1. Introduction

With the following information, we would like to provide you, as the “data subject,” with an overview of the processing of your personal data by us and your rights under data protection laws. It is generally possible to use our websites without providing personal data. However, if you would like to use specific services offered by our company via our website, processing of personal data may be required. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, such as your name, address, or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the applicable national data protection regulations for “ECCO Management GmbH.” Through this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use, and process.

As the data controller, we have implemented numerous technical and organizational measures to ensure the most comprehensive protection of the personal data processed through this website. Nevertheless, internet-based data transmissions can have security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us by alternative means, such as by phone or by mail.

You can also take simple and easily implemented steps to protect yourself against unauthorized access to your data by third parties. Therefore, we would like to provide you with some advice on securely handling your data:

  • Protect your account (login, user, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with secure passwords.
  • Only you should have access to your passwords.
  • Ensure that you use your passwords only for one account (login, user, or customer account).
  • Do not use the same password for different websites, applications, or online services.
  • Especially when using publicly accessible or shared IT systems, you should always log out after each login to a website, application, or online service.

2. Responsible Body

The data controller within the meaning of the GDPR is:

ECCO Management GmbH
Südliche Münchner Straße 55

82031 Grünwald

Email: info@ecco-group.de

Representatives of the data controller: Dr. Daniel Ebert, Uli Lorenz

3. Data Protection Officer

We are not required to appoint and/or designate a data protection officer.

4. Legal Basis for Processing

Article 6(1)(a) of the GDPR (in conjunction with Section 25(1) of the TDDDG (formerly TTDSG)) serves as the legal basis for processing activities in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party, such as in processing activities required for the delivery of goods or the provision of other services or considerations, the processing is based on Article 6(1)(b) of the GDPR. This also applies to processing activities that are necessary for carrying out pre-contractual measures, such as inquiries about our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, such as to comply with tax obligations, the processing is based on Article 6(1)(c) of the GDPR.

In rare cases, the processing of personal data may be required to protect vital interests of the data subject or another natural person. For example, if a visitor were to be injured on our premises, and their name, age, health insurance information, or other vital information had to be provided to a doctor, hospital, or other third parties, the processing would be based on Article 6(1)(d) of the GDPR.

Finally, processing activities could be based on Article 6(1)(f) of the GDPR. This legal basis applies to processing activities not covered by any of the aforementioned legal bases when the processing is necessary for the purposes of legitimate interests pursued by our company or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not outweigh those interests. These processing activities are particularly allowed because they are specifically mentioned by the European legislator, who considered that a legitimate interest could be assumed if you are a customer of our company (Recital 47, sentence 2 of the GDPR).

5. Transfer of Data to Third Parties

We will only share your personal data with third parties if:

  1. You have explicitly given us your consent pursuant to Article 6(1)(a) of the GDPR,
  2. The transfer is permissible under Article 6(1)(f) of the GDPR to protect our legitimate interests, and there is no reason to believe that you have a predominant legitimate interest in not disclosing your data,
  3. There is a legal obligation to transfer the data pursuant to Article 6(1)(c) of the GDPR, or
  4. The transfer is legally permissible and necessary for the performance of contractual relationships with you pursuant to Article 6(1)(b) of the GDPR.

To protect your data and, if necessary, enable data transfers to third countries (outside the EU/EEA), we have entered into data processing agreements based on the Standard Contractual Clauses of the European Commission. If the Standard Contractual Clauses are insufficient to establish an adequate level of security, your consent pursuant to Article 49(1)(a) of the GDPR may serve as the legal basis for the transfer to third countries. This, however, does not apply to transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Article 45 of the GDPR.

6. Technology

6.1 SSL/TLS Encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data, or contact requests that you send to us as the operator. You can recognize an encrypted connection by the fact that “http://” is replaced by “https://” in the browser’s address bar and by the padlock symbol in your browser bar.

We use this technology to protect your transmitted data.

6.2 Data Collection When Visiting the Website

When you visit our website for informational purposes only, without registering or providing any information or consent for processing that requires consent, we only collect data that is technically necessary for the provision of the service. This usually involves data that your browser transmits to our server (in so-called “server log files”).

Each time a page is accessed by you or an automated system, a series of general data and information is collected by our website. This general data and information is stored in the server’s log files. The following may be collected:

  1. The types and versions of the browser used,
  2. The operating system used by the accessing system,
  3. The website from which the accessing system arrives at our website (so-called referrer),
  4. The subpages accessed on our website by the accessing system,
  5. The date and time of access to the website,
  6. A shortened internet protocol address (anonymized IP address), and
  7. The internet service provider of the accessing system.

We do not draw any conclusions about your person from the use of these general data and information. These pieces of information are instead required to:

  1. Deliver the content of our website correctly,
  2. Optimize the content of our website and the advertising for it,
  3. Ensure the permanent functionality of our IT systems and the technology of our website, and
  4. Provide law enforcement authorities with the necessary information for prosecution in the event of a cyber attack.

