Privacy policy

I. Foreword

FORMAT Software Service GmbH (hereinafter also referred to as “FORMAT” or “we” or “us”) is pleased that you are visiting our website / web presence. We respect your privacy. Data protection and data security are therefore very important to us. With this privacy policy, we inform you about the extent to which personal data (hereinafter also referred to as “data”) is collected when you use our website and the purposes for which we use / process this data. We also inform you here about your rights.

II. Status, changes and updates to the privacy policy

In order to enable the implementation of new technologies and measures and to ensure that our privacy policy always complies with legal requirements, we occasionally adapt it. We therefore ask you to inform yourself regularly about the content of our privacy policy. We will inform you as soon as the changes require an act of co-operation on your part (e.g. consent) or other individual notification.

Status: 6 September 2024 | Ver.: 01.02 | Classification: 01 – PUBLIC

III. Basic definitions of terms

“Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

“Recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

“Personal data”: Refers to all information (hereinafter also referred to as “data”) that relates to an identified or identifiable natural person (hereinafter also referred to as “data subject”) (e.g. surname, first name, email address, IP address, etc.).

“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

IV. Person responsible

FORMAT Software Service GmbH
Robert-Bosch-Straße 5
63303 Dreieich
Germany
Phone: +49 6103 9309-0
Email: datenschutz@formatsoftware.de
Register court: Offenbach
Register number: HRB 32191

V. External data protection officer

wavesun-technologies
Patrick Bäcker (Owner wavesun-technologies)
Am Lerchenberg 13
63322 Rödermark
Germany
Phone: +49 6074 3709395
Email: info@wavesun-technologies.de

VI. Legal basis for the processing

We process the aforementioned personal data in compliance with the applicable statutory data protection requirements, in particular in accordance with the following legal bases of the General Data Protection Regulation (“GDPR”):

a. On the basis of your consent (Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, if special categories of personal data are processed in accordance with Art. 9 para. 1 GDPR)

If you give us your consent, we will process your personal data for certain previously defined purposes. Your voluntarily granted consent can be revoked at any time – even partially – with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

b. For the fulfilment of contractual obligations or for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR)

We process your personal data so that we can fulfil our contractual obligations to provide services or to carry out pre-contractual measures that are carried out on request.

c. Due to legal obligations (Art. 6 para. 1 lit. c GDPR)

We are subject to various legal obligations, which means legal requirements (e.g. retention periods under commercial and tax law in accordance with the German Fiscal Code and the German Commercial Code) according to which we must process your personal data.

d. In the context of the legitimate interest/balancing of interests (Art. 6 para. 1 lit. f GDPR)

We process your personal data to protect our legitimate interests or, if necessary, those of a third party, unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail.

e. National data protection regulations (BDSG and TDDDG)

In addition to the provisions of the GDPR, national regulations apply in Germany, including in particular the Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG). These contain special data protection regulations at national level according to which we process your data.

VII. Safety measures (TOMs)

The security of your personal data is our top priority. In accordance with legal requirements and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we take appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk to your personal data.

The measures we take (in accordance with Art. 32 GDPR) include, in particular, safeguarding the confidentiality, integrity and availability of data. We ensure this through regular checks on physical and electronic access to data, access, input, disclosure and securing the availability and separation of and access to data. We have also set up procedures to ensure that the rights of data subjects are exercised, data is deleted and we respond to data threats. We already take the protection of your personal data into account when selecting hardware, software and the introduction of new processes that affect personal data, through technology design and through data protection-friendly default settings (in accordance with Art. 25 GDPR).

Our security measures include in particular the encrypted transmission of data between your browser and our server via SSL / TLS encryption (HTTPS). You can recognise the encrypted connection by the prefix https:// and the lock in the address bar of your browser.

VIII. Technical provision

a. Nature and purpose of processing

To ensure the secure and efficient provision of our website, we use our own servers for hosting. However, we also use service providers in the areas of hosting, marketing services and programming to design our website on a case-by-case basis, who are obliged to maintain confidentiality and/or with whom corresponding contracts, such as order processing contracts (“AV contract”) in accordance with Art. 28 Para. 3 GDPR or standard contractual clauses in accordance with Art. 46 Para. 2 lit. c GDPR are concluded. Corresponding service providers are regularly checked by us as proof of data protection.

