1. empact GmbH Privacy Policy
Information on how your personal data is handled
Please note that we need personal data in order to conduct our business operations. If we did not collect any personal data, we would not be in a position to meet your requirements, enter into a contract with you or provide you with information on our activities, products, services or company. Of course, we only collect the data required for this. If we need to request additional data from you, we inform you of this and indicate to you that it may be provided on a voluntary basis. We do not conduct automated decision-making.
Data protection is a top priority for us. Therefore, we wish to provide you with clear and comprehensive information about how we process your personal data – naturally in compliance with the applicable legal provisions, such as the European General Data Protection Regulation (GDPR), the German Data Protection Act (BDSG 2018) and all other relevant data protection legislation. The way we handle personal data is set out in our data protection management framework, and we act accordingly.
If you believe that our Privacy Policy could be improved, we would welcome your ideas and suggestions. Our Privacy Policy and other data protection information is regularly reviewed and adapted within the context of our data protection management framework. The most up-to-date version is published on this website.
Contact details of the controller
empact GmbH
Marzellenstraße 2-8
50667 Cologne
+49 (0) 221 17 04 30 48
info@empact.energy
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data (e.g. names, email addresses or similar).
Contact details of the data protection officer
PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 Munich
+49 (0)89 25 00 39 227
datenschutzbeauftragter@datenschutzexperte.de
Data collection
How do we collect your data?
One way we collect your data is through the information you provide to us. For example, this might be data that you enter in a contact form.
Other data is collected by our IT systems either automatically or otherwise when you visit this website. This is mainly technical data (e.g. internet browser, operating system and time of website visit). This data is collected automatically as soon as you visit this website.
Legal basis
If we communicate as part of a contractual measure or to take steps prior to entering into a contract, your personal data is processed in order to carry out the related requests or contracts. These processing operations are based on Art. 6(1)(b) GDPR.
Purpose
The specific data we process and the purpose for which we use it depends on the services that you use through us. You can find details on the purposes of our data processing in the respective contractual documents, forms, declarations of consent and other information provided to you in this context. This data protection information is included in our contract texts, web pages and other documents that we provide or have provided to you. Primarily, we routinely process personal data for the following purposes:
- Customer and supplier management
- Applicant management
- Employee management
- Order management
- Website operation
- Publication of photos on the website
- Management of training and event attendees
We also process your data in the following cases for the purpose of:
- sending (via post, email, etc.) company information, provided you have not objected to this
- communicating with you
- fulfilling legal requirements, such as tax laws, compulsory insurance, etc.
- meeting legal safety, monitoring and reporting obligations
- archiving data to ensure backups are kept and for compliance with obligations to provide evidence
- disclosing information within the context of official/legal action
- ensuring error-free provision of the website, for which some of the data is collected; other data may be used to analyse your user behaviour
Categories
We may process the following categories of personal data in relation to you depending on your usage of our offering:
- Master data of (potential) customers, suppliers and service providers and data of applicants, training attendees and other interested parties as well as other categories of persons associated with the aforementioned people who may be involved within the scope of their respective affiliations (e.g. family members, employees of service providers and/or suppliers, etc.)
- Contact details for the aforementioned categories of persons (postal addresses, phone numbers, email addresses, etc.)
- Variable data for the aforementioned categories of persons (interests, attendance at all kinds of events or similar)
- Photo and video data for the aforementioned categories of persons (at company or training events, etc.)
- Bank details and data regarding payments and credit-worthiness, where applicable
- Usage data on websites offered by us (IP address, time of visit to sites or apps, pages visited, etc.)
- Consent data, in order to document consent given and withdrawn
Recipients
In principle, your personal data is only made available to the internal and/or external recipients that need this in order to meet contractual and/or legal obligations or perform their work. This means that your data is passed on or disclosed to:
- Bodies that process data as processors or as joint controllers with us (e.g. data centres, maintenance, archiving, accounting, data disposal, purchasing, customer management, website management, auditors, banks, printers, delivery services, logistics, etc.)
- Authorities, attorneys, associations, courts, notaries, appraisers, etc. in the event of a legitimate interest
- Other possible third parties if you have expressly consented to this
Otherwise, we do not share your data.
Service providers that we have commissioned to act as a processor or as a joint controller with us may only use the data for the purposes for which we have given it to them. This is contractually regulated and the data processing is subject to the same conditions there as with us.
2. General and mandatory information
Data protection
The operators of this website take the protection of your personal data very seriously. We treat your personal data as confidential and handle it in accordance with data protection laws and this Privacy Policy.
Various types of personal data are collected when you use this website. Personal data is data that can be used to identify you personally. This Privacy Policy sets out which data we collect and what we use it for. It also explains how and for what purpose this is done.
Please bear in mind that transmitting data over the internet (e.g. when communicating by email) may give rise to security risks. It is not possible to completely protect data from access by third parties.
