1. Data Privacy
We would like to point out that the transmission of data over the Internet may be subject to security gaps. Complete protection of data from access by third parties is not possible.
2. Controller and Data Privacy Officer
The Controller is the natural or legal person, public authority, institution or other entity that takes a decision, either alone or together with others, on the purposes and means of the processing of personal data.
The party responsible for the data processing, in regard to the provision of the Website, is:
The Phoenix Lighthouse GmbH
External DPO contact:
Prof. Dr. Christian Rauda
Board-certified specialist for information technology law
GRAEF Rechtsanwälte Digital Part GmbB
Phone +49.40.80 6000 9-0
Fax +49.40.80 6000 9-10
3. General details concerning data processing
a. Scope of the processing of personal data
We essentially only gather and use personal data of our users in so far as is necessary to provide our website, complete with its content and services. Our users’ personal data is usually only gathered and used after we have obtained the user’s consent. An exception applies in cases where the processing of the data is permitted, based on statutory provisions, but, for practical reasons, it is not possible to obtain consent in advance.
b. Legal basis for the processing of personal data
In so far as we obtain the data subject’s consent to personal data processing procedures, Art. 6(1)(a) EU General Data Protection Regulation (GDPR) serves as a legal basis for the processing of personal data.
In regard to the processing of personal data that is required to fulfill a contract, of which the data subject is a contracting party, Art. 6(1)(b) GDPR serves as a legal basis. This also applies to data processing procedures that are required in order to implement precontractual measures.
In so far as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as a legal basis.
In the event of vital interests of the data subject or another natural person making the processing of personal data necessary, Art. 6(1)(d) GDPR serves as a legal basis.
Should the processing be required in order to protect a legitimate interest of our company or a third party, and should the interests, basic rights and basic freedoms of the data subject not outweigh the interest first mentioned, Art. 6(1)(f) GDPR shall serve as a legal basis for the processing.
c. Erasure of data and duration of storage
The personal data of the data subject will be erased or blocked once the purpose of storage ceases to apply. Said data may be stored beyond that point in time if it has been stipulated by the European or national legislative authority in any EU regulations, laws or other provisions to which the Controller is subject. The data may also be blocked or erased if a storage period stipulated by the standards mentioned expires, unless it is necessary to continue to store the data for the purpose of concluding a contract or in relation to the fulfillment of a contract.
4. Provision of the Website and creation of log files
Whenever our website (including the web application) is accessed, our system records automated data and information from the computer system of the accessing computer. In this respect, the following data is temporarily gathered:
- The IP address
- The date and time of accessing the page concerned
- The name of the file that was accessed, and its URL
- The status of the transmission (successful or aborted)
- The respective volume of data transmitted
- The website/URL from which the request comes
- The browser type, operating system and its interface
- The language and version of the browser software
The data is stored in the log files of our system. This data is only needed in order to analyze any faults, and is erased, at the latest, within 14 days. The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) GDPR. It is necessary for the IP address to be temporarily stored by the system in order to make the Website available to the user’s computer. The user’s IP address needs to continue to be stored for the duration of the session, for this purpose. The data is stored in log files to ensure the functionality of the Website. In addition, the data serves to help us optimize the Website and ensure the security of our information technology systems. The data is not, in this context, evaluated for marketing purposes, and your identity cannot be discovered through this. The gathering of the data to make the Website available, and the storage of the data in log files, is absolutely necessary in order to operate the Website. Consequently, there is no option for the user to raise objections.
You can contact us using the contact form or by email, telephone or letter. In this respect, your details resulting from the inquiry, including the contact details given by you there, are exclusively used for the purpose of handling the inquiry and for the eventuality of any follow-up questions that you may have. No data is passed on to third parties in this context.
The legal basis for the processing of the data is Art. 6(1)(f) GDPR. Our interest in answering your inquiry outweighs your interest, as you have written to us. It is, moreover, also in your own interest that we answer you, and you are aware that we need to process your data in order to answer your inquiry.
Should the contact be aimed at concluding a contract, the legal basis for the processing is Art. 6(1)(b) GDPR.
The data will be erased once it is no longer needed in order to achieve the purpose for which it was gathered. This is the case once the respective conversation with the user has been terminated. The conversation has been terminated once it can be inferred from the circumstances that the issue concerned has conclusively been clarified.