When visiting our website, data is processed from all visitors as part of the provision of the above-mentioned hosting, which is generated during communication with our servers, as well as when contacting us directly and when downloading files and playing videos. This includes, in particular, your IP address, which is technically necessary for establishing a connection. Further data is collected by us (or any (hosting) service providers commissioned by us) as so-called server log files (access log data of our servers – see also “Data categories”). They are processed in particular for the following purposes:

• Ensuring a smooth connection to the website,
• Ensuring the smooth use of our website,
• Evaluation of system security (e.g. for defence against DDoS attacks “cyber attacks”) and system stability and
• for further administrative purposes.

b. Legal basis for data processing

The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in ensuring the security and functionality as well as improving the stability of our website.

c. Data categories

IP address used (for the functionality of the connection to the website), date and time at the time of access, sub-page visited, amount of data sent in bytes, browser used, operating system used and its interface, operating system used and its interface.

d. Receiver

Recipients of the data are in particular internal employees of the marketing department and the internal IT department as well as any service providers used for the operation, maintenance and design of our website. Our website is hosted on local servers.

e. Storage periods

The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

The server log files are deleted regularly (usually after 14 days; other log files are deleted for longer depending on the purpose). Should the above-mentioned security-relevant events occur, we reserve the right to retain this data for longer for the above-mentioned purposes within the scope of our legitimate interest. If the stated purpose is achieved, the data will be deleted after a reasonable period of time.

f. Requirement to provide your personal data

The provision of the aforementioned personal data is neither legally nor contractually required. However, without the transmission of your IP address, the service and functionality of our website or access to it cannot be guaranteed. In addition, individual services may not be available or may be restricted.

g. Third country transfers

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

IX. Use of cookies and similar technologies

a. Nature and purpose of processing

Wie viele andere Websites verwenden wir auch so genannte „Cookies“.

Like many other websites, we also use so-called “cookies”.

Cookies are simple files that store information about our website and your use of it. These small files are optionally created automatically by your browser when you use our website and stored locally on your end device. This does not mean that we have direct knowledge of your identity. The use of cookies serves to make the use of our website more pleasant for you.

We therefore distinguish between technically necessary and non-essential cookies:

Technically necessary cookies (“first party cookies”) are required for the operation of a website and are essential in order to navigate it and use its functions. These cookies are not stored permanently on your computer or device and are deleted when you close the browser. These are so-called “session cookies” or “session cookies”.

Information on the technically necessary cookies used can be found in the cookie consent tool under “Details”.

Non-essential cookies, on the other hand, are mostly functional cookies, analysis and performance cookies as well as marketing cookies, which make it possible, for example, to record and count the number of visitors and traffic sources in order to measure and improve the performance of the website. They are also used to find out whether problems or errors occur on certain pages, which pages are the most popular and how visitors navigate the website.

• Functional cookies
  Functional cookies are used to store information provided, such as the user name or language selection, and thus offer the website visitor improved and personalised functions based on this.
• Analysis and performance cookies
  Analysis and performance cookies are used to track visits and individual activities on websites. They are used to statistically record and analyse the use of websites.
• Marketing cookies
  Marketing cookies originate from external advertising companies, among others, and are used to collect information about the websites visited by the user, e.g. to create target group-oriented advertising for the user, but also to display external content such as videos, street maps or company profiles on social media platforms.

Information on the cookies that are not technically necessary can be found in the cookie consent tool under “Details”.

b. Legal basis for data processing

The use of technically necessary cookies (“first party cookies”) is possible without the consent of the website visitor and is subject to a legitimate interest in the economic operation and optimisation of our website and services within the meaning of Art. 6 para. 1 lit. f GDPR and § 25 para. 2 no. 2 TDDDG for the associated processing.

The use of non-essential cookies, such as functional cookies, analysis and performance cookies and marketing cookies, is subject to the consent of the website visitor in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG for the associated processing.

The cookie consent tool is used in accordance with Art. 6 para. 1 lit. c GDPR (legal obligation).

c. Data categories

• IP address
• Browser used
• Operating system used
• Session ID or value / content of the cookie
• For more information, see “Details” in the cookie consent tool

d. Receiver

Marketing department, FORMAT’s internal IT department and external service providers (see also “Details” in the cookie consent tool).

The cookie consent tool “Cookiebot” is operated by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.

e. Storage periods

The storage periods for the individual cookies and other technologies used can be found in the cookie consent tool under “Details”.

The user can also set their web browser so that the storage of cookies on their end device is generally prevented or they are asked each time whether they agree to the setting of cookies. Once cookies have been set, the user can delete them at any time. How this works is described in the help function of the respective web browser.

