Data Protection Kursana

A. General provisions

Dussmann Stiftung & Co. KGaA and its affiliates (hereinafter “Dussmann”) take protecting your personal data very seriously and comply with the provisions of the laws on data protection and privacy. Personal data are processed only within the scope necessary for the specific purpose. Our employees have undertaken an obligation to maintain confidentiality and secrecy and to comply with the provisions of data protection and privacy law in accordance with the statutory provisions.

This text explains what information we collect and how this information is used. The text that follows is intended to provide you with information on the purposes for which your data are processed and how you can exercise your rights. You can access and print the Data Protection and Privacy Statement at any time via the “Data Protection” tab at the bottom of each page.

1. Controller

The controller responsible for data processing is:

Dussmann Stiftung & Co. KGaA
Friedrichstraße 90
10117 Berlin, Germany

A list of affiliates is available at https://www.dussmanngroup.com/verbundene-unternehmen/. To the extent that you contact our affiliates directly, via the website or otherwise, this company is the controller.

Contact details for our data protection officer:

Dussmann Stiftung & Co. KGaA
Data Protection Officer
Friedrichstraße 90
10117 Berlin, Germany

datenschutzbeauftragter @remove-this.dussmann.de
Phone +49 30 2025-0

2. Personal data

“Personal data” means any information relating to an identified or identifiable natural person (for example, your real name, address, or phone number).

“Special categories of personal data” are a specially protected subgroup of personal data described in Article 9 of the General Data Protection Regulation (GDPR). These include data concerning health and biometric data.

In principle, we collect personal data from you directly unless you grant your consent in another way. We process the personal data transmitted electronically by you as well as information that we collect in writing or electronically during your use of our website or during phone conversations with our employees. This takes place only within the scope of performing and managing our services and based on the contact forms filled out by you or other correspondence.

3. Access of third parties to your personal data

We process personal data ourselves and, unless we have expressly ruled this out, also through other affiliates of the Dussmann Group or service provider companies we have commissioned. In the latter two cases, we will ensure that affiliates and/or service provider companies comply with the relevant statutory provisions on data protection and privacy and the obligations arising from this Data Protection and Privacy Statement.

We do not disclose personal data without your consent except to government agencies that are entitled to information and if we are obligated by law or under a court order to do so (point (c) of Article 6(1) GDPR).

Disclosure may also take place pursuant to point (f) of Article 6(1) GDPR where this is necessary for the establishment, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data.

Your data are also disclosed to third parties to the extent that this is permissible by law and necessary pursuant to point (b) of Article 6(1) GDPR for the performance of contracts with you.

4. Recipients of the personal data

Within the scope of the statutory authorities, your personal data may be disclosed in particular to the following categories of recipients:

  • Web analytics service providers
  • IT service providers that process data within the scope of provision of services (for example, for IT maintenance activities, hosting service providers)
  • Document and data destruction service providers, printing service providers
  • Marketing and sales service providers
  • Newsletter and logistics service providers
  • Suppliers of things like materials and services
  • Payment service providers
  • Credit bureaus and collection agencies
  • Authorized dealers
  • Certified accountants and auditors, tax advisors, advising and consulting firms, insurance companies
  • Other Dussmann companies, if this is necessary in conjunction with an offer, a call for tenders, or preparations for, implementation or finalization of the business relationship
  • Courts, government agencies, legal advisors or arbitral tribunals, to the extent that this is necessary in order to comply with applicable law or for the establishment, exercise or defense of legal claims
  • Cooperation partners

Some internal recipients within the group of companies are based in third countries (non-EU countries). Within the group of companies, Dussmann ensures, within the scope of contracts under the law of data protection and privacy based on the standard EU data protection clauses, that your personal data are adequately protected on the recipient’s end as well.

The legal basis for the transfer of data within the group of companies is point (f) of Article 6(1) GDPR. The sharing of data within the group for internal administrative purposes constitutes a legitimate interest (recital 48 of the GDPR). 

Before we transfer your information to third parties, we take suitable measures to ensure that recipients undertake an obligation to comply with applicable data protection and privacy laws and maintain the secrecy of personal data. Where necessary, transmission of data takes place within the scope of an agreement on the processing of data on behalf of another party in order to ensure that data are processed only for the intended purpose and adequate security measures are ensured.  

