skip to main content

Data protection

Cookie settings

Under the following links you can adjust your cookie settings:

Change Settings Reset

Data protection

Thank you for your interest in the internet services provided by ST Extruded Products Germany GmbH (hereinafter: “STEP-G”). STEP-G attaches great importance to protecting your personal data during its collection, processing and use in the context of your visit to our website. We comply with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Telecommunications Digital Services Data Protection Act, the Digital Services Act and any other applicable, country-specific data protection regulations. 

In principle, the website of STEP-G can be used without submitting any personal data (e.g. the visitor’s name, address, e-mail address or telephone number). However, if you wish to make use of particular services that we offer via our website, it may be necessary for your personal data to be processed by STEP-G. We always seek your consent if we need to process your personal data, unless there is already a legal basis for such processing. 

The purpose of this Privacy Policy is to inform you about the nature, scope and purpose of the collection, processing and use of personal data by STEP-G. In addition, we wish to inform you about your rights under this Privacy Policy.

STEP-G has implemented a variety of technical and organisational measures to ensure that your personal data, which is processed via this website, is protected to the maximum extent possible. Nevertheless, we wish to point out that absolute protection cannot be guaranteed due to the nature of internet-based data transmission and the associated potential security vulnerabilities. You therefore have the option of providing us with your personal data by other means (e.g. by telephone or post).

1. Terminology

Within the framework of this Privacy Policy, STEP-G uses terminology that is also used in the EU General Data Protection Regulation (GDPR). Among others, this includes the following terms: 

  • Personal data 
    “Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered to be identifiable if they can be identified either directly or indirectly, and in particular by association with an identifier such as a name, identification number, location data, an online identifier or one or more special characteristics that are specific to their physical, physiological, genetic, mental, economic, cultural or social identity. 
  • Data subject
    “Data subject” means any identified or identifiable natural person whose personal data is processed by the data controller.  
  • Processing 
    “Processing” means any process or series of operations performed with or without the aid of automated processes in connection with personal data, such as its collection, recording, organising, ordering, storage, adaptation or modification, read-out, querying, use, disclosure by transmission, dissemination or other form of disclosure, matching or linking, restriction, deletion or destruction. 
  • Restriction of processing
    “Restriction of processing” means the marking of stored personal data in order to restrict its future processing. 
  • Profiling 
    “Profiling” refers to any type of automated processing of personal data undertaken for the purpose of evaluating certain personal aspects relating to a natural person, in particular with the aim of assessing or predicting the person’s job performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or future change of location. 
  • Pseudonymisation 
    “Pseudonymisation” refers to the processing of personal data in such a way that ensures it can no longer be assigned to a specific data subject without additional information, provided that this additional information is stored separately and subjected to technical and organisational measures designed to ensure that the personal data is not assigned to an identified or identifiable natural person. 
  • File system
    A “file system” means any structured collection of personal data that is accessible via specific criteria, whether that collection is centralised, decentralised or organised on the basis of functional or geographical factors. 
  • Data controller
    The “data controller” is the natural or legal person, public authority, agency or other body which, either alone or in collaboration with others, decides on the purpose and means of the processing of personal data. Where the purpose and means of such processing are determined by European Union law or the law of the Member States, the data controller (or the specific criteria governing his/her appointment) may be determined by EU or national law. 
  • Data processor
    The “data processor” refers to a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. 
  • Recipient
    The “recipient” means a natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not they are a third party. However, authorities which receive personal data under EU or national law in connection with a particular investigation order are not considered to be recipients. 
  • Third parties
    A “third party” refers to a natural or legal person, public authority, agency or body other than the data subject, data controller, data processor and the individuals authorised to process the personal data under the direct responsibility of the data controller or data processor. 
  • Consent
    “Consent” means any unambiguous and voluntary expression of will on the part of the data subject in the form of a statement or other unambiguous confirmatory act, whereby the data subject indicates their agreement to the processing of their personal data. 

2. Name and address of the data controller

The data controller with regard to the processing of the data collected via the websites of STEP-G is: 

ST Extruded Products Germany GmbH, Schachenstraße 14, 88267 Vogt, Germany, phone: +49 7529 999-0, e-mail: vogt.office(at)step-g.com, Website: www.step-g.com

3. Name and address of the data protection officer

The data controller’s data protection officer is:

White Whale Data GbR, RA Götz Sommer, Hansaring 97, 50670 Köln, Germany, e-mail: info(at)wwdata.de, phone: +49 221 9776980.

