The protection of your privacy is an important concern for us. We process your personal data only in accordance with the provisions of the General Data Protection Regulation (GDPR) and other statutory data protection regulations, in particular the Federal Data Protection Act (BDSG). All data will of course be treated confidentially. With the following data protection information, we would like to explain to you in detail how your data is handled when using our websites.
In principle, the collection, processing and use of personal data for the use of our Internet presence is limited to the data and extent necessary. Personal data are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior. In addition, we use the common SSL (Secure Socket Layer) procedure within our website in conjunction with the highest level of encryption supported by your web browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is being transmitted in encrypted form by the closed key or lock symbol displayed in the lower status bar of your browser.
Responsible for the collection, processing and use of your personal data in accordance with Art. 4 para. 7 GDPR is
BOSIG GmbH,
Brunnenstraße 75-77
73333 Gingen
Phone: +49 (0) 7162/4099-0
Fax: +49 (0) 7162/4099-200
E-mail: info@bosig.de
Name and address of the Data Protection Officer
You can reach the BOSIG GmbH data protection officer at the following contact details:
MSO Consulting
Daniel Voigtländer
Zeisigweg 11
71397 Leutenbach
Phone: +49 (0) 7195 / 977 2959
E-mail: datenschutz@bosig.de
Whenever you visit our websites, our systems automatically record data and information from the computer system of the calling computer (personal data that your browser sends to our server). This also occurs if you do not register or otherwise provide us with information, for example through active entries. The following data is always collected when you visit our websites:
This data is stored in the log files of our system. As a rule, it is not stored together with other personal data of yours.
The storage of the aforementioned data, in particular the IP address by our systems, is basically only temporary for the duration of the session and is necessary to enable the proper operation and presentation of the website. This processing of your data also serves the purposes of evaluating and further ensuring system security and system stability as well as other administrative purposes.
Insofar as your data is stored in our log files, this is also only done for reasons of ensuring the functionality of our websites. In addition, the data serves us to optimize and ensure the security of our information technology systems.
An evaluation of the data for marketing purposes does not take place in this context.
The legitimate basis for the processing and temporary storage of your personal data is Art. 6 para. 1 sentence 1 letter f GDPR. Our legitimate interests follow from the purposes for data collection described above.
Your data will be deleted as soon as they are no longer required for the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session is ended.
In the case of storage of your data in log files, this is the case after seven days at the latest. Storage beyond this period is only envisaged in exceptional cases, for example if this is necessary for technical reasons or to improve our systems. In this case, the IP addresses of the users are deleted or obscured so that they can no longer be attributed to a user.
The collection of your data for the provision of the website and the storage in log files if applicable is absolutely necessary for the operation of the website.
There is therefore no possibility of objection.
A contact form is integrated on our website, through which you can get in touch with us. When using the contact form, the data entered in the input mask is transmitted to us and stored:
In addition, your IP address and the date and time of the request are stored. For the processing of the data, your consent will be obtained during the sending process and reference will be made to this Privacy Policy.
It is also possible to contact us via e-mail addresses provided by us. In this case, your personal data transmitted with the e-mail will be stored and processed by us, in particular to process your request or the reason for contacting us.
Depending on the content of your inquiry, the data will be forwarded to the responsible company in the BOSIG Group. The data will be used exclusively for processing the conversation.
The legitimate basis for the processing of your data when using the contact form is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
The legitimate basis for the processing of your data when sending an e-mail to us is Art. 6 para. 1 sentence 1 lit. a as well as f GDPR. The processing is based on an implied consent and on our legitimate interests. If the e-mail contact is aimed at the conclusion of a contract, the additional legitimate basis for processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
The processing of personal data from the input mask or the e-mail sent to us serves only to process your contact with us. In the case of contacting us by e-mail, this indicates the necessary legitimate interest in the processing of the data by us. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
We will delete your data as soon as it is no longer required for the purposes described. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with you has ended. As a rule, the conversation is finished when the circumstances indicate that the reason for contacting us has been conclusively clarified.
The additional personal data collected during the sending process will be deleted after a period of 7 days at the latest.
You have the possibility to revoke your consent to the processing of your personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. In such a case, however, the conversation with you may not be able to continue. All personal data stored in the course of the contact will be deleted in this case.
When sending our electronic newsletter ("Newsflex"), to which you can subscribe, we process the following of your personal data:
The e-mail address is mandatory for sending the electronic newsletter ("Newsflex"). The processing of your other data serves to personalise this contact and to specialise the offers and information and is voluntary.
We process your e-mail address in order to contact you for the purpose of sending you our electronic newsletter ("Newsflex") and to inform you about current offers and promotions. In addition, we use this data for advertising messages by e-mail and, if we have received your e-mail address in connection with our products and services, for advertising measures about our own similar products and services.