B. Data processing as a result of visiting our Web pages

1. Categories of data; purposes of and legal basis of data processing

When you visit our Web pages and/or enter into a contract with us via the website, we process your personal data. This processing may include the following data:

  • Last name, first name
  • Address
  • Company name
  • e-mail address
  • Phone/fax number
  • Date and time of inquiry
  • Content of request (specific page)
  • Access status / http status code
  • Volume of data transferred in each case
  • Website from which the request originates
  • Browser type and version
  • Language and version of the browser software
  • IP address and Internet service provider
  • Operating system
  • In the case of mobile devices, possibly the manufacturer/type designation
  • Good/service
  • Bank and credit card information
  • Data on health/care
  • Message/information in the text field

We process these data in order to operate the Web pages (points (b) and (f) of Article 6(1) GDPR), to perform and finalize the contract (point (b) of Article 6(1) GDPR), and for our own advertising purposes (if you grant your consent pursuant to point (a) of Article 6(1) GDPR or on the basis of our legitimate interests pursuant to point (f) of Article 6(1) GDPR). Furthermore, we use these data to fulfill our statutory obligations toward the German state and federal authorities (such as the Finanzamt (Revenue Office) (point (c) of Article 6(1) GDPR). To enter into a contract with you, we require at least your last name and first name and possibly your address in order to identify you uniquely. We are unable to perform the contracts in question without this information. If you voluntarily provide us with additional information at your own request, we process this information on the basis of point (f) of Article 6(1) GDPR.

2. Logfiles

When you visit our pages, we temporarily store the connection data by default for purposes of system security and stability, to ensure smooth establishment of connections by the website, and for further administrative purposes.

The access logs of the Web servers log which pages have been accessed at what times. They contain the following data: IP address, date, time, pages accessed, logs, status code, data volume, referrer, user agent, host name accessed. The IP addresses are truncated before storage. The truncated IP addresses are erased after 60 days.

Error logs, which log errors that have occurred when pages are accessed, include not only the error messages, but also the IP address accessing the page and, depending on the error, the website accessed. Error logs, which log errors that have occurred when pages are accessed, are erased after seven days.

Access via FTP is logged with pseudonymized information on the user name and IP address. These data are erased after 60 days.

The mail logs for sending e-mails from the Web environment are anonymized after one day. During anonymization, all data on the sender/recipient, etc., are removed. All that remains are the data on the time of sending and the information on how the e-mail was processed (queue ID or not sent). These data are erased after 60 days.

The IP address is used exclusively to the extent that this is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Legitimate interests include the analysis of the data on the use of our website, pursuit of legal claims, investigation of criminal acts, and maintenance of our IT security systems.

The processing takes place on the basis of point (f) of Article 6(1) GDPR. Our legitimate interest arises from the above-listed purposes of collection of data.

3. Contact form

When you use a contact form on our Web pages, the information you provide is processed. This may include not only your contact information (including title, sex, last name, first name, address, phone number, e-mail), but also data on health (including care needs, degree of care) and information on your request or comment and your interest in our services. In addition, you can let us know how you heard about Kursana. The data you provide will be used exclusively to contact you and for purposes of advising. 

The data processing for the purpose of making contact and providing advice takes place pursuant to point (a) of Article 6(1) GDPR on the basis of your voluntarily granted consent. In the event that you withdraw your consent, we will erase your data without delay. To the extent that your inquiry is aimed at entry into a contract, the legal basis is point (b) of Article 6(1) GDPR.

To the extent that special categories of personal data (such as data on health pursuant to Article 9(1) GDPR) are processed, the processing takes place on the basis of your consent pursuant to point (a) of Article 9(2) GDPR. In the event that you withdraw your consent, we will erase your data without delay.

You are not obligated to provide information on your care needs in the contact form. However, if you use the contact form, separate consent is required.

4. Cookies, tracking pixels and similar technologies

“Cookies” are small text files, and tracking pixels are small image files, that make it possible to store specific information on your device (PC, laptop, tablet, smartphone or similar) while you visit one of our websites (hereinafter collectively referred to as “cookies”). Cookies help us determine how frequently our websites are used and by what number of users and to make our offerings as comfortable, convenient, and efficient as possible for you. We use both session cookies and persistent cookies on our websites.

It is also possible to use our offerings without cookies. You can deactivate the storage of cookies in your browser, restrict it to certain websites, or adjust your browser settings in such a way that your browser notifies you as soon as a cookie is transmitted. If you do this, however, please note that you should expect the website to be restricted in terms of visual display and user guidance.

The data processed by cookies are necessary for the above-mentioned purposes in order to pursue our legitimate interests and those of third parties. The processing takes place on the basis of point (f) of Article 6(1) GDPR.

