skip to main content

Data protection

Cookie settings

Under the following links you can adjust your cookie settings:

Change Settings Reset

Data protection

Thank you for your interest in the internet services provided by ST Extruded Products Germany GmbH (hereinafter: “STEP-G”). STEP-G attaches great importance to protecting your personal data during its collection, processing and use in the context of your visit to our website. We comply with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Digital Services Act (DSA) and any other applicable, country-specific data protection regulations.

In principle, the website of STEP-G can be used without submitting any personal data (e.g. the visitor’s name, address, e-mail address or telephone number). However, if you wish to make use of particular services that we offer via our website, it may be necessary for your personal data to be processed by STEP-G. We always seek your consent if we need to process your personal data, unless there is already a legal basis for such processing.

The purpose of this Privacy Policy is to inform you about the nature, scope and purpose of the collection, processing and use of personal data by STEP-G. In addition, we wish to inform you about your rights under this Privacy Policy.

STEP-G has implemented a variety of technical and organisational measures to ensure that your personal data, which is processed via this website, is protected to the maximum extent possible. Nevertheless, we wish to point out that absolute protection cannot be guaranteed due to the nature of internet-based data transmission and the associated potential security vulnerabilities. You therefore have the option of providing us with your personal data by other means (e.g. by telephone or post).

1. Terminology

Within the framework of this Privacy Policy, STEP-G uses terminology that is also used in the EU General Data Protection Regulation (GDPR). Among others, this includes the following terms: 

  • Personal data 
    “Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered to be identifiable if they can be identified either directly or indirectly, and in particular by association with an identifier such as a name, identification number, location data, an online identifier or one or more special characteristics that are specific to their physical, physiological, genetic, mental, economic, cultural or social identity. 
  • Data subject
    “Data subject” means any identified or identifiable natural person whose personal data is processed by the data controller.  
  • Processing 
    “Processing” means any process or series of operations performed with or without the aid of automated processes in connection with personal data, such as its collection, recording, organising, ordering, storage, adaptation or modification, read-out, querying, use, disclosure by transmission, dissemination or other form of disclosure, matching or linking, restriction, deletion or destruction. 
  • Restriction of processing
    “Restriction of processing” means the marking of stored personal data in order to restrict its future processing. 
  • Profiling 
    “Profiling” refers to any type of automated processing of personal data undertaken for the purpose of evaluating certain personal aspects relating to a natural person, in particular with the aim of assessing or predicting the person’s job performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or future change of location. 
  • Pseudonymisation 
    “Pseudonymisation” refers to the processing of personal data in such a way that ensures it can no longer be assigned to a specific data subject without additional information, provided that this additional information is stored separately and subjected to technical and organisational measures designed to ensure that the personal data is not assigned to an identified or identifiable natural person. 
  • File system
    A “file system” means any structured collection of personal data that is accessible via specific criteria, whether that collection is centralised, decentralised or organised on the basis of functional or geographical factors. 
  • Data controller
    The “data controller” is the natural or legal person, public authority, agency or other body which, either alone or in collaboration with others, decides on the purpose and means of the processing of personal data. Where the purpose and means of such processing are determined by European Union law or the law of the Member States, the data controller (or the specific criteria governing his/her appointment) may be determined by EU or national law. 
  • Data processor
    The “data processor” refers to a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. 
  • Recipient
    The “recipient” means a natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not they are a third party. However, authorities which receive personal data under EU or national law in connection with a particular investigation order are not considered to be recipients. 
  • Third parties
    A “third party” refers to a natural or legal person, public authority, agency or body other than the data subject, data controller, data processor and the individuals authorised to process the personal data under the direct responsibility of the data controller or data processor. 
  • Consent
    “Consent” means any unambiguous and voluntary expression of will on the part of the data subject in the form of a statement or other unambiguous confirmatory act, whereby the data subject indicates their agreement to the processing of their personal data. 

2. Name and address of the data controller

The data controller with regard to the processing of the data collected via the websites of STEP-G is: 
ST Extruded Products Germany GmbH, Schachenstraße 14, 88267 Vogt, Germany, phone: +49 7529 999-0, e-mail: vogt.office(at)step-g.com, website: www.step-g.com

3. Name and address of the data protection officer

The data controller’s data protection officer is:
White Whale Data GbR, RA Götz Sommer, Hansaring 97, 50670 Köln, Germany, phone: +49 221 977 69 80, e-mail: info(at)wwdata.de.

All data subjects may contact our data protection officer at any time with any queries or suggestions regarding data protection. 

