Privacy - English version is for reference only, German contract is legally binding
I. Introduction and terms
We process personal data with the operation of our website with the URL https://granny.de and https://granny.co (hereinafter referred to as “website”). These are treated confidentially by us and processed in accordance with the applicable laws – in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). With these data protection provisions, we want to inform you which personal data we collect from you, for what purposes and on what legal basis we use them and, if necessary, to whom we disclose them. In addition, we will explain to you which rights you have to protect and enforce your data protection.
Our data protection regulations contain technical terms that are in the GDPR and the BDSG. For your better understanding, we want to explain these terms in simple terms in advance:
2.1 Personal data
“Personal data” is all information that relates to an identified or identifiable person (Art. 4 No. 1 GDPR). Details of an identified person can e.g. B. the name or the e-mail address. Personal data are also data for which the identity is not immediately apparent, but can be determined by combining your own or third-party information and thus finding out who it is. A person is z. B. by providing your address or bank details, your date of birth or user name, your IP address and / or location data. Relevant here is all information that in any way allows conclusions to be drawn about a person.
Art. 4 No. 2 GDPR defines “processing” as any process in connection with personal data. This applies in particular to the collection, recording, organization, arrangement, storage, adaptation or modification, reading, querying, use, disclosure, transmission, dissemination or any other form of provision, comparison or linking , the restriction, the deletion or the destruction of personal data.
II. Responsible and data protection officer
Responsible for data processing is:
Company: Granny GmbH (“we”)
Legal representative: Dora Osinde; Saghar Munz; Moritz Preisser; Philip Hohn (Managing Director)
Address: Prinzenstrasse 84.1
Telephone: +49 30 609 821 880
4. DATA PROTECTION OFFICER
We have appointed an external data protection officer for our company. You can reach him at:
Dachauer Str. 65
Telefon: 089 / 7400458 40
III. Processing framework
5. PROCESSING FRAMEWORK: WEBSITE
As part of the website, we process the personal data from you listed in detail in Section IV. We only process data from you that you actively provide on the website (e.g. by filling out forms) or that you automatically provide when using our offer.
Your data will only be processed by us and will not be sold, loaned or passed on to third parties. If we use the help of external service providers to process your personal data, this is done as part of what is known as order processing, in which we, as the client, are authorized to give instructions to our contractors. To operate our website, we use external service providers for hosting as well as for maintenance and servicing. We host our website at the external provider Domainfactory (domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany) in the data center in Strasbourg, France. If further external service providers are used for individual processing listed in Section IV., They will be named there.
A data transfer to third countries does not take place by us and is also not planned. We will inform you about exceptions to this principle in the processing operations set out below. Any data transfer to third countries then takes place on the basis of the so-called EU standard contractual clauses.
IV. The processing in detail
6. PROVISION OF THE WEBSITE AND SERVER LOGFILES
6.1 Description of processing
Each time the website is accessed, we automatically collect information that your browser transmits to our server. These are the following data:
The browser software used, as well as its version and language
the website from which the visitor came to the website (so-called referrer)
the subpages called up on the website
the date and time the website was accessed
Internet service provider
Country and place from which a user visited the website
These are also stored in the so-called log files of our system. The temporary storage of your IP address by the system is necessary in order to be able to deliver our website to the end device of a user. To do this, the user’s IP address must be saved for the duration of the session. The IP address is only recorded in the log files shortened by the last three digits.
The processing is carried out to enable the website to be accessed and to ensure its stability and security. In addition, the processing serves the statistical evaluation and improvement of our online offer.
6.3 Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the person responsible (Art. 6 Para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in Section 6.2.
6.4 Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended. The log files are deleted after […] days.
7. COOKIES AND OTHER TRACKING TECHNOLOGIES
7.1 Description of processing
Which cookies are used on our website for which purpose, how long they are stored on your device and which consents you may have already given can be found in the settings of the consent tool https://de.borlabs.io/borlabs-cookie / remove .
7.3 Legal basis
The processing is necessary with regard to technically required cookies and the use of the consent tool to safeguard the overriding legitimate interests of the person responsible (Art. 6 Para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in Section 7.2. When processing with regard to all other – i.e. not technically necessary cookies / tracking technologies – the legal basis is consent (Art. 6 Para. 1 lit. a GDPR). Such consent is voluntary.
