Data Protection Declaration in accordance with Art. 13 of the
General Data Protection Regulation (GDPR)
I. Name and address of controller
The controller, as defined in the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations, is:
Augsburger Straße 283
Local Court of Stuttgart HRB 751648
Managing Director Prof. Dr. Josef Kallo
Our data protection officer can be reached at:
II. General information on data processing
1. Scope of personal data processed
We generally process the personal data of our users only to the extent necessary for the provision of a functional website and our content and services. The processing of our users' personal data usually occurs only after the user has consented to it. Exceptions apply where it is not possible to obtain prior consent for factual reasons or where the processing of the data is legally permitted.
2. Deletion of data and storage period
The personal data of a data subject shall be deleted or blocked as soon as the purpose for storing the data no longer applies. Furthermore, the data may be stored where stipulated by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data shall also be blocked or deleted after a storage period stipulated under the above regulations expires, unless storage of the data needs to be continued in order to conclude or fulfil a contract.
III. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is called up, our system will automatically record data and information from the computer system of the calling computer.
The following data is then collected:
Partially anonymised IP address
Language and keyboard settings
Internet service provider
Referral and exit pages
Date / time stamp
The information is also stored in the log files of our system. We do not store this data together with any other personal data of the user.
2. Legal basis for data processing
The legal basis for accessing data already stored in the device of the user of the website is section 25 para. 2 no. 2 TTDSG [Telecommunications Telemedia Data Protection Act].
The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR.
3. Purpose of data processing
The system needs to temporarily store the IP address to allow delivery of the website to the user's computer. For this purpose, the user's IP address must be saved for the duration of the session.
Storage in log files is necessary to ensure the functionality of the website. Furthermore, we use the data to optimise our website and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context.
These purposes also constitute our legitimate interest in the data processing according to Art. 6 para. 1 lit. f GDPR.
4. Duration of storage
The data will be deleted from our system as soon as it is no longer needed for the purpose it was collected for. Data collected in order to provide the website will be deleted after the end of the respective session.
Data stored in log files will be deleted after ten days at the latest. Longer storage periods are possible. In this case, the IP addresses of the users are deleted or alienated so that they can no longer be assigned to the calling client.
5. Objection and removal options
Both the collection of data for providing the website and the storage of data in log files are essential for the operation of the website. Therefore, the user cannot object to this in any way.
a) Description and scope of data processing
Cookies classified as necessary cookies help make a website usable because they provide basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
The following data is stored and transmitted in the cookies during this process:
b) Legal basis for data processing
The legal basis for the processing of personal data by means of cookies that are technically necessary is § 25 para. 2 no. 2 TTDSG, Art. 6 para. 1 lit. f GDPR.
c) Purpose of data processing
The user data gathered by means of technically necessary cookies is not used to create user profiles.
d) Duration of storage, objection and removal options
The transmission of flash cookies cannot be prevented by changing the browser settings, but it can be blocked by changing the settings of the flash player.
V. Links to other websites
This website contains links to third-party websites. There is no embedding of third-party content by way of plug-ins, i.e. personal data of our website visitors is not automatically transmitted to the operators of such third-party websites (e.g. social media).
We endeavour to offer only links to websites that meet our high standards and share our respect for your privacy. We do not, however, monitor or control any third party website as to which information is gathered when you access it by clicking a link. The operators of third party websites may handle personal information in a manner different from ours. Accordingly, we do not assume responsibility for the content or privacy practices of other websites.
Any transmission to operators of social media services, e.g. YouTube or Instagram, is done exclusively by way of linking, so that the personal data of our website visitors is not transmitted to these operators until the visitors themselves actively select the link of the operator of the respective platform.
The following links are used on our website:
https://careers.h2fly.de/ (leads to the career portal provided by Recruitee B.V.)
To learn more about the scope and purposes of data processing on these third party websites, please see the privacy information provided there.
VI. Rights of data subjects
Whenever personal data relating to you is processed, you are a data subject as defined in the GDPR. As such, you have the following rights towards the controller:
1. Right of access
You can request information from the controller on whether or not we process any personal data relating to you.
