Privacy policy
A. Information on the collection of personal data
In the following, we provide information about the processing of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour. In this way, we would like to inform you about our processing operations and at the same time fulfil our legal obligations, in particular those arising from the EU General Data Protection Regulation (GDPR).
The controller pursuant to Art. 4 (7) GDPR is
Allstein GmbH
Bunsenstraße 24
32052 Herford
represented by the managing director Gordon Whitelaw, ibid.
Phone: 05221/6949922
Mail: christian.fugazzaro@allstein.com
You can reach our data protection officer at:
Christian Fugazzaro c/o Allstein GmbH
Bunsenstrasse 24
32052 Herford
Phone: 05221/6949922
Mail: christian.fugazzaro@allstein.com
or our postal address with the addition ‘the data protection officer’.
If we use contracted service providers for individual functions of our offer or would like to use your data for advertising purposes, we will always carefully select and monitor these service providers and inform you in detail below about the respective processes. In doing so, we also specify the defined criteria for the storage period.
B. Principles for the processing of personal data, Art. 5 GDPR
1. Scope of the processing of personal data
We only process personal data of our users if this is necessary to provide a functional website and our content and services, if there is a legitimate interest, or if the processing is carried out with the user's consent.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
When processing personal data that is necessary for the fulfilment of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
3. Data erasure and storage duration
The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
4. Explanations
a. Data processing agreement (DPA)
If personal data is processed by a provider on our behalf, the conclusion of a DPA is required in accordance with Art. 28 GDPR. This is a contract prescribed by data protection law, which guarantees that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
b. Revocation
If you have given your consent to data processing in accordance with Art. 6 para. 1 lit. a GDPR, you can revoke this consent at any time vis-à-vis the controller, Art. 7 para. 3 GDPR. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
c. EU-US Data Privacy Framework
This is an agreement on data exchange between the European Union and the United States of America. It safeguards the rights of data subjects whose data is processed in the USA. There is an adequacy decision by the European Commission within the meaning of Art. 45 GDPR, according to which an adequate level of protection has been established. Providers can submit to self-certification. If certification is obtained, the data transfer to this US provider is covered by the adequacy decision.
C. Information in accordance with Art. 13 GDPR
1. Your rights
You have the following rights vis-à-vis the controller from A) with regard to the personal data concerning you:
- Right of access,
- Right to rectification or erasure,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability.
You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us. The contact details are:
State Commissioner for Data Protection and Freedom of Information
North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Telephone: 0211/38424-0
E-Mail: poststelle@ldi.nrw.de
2. Provision of the website and log files
a. Hosting
We host the content of our website with the following provider:
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
32339 Espelkamp
When you visit our website, the provider collects various log files including your IP addresses. Details can be found in the provider's privacy policy: https://www.mittwald.de/datenschutz.
The provider is used on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible.
b. Order processing
We have concluded a data processing agreement with the above-mentioned provider.
c. Encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator.
You can recognise an encrypted connection by the fact that the address line of the browser changes from ‘http://’ to ‘https://’ and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
d. Log files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- browser type and browser version
- operating system used
- referrer URL
- host name of the accessing computer
- time of the server request
- the IP address
This data is not merged with other data sources.
This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - the server log files must be recorded for this purpose.
3. Contact form and making contact
When you contact us by e-mail or via a contact form, the data you provide will be stored by us in order to answer your questions. If the enquiry is assigned to a contract, we delete the data collected in this context after the contract period has expired, otherwise after storage is no longer required, or restrict processing if there are statutory retention obligations. Depending on the type of enquiry, the legal basis is our legitimate interest in responding to your enquiry quickly and effectively in accordance with Art. 6 para. 1 lit. f GDPR or the implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR. If the enquiry can be assigned to an existing contract, the legal basis is the fulfilment of the contract pursuant to Art. 6 para. 1 lit. b GDPR.