7.4 Storage period, revocation of consent
If third-party cookies are used, data may be transmitted to the corresponding providers of these third-party services. Under certain circumstances, data may also be transmitted to third countries outside the European Union or the European Economic Area. We provide information about the recipients of data as well as third-country transfers in the settings of the consent tool or in the corresponding passage on the third-party service in these data protection provisions.
8. CONTACT BY E-MAIL
8.1 Description of processing
You can also contact us via the e-mail addresses provided on the website. To contact us, you can write to us via the e-mail address provided on the website. In this case, the personal data transmitted with the e-mail will be processed by us.
The data transmitted with and in your e-mail will be used exclusively for the purpose of processing and responding to your request.
8.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 8.2. If the e-mail contact is aimed at the conclusion or fulfillment of a contract, the data processing is carried out for the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR).
8.4 Storage period
We delete the data as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case when the respective communication with you has ended. The communication is terminated when it can be inferred from the circumstances that your concern has been conclusively clarified. If legal retention periods prevent deletion, the data will be deleted immediately after the expiry of the legal retention period.
9. SOCIAL NETWORKS
9.1 Description of processing
Our website does not use any so-called social media plugins. The logos of Facebook, Instagram, LinkedIn and Youtube displayed on our website are only linked to the corresponding profiles of our company on the social networks. A data transfer to the social networks does not take place with the integration of the logos. If you click on one of the logos, you will only be redirected to the external website of the respective social network.
However, data processing is represented by our profiles within the social networks. If you are logged in to the respective social network when you visit such a profile, this information is assigned to your user account there. If you interact with our profile, eg comment on a post, “share”, “like” or “retweet”, this information will also be saved in your user account. Your interactions with our profile can usually also be viewed by us.
On the social networks Facebook and Instagram, we have the option of receiving statistical data on the use of our Facebook page or our Instagram profile via the so-called “Insights” function. These statistics are provided by Facebook and Instagram. The “Insights function” is not indispensable. We cannot decide to turn this feature on or off. It is available to all Facebook fan page operators and all operators of an Instagram business account, regardless of whether you use the Insights function or not.
The following data is made available to us via Facebook Insights for a selectable period in anonymous form with regard to fans, subscribers, people reached and interacting people: total number of page views, “likes” information including origin, page activities, post interactions, Reach, post reach (divided into organic, viral and paid interactions), comments, shared content, responses and demographic evaluations, i.e. country of origin, gender and age. With the Insights statistics, it is not possible for us to identify subscribers and fans of our site and to view their profiles.
Furthermore, the Instagram Insights provides us with data in anonymous form about the development and range of our Instagram profiles, as well as the posts, stories and videos we have posted there. In Instagram Insights, we also receive statistical information on the place of origin, gender and age of the subscribers to our Instagram profile.
The so-called “Insights” function on the LinkedIn social network enables us to receive statistical data on the use of our LinkedIn profile.
The social networks with which you communicate save your data using pseudonyms as usage profiles and use them for advertising purposes and for market research. For example, you can see advertisements within the social network and on other third-party websites that correspond to your presumed interests. For this purpose, cookies are usually used, which the social network stores on your device. You have the right to object to the creation of these user profiles, which you must contact the social networks directly to exercise.
We maintain profiles on the aforementioned social networks for the purpose of public relations and corporate communication with customers and interested parties. We use the “Insights” function of Facebook and Instagram to evaluate the reach of our posts on the social network and to make them more appealing for our visitors in the future.
9.3 Legal basis
The legal basis for data processing in the context of our profiles on social networks is the safeguarding of our predominant legitimate interests (Art. 6 Para. 1 lit.f GDPR). Our legitimate interest lies in the purpose stated in Section 9.3. If you are asked for your consent by the respective operator of a social network, the legal basis is Article 6 (1) (a) GDPR. The data processing takes place with regard to our presences on Facebook, Instagram and LinkedIn otherwise on the basis of a joint responsibility according to Art. 26 GDPR.
9.4 Recipients and transmission to third countries
The respective social networks are operated by the companies listed below. Further information on data protection with regard to our profile on the social networks can be found in the linked data protection provisions.