A general deactivation of cookies may lead to functional limitations of this website.

f. Requirement to provide your personal data

The provision of your personal data in cookies is voluntary in the case of non-essential cookies, solely on the basis of your consent (so-called opt-in cookies). You can also prevent the use of pre-set, technically necessary cookies (so-called opt-out cookies) via your browser settings. Without your consent, however, the service and functionality of our website cannot be guaranteed. In addition, individual services may not be available or may be restricted.

g. Third country transfers

The transfer and processing of your personal data also takes place in third countries for certain cookie categories (for further details, see “Details” in the cookie consent tool and in the privacy policy). By consenting to these certain cookie categories, you consent to the processing of the data stored on your device or terminal equipment, such as personal identifiers or IP addresses, for these processing purposes in accordance with Section 25 (1) TDDDG and Art. 6 (1) lit. a GDPR. In addition, you consent to providers in the USA also processing your data in accordance with Art. 49 para. 1 lit. a GDPR. In this case, it is possible that the transmitted data will be processed by local authorities.

h. Revocation of consent

You can change/revoke your consent at any time with effect for the future by clicking on the cookie consent tool button at the bottom left of the website. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

i. Automated decision-making and profiling

As a responsible company, we do not use cookies for automated decision-making or profiling.

j. Cookie Policy

Further details on the use of cookies and similar technologies can be found in our detailed cookie policy (link: https://www.formatsoftware.de/en/cookie-policy/)

X. Use of Matomo for reach measurement

a. Nature and purpose of processing

We use the “Matomo” tool/service on our website, an open source web analysis tool for the statistical evaluation of visitor access. So-called “device fingerprinting” (digital fingerprinting) is used for this purpose. This is a technology (usually unrecognisable to the user) that reads and collates information specific to end devices (such as device type, device performance, screen resolution, operating system, etc.). This creates a unique “device fingerprint”, which potentially changes on a regular basis. The “device fingerprint” is not stored on the end device and no cookies are set, which means that the creation of user profiles (in addition to the anonymisation of IP addresses) is not possible. Matomo is hosted on our own servers, so no data is transferred/disclosed to third parties. Cross-site device recognition is not possible due to local hosting and cookie-free use. Only we (authorised employees) have access to the analyses. The protection of your data is important to us, which is why we have also configured Matomo so that your IP address is only recorded in abbreviated form. We therefore process your personal usage data in anonymised form. It is not possible for us to identify you personally. Further information on the terms of use and data protection regulations of Matomo can be found at: https://matomo.org/privacy/.

We use the data for statistical analysis (reach measurement) of user behaviour on our website for the purpose of optimising the functionality and stability of the website and to improve the presentation of our products and services.

b. Legal basis for data processing

The legal basis for data processing is our legitimate interest in accordance with Article 6(1)(f) GDPR for the aforementioned purposes and in accordance with Section 25(2)(1) TDDDG. By anonymising the IP address, we take account of the user’s interest in the protection of personal data. The data is never used to personally identify the user of the website and is not merged with other data.

c. Data categories

Device type, device performance, screen resolution, operating system, anonymised IP address, etc.

d. Receiver

The recipients of the data are, in particular, internal employees of the marketing department, technical and specialist support and FORMAT’s internal IT department.

e. Storage periods

The data is deleted as soon as it is no longer required for our recording purposes. In our case, this is done automatically within Matomo after the following period: 3 months. As all data collected is
Privacy policy FORMAT Website (formatsoftware.de) Ver. 1.2 06.09.2024 | Page 9 of 23
processed exclusively in anonymised form, cumulative key figures may be stored for longer periods for internal statistics.

f. Requirement to provide your personal data

The provision of your personal data takes place as described above on the basis of our legitimate interest and the stated purposes.

g. Third country transfers

Although Matomo as the manufacturer is based in New Zealand, Matomo and all associated data is hosted locally on our own servers located in Germany, i.e. there is no connection / data transfer to Matomo. The processing therefore does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Cancellation option

Since no cookies are used in our Matomo configuration as described above and the IP address is anonymised, i.e. no data is stored on your device and we have no way of identifying you, it is currently not possible to object via an opt-out or similar.

i. Automated decision-making and profiling

With the help of the Matomo analysis tool, we collect and process all data anonymously as described above. Therefore, no personal user profiles are or can be created.

XI. Use of YouTube videos

Nature and purpose of processing

We embed YouTube videos on our website. When you visit a subpage with the YouTube plugin, a connection to YouTube/Google servers is established. YouTube/Google is informed which pages you visit. If you are logged into your YouTube/Google account, YouTube/Google can assign your surfing behaviour to you personally. You can prevent this by logging out of your YouTube/Google account beforehand. If a YouTube video is started, the provider uses cookies that collect information about user behaviour. Google stores your data as user profiles and uses them for the purposes of advertising, market research and/or customising its website. Such an analysis is carried out in particular (even for users who are not logged in) to provide customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right. Further information on the purpose and scope of data collection and its processing by YouTube/Google can be found in the provider’s privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy (https://policies.google.com/privacy).

b. Legal basis for data processing

The legal basis for the processing of personal data in connection with the embedding of YouTube videos is the consent of the data subject in accordance with Art. 6 para. 1 lit. a GDPR. The data subject gives their consent voluntarily after being fully informed about the purpose of the data processing and the associated risks and conditions via our cookie consent tool.