5. Job applications
We gather and process personal data of applicants for the purpose of handling the job application procedure. The processing may also be carried out electronically. This is in particular the case if you transmit corresponding application documents electronically, for example using our application interface or by email. If we conclude an employment contract with you, the data transmitted will be stored for the purpose of handling the employment relationship, paying attention to the statutory regulations. Should no employment contract be concluded with you, the application documents will automatically be deleted once the decision to decline your application has been announced, unless such a deletion is in conflict with any other legitimate interests of the Controller responsible for the processing. Another legitimate interest, in this sense, may, for example, be an obligation to provide evidence in any proceedings under the German General Equal Treatment Act (AGG).
Should personal data of yours be processed, you are, within the meaning of the GDPR, a data subject, and you have the following rights vis-à-vis the Controller:
a. The right to be provided with information
You may request from the Controller a confirmation about whether any personal data concerning you is being processed by us.
Should such processing be done by us, you may request the following information from the Controller:
(1) The purposes for which the personal data is being processed;
(2) the categories of personal data that are being processed;
(3) the recipients or categories of recipients to whom the personal data about you has been disclosed or is yet to be disclosed;
(4) the period of time for which it is expected to store the personal data, or, if it is not possible to give specific details in this respect, criteria for establishing the period of storage;
(5) the existence of a right to rectify or erase the personal data concerning you, a right to restrict the processing by the Controller or a right to object to such processing;
(6) the existence of a right to appeal to a supervisory authority;
(7) any information available on the origin of the data if the personal data is not gathered personally from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR, and – at least in such cases – meaningful information about the logic involved, as well as the reach and the intended effects of such processing on behalf of the data subject.
You are entitled to request information on whether the personal data concerning you has been transmitted to a non-EU country or an international organization. In this context, you may request to be informed about the appropriate guarantees under Art. 46 GDPR in connection with the transmission.
b. The right to rectification
You are entitled to have your data rectified or completed vis-à-vis the Controller if the personal data processed relating to you is incorrect or incomplete. The Controller will be required to rectify it without delay.
c. The right to restriction of the processing
You may, on the following prerequisites, request the restriction of the processing of personal data concerning you:
(1) If you dispute the accuracy of the personal data concerning you for a period of time which enables the Controller to check the accuracy of the personal data;
(2) if the processing is unlawful and you reject the erasure of the personal data and instead request the restriction of use of the personal data;
(3) if the Controller no longer needs the personal data for the purposes of the processing, however you need it in order to assert, exercise or defend any legal claims; or
(4) if you have filed an objection to the processing pursuant to Art. 21(1) GDPR, and it has not yet been established whether the legitimate grounds of the Controller outweigh your grounds.
Should the processing of the personal data concerning you have been restricted, this data may – except for being stored – only be processed with your consent or in order to assert, exercise or defend any legal claims or to protect the rights of another natural or legal person, or for reasons relating to a significant public interest of the EU or a Member State.
Should the restriction of the processing have been carried out in line with the above prerequisites, you will be notified by the Controller before the restriction is lifted.
d. The right to erasure
Obligation to erase personal data
You may also require of the Controller that personal data concerning you is erased without delay, and the Controller will be obliged to erase said data without delay, as long as one of the following reasons applies:
(a) the personal data concerning you is no longer needed for the purposes for which it was gathered or processed in any other way;
(b) you revoke your consent, on which the processing pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR was based, and there is no other legal basis for the processing;
(c) pursuant to Art. 21(1) GDPR, you are filing an objection to the processing, and there are no overriding legitimate grounds for the processing, or you are filing an objection to the processing pursuant to Art. 21(2) GDPR;
(d) the personal data concerning you has been processed unlawfully;
(e) the erasure of the personal data concerning you is necessary in order to fulfill a legal obligation in accordance with EU law or the law of the Member States to which the Controller is subject;
(f) the personal data concerning you has been gathered in regard to information society services offered pursuant to Art. 8(1) GDPR.
e. Information passed on to third parties
Should the Controller have published the personal data concerning you, and should it, pursuant to Art. 17(1) GDPR, be obliged to erase it, it shall, taking into account the available technology and the costs of implementation, take appropriate steps, also of a technical nature, to inform any controllers responsible for processing the data, about the fact that you, as a data subject, have requested them to erase any links to said personal data or copies or replications of said personal data.
