Privacy Policy

1. Definitions

We use the following terms, among others, in this privacy policy:

Personal data: Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject: Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.
Processing: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of restricting its future processing.
Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller or controller responsible for the processing: The controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: Recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party: A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent: Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Controller

The controller within the meaning of the General Data Protection Regulation is the:
UnternehmerTUM GmbH
Lichtenbergerstr.6
85748 Garching (Munich)
Germany
+49 89 541 986 9800

info@unternehmertum.de
www.unternehmertum.de

3. Data Protection Officer

The data protection officer of the controller is
Alexander Stolberg
SVF Lawyers
Oberanger 30
80331 Munich
Germany
+49 89 210 25 120

stolberg@unternehmertum.de
www.svf-law.de

Any data subject can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

4. Cookies

The Internet pages of the UnternehmerTUM GmbH use cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.
Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a character string that allows websites and servers to be assigned to the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified via the unique cookie ID.
Through the use of cookies, the UnternehmerTUM GmbH can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.
Cookies can be used to optimise the information and offers on our website for the benefit of the user. As already mentioned, cookies enable us to recognise the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to re-enter their access data each time they visit the website because this is taken over by the website and the cookie stored on the user's computer system. Another example is the cookie of a shopping basket in an online shop. The online shop remembers the items that a customer has placed in the virtual shopping basket via a cookie.
The data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programmes. This is possible in all common internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

5. Collection of general data and information

The website of the UnternehmerTUM GmbH collects a series of general data and information when a data subject or automated system calls up the website. This general data and information is stored in the server log files. The following can be recorded

browser types and versions used,
the operating system used by the accessing system,
the website from which an accessing system reaches our website (so-called referrer),
the sub-websites that are accessed via an accessing system on our website,
the date and time of access to the website,
an Internet Protocol address (IP address),
the Internet service provider of the accessing system and
other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using these general data and information, the UnternehmerTUM GmbH does not draw any conclusions about the data subject. Rather, this information is required in order to

to deliver the content of our website correctly,
optimise the content of our website and the advertising for it,
to ensure the long-term functionality of our information technology systems and the technology of our website, and
to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack.

Therefore, the UnternehmerTUM GmbH analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

Newsletter (Mailchimp)

