Privacy Policy

In the following we inform you about the processing of your personal data by us and the claims and rights you are entitled to under the data protection regulations, in particular the European General Data Protection Regulation (GDPR).
This Privacy Policy explains the type, scope and purpose of the processing of personal data within our website (hereinafter “Website”). The Privacy Policy applies regardless of the domains, platforms and devices used (e.g. desktop, mobile, etc.).
Personal data within the meaning of the GDPR includes all data relating to you personally, e.g. name, address, email addresses, user behavior. The specific data processed and how it is used depends largely on the services you use with us.
We use several other terms within the meaning of the GDPR in this Privacy Policy. These include terms such as processing, restriction of processing, profiling, pseudonymization, controller, processor, recipient, third party, consent, supervisory authority and international organization. You can find the relevant definitions in Art. 4 GDPR.

1. Who is responsible for data processing and whom can I contact?
Controller:
mip Consult GmbH
Wilhelm-Kabus-Straße 9
10829 Berlin
Tel: +49 (0) 30 – 20 88 999 – 0
Fax: +49 (0) 30 – 20 88 999 – 88
E-Mail: kontakt@mip-software.de

You can reach our Data Protection Officer at:
Marvin Süß
mip Consult GmbH
Wilhelm-Kabus-Straße 9
10829 Berlin
Tel: +49 (0) 30 – 20 88 999 – 00
datenschutz@mip-consult.de
www.sofortdatenschutz.de

2. What sources and data do we use?
We process personal data that we receive from you when you use our website and, where applicable, in the context of our business relationship.
When using the website for informational purposes only, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. When you access our website, we collect the following access data, which are technically necessary for us to display our website to you and to ensure stability and security. Access data include the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific page accessed), access status/HTTP status code, amount of data transferred, referrer URL (previously visited page), operating system and its interface, language and version as well as type of browser software, message about successful retrieval.
We also receive your personal data if you contact us via contact form, telephone or email. Personal data in this context are e.g. your name, the company you belong to, your email address and any data you send us as a message. Depending on the type of request, further details may be required. Please note that full data security cannot be guaranteed for email communication, so we recommend using postal mail for information with a high need for confidentiality.

3. For what purposes and on what legal basis do we process your data?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) for the following purposes and on the following legal bases:
3.1 Data processing based on your consent
If you have given us consent to process personal data for specific purposes, in particular for contacting you (e.g. via our web forms or by email to handle and process your request), for sending newsletters or for direct marketing by telephone, email or SMS, the lawfulness of this processing is based on your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR.
Consent given can be withdrawn at any time. Please note that withdrawal only takes effect for the future. Processing that took place before the withdrawal is not affected. Withdrawal can be made at any time via the contact details given above.
3.2 Data processing to carry out pre-contractual measures at the request of the person
When you contact us (e.g. via web form, telephone or email), your information will be processed to handle and process the contact request, Art. 6 (1) sentence 1 lit. b GDPR.
3.3 Data processing to comply with legal obligations
If processing of your personal data is necessary to comply with a legal obligation to which we are subject, data processing is carried out on the basis of Art. 6 (1) sentence 1 lit. c GDPR.
3.4 Processing to protect legitimate interests of us or third parties
We may process your personal data to protect legitimate interests of ours or of third parties. In particular, we pursue the following legitimate interests:
• ensuring IT security, especially website security;
• improving the website in terms of structure and content;
• asserting legal claims and defense in legal disputes.
3.5 Conducting application procedures
When contacting us (via contact form or email) in connection with your application, we process your data to check your suitability for the position (or possibly other open positions in our company) and to carry out the application process, Art. 6 (1) sentence 1 lit. b GDPR. Your applicant data will be reviewed by the HR department after receipt of your application. Suitable applications are then forwarded internally to the department managers responsible for the respective open position. They then decide on the further process. In general, only those persons in the company who need access to your data for the proper conduct of our recruitment process will have access.
For data processing not strictly necessary for carrying out the application process, we will obtain your consent, Art. 6 (1) sentence 1 lit. a GDPR.
3.6 Storage of data on your device or access to data on your device
We use cookies and similar technologies on our website. We store information on your device because it is absolutely necessary to provide our website to you, § 25 (2) no. 2 TDDDG. Data processing is carried out to protect our legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f GDPR in the best possible functionality of the website.
When you first visit our website, you will also be asked if you consent to the use of non-essential cookies and similar technologies. Data collection and storage, as well as any subsequent data processing, is carried out only with your express consent, § 25 (1) TDDDG, Art. 6 (1) sentence 1 lit. a GDPR.
Further information on the use of cookies and similar technologies can be found under “Cookies and similar technologies”.