We will always obtain your express consent to send you our newsletter ("Newsflex"). We use the so-called double opt-in procedure for this purpose.
After you have registered for the newsletter ("Newsflex"), we will send you an e-mail to the e-mail address you have provided in which we ask you to confirm that you wish to receive the newsletter ("Newsflex"). If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses you use and the times of registration and confirmation. The purpose of this procedure is to prove your registration and to be able to clarify any possible misuse of your personal data.
If we only process your data in exceptional cases and not already on the basis of your explicit consent, your personal data will only be processed to the extent that this is necessary to protect our legitimate interests or the legitimate interests of a third party and does not outweigh your interests or fundamental rights and freedoms that require the protection of personal data (Art. 6 para. 1 sentence 1 lit. f GDPR).
We delete your data as soon as we no longer need it to fulfil the purposes described. We are authorised to store the data required to prove your consent to receive the newsletter ("Newsflex") until the expiry of the statutory limitation periods. This serves to enable us, if necessary, to defend ourselves against the assertion of unauthorised claims.
You can revoke your consent at any time and thus unsubscribe from receiving information about current and future products, services or other information about us. You can declare your cancellation by clicking on the link provided in every newsletter ("Newsflex") e-mail, by sending an e-mail to datenschutz@bosig.de or by sending a message to our contact details. If you object to the use of your data, we will no longer send you any advertising communications.
We process your order data (such as name, address, e-mail address, delivery modalities and other order information) to process the order and to deliver the ordered goods. In addition, we process the payment information required according to the payment method; for example, we store IBAN and BIC ourselves.
The legitimate basis for processing is the conclusion and fulfilment of the purchase contract for the ordered goods, Art. 6 para. 1 sentence 1 lit. b GDPR.
These data are deleted when they are no longer required for the execution of the contract (including customer service and warranty), unless we are legally obliged to store them, e.g. due to commercial or tax law retention obligations.
If you apply for a job offer or send an unsolicited application, you agree that we may save the documents sent and use the information contained therein to process your application. As a rule, your documents contain special categories of personal data (e.g. information on marital status; information on health; a photograph allowing conclusions to be drawn about your ethnic origin and, where applicable, sight and/or religion; similarly sensitive data within the meaning of Art. 9 GDPR), which may only be processed in the present form with your consent. You agree that we may process the special categories of personal data contained in your letter of application and the attached documents for the purpose of carrying out the application procedure. This consent serves exclusively to enable us to consider the application in its present form. The information will not be considered in the application process, unless there is a legal obligation to do so. You can refuse your consent to the processing of the application in the application process without giving reasons and revoke any consent you have given at any time, for example by e-mail. In the event of revocation, your data covered by your consent will be deleted immediately. As a result, data processing based on this consent may no longer be continued in the future. In the event that consent is not granted or is revoked, an application already submitted cannot be considered in its present form.
If your application is unsuccessful, you can agree that your personal data, which have been communicated during the entire application procedure (e.g. in cover letters, CV, certificates, applicant questionnaires, applicant interviews), may be stored beyond the end of the specific application procedure. For this purpose, you can consent to us using this data to contact you later and to continue the application procedure if you should be considered for another position. If special categories of personal data in accordance with Art. 9 GDPR have been communicated via the application documents (e.g. a photo that shows the ethnic origin, information about being severely handicapped, etc.), the consent also refers to this data. This consent also applies to data on your qualifications and activities from generally accessible data sources (especially professional social networks), which we have permissibly collected during the application process. Your data will not be passed on to third parties. This consent is voluntary and has no effect on your chances in the current application procedure. You can also revoke your consent at any time. In this case, your data will be deleted immediately after completion of the application procedure. As a result, we are not allowed to continue the data processing that was based on this consent in the future.
The legitimate basis for data processing of applications is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
When you visit and use our website, a cookie is stored on your computer. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a character string that enables the browser to be uniquely identified when the website is called up again.
The temporary cookie set is essential, i.e. technically necessary for the operation of our website. Other cookies, such as for statistical purposes or to analyse access to our website or for marketing purposes or to be able to offer you the use of external media, are not set. Temporary cookies are deleted as soon as you close your browser.
The legal basis for data processing when using this essential cookie is Art. 6 para. 1 sentence 1 lit. f GDPR. We use the following essential cookies:
essential/technically necessary cookies (1)
Essential or technical cookies enable basic functions and are necessary for the proper functioning of the website.
For communication with our customers, we use, for example, the conference tool Microsoft Teams. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA, 98052-6399, USA ("Microsoft").
