• DE

Data Protection

Privacy policy for the website in accordance with the provisions of the GDPR

Name and address of the controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) and the applicable national data protection laws and other data protection regulations is:

northern lights text & kommunikation GmbH
Represented by the managing director Reinhard Ilg
Oelkersallee 33
22769 Hamburg
Germany
Phone: +49 (0) 172 433 4120
Email: r.ilg@northernlights.de
Website: www.northernlights.de

Name and address of the data protection officer

Reinhard Ilg
Oelkersallee 33
22769 Hamburg
Germany
Phone: +49 (0) 172 433 4120
Email: r.ilg@northernlights.de

Types of data processed

- Inventory data (e.g., personal master data, names or addresses).
- Contact data (e.g., e-mail, telephone numbers).
- Content data (e.g., text entries, photographs, videos).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).

Categories of data subjects

Visitors and users of the online offer (hereinafter we also refer to the data subjects collectively as "users").

Purpose of the processing

- Provision of the website, its functions, and content.
- Answering contact inquiries and communicating with users.
- Security measures.
- Reach measurement/marketing

Terminology used

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means. The term is broad and covers practically any handling of data.

"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

"Controller" means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Relevant legal bases

By Art. 13 GDPR, we inform you of the legal basis of our data processing. For users from the area of application of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, the following applies if the legal basis is not mentioned in the data protection declaration:

  • The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR;
  • The legal basis for processing the fulfilment of our services and implementation of contractual measures as well as answering enquiries is Art. 6 para. 1 lit. b GDPR;
  • The legal basis for processing the fulfillment of our legal obligations is Art. 6 para. 1 lit. c GDPR;
  • If the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
  • The legal basis for the processing necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller is Art. 6 para. 1 lit. e GDPR.
  • The legal basis for processing to safeguard our legitimate interests is Art. 6 para. 1 lit. f GDPR.
  • The processing of data for purposes other than those for which they were collected is governed by the provisions of Art. 6 para. 4 GDPR.
  • The processing of special categories of data (by Art. 9 para. 1 GDPR) is governed by the provisions of Art. 9 para. 2 GDPR.
Security measures

We take appropriate technical and organizational measures by the legal requirements, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as the access, input, disclosure, safeguarding of availability, and separation of the data. Furthermore, we have established procedures to ensure that the rights of data subjects are exercised, data is deleted and we respond to data threats. Furthermore, we take the protection of personal data into account as early as the development and selection of hardware, software, and processes, by the principle of data protection through technology design and data protection-friendly default settings.

Cooperation with processors, joint controllers, and third parties

If we disclose data to other persons and companies (processors, joint controllers, or third parties) as part of our processing, transfer it to them, or otherwise grant them access to the data, this is only done based on legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary to fulfill a contract), users have consented, a legal obligation provides for this or based on our legitimate interests (e.g. when using agents, web hosts, etc.).

If we disclose, transfer, or otherwise grant access to data to other companies in our group of companies, this is done in particular for administrative purposes as a legitimate interest and, in addition, on a basis corresponding to the legal requirements.

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to other persons or companies, this will only take place if it is done to fulfill our (pre)contractual obligations, based on your consent, based on a legal obligation or the basis of our legitimate interests. Subject to legal or contractual authorizations, we only process or leave the data in a third country if the legal requirements are met. This means, for example, that the processing takes place based on special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU (e.g. for the USA through the "Privacy Shield") or compliance with officially recognized special contractual obligations.

Rights of the data subjects

You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data by the legal requirements.

You have the right to request the completion of data concerning you or the correction of incorrect data concerning you by the legal requirements.

By the legal requirements, you have the right to demand that the data in question be deleted immediately or to demand that the processing of the data be restricted by the legal requirements.

You have the right to request that the data concerning you that you have provided to us be received by the legal requirements and to request that it be transferred to other data controllers.

You also have the right to complain to the competent supervisory authority by the statutory provisions.

Right of cancellation

You have the right to withdraw your consent with effect for the future.

