Peppermint Holding GmbH, Neues Kranzler Eck, Kurfürstendamm 21, DE-10719 Berlin
Managing Directors: Ingeborg Neumann (General & Managing Partner), Marcus Baumbach
Headquarters: Berlin
District court: Amtsgericht Charlottenburg, HRB 63808
Tax Office for Corporations I
VAT ID No. DE 190888731
Types of data processed
- Basic data (e.g. personal details, names or addresses).
- Contact data (e.g. email addresses, telephone numbers).
- Content data (e.g. text entries, photos, videos).
- Usage data (e.g. websites visited, interest in content, access data).
- Meta/Communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online content (hereinafter also referred to as “users” in general).
- To provide the online content, its features and content.
- Answering contact requests and communication with users.
- Security measures.
- Reach measurement/Marketing
“Personal data” is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is far reaching and covers practically all types of data handling.
“Pseudonymisation” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal basis
In accordance with legal requirements, we carry out appropriate technical and organisational measures, taking into account the state of the art, the implementation costs and the type, extent, circumstances and purposes of the processing, as well as the different occurrence probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
In particular, these measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to, inputting, disclosure, securing and separation of the data. Furthermore, we have set up procedures that guarantee the exercise of data subjects' rights, the deletion of data and the reaction to data threats. We also consider the protection of personal data as early as the development stage and when it comes to selecting hardware and software, as well as processes in accordance with the principle of data protection through technology design and data protection-friendly default settings.
Working with processors, joint controllers and third parties
Should we disclose data to other persons and companies (processors, joint controllers or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this shall only take place on the basis of legal permission (e.g. if transferring the data to third parties, such as payment service providers, is necessary for the fulfilment of the contract), users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
Should we disclose, transmit or otherwise grant access to data to other companies within our group of companies, this is done particularly for administrative purposes, as a legitimate interest and, beyond that, based on corresponding legal requirements.
Transfers to third countries
Should we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or should this be done whilst utilising third party services or disclosing or transferring data to other persons or companies, this shall only be to fulfil our (pre)contractual obligations, based on your consent, a legal obligation or based on our legitimate interests. Subject to express consent or contractually required transfer, we only process or have the data processed in third countries with a recognised level of data protection, including US processors certified under the "Privacy Shield" or on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44–49 GDPR, EU Commission website).
Rights of the data subject
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and to obtain access to this data as well as additional information and copies of the data in accordance with the legal requirements.
In accordance with the legal requirements, you have the right to have relevant personal data completed or to have inaccurate personal data that concerns you rectified.
In accordance with the legal requirements, you have the right to demand the deletion of personal data concerning you without undue delay or, in accordance with the legal requirements, the right to demand that the processing of the data is restricted.
You have the right to request to obtain the personal data concerning you, which you provided to us in accordance with the legal regulations, and request that the data is transmitted to another controller.
In accordance with the legal requirements, you also have the right to lodge a complaint with the competent authorities.
Right of revocation
You have the right to revoke any consent you have given with effect for the future.
Right to object
In accordance with the legal requirements, you may object to the future processing of personal data concerning you at any time. This right may be used particularly to object to processing for the purposes of direct marketing.
Cookies and the right to object to direct marketing
“Cookies” are small files that are saved on a user’s computer. Various details can be saved in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is saved) during or after the user has visited online content. Temporary cookies – “session cookies” or “transient cookies” – are cookies that are deleted after a user leaves a website and closes their browser. Items added to a shopping basket in an online shop or a login status, for example, can be stored in such a cookie. “Permanent” or “persistent” cookies are those that remain saved even after the browser is closed. This means that a login status can be saved if a user wants to access it again after a few days. User interests can also be stored in these types of cookies, which are then used for reach measurement or marketing purposes. “Third-party cookies” are those offered by providers other than the person or company responsible for the online content (conversely, when they mean their own cookies they are termed “first-party cookies”).
If users do not wish cookies to be saved on their computers, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. Not accepting cookies may affect the way the online content works.
If the data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means the data will be locked and not processed for other purposes. For example, this applies to data that must be retained for commercial or tax reasons.
We process applicant data only for the purpose and within the framework of the application process in accordance with the legal requirements. The processing of applicant data is carried out to fulfil our (pre)contractual obligations within the scope of the application process as defined by Art. 6 Par. 1 Cl. b) GDPR, Art. 6 Par. 1 Cl. f) GDPR if data processing becomes necessary for us, e.g. within the framework of legal proceedings (in Germany, Art. 26 BDSG also applies).