The consent of the data subject also includes the transfer of personal data to YouTube or Google in third countries, in particular to the USA. This transfer takes place on the basis of Art. 49 para. 1 lit. a GDPR.

c. Data categories

• IP address of the user: The IP address of the user is automatically transmitted to YouTube/Google. This data is technically necessary in order to deliver the content and ensure the functionality of the embedded videos.
• Usage data: Information that and how the data subject visits our website and uses the embedded videos (e.g. video views, playback time, click behaviour).
• Device information: Details of the device used, including device type, operating system, browser type, screen resolution and language settings.
• Cookies and similar technologies: YouTube uses various cookies and other technologies to collect information about user behaviour. These cookies may contain information such as a unique user ID, location data, pages visited and time spent on the website. Information on the cookies used can be found in our cookie consent tool and our cookie policy
  (https://www.formatsoftware.de/cookie-richtlinie) as well as in the YouTube/Google privacy policy (https://policies.google.com/privacy).

d. Receiver

The recipients of the data are internal employees of the marketing department and FORMAT’s internal IT department for the purpose of integrating the YouTube videos.

As a service provider, the personal data will be passed on to YouTube or Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This data may also be transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and other Google Group companies in third countries, particularly in the USA.

The data is also passed on to the responsible subcontractors or service providers who work on behalf of YouTube/Google in order to operate the video services, carry out data analyses, support advertising services and provide similar functions.

e. Storage periods

The duration of the storage of personal data by YouTube/Google depends on the type of data collected, the purpose of the data collection and the internal guidelines of YouTube/Google:

• Cookies: The data collected by cookies is stored for different periods of time. Some cookies are so-called session cookies, which are only stored for as long as the user visits the website. Other cookies are stored on the user’s device for longer. Information on the cookies used can be found in our cookie consent tool and our cookie policy (https://www.formatsoftware.de/en/cookie-policy/) as well as in the YouTube/Google privacy policy (https://policies.google.com/privacy). You can use the cookie consent tool on our website to revoke the cookies used at any time with effect for the future.
• Usage data and IP addresses: Usage data and IP addresses may be stored for variable periods of time depending on the purpose and necessity. Further details on the duration of storage can be found in the YouTube/Google privacy policy (https://policies.google.com/privacy).

f. Legal / contractual requirement

The provision of your personal data is voluntary, solely on the basis of your consent. If you prevent access, this may result in functional restrictions (with regard to the unavailability of optional multimedia content) on our website.

g. Third country transfers

Due to Google’s headquarters in the USA, data transfer to third countries (in particular the USA) is possible.

The transfer of personal data to third countries, in particular to the USA, is based on the consent of the data subject in accordance with Art. 49 para. 1 lit. a GDPR.

Note on the risks of the transfer: In the USA, there is a risk that state authorities, in particular intelligence agencies, may access the transferred data without the data subjects being informed of this and without them being able to lodge effective legal remedies.

In order to make data transfers as secure as possible, Google is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection. For more information about Google’s certification, please visit the Data Privacy Framework website (https://www.dataprivacyframework.gov).

h. Revocation of consent

You can revoke your consent to the storage of your personal data at any time with effect for the future. For our website, this is mainly done via the cookie consent tool. To do this, deactivate the relevant cookies / cookie categories. You can also contact YouTube/Google regarding your personal data for which YouTube/Google is responsible (https://policies.google.com/privacy).

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XII. Use of Google Maps

a. Nature and purpose of processing

We use Google Maps on our website to display maps. Google Maps is operated by Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. This allows us to show you interactive maps directly on the website and enables you to use the map function conveniently. You can find more information about data processing by Google in the Google data protection information (https://policies.google.com/privacy). You can also change your personal data protection settings there in the data protection centre. When you visit the website, Google receives information that you have accessed the corresponding sub-page of our website. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your Google profile, you must log out of Google before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or customising its website. Such an analysis is carried out in particular (even for users who are not logged in) to provide customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

b. Legal basis for data processing

The legal basis for the processing of personal data in connection with the embedding of Google Maps maps is the consent of the data subject in accordance with Art. 6 para. 1 lit. a GDPR. The data subject gives their consent voluntarily after being fully informed about the purpose of the data processing and the associated risks and conditions via our cookie consent tool.