Microsoft collects all data that you provide/use for the usage of the tools (e-mail address and/or your telephone number). Furthermore, Microsoft processes the duration of the conference, start and end (time) of participation in the conference, number of participants and other "contextual information" related to the communication process (metadata). Furthermore, Microsoft processes all technical data that are necessary for the handling of the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection. If content is exchanged, uploaded or otherwise made available within Microsoft Teams, it will also be stored on Microsoft's servers. Such content includes, but is not limited to, cloud recordings, chat/instant messages, voicemail, uploaded photos and videos, files, whiteboards and other information shared while using Microsoft Teams. Please note that we do not have full control over the data processing operations of the tools used.
a) Legal basis for the use of Microsoft Teams
When using Microsoft Teams, we process your personal data on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR. We have a legitimate interest in communicating with you directly and effectively using an online conferencing tool. This also serves to optimise our business processes.
If we process your data using Microsoft Teams beyond the scope described in section 2.7.1., such as recording and storing conversations, this will only be done with prior, explicit notification and only if you explicitly consent to the storage in accordance with supplementary data protection information. By default, we do not record calls using Microsoft Teams.
b) Legal basis for the transfer of personal data to a third country
If personal data is transferred to the USA, it will be processed on the basis of the data protection law described at
Subject to legal or contractual authorisations, personal data may only be processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. In particular, data may be transferred if the European Commission has determined by means of a decision within the meaning of Art. 45 (1), (3) GDPR that the third country in question offers an adequate level of protection under data protection law. By means of such so-called adequacy decisions, the European Commission certifies that third countries provide a level of data protection comparable to the recognised standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
Insofar as a data transfer between the USA and the EU takes place in the present case, it should be noted that such an adequacy decision exists for the USA. The European Commission adopted its adequacy decision for the new EU-US data protection agreement on 10 July 2023. The data protection agreement and the adequacy decision can be viewed at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu). The decision stipulates that the USA guarantees an adequate level of protection - comparable to that of the European Union - for personal data that is transferred from the EU to US companies within the scope of the new data protection agreement.
US companies can be certified under the new data protection agreement by committing to comply with the specified data protection requirements, including, for example, the obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuation of protection when personal data is passed on to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.
Microsoft is certified under the new data protection agreement.
The agreement introduces binding guarantees. For example, it is envisaged that the access of US intelligence services to EU data will be limited to a necessary and proportionate level and that a Data Protection Review Court (DPRC) will be established to which data subjects in the EU will have access. If, for example, the Data Protection Review Court finds that the new guarantees have been violated during data collection, it can order the deletion of the data. The guarantees in the area of government access to data supplement the obligations that US companies importing data from the EU must fulfil.
Data subjects have several legal remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration centre.
In addition, the data protection agreement provides guarantees with regard to access by US authorities to data transferred within the data protection agreement, in particular for data access for the purposes of law enforcement and national security. Access to data is limited to what is necessary and proportionate to protect national security.
Data subjects in the EU have access to an independent and impartial redress mechanism in relation to the collection and use of their data by US intelligence agencies, including recourse to a data protection review tribunal. This tribunal independently investigates and resolves complaints, including by ordering binding remedies.
The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal retention periods remain unaffected. We have no influence on the storage period of your data stored by Microsoft for its own purposes.
Further information on the purpose and scope of the data collection and its processing as well as further information on your rights in this respect and setting options for protecting your privacy can be obtained from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA and at https://privacy.microsoft.com/en-us/privacystatement and https://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=18600.
This website uses so-called Web Fonts for the uniform display of fonts, which are provided by Google Ireland Limited, Gordon House, Barrow Street Dublin 4.
When you open a page, your browser will load the required web fonts into its browser cache in order to display texts and fonts correctly.
The necessary font files are integrated locally by us, meaning that they are stored exclusively on our own servers. A transfer of personal data to Google servers, in particular a data transfer to the USA, does not occur.
If your browser does not support web fonts, a standard font will be used by your computer.
The use of Google WebFonts is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the uniform presentation of the typeface on our website.
Further information on Google Web Fonts can be found at Google Ireland Limited Gordon House, Barrow Street Dublin 4 as well as at https://developers.google.com/fonts/faq and in Google's privacy policy: https://www.google.com/policies/privacy/.
We maintain publicly accessible profiles on the social networks Facebook, Instagram and LinkedIn. The provider of the social networks Facebook and Instagram is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter "Meta").
The provider of the social network LinkedIn is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn").
Social networks such as Facebook, LinkedIn and Instagram can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your end device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.
Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.
Meta and LinkedIn also regularly transmit data to affiliated companies in the USA (Meta Platforms Inc, 1 Meta Way Menlo Park California 94025 and LinkedIn Corporation, 1000 West Maude Avenue Sunnyvale, CA 94085 USA). It cannot be ruled out that the personal data processed when using the network will be transmitted to the aforementioned companies in the USA. You can find more details on this under section 2.9.3.