Like many other websites, we also use the services of the newsletter company MailChimp on our website. MailChimp is operated by the company Intuit Inc, 2700 Coast Ave, Mountain View, California 94043, USA. Thanks to MailChimp, we can send you interesting news very easily by newsletter. With MailChimp, we don't have to install anything and can still draw from a pool of really useful functions. In the following, we will go into more detail about this email marketing service and inform you about the most important data protection aspects.
MailChimp is a cloud-based newsletter management service. "Cloud-based" means that we do not have to install MailChimp on our own computer or server. Instead, we use the service via an IT infrastructure - which is available via the internet - on an external server. This way of using software is also known as SaaS (Software as a Service). The following diagram shows schematically how MailChimp distributes emails to newsletter recipients.
With MailChimp, we can choose from a wide range of different e-mail types. Depending on what we want to achieve with our newsletter, we can carry out individual campaigns, regular campaigns, autoresponders (automatic emails), A/B tests, RSS campaigns (sending at a predefined time and frequency) and follow-up campaigns.
We generally use a newsletter service so that we can stay in touch with you. We want to tell you what's new with us or what attractive offers we currently have in our programme. We always look for the simplest and best solutions for our marketing measures. And that's why we opted for MailChimp's newsletter management service. Although the software is very easy to use, it offers a large number of helpful features. This allows us to create interesting and attractive newsletters in just a short time. The design templates offered allow us to personalise each newsletter and thanks to the "responsive design", our content is also displayed legibly and beautifully on your smartphone (or other mobile device).
Using tools such as the A/B test or the extensive analysis options, we can see very quickly how our newsletters are received by you. This allows us to react if necessary and improve our offer or our services.
Another advantage is MailChimp's "cloud system". The data is not stored and processed directly on our server. We can retrieve the data from external servers and thus conserve our storage space. In addition, the maintenance effort is significantly lower.
MailChimp maintains online platforms that enable us to contact you (if you have subscribed to our newsletter). If you become a subscriber to our newsletter via our website, you confirm your membership of a MailChimp email list by email. The date of registration and your IP address are stored so that MailChimp can also prove that you have registered with the "list provider". MailChimp also stores your email address, name, physical address and demographic information such as language or location at .
This information is used to send you emails and to enable certain other MailChimp functions (such as analysing the newsletter).
MailChimp also shares information with third parties to provide better services. MailChimp also shares some data with third-party advertising partners to better understand the interests and concerns of its customers in order to provide more relevant content and targeted advertising.
Using so-called "web beacons" (small graphics in HTML emails), MailChimp can determine whether the email has arrived, whether it has been opened and whether links have been clicked on. All this information is stored on the MailChimp servers. This provides us with statistical analyses and allows us to see exactly how well our newsletter was received by you. In this way, we can customise our offer much better to your wishes and improve our service.
MailChimp may also use this data to improve its own service. This can be used, for example, to technically optimise the sending process or to determine the location (country) of the recipient.
It may happen that you open our newsletter via a link provided for better display. This is the case, for example, if your email programme is not working or the newsletter is not displayed correctly. The newsletter will then be displayed via a MailChimp website. MailChimp also uses cookies (small text files that store data on your browser) on its own websites. Personal data may be processed by MailChimp and its partners (e.g. Google Analytics). This data collection is the responsibility of MailChimp and we have no influence over it. In MailChimp's "Cookie Statement" you can find out exactly how and why the company uses cookies.
As MailChimp is an American company, all data collected is also stored on American servers.
In principle, the data remains permanently stored on MailChimp's servers and is only deleted if you request this. You can have your contact deleted by us. This will permanently remove all your personal data for us and anonymise you in the MailChimp reports. However, you can also request the deletion of your data directly from MailChimp. All your data will then be removed there and we will receive a notification from MailChimp. After we receive the email, we have 30 days to delete your contact from all connected integrations.
You can withdraw your consent to receive our newsletter at any time by clicking on the link at the bottom of the email you receive. If you have unsubscribed by clicking on the unsubscribe link, your data will be deleted from MailChimp.
If you access a MailChimp website via a link in our newsletter and cookies are set in your browser, you can delete or deactivate and manage these cookies at any time. Under the section "Cookies" you will find the corresponding links to the respective instructions for the most popular browsers.
If you generally do not want to have cookies, you can set up your browser so that it always informs you when a cookie is to be set. This allows you to decide for each individual cookie whether you want to allow it or not.
Our newsletter is sent by MailChimp on the basis of your consent (Article 6(1)(a) GDPR). This means that we may only send you a newsletter if you have actively subscribed to it beforehand. If consent is not required, the newsletter will be sent on the basis of our legitimate interest in direct marketing (Article 6(1)(f)), insofar as this is permitted by law. We record your registration process so that we can always prove that it complies with our laws.
MailChimp also processes your data in the USA, among other places. MailChimp and Inuit are active participants in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this here.
In addition, MailChimp uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the standard contractual clauses, MailChimp undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.
The Mailchimp data processing conditions (Data Processing Addendum), which correspond to the standard contractual clauses, can be found here.
You can find out more about the use of cookies at MailChimp here, information on data protection at MailChimp (Privacy) can be found here.

7. Craft CMS (ATTENTION: NOT CERTIFIED BY PRIVACY FRAMEWORK)

We use Craft CMS from Pixel & Tonic (20832 SE Humber Bend, OR 97702 USA) to manage the content of our website.
Craft CMS provides secure communication facilities between your browser and our server and uses cookies for basic internet applications. Craft CMS cookies do not collect IP addresses or any personal or sensitive information. The information stored by cookies is not sent to Pixel & Tonic or to third parties.
The standard cookies from Craft CMS are only used for communication with the Craft installation for the purpose of user authentication, form validation/security and basic web application operations.
The "CRAFT_CSRF_TOKEN" cookie is set when you access parts of the website with an integrated form and is stored for the duration of this access. The legal basis for this is a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.
We have concluded an order processing contract with this company in accordance with Art. 28 GDPR.
More information about data protection standards at Craft CMS can be found here.

8. Contact option via the website

The website of the UnternehmerTUM GmbH contains information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the data controller by email or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller are stored for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties.

