation, communication regarding contract initiation
Legal basis: Art. 6(1)(b) of the GDPR
Duration of storage: 6 months
Category of data: Personal master data
Purpose: Identification, contact initiation, age check
Legal basis: Art. 6(1)(b) of the GDPR
Duration of storage: 6 months
Category of data: Application data
Purpose: Applicant selection
Legal basis: Art. 6(1)(b) of the GDPR
Duration of storage: 6 months
b. Recipients of personal data
Recipient category: Responsible office
Affected data: All data stated under a.
Legal basis for the data transfer: Art. 6(1)(b) of the GDPR
Here we describe how we process your personal data when you contact our Client Services team:
a. Information on processing
Category of data: Personal master data, contact data, content of queries/complaints
Purpose: Processing customer queries and user complaints
Legal basis: Art. 6(1)(b), (f) of the GDPR
Legitimate interest (if applicable): Customer retention, improving our service
Duration of storage: For processing the query
b. Recipients of personal data
Recipient category: Counsellors/law firm
Affected data: Personal master data, contact data, content of queries/complaints
Legitimate interest (if applicable): Processing customer queries and user complaints
The following information describes how we process your personal data when you undergo a psychosocial risk assessment at the Fürstenberg Institute.
a. Information on processing
Category of data: Employee lists
Purpose: Implementing the psychosocial risk assessment within the scope of quantitative surveys
Legal basis: § 4 of the German Safety and Health at Work Act (ArbSchG)
Legitimate interest (if applicable): Sending e-mails to employees in companies, with a link to an employee survey
Duration of storage: Length of the project
Category of data: Participation lists for workshops
Purpose: Implementing the psychosocial risk assessment within the scope of quantitative surveys or steering committee meetings
Legal basis: See above
Duration of storage: See above
b. Recipients of personal data
Recipient category: Responsible office
Affected data: All data stated under a.
The following information describes how we process your personal data when you are interested in our services or when a customer relationship exists.
a. Information on processing
Category of data: Personal master data, address data, contact data
Purpose: Interested parties/acquisition: preparing an offer, arranging personal acquisition meetings
Legal basis: Art. 6(1)(a), (b) of the GDPR
Legitimate interest (if applicable): Prerequisite for a possible customer relationship to come about
Duration of storage: For as long as an interactive exchange takes place, or provided there is no objection from the interested party
Category of data: Personal master data, address data, contact data
Purpose: Existing customers: agreeing the starter package, customer concerns, complaints, contract creation and management, arranging appointments
Legal basis: Art. 6(1)(a), (b) of the GDPR
Legitimate interest (if applicable): Prerequisite for fulfilment of the contract, good customer care and maintenance of the customer relationship
Duration of storage: Duration of the customer relationship
b. Recipients of personal data
Recipient category: KabelDruck (service provider for custom flyers)
Affected data: Address data, personal master data (name, title)
Legal basis for the data transfer: Order processing (Article 28 of the GDPR)
Legitimate interest (if applicable): Delivery of starter package (custom flyers)
Below, we describe how your personal data is processed using tracking technologies to analyse and optimise our services as well as for promotional purposes.
The description of the tracking process also includes information on how you can contest or prevent data processing. Please note that any “opt out” decision regarding processing is generally saved in the form of cookies. If you use our services via a new end device or a different browser, or if you delete the cookies saved to your browser, you will have to opt out again.
These tracking processes only process personal data in pseudonymised form. No connection is made with a specific, identified natural person, i.e. the data is not combined with information about the person behind the pseudonym.
a. Tracking to analyse and optimise our services and their use as well as measure the success of advertising campaigns and optimise the display of advertising
(1) Purposes of processing
Analysing user behaviour using tracking lets us review the effectiveness of our services, optimise them and adapt them to suit user needs as well as rectify errors. Furthermore, it facilitates the establishing of key values regarding the use of our services (reach, usage intensity, user behaviour) in a statistical manner, based on uniform standard processes, providing us with comparable values across the market.
Tracking to measure the success of advertising campaigns serves to optimise our advertising in the future and let advertisers also suitably optimise their advertisements. Tracking to optimise the display of advertising intends to show users advertising to suit their interests, increasing the success of advertising and therefore advertising income.
(2) Legal basis of the processing
For services that explain the behaviour of affected parties on the internet and for the creation of user profiles, informed consent in the sense of the GDPR is required.