5. Google Analytics

We use Google Analytics, a Web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics makes it possible to generate statistics regarding website use and the sources thereof. The cookies are stored for two years. We use Google Analytics exclusively for statistical purposes, such as to track how many users have clicked on a certain element or a certain piece of information.

The legal basis is our legitimate interests in measuring the reach of our informational offerings in cooperation with our service providers (point (f) of Article 6(1) GDPR) and creating pseudonymous use profiles regarding the use of our website by the visitors to our informational offerings.

Google Analytics is based on cookies. It collects information on your use of our website, including your IP address. To prevent website visitors from being identified based on their IP addresses, we use a special code to ensure that your IP address is disclosed only in truncated, and thus anonymized, form. It is no longer possible to identify individual users based on this truncated IP address. For further information on data protection and privacy in the case of Google Analytics, please click here: https://support.google.com/analytics/answer/2700409?hl=en&ref_topic=2611283.

You can prevent the collection and transfer of data to Google by downloading and installing the plugin available via the following link: https://tools.google.com/dlpage/gaoptout. You can also adjust the settings at https://adssettings.google.com/anonymous?hl=en-GB&sig=ACi0TCgjQOtZZmsnhor-F-jUaLKUXPozB-azrbC60G1nlIid6ZBXp9mJfsSLCyW2C06i4JsWIeRrQw2CyV7laWP2gtjISjDTv8QM7RXXbZBM5xM64a1uc or via the deactivation page operated by NAI (Network Advertising Initiative) at http://www.networkadvertising.org. Finally, you can prevent the storage of cookies via your browser’s general settings.

The term of storage of user and event data associated with cookies, user IDs, and advertising IDs that has been agreed with Google is 14 months.

General information on Google: The information collected by Google Analytics is transferred to Google LLC, which is based in the United States. Further information on data protection and privacy at Google is available at https://policies.google.com/privacy?hl=de.

6. Use of Google Maps

This website uses Google Maps to display maps and generate driving directions. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Our legitimate interest in the use of Google Maps consists in providing visitors with information about our sites. The legal basis for the data processing described is point (f) of Article 6(1) GDPR.

The cooperation with Google from the standpoint of data protection and privacy law takes place on the basis of a contract entered into with regard to the parties’ joint status as controllers pursuant to Article 26 GDPR, which is accessible at the following URL: https://cloud.google.com/maps-platform/terms/maps-controller-terms/.

When subpages where Google Maps is incorporated are accessed, information on your use of our website (such as your IP address) is transferred to servers of Google and stored there.  As part of this process, personal data may also be transferred to the servers of Google LLC in the United States. In the event of transfer of personal data to Google LLC, which is based in the United States.

In the event that you do not agree to the future transfer of your data to Google, you can entirely deactivate the Google Maps Web service by turning off the JavaScript application in your browser. It will then no longer be possible to use Google Maps, and thus the map display feature on our website.

7. Google Ads / Ads conversion tracking

We use Google Ads and Google Ads conversion from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) in order to measure the efficiency of individual ads, offers, and functions. To this end, a cookie is placed as soon as you click on a Google ad. This cookie is not used for personal identification. Instead, it is intended to allow us to determine whether you return to the website within the cookie’s 30-day term of validity for that specific offer. The information we receive from the conversion cookie serves to generate conversion statistics for Google Ads customers that have chosen to use conversion tracking. We determine the total number of users who have clicked on an ad and been redirected to a website with a conversion tracking tag.

The legal basis is our legitimate interests in measuring the efficiency of individual ads, offerings, and functions of our information offerings in cooperation with our service providers (point (f) of Article 6(1) GDPR) and creating pseudonymous use profiles regarding the use of our website by the visitors to our informational offerings.

You can prevent the collection and transfer of data to Google by preventing corresponding technical settings from being selected in your browser. However, please note that if you do this, you may not be able to use all of the functions of this website in full. You can also adjust your advertising settings with Google. To do this, please visit https://support.google.com/ads/answer/7395996?hl=de and deactivate personalized ads. Please note that these settings may not be effective on all of your devices and in all of your browsers. Further information is also available at https://support.google.com/ads/answer/2662922?hl=de.

Within the scope of the use of Google Ads, personal data may also be transferred to the servers of Google LLC in the United States.

8. Use of Facebook fan pages

We operate what are known as “fan pages” on Facebook. These are websites that are offered on the Facebook platform in order to present ourselves as a company and connect with others, such as customers and prospective customers.