4. Legal basis of the processing

Pursuant to Article 6 (1) GDPR, the processing of personal data by STEP-G is lawful provided that at least one of the following conditions is met: 

a) The data subject has given their consent to the processing of their personal data for one or more specific purposes 

b) The processing is necessary for the performance of a contract to which the data subject is a party, or for the performance of pre-contractual measures at the data subject’s request (e.g. product enquiries) 

c) The processing is required to fulfil a legal obligation on the part of the data controller (e.g. tax obligations) 

d) The processing is necessary to protect the vital interests of the data subject or any other natural person (e.g. a visitor’s health insurance data in the event of an accident on our premises) 

e) The processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority vested in the data controller 

f) The processing is necessary to safeguard the legitimate interests of the data controller or a third party, unless these are secondary to the interests or fundamental rights and freedoms of the data subject in the context of data protection, and in particular if the data subject is a child. 

5. Legitimate interests in the processing pursued by the data controller or a third party

Where the processing of personal data is based on Article 6 (1) (f) GDPR, we have a legitimate interest in conducting our business for the benefit of all of our employees and shareholders. 

6. Duration for which the personal data is stored

STEP-G stores personal data for the duration of the respective statutory retention periods. At the end of this period, the corresponding data is routinely deleted, unless it is required for performance of the contract or for contract initiation. 

7. Existence of an automated decision-making process

As a responsible and conscientious company we do not carry out automated decision-making or profiling.

8. Rights of the data subject

Due to the regulations of the GDPR, data subjects have the following rights: 

  • Right to confirmation
    As the data subject, you have the right to ask STEP-G (as the data controller) to confirm the processing of your personal data. You can exercise this right at any time by contacting any of the data protection officers mentioned in this Privacy Policy or any other STEP-G employee. 
     
  • Right to information
    As the data subject, you have the right, at any time, to receive information from STEP-G free of charge regarding the personal data stored about you, and to receive a copy of this data. You also have the right to receive the following information:

    a) the purpose of the data processing

    b) the categories of personal data being processed  

    c) the recipients or categories of recipients to whom the personal data has been disclosed, or is yet to be disclosed, in particular recipients in third countries or international organisations 

    d) if possible, the planned storage duration for the personal data or, where this is not possible, the criteria used to determine the storage duration 

    e) the existence of a right to rectification or deletion of your personal data, or to request a restriction of its processing by the data controller, or to object to such processing f) the existence of a right of appeal to a supervisory authority

    g) if the personal data is not collected from you (as the data subject): all available information about the source of the data

    h) the existence of an automated decision-making process, including profiling, in accordance with Article 22 (1) and (4) GDPR and – at least where such processes exist – meaningful information about the logic involved and the scope and intended impact of such processing with regard to you (as the data subject)

    If personal data is transmitted to a third country or an international organisation, as the data subject you have the right to be informed about the appropriate safeguards in connection with the transfer under Article 46 GDPR. 

    As the data subject, you can exercise this right to information at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. 
     
  • Right to rectification 
    As the data subject, you have the right to demand that STEP-G immediately correct any incorrect personal data concerning you. Taking into account the purposes of the processing, as the data subject you have the right to request the completion of incomplete personal data, including by means of a supplementary statement. 
    As the data subject, you can exercise this right to rectification at any time by contacting any data protection officer mentioned in this Privacy Policy or any other employee of ST Extruded Products Germany GmbH.
     
  • Right to deletion (“right to be forgotten”) 
    As the data subject, you have the right to require STEP-G to delete your personal data without delay, provided that one of the following reasons applies and that the processing of your data is not mandatory: 

    a) The personal data is no longer required for the purpose for which it was collected or otherwise processed.  

    b) The data subject revokes the consent on which the processing was based in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing.

    c) The data subject raises an objection to the processing in accordance with Article 21 (1) GDPR, and there are overriding, legitimate reasons for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR.  

    d) The personal data was processed unlawfully. 

    e) The deletion of personal data is necessary to fulfil a legal obligation under EU or national laws by which the data controller is bound. 

    f) The personal data was collected in relation to information society services pursuant to Article 8 (1) GDPR. 

    If one of these reasons is correct and you, as the data subject, wish to request the deletion of your personal data stored by STEP-G, you may do so at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. Any data protection officer mentioned in this Privacy Policy or any other STEP-G employee will arrange for the requested deletion to be carried out immediately. 

    Where STEP-G has made personal data public which we are obliged to delete pursuant to Article 17 (1) GDPR, STEP-G will take appropriate measures (including of a technical nature) – taking into account the available technology and the costs of implementation – to notify other data controllers processing the published personal data that you (as the data subject) have requested the deletion of all links to such personal data as well as all copies or reproductions thereof by those other data controllers, unless such processing is mandatory. Any data protection officer or other employee of STEP-G will arrange everything necessary in individual cases. 
     
  • Right to restriction of processing  
    As the data subject, you have the right to require STEP-G to restrict its processing of your personal data if any of the following conditions are met: 

    a) The accuracy of the personal data is contested by the data subject for a period of time that enables the data controller to verify the accuracy of the personal data. 

    b) The processing is unlawful and, as the data subject, you request the restriction of the use of your personal data rather than its deletion. 

    c) STEP-G no longer needs your personal data for processing purposes, however, as the data subject, you need it to assert, exercise or defend your rights. 

    d) As the data subject, you have objected to the processing pursuant to Article 21 (1) GDPR, and it is not yet clear whether STEP-G’s legitimate reasons for processing the data take precedence over your reasons for restricting its processing. 