4. Processing of data from your end devices
In addition to the above-mentioned data, we use technical aids for various functions when you use our website, in particular cookies, which can be stored on your end device. When you access our website and at any time thereafter, you have the choice of whether you generally allow cookies to be set or which individual additional functions you would like to select. You can make changes in your browser settings or via our Consent Manager. In the following, we first describe cookies from a technical point of view before going into more detail about your individual options by describing technically necessary cookies and cookies that you can voluntarily select or deselect.
Cookies are text files or information in a database that are stored on your hard drive and assigned to the browser you are using so that certain information can flow to the location that sets the cookie. Cookies cannot run programmes or transmit viruses to your computer, but are primarily used to make the website faster and more user-friendly. This website uses the following types of cookies, whose function and legal basis are explained below:
Transient cookies: Such cookies, especially session cookies, are automatically deleted when the browser is closed or when you log out. They contain a so-called session ID. This allows various requests from your browser to be assigned to the joint session and your computer can be recognised when you return to our website.
Persistent cookies: These are automatically deleted after a specified period, which varies depending on the cookie. You can view the cookies set and the duration at any time in the settings of your browser and delete the cookies manually.
Other technologies: These functions are not based on cookies, but on similar technical mechanisms, such as Flash cookies, HTML5 objects or an analysis of your browser settings. As a result, we can also use the technologies described below. Here, too, you can of course consent or object.
Mandatory functions that are technically necessary to display the website: The technical structure of the website requires us to use technologies, in particular cookies. Without these technologies, our website cannot be displayed (completely correctly) or the support functions could not be enabled. These are basically transient cookies that are deleted at the end of your website visit, at the latest when you close your browser. You cannot deselect these cookies if you wish to use our website. The individual cookies can be seen in the Consent Manager.
Optional cookies if you give your consent: We only set various cookies after you have given your consent, which you can select on your first visit to our website via the so-called cookie consent tool. The functions are only activated if you give your consent and can be used in particular to enable us to analyse and improve visits to our website, to make it easier for you to use different browsers or end devices, to recognise you when you visit us again or to place advertising (possibly also to tailor advertising to your interests, measure the effectiveness of advertisements or show interest-oriented advertising). The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a GDPR.
You can withdraw your consent at any time without this affecting the lawfulness of processing up to the point of withdrawal.
The functions we use, which you can select and revoke individually via the Consent Manager, are described below.
a. Consent Manager
We use the ‘Cookiebot’ service from the provider Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, to obtain consent to the data processing of website users and their administration.
The following data is processed: shortened IP address, date and time of consent, browser information, anonymous and random encrypted key as proof of consent.
The key and consent status are stored for 12 months by the cookie ‘CookieConsent’. The data is then deleted.
The legal basis for this processing is our legal obligation to provide proof of consent given (from Art. 7 para. 1 GDPR) in accordance with Art. 6 para. 1 lit. c GDPR.
b. Lead Forensics
On our website, we use the Lead Forensics marketing tool from the provider of the same name with the address 4 Old Park Lane, Mayfair, London W1K 1QW, United Kingdom, to identify companies that visit our website. The purpose of using cookies is to acquire new customers, maintain existing customer relationships and for recruiting purposes.
No cookies are used by the provider. Only your IP address is transmitted to the provider when you visit our website, who then compares it with their own databases. In this register, the provider processes data about companies, the company owners and employees of these persons. Personal data may include business IP addresses, names, email addresses or LinkedIn profiles. If a match is found, the provider makes the associated company data available to us. We also receive information about which of our websites you have visited and how long you stayed there. If no hit is obtained, the IP address is deleted by the provider.
The legal basis for the processing is your freely revocable consent pursuant to Art. 6 para. 1 lit. a GDPR. You can give your consent by selecting the relevant entry or all entries in our Consent Manager. We store the data obtained by the provider until you withdraw your consent or until the purpose is no longer applicable.
The provider acts as a processor and we have concluded a DPA. The provider provides further information on data protection at: https://www.leadforensics.com/data-compliance/.
c. Campaign Monitor
We use the Campaign Monitor service of the provider Campaign Monitor Pty Ltd, Level 38/201 Elizabeth St, Sydney NSW 2000, Australia, to send emails, track and analyse them and to manage email addresses.
