
Data protection

Privacy Policy

 

I. Name and address of the controller

The controller as defined by the General Data Protection Regulation as well as additional national laws on data protection in EU member states and other data protection regulations is:

Kirchhoff Consult GmbH
Borselstraße 20
22765 Hamburg
Germany
Phone: +49 - 40 - 60 91 86 0
www.kirchhoff.de
E-Mail: info@kirchhoff.de

 

II. Contact details of the data protection officer

The company’s data protection officer is Mr Frank Thomsen. He can be contacted using the address given above or the following details:

Phone: +49 - 40 - 60 91 86 0
Email: datenschutz@kirchhoff.de 


III. General information about data processing

1. Scope of personal data processing
In principle, we collect and use personal data of our users only to the extent necessary in order to provide a functional website and to communicate our content and services. The collection and use of personal data about our users takes place on a routine basis only with the consent of the user. An exception applies to cases in which it is not possible to obtain prior consent for reasons of fact and data processing is permitted by law. 
 

2. Legal basis for processing personal data
Insofar as we obtain the data subject’s consent for personal data to be processed, the legal basis for the processing of personal data is article 6(1)(a) of the EU General Data Protection Regulation (GDPR).

When the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is article 6(1)(b) of the GDPR. This also applies to processing operations that are necessary for carrying out tasks before a contract is entered into.

Insofar as personal data processing is necessary for compliance with a legal obligation of our company, the legal basis is article 6(1)(c) of the GDPR.

In the event that vital interests of the data subject or of another natural person require the processing of personal data, the legal basis is article 6(1)(d) of the GDPR.

If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis for processing is article 6(1)(f) of the GDPR.

 

3. Deletion of data and duration of storage
The data subject’s personal data will be blocked or deleted as soon as the purpose of data storage ceases to apply. Furthermore, data may be stored if this is required by European or national legislative bodies based on EU regulations, laws and other directives to which the controller is subject. Data is also blocked and deleted when the retention period specified by the above standards lapses, unless it is necessary to continue storing data in order to conclude or fulfil a contract.

 

IV. Provision of the website and creation of log files

1. Description and scope of data processing
Whenever our website is accessed, our system automatically collects data and information about the computer system being used for access. 

The following data is collected:

(1) Information about the type and version of browser used

(2) The user’s operating system

(3) The user’s internet service provider

(4) The user’s IP address

(5) The date and time of access

(6) Websites from which the user’s system accesses our website 

(7) Websites that are accessed by the user’s system from our website

This data is also saved in our system’s log files. This data is not stored together with any other personal data about the user.

 

2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is article 6(1)(f) of the GDPR.
 

3. Purpose of data processing
The temporary storage of the IP address by the system is necessary in order to allow the user to access the website from a computer. For this to happen, the user’s IP address must be stored for the duration of the session. 

This information is stored in log files to guarantee the website’s functionality. In addition, we use the data to optimise our website and to ensure the security of our information technology systems. We do not process the data collected in this context for marketing purposes. 

These purposes are also based on our legitimate interest in the processing of data according to article 6(1)(f) of the GDPR.

 

4. Duration of storage

Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data that is collected in order to provide the website, this is the case when the respective session ends. 

In the case of storing data in log files, this is the case after no more than seven days. Extended storage is possible. In this case, users’ IP addresses are deleted or made anonymous so that it is no longer possible to associate them with the accessing client.

 

5. Possibility of objection and removal
The collection of data in order to provide the website and the storage of the data in log files is essential for website operation. As a result, the user does not have the option of objecting. 

 

V. Use of cookies

a) Description and scope of data processing

This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.

If IP anonymization is activated, Google will truncate/anonymize the last octet of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address sent to and shortened by Google servers in the USA.

On behalf of the website provider Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage to the website provider. Google will not associate your IP address with any other data held by Google.


b) Legal basis for data processing 

The legal basis for processing personal data using cookies is article 6(1)(f) of the GDPR.
The legal basis for processing personal data using cookies that are necessary for technical reasons is article 6(1)(f) of the GDPR.