    If one or more of these conditions exists and you (as the data subject) wish to request the restriction of the personal data stored by STEP-G, you can contact our data protection officer or any other STEP-G employee at any time. Any data protection officer or another employee of STEP-G will then arrange for the data processing to be restricted. 
     
  • Right to data portability
    As the data subject, you have the right to receive the personal data that you provided to STEP-G in a structured, common and machine-readable format. You also have the right to transfer this data to another data controller – without hindrance by the data controller to whom the personal data was submitted – provided that the processing is based on consent pursuant to Article 6 (1) (a) GDPR or Article 9 2 (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means, unless the processing is necessary in the public interest or in the exercise of official authority vested in the data controller. In addition, as the data subject exercising your right to data portability pursuant to Article 20 (1) EU GDPR, you have the right to have your personal data transmitted directly from one data controller to another, to the extent that this is technically feasible and that doing so does not limit the rights and freedoms of other persons. As the data subject, you can exercise this right to data portability at any time by contacting any data protection officer mentioned in this privacy policy or any other STEP-G employee. 
     
  • Right to object  
    As the data subject, you have the right, for reasons based on your particular situation, to object at any time to the processing of your personal data pursuant to Article 6 (1) (e) or (f) GDPR. This also applies to profiling carried out on the basis of these provisions. 

    In case of an objection, STEP-G will cease processing the personal data, unless we can prove that there are compelling legitimate grounds for its processing, which outweigh your interests, rights and freedoms as the data subject, or unless the purpose of the processing is to assert, exercise or defend against legal claims. 

    Where STEP-G processes personal data for the purpose of direct advertising, as the data subject you have the right, at any time, to object to the processing of your personal data for the purpose of such advertising. The same applies in the case of profiling, to the extent that it is associated with such direct advertising. As the data subject, if you object to the processing of your personal data by STEP-G for direct advertising purposes, STEP-G will no longer process your personal data for these purposes. 

    In addition, as the data subject you have the right, for reasons based on your particular situation, to object to the processing of your personal data by STEP-G for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary in the public interest. 

    As the data subject, you can exercise this right to object at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. As the data subject, you are also entitled – in the context of the use of information society services, notwithstanding Directive 2002/58/EC – to exercise your right to object via automated processes based on technical specifications.  
     
  • Automated decisions in individual cases, including profiling 
    As the data subject, you have the right to request that decisions concerning you (including profiling), which may have legal consequences or negatively affect you, are not based solely on automated processing, provided that the decision 

    a) is not required for the conclusion or performance of a contract between you (as the data subject) and STEP-G, or 

    b) is permitted under European Union or Member State legislation to which STEP-G is bound, whereby the legislation contains adequate measures to safeguard your rights, freedoms and legitimate interests as the data subject, or 

    c) is made with your express consent as the data subject. 

    If the decision is necessary for the conclusion or performance of a contract between you (as the data subject) and STEP-G, or if it is made with your explicit consent as the data subject, STEP-G will take appropriate measures to guarantee your rights, freedoms and legitimate interests as the data subject, including at least the right to request that a STEP-G employee intervene on your behalf, and to express your own position, and to contest the decision. 

    As the data subject, you can exercise these rights with respect to automated decisions at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. 
     
  • Right to revoke your consent relating to data privacy 
    As the data subject, you have the right to revoke your consent to the processing of your personal data at any time. 

    You can exercise your right to revoke your consent at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee. 

9. Legal or contractual regulations governing the provision of personal data; its necessity for the purpose of concluding of the contract; obligations of the data subject to provide their personal data; possible consequences of non-provision 

We wish to explicitly point out that the provision of your personal data may be required by law (e.g. due to tax regulations) or may result from contractual arrangements (e.g. details of the contracting party). For the purpose of concluding a contract it may be necessary for you, as the data subject, to provide us with personal data that must subsequently be processed by us. For example, as the data subject, you will be required to provide us with personal data if our company signs a contract with you. Refusal to provide your personal data would mean that we would not be able to conclude the contract with you (as the data subject). Before you submit your personal data to us, we advise you to contact our data protection officer or one of our employees. They will inform you (as the data subject) on a case-by-case basis whether the provision of your personal data is required by law, or contractually required, or required for the conclusion of the contract, or whether you are obliged to provide the personal data, as well as the consequences of refusing to provide it. 

10. Routine deletion and blocking of personal data

STEP-G only processes and stores personal data for the period of time necessary to achieve the purpose of the storage, or if STEP-G is bound by statutory provisions that require such storage. 

