Data protection information

We have drawn up this data protection notice in order to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (data for short) we as the controller – and the processors (e.g. providers) commissioned by us – process, will process in the future and what lawful options you have. The terms used are to be understood as gender-neutral.

Data protection notices usually sound very technical and use technical legal terms. These data protection notices, on the other hand, are intended to describe the most important things to you as simply and transparently as possible. Where it is conducive to transparency, technical terms are explained in a reader-friendly way and links to further information are provided. We thus inform you in clear and simple language that we only process personal data as part of our business activities if there is a corresponding legal basis. If you still have questions, we would like to ask you to contact the responsible body named below or in the legal notice, to follow the links provided and to view further information on third-party websites. Our contact details can of course also be found in the legal notice.

This data protection information applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (processors).

In the following data protection information, we provide you with transparent information on the legal principles and regulations, i.e. the legal bases of the General Data Protection Regulation, which enable us to process personal data.
As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can of course read this EU General Data Protection Regulation online at EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose.
2. Contract (Article 6(1)(b) GDPR): In order to fulfill a contract or pre-contractual obligations with you, we process your data.
3. Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to keep invoices for accounting purposes. These usually contain personal data.
4. Legitimate interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website securely and efficiently. This processing is therefore a legitimate interest.

Other conditions such as recording in the public interest, the exercise of official authority and the protection of vital interests do not generally apply to us. If such a legal basis is relevant, it will be indicated at the appropriate point.

In addition to the EU regulation, national laws also apply:

• In Germany, the Federal Data Protection Act( BDSG) applies.

If other regional or national laws apply, we will inform you of this in the following sections.

If you have any questions about data protection or the processing of personal data, you will find the contact details of the person or body responsible below:

Agentur für Innovation in der Cybersicherheit GmbH
Große Steinstraße 19
06108 Halle (Saale)

E-mail: presse@cyberagentur.de
Phone: +49 151 44150645

Imprint

Below you will find the contact details of the data protection officer:

Data Protection Officer
Agentur für Innovation in der Cybersicherheit GmbH
Große Steinstraße 19
06108 Halle (Saale)
E-mail: datenschutz@cyberagentur.de

It is a general criterion for us that we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for the data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose no longer applies, for example for accounting purposes.

If you wish your data to be deleted or revoke your consent to data processing, the data will be deleted as quickly as possible and insofar as there is no obligation to store it.

We will inform you below about the specific duration of the respective data processing if we have further information on this.

In accordance with Articles 13, 14 GDPR, we inform you of the following rights to which you are entitled in order to ensure fair and transparent processing of data:

• According to Article 15 GDPR, you have a right to information as to whether we process your data. If this is the case, you have the right to receive a copy of the data.
• According to Article 16 GDPR, you have a right to rectification of data, which means that we must correct data if you find errors.
• According to Article 17 GDPR, you have the right to erasure (“right to be forgotten”), which specifically means that you may request the erasure of your data.
• According to Article 18 GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it any further.
• According to Article 20 GDPR, you have the right to data portability, which means that we will provide you with your data in a commonly used format upon request.
• According to Article 21 GDPR, you have the right to object, which will result in a change in the processing after enforcement.
  • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then check as quickly as possible whether we can legally comply with this objection.
• Under Article 22 GDPR, you may have the right not to be subject to a decision based solely on automated processing (e.g. profiling).
• According to Article 77 GDPR, you have the right to lodge a complaint. This means that you can lodge a complaint with the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

If you believe that the processing of your data violates data protection law or your data protection claims have been violated in any other way, you can complain to the supervisory authority. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following data protection authority is responsible for our company

Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Address: Graurheindorfer Str. 153, 53117 Bonn
Phone: +49 (0)228-997799-0
E-Mail-Adresse:poststelle@bfdi.bund.de

In order to protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. In this way, we make it as difficult as possible for third parties to infer personal information from our data.

Art. 25 GDPR speaks here of “data protection by design and by default” and thus means that both software (e.g. forms) and hardware (e.g. access to the server room) should always be designed with security in mind and appropriate measures should be taken. If necessary, we will discuss specific measures below.

