Privacy Policy

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within the scope of providing our services as well as within our online offering and the websites, functions, and content associated with it, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). With regard to the terminology used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

Bernhard Krämer, Münchner Str. 2A, 83623 Dietramszell, Germany

Represented by: Bernhard Krämer

Contact:
Phone: +49 8027 / 9084813
Email: mail@bernhard-kraemer.com

Link to Legal Notice:
bernhard-kraemer.com/impressum

Types of Data Processed

  • Inventory data (e.g., personal master data, names, or addresses)
  • Contact data (e.g., email, telephone numbers)
  • Content data (e.g., text entries, photographs, videos)
  • Usage data (e.g., websites visited, interest in content, access times)
  • Meta/communication data (e.g., device information, IP addresses)

Categories of Data Subjects

Visitors and users of the online offering (hereinafter collectively referred to as “users”).

Purpose of Processing

  • Provision of the online offering, its functions, and content
  • Responding to contact inquiries and communicating with users
  • Security measures
  • Reach measurement / marketing

Terminology Used

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.

“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Relevant Legal Bases

In accordance with Article 13 GDPR, we inform you of the legal bases for our data processing. For users within the scope of the GDPR (i.e., the EU and the EEA), the following applies unless another legal basis is specified in this privacy policy:

  • Consent: Article 6(1)(a) and Article 7 GDPR
  • Performance of services and contractual measures, and responding to inquiries: Article 6(1)(b) GDPR
  • Compliance with legal obligations: Article 6(1)(c) GDPR
  • Protection of vital interests: Article 6(1)(d) GDPR
  • Performance of a task carried out in the public interest or in the exercise of official authority: Article 6(1)(e) GDPR
  • Legitimate interests: Article 6(1)(f) GDPR

Processing for purposes other than those for which the data were collected is determined by Article 6(4) GDPR.
Processing of special categories of data (Article 9(1) GDPR) is governed by Article 9(2) GDPR.

Security Measures

In accordance with statutory requirements and taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include ensuring confidentiality, integrity, and availability of data through control of physical access, access to data, data entry, transfer, availability, and separation. We have also established procedures to ensure the exercise of data subject rights, deletion of data, and response to data threats. Furthermore, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principles of data protection by design and by default.

Cooperation with Processors, Joint Controllers, and Third Parties

If, in the course of our processing, we disclose data to other persons or companies (processors, joint controllers, or third parties), transmit data to them, or otherwise grant them access to data, this is done only on the basis of a legal authorization (e.g., if data transfer to third parties such as payment service providers is necessary for contract performance), user consent, a legal obligation, or our legitimate interests (e.g., when using agents, web hosts, etc.).

If we disclose data to companies within our corporate group, transmit data to them, or otherwise grant access, this is done in particular for administrative purposes as a legitimate interest and otherwise on a legal basis compliant with statutory requirements.

Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation), or if this occurs in the context of using third-party services or disclosing or transferring data to other persons or companies, this is done only if it is necessary for the fulfillment of our (pre-)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests.

Subject to statutory or contractual permissions, we process or have data processed in a third country only if the statutory requirements are met, e.g., on the basis of special safeguards such as an officially recognized determination of an adequate level of data protection by the EU or compliance with officially recognized standard contractual clauses.

Rights of Data Subjects

You have the right to request confirmation as to whether personal data concerning you are being processed and to obtain information about such data, as well as further information and a copy of the data in accordance with statutory requirements.

You have the right to request the completion or correction of inaccurate personal data concerning you.

You have the right to request the immediate deletion of personal data concerning you or, alternatively, restriction of processing in accordance with statutory requirements.

You have the right to receive the personal data concerning you that you have provided to us, in accordance with statutory requirements, and to request their transfer to other controllers.

You also have the right to lodge a complaint with the competent supervisory authority.

Right of Withdrawal

You have the right to withdraw any consent given, with effect for the future.

Right to Object

You may object at any time to the future processing of your personal data in accordance with statutory requirements. In particular, the objection may be directed against processing for direct marketing purposes.