9. Typeform

We use Typeform, a survey software, for our website. The service provider is the Spanish company Typeform, 163 Carrer de Bac de Roda, Barcelona, Spain. You can find out more about the data processed through the use of Typeform in the privacy policy here.

10. Applications, application process and talent pool

The data controller collects and processes the personal data of applicants for the purpose of handling the application process. This involves processing personal data that the applicant has provided to UnternehmerTUM (CV, certificates, questionnaires, interviews, previous activities) or job-related information that the controller has obtained from publicly accessible sources (e.g. professional social media networks, website with application, etc.).
This also includes information that is publicly accessible and contains work-related data, such as a profile on professional social media networks.
Processing may also be carried out electronically. This is particularly the case if an applicant submits relevant application documents electronically, for example by e-mail, to the controller.

If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, unless deletion conflicts with any other legitimate interests of the controller.
Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Talent pool
The talent pool is used to match your applicant profile with suitable future positions. In the event of a match, we will contact you again.
If you expressly wish to be included in our talent pool by confirming "storage in the talent pool" in an e-mail after rejection, we will store your data for a maximum of 12 months until cancellation. You will be informed one month before expiry and can thus extend the storage of your data in the talent pool by a further 12 months. After expires, your data will be deleted automatically and without separate notification.
The legal basis for the processing of your application documents is Art. 6 para. 1 sentence 1 lit. b and Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG.
Personio
The data you enter in the application form is transferred via an interface (API) to our HR software Personio of
Personio SE & Co KG,
Seidlstraße 3,
80335 Munich
(hereinafter referred to as "Personio").
You can find Personio's privacy policy here.

Personio uses Amazon Web Services Europe (AWS) as its hosting provider. According to Personio, the AWS data centres are DIN ISO/IEC 27001 and DIN ISO/IEC 27018 certified and guarantee the highest level of data protection security. In addition, all customer data is stored on servers within the European Union. Personio states that it takes additional technical and organisational measures to ensure the security of processing. Further information can be found here.

We have concluded an order processing contract with Personio. The legal basis for data processing is Art. 6 para. 1 lit. b GDPR.

11. Routine erasure and blocking of personal data

The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to.
If the storage purpose no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be routinely blocked or erased in accordance with the statutory provisions.

12. Your rights

Every data subject has the right

for information in accordance with Article 15 GDPR
the right to rectification in accordance with Article 16 GDPR
the right to erasure in accordance with Article 17 GDPR
the right to restriction of processing in accordance with Article 18 GDPR
the right to object under Article 21 GDPR and
the right to data portability under Article 20 GDPR.

The restrictions under Sections 34 and 35 BDSG apply to the right to information and the right to erasure. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with & 19 BDSG).
You can revoke your consent to the processing of personal data at any time.
Please note that the cancellation is only effective for the future. Processing that took place before the cancellation is not affected.