All data subjects may contact our data protection officer at any time with any queries or suggestions regarding data protection. 

4. Cookies

The websites of STEP-G use cookies. Cookies are text files that are downloaded and stored in a computer system via an internet browser. In accordance with Section 25 TDDDG, STEP-G ensures that users consent to the use of cookies before non-essential cookies are set.

Many websites and servers use cookies. Many cookies contain a so-called “cookie ID”. This consists of a character string that serves as the cookie’s unique identifier, making it possible to assign visits to internet pages and servers to the specific internet browser in which the cookie was stored. This allows the visited web pages and servers to distinguish the browser of the respective visitors from other internet browsers (if they contain other cookies). In other words, the unique cookie ID makes it possible to recognise and identify a specific internet browser. 

Cookies enable STEP-G to provide the visitors to its website with services that are more user-friendly than would otherwise be possible. By using cookies, STEP-G is able to optimise its websites for the benefit of the visitors, since the cookies make it possible to identify repeat visitors to the website, which in turn allows us to make the website easier for them to use. For example, when using cookies, visitors are not required to enter their login data each time they visit the website. The login is instead performed automatically by the website via the cookie that was previously stored on the visitor’s computer. In addition, cookies enable online shops to “remember” the items that customers have placed in their virtual shopping carts. 

As the data subject, the user must actively consent to the use of cookies.

Before cookies that are not absolutely necessary are set, a corresponding consent banner is displayed, which can be used to give consent. The user can withdraw this consent at any time.

As the data subject, the user can prevent the use of cookies by the STEP-G website by configuring the corresponding setting in their internet browser. In this way, they can permanently block the use of cookies. In addition, the visitor to the website can delete cookies that have already been stored at any time via their internet browser settings or other software programs. This feature is available in all popular internet browsers. Users (i.e. data subjects) who disable the saving of cookies in their internet browser may no longer be able to make full use of all the features of the STEP-G website. 

The storage period for “permanent cookies” can be up to two years. 

The legal basis for our use of cookies may vary depending on the circumstances. The legal basis on which we process your personal data always depends on the specific individual case. If we ask for your consent and you agree to the use of cookies, this consent provides the legal basis for the processing of your data (Art. 6 (1) (a) GDPR). Should the use of cookies become necessary in order to fulfil our (pre-)contractual obligations towards you, the data processing by STEP-G is based on Art. 6 (1) (b) GDPR. In all other cases, we base the processing of your data by means of cookies on our legitimate interest pursuant to Art. 6 (1) (f) GDPR (e.g. operation of the website and its improvement). 

5. Collection of general data and information

Whenever a data subject or automated system accesses the STEP-G website, general information about the nature of the access is periodically stored in our server’s log files. This information may include the browser type and version, the operating system, as well as the website via which the data subject or automated system accessed our website. Other recorded information may include the subpages accessed on our website, the date and time of access, the visitor’s IP address, the internet service provider of the accessing system and any other security-related data we need in the context of preventing attacks against our IT systems. 

STEP-G does not use this data for the purpose of identifying data subjects. Instead, this data is necessary to ensure that the contents of our website are properly transmitted, as well as to optimise our website, to ensure its functionality, and to provide information required by law enforcement agencies in the event of a cyberattack. We therefore evaluate this data solely for statistical purposes and also to improve data protection and data security within our company. The goal here is to ensure that the personal data we process is safeguarded to the maximum extent possible. The personal data which data subjects submit to us is stored separately from the anonymous data that our server collects via its log files. 

6. Registration on our website

You have the opportunity to register on our website by submitting personal data. For details about which personal data is transmitted to the data controller, please refer to the input screen shown to users during registration. The personal data you provide is collected and stored by STEP-G solely for internal use and for statistical purposes. We may also transfer your personal data to one or more data processors, e.g. postal operators, which also use personal data exclusively for internal order processing. 

If you register on our website, the data saved there is also transmitted by the respective internet service providers (ISP). This includes the IP address as well as the date and time of registration. We store this data as a necessary means to prevent misuse of our services and, if necessary, this information can be used at a later time to investigate previous criminal activity. The storage of the data is therefore necessary to safeguard the data controller’s systems. As a rule, we do not disclose this data to third parties, unless we are legally obliged to do so or the disclosure serves the purpose of law enforcement. 

