- General information
With this data protection notice we inform you about our handling of your personal data and about your rights according to the European Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Responsible for data processing is heyconnect GmbH (hereinafter referred to as “we” or “us”).
If you have any questions or suggestions about this information, or if you wish to contact us about asserting your rights, please send your request to
Hermannstraße 13, 20095 Hamburg
Tel. +49 (0)40 69 20 76 80
The term “personal data” under data protection law refers to all information that relates to an identified or identifiable individual. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Data processing by us only takes place on the basis of legal permission. We process personal data only with your consent (§ 25 (1) TTDSG or Art. 6 (1) a GDPR), for the performance of a contract to which you are a party, or at your request for the performance of pre-contractual measures (Art. 6 (1) b GDPR), for the performance of a legal obligation (Art. 6(1)(c) GDPR) or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms which require the protection of personal data override (Art. 6(1)(f) GDPR).
Duration of storage
Unless otherwise stated in the following notes, we only store the data for as long as is necessary to achieve the processing purpose or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law regulations. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting records for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof, as well as with complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to processing for this purpose. If we process your data as a processor, we will delete the data according to the instructions of the controller or after termination of the processing on behalf of the controller.
Categories of recipients of the data
We use processors as part of the processing of your data. Processing operations carried out by such processors include, for example, hosting, emailing, maintenance and support of IT systems, customer and order management, order processing, accounting and billing, marketing activities or file and data media destruction. A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out data processing exclusively for the data controller and are contractually obliged to guarantee appropriate technical and organisational measures for data protection. In addition, we may transfer your personal data to bodies such as postal and delivery services, the company’s bank, tax advisors/auditors or the tax authorities. Further recipients may result from the following information.
Data transfer to third countries
Our data processing may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is provided in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country shall only take place if appropriate safeguards pursuant to Article 46 of the GDPR are in place or if one of the conditions of Article 49 of the GDPR is met.
Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for transfers of personal data to third countries. You have the possibility to obtain a copy of these EU standard data protection clauses or to view them. To do so, please contact us at the address given under Contact.
If you consent to the transfer of personal data to third countries, the transfer is made on the legal basis of Art. 49 (1) a GDPR.
Processing in the exercise of your rights
If you exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data you provide in order to implement these rights and to be able to provide evidence that we have done so. Data stored for the purpose of providing information and preparing that information will be processed only for this purpose and for the purpose of data protection control; otherwise, processing is restricted in accordance with Art. 18 GDPR.
These processing operations are based on the legal basis of Art. 6 (1) c GDPR in conjunction with Art. 15 to 22 GDPR and § 34 (2) BDSG.
As a data subject, you have the right to assert your data subject rights towards us. In particular, you have the following rights:
- In accordance with Art. 15 GDPR and § 34 BDSG, you have the right to request information as to whether and, if so, to what extent we are processing personal data relating to you.
- You have the right to demand that we correct your data in accordance with Art. 16 GDPR.
- You have the right to demand that we delete your personal data in accordance with Art. 17 GDPR and § 35 BDSG.
- You have the right to have the processing of your personal data restricted in accordance with Art. 18 GDPR.
- You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer this data to another controller.
- If you have given us separate consent to data processing, you may revoke this consent at any time in accordance with Art. 7 (3) GDPR. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
- If you believe that a processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
Right of objection
In accordance with Article 21(1) of the GDPR, you have the right to object to processing based on the legal basis of Article 6 (1) e or f of the GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing pursuant to Article 21 (2) and (3) of the GDPR.
Data Protection Officer
You can reach our data protection officer at the following contact details:
Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg
- Data processing on our website
When you use the website, we collect information that you provide yourself. In addition, during your visit to the website, certain information about your use of the website is automatically collected by us. In data protection law, the IP address is also generally considered to be personal data. An IP address is assigned to every device connected to the Internet by the Internet provider so that it can send and receive data.
Processing of server log files
During the purely informative use of our website, general information that your browser transmits to our server is initially stored automatically (i.e. not via registration). This includes by default: browser type/version, operating system used, page accessed, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code. The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) f GDPR. This processing serves the technical administration and security of the website. The stored data is deleted after seven days unless there is a justified suspicion of unlawful use based on concrete indications and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject from the stored information. Articles 15 to 22 of the GDPR therefore do not apply pursuant to Article 11 (2) of the GDPR unless you provide additional information that enables you to be identified in order to exercise your rights set out in these articles.
Contact options and enquiries
Our website contains contact forms that you can use to send us messages. The transfer of your data is encrypted (recognisable by the “https” in the address line of the browser). All data fields marked as mandatory are required to process your request. Failure to provide this information will result in us not being able to process your request. The provision of further data is voluntary. Alternatively, you can send us a message via the contact e-mail. We process the data for the purpose of answering your enquiry. Insofar as your enquiry is directed towards the conclusion or performance of a contract with us, Art. 6 (1) b GDPR is the legal basis for the data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting enquirers. The legal basis for the data processing is then Art. 6 (1) f GDPR.