We use HTTPS (the Hypertext Transfer Protocol Secure stands for “secure hypertext transfer protocol”) to transmit data tap-proof on the Internet.
This means that the complete transmission of all data from your browser to our web server is secured. You can recognize the use of this data transmission security by the small lock symbol at the top left of the browser, to the left of the Internet address and the use of the https scheme (instead of http) as part of our Internet address.

When you contact us and communicate by telephone, e-mail or online form, personal data may be processed. The data is processed for the handling and processing of your question and the associated business transaction. The data will be stored for as long as required by law.

All those who seek contact with us via the communication channels provided by us are affected by the aforementioned processes.

When you call us, the call data is stored pseudonymously on the respective end device and with the telecommunications provider used. In addition, data such as name and telephone number may subsequently be sent by e-mail and stored for the purpose of responding to inquiries. The data will be deleted as soon as the business case has been completed and legal requirements permit.

If you communicate with us by email, data may be stored on the respective end device (e.g. computer, laptop, smartphone, etc.) and data may be stored on the email server. The data will be deleted as soon as the business transaction has been completed and legal requirements permit.

If you communicate with us using an online form, data is stored on our web server and may be forwarded to one of our e-mail addresses. The data will be deleted as soon as the business transaction has been completed and legal requirements permit.

The processing of the data is based on the following legal bases:

• Art. 6 para. 1 lit. a GDPR (consent): You give us your consent to store your data and to use it for purposes relating to the business transaction;
• Art. 6 para. 1 lit. b GDPR (contract): There is a need for the performance of a contract with you or a processor such as the telephone provider or we need to process the data for pre-contractual activities (e.g. in the context of application procedures);

Art. 6 para. 1 lit. f GDPR (legitimate interests): We want to handle customer inquiries and business communication in a professional manner. This requires certain technical facilities such as e-mail programs, exchange servers and mobile network operators in order to be able to operate communication efficiently.

Like most companies, we do not work alone, but also use the services of other companies or individuals. By involving various companies or service providers, we may pass on personal data for processing. These partners then act as processors with whom we conclude a contract, the so-called data processing agreement (DPA). The most important thing for you to know is that the processing of your personal data takes place exclusively in accordance with our instructions and must be regulated by the DPA.

What are cookies?

Our website uses HTTP cookies to store user-specific data.
Whenever you surf the internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.

Almost all websites use cookies. Cookies are small files that are stored on your computer by our website. These cookie files are automatically stored in the cookie folder, the “brain” of your browser, so to speak. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.

Cookies store certain user data about you, such as language or personal page settings. When you visit our site again, your browser transmits the “user-related” information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are used to. In some browsers, each cookie has its own file; in others, such as Firefox, all cookies are stored in a single file.

There are both first-party cookies and third-party cookies. First-party cookies are created directly by our website, third-party cookies are created by partner websites (e.g. Google Analytics). Each cookie must be evaluated individually, as each cookie stores different data. The expiry time of a cookie also varies from a few minutes to a few years. Cookies are not software programs and do not contain viruses, Trojans or other “malware”. Cookies also cannot access information on your PC.

What types of cookies are there?

The question of which cookies we use in particular depends on the services used and is clarified in the following sections of the data protection information. At this point, we would like to briefly explain the different types of cookies.

A distinction can be made between 4 types of cookies:

Essential cookies

These cookies are necessary to ensure the basic functions of the website.

Purposeful cookies

These cookies collect information about user behavior and whether the user receives any error messages. These cookies are also used to measure the loading time and the behavior of the website with different browsers.

Targeted cookies

These cookies ensure better user-friendliness. For example, entered locations, font sizes or form data are saved.

Advertising cookies

These cookies are also known as targeting cookies. They are used to deliver customized advertising to the user.

When you visit a website for the first time, you are usually asked which of these cookie types you would like to allow. And of course this decision is also stored in a cookie.

Purpose of processing via cookies

The purpose ultimately depends on the cookie in question. You can find more details on this below or from the manufacturer of the software that sets the cookie.

Storage duration of cookies

The storage period depends on the respective cookie and is specified below.

You can also influence the storage period yourself. You can delete all cookies manually at any time via your browser (see also “Right to object” below). Furthermore, cookies that are based on consent will be deleted at the latest after you withdraw your consent, whereby the legality of the storage until then remains unaffected.