The legal basis for processing personal data using cookies for the purpose of analysis when the user’s consent has been obtained for this purpose is article 6(1)(a) of the GDPR.

c) Purpose of data processing

The purpose of using cookies that are necessary for technical reasons is to simplify website use. Some features of our website cannot be offered without the use of cookies. In such cases, it is necessary for the browser to be recognised even after the user has changed to a different website.

We require cookies for the following applications:

(1) Matomo (formerly PIWIK) Tracking 

The user data collected through technically necessary cookies is not used to create user profiles.

The use of analysis cookies is for the purpose of improving the quality of our website and its contents. Analysis cookies enable us to learn how the website is used, which means we can constantly optimise our offer.

These purposes are also based on our legitimate interest in the processing of personal data according to article 6(1)(f) of the GDPR. 

d) Duration of storage, possibility of objection and removal

Cookies are stored on the user’s computer and transmitted to our site. As a result, you as the user also have full control over the use of cookies. You can deactivate or restrict the use of cookies by changing the settings in your web browser. Any cookies that have already been saved can be deleted at any time. This can also be carried out automatically. If cookies are deactivated for our website, it is possible that some of our website’s features may no longer be fully functional.

The transmission of Flash cookies cannot be prevented through the browser settings, but by modifying the Flash Player settings. 

 

VI. Advertising analysis by Matomo (formerly Piwik)
 

 1. Scope of personal data processing
We use the open-source software tool Matomo (formerly Piwik) on our website to analyse the online behaviour of our users. The software places a cookie on the user’s computer (for cookies see above). When individual pages of our website are accessed, the following data is stored:

(1) Two bytes of the IP address of the system used for access

(2) The website accessed

(3) The website from which the user came to the accessed website (referrer)

(4) The sub-pages visited from the accessed website

(5) The length of stay on the website

(6) The frequency of website visits

This software runs exclusively on website servers. Storage of users’ personal data takes place there only. Data is not shared with third parties. 

The settings of this software mean that IP addresses are not stored in full. Instead, only two bytes of an IP address are masked (e.g. 192.168.xxx.xxx). As a result, it is no longer possible to associate a truncated IP address with the accessing computer.

2. Legal basis for processing personal data

The legal basis for processing the personal data of users is article 6(1)(f) of the GDPR.

3. Purpose of data processing
The processing of users’ personal data enables us to analyse the online behaviour of our users. By analysing the data obtained, we are able to compile information about how individual components of our website are used. This helps us to constantly improve our website and to make it more user-friendly. These purposes are also based on our legitimate interest in the processing of data according to article 6(1)(f) of the GDPR. The anonymisation of IP addresses sufficiently takes into account the interests of users in protecting their personal data.

4. Duration of storage
Data is deleted as soon as it is no longer needed for documentation purposes. 

In our case, this happens after 90 days.

5. Possibility of objection and removal
You may refuse the use of cookies by selecting the appropriate settings on your browser. However, if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under http://tools.google.com/dlpage/gaoptout?hl=de. Please note that on this website, Google Analytics code is supplemented by “gat._anonymizeIp();” to ensure an anonymized collection of IP addresses (so-called IP masking). Especially for browsers on mobile devices, please click this link on Google Analytics on this website for your browser.

 

VII. Applications 

We collect and process the personal data of applicants for the purpose of processing applications. Such processing may also take place electronically. This is especially the case if an applicant sends the relevant application documents to the controller using electronic means, such as email. If the controller concludes an employment contract with a candidate, the transmitted data will be stored for the purposes of managing the employment relationship in accordance with the law. If the controller does not conclude an employment contract with a candidate, the application documents will be automatically deleted six months after communication of the decision to turn down the candidate on the condition that deletion does not conflict with any other legitimate interests of the controller. Other legitimate interests in this sense include the burden of proof in a lawsuit under the German General Act on Equal Treatment (AGG).

 

VIII. Contact form and email contact  

 

1. Description and scope of data processing
There is a contact form on our website that can be used to communicate electronically. If a user takes advantage of this option, the data entered in the form is sent to us and saved. This data includes the following:

Name, Company name, Phone, E-mail, Subject, Message.