Cookies and Right to Object to Direct Advertising

“Cookies” are small files stored on users’ computers. Cookies can store various types of information. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering.

Temporary cookies, also known as “session cookies” or “transient cookies,” are deleted after a user leaves an online offering and closes their browser. For example, such a cookie can store the contents of a shopping cart or a login status.

“Permanent” or “persistent” cookies remain stored even after the browser is closed. For example, the login status can be stored so that users can access it again after several days. Such cookies may also store user interests used for reach measurement or marketing purposes.

“Third-party cookies” are cookies offered by providers other than the controller operating the online offering. Otherwise, they are referred to as “first-party cookies.”

We may use temporary and permanent cookies and explain this in this privacy policy.

If users do not wish cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Excluding cookies may result in functional limitations of this online offering.

A general objection to the use of cookies for online marketing purposes can be declared for many services, particularly tracking, via the U.S. website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. In addition, cookies can be disabled via browser settings. Please note that in this case not all functions of this online offering may be available.

Deletion of Data

The data processed by us are deleted or restricted in processing in accordance with statutory requirements. Unless expressly stated otherwise in this privacy policy, the data stored by us are deleted as soon as they are no longer required for their intended purpose and no statutory retention obligations prevent deletion.

If data are not deleted because they are required for other legally permissible purposes, their processing is restricted. This means that the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Changes and Updates to the Privacy Policy

We ask you to regularly review the contents of our privacy policy. We adapt the privacy policy as soon as changes to our data processing activities make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.

Business-Related Processing

In addition, we process the following data of our customers, prospects, and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research:

  • Contract data (e.g., subject matter, term, customer category)
  • Payment data (e.g., bank details, payment history)

Agency Services

We process our customers’ data within the scope of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, campaign and process implementation/handling, server administration, data analysis/consulting services, and training services.

In doing so, we process inventory data (e.g., customer master data such as names or addresses), contact data (e.g., email, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter, term), payment data (e.g., bank details, payment history), usage and meta data (e.g., as part of the evaluation and success measurement of marketing measures). We generally do not process special categories of personal data unless they are part of a commissioned processing.

Data subjects include our customers, prospects, and their customers, users, website visitors, employees, and third parties. The purpose of processing is the provision of contractual services, billing, and customer service. The legal bases are Article 6(1)(b) GDPR (contractual services) and Article 6(1)(f) GDPR (analysis, statistics, optimization, security measures).

We process data required for the establishment and fulfillment of contractual services and indicate the necessity of providing such data. Disclosure to external parties occurs only if required within the scope of an order. When processing data provided to us in the context of an order, we act in accordance with the instructions of the client and the statutory requirements of commissioned processing pursuant to Article 28 GDPR and do not process the data for any purposes other than those specified in the order.

We delete data after the expiry of statutory warranty and comparable obligations. The necessity of retaining data is reviewed every three years; in the case of statutory archiving obligations, deletion occurs after their expiry (6 years pursuant to § 257(1) HGB, 10 years pursuant to § 147(1) AO). Data disclosed to us by clients within the scope of an order are deleted in accordance with the order specifications, generally after completion of the order.

Administration, Financial Accounting, Office Organization, Contact Management

We process data in the context of administrative tasks and the organization of our operations, financial accounting, and compliance with legal obligations such as archiving. In doing so, we process the same data that we process in the context of providing our contractual services. The legal bases are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR.

Data subjects include customers, prospects, business partners, and website visitors. The purpose and our interest in processing lie in administration, financial accounting, office organization, and data archiving—tasks that serve to maintain our business activities and provide our services.

We disclose or transmit data to tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, based on our business interests, we store information about suppliers, event organizers, and other business partners, e.g., for later contact. These predominantly company-related data are generally stored permanently.

Business Analyses and Market Research

To operate our business economically and to identify market trends and the needs of contract partners and users, we analyze available data on business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, and meta data on the basis of Article 6(1)(f) GDPR.