13. Data protection: social networks

Instagram
We have integrated Instagram functions on our website. Instagram is a social media platform of the company Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA.
Instagram has been a subsidiary of Meta Platforms Inc. since 2012 and is a Facebook product. Embedding Instagram content on our website is called embedding. This allows us to show you content such as buttons, photos or videos from Instagram directly on our website. When you visit web pages on our website that have an Instagram function integrated, data is transmitted to Instagram, stored and processed. Instagram uses the same systems and technologies as Facebook. Your data is therefore processed across all Facebook companies.
When you visit one of our pages that has Instagram functions (such as Instagram images or plug-ins), your browser automatically connects to Instagram's servers. In the process, data is sent to Instagram, stored and processed. This happens regardless of whether you have an Instagram account or not. This includes information about our website, your computer, purchases made, adverts you see and how you use our website. The date and time of your interaction with Instagram is also stored. If you have an Instagram account or are logged in, Instagram stores significantly more data about you.
Facebook distinguishes between customer data and event data. We assume that this is exactly the case with Instagram. Customer data includes, for example, name, address, telephone number and IP address. This customer data is only transmitted to Instagram once it has been hashed. Hashing means that a data record is converted into a character string. This allows the contact data to be encrypted. The "event data" mentioned above is also transmitted. By "event data", Facebook - and consequently Instagram - means data about your user behaviour. Contact data may also be combined with event data. The contact data collected is compared with the data that Instagram already has about you.
The collected data is transmitted to Facebook via small text files (cookies), which are usually set in your browser. Depending on the Instagram functions used and whether you have an Instagram account yourself, different amounts of data are stored.
We assume that Instagram processes data in the same way as Facebook. This means that if you have an Instagram account or have visited www.instagram.com, Instagram has at least set a cookie. If this is the case, your browser sends information to Instagram via the cookie as soon as you come into contact with an Instagram function. This data is deleted or anonymised after 90 days at the latest (after reconciliation). Although we have intensively analysed Instagram's data processing, we cannot say exactly what data Instagram collects and stores.
Below we will show you the minimum cookies that are set in your browser when you click on an Instagram function (such as a button or an Insta image). In our test, we assume that you do not have an Instagram account. If you are logged in to Instagram, significantly more cookies will of course be set in your browser.
Instagram shares the information received between the Facebook companies with external partners and with people you connect with worldwide. Data processing is carried out in compliance with our own data policy. For security reasons, among others, your data is distributed on Facebook servers around the world. Most of these servers are located in the USA.
You have the right to information, portability, correction and deletion of your data. You can manage your data in the Instagram settings. If you want to completely delete your data on Instagram, you must permanently delete your Instagram account.
Instagram also processes your data in the USA, among other places. Instagram or Meta Platforms is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data of EU citizens to the USA. You can find more information on this here.
Instagram also uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the standard contractual clauses, Instagram undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.
We have tried to provide you with the most important information about data processing by Instagram. You can find out more about Instagram's data policy at https://privacycenter.instagram.com/policy/.
Facebook
We use selected tools from Facebook on our website. Facebook is a social media network of the company Meta Platforms Inc. or, for the European region, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With the help of these tools, we can offer you and people who are interested in our products and services the best possible offer.
If data is collected and forwarded from you via our embedded Facebook elements or via our Facebook page (fan page), both we and Facebook Ireland Ltd. are responsible for this. Facebook is solely responsible for the further processing of this data. Our joint obligations are also out in a publicly accessible agreement here. This states, for example, that we must clearly inform you about the use of Facebook tools on our site. Furthermore, we are also responsible for ensuring that the tools are securely integrated into our website in accordance with data protection law. Facebook, on the other hand, is responsible for the data security of Facebook products, for example. If you have any questions about data collection and data processing by Facebook, you can contact the company directly. If you address the question to us, we are obliged to forward it to Facebook.
Below we provide an overview of the various Facebook tools, what data is sent to Facebook and how you can delete this data.
In addition to many other products, Facebook also offers the so-called "Facebook Business Tools". This is the official term used by Facebook. However, as the term is hardly known, we have decided to simply call them Facebook tools. These include, among others:
•    Facebook pixel
•    social plug-ins (such as the "Like" or "Share" button)
•    Facebook Login
•    Account Kit
•    APIs (programming interface)
•    SDKs (collection of programming tools)
•    Platform integrations
•    Plugins
•    Codes
•    Specifications
•    Documentations
•    Technologies and services
Through these tools, Facebook is expanding its services and has the opportunity to obtain information about user activities outside of Facebook.
We only want to show our services and products to people who are really interested in them. We can reach precisely these people with the help of adverts (Facebook ads). However, Facebook needs information about people's wishes and needs in order to show users suitable adverts. The company is therefore provided with information about user behaviour (and contact details) on our website. As a result, Facebook collects better user data and can show interested people suitable adverts about our products and services. The tools thus enable customised advertising campaigns on Facebook.
Facebook calls data about your behaviour on our website "event data". This is also used for measurement and analysis services. Facebook can thus create "campaign reports" on our behalf about the impact of our advertising campaigns. Furthermore, analyses give us a better insight into how you use our services, website or products. This allows us to optimise your user experience on our website with some of these tools. For example, you can use the social plug-ins to share content on our site directly on Facebook.
By using individual Facebook tools, personal data (customer data) can be sent to Facebook. Depending on the tools used, customer data such as name, address, telephone number and IP address may be sent.
Facebook uses this information to match the data with the data it has about you (if you are a Facebook member). Before customer data is transmitted to Facebook, it is hashed. This means that a data set of any size is transformed into a character string. This also serves to encrypt data.
In addition to the contact data, "event data" is also transmitted. "Event data" refers to the information we receive about you on our website. For example, which subpages you visit or which products you buy from us. Facebook does not share the information it receives with third parties (such as advertisers) unless the company has explicit authorisation or is legally obliged to do so. "Event data" can also be linked to contact details. This allows Facebook to offer better personalised advertising. After the aforementioned matching process, Facebook deletes the contact data again.
In order to optimise the delivery of advertisements, Facebook only uses the event data if it has been combined with other data (collected by Facebook in other ways). Facebook also uses this event data for security, protection, development and research purposes. Much of this data is transferred to Facebook via cookies. Cookies are small text files that are used to store data or information in browsers. Depending on the tools used and whether you are a Facebook member, different numbers of cookies are stored in your browser. We go into more detail about individual Facebook cookies in the descriptions of the individual Facebook tools. You can also find general information about the use of Facebook cookies at https://www.facebook.com/policies/cookies.
In principle, Facebook stores data until it is no longer needed for its own services and Facebook products. Facebook has servers all over the world where its data is stored. However, customer data is deleted within 48 hours after it has been compared with the company's own user data.
In accordance with the General Data Protection Regulation, you have the right to information, correction, transferability and deletion of your data.
The data that Facebook receives via our site is stored using cookies (e.g. for social plugins), among other things. You can deactivate, delete or manage individual or all cookies in your browser. Depending on which browser you use, this works in different ways. In the "Cookies" section, you will find the relevant links to the instructions for the most popular browsers.
If you generally do not want to have cookies, you can set up your browser so that it always informs you when a cookie is to be set. This allows you to decide for each individual cookie whether you want to allow it or not.
If you have consented to your data being processed and stored by integrated Facebook tools, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. Nevertheless, we only use the tools if you have given your consent. Most social media platforms also set cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and take a look at Facebook's privacy policy or cookie guidelines.
Facebook also processes your data in the USA, among other places. Facebook or Meta Platforms is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this here.
Facebook also uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the standard contractual clauses, Facebook undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.
The Facebook data processing conditions, which refer to the standard contractual clauses, can be found here.
We hope we have provided you with the most important information about the use and data processing by the Facebook tools. If you would like to find out more about how Facebook uses your data, we recommend that you read the data policy.