If the purpose of the storage is omitted or if a legally prescribed retention period expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions. 

11. Hosting provider

STEP-G hosts the content of this website with Host Europe GmbH, c/o WeWork Wallarkaden, Pilgrimstraße 6, 50674 Cologne, which acts as a data processor for the provision and operation of our IT infrastructure. The data processing by Host Europe serves the purpose of providing and operating our IT infrastructure, as well as providing hosting and data centre services. The data processing takes place in certified high-security data centres operated by Host Europe in Munich.

In its capacity as data processor for STEP-G, Host Europe processes the following data:

  • the type and version of the browser used
  • the operating system (which may be subsequently changed by the user) and the user’s internet service provider
  • the date and time of the server request
  • the previously visited website, but only if it contained a link to our website and the visitor clicked on that link
  • the user’s IP address
  • the volume of data transmitted.

Processing is carried out on the basis of Article 6 (1) (b) GDPR and Article 28 GDPR. STEP-G has entered into the legally required data processing agreement with Host Europe in accordance with Article 28 GDPR. Under the terms of this agreement, Host Europe undertakes to ensure the necessary protection of your data and to process it exclusively on our behalf and in accordance with our instructions, and in compliance with the applicable data protection regulations. For further information about Host Europe, please visit their website: https://www.hosteurope.de.

The data is stored on servers operated by Host Europe, located in Germany. Host Europe processes this data solely for the stated purposes and on our behalf. It is neither used for any other purpose nor shared with unauthorised third parties. The data is also not stored together with any other personal information relating to the user.

Temporary storage of the user’s IP address in the system is necessary in order to deliver the website or its content to the user’s device. For this purpose, the user’s IP address remains stored for the duration of the session. Unless a different retention period is required, the stored log data is automatically deleted after six months.

All information mentioned in (1)–(8) above is stored in log files for the purpose of ensuring the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our IT systems. The data is not used for marketing purposes. The aforementioned purposes also constitute our legitimate interest in data processing in accordance with Article 6 (1) (f) GDPR in conjunction with § 25 (2) of the German Telecommunications-Digital Services Data Protection Act (TDDDG).

For further information on data processing by Host Europe, please refer to their privacy policy: https://www.hosteurope.de/AGB/Datenschutzerklaerung/

12. Cookies

The websites of STEP-G use cookies. Cookies are text files that are downloaded and stored in a computer system via an internet browser. In accordance with Section 25 TDDDG, STEP-G ensures that users consent to the use of cookies before non-essential cookies are set.

Many websites and servers use cookies. Many cookies contain a so-called “cookie ID”. This consists of a character string that serves as the cookie’s unique identifier, making it possible to assign visits to internet pages and servers to the specific internet browser in which the cookie was stored. This allows the visited web pages and servers to distinguish the browser of the respective visitors from other internet browsers (if they contain other cookies). In other words, the unique cookie ID makes it possible to recognise and identify a specific internet browser. 

Cookies enable STEP-G to provide the visitors to its website with services that are more user-friendly than would otherwise be possible. By using cookies, STEP-G is able to optimise its websites for the benefit of the visitors, since the cookies make it possible to identify repeat visitors to the website, which in turn allows us to make the website easier for them to use. For example, when using cookies, visitors are not required to enter their login data each time they visit the website. The login is instead performed automatically by the website via the cookie that was previously stored on the visitor’s computer. In addition, cookies enable online shops to “remember” the items that customers have placed in their virtual shopping carts. 

As the data subject, the user must actively consent to the use of cookies.

Before cookies that are not absolutely necessary are set, a corresponding consent banner is displayed, which can be used to give consent. The user can withdraw this consent at any time.

As the data subject, the user can prevent the use of cookies by the STEP-G website by configuring the corresponding setting in their internet browser. In this way, they can permanently block the use of cookies. In addition, the visitor to the website can delete cookies that have already been stored at any time via their internet browser settings or other software programs. This feature is available in all popular internet browsers. Users (i.e. data subjects) who disable the saving of cookies in their internet browser may no longer be able to make full use of all the features of the STEP-G website. 

The storage period for “permanent cookies” can be up to two years. 

The legal basis for our use of cookies may vary depending on the circumstances. The legal basis on which we process your personal data always depends on the specific individual case. If we ask for your consent and you agree to the use of cookies, this consent provides the legal basis for the processing of your data (Art. 6 (1) (a) GDPR). Should the use of cookies become necessary in order to fulfil our (pre-)contractual obligations towards you, the data processing by STEP-G is based on Art. 6 (1) (b) GDPR. In all other cases, we base the processing of your data by means of cookies on our legitimate interest pursuant to Art. 6 (1) (f) GDPR (e.g. operation of the website and its improvement). 