STEP-G requires users to register – and in so doing to submit personal data – in order to offer them content and services which, due to their nature, can only be offered to registered users. At any time, registered users are entitled to modify the personal data that they submitted during registration, or to have such data removed from STEP-G’s database entirely. 

They also have the right, at any time, to ask STEP-G which personal data has been stored. STEP-G will respond to such requests as soon as possible. To the extent that we are not prevented from doing so due to statutory retention periods, STEP-G will comply with any requests from data subjects for the rectification or deletion of their personal data. In this context, all employees of STEP-G as well as any data protection officers named in this Privacy Policy are available as a point of contact. 

7. Contact via the website

Due to statutory regulations, the websites of STEP-G contains features and information which enable fast electronic contact with our company as well as direct communication with us. This includes our e-mail address. 

When you contact STEP-G via e-mail or our contact form, your personal data is automatically stored. This data, which you voluntarily submit to STEP-G, is stored for the purpose of processing or contacting you (as the data subject).

8. Datenschutzbestimmungen zu Einsatz und Verwendung von Google Maps (Kopie 1)

On this website STEP-G uses the product Google Maps service provided by the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google Inc. (hereinafter: “Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA for the purpose of displaying a map and enabling users to calculate and display travel directions to our company’s locations.

On its website (policies.google.com/privacy/frameworks?hl=en), Google also provides assurance that, when transferring data to the USA, it complies with legal framework conditions that guarantee a level of protection equivalent to EU law and also relies on the standard contractual clauses of the EU Commission. The company has also been certified in accordance with the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), but no longer relies on this as of 16 July 2020. 

If you use the Google Maps component, a cookie is stored on your computer via your internet browser. Your user settings and data are processed to enable the STEP-G locations to be displayed and a route to them to be calculated. We cannot rule out the possibility that Google also stores and processes this data on servers in the USA.

By connecting your internet browser to Google’s servers, the company can determine which website your request was sent from and to which IP address the directions should be sent. If you do not agree to this processing, you can prevent cookies from being installed by Google by changing the corresponding settings in your browser. You can find out more about this in the “Cookies” section of this Privacy Policy.

You can read the Google Maps Terms of Use at  https://www.google.com/intl/de_de/help/terms_maps.html  and  https://policies.google.com/terms?gl=DE&hl=de informieren

The legal basis for the collection and processing of the aforementioned data is Art. 6 (1) (f) GDPR. We have a legitimate interest in optimising the features of our website in order to offer you the best possible service.

9. Routine deletion and blocking of personal data

STEP-G only processes and stores personal data for the period of time necessary to achieve the purpose of the storage, or if STEP-G is bound by statutory provisions that require such storage. 

If the purpose of the storage is omitted or if a legally prescribed retention period expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions. 

10. Rights of the data subject

Due to the regulations of the GDPR, data subjects have the following rights: 

  • Right to confirmation
    As the data subject, you have the right to ask STEP-G (as the data controller) to confirm the processing of your personal data. You can exercise this right at any time by contacting any of the data protection officers mentioned in this Privacy Policy or any other STEP-G employee. 
  • Right to information
    As the data subject, you have the right, at any time, to receive information from STEP-G free of charge regarding the personal data stored about you, and to receive a copy of this data. You also have the right to receive the following information:

    a) the purpose of the data processing

    b) the categories of personal data being processed  

    c) the recipients or categories of recipients to whom the personal data has been disclosed, or is yet to be disclosed, in particular recipients in third countries or international organisations 

    d) if possible, the planned storage duration for the personal data or, where this is not possible, the criteria used to determine the storage duration 

    e) the existence of a right to rectification or deletion of your personal data, or to request a restriction of its processing by the data controller, or to object to such processing f) the existence of a right of appeal to a supervisory authority

    g) if the personal data is not collected from you (as the data subject): all available information about the source of the data

    h) the existence of an automated decision-making process, including profiling, in accordance with Article 22 (1) and (4) GDPR and – at least where such processes exist – meaningful information about the logic involved and the scope and intended impact of such processing with regard to you (as the data subject)

    If personal data is transmitted to a third country or an international organisation, as the data subject you have the right to be informed about the appropriate safeguards in connection with the transfer under Article 46 GDPR. 