Right to object – how can I delete cookies?

You decide how and whether you want to use cookies. Regardless of which service or website the cookies come from, you always have the option of deleting, deactivating or only partially allowing cookies. For example, you can block third-party cookies but allow all other cookies.

If you want to find out which cookies have been stored in your browser, if you want to change or delete cookie settings, you can find this in your browser settings:

Chrome: Delete, activate and manage cookies in Chrome

Safari: Managing cookies and website data with Safari

Firefox: Delete cookies to remove data that websites have stored on your computer

Internet Explorer: Deleting and managing cookies

Microsoft Edge: Deleting and managing cookies

If you generally do not want to have cookies, you can set up your browser so that it always informs you when a cookie is to be set. You can then decide for each individual cookie whether or not to allow it. The procedure differs depending on the browser. It is best to search for the instructions in Google using the search term “delete cookies Chrome” or “deactivate cookies Chrome” in the case of a Chrome browser.

Legal basis

The so-called “Cookie Guidelines” have been in place since 2009. These state that the storage of cookies requires your consent (Article 6(1)(a) GDPR). In Germany, the cookie guidelines have not been implemented as national law. Instead, this directive was largely implemented in Section 15 (3) of the German Telemedia Act (TMG), which has been replaced by the Digital Services Act (DDG) since May 2024.

For strictly necessary cookies, even if no consent has been given, there are legitimate interests (Article 6 (1) (f) GDPR), which in most cases are of an economic nature.

If cookies that are not absolutely necessary are used, this will only take place with your consent. In the following sections, you will be informed in more detail about the use of cookies if the software used uses cookies.

What is web hosting?

When you visit websites these days, certain information – including personal data – is automatically created and stored, including on this website. This data should be processed as sparingly as possible and only with justification. By website, by the way, we mean the entirety of all web pages on a domain, i.e. everything from the start page (homepage) to the very last subpage (like this one). By domain we mean cyberagentur.de.

To display the website, the browser must connect to another computer where the website code is stored: the web server. Operating a web server is a complicated and time-consuming task, which is why this is usually done by professional providers. In our case, we have set up our own web server. This means that all data remains in our hands.

When the browser on your computer (desktop, laptop, tablet or smartphone) connects and during data transfer to and from the web server, personal data may be processed. On the one hand, your computer stores data; on the other hand, the web server must also store data for a certain period of time in order to ensure proper operation.

Why do we process personal data?

The purposes of data processing are:

1. Professional website hosting and operational security
2. to maintain operational and IT security
3. Anonymous evaluation of access behavior to improve our offer and, if necessary, for criminal prosecution or prosecution of claims

What data is processed?

Even while you are currently visiting our website, our web server usually automatically saves data such as

• the complete Internet address (URL) of the website accessed
• Browser and browser version
• the operating system used
• the address (URL) of the previously visited page (referrer URL) (e.g. https://www.beispielquellsite.de/vondabinichgekommen/)
• the host name and IP address of the device from which access is made
• Date and time

in files, the so-called web server log files.

How long is data stored?

As a rule, the above-mentioned data is stored for two weeks and then automatically deleted. We do not pass this data on, but we cannot rule out the possibility of this data being viewed by the authorities in the event of unlawful conduct.

Legal basis

The lawfulness of the processing of personal data in the context of web hosting is based on Art. 6 para. 1 lit. f GDPR (protection of legitimate interests).

What is Matomo On-Premise (without cookies)?

We use the data protection-friendly analysis program Matomo On-Premise on our website without the use of cookies. With the on-premise version, Matomo is installed on our own server. This means that we act as the operator of the software and any data that we might collect from you is stored directly by us. The data processing therefore remains entirely in our hands. The tool is produced by the New Zealand company InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand.

Matomo On-Premise is a web analysis platform that takes data protection very seriously and yet provides us, as the website operator, with precise statistics about your behavior on our website. A big difference to other analysis programs is the possibility of data storage on our own server. Matomo On-Premise also offers various options for anonymizing the IP addresses of our website visitors and deactivating cookies. We have also made use of the deactivation of cookies. This means that we use Matomo On-Premise for our website without the use of cookies.

