Privacy Policy

Certified data protection at INSITE

INSITE-Interventions GmbH has been certified in "Data Protection" since 2013. All company processes are reviewed for data protection and security aspects every year. By doing this, we can ensure that we provide the best possible protection for the personal data we store. Not only does INSITE fulfil the criteria of the German Federal Data Protection Act (Bundesdatenschutzgesetz) and the General Data Protection Regulation (GDPR), but we also roll out new security measures continuously in order to protect personal data according to the state of the art.

 

What does certified in "Data Protection" mean?

"Data Protection" certification verifies compliance with all statutory requirements of the German Federal Data Protection Act, the General Data Protection Regulation, and aspects of IT, privacy law, data processing and IT security. Specialists conduct internal and external security assessments for this purpose. Comprehensive and rigorous security analyses of our employees, company processes and company systems assess whether the confidentiality and integrity of the data being processed satisfies the high security demands, whether the statements made in data protection documents have been effectively implemented and whether personal data are being effectively protected in accordance with the latest Federal Data Protection Act and the General Data Protection Regulation, e.g. by securing all systems against unauthorised access.

The certificate is valid for three years and is monitored during an annual audit. This audit assesses, among other things, whether the protection and security of data is still guaranteed and how processes can be continuously optimised. Re-certification is performed every three years, such that the continuous process of improving data protection and data security is maintained on a permanent basis. This cycle helps to build trust and guarantees that our security measures are always up-to-date.

 

What does data protection mean in the context of employee assistance?

In principle, employees or family members can use all our assistance services anonymously by using a nickname, i.e. without giving their name or personal information like their e-mail address or phone number. If people decide to entrust their data to us, they can be sure that we will protect their data and handle it with the utmost care, using it only for the purpose of providing assistance.

Got questions about our data protection concept? Give us a call (+49 69 90 555 29 – 0) or send your questions to datenschutz@insite.de and talk to our Data Protection Officer Deborah Schütt.

 

You can find our Transparency Notice here.

 

1. General information on privacy and data protection

Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of Member States and other data protection regulations is:

INSITE-Interventions GmbH
CEOs: Dr. Matthias Conradt, Alexander Oster
Clemensstr. 10 - 12
60487 Frankfurt am Main
Tel: +49 69 90555 290
Email: office@insite.de

Websites:
www.insite.de
www.eap.de
 

We take the protection of your personal data very seriously. We process your personal data confidentially and in accordance with statutory data protection regulations and this Privacy Policy.

Generally speaking, it is possible to use our websites without providing any personal data. Where personal data is collected on our websites (e.g. name, address or e-mail address), this is always a voluntary act as far as possible. These data are not passed on to third parties without your explicit consent.

Please note that when transferring data via the internet (e.g. when communicating via e-mail), absolute security cannot be guaranteed. It is not possible to protect data fully against third-party access.

The regulations below provide information in this regard on the nature, scope and purpose of the collection, use and processing of personal data by the provider.

 

2. General information on data processing

We collect, process and use the personal data of users in order to comply with the relevant data protection regulations. This means that the data of users is only ever used where we are legally permitted to do so or have obtained consent.

We take organisational, contractual and technical security measures in accordance with the state of the art in order to ensure that we are compliant with the regulations of data protection laws and in order to protect the data we manage against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.

 

Purpose of collecting, processing and using personal data

The personal data of users are used for providing our websites and the associated user services. We forward data to third parties where this is based on consent or permitted by law in order to fulfil our contractual obligations to the users.

When you get in touch with us, information is stored for the purposes of processing your enquiry and in the event that you have any follow-up questions. Personal data are erased once they are no longer required or erasure is not prohibited by regulations on statutory retention periods.

 

3. Collection of access data

We collect data on every instance of access to the server where this website is located (so-called server log files). These access data include the name of the website and file accessed, the time and date of the request, the volume of data transferred, notification of successful access, browser type and version, operating system of the user, referrer URL (the site previously visited), IP address and the provider making the request. These data cannot be linked back to identifiable persons. These data are not collated with other data sources. Server log files are anonymised after 7 days. Our legitimate interest consists in providing a website that is free from bugs (Article 6(1), point (f) GDPR).