YouTube
This website embeds videos from the YouTube website. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. For example, YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.
As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube can store various cookies on your end device after starting a video or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts.
After the start of a YouTube video, further data processing operations may be triggered over which we have no influence.
The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Further information about data protection at YouTube can be found in their privacy policy at: https://policies.google.com/privacy?hl=de.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link.

14. Google Analytics 4

This website uses Google Analytics 4, a web analysis service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), which enables your use of our website to be analysed.
By default, Google Analytics sets 4 cookies when you visit the website, which are stored as small text modules on your end device and collect certain information. The scope of this information also includes your IP address, which, however, is shortened by Google by the last digits in order to exclude a direct personal reference.
The information is transferred to Google servers and processed there. Transmission to Google LLC, based in the USA, is also possible. Google uses the information collected on our behalf to analyse your use of the website, to compile reports on website activity for us and to provide other services relating to website activity and internet usage. The abbreviated IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The data collected as part of the use of Google Analytics 4 is stored for a period of two months and then deleted.
All processing described above, in particular the setting of cookies on the terminal device used, will only take place if you have given us your express consent to do so in accordance with Art. 6 para. 1 lit. a GDPR.
Without your consent, Google Analytics 4 will not be used during your visit to our website. You can revoke your consent at any time with effect for the future. To exercise your right of cancellation, please deactivate this service using the "cookie consent tool" provided on the website.
We have concluded an order processing contract with Google, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties.
Further legal information on Google Analytics 4 can be found here
https://policies.google.com/privacy?hl=de&gl=de and https://policies.google.com/technologies/partner-sites