Why do we use Matomo On-Premise?

Many of the usual analysis tools collect vast amounts of personal data and can also pass this on to third-party providers. This means that it is very difficult to maintain control over your data. Data protection is very important to us, which is why we have opted for Matomo On-Premise without the use of cookies. However, we do not want to do without web analysis altogether. After all, we can use statistics on website behavior to optimize our service and adapt it to your individual needs.

What data is stored by Matomo On-Premise?

Above all, information about your visitor behavior is stored. This is not personal data, but information such as the number of visitors to the website, page views, length of stay or search terms used. Technical data such as browser type, the operating system you are using and your screen resolution may also be stored. Matomo On-Premise can also collect information about which website you came to us from. The data collected is stored by us and is not passed on or sold to third parties.

How long and where is the data stored?

Matomo On-Premise is a self-hosted analysis platform, which means that we store all collected data directly on our own servers. Our server is located in Germany, which means that data is not processed in any third countries, i.e. in countries outside the scope of the GDPR.

In principle, we store data for as long as required for business purposes. Unfortunately, we cannot specify exact retention periods at this point because these depend very much on our individual configurations. If you would like to find out more about our data retention periods and configurations, please do not hesitate to contact us.

How can I delete my data or prevent data storage?

You have the right and opportunity to access your personal data at any time and to object to its use and processing.

Legal basis

We have a legitimate interest in analyzing the behavior of website visitors in order to improve our offer technically and economically. With the help of Matomo On-Premise, we can identify optimization potential for our website and improve its efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests). If you would like to know more about data processing by Matomo On-Premise without cookies, you can also contact us. We also recommend the Matomo privacy policy at https://matomo.org/privacy-policy/.

What is email marketing?

In order to keep you up to date, we also use the option of e-mail marketing. If you have agreed to receive our e-mails or newsletters, your data will also be processed and stored. This involves sending news or general information about a company or services by e-mail to a specific group of people who are interested in them.

If you want to take part in our e-mail marketing, all you have to do is register with your e-mail address. To do this, fill out an online form and send it off.

Basically, the registration for newsletters works with the help of the so-called “double opt-in procedure”. After you have registered for our newsletter on our website, you will receive an e-mail confirming your newsletter registration. This ensures that the e-mail address belongs to you and that no one has registered with a third-party e-mail address. We or a notification tool used by us logs each individual registration. This is necessary so that we can prove that the registration process is legally correct. As a rule, the time of registration, the time of registration confirmation and your IP address are saved. In addition, it is also logged when you make changes to your stored data.

What data is processed?

In addition to your IP address and e-mail address, your title, name, address and telephone number may also be stored. However, only if you consent to this data storage. The data marked as such is necessary so that you can participate in the service offered. Providing this data is voluntary, but if you do not provide it, you will not be able to use the service. We record your declaration of consent so that we can always prove that it complies with our laws.

Duration of data processing

If you unsubscribe your e-mail address from our e-mail/newsletter distribution list, we may store your address for up to three years on the basis of our legitimate interests so that we can still prove your consent at that time. We may only process this data if we have to defend ourselves against any claims.

However, if you confirm that you have given us your consent to the newsletter registration, you can submit an individual deletion request at any time. If you permanently revoke your consent, we reserve the right to store your e-mail address in a blacklist. As long as you have voluntarily subscribed to our newsletter, we will of course retain your e-mail address.

Right of objection

You can cancel your newsletter subscription at any time. All you have to do is revoke your consent to the newsletter registration. If you cannot find the link in the newsletter, please contact us by e-mail and we will cancel your newsletter subscription immediately.

Legal basis

Our newsletter is sent on the basis of your consent (Article 6(1)(a) GDPR). This means that we may only send you a newsletter if you have actively subscribed to it beforehand. Information on special email marketing services and how they process personal data can be found in the following section.

What is Brevo?

You can subscribe to our newsletter free of charge on our website. To ensure that this works, we use the e-mail delivery service Brevo for our newsletter. This is a service provided by the German company Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin. Brevo is, among other things, an email marketing tool with which we can send you customized newsletters. In the following, we will go into more detail about Brevo’s email marketing service and inform you about the most important aspects relevant to data protection.