Our social media presence is intended to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).
If personal data is transferred to the USA to the extent specified above, it will be transferred on the basis of the legal basis specified at
Subject to legal or contractual authorisations, personal data may only be processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. In particular, data may be transferred if the European Commission has determined by means of a decision within the meaning of Art. 45 (1), (3) GDPR that the third country in question offers an adequate level of protection under data protection law. By means of such so-called adequacy decisions, the European Commission certifies that third countries provide a level of data protection comparable to the recognised standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).
Insofar as a data transfer between the USA and the EU takes place in the present case, it should be noted that such an adequacy decision exists for the USA. The European Commission adopted its adequacy decision for the new EU-US data protection agreement on 10 July 2023. The data protection agreement and the adequacy decision can be viewed at Adequacy decision EU-US Data Privacy Framework_en.pdf (europa.eu). The decision states that the US will ensure an adequate level of protection - comparable to that of the European Union - for personal data transferred from the EU to US companies within the scope of the new data protection agreement.
US companies can become certified under the new data protection agreement by committing to comply with the specified data protection requirements, including, for example, the obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuity of protection when personal data is transferred to third parties. A list of all certified US companies can be found at https://www.dataprivacyframework.gov/s/participant-search.
Meta and LinkedIn are certified under the new data protection agreement.
The agreement introduces binding guarantees. For example, it is envisaged that access by US intelligence services to EU data will be limited to what is necessary and proportionate and that a Data Protection Review Court (DPRC) will be established to which data subjects in the EU will have access. If, for example, the Data Protection Review Court finds that the new guarantees have been violated during data collection, it can order the deletion of the data. The guarantees in the area of government access to data supplement the obligations that US companies importing data from the EU must fulfil.
Data subjects have several legal remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration centre.
In addition, the data protection agreement provides guarantees with regard to access by US authorities to data transferred within the data protection agreement, in particular for data access for the purposes of law enforcement and national security. Access to data is limited to what is necessary and proportionate to protect national security.
Data subjects in the EU have access to an independent and impartial redress mechanism in relation to the collection and use of their data by US intelligence services, including recourse to a data protection review tribunal. This tribunal independently investigates and resolves complaints, including by ordering binding remedies.
If you visit one of our social media sites (Facebook, Instagram, LinkedIn), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (against Meta and LinkedIn).
Please note that despite our joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions - in particular retention periods - remain unaffected.
We have no influence on the storage period of your data that is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).
For details on how they handle your personal data, please refer to Meta's privacy policy:
https://help.instagram.com/519522125107875 and https://www.facebook.com/privacy/policy/ and from LinkedIn https://de.linkedin.com/legal/privacy-policy2
We use IT services of durarsys GmbH, Leonhard-Weiss-Str. 1, 73037 Göppingen (hosting) for the provision of our website. The services of durarsys GmbH are imperative for the provision of our website.
When you visit our website, personal data is collected in the course of hosting, such as your IP address, your e-mail address in the context of a newsletter subscription or, if you have given your consent, information on user behavior.
We have concluded a data processing agreement with durarsys GmbH in accordance with Art. 28 GDPR. Your data will of course be processed in accordance with the applicable data protection regulations.
We do not share personal information with companies, organizations or individuals outside of our company except in one of the following circumstances:
We pass on personal data to third companies, organizations or persons outside our company if you have given us your explicit consent to do so.
We may make your personal data available to our third party business partners, other trustworthy companies or persons who process it on our behalf. This will always be done based on our instructions and in accordance with our privacy policy and other appropriate confidentiality and security measures.
We will disclose your personal information to companies, organizations or individuals outside of our company if we have a good faith belief that access to or use, preservation or disclosure of such information is reasonably necessary, in particular to comply with any applicable law, regulation or legal process or to comply with an enforceable governmental request.
You have the right:
The competent supervisory authority in Baden-Württemberg is:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Telephone: 0711/ 61 55 41 - 0
Fax: 0711/61 55 41 – 15
E-mail: poststelle@lfdi.bwl.de
If you have given your consent to the processing of your data, you can revoke this consent at any time in accordance with Art. 7 Para. 3 GDPR. Such revocation will affect the permissibility of processing your personal data after you have given it to us.
Insofar as we base the processing of your personal data on the balancing of interests in accordance with Art. 6 para. 1 sentence 1 letter f GDPR, you have the right to object to the processing in accordance with Art. 21 GDPR. This is the case if the processing is not necessary, in particular, for the fulfilment of a contract with you, which is described by us in each case in the description of the functions. If you exercise such an objection, we request that you explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the facts of the case and will either stop or adapt the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue the processing.
Of course, you can object to the processing of your personal data for the purposes of advertising and data analysis at any time. You can inform us about your objection to advertising by using the contact details given above.