    As the data subject, you can exercise this right to information at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. 
  • Right to rectification 
    As the data subject, you have the right to demand that STEP-G immediately correct any incorrect personal data concerning you. Taking into account the purposes of the processing, as the data subject you have the right to request the completion of incomplete personal data, including by means of a supplementary statement. 
    As the data subject, you can exercise this right to rectification at any time by contacting any data protection officer mentioned in this Privacy Policy or any other employee of ST Extruded Products Germany GmbH. 
  • Right to deletion (“right to be forgotten”) 
    As the data subject, you have the right to require STEP-G to delete your personal data without delay, provided that one of the following reasons applies and that the processing of your data is not mandatory: 

    a) The personal data is no longer required for the purpose for which it was collected or otherwise processed.  

    b) The data subject revokes the consent on which the processing was based in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing.

    c) The data subject raises an objection to the processing in accordance with Article 21 (1) GDPR, and there are overriding, legitimate reasons for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR.  

    d) The personal data was processed unlawfully. 

    e) The deletion of personal data is necessary to fulfil a legal obligation under EU or national laws by which the data controller is bound. 

    f) The personal data was collected in relation to information society services pursuant to Article 8 (1) GDPR. 

    If one of these reasons is correct and you, as the data subject, wish to request the deletion of your personal data stored by STEP-G, you may do so at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. Any data protection officer mentioned in this Privacy Policy or any other STEP-G employee will arrange for the requested deletion to be carried out immediately. 

    Where STEP-G has made personal data public which we are obliged to delete pursuant to Article 17 (1) GDPR, STEP-G will take appropriate measures (including of a technical nature) – taking into account the available technology and the costs of implementation – to notify other data controllers processing the published personal data that you (as the data subject) have requested the deletion of all links to such personal data as well as all copies or reproductions thereof by those other data controllers, unless such processing is mandatory. Any data protection officer or other employee of STEP-G will arrange everything necessary in individual cases. 
  • Right to restriction of processing  
    As the data subject, you have the right to require STEP-G to restrict its processing of your personal data if any of the following conditions are met: 

    a) The accuracy of the personal data is contested by the data subject for a period of time that enables the data controller to verify the accuracy of the personal data. 

    b) The processing is unlawful and, as the data subject, you request the restriction of the use of your personal data rather than its deletion. 

    c) STEP-G no longer needs your personal data for processing purposes, however, as the data subject, you need it to assert, exercise or defend your rights. 

    d) As the data subject, you have objected to the processing pursuant to Article 21 (1) GDPR, and it is not yet clear whether STEP-G’s legitimate reasons for processing the data take precedence over your reasons for restricting its processing. 

    If one or more of these conditions exists and you (as the data subject) wish to request the restriction of the personal data stored by STEP-G, you can contact our data protection officer or any other STEP-G employee at any time. Any data protection officer or another employee of STEP-G will then arrange for the data processing to be restricted. 
  • Right to data portability
    As the data subject, you have the right to receive the personal data that you provided to STEP-G in a structured, common and machine-readable format. You also have the right to transfer this data to another data controller – without hindrance by the data controller to whom the personal data was submitted – provided that the processing is based on consent pursuant to Article 6 (1) (a) GDPR or Article 9 2 (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means, unless the processing is necessary in the public interest or in the exercise of official authority vested in the data controller. In addition, as the data subject exercising your right to data portability pursuant to Article 20 (1) EU GDPR, you have the right to have your personal data transmitted directly from one data controller to another, to the extent that this is technically feasible and that doing so does not limit the rights and freedoms of other persons. As the data subject, you can exercise this right to data portability at any time by contacting any data protection officer mentioned in this privacy policy or any other STEP-G employee. 
  • Right to object  
    As the data subject, you have the right, for reasons based on your particular situation, to object at any time to the processing of your personal data pursuant to Article 6 (1) (e) or (f) GDPR. This also applies to profiling carried out on the basis of these provisions. 

    In case of an objection, STEP-G will cease processing the personal data, unless we can prove that there are compelling legitimate grounds for its processing, which outweigh your interests, rights and freedoms as the data subject, or unless the purpose of the processing is to assert, exercise or defend against legal claims. 

    Where STEP-G processes personal data for the purpose of direct advertising, as the data subject you have the right, at any time, to object to the processing of your personal data for the purpose of such advertising. The same applies in the case of profiling, to the extent that it is associated with such direct advertising. As the data subject, if you object to the processing of your personal data by STEP-G for direct advertising purposes, STEP-G will no longer process your personal data for these purposes. 

    In addition, as the data subject you have the right, for reasons based on your particular situation, to object to the processing of your personal data by STEP-G for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary in the public interest. 