Basic rights
You may assert your data protection rights vis-à-vis us under certain conditions:
- You have the right to obtain information about your data held by us in accordance with the rules under Art. 15 GDPR – with restrictions, where applicable
- If your data held by us is inaccurate or incorrect, you may request that it be rectified in accordance with Art. 16 GDPR
- You may obtain the erasure of the personal data concerning you in accordance with Art. 17 GDPR. However, this only applies as long as no other legal requirement prevents its erasure.
- If the conditions of Art. 18 GDPR are met, you may obtain restriction of processing of your data
- In accordance with Art. 21 GDPR, you have the right to object in particular circumstances. This means that you may object to the processing of your personal data, after which we must cease processing your data.
- Under certain circumstances, you have the right to require us to make available to you your personal data under the conditions of Art. 20 GDPR
You have the right to withdraw consent given at any time with future effect. From that point on, your personal data is no longer processed for the purposes to which you objected. No specific format is required for this objection.
Withdrawal of your consent to data processing
Many data processing operations can only be carried out with your express consent. You may withdraw your consent at any time. You can simply email us to inform us of this, as no specific format is required. The lawfulness of the data processing conducted prior to the withdrawal remains unaffected by the withdrawal.
Right to object to the collection of data in particular situations and to direct marketing (Art. 21 GDPR)
If your data is processed on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling based on those provisions. The applicable legal basis for processing can be found in this Privacy Policy. If you object, we no longer process personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims (objection pursuant to Art. 21(1) GDPR).
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, your personal data is then no longer used for direct marketing purposes (objection pursuant to Art. 21(2) GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of infringements of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or for the performance of a contract provided to you or to a third party in a commonly used, machine-readable format. If you ask to have the data transmitted directly to another controller, this is only done where technically feasible.
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to ensure secure transmission of confidential content, such as orders and enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the browser address bar changes from http:// to https:// and by the lock icon there.
If SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.
Access, erasure and rectification
In accordance with the applicable legal provisions, you have the right to free information at any time about your personal data held by us, its source and recipients and the purpose of the data processing as well as, where applicable, the right to rectification or erasure of this data. Please contact us at any time via the address provided in the legal notice if you have further questions about this or other issues relating to personal data.
Right to restriction of processing
You have the right to obtain restriction of processing of your personal data. Please contact us at any time via the address provided in the legal notice for this purpose. The right to restriction of processing applies in the following cases:
- If you contest the accuracy of your personal data held by us, we generally need some time to verify this. While this verification is underway, you have the right to obtain restriction of processing of your personal data.
- If the processing of your personal data was/is unlawful, you may obtain restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it for the exercise, defence or establishment of legal claims, you have the right to obtain restriction of processing of your personal data instead of erasure.
- If you object in accordance with Art. 21(1) GDPR, a balance must be struck between your interests and ours. Until it has been determined whose interests prevail, you have the right to obtain restriction of processing of your personal data.
If you have restricted the processing of your personal data, such data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Objection to promotional emails
We hereby object to the use of contact details published in the context of the obligation to provide a legal notice for the purpose of sending unsolicited advertising and information materials. The operators of this website expressly reserve the right to take legal steps if unsolicited advertising information, such as spam emails, is sent.
3. Hosting, cookies and log data
External hosting
This website is hosted by an external service provider (hosting provider). Personal data collected on this website is stored on the hosting provider’s servers. In particular, this may include IP addresses, contact requests, metadata, communication data, contract information, contact details, names, website accesses and other data generated via a website.
We use the hosting provider for the purpose of performing a contract with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of ensuring the secure, fast and efficient provision of our website by a professional provider (Art. 6(1)(f) GDPR).
Our hosting provider only processes your data to the extent necessary to fulfil its obligations and follows our instructions in relation to this data.
Conclusion of a data processing agreement
We have concluded a data processing agreement with our hosting provider to ensure processing in compliance with data protection laws.
Cookies
We use what are known as cookies in certain areas of our website. Cookies do not cause any damage to your device or contain any viruses. They are used to make our website more user-friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser.
Most of the cookies we use are what are known as “session cookies”. These are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognise your browser the next time you visit.
You can configure your browser so that you are informed about the placement of cookies and allow cookies only on a case-by-case basis, block all or certain cookies and enable automatic deletion of cookies when you close the browser. The functionality of this website may be restricted if cookies are disabled.
Cookies that are required for electronic communication or for the provision of certain functions you wish to use (e.g. the shopping cart function) are stored on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in storing cookies to ensure that it can provide services that are optimised and free from technical errors. If the relevant consent has been obtained (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR; this consent may be withdrawn at any time.
If other cookies (e.g. cookies for analysing your surfing behaviour) are stored, these are treated separately in this Privacy Policy.
