Privacy Policy
We at Kieback&Peter GmbH & Co KG (hereinafter referred to as Kieback&Peter) value your interest in our company. This data protection notice provides information on how we process personal data (hereinafter referred to as “data”) for visitors to our website, applicants, customers, potential clients, and external partners.
If you have any questions regarding our data protection practices, please feel free to contact us at privacy[at]kieback-peter.com.
General Information
The controller pursuant to Article 4(7) EU General Data Protection Regulation (GDPR) is:
Kieback&Peter GmbH & Co. KG
Tempelhofer Weg 50
12347 Berlin
E-mail: info[at]kieback-peter.de
(see our Legal Notice).
If you have any questions or concerns regarding data protection, please contact us at privacy[at]kieback-peter.com. For confidential inquiries, you may reach out to our Data Protection Officer directly at ds-kieback-peter[at]procado.de or by mail using the postal address provided above, with the addition “Data Protection Officer.”
You are entitled to exercise the following rights concerning your personal data:
Right of access to information: Article 15 GDPR
Right to rectification: Article 16 GDPR
Right to erasure: Article 17 GDPR
Right to restriction of processing: Article 18 GDPR
Right to data portability: Article 20 GDPR
If the processing of your personal data is based on Article 6(1)(e) or (f) GDPR, you have the right to object to the processing at any time on grounds relating to your particular situation. This also applies to any profiling based on these provisions. The specific legal basis for processing can be found in this privacy policy.
If you object, we will cease processing the personal data in question unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims (in accordance with Article 21(1) GDPR).
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing for such marketing, including any related profiling. Upon objection, your personal data will no longer be used for direct marketing purposes (Article 21(2) GDPR).
Submitting an objection is free of charge and can be done informally. Whenever possible, please send your objection to privacy[at]kieback-peter.com. Alternatively, you may mail your objection to our postal address, adding the reference “Data Protection.”
You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.
The Berlin Commissioner for Data Protection and Freedom of Information is responsible for our company. Contact details can be found at: https://www.datenschutz-berlin.de/.
We use carefully selected service providers to operate our websites. These service providers are engaged based on legitimate interest (Article 6(1)(f) GDPR), specifically for the secure, fast, and efficient provision of our website. Since these service providers may have access to personal data, we have established data protection agreements with them in accordance with Article 28 GDPR.
In cases where we transfer data for processing to a third country (i.e., outside the EU or EEA) or to an international organization, whether for the use of third-party services, or for disclosure or transfer of data to third parties, this is done under one of the following grounds: our legitimate interest, the necessity to fulfill our (pre-)contractual obligations, compliance with a legal obligation, or based on your consent.
If we transfer data to service providers in third countries or international organizations, it will only occur in strict compliance with the legal requirements of Chapter 5 GDPR. When data is transferred to third countries or international organizations, we will notify you accordingly during the processing.
Kieback&Peter does not engage in automated decision-making or profiling that could have legal consequences for you or otherwise significantly affect you in a similar manner.
Providing personal data is not mandatory and remains voluntary. However, we will be unable to process your request if you do not provide the necessary data.
When entering personal data into forms, we designate mandatory fields that are clearly marked. Data from these mandatory fields is essential for processing your request or granting you access to your account. The specific required data can be found in the respective input forms.
Processing of your data
Usage data and log files
1. Description of data processing
When you visit our website, your browser automatically transmits usage data to our server, where it is temporarily stored in the form of log files. This data includes:
IP address; date and time of the request; time zone difference to Greenwich Mean Time (GMT); content of the request (specific page); access status/HTTP status code; amount of data transferred; website from which the request originated; browser; operating system and its interface; language and version of the browser software.
2. Purpose and legal basis for data processing
The legal basis for processing such data is our legitimate interest (Article 6(1)(f) GDPR).
The temporary storage of data is essential to provide you with access to our website. In particular, the user's IP address must be stored for the duration of the session to maintain functionality.
Data is also stored in log files to ensure the functionality and security of our information technology systems. These objectives constitute our legitimate interest in processing the data, in accordance with Article 6(1)(f) GDPR.
3. Duration of storage
Data is deleted as soon as it is no longer necessary to fulfill the purpose for which it was collected. For data collected to provide access to the website, this typically occurs at the end of the respective session. Data stored in log files will be deleted after a maximum of 7 days.
4. Recipients of data
No data is transferred to third parties.
5. Possibility of objection
The collection of data for website provision and its storage in log files is essential for the website’s operation. As such, there is no option for website visitors to object.
Web analysis using Matomo
1. Description of data processing
We use the web analysis service Matomo on our website to statistically evaluate user behavior. Matomo operates without the use of cookies or similar tracking technologies.
The analysis of user behavior is conducted via a randomly assigned, time-limited hash value called the “config_id.” The config_id stores information such as your operating system, browser, browser plug-ins, browser language, and your anonymized IP address. This information is only related to your use of this specific website. The config_id is valid for 24 hours and is automatically anonymized afterward.
2. Purpose and legal basis for data processing
The legal basis for this data processing is our legitimate interest (Article 6(1)(f) GDPR).
We process the data to analyze user behavior on our website, helping us identify the most relevant content for visitors and improve the site continuously. These objectives reflect our legitimate interest in data processing, in accordance with Article 6(1)(f) GDPR.
3. Duration of storage
The information collected is automatically anonymized after 24 hours.
4. Recipients of data
The web analysis service operates exclusively on our servers, meaning no data is transferred to third parties.
Storage of data on your device
1. Description of data processing
Web storage (local storage, session storage)
We utilize web storage technology on this website, which is technically necessary to manage consents for the use of cookies that require user approval.
Data stored in Local Storage is persistent and remains even when the browser is closed. It can only be deleted by clearing the browser cache or using JavaScript. Data stored in Session Storage is automatically deleted when the browser is closed.
Cookies
Functional cookies are used to analyze website usage, such as determining the number of visitors. The data collected helps us optimize the website and tailor it to user needs.