Your consent is obtained for the processing of data in the context of sending this message, and reference is made to this privacy policy.

Alternatively, contact is possible using the email address provided. In this case, the user’s personal data that is sent with the email will be stored. 

No data is shared with third parties as part of this process. Data is used solely for the purpose of processing correspondence.

2. Legal basis for data processing  
The legal basis for processing data when the user’s consent has been obtained is article 6(1)(a) of the GDPR.

The legal basis for processing data transmitted in the course of sending an email is article 6(1)(f) of the GDPR. If the aim of email contact is to conclude a contract, an additional legal basis for data processing is article 6(1)(b) of the GDPR.
 

3. Purpose of data processing
We only process personal data from the entry form for the purpose of processing correspondence. Also relevant in the case of contact by email is the necessary legitimate interest in processing data.

Any other personal data that is processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
 

 4. Duration of storage
Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. For personal data that is collected from the contact form or sent by email, this is the case when the relevant conversation with the user comes to an end. The conversation ends when circumstances indicate that the matter in hand has been clarified in full. 

Additional personal data that is collected during the sending process is deleted no later than after a period of seven days.
 

 5. Possibility of objection and removal
The user has the option of revoking consent to the processing of personal data at any time. If the user contacts us by email, it is possible to object to the storage of personal data at any time. In such cases, the conversation cannot be continued.

All personal data that has been stored throughout the correspondence will be deleted in this case. 

  

IX.  Data security

During your visit to our website, we use the common SSL (Secure Sockets Layer) protocol in combination with the highest level of encryption supported by your browser. In general, this is a 256-bit encryption method. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by looking for the symbol of a closed lock or key in the bottom status bar of your browser. 

We also take appropriate technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or total loss, destruction and unauthorised access by third parties. Our security measures are continuously improved in line with developments in technology. 

 

X. Rights of the data subject

If your personal data is processed, you are the data subject as defined by the GDPR and you have the following rights vis-à-vis the controller:

 

1. Right of access
You may request confirmation from the controller as to whether personal data about you is processed by us. 

If such processing takes place, you may ask the controller to provide access to the following information:

(1) the purposes for which the personal data is processed;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom your personal data has been disclosed or is still being disclosed;

(4) the planned duration of storage for your personal data or, if no specific details are available, the criteria for determining the duration of storage;

(5) the existence of the right to rectify or erase your personal data, the right to restrict processing by the controller or the right to object to such processing; 

(6) the right to lodge a complaint with a supervisory authority;

(7) all available information about the source of any personal data that is not collected from the data subject;

(8) the existence of an automated decision-making process, including profiling as per articles 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information about whether your personal data is sent to a third country or an international organisation. In this context, you can ask to be informed about the appropriate guarantees as per article 46 of the GDPR in connection with data transfers.

 

2. Right to rectification
You have the right to rectify and/or complete data held by the controller if the personal data about you being processed is incorrect or incomplete. The controller must make any corrections without delay.

3. Right to restriction of processing
You may request that the processing of your personal data be restricted under the following conditions:

(1) if you contest the accuracy of your personal data over a period of time that allows the controller to verify the accuracy of your personal data;

(2) the processing is unlawful and you oppose the erasure of your personal data, requesting instead that use of this data be restricted;

(3) the controller no longer needs the personal data for the purposes of processing, but it is required by you in order to establish, exercise or defend legal claims;

(4) if you have objected to processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate interests of the controller override your interests.

Where processing of your personal data has been restricted, such data may, with the exception of storage, only be processed with your consent or in order to establish, exercise or defend legal claims. Alternatively, it may be processed in order to protect the rights of another natural or legal person or for reasons of important public interest in the EU or a member state.

Where data processing has been restricted in accordance with the above conditions, you will be informed by the controller before this restriction is lifted.