If the data is processed by us, you can request the following information from the controller:
(1) the purposes for which your personal data is processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom your personal data have been or will be disclosed;
(4) the intended storage period of your personal data or, if it is not possible to provide specific information on this, criteria for determining the storage period;
(5) the existence of the right to have your personal data rectified or deleted; the right to restrict its processing by the controller or the right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) any available information on where the personal data originates, if it is not collected from the data subject;
(8) whether automated decision-making, including profiling, is carried out pursuant to Art. 22 para. 1 and 4 GDPR and, at least in such cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You are entitled to request information on whether personal data relating to you is transmitted to a third country or to an international organisation. In this context, you may request information about the appropriate safeguards pursuant to Art. 46 GDPR as regards such transmission of data.
2. Right to rectification
Should the processed personal data relating to you be inaccurate or incomplete, you have a right to have them corrected and/or completed by the controller. The controller has to carry out any such rectification without undue delay.
3. Right to restriction of processing
You may request that the processing of your personal data be restricted, if any of the following conditions apply:
(1) when you deny the accuracy of the personal data relating to you, for the period of time which permits the controller to verify the accuracy of the personal data;
(2) where processing is unlawful and you oppose the erasure of the personal data request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, whereas you need this data for the establishment, exercise or defence of legal claims; or
(4) when you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it remains to be determined whether the legitimate grounds for the processing put forward by the controller override your grounds.
Where the processing of personal data relating to you has been restricted, this data may only be processed, except for storage, with your consent or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the EU or a member state.
If the restriction of processing was limited on the basis of the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Duty to erase data
You may request the controller to erase your personal data without undue delay and the controller shall have the obligation to erase this data without undue delay where one of the following grounds applies:
(1) The personal data relating to you are no longer required for the purposes it was collected or otherwise processed for.
(2) You withdraw your consent to the processing carried out pursuant to Art. 6 para. 1 lit. a GDPR and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you raise an objection to the processing pursuant to Art. 21 para. 2 GDPR.
(4) The personal data relating to you have been processed unlawfully.
(5) Erasure of the personal data relating to you is necessary to comply with a legal obligation under EU or member state law to which the controller is subject.
(6) The personal data relating to you have been collected in respect of services offered by an information society pursuant to Art. 8 para. 1 GDPR.
b) Information to third parties
Where the controller has made the personal data relating to you public and is obliged to erase such data pursuant to Art. 17 para. 1 GDPR, the controller shall take reasonable steps, also technical ones, taking into account the available technology and the cost of implementation, to inform controllers that are processing the personal data of the fact that you, as the data subject, have requested them to erase all links to, or copies or replications of, this personal data.
You do not have the right to deletion if the data processing is necessary in order to:
(1) exercise the right to freedoms of expression and information;
(2) comply with legal obligations which requires processing under the EU or member state law to which the controller is subject; to perform tasks carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Art. 9 para 2 lit. h and i and Art. 9 para. 3 GDPR;
(4) for archiving purposes of public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 para. 1 GDPR, in so far as the right referred to in section (a) above is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
(5) for the assertion, exercise or defence of legal claims.
5. Right to be informed
In the event that you have exercised the right to rectification, erasure or restriction of processing towards the controller, the controller shall be obliged to notify all recipients to whom your personal data have been disclosed of this data’s rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed by the controller of who these recipients are.
6. Right to data portability
You have the right to receive the personal data relating to you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, if
(1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or is based on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and
(2) the processing is carried out by means of automated procedures.
When exercising this right, you are also entitled to have your personal data transmitted directly from one controller to another controller, if technically feasible. The freedoms and rights of other individuals must not be affected by this.
The right to data portability shall not apply to the processing of personal data required in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on these provisions.
The controller shall no longer process the personal data relating to you, unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend a legal claim.
Where personal data relating to you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing. This includes profiling to the extent it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data relating to you shall no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on your side or similarly affects you in a significant way. This shall not apply, if the decision
(1) is necessary to enter into, or performance of, a contract between you and the controller;
(2) is authorised by the law of the EU or the Member States to which the controller is subject and these legal provisions contain appropriate measures to protect your rights and freedom as well as your legitimate interests; or
(3) is based on your explicit consent.
These decisions must not, however, be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to safeguard your rights and freedoms as well as your legitimate interests.
As regards the cases described in (1) and (3) above, the controller shall implement suitable measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to complain to a supervisory authority
Notwithstanding any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, place of work or place of the alleged infringement, if in your view the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the right to an effective judicial remedy pursuant to Art. 78 GDPR.
The supervisory authority responsible for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg [i.e. the State Commissioner for Data Protection and Freedom of Information]
Tel: 0711/615541 – 0
Fax: 0711/61 55 41 – 15