13. Collection of general data and information

Whenever a data subject or automated system accesses the STEP-G website, general information about the nature of the access is periodically stored in our server’s log files. This information may include the browser type and version, the operating system, as well as the website via which the data subject or automated system accessed our website. Other recorded information may include the subpages accessed on our website, the date and time of access, the visitor’s IP address, the internet service provider of the accessing system and any other security-related data we need in the context of preventing attacks against our IT systems. 

STEP-G does not use this data for the purpose of identifying data subjects. Instead, this data is necessary to ensure that the contents of our website are properly transmitted, as well as to optimise our website, to ensure its functionality, and to provide information required by law enforcement agencies in the event of a cyberattack. We therefore evaluate this data solely for statistical purposes and also to improve data protection and data security within our company. The goal here is to ensure that the personal data we process is safeguarded to the maximum extent possible. The personal data which data subjects submit to us is stored separately from the anonymous data that our server collects via its log files. 

14. Registration on our website

You have the opportunity to register on our website by submitting personal data. For details about which personal data is transmitted to the data controller, please refer to the input screen shown to users during registration. The personal data you provide is collected and stored by STEP-G solely for internal use and for statistical purposes. We may also transfer your personal data to one or more data processors, e.g. postal operators, which also use personal data exclusively for internal order processing. 

If you register on our website, the data saved there is also transmitted by the respective internet service providers (ISP). This includes the IP address as well as the date and time of registration. We store this data as a necessary means to prevent misuse of our services and, if necessary, this information can be used at a later time to investigate previous criminal activity. The storage of the data is therefore necessary to safeguard the data controller’s systems. As a rule, we do not disclose this data to third parties, unless we are legally obliged to do so or the disclosure serves the purpose of law enforcement. 

STEP-G requires users to register – and in so doing to submit personal data – in order to offer them content and services which, due to their nature, can only be offered to registered users. At any time, registered users are entitled to modify the personal data that they submitted during registration, or to have such data removed from STEP-G’s database entirely. 

They also have the right, at any time, to ask STEP-G which personal data has been stored. STEP-G will respond to such requests as soon as possible. To the extent that we are not prevented from doing so due to statutory retention periods, STEP-G will comply with any requests from data subjects for the rectification or deletion of their personal data. In this context, all employees of STEP-G as well as any data protection officers named in this Privacy Policy are available as a point of contact. 

15. Contact via the website

Due to statutory regulations, the websites of STEP-G contains features and information which enable fast electronic contact with our company as well as direct communication with us. This includes our e-mail address. 

When you contact STEP-G via e-mail or our contact form, your personal data is automatically stored. This data, which you voluntarily submit to STEP-G, is stored for the purpose of processing or contacting you (as the data subject).

16. Privacy information regarding the use and application of TYPO3

STEP-G uses the TYPO3 content management system (CMS) provided by the TYPO3 Association, Sihlbruggstrasse 105, 6340 Baar, Switzerland, to manage and publish website content.

When using TYPO3, the following data is processed:

  • Website content data (e.g. text, images, videos)
  • Metadata relating to this content (e.g. publication date, author)
  • User and editorial data (e.g. username, roles and permissions within the editorial system)
  • System usage log data (e.g. login times, content changes)

This data is processed for the following purposes:

  • Centralised management and maintenance of website content
  • Publication and updating of information on the website
  • Quality assurance of published content
  • Optimisation of internal editorial and approval processes

The processing is carried out on the basis of Article 6 (1) (f) GDPR. STEP-G’s legitimate interest lies in the efficient management, publication and quality assurance of website content.

The TYPO3 system features a comprehensive permissions and role-based access model, allowing data access to be restricted accordingly. Access to content and user data can thus be effectively limited based on user roles and authorisations. Data can be modified or deleted in accordance with access rights, ensuring secure and accurate administration of the website.

The data is stored for the duration of website operation and beyond, in accordance with statutory retention periods. Once these periods expire, the data is deleted.

Data stored in TYPO3 is only shared with internal departments and technical service providers commissioned to maintain and host the system.

STEP-G implements technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access.

For more information about TYPO3, please visit the following website: https://typo3.org

17. Privacy with regard to applications and during the application process

In connection with the career portal, STEP-G collects and processes applicants’ personal data for the purpose of processing their applications. Such processing may be carried out by electronic means. In particular, this applies in cases where applicants submit their application documents to STEP-G by e-mail, via a web form on our website, or by other electronic means. 

If an application is successful and the applicant is hired, STEP-G stores the data submitted by the applicant for the purpose of facilitating the employment relationship. This data is stored in accordance with the statutory regulations. 

If an application is unsuccessful, i.e. if no employment contract is concluded, STEP-G automatically deletes the submitted documents two months from the date on which the respective applicants were notified of their unsuccessful application. The data is only kept beyond this time if its deletion conflicts with other justified interests of STEP-G – for example, in the event that STEP-G is required to give evidence in proceedings under the German General Equal Treatment Act (AGG). 