    As the data subject, you can exercise this right to object at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. As the data subject, you are also entitled – in the context of the use of information society services, notwithstanding Directive 2002/58/EC – to exercise your right to object via automated processes based on technical specifications.  
  • Automated decisions in individual cases, including profiling 
    As the data subject, you have the right to request that decisions concerning you (including profiling), which may have legal consequences or negatively affect you, are not based solely on automated processing, provided that the decision 

    a) is not required for the conclusion or performance of a contract between you (as the data subject) and STEP-G, or 

    b) is permitted under European Union or Member State legislation to which STEP-G is bound, whereby the legislation contains adequate measures to safeguard your rights, freedoms and legitimate interests as the data subject, or 

    c) is made with your express consent as the data subject. 

    If the decision is necessary for the conclusion or performance of a contract between you (as the data subject) and STEP-G, or if it is made with your explicit consent as the data subject, STEP-G will take appropriate measures to guarantee your rights, freedoms and legitimate interests as the data subject, including at least the right to request that a STEP-G employee intervene on your behalf, and to express your own position, and to contest the decision. 

    As the data subject, you can exercise these rights with respect to automated decisions at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. 
  • Right to revoke your consent relating to data privacy 
    As the data subject, you have the right to revoke your consent to the processing of your personal data at any time. 

    You can exercise your right to revoke your consent at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. 

11. Privacy with regard to applications and during the application process

In connection with the career portal, STEP-G collects and processes applicants’ personal data for the purpose of processing their applications. Such processing may be carried out by electronic means. In particular, this applies in cases where applicants submit their application documents to STEP-G by e-mail, via a web form on our website, or by other electronic means. 

If an application is successful and the applicant is hired, STEP-G stores the data submitted by the applicant for the purpose of facilitating the employment relationship. This data is stored in accordance with the statutory regulations. 

If an application is unsuccessful, i.e. if no employment contract is concluded, STEP-G automatically deletes the submitted documents two months from the date on which the respective applicants were notified of their unsuccessful application. The data is only kept beyond this time if its deletion conflicts with other justified interests of STEP-G – for example, in the event that STEP-G is required to give evidence in proceedings under the German General Equal Treatment Act (AGG). 

12. Privacy policy regarding the use and application of Facebook

Components provided by the social network Facebook are integrated into the websites of STEP-G. 

A social network is an online service that allows users to communicate and interact in virtual space. This online social meeting point (online community) can be used to exchange views and experiences and provide personal or business information to other users within the online community. Among other things, Facebook users can create personal profiles, upload photos and network with other users via friend requests. 

The operator of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. For data subjects who live outside the US or Canada, the data controller for Facebook is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. 

STEP-G shares responsibility with Facebook Ireland Ltd. for the collection of data that Facebook receives via the components embedded on STEP-G’s websites. The same applies to the transmission of any data to Facebook in connection with content and advertising information that is tailored to the presumed interests of users. Similarly, it is possible that Facebook will use information to target users via Facebook Messenger and improve its ability to identify content and/or promotional information that is likely to be of interest to users. 

If a visitor to the websites of STEP-G accesses an individual subpage containing a Facebook component (Facebook plug-in), their IT system is automatically instructed by the component in question to download a version of the corresponding Facebook component from Facebook. All Facebook plug-ins are described in an overview which is available at developers.facebook.com/docs/plugins/. Via this technical process, Facebook is able to determine which specific subpage the user is visiting. 

If the user (as the data subject) is also logged in to Facebook, during each visit to the websites of STEP-G by the user – and for the entire duration of the respective visits – Facebook is able to identify which specific subpages were viewed. The installed Facebook plug-in collects this information and Facebook assigns it to the user’s Facebook account. If the user clicks on one of the Facebook buttons integrated into our website or submits a comment, this information is assigned by Facebook to the data subject’s personal user account and this personal data is subsequently stored. 

If a data subject is logged in to Facebook when they visit the websites of STEP-G, Facebook is notified about the visit via the respective plug-ins – regardless of whether or not the user clicks on the Facebook buttons. As a user and data subject, if you do not agree to such a transfer of your data to Facebook, you can prevent this by making sure that you are logged out of your Facebook account before visiting the websites of STEP-G. 

Information about Facebook’s data policy, including the personal data that is collected, processed and used by Facebook, is available at  https://de-de.facebook.com/about/privacy/. In addition, you will find information there about settings provided by Facebook to protect the data subject’s privacy. Various applications which make it possible to prevent or limit the transmission of personal data to Facebook are also available. The user (as the data subject) can therefore prevent the transmission of their data to Facebook by means of these applications.