The right of erasure does not exist if the processing is necessary
(a) to exercise the right to freely express an opinion and provide information;
(b) to fulfill a legal obligation which requires the processing under the law of the European Union or the Member States to which the Controller is subject, or to take on a task which is in the public interest or in exercise of public authority that has been conferred upon the Controller;
(c) for reasons of the public interest in the field of public health pursuant to Art. 9(2)(h) and (i), as well as Art. 9(3) GDPR;
(d) for archival purposes or scientific or historic research purposes that are in the public interest, or for statistical purposes pursuant to Art. 89(1) GDPR, in so far as the right mentioned in Section a) will probably make the implementation of the objectives of said processing impossible or seriously impede them; or
(e) in order to assert, exercise or defend any legal claims.
g. The right to notification
Should you have asserted the right to rectification, erasure or restriction vis-à-vis the Controller, the latter shall be obliged to inform all recipients to whom the personal data concerning you has been disclosed about said rectification or erasure of the data or restriction of the processing, unless this proves impossible or involves disproportionate effort.
You are entitled to assert against the Controller the right to be notified about said recipients.
h. The right to data portability
You are entitled to be given the personal data concerning you, with which you have provided the Controller, in a structured, well-established and machine-readable format. In addition, you have the right to transmit said data to another controller, without any impediment by the Controller to whom the personal data was provided, as long as
(1) the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or a contract pursuant to Art. 6(1)(b) GDPR; and
(2) the processing is carried out using automated procedures.
When exercising this right, you are, moreover, entitled to arrange for the personal data concerning you to be transmitted directly from one controller to another controller, in so far as this is technically feasible. No freedoms or rights of other persons may be compromised by this.
The right to data portability shall not apply to any processing of personal data which is necessary in order to take on a task that is in the public interest or in exercise of public authority that has been conferred upon the Controller.
i. The right to object
You are entitled, for reasons arising from your particular situation, to raise an objection at any time to the processing of the personal data concerning you based on Art. 6(1)(e) or (f) GDPR. This also applies to any profiling activities conducted based on these provisions.
The Controller will then no longer process the personal data concerning you unless it can provide evidence of compelling reasons for the processing, worthy of protection, which outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending any legal claims.
Should the personal data concerning you be processed in order to engage in direct marketing, you are entitled to raise an objection to the processing of personal data concerning you for the purpose of such advertising at any time. This also applies to profiling, in so far as it is connected with such direct marketing.
Should you raise an objection to the processing for direct marketing purposes, the personal data concerning you will no longer be used for said purposes.
In connection with the use of services of the information society, you may, notwithstanding Directive 2002/58/EC, exercise your right of objection using automated procedures that make use of technical specifications.
j. The right to revoke the declaration of consent granted under data privacy law
You are entitled to revoke your declaration of consent under data privacy law at any time. The legitimacy of the processing that has been carried out based on the consent prior to revocation is not affected by the consent being revoked.
k. Automated decisions in the individual case, including profiling
You have the right not to be made the subject of any decision based exclusively on automated processing – including profiling – insofar as this decision has legally valid consequences for you or significantly adversely affects you in a similar manner.
This does not apply if the decision:
(1) is necessary for the conclusion or fulfillment of an agreement between you and the Controller;
(2) is legitimate based on legislation of the European Union or the Member States to which the Controller is subject and said legislation includes appropriate measures to preserve your rights and freedoms, as well as your legitimate interests; or
(3) is taken with your express consent.
Such decisions may not, however, be based on particular categories of personal data pursuant to Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) applies and appropriate measures have been taken in regard to the protection of the rights and freedoms, as well as your legitimate interests.
In regard to the cases mentioned in (1) and (3), the Controller will take appropriate steps to preserve the rights and freedoms, as well as your legitimate interests, which at least includes the right to arrange for the intervention of a person on the part of the Controller, the right to explain one’s own position and the right to contest the decision.
l. The right to appeal to a supervisory authority
Irrespective of any other legal remedy under administrative law or any judicial remedy, you are entitled to lodge a complaint with a supervisory authority, especially in the Member State of your place of residence, place of work or the place of the presumed infringement, if you are of the opinion that the processing of the personal data concerning you violates the GDPR.
The supervisory authority with which the complaint has been filed will inform the Appellant about the status and results of the complaint, including the option of a judicial remedy under Art. 78 GDPR.
Status: June 2022