Content cookies provide useful functions, such as displaying maps or videos on the website.
Marketing cookies are used to show you personalized advertising content relevant to your interests, not just on our website but also on third-party partner websites through retargeting. Marketing cookies help us display ads that are most relevant to you.
For more details on specific data processing, refer to our consent management system under “Privacy.”
Pixel technology
We also use pixels, often in conjunction with cookies, to identify users and track user behavior. Pixels help us measure interactions with certain content on the website, which allows us to enhance and improve our services.
Further information about data processing can be found in our consent management system under “Privacy.”
JavaScript
Some third-party services on our website utilize JavaScript commands to integrate external elements. This causes the user's browser to connect to the third-party provider's server, transmitting data such as the user's IP address and, in some cases, the referring website. The third-party provider may also store or read information from the user's device. If the user is logged into the third-party service, the transmitted information could be linked to any previously stored data about the user.
JavaScript commands are primarily used for services such as web analysis, embedding social media posts, or integrating links to social media platforms.
2. Purpose and legal basis for data processing
To access and store information on your device, we require your consent in accordance with Section 25(1) Telecommunications Digital Services Data Protection Act. The further processing of personal data is based on your consent in accordance with Article 6(1)(a) GDPR.
When you first visit our website, you can provide consent through our consent management system, where you can tailor your preferences. You may revoke or adjust your consent at any time under “Privacy.”
For expressly requested telemedia services, data processing is based on Section 25(2)(2) Telecommunications Digital Services Data Protection Act, and further personal data processing is based on Article 6(1)(f) GDPR, with our legitimate interest being the provision of services and the administration and documentation of user consent.
For data processing using web storage, we rely on Section 25(2) No. 2 Telecommunications Digital Services Data Protection Act, in conjunction with Article 6(1)(f) GDPR, as our legitimate interest lies in managing and documenting user consent.
For data processing involving cookies (functional, content, marketing), pixel technology, or JavaScript, we rely on your consent in accordance with Section 25(1) Telecommunications Digital Services Data Protection Act and Article 6(1)(a) GDPR.
We have integrated tools from various third-party providers on our website. When service providers outside the EU/EEA are used, this results in the transfer of data to third countries.
In compliance with legal or contractual permissions, we only process personal data using service providers in a third country if the specific requirements of Article 44 et seq. GDPR are met.
If the EU Commission has issued an adequacy decision for a third country in accordance with Article 45 GDPR, the data transfer is based on that decision.
In the absence of an adequacy decision, data transfers may take place based on appropriate safeguards under Article 46 GDPR (e.g., standard data protection clauses).
In certain cases, and in addition to Article 6(1)(a) GDPR, we may obtain your consent under Article 49(1)(a) GDPR. This consent is given voluntarily, with the understanding that data processing occurs in a country without adequate data protection standards. In such cases, personal data may be accessed by public authorities for law enforcement or national security purposes.
For U.S. service providers, the EU-US Data Privacy Framework (EU-US DPF) applies. This adequacy decision covers data transfers to U.S. companies that have self-certified under the EU-US DPF. The prerequisite is that U.S. data importers comply with the DPF through self-certification.
If the EU adequacy decision or the certification of a U.S. data importer with the U.S. Department of Commerce becomes invalid, further data processing will occur based on your consent under Article 6(1)(a) GDPR and Article 49(1)(a) GDPR.
3. Right of withdrawal
You may withdraw your consent at any time without giving any reason, and this will be effective for future data processing. To revoke your consent, simply adjust your settings in the Usercentrics Consent Management system.
More detailed information can be found in our Usercentrics consent management system.
Description of the services used
Below is an overview of the services we use on this website with the aforementioned technologies.
1. Usercentrics
We use the Usercentrics consent management system, provided by Usercentrics GmbH, to manage user consent for data processing activities that require it. This system automatically blocks all non-essential information (such as cookies, pixels, tags, and scripts) until the user provides consent. Upon visiting the website for the first time, and on each subsequent visit, users can configure cookies and similar technologies according to their preferences.
More detailed information can be found in our Usercentrics consent management system.
2. Google Analytics
We use Google Analytics to analyze and optimize our website.
This service is provided by Google Ireland Limited, located at Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited is a subsidiary of Google LLC, which is certified under the EU-US Data Privacy Framework (EU-US DPF). The data transfer is conducted on the basis of Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
3. Google Tag Manager
We use Google Tag Manager on this website to manage and control cookies, conversion pixels, and tracking codes from various programs. It helps us manage all the tools used on our website, including both technically necessary tools and those that require consent.
This service is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited is a subsidiary of Google LLC, which is certified under the EU-US Data Privacy Framework (EU-US DPF). Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
4. Google Ads
We use Google Ads on this website to display and manage advertising. As part of the service, we also utilize the remarketing function, which allows us to reach users who have previously interacted with our website on other websites. Our offers and recommendations are shown when users visit Google or other websites in the Google advertising network (such as Google Search, YouTube, or Google Display).
We also use conversion tracking to understand which advertisements led visitors to our website, which pages they visited, and whether a conversion (e.g., a purchase or signup) occurred.
The service is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, a subsidiary of Google LLC, which is certified under the EU-US Data Privacy Framework (EU-US DPF). Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
5. Hotjar
We use Hotjar on this website for the purpose of analysing and optimising our website.
With the help of Hotjar's analysis and feedback tools, we can analyse user behaviour. We use this information to improve the functionality of our website and to enhance the user experience.
The service is provided by Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta. We have concluded a data protection agreement with the service provider.
More detailed information can be found in our Usercentrics consent management system.
6. Google Maps
We use the Google Maps service on this website to display our locations. Google Maps allows us to show interactive maps and provide an easy-to-use mapping function. We have implemented a two-click solution for the map service, meaning that an initial preview window is shown, which must be actively unlocked. By clicking the “Accept” button, you consent to the transfer of data to Google.