4. Right to erasure
a) Obligation to delete data

You may ask the controller to have your personal data erased without delay, and the controller is required to erase this data without delay where one of the following reasons applies:

(1) Your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

(2) You withdraw the consent underlying data processing in accordance with article 6(1)(a) or article 9(2)(a) of the GDPR, and there is no other legal basis for processing. 

(3) You object to data processing pursuant to article 21(1) of the GDPR and there are no overriding legitimate interests in favour of processing, or you object to data processing pursuant to article 21(2) of the GDPR. 

(4) Your personal data has been unlawfully processed. 

(5) Your personal data has to be erased in order to ensure compliance with a legal obligation under EU or member state law to which the controller is subject. 

(6) Your personal data has been collected in relation to the offer of information society services in accordance with article 8(1) of the GDPR.

b) Information to third parties

Where the controller has made your personal data public and is required to erase this data under article 17(1) of the GDPR, the controller – taking into consideration the available technology and cost of implementation – shall take reasonable action, including technical measures, to inform other controllers processing such personal data that you as the data subject have requested all parties concerned to erase any links to this personal data as well as any copies or replications thereof. 

c) Exceptions

The right to erasure does not apply if data processing is necessary for any of the following reasons:

(1) to exercise the right of freedom of expression and information;

(2) to comply with a legal obligation that requires processing under EU or member state law to which the controller is subject, to perform a task carried out in the public interest or to exercise official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with article 9(2)(h) and (i) as well as article 9(3) of the GDPR;

(4) for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with article 89(1) of the GDPR insofar as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of these processing objectives; or

(5) to establish, exercise or defend legal claims.

5. Right to be informed
If you have exercised your right to the rectification, erasure or restriction of data processing vis-à-vis the controller, the latter is required to notify all recipients to whom your personal data has been disclosed of the need to correct or erase data or to restrict processing unless doing so proves to be impossible or would involve a disproportionate effort.

You have the right to request information about these recipients from the controller.

6. Right to data portability
You have the right to receive any personal data you have provided to the controller in a common, structured and machine-readable format. Furthermore, you have the right to share this data with another controller without hindrance by the controller who first received your personal data, provided that:

(1) processing takes place with consent in accordance with article 6(1)(a) or article 9(2)(a) of the GDPR, or based on a contract in accordance with article 6(1)(b) of the GDPR, and

(2) processing is carried out using automated means.

In exercising this right, you also have the right to make sure that your personal data is transmitted directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other individuals may not be compromised as a result.

The right to data portability does not apply to any processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object
You have the right to object, at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on point (e) or (f) of article 6(1) of the GDPR, including profiling based on those provisions. 

If you make such an objection, the controller will no longer process your personal data unless the controller can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have the right to object, at any time, to the processing of your personal data for the purpose of such marketing; this also applies to profiling insofar as it is conducted in conjunction with such direct marketing.

If you object to the processing of your personal data for direct marketing purposes, we will cease to process your personal data for this purpose.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to revoke the data protection consent declaration
You have the right to revoke your data protection consent declaration at any time. Revoking consent does not affect the legality of any data processing carried out with your consent before the time of revocation.

9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which has a similarly significant impact on you. This shall not apply if the decision:

(1) is necessary for entering into, or fulfilling, a contract between you and the controller;

(2) is permissible under EU or member state law to which the controller is subject, where this legislation also contains suitable measures to safeguard your rights, freedoms and legitimate interests; or

(3) is made with your explicit consent.

However, such decisions may not be based on certain categories of personal data referred to in article 9(1) of the GDPR unless article 9(2)(a) or (g) applies and suitable measures are in place to safeguard your rights, freedoms and legitimate interests.

With respect to the cases referred to in items (1) and (3) above, the controller must implement suitable measures to safeguard your rights, freedoms and legitimate interests, which include at the very least the right to obtain human intervention from the controller, to express a personal point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state where you reside, work, or where you suspect that your rights have been infringed if you believe that the processing of your personal data violates the GDPR. 

The supervisory authority with which a complaint has been lodged shall inform the complainant with respect to the status of the complaint and any outcome, including the possibility of a judicial remedy pursuant to article 78 of the GDPR.