 

We use the log data without assigning it to the person of the user or any other profiling, in accordance with the statutory provisions, for statistical analysis only, for the purpose of running, securing and optimising our offering. However, we reserve the right to retroactively analyse the log data if we have a legitimate suspicion of unlawful use based on concrete evidence.

 

4. Cookies

Our websites use so-called cookies. You can find more information on cookies in the cookie banner. Cookies do not harm your computer and do not contain viruses. Cookies are small text files that are stored on your computer and which your browser saves. The cookies we use are so-called "Session Cookies" which are required for seamless access to the website. They are automatically deleted when you end your visit. Other cookies remain on your end device until you delete them. You can adjust your settings so that your browser tells you when cookies are used and only allows cookies in individual instances, so that it allows cookies in certain instances or blocks them in general, and so that it automatically deletes cookies when you close your browser.

We also use Marketing Cookies for analysis and statistical purposes. We use the Google Tag Manager for this. The Google Tag Manager is a tool which we can use to integrate tracking or statistics tools and other technologies into our website. The Google Tag Manager does not create any user profiles itself, does not store any cookies and does not conduct any analyses of its own. It is used solely for managing and operating the tools which are integrated through it.


We use the LinkedIn Insight Tag for retargeting using the conversion tracking technology provided by the LinkedIn Corporation. With this technology, personalised ads can be displayed to users of this website on LinkedIn. It also allows us to compile anonymous reports on the performance of our web ads and information on website interactions. The LinkedIn Insight Tag is integrated into this website, which means that a connection is established with the LinkedIn server if you visit this website while you are logged in to your LinkedIn account.

Our use of cookies is based on Article 6(1), point (f) GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of different tools on his website. Where consent has been asked for, processing is performed solely on the basis of Article 6(1), point (a) GDPR and Sec. 25 TTDSG (German Telecommunications-Telemedia Data Protection Act); this consent can be withdrawn at any time.

 

5. Getting in touch

On our website, you can get in touch with us via e-mail and/or our contact form. When this happens, the information provided by the user is stored for the purposes of processing their contact request. This information is not forwarded to third parties. The data collected are not compared against any data that may have been collected via other components of our website either. The contact request can be erased at any time (see "Data subject rights"). The legal basis for collecting and processing the data is Article 6(1), point (b) GDPR.

 

6. Newsletter data: subscribing to our newsletter

On our website, you can sign up to receive our company newsletter. We use this newsletter to keep clients and interested parties up-to-date with what our company has to offer at regular intervals. We use Maileon for sending out our newsletters. The provider is XQueue GmbH, Christian-Pleß-Straße 11-13, 63069 Offenbach am Main. Maileon is a service that can be used for organising and analysing the delivery of newsletters. The data you provide for the purposes of receiving the newsletter (e.g. e-mail address) are stored on XQueue servers in Germany. INSITE has an audit and data processing agreement in place with XQueue GmbH.

In order to send out the newsletter, we need a valid e-mail address for you and information which will allow us to check that you are the owner of the e-mail address provided and that you have consented to receive the newsletter. We do not collect any additional data except on a voluntary basis. For legal reasons, a confirmation e-mail is sent to the e-mail address of any person signing up to receive the newsletter for the first time as part of the Double Opt-In procedure. We only use these data to send out the newsletter and do not forward them to third parties. The legal basis for collecting and processing the data is Article 6(1), point (a) GDPR.

When someone signs up for the newsletter, we also store the IP address of the computer system used by the data subject at time of registration, which is provided by their Internet Service Provider (ISP), and the time and date of registration. We need to collect these data in order to trace any (potential) misuse of the e-mail address of a data subject at a later time. We therefore collect these data in order to protect ourselves.

You can withdraw any consent you have given to storage of these data, your e-mail address and the use of your e-mail address for sending you the newsletter at any time, e.g. by clicking on the "Unsubscribe" link in each newsletter. Alternatively, you can unsubscribe by e-mailing datenschutz@insite.de at any time. This will not affect the lawfulness of any data processing conducted up until you withdraw your consent.