What data is processed by Brevo?

You should be aware that when you register for the newsletter, all the data you enter (such as your email address or your first and last name) will be stored and managed on our server and by Brevo. This also involves personal data. For example, in addition to the time and date of registration, your IP address is also stored. During the registration process, you also consent to us sending you the newsletter and further reference is made to this privacy policy. Data such as click behavior in the newsletter may also be processed.

How long and where is the data stored?

The data for the newsletter tool is stored on servers in Germany. The data collected that makes you identifiable as a person (i.e. personal data) will generally be deleted by Brevo no later than two years after the end of the contractual relationship with us. However, you can also request the deletion of your data individually at any time. Requests will be processed within 30 days. Data that we collect and send to Brevo will be deleted as soon as you unsubscribe from our newsletter.

Right of objection

You can cancel your newsletter subscription at any time. All you have to do is withdraw your consent to the newsletter subscription. You will usually find a link to cancel your newsletter subscription at the end of every email. If you cannot find the link in the newsletter, please contact us by email and we will cancel your newsletter subscription immediately. After unsubscribing, the personal data will be deleted from our server and from the Brevo servers, which are located in Germany.

Legal basis

Our newsletter is sent by Brevo on the basis of your consent (Article 6(1)(a) GDPR). This means that we may only send you a newsletter if you have actively subscribed to it beforehand. If you would like more information about data processing, we recommend that you read the company’s privacy policy at https://www.brevo.com/de/legal/privacypolicy/.

What is social media?

In addition to our website, we are also active on various social media platforms. We have embedded elements of a social media platform directly into our website, which redirects you directly to our social media presence.

What data is processed?

Exactly which data is stored and processed depends on the respective provider of the social media platform.

We do not collect cookies ourselves, but give you the opportunity to follow our social media channels directly via LINK.

All data collected via one of the social media platforms is also stored on the provider’s servers. This means that only the providers have access to the data and can provide you with the appropriate information or make changes.

If you want to know exactly what data is stored and processed by the social media providers and how you can object to the data processing, you should carefully read the respective company’s data protection information. We also recommend that you contact the provider directly if you have any questions about data storage and data processing or wish to assert corresponding rights.

What is Mastodon?

We use the microblogging service Mastodon. This service was developed by the German company Mastodon gGmbH (Mühlenstraße 8a, 14167 Berlin, Germany) and is designed as a decentralized network.

Legal basis

The service is operated on many different networked servers. The operator of the respective server or the respective so-called instance is always responsible for data processing. We also offer a server and are therefore responsible for the data we process. In addition to metadata such as the time of communication, profile names and messages, this also includes your IP address, which is considered personal data according to the GDPR. We also refer you to Mastodon’s privacy policy: https://mastodon.social/privacy-policy. We would like to emphasize once again that we are only responsible for the data processing of our own instance.

What is X?

We have included a link to X on our website. X is a short message service and a social media platform of the American company X Corp, 1355 Market Street, Suite 900 San Francisco, CA 94103, USA. For the European region, Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) is responsible for the processing of personal data.

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. We do not collect cookies ourselves, but give you the opportunity to follow our social media channel directly via LINK.

Most social media platforms also set cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and consult the privacy policy or cookie guidelines of the respective service provider.

We hope we have given you a basic overview of data processing by X. We do not receive any data from X and are not responsible for what X does with your data. If you have any further questions on this topic, we recommend that you read the X data protection information at https://twitter.com/de/privacy.

What is YouTube?

We have included a link to YouTube on our website. This allows us to present interesting videos directly on our site. YouTube is a video portal that has been a subsidiary of Google since 2006. The video portal is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. We do not collect cookies ourselves, but give you the opportunity to follow our social media channel directly via LINK. As YouTube is a subsidiary of Google, there is a joint data protection notice. If you would like to find out more about how your data is handled, we recommend that you read the privacy policy at https://policies.google.com/privacy?hl=de.

What is Xing?

On our website we have set up a link to Xing, the company Xing SE, Dammtorstraße 30, 20354 Hamburg, Germany. You can recognize the plug-ins by the company name or the Xing logo. Xing is a social network with its headquarters in Hamburg.