Server log files
The website provider automatically collects and stores information in what are known as “server log files” that your browser automatically transmits to us. The following information is collected:
- Browser type and version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
This data is collected on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – the server log files are required to ensure this.
4. Plugins and tools
What categories of personal data do we process and for what purposes?
We process your personal data when you visit empact GmbH on social media channels. With our various social media channels, we want to offer you a broad range of multimedia services and exchange ideas with you on topics that matter to you. In addition to the respective provider of any social network, we also collect and process personal user data on our social media channels. Through this notice, we are letting you know which data relating to you we collect in connection with our social media channels, how we use this and how you can object to the use of data. For information on the respective data processing purposes and data categories, please refer to the individual social media channels, which are explained in more detail below.
The data processing serves the following purposes:
- Communication with empact GmbH social media channel visitors
- Handling requests from empact GmbH social media channel visitors
- Capturing statistical information about the reach of empact GmbH social media channels
- Conducting customer surveys, marketing campaigns, market analysis, prize draws, competitions or similar activities and events
- Resolving disagreements and legal disputes, establishing, exercising or defending legal claims or disputes, enforcing existing contracts
We need to process your personal data for these purposes.
Unless expressly stated otherwise, the legal basis for the processing is Art. 6(1)(f) GDPR. We have a legitimate interest in being able to respond to your messages or requests and in analysing the reach and usage of our social media channels to ensure an appropriate design and continuous optimisation. If you wish to enter into a contractual relationship with empact GmbH through your request, the legal basis for this processing is Art. 6(1)(b) GDPR.
If we intend to process your personal data for a purpose other than the one mentioned above, we will inform you of this prior to that processing.
empact GmbH on LinkedIn
The empact GmbH LinkedIn pages are operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). When you visit the empact GmbH LinkedIn pages, LinkedIn processes your personal data in accordance with its privacy policy, which you can find at: https://www.linkedin.com/legal/privacy-policy
We process the following personal data:
- Your LinkedIn user name as well as comments on our empact GmbH LinkedIn pages and messages that you send to us via our empact GmbH LinkedIn pages
- Other information needed to respond to requests and enquiries from our visitors or to uniquely identify our visitors in our systems
Joint controllership with LinkedIn
We use the statistical information (visits to our website, scope of interaction, information on the countries and cities our visitors come from and statistics about the field of work of our visitors) in connection with the usage of our LinkedIn company page that LinkedIn makes available in an anonymised form via the LinkedIn Analytics service. It is not possible for empact GmbH to identify individual users or access individual user profiles.
For this reason, empact GmbH and LinkedIn are considered “joint controllers” within the meaning of the GDPR and have therefore concluded a joint controller agreement to comply with GDPR requirements. This joint controller agreement can be viewed here: https://www.linkedin.com/legal/privacy-policy. This sets out all information of relevance for you as a data subject, especially with respect to exercising your rights under data protection law.
Beyond the processing of personal data mentioned in the LinkedIn Privacy Policy, empact GmbH has no influence over the processing of personal data in connection with your use of our LinkedIn company page.
Google Analytics 4
This website uses Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), which can be used to analyze the use of websites.
When using Google Analytics 4, so-called “cookies” are used. The information collected by cookies about your use of the website (including the IP address transmitted by your end device, shortened by the last digits, see below) is usually transmitted to a Google server, where it is stored and processed. This may also result in information being transmitted to the servers of Google LLC based in the USA and further processing of the information there.
When using Google Analytics 4, the IP address transmitted by your end device when you use the website is always collected and processed in abbreviated form by default and automatically, so that the information collected cannot be directly linked to a person. This automatic anonymization is carried out by Google within member states of the European Union (EU) or other signatory states to the Agreement on the European Economic Area (EEA) by shortening the IP address transmitted by your end device by the last digits.
Google uses this and other information on our behalf to evaluate your use of the website, to compile reports on your website activity and usage behavior and to provide us with other services relating to your use of the website and the Internet. The abbreviated IP address transmitted by your device as part of Google Analytics 4 will not be merged with other Google data. The data collected as part of the use of Google Analytics 4 is stored for 6 months and then deleted.
Google Analytics 4 also enables the creation of statistics with statements about the age, gender and interests of website users on the basis of an evaluation of interest-based advertising and with the use of third-party information via a special function, the so-called “demographic characteristics”. This makes it possible to determine and differentiate between user groups of the website for the purpose of target group-optimized marketing measures. However, data collected via the “demographic characteristics” cannot be assigned to a specific person and therefore not to you personally. This data collected via the “demographic characteristics” function is stored for 2 months and then deleted.
All processing described above, in particular the setting of Google Analytics cookies for the storage and reading of information on the end device used by you for the use of the website, will only take place if you have given us your express consent to do so in accordance with Art. 6 para. 1 lit. a GDPR. Without your consent, Google Analytics 4 will not be used during your use of the website.