 

Joint status of controller with Facebook

We share the status of controller with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for the phase involving collection and use for statistical preparation of your data; the processing takes place when you visit our fan page. The information below is provided to comply with our obligation to provide information within the scope of our joint status as controllers. When you visit our fan page, personal data are processed by Facebook, including in the form of your IP address and further information present on your device in the form of cookies. This applies both to visitors who have a Facebook account and those who are not registered with Facebook. To find out specifically which data are processed, please see the information about page insights data provided by Facebook: https://www.facebook.com/legal/terms/information_about_page_insights_data

The results of this processing are then provided to us, as the operator of the fan page, by Facebook in aggregated, statistical, and anonymized form as user statistics.

The data about you collected in this context are processed by Facebook Ireland Ltd. and may be transferred to countries outside the European Union in the process. Facebook describes which data Facebook processes for further purposes of its own in its data policy, accessible via the following link: https://de-de.facebook.com/policy.php. This page also contains information on ways to contact Facebook and how to adjust your ad settings. We have no influence over this further processing of data by Facebook. Facebook is the sole controller responsible for the processing of such personal data in conjunction with visits to fan pages that do not fall under our shared status as controllers.

Please note that data from the collection phase are also disclosed to bodies in the United States, and thus outside the European Union.

If you visit our fan page while you are logged in to Facebook as a user, a cookie containing your Facebook ID will be placed on your device. This allows Facebook to track that you have visited our fan page and how you used it. This also applies to all other Facebook pages. If you wish to prevent this, you should log out of Facebook or deactivate the “stay logged in” function, erase the cookies present on your device, and close and relaunch your browser.

In the agreement entered into with us (accessible at https://www.facebook.com/legal/terms/page_controller_addendum), Facebook agrees to assume primary responsibility as a controller pursuant to the GDPR for the processing of what are known as “insights data” and to fulfill all obligations arising from the GDPR with regard to the processing of these insights data. We do not make any decisions regarding the processing of insights data or any other information arising from Article 13 GDPR. For the key points of the agreement, please visit https://www.facebook.com/legal/terms/information_about_page_insights_data.

Should you wish to exercise a right to which you are entitled as a data subject (for information on these rights, please see Sec. E.3 below) pursuant to the GDPR, please note that we may not be able to fulfill these rights in full on our own. It would therefore definitely be more effective for you to contact Facebook directly. Facebook provides information on your rights with regard to page insights here: 

https://www.facebook.com/legal/terms/information_about_page_insights_data.

With regard to page insights and our joint status as controllers with Facebook, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. For information on how you can exercise your right to object, please visit 

https://www.facebook.com/legal/terms/information_about_page_insights_data.

Should you still need help, please feel free to contact us. We will then forward your inquiry to Facebook to the extent that it relates to insights data.

The processing of personal data of visitors serves to provide the fan page and for purposes of statistical analysis of the use of our fan page. This analysis takes place on an anonymized basis for us. The legal basis for the data processing is point (f) of Article 6(1) GDPR. Our legitimate interests with respect to the collection of personal data when you visit the fan page and to the preparation of statistical analyses are: communication and interaction with potential customers and customers; distributing information about our company; anonymized analysis and depiction of the use of the fan page and creation of pseudonymous use profiles regarding the use of our website by the visitors to our informational offerings.

 

Our sole responsibility as controller

In addition to the foregoing, we process data from your use of the fan page that you voluntarily provide (for example in a comment) for the purpose of responding to your inquiries and communicating with you and to publish information regarding the content offered on the fan page or information belonging to us. The legal basis for processing is point (f) of Article 6(1) GDPR and, to the extent that an inquiry concerns entry into a contract, point (b) of Article 6(1) GDPR. The legitimate interest consists in effectively providing information to users, customers, and potential customers and communicating with these persons.

You are welcome to contact us and assert the rights to which you are entitled as a data subject toward us to the extent that the matter concerns the data we process on our own responsibility as the controller. However, to the extent that your rights concern processing that takes place purely within Facebook’s sphere of responsibility as the controller, please note in advance that the options available to us in the event that your rights are exercised are limited to referring you to the appropriate bodies of Facebook.

9. Use of YouTube

We use the provider YouTube to present videos to you, which is also our legitimate interest. YouTube is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis for the use of YouTube plugins is Art. 6 para. 1 lit. f) DS-GVO. We use embedded YouTube videos in extended privacy mode. According to YouTube this means the following: YouTube does not store cookies for a user who views a website with an embedded YouTube video player but does not click on the video to start playback. When the YouTube video player is clicked, YouTube may store cookies on the user's device (PC, laptop, tablet, smartphone, or similar), but we do not store personally identifiable cookie information for embedded video playback. Google also processes your personal data in the USA. Further information on data protection at Google is available at https://policies.google.com/privacy?hl=en.