Right to object

You can object to the future processing of data concerning you at any time by the legal requirements. In particular, you may object to processing for direct marketing purposes.

Cookies and the right to object to direct marketing

"Cookies" are small files that are stored on users' computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an online service and closes their browser. The content of a shopping basket in an online shop or a login status, for example, can be stored in such a cookie. "Permanent" or "persistent" cookies are cookies that remain stored even after the browser is closed. For example, the login status can be saved if the user visits the website after several days. The interests of users can also be stored in such a cookie and used for reach measurement or marketing purposes. "Third-party cookies" are cookies that are offered by providers other than the controller who operates the online service (otherwise, if they are only their cookies, they are referred to as "first-party cookies").

We may use temporary and permanent cookies and clarify this in our privacy policy.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

A general objection to the use of cookies for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/oder the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be achieved by switching them off in the browser settings. Please note that you may then not be able to use all the functions of this website.

Deletion of data

The data processed by us will be deleted or restricted in its processing by the legal requirements. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Changes and updates to the privacy policy

We ask you to inform yourself regularly about the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

Agency services

We process our customers' data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software, and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services.

We process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., the subject matter of the contract, term), payment data (e.g., bank details, payment history), usage and metadata (e.g., in the context of analyzing and measuring the success of marketing measures). In principle, we do not process special categories of personal data unless these are part of commissioned processing. The data subjects include our customers, interested parties and their customers, users, website visitors or employees as well as third parties. The purpose of the processing is the provision of contractual services, billing, and customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization, security measures). We process data that is required for the justification and fulfillment of contractual services and point out the necessity of its disclosure. Disclosure to external parties only takes place if it is necessary in the context of an order. When processing the data provided to us as part of an order, we act according to the instructions of the client and the legal requirements of order processing by Art. 28 GDPR and do not process the data for any purposes other than those specified in the order.

We delete the data after the expiry of the statutory warranty and comparable obligations. The necessity of storing the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (6 years, by Section 257 (1) HGB, 10 years, by Section 147 (1) AO). In the case of data disclosed to us by the client as part of an order, we delete the data to the specifications of the order, generally after the end of the order.

Administration, financial accounting, office organization, contact management

We process data as part of administrative tasks and the organization of our business, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process as part of the provision of our contractual services. The processing bases are Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners, and website visitors are affected by the processing. The purpose and our interest in the processing lie in the administration, financial accounting, office organization, and archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks, and provide our services. The deletion of data about contractual services and contractual communication corresponds to the information specified in these processing activities.

We disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee centers and payment service providers.

We also store information on suppliers, event organizers, and other business partners based on our business interests, e.g. to contact them at a later date. We generally store this mainly company-related data permanently.

Data protection information in the application process

We process the applicant data only for the purpose and within the scope of the application procedure by the legal requirements. Applicant data is processed to fulfill our (pre-)contractual obligations as part of the application process within the meaning of Art. 6 para. 1 lit. b. GDPR Art. 6 para. 1 lit. f. GDPR if the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, § 26 BDSG also applies).

The application process requires that applicants provide us with the applicant data. If we offer an online form, the necessary applicant data is labeled, otherwise it results from the job descriptions and includes personal details, postal and contact addresses, and the documents belonging to the application, such as cover letter, CV, and certificates. Applicants can also voluntarily provide us with additional information.

By submitting their application to us, applicants consent to the processing of their data for the application process by the type and scope set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out by Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR is requested from applicants as part of the application process, their processing is also carried out by Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).

If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form by the state of the art.
Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. We therefore cannot accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending it by post. Instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post.

The data provided by applicants may be processed by us for the employment relationship if the application is successful. Otherwise, if the application for a job offer is unsuccessful, the applicant's data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified cancellation by the applicant, the deletion will take place after six months so that we can answer any follow-up questions about the application and fulfill our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived by tax regulations.