In connection with this website, the “UserIDs” function is also used as an extension of Google Analytics 4. By assigning individual UserIDs, we can have Google create cross-device reports (so-called “cross-device tracking”). This means that your usage behavior can also be analyzed across devices if you have given your consent to the use of Google Analytics 4 in accordance with Art. 6 para. 1 lit. a GDPR, if you have set up a personal account by registering on this website and are logged in to your personal account on different devices with your relevant login data. The data collected in this way shows, among other things, on which device you clicked on an ad for the first time and on which device the relevant conversion took place.
We have concluded a data processing agreement with Google for our use of Google Analytics 4, which obliges Google to protect the data of our website users and not to pass it on to third parties.
As personal data may be transferred by Google to affiliated companies and subcontractors in countries outside the EU and the EEA, further protective mechanisms are required to ensure the level of data protection under the GDPR. For the USA, there is an adequacy decision by the EU Commission pursuant to Art. 45 (1) GDPR with regard to companies with certification under the EU-U.S. Data Privacy Framework. Google LLC is certified in accordance with the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search
For potential transfers to other third countries outside the EU and the EEA for which there is no adequacy decision by the EU Commission, we have also agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the third country to process the data in accordance with the level of protection in Europe.
Further legal information on Google Analytics 4, including a copy of the aforementioned standard contractual clauses, can be found at the following link: https://policies.google.com/privacy
Details on the processing triggered by Google Analytics 4 and how Google handles data from websites can be found here: https://policies.google.com/technologies/partner-sites
Vimeo
555 West 18th Street, New York, New York 10011, USA.
If you visit one of our pages featuring a Vimeo plugin, a connection is established to the Vimeo servers. Here the Vimeo server is informed about which of our pages you have visited. Vimeo also receives your IP address. This applies even if you are not logged into Vimeo or do not have a Vimeo account. The information collected by Vimeo is transmitted to a Vimeo server in the US.
If you are logged into your Vimeo account, Vimeo can assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account.
Vimeo is used in the interest of making our website appealing. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. If the relevant consent has been obtained (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR; this consent may be withdrawn at any time.
Further information on the use of user data can be found in the Vimeo Privacy Policy at: https://vimeo.com/privacy
5. Data from external applicants
Personal data related to you is generally collected directly from you – for example in the context of the application process – based on Section 26(1) BDSG in the version that came into effect on 25 May 2018.
In addition, we may also obtain data from third parties (e.g. job portals such as Indeed, Stepstone or similar job placement services).
We also process personal data that we have lawfully obtained from publicly accessible sources (such as professional social networks), where applicable.
The categories of personal data of applicants processed include in particular your master data (such as first name, last name, name affixes, nationality, personnel number), contact details (such as home address, (mobile) phone number, email address) and data from the application process as a whole (cover letter, CV, work or other references, proof of qualifications).
If you also voluntarily disclose special categories of personal data (such as health information, religious affiliation or degree of disability) in your application letter or during the application process, this is only processed if you have consented to this there.
We process personal data relating to employees and applicants on the basis and under consideration of the European General Data Protection Regulation (EU GDPR), the German Data Protection Act (BDSG) and all other relevant provisions in German labour law (e.g. the German General Equal Treatment Act (AGG), the German Works Constitution Act (BetrVG), the German Social Code (SGB), etc.).
Your personal data is primarily processed within the context of the application process in order to conduct the application process and especially to determine suitability for the advertised position. We are therefore required to process your applicant data in order to decide on the establishment of an employment relationship. The primary legal basis for this is Art. 88 GDPR in conjunction with Section 26(1) BDSG.
Data transfer
Within our company, your personal data is only shared with the people and departments who need it to make employment decisions regarding you and to meet our legal and contractual obligations.
Otherwise, we only transfer your personal data – for example to investigating authorities – if legally obliged to do so.
Data retention period
Personal applicant data provided to us is erased as soon as it is no longer needed for the aforementioned purposes and after six months at the latest. This does not apply if you have agreed to a longer data retention period, the data must be retained for evidentiary purposes or legal provisions prevent its erasure. For example, we retain your applicant data for as long as there is a possibility that you may bring legal claims against empact, for example for a breach of the provisions of the German General Equal Treatment Act.
On the other hand, if your application leads to the establishment of an employment relationship with you, we continue to retain and use your data for the purposes of the usual administration and organisational processes and to conduct the employment relationship under consideration of the applicable legal requirements.
Your rights
Like all other data subjects, applicants and employees can naturally exercise data subject rights in accordance with Art. 15 to 22 GDPR in relation to the processing of their personal data by companies.
You have the right to lodge a complaint with the data protection officer mentioned above or a data protection supervisory authority. (For contact details, please see above in this Privacy Policy.)