The consent of the data subject also includes the transfer of personal data to Google in third countries, in particular the USA. This transfer takes place on the basis of Art. 49 para. 1 lit. a GDPR.

c. Data categories

• IP address of the user: The IP address of the user is automatically transmitted to Google. This data is technically necessary to deliver the content of Google Maps and to ensure the functionality of the embedded maps.
• Location data: If location services are activated, Google can record the user’s location in order to display an exact position on the map.
• Usage data: Information that and how the data subject visits our website and uses the embedded maps (e.g. map elements clicked on, zoom level, areas displayed).
• Device information: Details of the device used, including device type, operating system, browser type, screen resolution and language settings.
• Cookies and similar technologies: Google uses various cookies and similar technologies to collect information about user behaviour. These cookies may contain information such as a unique user ID, location data, pages visited and time spent on the website. Information on the cookies used can be found in our cookie consent tool and our cookie policy (https://www.formatsoftware.de/en/cookie-policy/) as well as in Google’s privacy policy (https://policies.google.com/privacy).

d. Receiver

The recipients of the data are internal employees of the marketing department and FORMAT’s internal IT department for the purpose of integrating Google Maps.

As a service provider, the personal data is forwarded to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This data may also be transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and other Google Group companies in third countries, in particular in the USA.

The data is also passed on to the responsible subcontractors or service providers who work on behalf of YouTube/Google in order to operate the video services, carry out data analyses, support advertising services and provide similar functions.

e. Storage periods

The duration of the storage of personal data by Google depends on the type of data collected, the purpose of the data collection and Google’s internal guidelines:

• Cookies: The data collected by cookies is stored for different periods of time. Some cookies are so-called session cookies, which are only stored for as long as the user visits the website. Other cookies are stored on the user’s device for longer. Information on the cookies used can be found in our cookie consent tool and our cookie policy (https://www.formatsoftware.de/en/cookie-policy/) as well as in the YouTube/Google privacy policy (https://policies.google.com/privacy). You can use the cookie consent tool on our website to revoke the cookies used at any time with effect for the future.
• Usage data and IP addresses: Usage data and IP addresses may be stored for variable periods of time depending on the purpose and necessity. Further details on the duration of storage can be found in Google’s privacy policy (https://policies.google.com/privacy).

f. Third country transfers

Due to Google’s headquarters in the USA, data transfer to third countries (in particular the USA) is possible.

The transfer of personal data to third countries, in particular to the USA, is based on the consent of the data subject in accordance with Art. 49 para. 1 lit. a GDPR.

Note on the risks of the transfer: In the USA, there is a risk that state authorities, in particular intelligence agencies, may access the transferred data without the data subjects being informed and without them being able to lodge effective legal remedies.

In order to make data transfers as secure as possible, Google is certified under the EU-US Data Privacy Framework, which ensures an appropriate level of data protection. For more information about Google’s certification, please visit the Data Privacy Framework website (https://www.dataprivacyframework.gov).

h. Revocation of consent

You can revoke your consent to the storage of your personal data at any time with effect for the future. For our website, this is mainly done via the cookie consent tool. To do this, deactivate the relevant cookies / cookie categories. You can also contact Google regarding your personal data for which Google is responsible (https://policies.google.com/privacy).

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XIII. Use of other Google services

Various Google services are integrated on our website (e.g. YouTube and Google Maps) to improve functionality and user-friendliness. Please note that the use of these Google products may automatically load additional services (e.g. Google Fonts) that transmit personal data to Google (including to the USA). This data transfer takes place in accordance with Art. 6 para. 1 lit. a GDPR (and Art. 49 para. 1 lit. a GDPR for the transfer to third countries) only with your express consent (usually via our cookie consent tool).

Note: We have no influence on the type and scope of data processed by Google in the context of these services. Further information on the processing of personal data by Google can be found in Google’s privacy policy (https://policies.google.com/privacy).

XIV. Contact us

a. Nature and purpose of processing

If you contact us with questions or concerns of any kind via contact form, e-mail, telephone, etc., your personal data will be collected, processed and stored. When using contact forms, which are integrated on our website for various purposes, we require the data from you that are declared as mandatory fields. All other information is voluntary.

This data is stored and used exclusively to respond to your enquiry or to contact you and for the associated technical administration. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a contractual or legal obligation to do so or you have given us your consent.