The service is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited is a subsidiary of Google LLC, which is certified under the EU-US Data Privacy Framework (EU-US DPF). Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
7. YouTube videos
We have integrated the YouTube service on our website to publish videos. A two-click solution is in place for YouTube videos, meaning that initially only a preview window is displayed. The data transfer to Google LLC occurs only after you actively unlock the video by clicking the “Accept” button.
If you are logged into YouTube while viewing the video, YouTube may link this information to your existing profile, potentially creating extensive user profiles.
Google, as the operator of YouTube, is solely responsible for this data processing. For more information about how Google processes your data (e.g., storage duration), please visit: Google's Privacy Policy.
YouTube LLC, headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA, is a subsidiary of Google LLC. Google LLC is certified under the EU-US Data Privacy Framework (EU-US DPF). Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
8. Meta/Facebook
We use the Meta pixel on this website to measure the actions of visitors and track user behavior. This helps us evaluate the effectiveness of our Facebook ads and optimize our advertising campaigns.
The service is provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, a subsidiary of Meta Platforms, Inc., which is certified under the EU-US Data Privacy Framework (EU-US DPF). Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
9. TikTok
We use the TikTok pixel to assess the effectiveness of our TikTok advertising. Various user data is processed, including IP address, session length, page views, operating system, and referral source. Data is also collected about the ad you clicked on or other triggered events. This data may be linked to your profile, especially if you are logged into TikTok at the time.
The service is provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland, with joint processing by TikTok Information Technologies UK Limited. Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
10. LinkedIn
We utilize the LinkedIn Insight Tag on our website to analyze user behavior and deliver targeted advertisements, both on and off our website. According to LinkedIn, advertisements (including across multiple devices) are shown without identifying the recipients. However, if you are logged into LinkedIn while browsing, LinkedIn may associate this data with your existing profile information, potentially creating comprehensive user profiles.
The service is provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn Ireland Unlimited Company is a subsidiary of LinkedIn Corp. LinkedIn Corp. is EU-US-DPF certified. Data transfers are based on Article 45 GDPR.
More detailed information can be found in our Usercentrics consent management system.
Description of data processing
There are several ways to contact us via our website.
1. Via contact form
When you reach out to us using our contact form, we process the information you provide to handle your request. Fields marked as mandatory indicate the data required for processing. Additionally, the sender’s IP address, along with the date and time of contact, are automatically recorded by our technical systems. Data transfers are encrypted.
2. By e-mail
If you contact us via e-mail, we process the data you provide to respond to your inquiry. Our technical systems automatically record the sender’s IP address, the time the message was sent, and the size of any attached documents. Data transfers are encrypted.
3. By phone
When you contact us by phone, we process the data you provide to handle your request (e.g., by recording contact details or call notes in our systems). Additionally, traffic and communication data, such as the phone number used for the call, the date, time, and duration, are automatically recorded by our technical systems.
4. By postal mail
If you send us a letter, we process the data you provide to handle your request. Some documents may also be digitalized and stored in our IT systems for more efficient processing.
5. Through personal contact, e.g., at trade shows
You may also contact us in person at events, lectures, or trade fairs and share your information (e.g., via a business card). Data collected during these interactions, along with any notes from the conversation, are digitalized and stored in our IT systems for faster processing.
At trade fairs and similar events, we may use a lead app to collect your data. Information provided, such as your language preferences and additional details (e.g., product interests), is stored in our IT systems. Interested parties will receive a confirmation email.
The purpose of data processing using the Lead App is to facilitate effective inquiry management. It also allows for quantitative and qualitative evaluations of visits to our booth.
Purpose and legal basis of data processing
Data processing when you contact us is carried out to initiate, establish, and manage business relationships with our B2B partners. The processing is based on Article 6(1)(f) GDPR (legitimate interest) or Article 6(1)(b) GDPR (pre-contractual measures for sole traders or individuals).
Our legitimate interest lies in effectively handling inquiries to maintain and develop business relationships with our B2B partners.
Other traffic and communication data processed during communication (e.g., date and time of contact) are used to prevent misuse of the contact form and to ensure the security of our IT systems, also based on our legitimate interests.
In cases where personal data is transferred to a service provider, we have established a data protection agreement in accordance with Article 28 GDPR.
Verification and enrichment of the data
To respond to inquiries as accurately as possible and verify or update our database, we may supplement personal data by researching and enriching it when necessary (e.g., adding salutations or assigning a job title or department). We only use publicly accessible sources for this purpose.
Duration of storage
The data you provide will remain with us until you request its deletion or the purpose for which the data was stored no longer applies. Mandatory legal provisions – especially statutory retention obligations – remain unaffected.
Recipients of data
Personal data may be transmitted to the following recipients:
Service providers for mobile data collection.
Description of data processing
Customers, suppliers, interested parties, and other business partners may contact us as described under “Data processing when contacting us”.
The processing of personal data primarily occurs for the initiation, establishment, and execution of contractual, pre-contractual, and delivery relationships, including delivery, payment, and handling of warranty or product liability claims.
We process the personal data you provide for these purposes.
Purpose and legal basis of data processing
Personal data is processed for the following purposes:
Implementation of our contractual relationship
Correspondence and communication
Invoicing
Credit checks
Sending information by postal mail about upcoming events (e.g., in-house exhibitions) and our services and products (e.g., exchange campaigns)
Settlement of any existing claims and assertion of any claims against you, the customer or the supplier.
In addition, we process personal data obtained from publicly accessible sources (e.g., public registers, press, internet) or data legitimately provided by third parties (e.g., credit agencies), when necessary for the contractual relationship and/or other business cooperation.
The processing is based either on our legitimate interest in processing the necessary data of our B2B partners to maintain business relationships (Article 6(1)(f) GDPR), on Article 6(1)(b) GDPR (in the case of sole traders or other individuals) or is necessary to fulfill a legal obligation (Article 6(1)(c) GDPR).