Youtube: YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. YouTube / Google data protection provisions: https://www.google.com/policies/privacy/partners/?hl=de.
The social networks also process your personal data in the USA.
10. GOOGLE ANALYTICS
10.1 Description of processing
The processing takes place in order to be able to evaluate the use of our website. The information obtained in this way is used to improve and tailor our online presence to requirements.
10.3 Legal basis
The processing takes place on the basis of a consent according to Art. 6 Para. 1 lit. a GDPR. We obtain this via the consent tool (see section 7.1). Such consent is voluntary.
10.4 Storage duration and right of objection, revocation of consent
We have explained the storage duration and your control and setting options for cookies in Section 7.4. You can revoke the consent you have given with regard to Google Analytics at any time in the settings of the consent tool with effect for the future. Alternatively, you can object to data processing by Google Analytics at any time by downloading and installing the browser add-on offered by Google at https://tools.google.com/dlpage/gaoptout?hl=de . The analysis data processed and stored with Google Analytics will be automatically deleted by us after 14 months.
10.5 Recipients and transfers to third countries
According to the German data protection supervisory authorities (data protection conference), Google Analytics is jointly responsible for data processing for us. With this in mind, we have also concluded the “Google Measurement Controller-Controller Data Protection Terms” with Google. Google also processes your personal data in the USA.
11. GOOGLE WEBFONTS
11.1 Description of processing
Our website uses “Google Web Fonts”, a font replacement service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). With Google Web Fonts, the standard fonts on your device are exchanged for fonts from the Google catalog when our website is displayed. If your browser prevents the integration of Google web fonts, the text on our website will be displayed in the standard fonts of your device. The Google fonts are loaded directly from a Google server. In order for this to happen, your browser sends a request to a Google server. This means that your IP address may also be transmitted to Google in connection with the address of our website. However, Google Webfonts does not store any cookies on your device. According to Google, data that is processed as part of the Google Webfonts service is transferred to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. You will not be associated with data that may be related to the use of other Google services such as the search engine of the same name or Gmail. Further information on data protection at Google Webfonts can be found at https://developers.google.com/fonts/faq?hl=de-DE&csw=1. General information on data protection at Google is available at https://policies.google.com/privacy?hl=de-DE .
The processing takes place in order to be able to show you the text of our website in a more legible and aesthetically appealing way.
11.3 Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the person responsible (Art. 6 Para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in Section 11.2.
11.4 Recipients and transmission to third countries
By using Google web fonts, personal data may be transmitted to Google. Google also processes your personal data in the USA.
12.1 Description of processing
Our website uses services from “YouTube”, a video platform operated by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”). YouTube is represented by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. We use YouTube by embedding individual videos from the platform on our website as so-called iFrames so that they can be played directly on our website. The videos are integrated in the “extended data protection mode” offered on YouTube, i. H. no personal data will be transferred from you to Google as long as you do not play the videos. Data is only transferred to Google when a video is played, over which we have no influence. If you play an embedded video on a subpage of our website, it is transmitted to Google which subpage you visited and which video you viewed. Your IP address may also be sent to Google. If you are logged in as a YouTube or Google user, Google will assign this information to your user account. Google saves your data as a usage profile and uses it for advertising purposes, for market research and / or to tailor the Google website to your needs. You have a right to object to the creation of these user profiles, which you must contact Google directly to exercise. Further information on data protection at Google can be found at www.google.com/intl/de-DE/policies/privacy/.
The processing takes place in order to be able to show you videos on our website.
12.3 Legal basis
The processing takes place on the basis of a consent according to Art. 6 Para. 1 lit. a GDPR. This is obtained by us using the “Borlabs” consent tool (see section 7.1) or as part of a content blocker at the point on our website where a YouTube video is to be displayed. Such consent is voluntary.
12.4 Revocation of consent
You can revoke your consent to display YouTube videos on our website at any time in the settings of the consent tool […] with effect for the future.
12.5 Recipients and transmission to third countries
By integrating YouTube, personal data may be transmitted to YouTube LLC or Google. Google also processes your personal data in the USA.