The purpose of the processing is to send your enquiries to our employees via the contact forms on our website and to send messages to applicants.
The provider processes your email addresses on servers in the USA, Germany and Australia. The provider uses this information to send and analyse the newsletter on our behalf. In addition, the provider enables the technical and visual optimisation of the email messages and the identification of the countries of origin of email recipients. The provider has undertaken to comply with the provisions of the GDPR and has taken extensive data security measures to this end. The provider provides information on this: https://www.campaignmonitor.com/trust/privacy-hub/.
The legal basis for the processing is your freely revocable consent pursuant to Art. 6 para. 1 lit. a GDPR. We store the data obtained by the provider until you revoke your consent or until the purpose is no longer applicable.
The provider acts as a processor and we have concluded a DPA. The provider provides further information on data protection at: https://www.campaignmonitor.com/policies/
d. Vimeo
We use plug-ins from the video portal Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA.
When you visit one of our pages equipped with a Vimeo plug-in, a connection to the provider's servers is established. Vimeo will be shown which of our data you have viewed and what your IP address is, regardless of whether you are logged in to Vimeo or have registered an account with Vimeo.
The information collected in this way is transmitted to the Vimeo server located in the USA. For these cases, Vimeo has, according to its own information, imposed a standard that corresponds to the EU-US Privacy Framework and has promised to comply with applicable data protection laws when transferring data internationally. We have also agreed so-called standard contractual clauses with Vimeo, the purpose of which is to maintain an appropriate level of data protection in the third country.
If you are also logged in with your video account while visiting our website, Vimeo can assign the data collected in this way to your individual user account. You can prevent this by logging out of your account.
The legal basis is our legitimate interest in an appealing presentation of our website in accordance with Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Further information can be found in Vimeo's privacy policy at: https://vimeo.com/privacy.
e. Use of Google Ads
We use Google Ads to draw attention to our offers with the help of advertisements. If you access our website via a Google ad, Google Ads will store a cookie on your device. The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a GDPR, i.e. the integration only takes place with your consent.
The advertising material is delivered by Google via so-called “ad servers”. For this purpose, we and other websites use so-called ad server cookies, through which certain parameters for measuring success, such as the display of ads or clicks by users, can be measured. We can obtain information about the success of our advertising campaigns via the Google Ads cookies stored on our website. These cookies are not intended to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that a user no longer wishes to be addressed) are usually stored as analysis values for this cookie.
The cookies set by Google enable Google to recognize your internet browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer can recognize that the user clicked on the ad and was redirected to this page. A different cookie is assigned to each Ads customer so that the cookies cannot be tracked via the websites of other Ads customers. By integrating Google Ads, Google receives the information that you have accessed the relevant part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out your IP address and store it.
Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We ourselves do not independently collect personal data in the aforementioned advertising measures, but only provide Google with the opportunity to collect the data. We only receive statistical evaluations from Google, which provide information on which ads were clicked on how often and at what prices. We do not receive any further data from the use of the advertising material; in particular, we cannot identify users on the basis of this information.
You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. The easiest way to withdraw your consent is via our Consent Manager or via the following functions:
a) by setting your browser software accordingly; in particular, the suppression of third-party cookies means that you will not receive any ads from third-party providers;
b) by setting your browser to block cookies from the domain “www.googleadservices.com”, www.google.de/settings/ads, whereby this setting is deleted when you delete your cookies;
c) by deactivating the interest-based ads of the providers that are part of the “About Ads” self-regulation campaign via the link www.aboutads.info/choices, whereby this setting is deleted when you delete your cookies;
d) by permanently deactivating them in your Firefox, Internet Explorer or Google Chrome browsers via the link www.google.com/settings/ads/plugin. We would like to point out that in this case you may not be able to use all functions of this website to their full extent.
The provider also processes data in the USA. The USA is generally an unsafe third country. However, the provider is an active participant in the EU-US Data Privacy Framework, which sets out rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46 II, III GDPR, which are intended to ensure that data processing is aligned with European standards. The EU Commission has assessed these clauses in an implementing decision as appropriate safeguards for the transfer of personal data to the USA.