The contact form for sales prospects is provided by Monday, a service of monday.com Ltd. based in Israel. In the course of this, a transfer of the registration data to Israel cannot be excluded. The European Commission has issued an adequacy decision for Israel in accordance with Article 45 of the GDPR, which ensures an adequate level of protection.
You have the option of applying via our website in the Jobs section. For this purpose, we collect personal data from you, including in particular your name, CV, letter of application and other content provided by you. For the selection and administration of our applications, we use a service provider who is solely bound by instructions in accordance with the legal requirements for commissioned processing. Your personal application data will only be processed for purposes related to your interest in current or future employment with us and the processing of your application. Your online application will only be processed and noted by the relevant contact persons at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you have submitted for up to six months after the end of the application process for the purpose of answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.
The legal basis for the collection of data is § 26 (1) sentence 1 BDSG. If we retain your applicant data for longer than six months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with Art. 7 (3) GDPR. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
Consent management tool
This website uses a consent management banner to control cookies. The consent banner enables users of our website to give consent to certain data processing procedures or to revoke a given consent. By confirming the “I accept” button or by saving individual cookie settings, you consent to the use of the associated cookies. The legal basis under data protection law is your consent within the meaning of Art. 6 (1) a GDPR.
In addition, the banner helps us to provide proof of the declaration of consent. For this purpose, we process information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 (1) c in conjunction with Art. 7 (1) GDPR).
Google Ireland will process the data thus collected on our behalf in order to evaluate the use of our website by the users, to compile reports on the activities within our website and to provide us with further services related to the use of our website and the internet. In doing so, pseudonymous user profiles can be created from the processed data.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the data processing in connection with the Google Analytics service is therefore Art. 6 (1) a GDPR. You can revoke this consent via our Consent Management Tool at any time with effect for the future. The personal data processed on our behalf to provide Google Analytics may be transferred to any country in which Google Ireland or Google Ireland’s sub-processors maintain facilities. Please refer to the information in the section “Data transfer to third countries”.
- Further data processing within our partner portal
Login and registration
In order to use our partner portal, registration via the website is required. You create the necessary registration data yourself. After registration, you will be activated by our administrator. Your data will be processed within the portal for the purpose of providing services. The processing of your data as a contact person of your company is based on the legal basis of Art. 6 (1) f GDPR and on our legitimate interest to fulfil the contractual relationship with your employer.
Via our partner portal, you have the option of opening a support ticket and monitoring its status. For this purpose, we use the Freshdesk service of the provider Freshworks, Inc (USA). When you open a support ticket via Freshdesk, the data you enter is transmitted to Freshdesk. All data fields marked as mandatory are required to process your ticket. Failure to provide this information will result in us not being able to process your ticket. The provision of further data is voluntary. Alternatively, you can send us a message via the contact email. We process the data for the purpose of answering your request and closing your ticket.
The integration of the service is based on our legitimate interest in an appealing and user-friendly design of our portal. The processing of your data in the course of support is carried out on the basis of Art. 6 (1) b GDPR, insofar as your request is directed towards the conclusion or implementation of a contract with us. Otherwise, we process your data on the basis of Art. 6 (1) f GDPR based on our legitimate interest to get in contact with inquiring persons.
When using the service, data transfer to the USA cannot be ruled out. Please also note the information in the section “Data transfer to third countries”. Further information on data protection at Freshworks can be found in Freshworks’ data protection information at https://www.freshworks.com/de/datenschutz/.
Document and form creation and dispatch
Via our partner portal, you have the option of filling out, creating and sending documents and forms to us. For this purpose, we use the Monday service of the provider Monday, Ltd (Israel). When you create or fill out a document or form, the personal data you enter is transmitted to Monday, Ltd. The provision of data is voluntary. Alternatively, you can send us a message via the contact email. The integration of the service is based on our legitimate interest in an appealing and user-friendly design of our portal. Your data is processed on the basis of Art. 6 (1) b GDPR if your request is directed towards the conclusion or performance of a contract with us. Otherwise, we process your data on the basis of Art. 6 (1) f GDPR based on our legitimate interest in fulfilling the contractual relationship with your employer.
When using the service, a data transfer to Israel cannot be excluded. For Israel, the European Commission has issued an adequacy decision in accordance with Art. 45 of the GDPR, which ensures an appropriate level of protection.
We offer the possibility to register for our newsletter in our partner portal as well as in the onboarding process. After registration, we will regularly inform you about the latest news on our offers. A valid e-mail address is required to register for the newsletter. If you subscribe to the newsletter via the onboarding process or via our partner portal, we process personal data such as your e-mail address and your name on the basis of the consent you have given. The processing is based on the legal basis of Art. 6 (1) a GDPR. You can revoke your consent at any time with future effect, for example via the “unsubscribe” link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation.
When registering for the newsletter, we also store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 (1) c in conjunction with Art. 7 (1) GDPR).
We also analyse the reading behaviour and opening rates of our newsletter. For this purpose, we collect and process pseudonymised usage data that we do not merge with your email address or your IP address. The legal basis for the analysis of our newsletter is Art. 6 (1) f GDPR and the processing serves our legitimate interest in optimising our newsletter. You can object to this at any time by contacting one of the above-mentioned contact channels.