When personal data from B2B contacts is used to send information by post about events, services, or products, we rely on Article 6(1)(f) GDPR. We assume this is in both your and our economic interest, and that you reasonably expect such processing. You may object to this processing at any time by emailing privacy[at]kieback-peter.com or by sending an objection via post to our postal address, with the addition of “Data Protection.”
We enter into data protection agreements with the service providers we use. Personal data is processed by service providers in third countries only if the special requirements of Article 44 et seq. GDPR are met. For certified U.S. service providers, we rely on the EU-U.S. Data Privacy Framework adequacy decision, in accordance with Article 45 GDPR. Additionally, we may use service providers based on appropriate safeguards, including standard data protection clauses in accordance with Article 46(2)(c) GDPR.
Duration of storage
We will delete your personal data once it is no longer needed for the purposes mentioned above. After the termination of a contractual relationship, personal data will be stored for the duration required by law. This generally arises from legal evidence and retention obligations, as outlined in the German Commercial Code and the German Fiscal Code, which may require storage for up to ten years.
In some cases, personal data may be retained for the period during which claims can be asserted against us (statutory limitation periods range from three to thirty years).
Once the relevant purpose has expired or the legal retention periods have passed, your data will be routinely deleted.
Recipients of data
Personal data may be transmitted to the following recipients:
IT service providers (for software applications)
Companies within our corporate group
Public authorities and institutions (e.g., tax offices, courts)
Auditors, tax consultants, appraisers
Customer, supplier, or business partner banks (for SEPA payment transactions)
Credit agencies
In addition, we work with service providers who either transfer data to a group company in a third country or are based in a third country themselves, falling under the provisions of Chapter 5 GDPR:
Microsoft Ireland Operations Limited. Data transfers to Microsoft Corp. are possible. Microsoft Corp. is EU-US-DPF certified, and data transfers are based on Article 45 GDPR.
Description of data processing
We offer various training courses and seminars on our products and services through our in-house academy. The target audience for these offerings includes commercial customers and interested parties.
You can register for these courses using the registration form on our website. We process the personal data you provide for the organization, execution, and documentation of the training sessions, including participant lists, invoicing, and electronic distribution of participation confirmations.
After the event, we will invite you to provide anonymous feedback through an email containing a link to a survey. Participation in this survey is voluntary. If you choose to participate, your IP address, time of participation, and the information you provide will be processed.
The survey results are anonymized, ensuring that no personal conclusions can be drawn about you. These feedback surveys help us continuously improve our customer training programs.
Purpose and legal basis of data processing
Data processing is performed for the purpose of organizing, conducting, documenting, and billing the training courses. Participant lists are compiled for internal documentation purposes, and participation confirmations can be sent via email upon request.
The data processing is based either on our legitimate interest in being able to offer our customers an optimal service by providing specific expertise on our products (Article 6(1)(f) GDPR) or – if you participate in the training as a sole trader or other individual – on Article 6(1)(b) GDPR (fulfillment of contract). If data is processed to fulfill a legal obligation, it is based on Article 6(1)(c) GDPR in conjunction with relevant legal standards.
The feedback survey is conducted on the basis of Article 6(1)(f) GDPR, where our legitimate interest lies in optimizing our training offerings.
For conducting surveys, we utilize an IT service provider with whom we have signed a data protection agreement. For U.S. service providers participating in the EU-U.S. Data Privacy Framework, data transfers rely on this adequacy decision in accordance with Article 45 GDPR.
Duration of storage
Your personal data will be deleted once it is no longer needed for the purposes mentioned above. After the termination of the contractual relationship, personal data will be stored as long as legally required. Once the relevant purpose no longer applies or the retention periods have expired, your data will be routinely deleted.
Recipients of data
Personal data is transmitted to the following recipients:
Microsoft Ireland Operations Limited. Data transfers to Microsoft Corp. are potentially possible. Microsoft Corp. is EU-US-DPF certified, and data transfers are based on Article 45 GDPR.
Description of data processing
We offer digital training formats, such as webinars, at irregular intervals to showcase our products and services. The target audience includes commercial customers, interested parties, and employees of Kieback&Peter group.
Participation in our webinars may require prior registration via email. In addition to the data you provide (typically your name, business email address, job title if applicable, and company/organization name if applicable), the sender’s IP address and the time the email was sent are automatically recorded by our technical systems.
User authentication may be required to join the webinars, usually through providing a username (or pseudonym) and entering a personal participation link. Additionally, connection data, such as your IP address and device/hardware information, are automatically recorded. Depending on your specific interaction during the webinar, text, audio, and video data (e.g., chat histories, video, and audio recordings) may also be processed.
If we plan to record a webinar, we will notify you in advance and obtain your consent if necessary.
Should we intend to use your email address for advertising purposes as a condition of participation, we will inform you beforehand and seek your consent.
Purpose and legal basis of data processing
Your data is processed for the purpose of conducting the webinars. If data is processed for other purposes, we will notify you separately.
The provision of webinars for customers, interested parties, and employees is based on either Article 6(1)(f) GDPR (legitimate interest) or Article 6(1)(b) GDPR (fulfillment of contract, particularly in the employment context). If data processing is carried out under Article 6(1)(f) GDPR, you have the right to object to this processing at any time.
Participation in our webinars may also be based on Article 6(1)(a) GDPR (consent) or, in compliance with the conditions set out in Section 7(3) German Act Against Unfair Competition, on Article 6(1)(f) GDPR (legitimate interest). By providing your email address and participating in our webinars, you consent to our use of your email address for advertising purposes in return for access to the webinars.
Depending on the legal basis, your consent may include the following:
Receiving further information about our products and services, as well as those of our affiliated companies,
Receiving invitations to webinars, product demonstrations, training events, and similar events,
Receiving personalized offers.
In the case of webinar recordings, data processing is based on Article 6(1)(a) GDPR (consent). Recordings are made for specific purposes, and your consent is required in relation to your usage behavior. Depending on the information you disclose, your consent may extend to the recording of text messages (e.g., chat), audio, and video data.