We store the data you send us for the purposes of subscribing to the newsletter until you unsubscribe from the newsletter, and erase these data after you unsubscribe.

 

Newsletter tracking

The newsletter contains so-called web beacons. A web beacon is a mini graphic that is embedded in e-mails which are sent in HTML format so that a log file can be registered and analysed. This allows us to conduct a statistical evaluation of the success or failure of online marketing campaigns. Using the embedded web beacon, we can tell whether and when a data subject has opened an e-mail and what links in the e-mail the data subject has clicked on.

We store and evaluate the personal data collected via the web beacons contained in our newsletters based on our legitimate interest in optimising our newsletter and better tailoring the content of future newsletters to the interests of the data subject. The legal basis is Article 6(1), point (a) GDPR. These personal data are not passed on to third parties. Data subjects are entitled to withdraw their consent to this, which they give separately via the Double Opt-In procedure, at any time. Once consent has been withdrawn, these personal data are erased by the controller. Unsubscribing from the newsletter is treated as an automatic withdrawal of consent.

 

7. Use of Google AdWords

We also use the Google advertising tool "Google AdWords" to advertise our websites. As part of this, our websites use the "Conversion Tracking" analysis tool provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter "Google". If you have landed on our website via a Google ad, a cookie will be placed on your computer. Cookies are small text files that are placed and stored on your computer. These so-called "Conversion Cookies" expire after 30 days and are not used to identify you personally. If you visit certain pages on our websites and the cookie has not yet expired, we and Google can tell that you have clicked on one of our ads on Google and that you have been directed to our website.

 

The information we obtain using the "Conversion Cookies" helps Google to compile visitor statistics for our website. These statistics tell us the total number of users who have clicked on our ad and also which pages on our website each user has subsequently accessed. However, neither we nor other parties advertising via "Google AdWords" receive any information which can be used to identify users personally.

 

The legal basis for this data processing is your consent (Article 6(1) point (a) GDPR) which can be withdrawn at any time. The legal basis for transferring data to the USA is the EU-US Privacy Framework.

 

You can adjust your browser settings to block installation of "Conversion Cookies", e.g. by deactivating the automatic use of cookies in general or specifically blocking only cookies from the domain "googleadservices.com".

Google's Privacy Policy can be accessed via the following link: https://policies.google.com/privacy?gl=de.  

 

8. Google Analytics with anonymisation function

We use Google Analytics on our website. This is a web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter "Google". Google Analytics uses so-called "Cookies", small text files which are stored on your computer and which allow your use of the website to be analysed. The information generated by these cookies, such as the time, location and frequency of your website visit, including your IP address, is transferred to Google in the USA where it is stored.

 

We use Google Analytics on our website with an IP anonymisation function. This means that your IP address will be shortened, and therefore anonymised, by Google while still in the Member States of the European Union or other contract states to the European Economic Area Agreement. Google will use this information to analyse your use of our website in order to prepare reports for us on website activity and in order to provide other services associated with the use of the website and internet use. Google may also transfer this information to third parties where this is a legal requirement and provided third parties are processing this data on behalf of Google.

The legal basis for this data processing is your consent (Article 6(1) point (a) GDPR) which can be withdrawn at any time. The legal basis for transferring data to the USA is the EU-US Privacy Framework.

 

You can block cookies by making changes to your browser settings; however, please be aware that this may affect the functionality of the features of this website.

Google also offers a deactivation option for the most common browsers which gives you more control over what data Google collects and processes. If you activate this option, no information concerning your visit to our website will be transferred to Google Analytics. However, this does not prevent information from being transferred to us or any other web analysis services which we use. More information on Google's deactivation option and on how to activate it can be found at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

 

9. Usercentrics consent management service

We use the consent management service Usercentrics from Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany (Usercentrics). This allows us to obtain and manage consent from website users to the processing of data. This processing is necessary in order to fulfil a legal obligation (Article 7(1) GDPR) which we are subject to (Article 6(1)(1), point (c) GDPR). To do this, we process the following information:

  • Date and time of access
  • Browser information
  • Device information
  • Geographical location
  • Cookie preferences
  • URL of page visited

 

We cannot guarantee the functionality of the website without processing these data.