We use the MailChimp service of The Rocket Science Group LLC d/b/a MailChimp (USA) for the management of subscribers, the dispatch of the newsletter and the analysis. Your email address is therefore transmitted by us to the service provider. If you do not want your data to be processed by this service provider, you should not subscribe to the newsletter or unsubscribe from it again. Please note the information in the section “Data transfer to third countries”.
- Data processing on our social media pages
We are represented on several social media platforms with a company page. Through this, we would like to offer further opportunities for information about our company and for exchange. Our company has company pages on the following social media platforms:
When you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with a social media profile in use also regularly constitutes personal data. This also covers messages and statements made while using the profile. In addition, during your visit to a social media profile, certain information is often automatically collected about it, which may also constitute personal data.
Visit of a social media page
- a) Instagram page
When you visit our Instagram page, through which we present our company or individual products from our range, certain information about you is processed. The sole controller of this processing of personal data is Meta Platforms Ireland Limited (Ireland/EU – “Meta”). For more information about Meta’s processing of personal data, please visit https://www.facebook.com/privacy/explanation. Meta offers the possibility to object to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.
Meta provides us with anonymised statistics and insights for our Instagram page that help us gain insights into the types of actions people take on our page (called “page insights”). These page-insights are created based on certain information about individuals who have visited our page. This processing of personal data is carried out by Meta and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our site and to improve our site based on these insights. The legal basis for this processing is Article 6(1) f GDPR. We cannot associate the information obtained via page-insights with individual user profiles interacting with our Instagram page. We have entered into a joint controller agreement with Meta which sets out the allocation of data protection obligations between us and Meta. Details of the processing of personal data to create page-insights and the agreement entered into between us and Meta can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. In relation to this data processing, you also have the option of asserting your data subject rights (see “Your rights”) towards Meta. Further information on this can be found in Meta’s data protection declaration at https://www.facebook.com/privacy/explanation.
Please note that according to the Meta data protection regulations, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 of the GDPR or on the basis of appropriate guarantees in accordance with Art. 46 of the GDPR.
- b) LinkedIn company page
LinkedIn Ireland Unlimited Company (Ireland/EU) is in principle the sole controller for the processing of personal data when you visit our LinkedIn page. Further information about the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
When you visit, follow or engage with our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights. This provides us with insights into the types of actions that people take on our page (so-called page-insights). For this purpose, LinkedIn processes in particular such data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. With Page-Insights, LinkedIn does not provide us with any personal data about you. We only have access to the aggregated Page-Insights. It is also not possible for us to draw conclusions about individual members using the information in the Page-Insights. This processing of personal data in the context of Page-Insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our LinkedIn company page and to improve our company page based on these insights. The legal basis for this processing is Article 6 (1) f GDPR. We have entered into a joint controller agreement with LinkedIn which sets out the allocation of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. Under this agreement, the following applies:
- LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page-Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see dataprotection.ie) or any other supervisory authority.
- c) Xing company page
New Work SE (Germany/EU) is in principle the sole controller for the processing of personal data when you visit our Xing profile. Further information on the processing of personal data by New Work SE can be found at: https://privacy.xing.com/de/datenschutzerklaerung.
Comments and direct messages
We also process information that you have provided to us via our company page on the respective social media platform. Such information may be the username used, contact details or a message sent to us. These processing operations are carried out by us as the sole data controller. We process this data on the basis of our legitimate interest to get in contact with inquiring persons. The legal basis for the data processing is Art. 6 (1) f GDPR. Further data processing may take place if you have consented (Art. 6 (1) a GDPR) or if this is necessary for the fulfilment of a legal obligation (Art. 6 (1) c GDPR).
- Further data processing
Contact by e-mail
If you send us a message via the contact email provided, we will process the data submitted for the purpose of responding to your enquiry. We process this data based on our legitimate interest in contacting enquirers. The legal basis for the data processing is Art. 6 (1) f GDPR.
Customer and interest data
If you contact our company as a customer or interested party, we process your data to the extent necessary to establish or implement the contractual relationship. This regularly includes the processing of personal master, contract and payment data provided to us as well as contact and communication data of our contact persons at commercial customers and business partners. The legal basis for this processing is Art. 6 (1) f GDPR. We also process customer and interested persons data for evaluation and marketing purposes. This processing is carried out on the legal basis of Art. 6 (1) f GDPR and serves our interest in further developing our offer and informing you specifically about our offers. Further data processing may take place if you have consented (Art. 6 (1) a GDPR) or if this is necessary for the fulfilment of a legal obligation (Art. 6 (1) c GDPR).
Use of the email address for marketing purposes
We may use the email address you provided upon registration to inform you about similar products and services offered by us. The legal basis is Art. 6 (1) f GDPR in conjunction with § 7 (3) UWG. You can object to this at any time without incurring any costs other than the transmission costs according to the basic rates. To do so, you can unsubscribe by clicking on the unsubscribe link contained in each mailing or by sending an e-mail to email@example.com.
Status: August 2022