For example, the purpose of a recording may be to provide training materials for a restricted group of individuals.
Granting consent is voluntary, and you can revoke your consent at any time without providing reasons. Upon revocation, we will stop processing your data for purposes based on that consent. However, the legality of the data processing that took place before the revocation remains unaffected. Revocation requests can be sent to privacy[at]kieback-peter.com or by postal mail to our address, marked “Data Protection.”
If data processing is based on Article 6(1)(f) GDPR, you have the right to object at any time in accordance with Article 21(1) GDPR. For more details, refer to the section “Your rights to object”.
The setting of technically necessary session cookies for video conferencing systems is carried out in accordance with Section 25(2) Telecommunications Digital Services Data Protection Act (technically necessary). Session cookies are automatically deleted when the browser is closed.
For the provision of our webinars, we work with IT service providers under data protection agreements. Personal data is processed by service providers in third countries only when the special requirements of Article 44 et seqq. GDPR are met. For U.S. service providers participating in the EU-U.S. Data Privacy Framework, we rely on this adequacy decision under Article 45 GDPR. If Article 45 GDPR is not applicable, data processing is conducted on the basis of suitable guarantees in accordance with Article 46(2)(c) GDPR (standard data protection clauses).
Duration of storage
We store your personal data for one year after the end of the webinar for direct marketing purposes. If we establish a business relationship with you during this time, we will retain your contact data beyond the one-year period, in line with the general retention periods applicable to our customer relationships.
Recipients of data
Personal data is transmitted to the following recipients:
GoTo Technologies Ireland Unlimited Company, 77 Sir John Rogerson's Quay, Block C, Suite 207, Grand Canal Docklands, Dublin 2, D02 VK60 Ireland. Service provided: GoToWebinar. GoTo Technologies Ireland Unlimited Company is a subsidiary of GoTo Group, Inc., USA. GoTo Group is EU-US-DPF certified, and data transfers are based on Article 45 GDPR.
Microsoft Ireland Operations Limited. Data transfers to Microsoft Corp. are potentially possible. Microsoft Corp. is EU-US-DPF certified, and data transfers are based on Article 45 GDPR.
Description of data processing
We offer our premium partners a learning management platform that provides specialised knowledge about Kieback&Peter products and services for the employees of premium partners.
User accounts are set up by Kieback&Peter at the instigation of the premium customer.
You will receive access to the platform via an e-mail invitation with a personalised registration link. To contact you, we use the contact details provided by the premium customer and/or the e-mail addresses of the contact persons lawfully collected as part of the existing customer relationship.
If personal details are stored for the user, personalised training certificates are issued.
When using the learning management platform, usage data is automatically transmitted to the platform by the user's browser and temporarily stored in the form of log files. The following data is processed:
the IP address (encrypted), browser type and version, operating system used, referrer URL, host name of the accessing computer and time of the server enquiry.
In addition, login data is automatically collected by the system and temporarily stored in log files. The data is technically required to ensure authorised use of the services and to detect and prevent unauthorised access. The following data is processed:
Date, login/logout, period of use, password, IP address, user agent (browser information, operating system, device information)
Purpose and legal basis of data processing
Personal data is processed for the purpose of granting our customers access to our learning management platform in order to be able to access the training formats integrated there.
Data processing is carried out in accordance with Article 6(1)(f) GDPR (legitimate interest). Our legitimate interest is to provide an optimal service by providing a learning platform for the transfer of specific expertise. Users of this platform have the right to object to this processing at any time.
The processing of usage data and login data is carried out for the purpose of defence against attacks. The legal basis is Article 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the provision of a functional application and in ensuring IT security (defence against attacks). Data processing is absolutely necessary for the operation of the platform. Consequently, the user has no option to object.
Duration of storage
We store your personal data for the duration of the existing business relationship. We delete your personal data as soon as it is no longer required for the above-mentioned purposes or you have objected to the processing. After the purpose no longer applies, we may still store your personal data to fulfil retention periods. If the purpose that authorised longer data storage no longer applies, your data will be routinely deleted.
The usage and login data stored in log files are deleted after 365 days.
Recipients of data
Personal data is transmitted to the following recipients:
Microsoft Ireland Operations Limited. Data transfers to Microsoft Corp. are potentially possible. Microsoft Corp. is EU-US-DPF certified. The data transfer is based on Article 45 GDPR.
Description of data processing
We conduct online surveys, either anonymous or personal, at irregular intervals. Invitations to participate are sent via email, outlining the purpose of the survey, the method (anonymous or by name), and the legal basis. The email also includes a participation link and a reference to the data protection information.
These online surveys may target customers, interested parties (e.g., trade fair visitors), planners, suppliers, or employees within the Kieback&Peter group. For these surveys, we process the data you provide (e.g., email address and survey responses). Additionally, our technical systems record communication-related data, such as your IP address and the time the email was sent.
Participation in online surveys is voluntary.
Purpose and legal basis of data processing
Data processing is conducted to organize and execute the surveys, communicate with participants, and evaluate and utilize the survey results afterward.
If your email address was collected as part of a lawful customer relationship, we process data based on Article 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in maintaining contact with interested parties and potential business partners to improve our services. You have the right to object to this processing at any time, as outlined in Article 21(1) GDPR. For more details, refer to the section “Your rights to object”.
In certain cases, we will seek your consent for processing, with Article 6(1)(a) GDPR serving as the legal basis. Granting consent is voluntary and can be revoked at any time without providing reasons. Upon revocation, we will stop processing your data for purposes related to that consent in the future. However, the revocation does not affect the legality of any processing that occurred prior to the revocation. Please send revocation requests to privacy[at]kieback-peter.com or via post to our address, labeled “Data Protection.”
We use an IT service provider to conduct surveys, and a data protection agreement has been established with them. For U.S. service providers that participate in the EU-U.S. Data Privacy Framework, we rely on this adequacy decision in accordance with Article 45 GDPR.