Google Analytics 4 uses the special function "demographic characteristics" and can use it to create statistics that make statements about the age, gender and interests of site visitors. This is done by analysing advertising and information from third-party providers. This allows target groups to be identified for marketing activities. However, the data collected cannot be assigned to a specific person and is deleted after being stored for a period of two months.
As an extension to Google Analytics 4, Google Signals can be used on this website to generate cross-device reports. If you have activated personalised ads and have linked your devices to your Google account, Google can analyse your usage behaviour across devices and create database models, including for cross-device conversions, subject to your consent to the use of Google Analytics in accordance with Art. 6 para. 1 lit. a GDPR. We do not receive any personal data from Google, only statistics. If you wish to stop the cross-device analysis, you can deactivate the "Personalised advertising" function in the settings of your Google account. To do this, follow the instructions on this page: https:
Further information on Google Signals can be found at the following link: https://support.google.com/analytics/answer/7532985?hl=de

As an extension to Google Analytics 4, the "UserIDs" function can be used on this website. If you have consented to the use of Google Analytics 4 in accordance with Art. 6 para. 1 lit. a GDPR, have set up an account on this website and log in with this account on different devices, your activities, including conversions, can be analysed across devices.
For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

15. Google Maps

This website uses an online map service from the following provider: Google Maps (API) from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
Google Maps is a web service for displaying interactive (land) maps in order to visualise geographical information. Using this service will show you our location and make it easier for you to find us.
Information about your use of our website (such as your IP address) is transmitted to Google servers and stored there as soon as you access the subpages in which the Google Maps map is integrated; this information may also be transmitted to the servers of Google LLC. in the USA. This occurs regardless of whether Google provides a user account through which you are logged in or whether a user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your Google profile, you must log out before activating the button. Google stores your data (even for users who are not logged in) as usage profiles and analyses them.
The collection, storage and evaluation are carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of Google's legitimate interest in the display of personalised advertising, market research and/or the needs-based design of Google websites. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right. If you do not agree to the future transmission of your data to Google in connection with the use of Google Maps, you can also completely deactivate the Google Maps web service at by switching off the JavaScript application in your browser. Google Maps and thus also the map display on this website can then not be used.
Insofar as legally required, we have obtained your consent to the processing of your data as described above in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future. To exercise your right of revocation, please follow the option described above for making an objection.

16. Hubspot

We use the Hubspot service. Hubspot is a software company from the USA with a branch in Ireland (2nd Floor 30 North Wall Quay, Dublin 1, Ireland, phone: +353 1 5187500). This is software that we use for customer relationship management (CRM) and for contacting us via a contact form.
In order to optimise our marketing activities, the following data may be collected and processed via Hubspot:
•    Geographical location
•    Browser type
•    Navigation information
•    Reference URL
•    Performance data
•    Information on how often the application is used
•    Mobile apps data
•    Login information for the HubSpot subscription service
•    Files that are displayed on site
•    Domain names
•    Pages viewed
•    Aggregated usage Version of the operating system
•    Internet service provider
•    IP address
•    Device identification
•    Duration of the visit
•    Where the application was downloaded from
•    Operating system
•    Events that occur within the application
•    Access times
•    Clickstream data
•    Device model and version
As part of data processing by Hubspot, data may be transferred to the USA. The security of the transfer is ensured by so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, consent will be obtained from you in advance in accordance with Art. 49 para. 1 lit. a GDPR as part of the consent management system on our website (data protection settings).
We use HubSpot on our website to provide contact forms. The data entered in the form is transmitted to Hubspot.
For this purpose, we forward your data to HubSpot, which processes the data exclusively on our behalf.
Consequently, when a contact form is sent to us, personal data may be transmitted to service providers in third countries. These third countries do not have an adequate level of data protection. If data is transferred to the USA, there is a risk that your data may be processed by US authorities for control and monitoring purposes without you having any legal recourse. The security of the transfer is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, your acknowledgement of the data protection declaration in the contact forms is deemed to be consent within the meaning of Art. 49 para. 1 lit. a GDPR, which justifies a data transfer to insecure third countries.
The legal basis for processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. If you do not want Hubspot to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

17. Salesforce

We use Salesforce on our website, a service for our customer relationship management (CRM). The service provider is the American company Salesforce, Inc, One Market Street, Suite 300, San Francisco, CA 94105, USA.

Salesforce also processes your data in the USA, among other places. Salesforce is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this here.
In addition, Salesforce uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Salesforce undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
The data processing conditions (Data Processing Addendum), which correspond to the standard contractual clauses, can be found at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf.
You can find out more about the data processed through the use of Salesforce in the Privacy Policy at https://www.salesforce.com/de/company/privacy/.