If your contact is aimed at the conclusion of a contract, the data will be processed for the contractual initiation and conclusion of the contract. We also need this data for the legally required compliance check. We offer our products and services exclusively to companies (B2B). If a contractual relationship already exists, the data will be processed to fulfil the contract.

b. Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in responding to your request and carrying out the compliance check. If your contact is aimed at the conclusion of a contract or if a contract already exists, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR ((pre-)contractual measure). If we are subject to retention obligations (e.g. under tax and commercial law) in connection with responding to your enquiry or for the performance of a contract, the legal basis is Article 6(1)(c) GDPR (legal obligation).

c. Data categories

See information under “Type and purpose of processing”.

d. Receiver

The recipients of the data are, in particular, internal technical and specialist support staff, departments that deal with your enquiry, FORMAT’s internal IT department and, where applicable, service providers/processors to assist in responding to support enquiries.

e. Storage periods

For enquiries from non FORMAT customers / interested parties:

Your data, which we have received in the course of contacting you, will be deleted as soon as it is no longer required for the purpose for which it was collected, i.e. your request has been fully processed, no further communication with you is required or requested by you, no legal or contractual basis exists, no consent has been given and no retention obligations exist.

For FORMAT customers:

Your data that we have received as part of the execution of the contract or related services will be deleted as soon as it is no longer required for the purpose for which it was collected, e.g. the contract has been cancelled, there is no legal or contractual basis, no consent has been given and there are no retention obligations.

f. Requirement to provide your personal data

For enquiries from non FORMAT customers / interested parties:

If you contact us, we must at least receive a communication address and the request from you in order to answer the enquiry.

For FORMAT customers:

In the event of support enquiries or contractual questions (e.g. via e-mail messages or tickets via the FORMAT customer portal), we require the data stored with us (e.g. customer number, ticket number, etc.) as well as any additional data / information provided by you in order to be able to answer the corresponding enquiries.

g. Third country transfers

The processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Contradiction

You can object to the storage of your personal data and its use for contacting you (if this is in the legitimate interest of FORMAT) at any time with effect for the future by sending an e-mail to datenschutz@formatsoftware.de.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XV. Newsletter and direct advertising

a. Nature and purpose of processing

For persons who have consented to receive the newsletter:

If you have given us your express, voluntary consent, we will regularly send you our newsletter or comparable information on FORMAT product news, trade fairs and events by e-mail to the e-mail address you have provided.

To receive the newsletter, you must provide your company e-mail address, title, first name, surname and company. When subscribing to our newsletter, this data is used exclusively for this purpose. Newsletter subscribers may also be informed of circumstances relevant to the service or registration (such as changes to the newsletter offer or technical circumstances).

Your data will only be used to send you the newsletter you have subscribed to by e-mail. Your name is given so that we can address you personally in the newsletter and, if necessary, identify you if you wish to exercise your rights as a data subject. When you register to receive our newsletter, the data you provide will be used exclusively for this purpose. Subscribers may also be informed by email about circumstances that are relevant to the service or registration (e.g. changes to the newsletter offer or technical circumstances).

We require a valid e-mail address for effective registration. We use the “double opt-in” procedure to check that a registration is actually made by the owner of an e-mail address. For this purpose, we log the subscription to the newsletter, the sending of a confirmation email and the receipt of the requested reply. No further data is collected. The data is used exclusively for sending the newsletter.

For existing customers:

If we receive your e-mail address in connection with the sale of a product or service and you have not objected to this, we reserve the right to regularly send you information on new products, trade fairs and events organised by FORMAT or on products/services similar to those already purchased by e-mail. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in a promotional approach to our customers.

b. Legal basis for data processing

For persons who have consented to receive the newsletter:

On the basis of your express consent in accordance with Art. 6 para. 1 lit. a GDPR, we will regularly send you our newsletter or comparable information by e-mail to the e-mail address you have provided.

For existing customers:

The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with. § Section 7 (3) UWG on the basis of our overriding legitimate interest in advertising to our customers.

c. Data categories

Company e-mail address, title, first name and surname, logging of registration/deregistration or existing customer entry and dispatch data.

d. Receiver

The recipients of the data are internal employees of the marketing department, technical and specialist support and the internal IT department of FORMAT and rapidmail GmbH, Wentzingerstr. 21, 79106 Freiburg i.Br., Germany, which hosts, administers and maintains the SaaS newsletter tool.

e. Storage periods

The data will only be processed in this context as long as the corresponding consent has been given, you (if applicable as an existing customer) object to the sending of marketing emails or the purpose no longer applies. After revocation of consent or objection to direct marketing, you will be removed from the relevant mailing lists after a reasonable period of time.

f. Requirement to provide your personal data

The provision of your personal data is voluntary, solely on the basis of your consent or because you are registered with us as an existing customer.

g. Third country transfers

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Revocation of consent / objection

You can revoke / object to the storage of your personal data and its use for the newsletter dispatch / direct advertising at any time with effect for the future by sending an e-mail to news@formatsoftware.de.