Making contact

When contacting us (e.g. by contact form, e-mail, telephone, or via social media), the user's details will be used to process the contact inquiry and its handling by Art. 6 para. 1 lit. b. GDPR. (in the context of contractual/pre-contractual relationships), Art. 6 para. 1 lit. f. (other inquiries) GDPR. The user's details may be stored in a customer relationship management system ("CRM system") or comparable inquiry organization.

We delete the inquiries if they are no longer required. We review the necessity every two years; the statutory archiving obligations also apply.

Hosting and e-mail dispatch

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services, and technical maintenance services that we use to operate this online offering.

In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, and meta and communication data of customers, interested parties, and visitors to this online offer based on our legitimate interests in the efficient and secure provision of this online offer by Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of contract). Art. 28 GDPR (conclusion of order processing contract).

Collection of access data and log files

We, or our hosting provider, collect based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type, and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for a maximum of 7 days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Online presence in social media

We maintain an online presence within social networks and platforms to communicate with the customers, interested parties, and users active there and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. About US providers that are certified under the Privacy Shield, we would like to point out that they thereby undertake to comply with the data protection standards of the EU.

Furthermore, user data is generally processed for market research and advertising purposes. For example, user profiles can be created from user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts inside and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are generally stored on the user's computer, in which the user's usage behavior and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

The processing of users' data is based on our legitimate interests in effective user information and communication with users by Art. 6 para. 1 lit. f. GDPR. GDPR. If the users are asked by the respective providers of the platforms for consent to the data processing described above, the legal basis for the processing is Art. 6 para. 1 lit. a., Art. 7 GDPR.

For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the following linked information from the providers.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the user's data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

- Facebook, -pages, -groups, (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) based on an agreement on joint processing of personal data - Privacy Policy: https://www.facebook.com/about/privacy/, especially for pages: https://www.facebook.com/legal/terms/information_about_page_insights_data, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

- Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) - Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) - Privacy Policy/ Opt-Out: http://instagram.com/about/legal/privacy/.

- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Privacy Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.

- Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) - Privacy Policy/ Opt-Out: https://about.pinterest.com/de/privacy-policy.

- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) - Privacy Policy https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.

- Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) - Privacy Policy/ Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.

- Wakalet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) - Privacy Policy/ Opt-Out: https://wakelet.com/privacy.html.

- Soundcloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) - Privacy Policy/ Opt-Out: https://soundcloud.com/pages/privacy.

Integration of third-party services and content

Based on our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we use content or service offers from third parties within our online offer. GDPR) content or service offers from third-party providers to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").

This always presupposes that the third-party providers of this content recognize the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our online offer, as well as being linked to such information from other sources.

Vimeo

We can integrate the videos of the platform "Vimeo" of the provider Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Privacy policy: https://vimeo.com/privacy. We would like to point out that Vimeo may use Google Analytics and refer you to the privacy policy (https://policies.google.com/privacy) and opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=de) or Google's settings for data used for marketing purposes (https://adssettings.google.com/).

YouTube

We integrate the videos of the platform "YouTube" of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Instagram

Functions and content of the Instagram service, offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, may be integrated into our online offering. This may include, for example, content such as images, videos, or text and buttons with which users can share content from this online offering within Instagram. If the users are members of the Instagram platform, Instagram can assign access to the above-mentioned content and functions to the users' profiles there. Instagram privacy policy: http://instagram.com/about/legal/privacy/.

Xing

Functions and content of the Xing service, offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany, may be integrated into our online offering. This may include, for example, content such as images, videos, or texts and buttons with which users can share content from this online offering within Xing. If the users are members of the Xing platform, Xing can assign access to the above-mentioned content and functions to the users' profiles there. Privacy policy of Xing: https://privacy.xing.com/de/datenschutzerklaerung.

LinkedIn

Functions and content of the LinkedIn service, offered by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland, may be integrated into our online offering. This may include, for example, content such as images, videos, or texts and buttons with which users can share content from this online offering within LinkedIn. If the users are members of the LinkedIn platform, LinkedIn can assign access to the above-mentioned content and functions to the users' profiles there. LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy. LinkedIn is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Privacy policy: https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.