18. Wonderlink

We use Wonderlink technology from Seyffert mit Himmelspach GmbH, Boppstrasse 10, 10967 Berlin, Germany, to create the link tree that takes users of our social media channels to our privacy policy, among other things.
Wonderlink does not use cookies or other technologies to create user profiles or to analyse user data in any way.
The use of this service is in our legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR in a legally compliant use of social media platforms.
You can contact Seyffert mit Himmelspach GmbH regarding data protection issues via the e-mail address support(at)wonderlink.de.
Here you can find more information about Wonderlink and the privacy policy of Seyffert mit Himmelspach GmbH.

19. Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de

20. events and pictures

If you attend an event organised by UnternehmerTUM GmbH, personal data will be processed for the purpose of organising the event in accordance with the following information.
In particular, the following categories of personal data may be processed for the organisation of the event:
•    Name and contact details (e-mail, telephone)
•    Information on the employment relationship (legal company, job title)
•    Dates for participation in workshops
•    Event pictures
•    Data on participation in the event as such
If you provide personal data of other persons as part of the registration process, you agree that it is your responsibility to obtain the consent of these third parties in accordance with the applicable law.
Our events are regularly accompanied by photographers or film teams who take pictures or video recordings ("recordings") of the event. The production and publication of the event recordings is based on the legitimate interest of the controller in illustrated reporting, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail (Art. 6 para. 1 sentence 1 lit. f GDPR).
The recordings are made for the purpose of public relations and published on our website, our social media channels or on the event website.

21. Vimeo

We also use videos from the company Vimeo on our website. The video portal is operated by Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA. With the help of a plug-in, we can show you interesting video material directly on our website. Certain data may be transferred from you to Vimeo. In this privacy policy, we show you what data is involved, why we use Vimeo and how you can manage or prevent your data or data transfer.
Vimeo is a video platform that was founded in 2004 and has enabled the streaming of videos in HD quality since 2007. Since 2015, it has also been possible to stream in 4k Ultra HD. The portal is free to use, but paid content can also be published. Compared to the market leader YouTube, Vimeo prioritises high-quality content in good quality. For example, the portal offers a lot of artistic content such as music videos and short films, but also informative documentaries on a wide range of topics.
When you access a page on our website that has a Vimeo video embedded, your browser connects to the Vimeo servers. This results in a data transfer. This data is collected, stored and processed on the Vimeo servers. Regardless of whether you have a Vimeo account or not, Vimeo collects data about you. This includes your IP address, technical information about your browser type, your operating system or very basic device information. Furthermore, Vimeo stores information about which website you use the Vimeo service and which actions (web activities) you perform on our website. These web activities include, for example, session duration, bounce rate or which button you clicked on our website with built-in Vimeo function. Vimeo can track and store these actions with the help of cookies and similar technologies.
If you are logged in to Vimeo as a registered member, more data can usually be collected, as more cookies may already have been set in your browser. In addition, your actions on our website will be directly linked to your Vimeo account. To prevent this, you must log out of Vimeo while "surfing" on our website.
Below we show you the cookies that are set by Vimeo when you are on a website with an integrated Vimeo function. This list is not exhaustive and assumes that you do not have a Vimeo account.
Vimeo uses this data, among other things, to improve its own service, to communicate with you and to implement its own targeted advertising measures. Vimeo emphasises on its website that only first-party cookies (i.e. cookies from Vimeo itself) are used for embedded videos as long as you do not interact with the video.
Vimeo is headquartered in White Plains in the state of New York (USA). However, the services are offered worldwide. The company uses computer systems, databases and servers in the USA and other countries. Your data can therefore also be stored and processed on servers in America. The data remains stored by Vimeo until the company no longer has a commercial reason for storing it. The data is then deleted or anonymised.
You always have the option of managing cookies in your browser according to your wishes. For example, if you do not want Vimeo to set cookies and thus collect information about you, you can delete or deactivate cookies in your browser settings at any time. This works a little differently depending on your browser. Please note that various functions may no longer be fully available after deactivating/deleting cookies. In the "Cookies" section, you will find the relevant links to the instructions for the most popular browsers.
If you are a registered Vimeo member, you can also manage the cookies used in the Vimeo settings.
If you have consented to your data being processed and stored by integrated Vimeo elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. Nevertheless, we only use the integrated Vimeo elements if you have given your consent. Vimeo also sets cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and consult the privacy policy or cookie guidelines of the respective service provider.
Vimeo also processes your data in the USA, among other places. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This may entail various risks for the legality and security of data processing.
Vimeo uses so-called standard contractual clauses (= Art. 46. para. 2 and 3 GDPR) as the basis for data processing with recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer to these countries. Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, Vimeo undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
You can find more information on the standard contractual clauses at Vimeo at https://vimeo.com/privacy#international_data_transfers_and_certain_user_rights