Usercentrics is the recipient of your personal data and works on our behalf as a data processor.

Processing is conducted in the European Union. More information on objection and disposal options for Usercentrics can be found at: https://usercentrics.com/de/datenschutzerklaerung/

Data are erased after 3 years.

 

Please observe the general information above concerning the deletion and deactivation of cookies.

 

10. Booking a consultation

In some cases, we offer users the ability to book a consultation directly via our website. To do this, we process the personal information you provide, such as your name and contact details (e-mail, telephone no.), and your preferred consultation. This service is provided by TerminApp GmbH, Munich within the framework of a data processing agreement. The personal data transmitted are processed by TerminApp GmbH exclusively for the purpose of arranging a consultation online on behalf of INSITE-Interventions GmbH as the client. The legal basis for processing your personal data in order to book a consultation is Article 6(1)(1), point (b) GDPR. Personal data that were collected in the context of booking a consultation are erased after 18 months.

More information on timify can be found on the TerminApp GmbH website: https://www.timify.com/de-de/pages/nutzungsbedingungen-fuer-terminbucher/ and the timify Privacy Policy https://www.timify.com/de-de/legal/

 

11. Audio and video conferences

Data processing

We use online conference tools to communicate with our clients. The specific tools we use are listed below. Whenever you communicate with us via online video or audio conference, we and the provider of the conference tool in question collect and process your personal data.

These conference tools collect all the data which you provide/enter in order to use the tools (e-mail address and/or telephone no.). The conference tools also record the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" relating to the communication process (metadata).

The provider of the tool also processes all technical data which are required in order to facilitate the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and type of connection.

 

Where content is exchanged, uploaded or otherwise made available within the tool, this content is also stored on the servers of the tool provider. This content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information that is shared while the service is being used.

 

Please note that we do not have full control over the data processing procedures which these tools use. Our ability to exercise control is largely determined by the company policy of the respective provider. For more information on how conference tools process data, please see the privacy policies for the tools in question which we have listed below this text.

 

Purpose and legal basis

The conference tools are used in order to communicate with existing or potential contract partners or to offer our clients specific services (Article 6(1), point (b) GDPR). We also use the tools in order to generally simplify and speed up communication with us or our companies (legitimate interest within the meaning of Article 6(1), point (f) GDPR). Where consent has been asked for, the tools in question are used on the basis of this consent; this consent can be withdrawn at any time with effect for the future.

 

Storage periods

The data which we collect directly via video and conference tools is erased from our systems as soon as you ask us to erase them or withdraw your consent to their storage, or as soon as the purpose for which they are being stored no longer applies. Cookies remain on your end device until you delete them. Mandatory statutory retention periods are unaffected.

We have no influence on the storage periods for data concerning you which the operators of the conference tools have stored for their own purposes. For details, please contact the operators of the conference tools directly.

 

Conference tools used

We use the following conference tools:

Zoom

We use Zoom, a means of communication which we use for performance of a contract. The legal basis is Article 6(1), point (b) GDPR (performance of a contract or steps taken prior to entering into a contract).

If you do not wish for your data to be transferred, you cannot take part in the relevant web meeting.

Recipients

  • Server centre
  • External IT company

Transfer to third countries

Zoom Communications Inc., San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA

 

Storage periods / Deletion policies

Expiry of purposes of data storage, hosting of web meeting.

We have no influence on the storage periods for data concerning you which the operators of the conference tools have stored for their own purposes. For details, please contact the operators of the conference tools directly.

 

Change of purpose

The use of personal data for purposes other than those for which they were collected is not permitted.


MS Teams

A number of different types of data are processed when you use "Microsoft Teams". The scope of these data depends on what information you provide before or during an "online meeting".

Processing may relate to the following personal data.

User information:

  • First name;
  • Surname;
  • Telephone (optional);
  • E-mail address, password (if not using "Single Sign-On");
  • Profile picture (optional);
  • Department (optional);

Meeting metadata:

  • Subject, description (optional);
  • Participant IP addresses;
  • Device/hardware information;

When dialling in from a phone:

  • Information on incoming and outgoing telephone number;
  • Country name;
  • Start and end time;
  • Other connection data, e.g. the IP address of the device, may be stored.