13.1 Description of processing
Our website uses plugins from “Spotify”, an audio streaming platform operated by Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm, Sweden. You can find an overview of the Spotify plugins at: https://developer.spotify.com We use Spotify by embedding individual audio files, albums or playlists from the platform on our website as so-called iFrames so that they can can be played as a stream on our website. When you visit a subpage of our website on which a Spotify plug-in is embedded, a connection to the Spotify servers is established and the plug-in is displayed on our website. This will tell Spotify which website you have visited. If necessary, your IP address will also be transmitted to Spotify. When you play an embedded audio file, album or playlist, this information is also passed on to Spotify. If you are logged in as a Spotify user, Spotify will assign this data to your user account. If you do not want Spotify to be able to assign your visit to our website to your Spotify user account, please log out of your Spotify user account. Further information on data protection at Spotify can be found at https://www.spotify.com/de/legal/privacy-policy
The processing takes place in order to be able to integrate playable audio files, albums or playlists from Spotify on our website.
13.3 Legal basis
Processing takes place on the basis of consent in accordance with Article 6 (1) (a) GDPR. This is obtained by us using the “Borlabs” consent tool (see section 7.1) or as part of a content blocker at the point on our website where a Spotify plug-in is to be displayed. Such consent is voluntary.
13.4 Revocation of consent
You can revoke your consent to the display of Spotify plugins on our website at any time in the settings of the consent tool […] with effect for the future.
13.5 Recipients and transmission to third countries
By using the Spotify service, personal data may be transmitted to Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm, Sweden. Spotify also processes this data on servers outside the EU.
14. GOOGLE MAPS
14.1 Description of processing
Our website uses “Google Maps”, a service for displaying maps from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). We use Google Maps by including a map with our business address on our website. The map is loaded directly from a Google server. In order for this to happen, your browser sends a request to a Google server. This means that your IP address may also be transmitted to Google in connection with the address of our website. However, Google Maps does not store any cookies on your device. If you are logged in to Google when visiting our site, Google Maps will assign this information to your Google user account. Google stores your data as a usage profile and uses it for advertising purposes, for market research and / or to tailor the Google website to your needs. You have the right to object to the creation of these user profiles, which you must contact Google directly to exercise. Further information on data protection at Google can be found at https://policies.google.com/privacy?hl=de-DE.https://policies.google.com/privacy?hl=de-DE.
The processing takes place in order to be able to show you an interactive map on our website.
14.3 Legal basis
Processing takes place on the basis of consent in accordance with Article 6 (1) (a) GDPR. This is obtained by us using the “Borlabs” consent tool (see section 7.1) or as part of a content blocker at the point on our website where an interactive map is to be displayed. Such consent is voluntary.
14.4 Revocation of consent
You can revoke your consent to the display of Google Maps maps on our website at any time in the settings of the consent tool https://de.borlabs.io/borlabs-cookie/ with effect for the future.
14.5 Recipients and transmission to third countries
Google also processes your personal data in the USA.
15. PROCESSING OF APPLICANT DATA
15.1 Description of processing
We process the data you provide in connection with your application in order to assess your suitability for the position (or other open positions in our company, if applicable) and to carry out the application process. Overall, this involves general data about you (such as your name, address and contact details), information about your professional qualifications and school education, information about professional training, knowledge and skills, as well as other information that you disclose to us in connection with your application. This is usually done through letters of application, resumes, references, correspondence, telephone or verbal statements from you.
We would like to evaluate all applicants only according to their qualifications and therefore ask you to refrain from disclosing “special categories of personal data” according to Art. 9 of the General Data Protection Regulation in your application if possible (e.g. a photo that reveals ethnic origin, information about severely disabled status, etc.). If your application contains such information, please send us a corresponding declaration of consent, otherwise your application cannot be considered.
If your application is successful, we will include your data in your personnel file and use it to carry out and terminate your employment.
If we are currently unable to offer you employment, we will continue to process your data after sending the rejection in order to defend ourselves against any legal claims, in particular due to alleged discrimination in the application process.
If you are not selected for the vacant position, we will transfer your data to our applicant pool – provided we have your consent to do so.
The processing is carried out to carry out the application procedure, to decide on the establishment of an employment relationship with us and to document compliance with legal requirements in the application procedure.