Duration of storage
The data processed will be deleted from our IT systems as soon as the purpose for its storage no longer applies, you request deletion, or you revoke your consent. Personal survey data is stored for a maximum of three years.
Recipients of data
Personal data is transmitted to the following recipients:
Microsoft Ireland Operations Limited. Service provided: Microsoft Teams. Data transfers to Microsoft Corp. are potentially possible. Microsoft Corp. is EU-US-DPF certified, and data transfers are based on Article 45 GDPR.
Description of data processing
We offer an online application portal for Kieback&Peter and its German subsidiaries. Additionally, you may apply via email or post. Any application data provided through these channels will be transferred to our recruiting system.
We process the personal data you submit to facilitate the application process, including any correspondence or interview transcripts related to your application. If you provide it, we may also process special categories of personal data (e.g., health data).
In online applications, mandatory fields are clearly marked, indicating the data we require to process your application. All data transmission is encrypted. For electronic applications (online or by email), our technical systems automatically record the sender's IP address, the time the application is sent, and the size of any attachments. To provide the online form, technically necessary session cookies are stored on the user’s device.
We may also obtain data about you from other sources, such as publicly accessible websites, including online profiles (e.g., XING, LinkedIn), if you have made such information publicly available.
Note: While providing personal data is voluntary, it is necessary for processing your application and entering into an employment contract with us. Without this information, we cannot process your application or consider you for employment.
Description of data processing when creating a user account
Applicants have the option to create a user account. To create this account, you must register with your email address. The data you provide will be processed to manage your user account.
Once you register, you will receive a password by email, which must be changed upon your first login. The new password must have at least 8 characters and include one uppercase letter, one lowercase letter, and one number. The system will verify that these requirements are met.
To use the “Forgot password” feature, you must define a personal security question and answer under “My account” / “Access data.” You may update your information or delete your account at any time.
Purpose and legal basis of data processing
We process your personal data to conduct the selection process. The data you provide is used to process your application, and if an employment relationship is established, for managing that employment relationship. The legal basis for this processing is Article 6(1)(b) GDPR (pre-contractual measures).
If necessary, we process your data to defend against legal claims during the application process, based on Article 6(1)(f) GDPR. Our legitimate interest is the defense against unjustified claims, particularly concerning the General Equal Treatment Act (AGG).
Data transfers to Kieback&Peter group subsidiaries are based on Article 6(1)(f) GDPR, with our legitimate interest being the use of a centralized applicant portal. These recipients are responsible for further data processing under applicable data protection laws.
Technically necessary session cookies for providing the online applicant portal are set in accordance with Section 25(2) Telecommunications Digital Services Data Protection Act (technically necessary). These session cookies are deleted when the browser is closed.
Duration of storage
We retain your personal data for 6 months or for as long as necessary to protect the legitimate interests of Kieback&Peter, in compliance with applicable law.
If you accept employment with us, your personal data will be stored for the duration of your employment, in accordance with the data protection guidelines for Kieback&Peter employees.
Recipients of data
Personal data is transmitted to the following recipients:
Subsidiaries in the Kieback&Peter group: Your application will be processed by the relevant personnel department of the company whose job listing you applied for. In the case of unsolicited applications, your data may also be reviewed by affiliated companies.
IT service providers: Personal data is shared with our IT service provider responsible for maintaining the online application portal, as part of technical support.
Description of data processing
Individuals who wish to report (suspected) violations of national or EU regulations (e.g., violations of the Whistleblower Protection Act or Supply Chain Act) can submit their report online, by email, or by telephone. All reports are centrally managed on our reporting platform and processed by our compliance team. This platform is available to employees, customers, service providers, and suppliers.
For online or email reports, the following data from the reporter may be processed:
Name (optional)
E-mail address
Date and time of the report
Content of the report, including any supporting documents
Personal access data: Identifier and password (only for online registration)
Communication through the login area (only for online registration)
For telephone reports, the following data may be processed:
Name (optional)
Date and time of the report
Content in the form of an audio recording or transcript (if consent is provided)
Content data in the form of a subsequent call log
Telephone number (optional)
Reporters can choose which reporting channel to use and what personal data to provide, both about themselves and others involved. When using the online form, an email address is required, but this can be an alias email address. If a follow-up conversation is necessary to clarify the report, this will occur via the same reporting channel, provided contact details were shared.
For online form submissions, a case-related communication page is generated to allow confidential communication. The whistleblower receives a unique ID for authorization and must assign a password. Follow-up communication via the reporting platform is also available for telephone and electronic reports, for which a start code is sent to the reporter.
Purpose and legal basis of data processing
Personal data is processed to investigate and address (suspected) violations of national or EU laws that are subject to criminal penalties or fines.
Data processing is based on Article 6(1)(c) GDPR (legal obligation) in conjunction with relevant legal standards (e.g., the German Whistleblower Protection Act, the German Supply Chain Act).
Data may also be processed based on Article 6(1)(f) GDPR (legitimate interest), as the company is subject to various legal obligations. Our legitimate interest lies in detecting and investigating potential misconduct, protecting the company’s interests through immediate actions to prevent further harm, and asserting claims for damages or other penalties.
Under the Whistleblower Protection Act, data processing may also be carried out with the consent of the whistleblower or individuals mentioned in the report, in accordance with Article 6(1)(a) GDPR, and Section 9(3) and (4) Whistleblower Protection Act.
If the report suggests a possible criminal offense within the employment relationship, and the person’s interest in excluding the processing does not outweigh this, the processing is based on Section 26(1) sentence 2 German Federal Data Protection Act.
Duration of storage
The personal data of whistleblowers and other individuals involved in a report, as well as the communication page provided for the whistleblower (in cases of online reporting), will be retained for as long as necessary to investigate and resolve the (suspected) violation and its final processing. This includes addressing any grievances identified and handling any related legal proceedings.
Once the purpose for which the data was collected has been fulfilled, or the statutory retention periods have expired, your data will be deleted immediately. Typically, personal data associated with a report is deleted three years after the conclusion of the investigation.