Further information on data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, can be found here: www.google.com/intl/de/policies/privacy and services.google.com/sitestats/en.html.
5. Our presence in social networks
We have various presences on social media platforms. We operate these sites with the following providers:
- Facebook (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, represented by Richard Kelly; https://www.facebook.com/privacy/policy/; Our presence: https://de-de.facebook.com/people/Allstein/100064203546942/)
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, represented by Keith Ranger Dolliver, Benjamin Orndorff, James O'Connor, Henry Chi-Ning Fong, Mark Legasp; https://www.linkedin.com/legal/privacy-policy; Our presence: https://de.linkedin.com/company/allstein-gmbh)
- Xing (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany/ New Work Networking Spain SL, Consell de Cent, 334-336, 1º 1ª, 08009 Barcelona, Spain/ New Work XING AG, Pfingstweidstrasse 106e, 8005 Zurich, Switzerland, Management Board: Petra von Strombeck (Chairwoman), Ingo Chu, Frank Hassler; Chairman of the Supervisory Board: Martin Weiss; https://privacy.xing.com/de/datenschutzerklaerung; Our presence: https://www.xing.com/pages/allstein-gmbh)
- YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, represented by Elizabeth M. Cunningham, David M. Sneddon, Vanessa Hartley, Colin Goulding, Amanda Storey; https://policies.google.com/privacy?hl=de; Our presence: https://www.youtube.com/channel/UCWzzq8r4K_KAxHvb39HYFqQ)
We use the technical platform and services of the providers for these information services. We would like to point out that you use our presence on social media platforms and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). When you visit our websites, the providers of the social media platforms collect, among other things, your IP address and other information that is stored on your device in the form of cookies. This information is used to provide us, as the operator of the accounts, with statistical information about the interaction with us.
The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA. The providers Meta, Google and LinkedIn are active participants in the EU-US Data Privacy Framework, for which the European Commission has determined an adequate level of protection within the meaning of Art. 45 GDPR.
We do not know how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or whether you visit the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your end device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device can be used to track how you have moved around the network. Buttons integrated into websites enable the platforms to record your visits to these websites and assign them to your respective profile. This data can be used to tailor content or advertising to you. If you wish to avoid this, you should log out or deactivate the “stay logged in” function, delete the cookies on your device and restart your browser.
As the provider of the information service, we also only process the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can only answer by e-mail, we will store your information in accordance with the general principles of our data processing, which we describe in this privacy policy. The legal basis is our legitimate interest in the advertising and presentation of our company in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
To exercise your rights as a data subject, you can contact us or the provider of the social media platform. If one party is not responsible for responding or must receive the information from the other party, we or the provider will then forward your request to the respective partner. Please contact the operator of the social media platform directly if you have any questions about profiling and the processing of your data when using the website. If you have any questions about the processing of your interaction with us on our website, please write to the contact details provided by us above.
What information the social media platform receives and how it is used is described by the providers in their privacy policies (see link in the table above). There you will also find information about contact options and the settings options for advertisements. Further information on social networks and how you can protect your data can also be found at www.youngdata.de.
6. Online application
You have the option of applying to us online using the contact form at https://www.allstein.com/karriere/#initiative. In doing so, we collect your e-mail address and all other personal data provided by you, such as your name, details of your educational background, the desired field of activity, application documents such as CV and reference documents and the message sent. The purpose of the processing is to process your application and subsequently contact you.
The legal basis for processing is pre-contractual measures relating to your application in accordance with Section 26 (1) BDSG in conjunction with Art. 6 para. 1 lit. b, Art. 88 GDPR.
If an employment relationship is not concluded, we process the applicant data to protect our legitimate interest in a defense against legal claims and to secure evidence within the meaning of Art. 6 para. 1 lit. f. GDPR.
We delete your applicant data at the latest at the end of the third year after completion of the application process, subject to statutory retention obligations or processing rights that go beyond this.