The collected data and information will be evaluated by us for statistical purposes and to increase the privacy and data security within our company, ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data in the server log files will be stored separately from all personal data provided by an affected person.

The legal basis for data processing is Article 6(1)(f) of the GDPR. Our legitimate interest arises from the purposes of data collection listed above.

6.3 Hosting by IONOS

We host our website with IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (hereinafter referred to as IONOS).

When you visit our website, your personal data (e.g., IP addresses in log files) is processed on IONOS’ servers.

The use of IONOS is based on Article 6(1)(f) of the GDPR. We have a legitimate interest in providing and securing our website in the most reliable way possible.

We have concluded a data processing agreement (DPA) with IONOS pursuant to Article 28 of the GDPR. This is a legally required contract ensuring that IONOS processes personal data of our website visitors only according to our instructions and in compliance with the GDPR.

For more information on IONOS’ privacy policy, please visit: https://www.ionos.de/terms-gtc/terms-privacy

7. Cookies

7.1 Legal Basis for the Use of Cookies

The data processed through cookies, which are necessary for the proper functioning of the website, are required for the protection of our legitimate interests and those of third parties according to Article 6(1)(f) of the GDPR.

For all other cookies, you have provided your consent through our opt-in cookie banner in accordance with Article 6(1)(a) of the GDPR.

8. Content of Our Website

8.1 Application Management / Job Portal

We collect and process the personal data of applicants for the purpose of managing the application process. The processing may also take place electronically, particularly when an applicant submits application documents electronically, for example, via email or through a web form available on the website. If we conclude an employment or service contract with an applicant, the transmitted data will be stored for the purpose of managing the employment relationship, in compliance with legal requirements. If no contract is concluded with the applicant, the application documents will be automatically deleted two months after the rejection decision has been communicated, unless there are other legitimate interests on our part that prevent deletion. An example of such a legitimate interest would be the obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).

The legal basis for processing your data is Articles 6(1)(b) and 88 of the GDPR in conjunction with Section 26(1) of the Federal Data Protection Act (BDSG).

9. Newsletter Dispatch

9.1 Promotional Newsletter

On our website, you are provided with the option to subscribe to our company’s newsletter. The personal data transmitted to us when ordering the newsletter is derived from the input form used for this purpose.

We regularly inform our customers and business partners about our offers via a newsletter. Our company’s newsletter can generally only be received by you if

  1. You have a valid email address, and
  2. You have registered for the newsletter subscription.

For legal reasons, a confirmation email will be sent to the email address you first registered for the newsletter, following a double opt-in procedure. This confirmation email serves to verify that you, as the owner of the email address, have authorized the receipt of the newsletter.

When subscribing to the newsletter, we also store the IP address assigned to you by your internet service provider (ISP) of the IT system you used at the time of registration, as well as the date and time of the registration. The collection of this data is necessary to trace any possible misuse of your email address at a later time and therefore serves as our legal safeguard.

The personal data collected during the newsletter registration process will be used exclusively for sending our newsletter. Additionally, subscribers to the newsletter may be informed via email if necessary for the operation of the newsletter service or related registration, such as in cases of changes to the newsletter offering or alterations to technical conditions. No personal data collected in the course of the newsletter service will be passed on to third parties. The subscription to our newsletter can be canceled at any time by you. The consent for the storage of personal data provided for the newsletter dispatch can be revoked at any time. A corresponding link for revoking consent is included in every newsletter. Additionally, you can always unsubscribe from the newsletter directly on our website or notify us in another way.

The legal basis for data processing for the purpose of newsletter dispatch is Article 6(1)(a) of the GDPR.

10. Our Activities in Social Networks

In order to communicate with you in social networks and inform you about our services, we are represented there with our own pages. When you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing activities triggered, in accordance with Article 26 of the GDPR.

We are not the original provider of these pages but use them solely within the scope of the possibilities offered to us by the respective providers.

Therefore, we would like to inform you that your data may also be processed outside the European Union or the European Economic Area. As a result, the use of these platforms may involve data protection risks for you, as the exercise of your rights (e.g., access, deletion, objection, etc.) may be more difficult. Furthermore, processing in social networks often occurs directly for advertising purposes or for analyzing user behavior by the providers, without us being able to influence it. If the provider creates user profiles, cookies are often used, and your usage behavior is assigned to your own member profile in the social networks.

The described processing activities of personal data are carried out in accordance with Article 6(1)(f) of the GDPR, based on our legitimate interest and the legitimate interest of the respective provider, to communicate with you in a modern way or to inform you about our services. If you need to give consent for data processing as a user with the respective providers, the legal basis is Article 6(1)(a) of the GDPR in conjunction with Article 7 of the GDPR.

Since we do not have access to the data held by the providers, we would like to point out that you should exercise your rights (e.g., access, correction, deletion, etc.) directly with the respective provider. Further information on the processing of your data in the social networks is provided below for each provider we use:

10.1 LinkedIn

(Co-) Controller for data processing in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy Policy: https://www.linkedin.com/legal/privacy-policy

11. Web Analytics

11.1 HubSpot

On this website, we use HubSpot functions. The provider is HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA.