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. We do not collect cookies ourselves, but give you the opportunity to follow our social media channel directly via LINK. We have tried to provide you with the most important information about data processing by Xing. You can find out more about data processing by the Xing social media network at https://privacy.xing.com/de/datenschutzerklaerung.

What is Instagram?

We have included a link to Instagram on our website. Instagram is a social media platform of the company Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA. Instagram has been a subsidiary of Meta Platforms Inc. since 2012 and is a Facebook product. Instagram uses the same systems and technologies as Facebook. Your data is therefore processed across all Facebook companies.

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. We do not collect cookies ourselves, but give you the opportunity to follow our social media channel directly via LINK.

We have tried to provide you with the most important information about data processing by Instagram. You can find out more about Instagram’s data policy at https://privacycenter.instagram.com/policy/.

What is LinkedIn?

We have included a link to LinkedIn, LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA, on our website. For the European Economic Area and Switzerland, LinkedIn Ireland Unlimited Company Wilton Place in Dublin is responsible for data processing.

What data is stored by LinkedIn?

LinkedIn does not store any personal data simply by integrating the social plug-ins.

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. We do not collect cookies ourselves, but give you the opportunity to follow our social media channel directly via LINK. We have tried to provide you with the most important information about data processing by LinkedIn. You can find out more about data processing by the LinkedIn social media network at https://www.linkedin.com/legal/privacy-policy.

We have included a link to Meta Platforms Inc. on our website. You can recognize these buttons by the classic Facebook logo.

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. We do not collect cookies ourselves, but give you the opportunity to follow our social media channel directly via LINK.

If you want to find out more about Facebook’s data protection, we recommend that you read the company’s own data policy at https://www.facebook.com/privacy/policy/.

What is application data?

You can apply to us for a job in our company by e-mail, online form or via a recruiting tool. All data that we receive and process from you as part of an application is considered application data. You always disclose personal data such as your name, date of birth, address and telephone number.

Why do we process application data?

We process your data so that we can carry out a proper selection procedure in relation to the advertised position. We guarantee that we handle your data with particular care and only ever process your data within the legal framework. Even within our company, your data will only be forwarded to persons who are directly involved with your application.

What data is processed?

Exactly which data is processed depends primarily on the job advertisement. In most cases, however, it will be your name, date of birth, contact details and proof of qualifications. If you submit your application via an online form, the data will be encrypted and forwarded to us. If you send us the application by e-mail, this encryption does not take place. We can therefore accept no responsibility for the transmission method. However, once the data is on our servers, we are responsible for the lawful handling of your data.

During an application process, in addition to the above-mentioned data, information about your health or ethnic origin may also be requested so that we and you can exercise the rights relating to labor law, social security and social protection and at the same time comply with the corresponding obligations. This data is special category data.

Here is a list of possible data that we receive and process from you:

• Name
• Contact address
• E-mail address
• Phone number
• Date of birth
• Information from the cover letter and CV
• Proof of qualifications (e.g. certificates)
• Special categories of data (e.g. ethnic origin, health data, religious beliefs)
• Usage data (websites visited, access data, etc.)
• Metadata (IP address, device information)

How long will the data be stored?

If we accept you as a team member in our company, your data will be processed further for the purpose of the employment relationship and stored by us at least until the end of the employment relationship. All application documents will then be placed in your employee file.

If we do not offer you the job, you reject our offer or withdraw your application, we may retain your data for up to 6 months after completion of the application process on the basis of legitimate interest (Art. 6 para. 1 lit. f GDPR). After that, both your electronic data and all data from physical application documents will be completely deleted or destroyed. We retain your data so that we can answer any follow-up questions or so that we can provide evidence of the application in the event of a legal dispute. If a legal dispute arises and we may still need the data after the 6 months have expired, we will only delete the data when there is no longer any reason to retain it. If there are statutory retention obligations to be fulfilled, we must generally store the data for longer than 6 months.

Legal basis

The legal basis for the processing of your data is Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contract or pre-contractual measures), Art. 6 para. 1 lit. f GDPR (legitimate interests) and Art. 9 para. 2 lit. a. GDPR (processing of special categories).