STEP-G has concluded a special agreement with Facebook (“Addendum for Data Controllers”). This agreement, which is available at https://www.facebook.com/legal/controller_addendum, sets out the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and explains how it complies with the rights of data subjects under the GDPR.

13. Privacy policy for the use and application of Google Analytics (with anonymisation feature)

STEP-G has integrated the component Google Analytics (with anonymisation feature) into this website. Google Analytics is a web analytics service. Web analytics is the process of collecting and analysing of data about the behaviour of visitors to websites. Among other things, the web analytics service collects data about the website from which you (as the data subject) accessed our website (so-called “referrers”), which subpages of our website you accessed and how often and for what length of time you viewed a subpage. The web analytics service is primarily used for the purpose of optimising our website and carrying out cost-benefit analyses of online advertising activities. 

The operating company of the Google Analytics component is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. 

STEP-G uses the parameter “_gat._anonymizeIp” for its web analytics via Google Analytics. This parameter allows the IP address of the data subject’s internet connection to be shortened and anonymised by Google if the data subject accesses our website from a Member State of the European Union or from another contracting state to the Agreement on the European Economic Area. 

The purpose of the Google Analytics component is to analyse visitor flows on our website. Among other things, Google uses the acquired data to evaluate the use of our website, to compile online reports for us which show activities on our websites, and to provide other services related to the use of our website. 

Google Analytics stores a cookie in the respective data subjects’ IT system. Cookies are text files that are downloaded and stored in a computer system via an internet browser. Many websites and servers use cookies. Many cookies contain a so-called “cookie ID”, which is a unique identifier for the cookie. It consists of a character string via which web pages and servers can be assigned to the specific internet browser in which the cookie was stored. This allows visited websites and servers to distinguish the individual’s browser from other internet browsers that contain other cookies. A particular web browser can therefore be recognised and identified via the unique cookie ID. By using this cookie, Google is able to analyse the visitor’s usage of our website. 

Each time an individual page of the STEP-G website that contains a Google Analytics component is accessed, the internet browser on the data subject’s IT system is automatically instructed by the corresponding Google Analytics component to transmit data to Google for the purpose of online analytics. As part of this technical process, Google obtains knowledge of the data subject’s personal data, including their IP address, which Google uses to track the origin of visitors and clicks, and subsequently to generate commission invoices. 

The cookie stores personal data, such as the time of access, the location from which access was made and the frequency of the data subject’s visits to our website. Each time the data subject visits our website, their personal data, including the IP address of their internet connection, is transferred to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may transfer the personal data collected via this technical process to third parties. 

As previously mentioned, the data subject can prevent the use of cookies by our website at any time by configuring the relevant settings in their internet browser, and can thus permanently disable the storage of cookies. Configuring an internet browser in this way would also prevent Google from storing a cookie in the data subject’s IT system. In addition, a cookie already stored by Google Analytics can be deleted at any time via the internet browser or other software programs. 

Furthermore, the data subject has the option of objecting to – and preventing the collection of – the data generated by Google Analytics regarding their use of this website, as well as the processing of this data by Google. To do so, the data subject must download and install a browser add-on via this link: https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information about visits to the website may be transmitted to Google Analytics. If the data subject installs the browser add-on, Google acknowledges their objection to its use of their web analytics data. If the data subject’s IT system is later deleted, formatted or reinstalled, they must reinstall the browser add-on in order to disable Google Analytics. If the browser add-on is uninstalled or disabled by the data subject or another person within their sphere of control, it remains possible to reinstall or reactivate the browser add-on. 

On its website (policies.google.com/privacy/frameworks?hl=en), Google also provides assurance that, when transferring data to the USA, it complies with legal framework conditions that guarantee a level of protection equivalent to EU law and also relies on the standard contractual clauses of the EU Commission. The company has also been certified in accordance with the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), but no longer relies on this as of 16 July 2020. 

Additional information and Google’s privacy policy are available at https://policies.google.com/privacy?hl=de&gl=de and https://marketingplatform.google.com/about/analytics/terms/de/. Detailed information about Google Analytics is available via this link: https://marketingplatform.google.com/about/

14. Privacy policy regarding the use and application of HubSpot

STEP-G uses the HubSpot marketing automation system from HubSpot Inc. for the purposes of statistics, marketing, content management, web analysis and search engine optimisation. (25 First Street, 2nd Floor, Cambridge, MA 02141, USA). HubSpot operates offices in Ireland (One Dockland Central, Dublin 1, Ireland) and Germany (Am Postbahnhof 17, 10243 Berlin). The software uses cookies (see Sec. 4). 