Data subjects include contract partners, prospects, customers, visitors, and users of our online offering. The analyses are carried out for business evaluations, marketing, and market research. User profiles of registered users may be considered, e.g., regarding services used. These analyses serve to improve user-friendliness, optimize our offering, and enhance economic efficiency. The analyses are used exclusively by us and are not disclosed externally unless they are anonymous analyses with aggregated values.

If analyses or profiles are personal, they are deleted or anonymized upon user termination; otherwise, after two years from contract conclusion. Overall business analyses and general trend determinations are anonymized where possible.

Contact

When contacting us (e.g., via contact form, email, phone, or social media), user information is processed for handling the contact request and its execution pursuant to Article 6(1)(b) GDPR (contractual/pre-contractual relationships) and Article 6(1)(f) GDPR (other inquiries). User information may be stored in a customer relationship management system (CRM) or a comparable inquiry organization.

We delete inquiries when they are no longer required. Necessity is reviewed every two years; statutory archiving obligations also apply.

Newsletter

The following information explains the content of our newsletter, the registration, dispatch, statistical evaluation procedures, and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described.

Newsletter content: We send newsletters, emails, and other electronic notifications with promotional information (“newsletter”) only with recipient consent or a legal authorization. If the newsletter content is specifically described during registration, it is decisive for user consent. Otherwise, our newsletters contain information about us and our services.

Double opt-in and logging: Newsletter registration follows a double opt-in procedure. After registering, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent registration with third-party email addresses. Registrations are logged to demonstrate compliance with legal requirements, including storage of registration and confirmation times and IP addresses. Changes to data stored by the dispatch service provider are also logged.

Registration data: To subscribe, providing an email address is sufficient. Optionally, we ask for a name so that we can address you personally in the newsletter.

The newsletter is sent and its performance measured based on recipient consent pursuant to Article 6(1)(a) and Article 7 GDPR in conjunction with § 7(2) No. 3 UWG, or, if consent is not required, based on our legitimate interests in direct marketing pursuant to Article 6(1)(f) GDPR in conjunction with § 7(3) UWG.

Logging of the registration process is based on our legitimate interests pursuant to Article 6(1)(f) GDPR. Our interest is to use a user-friendly and secure newsletter system that serves our business interests and meets user expectations, while allowing us to demonstrate consent.

Cancellation/withdrawal: You may cancel the newsletter at any time, i.e., withdraw your consent. A cancellation link is included at the end of each newsletter. We may store unsubscribed email addresses for up to three years based on our legitimate interests to prove prior consent before deletion. Processing of this data is limited to defending potential claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed.

Hosting and Email Dispatch

The hosting services we use serve to provide infrastructure and platform services, computing capacity, storage space, database services, email dispatch, security services, and technical maintenance for operating this online offering.

In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, and meta/communication data of customers, prospects, and visitors on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (processing agreement).

Collection of Access Data and Log Files

We or our hosting provider collect data on each access to the server on which this service is located (server log files) based on our legitimate interests pursuant to Article 6(1)(f) GDPR. Access data include the name of the accessed website, file, date and time of access, data volume transferred, message of successful retrieval, browser type and version, operating system, referrer URL, IP address, and requesting provider.

Log file information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum of seven days and then deleted. Data required for evidentiary purposes are excluded from deletion until final clarification of the incident.

Online Presences in Social Media

We maintain online presences within social networks and platforms to communicate with customers, prospects, and users active there and to inform them about our services.

User data may be processed outside the EU, which may involve risks such as more difficult enforcement of user rights. U.S. providers certified under Privacy Shield commit to complying with EU data protection standards.

User data are generally processed for market research and advertising purposes. Usage profiles may be created based on user behavior and interests and used to display interest-based advertising. Cookies are typically stored on users’ devices, and data may be stored across devices if users are logged into the respective platforms.

Processing is based on our legitimate interests pursuant to Article 6(1)(f) GDPR. If consent is requested by platform providers, the legal basis is Article 6(1)(a) and Article 7 GDPR.

For details on processing and opt-out options, please refer to the providers’ privacy policies. Requests for information and assertion of rights are most effectively addressed directly to the providers, as they have direct access to user data. If you need assistance, you may contact us.