 

Text, audio and video data:

You may have the option of using the chat, question or survey functions as part of an "online meeting". If you do, the text you enter will be processed in order to display it in the "online meeting" and may also be archived. Data from the microphone of your end device and any video camera on the end device will therefore be processed for the duration of the meeting in order to display video and replay audio. You can switch off your camera or mute your microphone yourself at any time via the "Microsoft Teams" applications.

In order to take part in an "online meeting" or enter the "meeting room", you must provide your name as a minimum.

 

Scope of processing

We use "Microsoft Teams" in order to hold "online meetings" and cooperate with our clients/business partners.

We do not conduct any automated decision-making within the meaning of Article 22 GDPR.

The use of "Microsoft Teams" is based on Article 6(1), point (f) GDPR. In these instances, our interest consists in the effective hosting of "online meetings" and cooperative collaboration.

A further legal basis for processing data when hosting "online meetings" is Article 6(1), point (b) GDPR insofar as the meetings are being held within the context of steps taken prior to entering into a contract.

 

Recipients

The provider of Microsoft will, by necessity, gain knowledge of the data indicated above insofar as this has been stipulated within the framework of our data processing agreement with Microsoft.

We have concluded a data processing agreement with Microsoft and supporting IT service providers which complies with the requirements of Article 28 GDPR. Microsoft keeps the data collected on European servers only.

 

12. Privacy policy regarding applications and during the application process

Our privacy policy regarding applications can be found here.
 

13. Whistleblower system

We use the online platform DPMS – Data Protection Management System, LegalInnovate Technologies GmbH, Thomas Niersmann, An der Niers 6, 47608 Geldern to operate the whistleblower system for our clients.

 

We have concluded a data processing agreement in this regard with the aforementioned provider in order to guarantee that this provider only processes the personal data of our clients in accordance with our instructions and in compliance with the GDPR.

The legal basis for this data processing is performance of a contract pursuant to Article 6(1)(1) point (b) GDPR. Personal data are erased after 3 years.
https://www.datenschutz-management.software/wp-content/uploads/terms_current.pdf
 

14. Data subject rights

Where personal data concerning you are processed, you constitute a data subject within the meaning of the GDPR and have the following rights with respect to the controller:

 

a. Right of access

You may demand confirmation from the controller of whether we are processing personal data concerning you. Where such processing is taking place, you may demand the following information from the controller:

 

(1) The purposes, for which the personal data are being processed;

(2) The categories of personal data which are being processed;

(3) The recipients or categories of recipients, to whom the personal data concerning you have been or will be disclosed;

(4) The planned duration of storage of the personal data concerning you or, where concrete information cannot be provided in this regard, criteria for setting storage periods;

(5) The existence of a right to rectification or right to erasure regarding the personal data concerning you, a right to restriction of processing, or a right to object;

(6) The existence of a right to lodge a complaint with a supervisory authority: https://datenschutz.hessen.de/

(7) All available information concerning the source of the data where personal data have not been obtained from the data subject;

(8) The existence of automated individual decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR and – at least in such cases – meaningful information on the logic involved and on the extent and intended effects of such processing for the data subject.

You have a right to demand confirmation as to whether or not the personal data concerning you are transferred to a third country or an international organisation. In this regard, you may demand that you be informed of the suitable guarantees pursuant to Article 46 GDPR in connection with such a transfer.

 

b. Right to rectification

You have a right to rectification and/or to have incomplete information completed insofar as the personal data concerning you that are being processed are incorrect or incomplete. The controller shall perform rectification without undue delay.

 

c. Right to restriction of processing

Subject to the following conditions, you may demand the restriction of processing of personal data concerning you:

 

(1) if you are contesting the correctness of the personal data concerning you, for a period which allows the controller to verify the correctness of the personal data;

(2) the processing is unlawful and you reject erasure of the personal data and instead demand restriction of the use of the personal data;

(3) the controller no longer requires the personal data for the purposes of the processing but you require these data for the establishment, exercise or defence of legal claims; or

(4) you have objected to the processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the legitimate interests of the controller outweigh your legitimate interests.