22. Legal bases

We only process your data if at least one of the following conditions applies:
a)    Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you have entered in a contact form.
b)    Contract (Article 6(1)(b) GDPR): In order to fulfil a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase contract with you, we need personal information in advance.
c)    Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to keep invoices for accounting purposes. These usually contain personal data.
d)    Legitimate interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website securely and efficiently. This processing is therefore a legitimate interest.
Other conditions such as the fulfilment of recording in the public interest and the exercise of official authority as well as the protection of vital interests do not generally apply to us at . If such a legal basis is relevant, it will be indicated at the appropriate point.

23. legitimate interests of the controller in the processing

Where the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.

24. Ticketing (ECENT)

We use the ticketing platform of:

ECENT GmbH
Zentnerstr. 1,
80798 Munich.

You can find Ecent's terms and conditions here: https://ecent.eu/agb. You can find more information about Ecent's data protection here: https://ecent.eu/datenschutz

25. Pretix

Within our event offer, functions and contents of the service pretix are offered, provided by:

rami.io GmbH
Berthold-Mogel-Straße 1
69126 Heidelberg
Heidelberg, Germany

This includes the ticket shop, which is integrated via a JavaScript widget. When you buy a ticket, pretix uses a technically necessary cookie to enable the ordering process and to remember which shopping basket belongs to you. The cookie is set as soon as you interact with the widget. pretix does not store IP addresses, browser information or other unnecessary metadata beyond the duration of your request. Further information on data protection at pretix can be found here: pretix.eu/about/en/privacy

26. Eventbrite

We use Eventbrite, an online platform for event and ticket management, for our website. The service provider is the American company Eventbrite Inc, 535 Mission Street, 8th Floor, San Francisco, CA 94103, USA. For European legislation, the American company is represented by the Irish company Eventbrite Operations Limited (97 South Mall Cork, T12 XV54, Ireland).
Eventbrite also processes your data in the USA, among other places. Eventbrite is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data of EU citizens to the USA. You can find more information on this at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
Eventbrite also uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Eventbrite undertakes to comply with the European level of data protection when processing your relevant data at , even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
You can find more information on the standard contractual clauses at Eventbrite in the data processing conditions at https://www.eventbrite.com/support/articles/en_US/Troubleshooting/data-processing-addendum-for-organizers?lg=en_US.

27. Duration of data storage

The criterion for the duration of the storage of personal data is the respective statutory retention period. Once this period has expired, the corresponding data is routinely deleted, provided it is no longer required for the fulfilment or initiation of a contract.

28. TLS encryption

We use HTTPS (the Hypertext Transfer Protocol Secure stands for "secure hypertext transfer protocol") to transmit data tap-proof on the Internet.
This means that the complete transmission of all data from your browser to our web server is secured.
We have thus introduced an additional layer of security and fulfil data protection by design (Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the Internet, we can ensure the protection of confidential data. If you would like to know more about encryption, we recommend a Google search for "Hypertext Transfer Protocol Secure wiki" to find good links to further information.

29. Existence of automated decision-making

As a responsible company, we do not use automated decision-making or profiling.

30. Zapier (ATTENTION: NOT CERTIFIED BY PRIVACY FRAMEWORK!)

To integrate various databases and tools, we use Zapier, a service provided by Zapier Inc, 548 Market St #62411, San Francisco, California 94104, USA. Customer data, with the exception of payment data, may be transmitted. Further information on data protection at Zapier can be found at https://zapier.com/privacy/

31.Duration of data storage

Status: 01/05/2025