C. Data processing within the cooperative relationship with business partners

The processing of data within our cooperative relationships with business partners is subject to the then-applicable data protection and privacy statements for business partners of the individual companies of the Dussmann Group. A list of affiliates is available at https://www.dussmanngroup.com/verbundene-unternehmen/.

D. Data processing within the application process

Application processes are subject to the then-applicable data protection and privacy statements for application processes of the individual companies of the Dussmann Group. A list of affiliates is available at https://www.dussmanngroup.com/verbundene-unternehmen/.

E. Further information

1. Duration of data of storage

Where no express duration of storage is stated when the data are collected (for example within the scope of a declaration of consent) or within this Data Protection and Privacy Statement, personal data are erased to the extent that they are no longer necessary in order to fulfill the purpose for which they are stored, except where statutory storage obligations (such as obligations of storage under commercial and tax law) conflict with the erasure thereof.

To the extent that we store personal data exclusively to fulfill storage obligations, these data are typically blocked, with the result that access thereto is possible only if it is necessary with an eye to the purpose of the obligation of storage.

2. Security

We take all necessary technical and organizational security measures to protect your personal data from loss and abuse. Your data are stored in a secure operational environment that is not accessible to the public. SSL or TLS encryption is used on all websites. Your data are encrypted directly during transfer. For security reasons, we will refrain from providing any further information here.

3. Rights of data subjects

Withdrawal of consent

To the extent that you have granted your consent to the processing of personal data, you can withdraw it at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, we will erase the data in question without delay to the extent that there is no legal basis for processing thereof that does not require consent that can be used as the basis for further processing. You can send your withdrawal to hotline @remove-this.dussmann.de or datenschutzbeauftragter @remove-this.dussmann.de, or, alternatively, by mail to Dussmann Stiftung & Co. KGaA, Friedrichstraße 90, 10117 Berlin, Germany.

Further rights

You can assert your rights toward the national branch of the Dussmann Group in your country in each case. For the names and addresses of the controller responsible in each case, please see the list of affiliates at https://www.dussmanngroup.com/verbundene-unternehmen/ or the legal notice of the relevant national branch.

You have the right to obtain from the relevant controller within the Dussmann Group confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to these personal data and the specific information enumerated in Article 15 GDPR.

You have the right to obtain from the relevant controller without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed (Article 16 GDPR).

You have the right to obtain from the relevant controller the erasure of personal data concerning you without undue delay where one of the specific grounds enumerated in Article 17 GDPR applies, for example if the data are no longer needed for the purposes pursued (right to erasure).

You have the right to obtain from the relevant controller restriction of processing where one of the prerequisites enumerated in Article 18 GDPR applies, for example if you have lodged an objection to the processing.

You have the right to receive the personal data concerning you that you have provided to us in a commonly used and machine-readable format and the right to have the relevant controller transmit those data to another controller (right to data portability, Article 20 GDPR) to the extent that this is feasible in technical terms.

If your personal data have been transferred to a country outside the EU that does not provide an appropriate level of protection, we typically enter into a contract that ensures appropriate protection of personal data. In addition, we use standard data protection clauses accessible via the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. The controller will then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).

You can object to the use of your data for direct marketing purposes at any time without any further considerations.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Article 77 GDPR). You can exercise this right with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. For example, the supervisory authority with jurisdiction over Dussmann Stiftung & Co. KGaA in Berlin is the Berlin State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Berlin), Friedrichstr. 219, 10969 Berlin, Germany. You can also contact a different supervisory authority at any time. For the relevant controllers responsible in your Member State outside Germany, you can contact the authority with jurisdiction there.

An overview of further national and international data protection authorities is available here.

4. Changes to this Data Protection and Privacy Statement

To ensure that the information we provide on data protection and privacy is always in keeping with the current statutory specifications, we reserve the right to make changes at any time. This also applies in the event that the information on data protection and privacy requires adjustment due to new or revised offerings or services.

Should you have any questions or suggestions concerning this Data Protection and Privacy Statement, please feel free to contact us. We are delighted that you entrust your data to us.

Last updated: October 07, 2020


 
Privacy policy for printing
Privacy policy for printing
View file