Recipients of data
Reports are processed internally by the relevant persons or departments responsible for handling such cases. This includes employees of our compliance team, the responsible management, and other internal departments such as auditing, legal, or human resources, depending on the content of the report.
If a report involves a subsidiary, the relevant departments in that company will be notified.
In cases where clarification is needed, we may consult external specialists, such as lawyers, auditors, or forensic experts. It may also be necessary to report violations to law enforcement authorities, other competent agencies, or courts.
Products, services and apps
Description of data processing
1. Registration
To use our Connect service platform for remote access to your GA systems, you must register. During the registration process, we collect personal data necessary for establishing and fulfilling the contract, including your first name, last name, email address, the company headquarters address, and the password you set. This data is transferred from our CRM system.
2. User administration
The service platform includes a user administration feature that allows you, as the administrator, to manage other users. You can store and update mandatory information such as email addresses and passwords, along with optional details such as names, notes, and telephone numbers.
3. Log files
When using “Connect,” system log data is automatically collected and stored in log files. The following information is recorded, along with the corresponding date:
Login
Logout
Acceptance of the General Terms and Conditions for Remote Access for the Provision and Use of Online Services (Yes/No).
Acceptance of the General Terms and Conditions for Remote Access (Yes/No).
Creation/deletion of user accounts
Activation/deactivation of user accounts
E-mail release/blocking
Remote access release/blocking
4. Remote maintenance and order processing
When using our remote maintenance services, it may be necessary to access personal data. In such cases, you are required to establish an order processing agreement with us, in accordance with Article 28 GDPR. This can be done by accepting the General Terms and Conditions for Remote Access of Kieback&Peter GmbH & Co.
Purpose and legal basis for data processing
The legal basis for processing personal data to establish, provide, and use the service platform is Article 6(1)(f) GDPR. Our legitimate interest is to offer our customers optimal service. Log data, which is collected and stored by the system, is processed to ensure the security and continuous improvement of the platform, also based on our legitimate interest, in accordance with Article 6(1)(f) GDPR.
Duration of storage
We process your personal data only as long as necessary to fulfill our contractual and legal obligations. Personal data is deleted once it is no longer required for the purposes mentioned above. However, personal data may be retained for the period during which claims can be asserted against us.
Administrators can delete their user accounts at any time. Upon request, we will delete the administrator’s account.
Automatically stored log data will be deleted 10 years after the end of the contract.
Recipients of data
Personal data is transmitted to the following recipients:
Kieback&Peter when using the Connect platform services
IT service providers for support and repair services
We operate the website https://www.qanteon.com, which provides information about our building and energy management system, Qanteon. Below is a description of the data processing that takes place on this website.
Hosting
We use an external service provider to support the operation and hosting of our website. For more information on data processing, see the section “Data processing when visiting our website”.
Description of data processing
1. Usage data and log files
When you use the website for informational purposes only, meaning you do not transmit information in other ways, our system automatically collects data and information that your browser sends to our server (usage data). For more information on data processing, see the section “Data processing when visiting our website”.
2. Cookies and similar web storage technologies
We use cookies and similar web storage technologies on our website. Some of these technologies are technically necessary to ensure the proper functioning of our website, while others allow us to analyze and optimize our offerings, such as measuring success or analyzing user behavior. For more information on data processing, see the section “Data processing when visiting our website”.
3. Data processing when using our contact form
When you contact us through our contact form, we process the data you provide in order to handle your request. The data fields in the form are mandatory. Additionally, the date and time of your message are automatically transmitted and stored. For more information on data processing, see the section “Data processing when visiting our website”.
4. Data processing when using the login area
The login area is available to Kieback&Peter customers after they set up a customer account and register. This area grants authorized users access to the Qanteon Services platform. The data processing associated with logging in takes place on the platform. Logged-in users can find more detailed information about data processing in the data protection information of the Qanteon Service platform.
Purpose and legal basis for data processing
Personal data is processed to provide the website and related services. Data processing for contacting us or using our services is carried out to initiate, establish, and manage contractual and delivery relationships with B2B partners.
The legal basis for processing personal data for website functionality, as well as for providing the contact form and login area services, is Article 6(1)(f) GDPR. Our legitimate interest is to ensure the website’s functionality and to effectively process customer and inquiry-related matters.
For more details, refer to the sections “Data processing when visiting our website” and “Data processing when contacting”.
Duration of storage
Personal data is deleted once it is no longer required for the purposes outlined above. For more details, refer to the sections “Data processing when visiting our website” and “Data processing when contacting”.
Recipients of data
No data is transferred to external recipients.
Your data protection rights
For details about your rights as a data subject, as well as contact information for our data protection officer and the relevant supervisory authority, please refer to the “General information” section.
Kieback&Peter provides the “Qanteon ReadMe app” for the mobile recording of consumption and meter readings for customers.
The company that uses the app for its operational processes is responsible for the data processing that occurs using the Qanteon ReadMe app under data protection law. If users have any questions regarding data protection, they should contact their own company.
Description of data processing
The Qanteon ReadMe app is used for the mobile recording of consumption data, which is then transmitted to Qanteon (on-premises or SaaS). The data processing affects users of the Qanteon ReadMe app as well as building users whose consumption data is recorded (e.g., tenants, owners). The data collected may be personal or personally identifiable.
The data processing involved in the installation and use of the Qanteon ReadMe app is described as follows.
1. Download
The Qanteon ReadMe app is available in app stores (Google, Apple) for use by service providers in the building management sector. Downloading apps typically requires prior registration in the respective app store, and various data, some of which is personal, is processed by the app and the user’s device during installation and use.
Kieback&Peter has no influence over this data processing; the responsibility lies with the app store operators. Further details on this can be found in the privacy policies of the respective app store providers.
The app is installed on the user’s device in accordance with Section 25(2) sentence 2 Telecommunications Digital Services Data Protection Act, as this constitutes an expressly requested telemedia service.