In the case of the protection of vital interests, data processing is carried out in accordance with Art. 9 para. 2 lit. c. GDPR. For the purposes of health care, occupational medicine, medical diagnosis, health or social care or treatment or for the management of health or social care systems and services, the processing of personal data is carried out in accordance with Art. 9 para. 2 lit. h. GDPR. GDPR. If you voluntarily provide data of special categories, the processing is carried out on the basis of Art. 9 para. 2 lit. a. GDPR.

What are video conferencing & streaming?

We use software programs that enable us to hold video conferences, online meetings, webinars, display sharing and/or streaming. During a video conference or streaming, information is transmitted simultaneously via sound and moving images. With the help of such video conferencing or streaming tools, we can communicate with customers, business partners, clients and even employees quickly and easily via the Internet. When selecting the service provider, we naturally pay attention to the specified legal framework conditions.

In principle, third-party providers can process data as soon as you interact with the software program. Third-party providers of video conferencing and streaming solutions use your data and metadata for various purposes. For example, the data helps to make the tool more secure and to improve the service. In most cases, the data may also be used for the third-party provider’s own marketing purposes.

Information on special video conferencing and streaming solutions and their data protection settings can be found in the appointment scheduling.

We process the personal data provided by you as part of the implementation of the award procedure insofar as this is necessary for this purpose.

What data is processed?

The following types of data may be subject to processing:

• Personal master data: Surname, first name
• Contact details: Address, e-mail address, telephone number(s)
• Qualification data: depending on the scope of the tender documents, e.g. references, certificates, attestations, etc.
• Meeting notes: transcripts from telephone calls, e-mail correspondence, possibly from bidder meetings
• Evaluation data: e.g. analysis sheet
• Log data in general from IT systems, web applications and software such as time, date, sender, IP address, upload data in the allocation portal, from e-mail communication, from files (PDF, Word, Excel), connection data
• Bank details

In addition, constellations may arise in which we process personal data that are not mentioned here or whose purposes are not communicated here. In such a case, we will provide separate information on data protection on an ad hoc basis and inform you in advance if this is required by law.

Who receives personal data and where is it processed?

Within our company, only those employees who need your personal data to fulfill our contractual or legal obligations will have access to it. In the context of evaluations, the (personal) data required to carry out the evaluation may be passed on to a jury. As a rule, evaluations are carried out by a panel of experts from the Cyberagentur and from authorities and organizations from the national security sector who are bound to confidentiality.

In addition, in accordance with Section 19 (4) of the German Minimum Wage Act (MiLoG), Section 21 (4) of the Posted Workers Act (AEntG) and Section 21 (1) of the Act to Combat Clandestine Employment (SchwarzarbG), we are obliged to request information from the competition register for the bidder who is to be awarded the contract for contracts of EUR 30,000 (net) or more before the contract is awarded. For this purpose, the required personal data (name and address) will be forwarded to the responsible Federal Cartel Office.

In the event that the future contractor is a natural person, the following additional information is provided:

In accordance with the provisions of public procurement law (see Section 134 (1) GWB, Section 62 (2) VgV, Section 36 (2) VSVgV and Section 46 (1) UVgO), we will inform bidders or participants whose bids are not to be considered of the name of the company whose bid is to be accepted. In the case of an EU-wide procedure, this company name is published in the contract award notice in the Supplement to the Official Journal of the EU in accordance with Section 39 VgV or Section 35 VSVgV.

The data is only processed within the European Union and countries within the European Economic Area (EEA). There is no transfer to a third country.

Legal basis

The processing of personal data takes place within the framework of the Cyberagentur’s award procedures for the preparation of a contractual relationship on the basis of Art. 6 para. 1 lit. b), c) and e), Art. 6 para. 3 GDPR in conjunction with. § SECTION 3 BDSG. Furthermore, legal bases may arise from other legal regulations that we must observe, such as Sections 7, 55 of the Federal Budget Code (BHO), Sections 97 et seq. Act against Restraints of Competition (GWB), Public Procurement Ordinance (VgV), VSVgV, Sub-Threshold Procurement Ordinance (UVgO).