When sending newsletters, you also have the option of clicking on an unsubscribe link in the respective newsletter (usually at the bottom of the message). After clicking on the link, a rapidmail page will open.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XVI. Online training courses / webinars

a. Nature and purpose of processing

We offer online training courses/webinars, which you can view on our website, for training purposes, in particular for the use and/or presentation of FORMAT software. We use the “GoToWebinar” software from GoTo Technologies Ireland Unlimited Company (formerly LogMeIn), The Reflector, 10 Hanover Quay, Dublin 2, Ireland, D02R573, for the technical realisation of the online training courses/webinars.

Various data is processed when you use GoToWebinar. The scope of the data depends on the information you provide before or during participation in an online training/webinar. Relevant personal data are:

When registering: first name, surname, e-mail address and company. All other information is voluntary. GoToWebinar may send you information about the online training/webinar you have booked on our behalf.

Meeting metadata: Topic or title description (optional), device/hardware information and participant IP addresses.

When dialling in by phone: information on the incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.

Text, audio and video data during an online training course/webinar: You may have the opportunity to use the chat, question or survey functions in an online training course/webinar. In this respect, the text entries you make are processed in order to display them in the online training/webinar, to log them if necessary and to answer subsequent questions. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the online training/webinar. You can switch off or mute the camera or microphone yourself at any time via the GoToWebinar settings.

For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.

Participants are prohibited from making recordings of any kind of the online training/webinar. Text, audio and video data may not be recorded, copied or saved.

Data about your device, operating system and browser will only be used by GoToWebinar on our behalf for the purpose of providing, optimising and securing the services of GoToWebinar. The participation information you provide will be used for the purpose of identification in the online training/webinar. Transmitted video and audio data will be processed for the purpose of conducting the online training/webinar and subject to your consent to its recording. You will be informed of the purpose of the recording before recording begins.

If you access the GoToWebinar website, the provider GoTo Technologies Ireland Unlimited Company is responsible for data processing. However, it is only necessary to access the website to use GoToWebinar in order to download the software for use. You can also use GoToWebinar if you enter the relevant meeting ID and any other access data for the meeting directly in the GoToWebinar app. If you do not want to or cannot use the GoToWebinar app, the basic functions can also be used via a browser version, which you can also find on the GoToWebinar website.

b. Legal basis for data processing

Insofar as personal data of FORMAT employees is processed, Art. 88 GDPR in conjunction with Art. 6 para. 1 lit. b GDPR in conjunction with Art. 6 para. 1 lit. f GDPR is applicable. Art. 6 para. 1 lit. b GDPR in conjunction with. § Section 26 (1) BDSG is the legal basis for data processing.

The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the effective implementation of online training courses/webinars. If the online training/webinar is carried out as part of an existing or prospective contractual relationship, the additional legal basis is Art. 6 para. 1 lit. b GDPR. Online training/webinars will only be recorded if we have informed you of this in advance and you have consented to the recording. The legal basis in this case is Art. 6 para. 1 lit. a GDPR (consent).

c. Data categories

See details under “Type and purpose”.

d. Receiver

The recipients of the data are FORMAT departments that carry out the respective training courses as well as employees who carry out the technical administration and GoTo Technologies Ireland Unlimited Company as the processor for the provision, maintenance and support of the platform.

e. Storage periods

We generally delete personal data when there is no need for further processing / storage. A requirement may exist in particular if the data is still needed to fulfil contractual services, to check and grant or defend against warranty and guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation. In the case of existing consents, data will be deleted if the consent is revoked or the purpose no longer applies.

f. Requirement to provide your personal data

Without the provision of the personal data described under “Type and purpose”, we cannot organise online training courses/webinars. Giving consent for the recording of online training courses/webinars is voluntary.

g. Third country transfers

GoToWebinar is a service of GoTo Technologies Ireland Unlimited Company, which has affiliated companies and sub-processors in the USA. Personal data may therefore also be processed in a third country. We have concluded an order processing agreement with the provider of GoToWebinar. As far as possible, we have concluded the so-called EU standard contractual clauses with GoTo Technologies Ireland Unlimited Company and all affiliated companies.

h. Revocation of consent

If you have given us your consent for the recording of online training courses/webinars, you can revoke this consent at any time with effect for the future.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XVII. Business relationships

As part of the use of our website and communication (e.g. enquiries via contact forms or by email) with us, a contract may be initiated, for example. In addition to our privacy policy (which concerns our website and related services), we provide you with the information obligations pursuant to Art. 13 and 14 GDPR for interested parties, customers, service providers and suppliers under the following link: https://www.formatsoftware.de/informationspflichten-ds-gvo

XVIII. Applications

We have included information on current vacancies on our website (mainly at https://www.formatsoftware.de/en/job-openings/).