4. Who receives my data?
Within our company, departments that need your data to fulfill our contractual and legal obligations have access to it.
Processors commissioned by us (Art. 28 GDPR) may also receive data for the purposes mentioned above. These are companies in categories such as IT services, telecommunications, as well as sales and marketing. If we pass data on to our service providers, they may only use the data to fulfill their tasks. The service providers are carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organizational measures to protect the rights of the persons concerned, ensure an adequate level of data protection and are carefully monitored by us.
Data will be passed on to third parties who are not processors only within the framework of legal requirements. We only disclose users’ data to third parties if this is necessary, for example, under Art. 6 (1) sentence 1 lit. b GDPR for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR for the economical and effective operation of our business, or if you have consented to the transfer. When using the website purely for information, we generally do not pass on any data to third parties.

5. How long will my data be stored?
5.1 Access data
For security reasons (e.g. to investigate misuse or fraud), log file information is stored for a maximum of four weeks and then deleted (see section 2 above). Data that must be retained as evidence is exempt from deletion until the incident has been fully resolved.
5.2 (Pre-)Contractual measures
Where necessary, we process and store your personal data for the duration of our business relationship, which also includes the initiation of a contract via contact form or email.
5.3 Applicant data
If an application is rejected, applicant data will be deleted after 6 months. If employment does not occur but your application remains of interest to us, we will keep your application for future job postings with your explicit written consent. The data will be deleted no later than after two years or upon withdrawal of your consent. If we hire you for the advertised position, your data will be stored in our HR management system.
5.4 Statutory retention periods
In addition, we are subject to various retention and documentation obligations arising from, among others, the Commercial Code (HGB) and the Fiscal Code (AO). The prescribed periods for retention and documentation are six to ten years.
5.5 Limitation periods
Finally, the storage period is also based on statutory limitation periods, which, for example under §§ 195 ff. of the Civil Code (BGB), can be up to thirty years in certain cases, with the regular limitation period being three years.
If you assert your rights as a data subject, we will store the information provided to you in this regard until the expiry of the statutory limitation period in accordance with § 31 (2) no. 1 OWiG, § 41 (1) BDSG, Art. 83 (5) lit. b GDPR for 3 years. This period may be extended if the statutory limitation period is extended due to interruptions (e.g. inquiries from supervisory authorities).
5.6 Other retention periods
Information on further retention periods can be found in the following sections.

6. Will data be transferred to a third country or an international organization?
The data provided will be processed within the European Union and in the USA. When transferring data to the USA, we ensure that recipients are certified under the EU-U.S. Data Privacy Framework or that we agree EU Standard Contractual Clauses with recipients without certification. Where we rely on the EU Standard Contractual Clauses, we will take additional security measures to protect your data and ensure an appropriate level of protection for your personal data. You have the option to receive or view a copy of the EU Standard Contractual Clauses. Where applicable, we will obtain your express consent for data transfers to the USA.

7. What are my data protection rights?
Every data subject has
• the right of access under Art. 15 GDPR (i.e. you have the right to request information at any time about your personal data stored by us),
• the right to rectification under Art. 16 GDPR (i.e. if your personal data is inaccurate or incomplete, you can request that it be corrected),
• the right to erasure under Art. 17 GDPR and the right to restriction of processing under Art. 18 GDPR (i.e. you may have the right to request the erasure or restriction of the processing of your personal data if, for example, there is no longer a legitimate business purpose for such processing and statutory retention obligations do not require further storage),
• the right to data portability under Art. 20 GDPR (i.e. you may have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance).
Furthermore, you can withdraw consent, generally with effect for the future.
In addition, there is a right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG). You can find the supervisory authority responsible for you at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html. We would appreciate it if you contact us first with your complaint so that we can resolve your concerns before you contact the supervisory authority.
We also draw your attention to your right to object under Art. 21 GDPR:
Information on your right to object under Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is based on Art. 6 (1) sentence 1 lit. e GDPR (data processing in the public interest) and Art. 6 (1) sentence 1 lit. f GDPR (data processing based on a balancing of interests); this also applies to profiling based on these provisions within the meaning of Art. 4 no. 4 GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defense of legal claims.
In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made informally to us via the contact details provided above and no costs will be incurred other than the transmission costs according to the base rates.

8. To what extent is there automated decision-making including profiling?
When accessing our website or when contacting us via form or email, we generally do not use fully automated decision-making pursuant to Article 22 GDPR. Should we use such procedures in individual cases, we will inform you separately if this is required by law. We do not process your data automatically for the purpose of evaluating certain personal aspects (profiling).

9. Am I obliged to provide data?
When visiting our website, you must provide the personal data that is necessary for technical or IT security reasons in order to use our website. If you do not provide this data, you cannot use our website.
When contacting us via form or email, you only need to provide the personal data necessary to process your request. Otherwise, we cannot process your request.
If your request aims at concluding a contract or if providing data is necessary as part of contract initiation, failure to provide data may mean we cannot provide the intended service.