(3) Individual tracking processes used
Name of service: Google Analytics
Function: Web analysis
Possibility to opt out: tools.google.com/dlpage/gaoptout?hl=de
Data transfer outside the EU? No
Name of service: Google AdWords
Function: Web analysis
Possibility to opt out: tools.google.com/dlpage/gaoptout?hl=de
Data transfer outside the EU? No
Name of service: Google Remarketing
Function: Marketing
Possibility to opt out: https://support.google.com/ads/answer/7395996?hl=de
Data transfer outside the EU? No
If you would like to opt out of interest-based advertising, you can also go to http://www.youronlinechoices.com, click on ‘Preference Management’ and follow the instructions to prevent the use of data for interest-based advertising by all or a selection of the service providers listed there. You will continue to receive non-interest-based advertising.
III. Rights of those affected (data subjects)
If we process your personal data for direct marketing purposes, you have the right to object at any time, with future effect, to the processing of personal data concerning yourself for the purpose of such advertising.
You also have the right to object at any time, for reasons arising from your particular situation, with future effect, to the processing of personal data concerning yourself, which is carried out in accordance with Art. 6(1)(e) or (f) of the GDPR.
You can exercise your right to object free of charge.
You can contact us using the contact details provided under I.2.
You have the right to know whether we process personal data affecting you, what personal data this is, and other information in accordance with Art. 15 of the GDPR.
You have the right to demand that we correct incorrect personal data affecting you (Art. 16 of the GDPR). Taking the purpose of processing into account, you have the right to demand that incomplete personal data be completed – even in the form of a supplementary explanation.
You have the right to demand that we immediately delete all personal data affecting you, insofar as one of the reasons in Art. 17(1) of the GDPR applies and processing is not necessary for one of the purposes outlined in Art. 17(3) of the GDPR.
You have the right to demand the limitation of the processing of your personal data if one of the requirements outlined in Art. 18(1)(a) to (d) of the GDPR applies.
You have the right to receive personal data affecting you as provided by you in a structured, standard machine-readable format. Furthermore, you have the right to transfer this data to another responsible authority without hindrance from us, or to have it transferred directly by us insofar as is technically possible. This should always be the case if data processing is based on consent or a contract and the data is processed automatically. This does not apply to data only received in paper form.
If processing is based on consent issued by you, you have the right to revoke your consent at any time. The lawfulness of any processing up to the point of revocation shall remain unaffected.
You have the right to complain to a supervisory body.
IV. Glossary
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Browser: Computer program for displaying websites (e.g. Chrome, Firefox, Safari)
Cookies: In connection with the World Wide Web, a cookie describes a small text file that is stored locally on the user’s computer when visiting a website. This file stores data about the user’s behaviour. If the browser is called up and the corresponding website is visited repeatedly, the cookie is used and gives the web server information about the user’s surfing behaviour using the stored data.
In this context, cookies are information that a website stores locally on the visitor’s computer in a small text file. This can be settings already made by the user on a page, but also information that the website has collected completely independently from the user. Later, these locally stored text files can be read out again by the same web server from which they were created. Most browsers automatically accept cookies. You can manage cookies using the browser functions (usually under “Options” or “Settings”). As a result, the storage of cookies can be deactivated, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.
Non-member countries: Countries that are not bound to the legal requirements of the EU Data Protection Directive (countries outside the EEA)
Personal data: Any information relating to an identified or identifiable natural person. Identifiable refers to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Pixels: Pixels are also called tracking pixels, web beacons or web bugs. These are small, invisible graphics in HTML e-mails or on web pages. When a document is opened, this small image is loaded from a server on the Internet, where the downloading is recorded. This allows the server operator to see if and when an e-mail has been opened or a website visited. This function is usually implemented by calling up a small program (JavaScript). This allows certain types of information on your computer system to be recognized and passed on, such as the content of cookies, the time and date of page accesses, and a description of the page on which the tracking pixel is located.
Profiling: Any form of automated processing of personal data consisting of the use of that personal data to evaluate certain personal aspects related to a natural person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Services: Our services to which this privacy policy applies (see Scope).
Tracking: The collection of data and its evaluation regarding the behaviour of visitors to our services.
Tracking technologies: Tracking may be done through the activity logs (log files) stored on our web servers or through data collection from your device via pixels, cookies and similar tracking technologies.
Processing: Any operation or set of operations that is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or any other form of provision, alignment or combination, restriction, erasure or destruction.