18. Privacy information regarding the use and application of Google Maps

On this website STEP-G uses the product Google Maps service provided by the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google Inc. (hereinafter: “Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA for the purpose of displaying a map and enabling users to calculate and display travel directions to our company’s locations. When you use Google Maps on our website, the following data is processed:

  • IP address
  • Geographical data
  • Browser information
  • Usage data

By connecting your internet browser to Google’s servers, the company can determine which website your request was sent from and to which IP address the directions should be sent. If you do not agree to this processing, you can prevent cookies from being installed by Google by changing the corresponding settings in your browser. You can find out more about this in the “Cookies” section of this Privacy Policy.

The legal basis for the collection and processing of the aforementioned data is Art. 6 (1) (f) GDPR. We have a legitimate interest in optimising the features of our website in order to offer you the best possible service. Google processes your data in the USA, among other places. Google is an active participant in the EU-US Data Privacy Framework, which governs the proper and secure transfer of personal data from EU citizens to the United States. You can find more information about this at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Google also uses Standard Contractual Clauses (SCCs) pursuant to Article 46 (2) and (3) GDPR. These clauses are template agreements provided by the European Commission and are intended to ensure that the use of your data continues to meet European data protection standards even when transferred to and stored in third countries (such as the United States). Through its participation in the EU-US Data Privacy Framework and the use of Standard Contractual Clauses, Google undertakes to comply with the level of data protection required under European law when processing your data, even if the data is stored, processed or managed in the United States. These clauses are based on an implementing decision by the European Commission. You can find the decision and the applicable Standard Contractual Clauses, among other places, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Google Ads Data Processing Terms, which refer to the Standard Contractual Clauses, can be found at: https://business.safety.google/intl/de/adsprocessorterms/

You can read the Google Maps Terms of Use at https://www.google.com/intl/de_de/help/terms_maps.html and https://policies.google.com/terms?gl=DE&hl=de

19. Privacy information regarding the use and application of HubSpot

STEP-G uses the HubSpot marketing automation system from HubSpot Inc. for the purposes of statistics, marketing, content management, web analysis and search engine optimisation. (25 First Street, 2nd Floor, Cambridge, MA 02141, USA). HubSpot operates offices in Ireland (One Dockland Central, Dublin 1, Ireland) and Germany (Am Postbahnhof 17, 10243 Berlin). The software uses cookies (see Sec. 4).

They save the following data:

  • First name
  • Surname
  • E-mail address (primary, membership-related)
  • Telephone number (primary, mobile, fax)
  • Job title
  • Preferred language
  • Password (stored only in hashed and secure form)
  • User IDs (creator and last editor)
  • Residential and billing location (city, country/region, postcode)
  • IP-based location data (geographical position, city-level location, time zone)
  • Company name (for small businesses/self-employed individuals)
  • Industry, number of employees, company departments
  • Timestamps (first interaction, last activity, last update, next scheduled activity)
  • Communication history (last contact, messages, surveys, meetings)
  • Usage behaviour (navigation data, referring URL, visit duration, events, access times)
  • Engagement metrics (contacts, sales activities, audience and service interactions)
  • Device details (browser type, operating system, model, version, device ID, advertising IDs)
  • Network data (IP address, domain, internet provider)
  • Mobile app and download information
  • Payment history (completed/anticipated payments, total amount collected/outstanding)
  • Bank details
  • Deal and sales data (amounts, closing date, associated deals, closing probability)

You can find more information about the data processed via the use of HubSpot in the privacy policy at https://legal.hubspot.com/de/privacy-policy?tid=331733495288 and at https://knowledge.hubspot.com/de/properties/hubspots-default-contact-properties#analytics.

HubSpot is also used to distribute STEP-G’s newsletter. Subscribing to the newsletter is entirely optional and requires a deliberate action by the user. You will not receive the newsletter unless you have actively subscribed to it. STEP-G uses the double opt-in procedure for newsletter sign-up. After registering on the website, the user receives a confirmation e-mail containing a link. The user must click this link to complete the sign-up process – the newsletter will then be sent to the user by e-mail. This procedure guarantees that the subscription is initiated by the user and serves as valid proof of consent.

When you sign up for our newsletter, your e-mail address and, optionally, other personal data will be stored in HubSpot. This data is used exclusively for distribution of the newsletter and to personalise its content where appropriate. Each newsletter contains an unsubscribe link, allowing you to opt out at any time.

The legal basis for the use of the software is the user’s consent in accordance with Art. 6 (1) (a) GDPR. Consent to the use of cookies is obtained via a banner that informs visitors on their first visit – or after cookies have been deleted – that cookies are in use and gives them the option to accept or block their use. If consent is given, the corresponding cookies are stored in the visitor’s browser. If it is declined, no HubSpot cookies are activated. For certain functions – such as the HubSpot chat tool or advertising cookies – the user’s explicit consent is requested separately. If the visitor later changes their decision, they can withdraw their consent via the banner. In this case, any cookies already set will be deleted, and features that rely on cookies – such as the chat history or personalised advertising – may no longer be available. You can find out more about this in the “Cookies” section of this Privacy Policy.