The application process requires applicants to provide us with their personal data. If we offer an online form, the necessary applicant data are marked, otherwise they result from the job descriptions and generally include personal details, postal and contact addresses and documents belonging to the application, such as a cover letter, curriculum vitae and certificates. In addition to this, applicants can provide us with extra information.
If special categories of personal data within the meaning of Art. 9 Par. 1 GDPR are voluntarily disclosed in the application process, their processing is also carried out in accordance with Art. 9 Par. 2 Cl. b) GDPR (e.g. health data, such as severely disabled status or ethnic origin). If special categories of personal data within the meaning of Art. 9 Par. 1 GDPR are requested of the applicant in the application process, their processing is also carried out in accordance with Art. 9 Par. 2 Cl. a) GDPR (e.g. health data, if this is required to carry out the job).
Where available, applicants may submit their applications using an online form on our website. The data will be transmitted to us encrypted according to the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and the applicants themselves must ensure that they are encrypted. We therefore cannot assume any responsibility for the transmission path of the application between the sender and the recipient on our server and therefore recommend using an online form or sending the application by post.
In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application is not successful, the applicant's data will be deleted. Applicant data will also be deleted if an application is withdrawn. Applicants are entitled to do this at any time.
Subject to a justifiable revocation by the applicant, deletion will take place after a period of six months so that we can answer any follow-up questions regarding the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law provisions.
As part of the application process, we offer applicants the opportunity to be included in our "talent pool" for a period of two years based on consent as defined in Art. 6 Par. 1 Cl. a) and Art. 7 GDPR.
The application documents in the talent pool will be processed solely as part of future job advertisements and for the employee search and will be destroyed at the latest after expiry of the deadline. Applicants are informed that their consent to their inclusion in the talent pool is voluntary, has no influence on the current application procedure and that they can revoke this consent at any time for the future and make objections in accordance with Art. 21 GDPR.
When contacting us (e.g. via contact form, email, telephone or social media), the user's details are used to process the contact enquiry and to process it in accordance with Art. 6 Par. 1 Cl. b) (as part of contractual/pre-contractual relationships), Art. 6 Par. 1 Cl. f) (other enquiries) GDPR. The user data can be stored in a customer relationship management system ("CRM system") or comparable enquiry organization.
We will delete these enquiries once they are no longer required. We review the necessity to keep these enquiries every two years; furthermore, the statutory archiving obligations apply.
Hosting and sending email
The hosting services used by us serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services and technical maintenance services which we use for the purpose of operating this online content.
For this, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta data and communication data from clients, interested parties and visitors to this online content based on our legitimate interests in the efficient and secure provision of this online content in accordance with Art. 6 Par. 1 Cl. f) GDPR in conjunction with Art. 28 GDPR (conclusion of an order processing contract).
Collection of access data and log files
Based on our legitimate interests in accordance with Art. 6 Par. 1 Cl. f) GDPR, we, and/or our hosting provider, collect data every time the server on which this service is located is accessed (so-called server log files). This access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud actions) for a maximum of 7 days and is deleted afterwards. Data that need to be retained longer for evidence purposes are excluded from deletion until the respective incident has been finally clarified.
Google uses this information on our behalf to evaluate the user’s use of our online content, to compile reports on the activities within this online content and to provide us with other services associated with the use of this online content and the internet. Pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with IP anonymisation enabled. This means that the user’s IP address is shortened by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
If we ask the user for consent (e.g. via a cookie consent pop-up) the legal ground for this processing is Art. 6 Par. 1 Cl. a) GDPR. Otherwise, the user’s personal data will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content in accordance with Art. 6 Par. 1 Cl. f) GDPR).
The user’s personal data is either deleted or anonymised after 14 months.
Online presence on social media
We maintain online presences within social networks and platforms in order to be able to communicate with clients, interested parties and other active users, and to inform them about our services.
We would like to point out that user data may be processed outside the European Union. This could result in risks for users as it could make it more difficult to enforce users' rights. With respect to US providers certified under the Privacy Shield, we would like to point out that they are committed to complying with EU privacy standards.