10. Cookies and similar technologies
10.1 General information
Cookies are stored in the browser on the user’s device. They contain information stored for a visited page. The cookie is either sent by the web server to the browser or created in the browser by a script (JavaScript). On later visits, the web server can read this cookie information directly or the script of the website can transfer the cookie information back to the server. When cookies are set, they usually collect and process certain user information such as browser and location data and IP address values. Some of these cookies are essential for the functionality of our website, while others help us improve our website by giving us insights into how you use it.
With web storage, information is stored locally in your browser’s cache. The stored information is either automatically deleted after closing the browser window (“session storage”) or remains so it can be read again during your next visit to the website (“local storage”), unless you delete your browser cache (“browser data”).
Web beacons are 1×1 pixel graphics embedded in websites or emails (newsletters) in various ways and also serve to collect and analyze user data.
You can individually prohibit the storage of cookies via your browser settings (see the help page of your browser to learn how to configure cookie handling). Help for cookie management in the most common browsers can be found at the following addresses:
• Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-loeschen-daten-von-websites-entfernen
• Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=de
• Opera: http://www.opera.com/de/help
• Safari: https://support.apple.com/kb/PH17191?locale=de_DE&viewlocale=de_DE
• Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09
Please note that disabling cookies may result in limited functionality of this website.
We provide further information on the use of the technologies mentioned above and the scope of the information collected in the following sections.

10.2 Service information and consent settings

11. Our social media presences
We are present on social networks and platforms so that we can also communicate with you there and inform you about our services.
Please note that when using social networks or platforms, your data may also be processed outside the European Union and that the providers of the social networks usually process the data for market research and advertising purposes. Usage profiles can be created from user behavior and resulting interests. These usage profiles can in turn be used to place ads inside and outside the platforms that are presumably relevant to users’ interests. For this purpose, cookies and similar technologies may also be stored on users’ devices, which store usage behavior and interests. Other data may also be stored in these profiles, especially if users are members of the respective platforms and logged in to them.
On our website, we only link to our company profiles on the respective social networks. Please note, however, that when you click a link to a social network, data is transmitted to its servers. If you are logged in to the respective social network at that time with your username and password, information that you visited our company profile from our website will be transmitted and can be stored in your user account.
We generally have no significant influence on the data processing of social networks. However, we do receive statistics from the providers about the use and visits to our company profiles in social networks (e.g. information about number of views, interactions such as likes and comments, as well as aggregated demographic and other information or statistics). Further information on the data used by the providers can be found in the privacy policies linked below.
If we receive personal data from you via social networks (e.g. as part of a message) and process it exclusively ourselves, we are the controller for that data processing. In this case, you are entitled to the rights listed in this Privacy Policy. You can send inquiries about data processing in connection with our company profiles to us using the contact details above. Please carefully check which personal data you share with us via social networks.
If the data you transmit via the social network is also or exclusively processed by the provider of the social network (insights data), then the provider as well as we are jointly responsible for the data processing under the GDPR. Data processing in this context is based on an agreement between joint controllers in accordance with Art. 26 GDPR.
If you wish to assert rights in this regard against the provider of the social network, it is easiest to contact the provider directly. The provider knows both the technical operation of the platform and the associated data processing as well as the specific purposes of the data processing. The contact details can be found in the privacy policies linked below. Of course, we will support you in asserting your rights where possible.
The processing of users’ personal data is generally based on your consent under Art. 6 (1) sentence 1 lit. a GDPR. The legal basis is also Art. 6 (1) sentence 1 lit. b GDPR if we receive and process your data in the context of a contract-related inquiry via our social media presence. The legal basis for linking to and operating our company profiles in social networks, including receiving statistics on the use of our profiles, is Art. 6 (1) sentence 1 lit. f GDPR, based on our legitimate interest in our corporate communication in the respective social networks.
For information on the respective processing and opt-out options, please refer to the privacy policies of the providers linked below:
• Facebook (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland) – Privacy information: https://www.facebook.com/about/privacy/, Opt-out: https://www.facebook.com/settings?tab=ads, Page controller addendum: https://www.facebook.com/legal/terms/page_controller_addendum
• Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland) – Privacy information: https://help.instagram.com/519522125107875/?helpref=hc_fnav
• LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy information: https://www.linkedin.com/legal/privacy-policy, Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
• TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland) – Privacy information: https://www.tiktok.com/legal/privacy-policy
• X (Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) – Privacy information: https://twitter.com/de/privacy, Opt-out: https://twitter.com/personalization
• YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy information: https://policies.google.com/privacy, Opt-out: https://adssettings.google.com/authenticated