It is possible that HubSpot may pass on or transfer the data collected to another country (e.g. Ireland, the USA or other countries in which HubSpot partners operate), or countries outside the European Union and the European Economic Area which do not have an appropriate data protection level. As HubSpot acts as our data processor, the data is processed on behalf of STEP-G. It should be noted that the GDPR applies not only to companies based in the EU but also to all organisations that process the personal data of EU citizens, regardless of their location. To ensure GDPR compliance, HubSpot provides features such as cookie banners for obtaining consent, tools for recording the legal basis for data processing, and functions for GDPR-compliant data deletion.

HubSpot also processes some of your data in the USA. HubSpot is an active participant in the EU-US Data Privacy Framework, which governs the proper and secure transfer of personal data from EU citizens to the United States. You can find more information about this at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

HubSpot also uses Standard Contractual Clauses (SCCs) pursuant to Article 46 (2) and (3) GDPR. These clauses are template agreements provided by the European Commission and are intended to ensure that the use of your data continues to meet European data protection standards even when transferred to and stored in third countries (such as the United States). Through its participation in the EU-US Data Privacy Framework and the use of Standard Contractual Clauses, HubSpot undertakes to comply with the level of data protection required under European law when processing your data, even if the data is stored, processed or managed in the United States. These clauses are based on an implementing decision by the European Commission. You can find the decision and the applicable Standard Contractual Clauses, among other places, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Data Processing Agreement, which incorporates the Standard Contractual Clauses, is available at: https://legal.hubspot.com/dpa

20. Privacy policy for the use and application of Google Analytics (with anonymisation feature)

STEP-G has integrated the component Google Analytics (with anonymisation feature) into this website. The operating company of the Google Analytics component is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics is a web analytics service. Web analytics is the process of collecting and analysing of data about the behaviour of visitors to websites.

Google Analytics collects data on:

  • The origin of visitors (referrer)
  • The subpages visited and the time spent on them
  • The frequency of visits
  • The technical device used (e.g. IP address, browser and device type)

The purpose of data processing via Google Analytics is:

  • To analyse visitor behaviour on our website
  • To generate reports on website activity
  • To provide additional services related to the way visitors use our website

To protect your privacy, STEP-G uses the “_gat._anonymizeIp” extension for web analysis via Google Analytics. This parameter allows the IP address of the data subject’s internet connection to be shortened and anonymised by Google if the data subject accesses our website from a Member State of the European Union or from another contracting state to the Agreement on the European Economic Area.

Google Analytics stores a cookie in the respective data subjects’ IT system. Each time a page of the STEP-G website that contains a Google Analytics component is accessed, data is automatically transmitted to Google for the purposes of online analysis. This includes personal data such as your IP address, which is used to track the origin of visits and clicks. Information such as the time of access, the referring source and the frequency of visits is also stored via cookies and transferred to Google in the United States.

The use of Google Analytics is subject to your consent, which STEP-G obtains via its cookie pop-up. This consent serves as the legal basis for the processing of personal data in accordance with Article 6 (1) (a) GDPR, including data collected through web analytics tools.

STEP-G uses a consent management tool that gives you the option to accept or reject the use of cookies and tracking technologies when you first visit our website. You can withdraw or adjust your consent at any time via the settings in the consent banner. You can find out more about this in the “Cookies” section of this Privacy Policy.

Google Analytics cookies are generally valid for 30 days and are not used to personally identify users. Once this period expires, the collected data is deleted.

In addition to your consent, STEP-G also has a legitimate interest in analysing visitor behaviour on its website to improve its offering from both a technical and commercial perspective. Google Analytics helps STEP-G detect website errors, identify potential attacks and improve efficiency. The legal basis for this is Article 6 (1) (f) GDPR (legitimate interests). Nevertheless, STEP-G only uses Google Analytics on the basis of your consent.

Google also processes some of your data in the USA. Google is an active participant in the EU-US Data Privacy Framework, which governs the proper and secure transfer of personal data from EU citizens to the United States. You can find more information about this at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Google also uses Standard Contractual Clauses (SCCs) pursuant to Article 46 (2) and (3) GDPR. These clauses are template agreements provided by the European Commission and are intended to ensure that the use of your data continues to meet European data protection standards even when transferred to and stored in third countries (such as the United States). Through its participation in the EU-US Data Privacy Framework and the use of Standard Contractual Clauses, Google undertakes to comply with the level of data protection required under European law when processing your data, even if the data is stored, processed or managed in the United States. These clauses are based on an implementing decision by the European Commission. You can find the decision and the applicable Standard Contractual Clauses, among other places, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Google Ads Data Processing Terms, which refer to the Standard Contractual Clauses, can be found at: https://business.safety.google/intl/de/adsprocessorterms/

As previously mentioned, the data subject can prevent the use of cookies by our website at any time by configuring the relevant settings in their internet browser, and can thus permanently disable the storage of cookies. Configuring an internet browser in this way would also prevent Google from storing a cookie in the data subject’s IT system. In addition, a cookie already stored by Google Analytics can be deleted at any time via the internet browser or other software programs.