15.3 Legal basis
Data processing in connection with the application procedure has its legal basis in Section 26 (1) sentence 1 BDSG and Art. 6 para 1 lit. b GDPR. If your application is successful, further data processing will be carried out in accordance with Art. 6 Para. 1 lit. b GDPR in conjunction with Art. 88 Para. 1 GDPR in conjunction with Section 26 Para. 1 BDSG for the purpose of establishing, implementing and terminating the employment relationship. If you have given your consent, e.g. for the inclusion of your data in our applicant pool, the data processing is based on Art. 6 para 1 lit. a GDPR. Incidentally, the legal basis for data processing after a rejection is Art. 6 para 1 lit. f GDPR. Our legitimate interest is the defense against legal claims.
15.4 Storage period
If your application is successful, your data will be transferred to your personnel file and deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after sending the rejection letter. If we transfer your data to our applicant pool after completion of the application process, we will delete it from the applicant pool in the event of subsequent establishment of an employment relationship or otherwise two years after inclusion.
15.5 Recipients of your data, transfer of data to third parties and transfer to third countries
Your applicant data will be viewed by the HR department after receipt of your application. Suitable applications are then forwarded internally to the department managers for the respective open position. The further procedure is then coordinated. In principle, only those persons in the company have access to your data who require it for the proper conduct of our application process. As a matter of principle, data is not passed on to third parties. Likewise, no data is transferred to third countries, nor is this planned.
The data transmitted in the context of your application will be transferred via TLS encryption and stored in a database. This database is operated by Personio GmbH, which offers personnel administration and applicant management software (https://www.personio.de/impressum/). Personio acts as a service provider for us within the scope of order processing. Further information on data protection at Personio can be found at: https://www.personio.de/datenschutzerklaerung/.
V. Safety measures
16. Safety measures
In order to protect your personal data from unauthorized access, we have provided our website with an SSL or TLS certificate. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security” and encrypts the communication of data between a website and the user’s device. You can recognize the active SSL or TLS encryption by a small lock logo that is displayed on the far left in the address line of the browser.
VI. Your rights
17. Affected Rights
With regard to the data processing by our company described above, you have the following rights of data subjects:
17.1 Information (Art. 15 GDPR)
You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR under the conditions specified in Art. 15 GDPR.
17.2 Correction (Art. 16 GDPR)
You have the right to request us to correct any incorrect personal data concerning you and, if necessary, to complete incomplete personal data.
17.3 Deletion (Art. 17 GDPR)
You have the right to request that we delete personal data relating to you immediately if one of the reasons detailed in Art. 17 GDPR applies, e.g. B. if your data is no longer required for the purposes we pursue.
17.4 Restriction of data processing (Art. 18 GDPR)
You have the right to demand that we restrict processing if one of the conditions listed in Art. B. If you dispute the accuracy of your personal data, the data processing will be restricted for the period that enables us to check the accuracy of your data.
17.5 Data portability (Art. 20 GDPR)
You have the right, under the conditions set out in Art. 20 GDPR, to request the surrender of your data in a structured, common and machine-readable format.
17.6 Revocation of consent (Art. 7 Para. 3 GDPR)
You have the right to revoke your consent at any time for processing that is based on consent. The revocation applies from the time of its assertion. In other words, it works for the future. The revocation of the consent does not make the processing illegal retrospectively.
17.7 Complaint (Art. 77 GDPR)
If you are of the opinion that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You can assert this right with a supervisory authority in the EU member state of your place of residence, your place of work or the place of the alleged infringement.
17.8 Prohibition of automated decisions / profiling (Art. 22 GDPR)
Decisions that have legal consequences for you or significantly affect you may not be based solely on automated processing of personal data – including profiling. We inform you that we do not use any automated decision-making including profiling with regard to your personal data.
17.9 Right to object (Art. 21 GDPR)
If we process your personal data on the basis of Art. 6 Para. 1 lit.f GDPR (to safeguard overriding legitimate interests), you have the right, under the conditions listed in Art. 21 GDPR to object to this. However, this only applies if there are reasons that arise from your particular situation. After an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for processing that outweigh your interests, rights and freedoms. We also do not have to stop processing if it serves to assert, exercise or defend legal claims. In any case – regardless of a particular situation – you have the right to object at any time to the processing of your personal data for direct mail.
As of november 2021