The corresponding data protection information can be viewed at https://www.formatsoftware.de/en/information-sheet/. Further information on data processing will be provided (if necessary) during the application process.

XIX. Social Media

We have online presences in social networks (“social media”) and process user data in these networks in order to provide information about us and to communicate with users. As a rule, we also use social media channels to display adverts and conduct market research. Further information on FORMAT’s online presence in social networks and the corresponding data protection notices can be found on our website at https://www.formatsoftware.de/en/information-sheet/.

We have not currently integrated any online presences on our website in such a way that personal data is transmitted to the operators of the sites. We have only included links (e.g. images, icons or texts). If you click on these images, icons or texts, the external website of the social media provider opens (on which the data protection provisions of the respective provider apply – FORMAT has no influence on these).

XX. Data retention obligations and deletion of data

Your personal data will only be stored for as long as it is required for the fulfilment of our contractual and legal obligations or as long as you revoke your consent(s). If your data is not deleted because it is required for other legal purposes, its processing will be restricted to these purposes, i.e. generally blocked.

Further information on the deletion of your personal data can also be found in the individual data protection notices of this privacy policy.

If the data is no longer required for the fulfilment of contractual or legal obligations, as mentioned above, it is regularly deleted. Unless temporary and limited further processing is required for the following purposes, among others:

• Fulfilment of retention periods under commercial and tax law: The German Commercial Code (HGB) and the German Fiscal Code (AO) should be mentioned. The retention periods stipulated there are generally up to 10 years.
• Preservation of evidence within the framework of the statutory limitation period. According to §§ 195 ff. of the German Civil Code (BGB), the regular limitation period is 3 years, in special circumstances up to 30 years.
• Compliance with storage obligations arising from other legal obligations.

XXI. Right to revoke consents granted in accordance with Art. 7 para. 3 GDPR

You have the right to withdraw your consent(s) – even partially – at any time with effect for the future. The withdrawal of consent(s) shall not affect the lawfulness of processing based on consent(s) before its/their withdrawal. As a result, we may no longer continue the data processing that was based on this/these consent(s) in the future, provided that there are no legal obligations or contractual provisions to the contrary.

XXII. Right to information pursuant to Art. 15 GDPR

Every data subject has a right of access to the personal data concerning them. The right of access extends to all data processed by us. The right can be exercised easily and at regular intervals so that all data subjects are always aware of the processing of their personal data and can check its lawfulness (see recital 63 GDPR). The right of access includes in particular the following information:

• The purpose of the processing
• The data categories
• The recipients / categories of recipients, in particular recipients from international organisations or third countries; if a third country is involved, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer.
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
• All available information about the origin of the data if the personal data is not collected from the data subject.
• All available information on the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR
• The existence of a right to
  – Correction or
  – erasure of the personal data concerning them or
  – the restriction of processing by the controller or
  – a right to object to this processing and
  – the existence of a right to lodge a complaint with a supervisory authority

If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact us using the contact details provided at the beginning of this data protection notice.

XXIII. Right to rectification pursuant to Art. 16 GDPR

Every data subject has the right to obtain from our company without undue delay the rectification of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.

If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact us using the contact details provided at the beginning of this privacy policy.

XXIV. Right to erasure (right to be forgotten) in accordance with Art. 17 GDPR

Every data subject has the right to erasure and to be forgotten and can demand that we erase the personal data concerning them without undue delay, provided that one of the following reasons applies and insofar as the processing is not necessary:

• The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
• The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.
• The personal data was processed unlawfully.
• The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data was collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.

If one of the aforementioned reasons applies and a data subject wishes to request the erasure of personal data, they can contact us at any time using the contact details provided at the beginning of this privacy policy. The controller will ensure that the request for erasure is complied with immediately.

XXV. Right to restriction of processing in accordance with Art. 18 GDPR

Every data subject has the right to obtain from the controller restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
• The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by the controller, he or she may contact us at any time using the contact details provided at the beginning of this privacy policy. The controller will arrange for the restriction of processing.

XXVI. Right to data portability pursuant to Art. 20 GDPR

Each data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Art. 20 (1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others. To assert the right to data portability, the data subject can contact us at any time using the contact details provided at the beginning of this privacy policy.

XXVII. Right to object pursuant to Art. 21 GDPR

Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR. This also applies to profiling based on these provisions.

The controller shall no longer process the personal data in the event of an objection, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If the controller processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling insofar as it is associated with such direct advertising. If the data subject objects to the controller to the processing for direct marketing purposes, the controller will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the controller for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the data subject may contact us at any time using the contact details provided at the beginning of this privacy policy.

XXVIII. Right to lodge a complaint with a supervisory authority
in accordance with Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority responsible for us is

The Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.