  • They save the following data:
  • Geographical position
  • Browser type
  • Navigation information
  • Links (URL)
  • Performance data
  • City location
  • Number of uses of the application
  • Mobile app data
  • Subscription data for the HubSpot subscription service
  • Files shown locally
  • Domain names
  • Pages viewed
  • Aggregated usage
  • Operating system version
  • Internet service provider
  • IP address
  • Device ID
  • Duration of visit
  • Information on download of the application
  • Operating system
  • Events that occur during use
  • Access times
  • Clickstream data
  • Device model and version

The legal basis for the use of the software is the consent of the user according to. Art. 6 (1) (a) GDPR. You can revoke your consent at any time with effect for the future by changing the cookie settings using our Content Management platform. 

It is possible that HubSpot may pass on or transfer the data collected to another country (e.g. Ireland, the USA or other countries in which HubSpot partners operate), or countries outside the European Union and the European Economic Area which do not have an appropriate data protection level. If the data is transferred to the USA, there is a risk that it will be used by US authorities for control and surveillance purposes without data subjects having the right to legal recourse. 

A contractual relationship exists between STEP-G and HubSpot on the basis of “standard contractual clauses” that have been approved by the EU Commission. In this agreement, HubSpot undertakes only to process user data in accordance with the instructions of STEP-G and to maintain the same level of data protection as that found in the EU member states. HubSpot’s privacy policy is available at https://legal.hubspot.com/de/privacy-policy. More information about data protection at HubSpot is available at https://legal.hubspot.com/de/dpa.

15. Privacy Policy regarding the use and application of LinkedIn

STEP-G has integrated components provided by the LinkedIn Corporation into the websites of STEP-G. 

LinkedIn is a web-based social network for maintaining existing – and establishing new – business contacts. With over 500 million registered users in more than two hundred countries, the platform is currently the largest of its kind and one of the world’s most frequently visited internet sites. 

LinkedIn’s operating company is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. Outside the United States, issues relating to the company’s Privacy Policy are handled by LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland. 

Each time you visit an area of the websites of STEP-G that contains a LinkedIn component (LinkedIn plug-in), this component instructs the browser you are using to download a version of the LinkedIn component. More information about the LinkedIn plug-ins can be found at https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/plugins?context=linkedin/consumer/context. Via this technical process, LinkedIn gains knowledge about which specific subpage of our website you are viewing (as the data subject).

If you are logged in to LinkedIn when you visit our website, the social network is able to identify which specific subpage of our website you are viewing, as well as the duration of your visit. The LinkedIn plug-in collects this information, which is then assigned to your LinkedIn account by LinkedIn. If you click on a LinkedIn button on our website, LinkedIn assigns this information to your user account and subsequently stores this personal data. 

If the data subject is logged in to LinkedIn when they visit the websites of STEP-G, LinkedIn is notified about this visit via the respective plug-ins – regardless of whether or not the user clicks on the LinkedIn component. As a user and data subject, if you do not agree to such a transfer of your data to LinkedIn, you can prevent this by making sure that you are logged out of your LinkedIn account before visiting the websites of STEP-G. 

Via the URL www.linkedin.com/psettings/guest-controls,  you can unsubscribe from e-mails, text messages, targeted ads, and manage your ad settings. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame, which may also store cookies on your IT system. LinkedIn makes its current privacy policy available at https://www.linkedin.com/legal/privacy-policy. LinkedIn’s cookie policy is available at https://www.linkedin.com/legal/cookie-policy.

16. Privacy Policy regarding the use and application of Xing

STEP-G has integrated components provided by Xing into the websites of STEP-G. 

Xing is a social network in which members primarily manage their professional contacts, and to a lesser extent their private contacts, and also establish new contacts. Xing primarily offers a platform for business networks in German-speaking countries, which allows individual users to create a personal profile and companies to create company profiles and publish job advertisements. 

The operating company of Xing is XING AG, Dammtorstraße 30, 20354 Hamburg, Germany. 

Each time you visit an area of the websites of STEP-G that contains a Xing component (Xing plug-in), this component instructs the browser you are using to download a version of the Xing component. More information about the Xing plug-ins can be found at dev.xing.com/plugins. Via this technical process, Xing gains knowledge about which specific subpage of our website you are viewing (as the data subject). 