In the event of an assignment, we process the personal data of contractual partners and any subcontractors or other contact persons named by them in accordance with Art. 6 Para. 1 lit. b) GDPR that are required to fulfill the contractual relationship.

Is there an obligation to provide personal data?

Participation in our procurement procedures is neither contractually nor legally required. In the event of participation, the provision of personal data is necessary for the implementation of the procedure and for the planned conclusion of the contract. If the required information is not provided, the examination and evaluation of requests to participate or tenders cannot be carried out or cannot be carried out in full, with the result that these must be excluded.

How long will the data be stored?

The personal data transmitted in connection with the award procedure will be stored for the proper budgetary, cash and accounting management of the Cyberagentur and as proof of the proper execution of the procedure in accordance with the budgetary retention periods of the Federal Budget Code (BHO) and the periods applicable to the retention of documents under the German Commercial Code (HGB) and the relevant public procurement regulations.

What rights do you have?

All data subjects have the right of access under Art. 15 GDPR, the right to rectification of their data under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing of their data under Art. 18 GDPR, the right to data portability under Art. 20 GDPR and the right to object to processing (Art. 21 GDPR). Restrictions may apply to the right of access and the right to erasure in accordance with Sections 34 and 35 BDSG.

We have included links to various memberships on our website. The links can be recognized by the full URL (e.g. https://www.afcea.de/). The homepage of the respective membership opens in a separate window. We have compiled an overview of all memberships below:

• AFCEA Bonn e.V. – https://www.afcea.de/
• Alliance for Cyber Security – https://www.allianz-fuer-cybersicherheit.de/
• Bitkom e. V. – https://www.bitkom.org/
• Competence Center for Applied Security Technology, CAST e.V. https://cast-forum.de/
• German Informatics Society – https://gi.de/
• Leipzig Science Network e.V. – https://www.leipzig-science-network.de/
• Quantum Business Network UG – https://qbn.world/
• The Linux Foundation® – https://www.linuxfoundation.org/
• NExT e.V. – https://next-netz.de/

What data is processed?

We do not process any data ourselves, but provide the opportunity to gain an insight into our memberships via LINK. However, data processing can be carried out on the respective pages of the memberships. If you do not wish your data to be processed or passed on, please do not use these links. You will find further information in the data protection notices of the memberships

Legal basis

In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in transparent cooperation with our member partnerships. We do not collect any data ourselves, but give you the opportunity to follow our memberships directly via LINK.

We always endeavor to write our data protection information as clearly and comprehensibly as possible. However, this is not always easy, especially when it comes to technical and legal topics. It often makes sense to use legal terms (e.g. personal data) or certain technical terms (e.g. cookies, IP address). However, we do not want to use these without explanation. Below you will find an alphabetical list of important terms used, which we may not have covered sufficiently in the previous data protection notice.

Processor

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“Processor” a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Explanation: As a company and website owner, we are responsible for all data that we process from you. In addition to controllers, there may also be so-called processors. This includes any company or person that processes personal data on our behalf. In addition to service providers such as tax consultants, processors can therefore also be hosting or cloud providers, payment or newsletter providers or large companies such as Google or Microsoft.

Supervisory authority concerned

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“supervisory authority concerned” a supervisory authority that is affected by the processing of personal data because

a) the controller or processor is established in the territory of the Member State of that supervisory authority,

b) such processing has or is likely to have a significant impact on data subjects residing in the Member State of that supervisory authority; or

c) a complaint has been submitted to this supervisory authority;

Explanation: In Germany, each federal state has its own supervisory authority for data protection. If your company headquarters (main office) is therefore in Germany, the relevant supervisory authority of the federal state is generally your point of contact.

Third

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“third party” a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

Consent

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“Consent” any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Receiver

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“Receiver” a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Health data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“health data” personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, and from which information about their health status is derived;

Personal data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“personal data” any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Profiling

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“Profiling” any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

Pseudonymization

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“Pseudonymization” the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

The company

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“enterprise” a natural or legal person that carries out an economic activity, regardless of its legal form, including partnerships or associations that regularly pursue an economic activity;

Person responsible

Definition according to Article 4 of the GDPR

For the purposes of this Regulation:

“Controller” the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processing

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term: “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;