Additionally, user data is usually processed for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the resulting interests of users. The user profiles can in turn be used to place advertisements inside and outside the platforms which are presumed to correspond to the interests of the users. For these purposes, cookies are usually saved on the user's computer, which contain information pertaining to the user's usage behaviour and interests. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
The processing of the user’s personal data is carried out on the basis of our legitimate interests in effective user information and communication with users in accordance with Art. 6 Par. 1 Cl. f) GDPR. If the users are requested by the respective providers of the platforms to give their consent to the aforementioned data processing, the legal basis for the processing is Art. 6 Par. 1 Cl. a) and Art. 7 GDPR.
For a detailed description of the respective processing and the opt-out options, please refer to the following linked information from the providers.
Also in the case of information requests and the assertion of user rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the user data and can take direct, appropriate measures and provide information. Should you still require help, please get in touch with us.
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content in accordance with Art. 6 Par. 1 Cl. f) GDPR), we include content or service offers from third parties in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”) within our online content.
This always assumes that the third-party providers of this content recognise the user’s IP address, as they would not be able to send the content to their browser without the IP address. The IP address is therefore crucial for depicting the content. We strive to use this content only when the provider uses the IP address solely for the distribution of the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be saved in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our website; it may also be linked to similar information from other sources.
The following information is intended to inform you about the content of our newsletter, as well as the registration, delivery and statistical analysis processes, as well as your rights to object. By subscribing to our newsletter, you give your consent to receiving it and the processes described.
Content of the newsletter
We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “Newsletter”) solely with the recipient’s consent or based on a legal authorisation. Provided that the content of the Newsletter is specifically described during the registration process, it constitutes consent by the user.
Double opt-in and logging
A double opt-in process is used when you register for our Newsletter. That means that you receive an e-mail after registration in which you are asked to confirm your registration. This confirmation is necessary so that no one can log on using someone else’s e-mail address.
Newsletter registrations are logged in order to be able to provide proof of the registration process in accordance with legal requirements. This includes logging and storing the time of registration and confirmation as well as the IP address. Changes made to your data which is stored at MailChimp are also logged.
Use of the “MailChimp” delivery service
The newsletter is sent using ‘MailChimp’, a newsletter delivery platform from the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The e-mail addresses of our newsletter recipients, as well as their other data described in this information, are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and analyse the newsletter on our behalf. Furthermore, according to its own information, MailChimp may use this data to optimize or improve its own services, e.g. to technically optimize the sending and presentation of newsletters or for economic purposes to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write to them itself or pass them on to third parties.
To register for our newsletter, you only need to provide your e-mail address.
You may optionally also provide your first name and surname. This information is only used to personalise the newsletter.
Statistical collection and analyses
The newsletters contain a “web beacon”, i.e. a pixel-sized file which is retrieved from the MailChimp server when the newsletter is opened. This file retrieval mainly serves to gather technical information, such as information on your browser, your system and your IP address at the time of retrieval. This information is used for technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their access locations (which can be determined by means of the IP address) or the access times.
The statistical analyses also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be associated with individual newsletter recipients. However, it is neither our aim nor that of MailChimp to monitor individual users. Instead, the analyses are used to identify the reading habits of our users and to adapt our content to them or to send different content according to our users’ interests.
Online access and data management
You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent. Your consent to its delivery via MailChimp and the statistical analyses expire at the same time. It is unfortunately not possible to separately withdraw delivery by MailChimp or the statistical analysis.
A link to cancel the newsletter can be found at the end of each newsletter.
Legal basis from the General Data Protection Regulation
In accordance with the provisions of the General Data Protection Regulation (GDPR) applicable from 25th May 2018, we hereby inform you that consent to the sending of e-mail addresses is granted on the basis of Art. 6 Para. 1 a), 7 GDPR as well as Section 7 Para. 2 No. 3 and Para. 3 Unfair Competition Act (UWG). The use of mailing service provider MailChimp, execution of statistical collection and analyses as well as logging of the registration process, are based on our legitimate interests according to Article 6 Para. 1 f) GDPR. Our interest extends to our use of a user-friendly and secure newsletter system, which serves not only our business interests but is also in line with users’ expectations.
We should furthermore like to point out that you can object to future processing of your personal data at any time in accordance with the statutory provisions as per Article 21 GDPR. In particular, you may object to processing for the purposes of direct marketing.