If you are logged in to Xing when you visit our website, the social network is able to identify which specific subpage of our website you are viewing, as well as the duration of your visit. The Xing plug-in collects this information, which is then assigned to your Xing account by Xing. If you click on a Xing button on our website, Xing assigns this information to your user account and subsequently stores this personal data. 

If the data subject is logged in to Xing when they visit the websites of STEP-G, Xing is notified about this visit via the respective plug-ins – regardless of whether or not the user clicks on the Xing component. As a user and data subject, if you do not agree to such a transfer of your data to Xing, you can prevent this by making sure that you are logged out of your Xing account before visiting the websites of STEP-G. 

Xing’s current privacy policy is available via the URL www.xing.com/privacy. This includes information about which personal data Xing collects, processes and uses. Furthermore, at https://www.xing.com/app/share?op=data_protection you can find privacy information regarding the XING share button. 

17. Social media networks

STEP-G is represented via company accounts on the social media networks YouTube, Instagram, Facebook, Xing and LinkedIn. In this context, STEP-G collects and processes data in order to exchange information with other users of these services and to provide company information. 

In doing so, there is a possibility that these social networks may process users’ data outside the European Union. In certain cases, this may make it more difficult to assert the users’ rights. 

As a rule, user data is also processed within social networks for the purpose of market research and advertising; for example, by evaluating user behaviour in terms of the users’ interests. These usage profiles may then be used both within and outside these networks to serve advertisements that correspond to the presumed interests of the respective users. This is made possible, for example, by storing cookies on each user’s computer. 

With regard to the individual social networks, we refer to the above statements regarding Facebook (also applies to Instagram), LinkedIn, Xing and Google products (applies to YouTube). 

The social network Instagram is operated by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Its privacy policy is available at https://help.instagram.com/519522125107875

The operator of LinkedIn is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Its privacy policy is available at https://www.linkedin.com/legal/privacy-policy

The operating company of Xing is XING AG, Dammtorstraße 30, 20354 Hamburg, Germany. Xing’s current privacy policy is available via the URL www.xing.com/privacy

18. Legal basis of the processing

Pursuant to Article 6 (1) GDPR, the processing of personal data by STEP-G is lawful provided that at least one of the following conditions is met: 

a) The data subject has given their consent to the processing of their personal data for one or more specific purposes 

b) The processing is necessary for the performance of a contract to which the data subject is a party, or for the performance of pre-contractual measures at the data subject’s request (e.g. product enquiries) 

c) The processing is required to fulfil a legal obligation on the part of the data controller (e.g. tax obligations) 

d) The processing is necessary to protect the vital interests of the data subject or any other natural person (e.g. a visitor’s health insurance data in the event of an accident on our premises) 

e) The processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority vested in the data controller 

f) The processing is necessary to safeguard the legitimate interests of the data controller or a third party, unless these are secondary to the interests or fundamental rights and freedoms of the data subject in the context of data protection, and in particular if the data subject is a child. 

19. Legitimate interests in the processing pursued by the data controller or a third party

Where the processing of personal data is based on Article 6 (1) (f) GDPR, we have a legitimate interest in conducting our business for the benefit of all of our employees and shareholders. 

20. Duration for which the personal data is stored

STEP-G stores personal data for the duration of the respective statutory retention periods. At the end of this period, the corresponding data is routinely deleted, unless it is required for performance of the contract or for contract initiation. 

21. Legal or contractual regulations governing the provision of personal data; its necessity for the purpose of concluding of the contract; obligations of the data subject to provide their personal data; possible consequences of non-provision 

We wish to explicitly point out that the provision of your personal data may be required by law (e.g. due to tax regulations) or may result from contractual arrangements (e.g. details of the contracting party). For the purpose of concluding a contract it may be necessary for you, as the data subject, to provide us with personal data that must subsequently be processed by us. For example, as the data subject, you will be required to provide us with personal data if our company signs a contract with you. Refusal to provide your personal data would mean that we would not be able to conclude the contract with you (as the data subject). Before you submit your personal data to us, we advise you to contact our data protection officer or one of our employees. They will inform you (as the data subject) on a case-by-case basis whether the provision of your personal data is required by law, or contractually required, or required for the conclusion of the contract, or whether you are obliged to provide the personal data, as well as the consequences of refusing to provide it. 

22. Existence of an automated decision-making process

As a responsible and conscientious company we do not carry out automated decision-making or profiling.