HubSpot tracks the visitors to our website using browser cookies. Every time you access our website, HubSpot checks if a HubSpot tracking cookie is set. If no such cookie is set on your browser, a HubSpot cookie will be placed (if you give your consent) which will record all the pages you visit on our website later on.

Regarding HubSpot’s handling of tracking cookies, the following should be noted:

  • Your visit to our website is only tracked with the HubSpot cookie if you have given your consent to set the HubSpot cookie or any tracking cookies.
  • If you fill out and submit one of the forms on our website (e.g., a contact form) and have given consent to set the HubSpot cookie, HubSpot will link your previous page views (from the tracking cookie) with the form you submitted.
  • If you have already been in contact with us, the email address submitted via the form will be matched with the information we already have.
  • If you delete all your cookies or specifically delete the HubSpot cookies, you will be considered a new visitor on our website, and a new cookie will be set. However, HubSpot will automatically deduplicate any form submissions from the same email address, even if they are associated with different browser cookies.
  • Since cookies are set only once on a browser, submissions from two people sharing a single computer will be linked to the same contact entry. This deduplication via cookies ensures that, if a contact person submits forms from different email addresses, all submissions are assigned to a single contact entry in HubSpot.
  • HubSpot associates page views with a contact person if the contact clicks a link in a tracked marketing email that leads to a page where the HubSpot tracking code is installed.

These processing activities are carried out only upon explicit consent in accordance with Article 6(1)(a) of the GDPR. Your data will be stored until you withdraw your consent.

You can set your browser to be notified about the setting of cookies, allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or generally, and activate automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.

The transfer of your personal data to the USA is based on the Standard Contractual Clauses.

Further information about HubSpot can be found at: https://legal.hubspot.com/privacy-policy.

12. Plugins and Other Services

12.1 Polylang

We use the WordPress plugin Polylang by WP SYNTEX, 28, rue Jean Sébastien Bach, 38090 Villefontaine, France.

This service allows us to publish content on our website in multiple languages. This also includes the display of “Emojis.”

For the calculation of dynamic content, the following data is used:

The WP SYNTEX cookie is set solely to recognize and store the language used or selected by the user. This cookie is stored for one year and then deleted. The processed data always includes the IP address and the chosen language setting.

These processing activities are based on our legitimate interest under Article 6(1)(f) of the GDPR to provide a reliable and engaging online presence in order to increase business efficiency.

You can view WP SYNTEX’s privacy policy at: https://polylang.pro/privacy-policy/.

13. Your Rights as a Data Subject

13.1 Right to Information (Article 15 GDPR)

You have the right to request free information about the personal data we store about you at any time, as well as a copy of this data in accordance with legal provisions.

13.2 Right to Rectification (Article 16 GDPR)

You have the right to request the correction of incorrect personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, considering the purposes of processing.

13.3 Right to Deletion (Article 17 GDPR)

You have the right to request the immediate deletion of personal data concerning you, provided that one of the legally provided reasons applies, and as long as processing or storage is not required.

13.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request the restriction of processing by us if one of the legal conditions is met.

13.5 Right to Data Portability (Article 20 GDPR)

13.6 Right to Object (Article 21 GDPR)

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, which is carried out based on Article 6(1)(e) (data processing in the public interest) or (f) (data processing based on a balancing of interests) GDPR.

This also applies to profiling based on these provisions as defined in Article 4(4) GDPR.

If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves the assertion, exercise, or defense of legal claims.

In individual cases, we process personal data for direct marketing purposes. You may object at any time to the processing of personal data for such marketing purposes. This also applies to profiling, insofar as it is related to such direct marketing. If you object to us processing data for direct marketing purposes, we will no longer process your personal data for such purposes.

Additionally, you have the right, for reasons arising from your particular situation, to object to the processing of personal data concerning you that is being processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, using automated procedures where technical specifications are used.

13.7 Withdrawal of Consent

You have the right to withdraw consent for the processing of personal data at any time with effect for the future.

13.8 Complaints to a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority responsible for data protection regarding our processing of personal data.

14. Duration of Storage of Personal Data

The criterion for the duration of the storage of personal data is the respective statutory retention period. After the retention period has expired, the relevant data will routinely be deleted, unless it is required for contract fulfillment or contract initiation.

15. Current Status and Changes to the Privacy Policy

This privacy policy is currently valid and is dated January 2025.

Due to the further development of our websites and services or due to changes in legal or regulatory requirements, it may be necessary to amend this privacy policy. The most current privacy policy can be accessed and printed at any time on our website under “https://ecco-group.de/datenschutz/”.

16. Current List of Supervisory Authorities

You can find a list of supervisory authorities on the page: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

This privacy policy was created by Great Oak Datenschutz GmbH & Co. KG with the support of the data protection software: GO DSM.