2. Device authorizations
For the Qanteon ReadMe app to function correctly, certain access permissions must be granted. You will be prompted to approve the necessary permissions either once during setup or when using specific features. These authorizations can be revoked at any time through your device settings. However, if you do not grant the required permissions, some features of the Qanteon ReadMe app may be limited or unusable.
Access to device functions is solely for enabling the features provided by the app. If the necessary permissions are granted, the relevant personal data may be processed by the Qanteon ReadMe app. The required permissions include:
Network access & network connections: Needed for synchronization, which requires an online mode.
NFC (Near Field Communication): Required to read NFC stickers with a smartphone.
Camera: Needed for measuring point identification via QR code or photo documentation of readings.
Memory: Required to transfer photos of readings to Qanteon during synchronization.
3. Registration
To use the Qanteon ReadMe app, registration with Qanteon is required. During the registration process, the data you provide – along with the IP address, user agent, and unique device and card identifiers (e.g., IMEI, UDID) – is processed for the purpose of registration.
4. Login and synchronization of data
To synchronize data with Qanteon, you must log in to the Qanteon ReadMe app using a valid user account. The username and password you provide are processed for login purposes.
When synchronizing measurement data, the following information is processed:
Measuring point number
Measured value
Date and time of the reading
Photos of the reading (if this feature is used)
All measured values are stored in the Qanteon database, along with the user account name. Additionally, the IMEI of your smartphone or tablet is transmitted to Qanteon and stored to enable device identification.
For more detailed information on data processing via Qanteon, registered users can refer to the data protection information provided for “Qanteon Hub and Qanteon Services.”
Purpose and legal basis for the data transfer
Data processing is carried out under Article 6(1)(f) GDPR (legitimate interest). The company using the Qanteon ReadMe app to perform official tasks is responsible for data processing and determining the purposes for which the data is used.
Duration of storage
The company utilizing the Qanteon ReadMe app to perform official tasks is responsible for determining the storage duration for the collected data.
Recipients of data
Personal data may be transmitted to the following recipients:
Kieback&Peter in the context of commissioning Qanteon Services as part of order processing
Description of data processing
To provide proof of services performed on-site for our contractual partner, we require a signature from a contact person at the location. Data processing is facilitated through an app, where the contact person’s first and last name, contact details, and signature are collected to document the services provided.
This data is converted into a service report and automatically transferred to our ERP system. The signed service report, containing personal data, is then stored in a document management system for archiving purposes.
Purpose and legal basis for data processing
The data is collected to fulfill our service contract with our contractual partner, and confirmation of the services provided is required. The service report is stored and archived to meet documentation and statutory retention obligations.
In this context, the processing is based on Article 6(1)(f) GDPR (legitimate interest), where our legitimate interest lies in efficiently documenting and verifying the services provided to our contractual partner.
We rely on an IT service provider to support this process, with whom we have established a data protection agreement.
Duration of storage
The personal data collected is stored in a service report and retained in compliance with the statutory retention periods outlined in the German Commercial Code and Fiscal Code. After the statutory retention periods of up to 10 years have expired, the data will be deleted immediately.
Recipients of data
Personal data is transmitted to the following recipients:
IT service provider within the scope of order processing
Our social media presence
We maintain publicly accessible profiles in the following social networks:
We have a profile on XING, provided by New Work SE, Am Strandkai 1, 20547 Hamburg, Germany. For details on how XING processes your personal data, please refer to XING's Privacy Policy. XING processes personal data as an independent controller in accordance with Article 4(7) GDPR.
We have a profile on LinkedIn, provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. You can find more information on how LinkedIn handles your personal data in LinkedIn's Privacy Policy.
YouTube
We have a profile on YouTube, which is operated by YouTube, LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is a subsidiary of Google. For details on how YouTube and Google process your personal data, please refer to Google's Privacy Policy.
We have a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta Platforms Ireland Limited is a subsidiary of Meta Platforms Inc. (USA). For details on how they handle your personal data, please refer to Meta's Privacy Policy.
We have a Facebook profile. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Meta Platforms Ireland Limited is a subsidiary of Meta Platforms Inc. (USA). For details of how they handle your personal data, please refer to Meta's Privacy Policy.
TikTok
We have a profile on TikTok, provided by TikTok Technology Limited, 10 Earlsfort Terrace, D02 T380, Dublin, Ireland. For details on how TikTok processes your personal data, please refer to TikTok's Privacy Policy.
The data you provide on our social media pages – such as comments, videos, images, likes, tweets, etc. – is published by the social media platform and is not used or processed by us for any other purposes. We reserve the right to delete content if necessary. Additionally, we may share your content on our social media profiles if the platform offers this function, and we may communicate with you via the platform.
The purpose of this data processing is to communicate with users and enhance the presentation of our company and products. The legal basis for this processing is Article 6(1)(f) GDPR. Our legitimate interest lies in the targeted promotion of our services and products and in facilitating effective communication with customers and interested parties.
Kieback&Peter jointly operates its social media pages with the platform operators mentioned above. As joint controllers of these pages under Article 26 GDPR, we have agreements with the platform providers that define the terms for managing these pages. The respective user agreements or data processing agreements of the platform operators apply.
Terms of Use LinkedIn
Terms of Use YouTube
Terms of Use Instagram by Meta
Terms of Use Facebook fan page of Meta
Terms of Use TikTok.
The operators of these platforms utilize web tracking methods. This tracking can occur regardless of whether you are logged in or registered with the social media platform. We have no control over web tracking or the ability to disable it.
It is possible that social media platform providers may use your profile and behavioral data to analyze your habits, relationships, and preferences. We have no influence over this data processing.
For further information on data processing by social media providers, please refer to the privacy policies linked above.
Any data collected directly by us via our social media presence will be deleted from our systems as soon as its purpose has been fulfilled, or upon your request for deletion or withdrawal of consent.
We have no control over the storage duration of data retained by the social media platform operators for their own purposes. For further details, please contact the social media platforms directly.