 

If the processing of personal data concerning you has been restricted, these data may only be processed – excluding storage – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted according to the conditions above, you will be notified by the controller before this restriction is lifted.

 

d. Right to erasure

Duty of erasure

You may demand from the controller that the personal data concerning you be erased immediately and the controller has a duty to erase these data without undue delay, provided one of the following reasons applies:

 

(1) The personal data concerning you are no longer required for the purposes, for which they were collected or otherwise processed;

(2) You withdraw your consent, on which the processing was based pursuant to Article 6(1), point (a) or Article 9(2), point (a) GDPR, and there is no other legal basis for the processing;

(3) You object to the processing pursuant to Article 21(1) GDPR and there do not exist any superior legitimate interests in the processing, or you object to the processing pursuant to Article 21(2) GDPR;

(4) The personal data concerning you were being processed unlawfully;

(5) The erasure of the personal data concerning you is necessary in order to fulfil a legal obligation under EU law or the law of the Member States which the controller is subject to.

(6) The personal data concerning you were collected in relation to information society services pursuant to Article 8(1) GDPR.

 

Forwarding information to third parties

If the controller has made the personal data concerning you public and he is obliged to erase these data pursuant to Article 17(1) GDPR, he shall take appropriate measures, including measures of a technical nature, in order to inform the data processor who is processing the personal data that you, as a data subject, have demanded from him the erasure of all links to these personal data or of copies or duplicates of these personal data, taking into account the technologies available and the costs of implementation.

 

Exceptions

The right to erasure does not apply insofar as the processing is necessary:

(1) in order to exercise the right to freedom of speech and information;

(2) in order to fulfil a legal obligation which makes the processing necessary according to the law of the EU or of Member States which the controller is subject to, or in order to exercise a duty which is in the public interest, or in order to exercise a public power which has been transferred to the controller;

(3) for reasons of public interest with respect to public health pursuant to Article 9(2), point (h) and point (i) and Article 9(3) GDPR;

(4) for archival, scientific or historical research purposes which are in the public interest or for statistical purposes pursuant to Article 89(1) GDPR, insofar as the right indicated under a) will not foreseeably have a serious negative impact on or render impossible the realisation of the objectives of this processing; or

(5) for the establishment, exercise or defence of legal claims.

 

e. Right to notification

If you have enforced the right to rectification, erasure or restriction of processing against the controller, he is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have a right to be informed of these recipients by the controller.

 

f. Right to data portability

You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transfer these data to another controller without hindrance from the controller to which the personal data have been provided, where:

(1) the processing is based on consent pursuant to Article 6(1), point (a) or Article 9(2), point (a) or on a contract pursuant to Article 6(1), point (b); and

(2) the processing is carried out by automated means.

In exercising this right to data portability you furthermore have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons may not be impaired as a result.

The right to data portability does not apply to the processing of personal data which is necessary in order to exercise a duty which is in the public interest, or in order to exercise a public power which has been transferred to the controller.

 

g. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1), point (e) or (f), including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

 

h. Right to withdraw consent

You have the right to withdraw any consent you have given under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

i. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between you and the controller;

(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Article 9(1), unless Article 9(2) point (a) or point (g) applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.

With regard to the cases indicated under (1) and (3), the controller shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

 

j. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the suspected breach, if you are of the opinion that the processing of the personal data concerning you is in breach of the GDPR.

The supervisory authority where the complaint has been lodged will notify the complainant of the progress and outcome of the complaint, including information on how to seek a judicial remedy according to Article 78 GDPR.

 

15. Name and address of the Data Protection Officer

The controller's Data Protection Officer is:

Ms Deborah Schütt
Clemensstr. 10-12
60487 Frankfurt am Main
Germany
Tel: +49 69 90555 29-0, Direct dial -20
Email: datenschutz@insite.de

 

16. Amendments to the Privacy Policy

We reserve the right to amend this Privacy Policy in order to adapt it to changes in the legal framework or changes to the service and the data processing. Users are therefore kindly requested to review the content of this policy regularly.

 

Frankfurt am Main, January 2024

The Management