Furthermore, the data subject has the option of objecting to – and preventing the collection of – the data generated by Google Analytics regarding their use of this website, as well as the processing of this data by Google. To do so, the data subject must download and install a browser add-on via this link: https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information about visits to the website may be transmitted to Google Analytics. If the data subject installs the browser add-on, Google acknowledges their objection to its use of their web analytics data. If the data subject’s IT system is later deleted, formatted or reinstalled, they must reinstall the browser add-on in order to disable Google Analytics. If the browser add-on is uninstalled or disabled by the data subject or another person within their sphere of control, it remains possible to reinstall or reactivate the browser add-on.

If you would like to learn more about how your data is processed, please refer to Google’s privacy policy at: https://policies.google.com/privacy?hl=de&tid=331733495616

21. Social media networks

STEP-G is represented via company accounts on the social media networks YouTube, Instagram, Facebook, Xing and LinkedIn.

A social network is an online service that allows users to communicate and interact in virtual space. This online social meeting point (online community) can be used to exchange views and experiences and provide personal or business information to other users within the online community. Among other things, Facebook users can create personal profiles, upload photos and network with other users via friend requests. This website provides static hyperlinks to the relevant profiles for that purpose. As a rule, these links do not automatically transmit any personal data to the respective platforms.

Data processing by the relevant platform provider may only occur if a user actively clicks on such a link or interacts with a social media plugin or embedded content (e.g. videos or feeds) on the website. In such cases, information such as your IP address or other technical details may be transmitted to platform provider. Further information about this can be found in the following sections, which explain how each social media platform handles your data.

a. Privacy information regarding the use of Facebook links

The STEP-G website includes a hyperlink that directs users to STEP-G ’s Facebook profile. The social network Facebook is operated by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. For users residing outside the USA and Canada, the controller for the processing of personal data is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

By clicking this link, you will exit the STEP-G website and be redirected to the Facebook platform.

When you click the Facebook link, Facebook processes personal data such as your IP address, browser details, and potentially other information, in accordance with its own privacy policy. This data processing takes place outside the control of STEP-G.

STEP-G does not transmit any personal data to Facebook in order to provide this link. Data is only transferred to Facebook once the link has been actively clicked by the website user.

The link is provided for the sole purpose of giving you access to additional information about STEP-G on Facebook.

Information about your rights in relation to data processing on Facebook, as well as the contact details of Facebook’s data protection officer, can be found in Facebook’s privacy policy mentioned above.

Further details of Facebook’s data processing activities can be found in its privacy policy: https://www.facebook.com/about/privacy.

Since STEP-G merely provides a link to its Instagram profile and does not embed content directly on its website, there is no joint controller relationship with Meta Platforms Ireland Limited within the meaning of Article 26 GDPR.

b. Privacy information regarding the use of Instagram links

The STEP-G website includes a hyperlink that directs users to STEP-G’s Instagram profile. The social network Instagram is operated by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. For users residing outside the USA and Canada, the controller for the processing of personal data is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

By clicking this link, you will exit the STEP-G website and be redirected to the Instagram platform.

Simply clicking the link does not transmit any personal data to Instagram. Your data will only be processed if you actively use the Instagram platform. The applicable privacy policy is that of Meta, which you can view at: https://privacycenter.instagram.com/policy/

Please note that you are solely responsible for your use of Instagram and its features.

Instagram processes personal data such as your IP address, device and browser information, and any content you share or interact with on its platform.

You can manage your privacy settings and exercise your rights regarding data access, rectification, deletion and objection either directly in your Instagram account or via this link: https://privacycenter.instagram.com/policy/

Since STEP-G merely provides a link to its Instagram profile and does not embed content directly on its website, there is no joint controller relationship with Meta Platforms Ireland Limited within the meaning of Article 26 GDPR.

c. Privacy information regarding the use of LinkedIn links

The STEP-G website includes a hyperlink that directs users to STEP-G’s LinkedIn profile. LinkedIn’s operating company is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. Outside the United States, issues relating to the company’s Privacy Policy are handled by LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Please note that by clicking this link, you will exit the STEP-G website and be redirected to the LinkedIn platform. LinkedIn is an independent service, and STEP-G has no influence over how LinkedIn processes your data.

Once you follow the link, LinkedIn may process personal data such as your IP address, browser information, and other details in accordance with its own terms of use and privacy policy.

STEP-G does not transmit any personal data to LinkedIn in order to provide this link. Data is only transferred to LinkedIn once the link has been actively clicked by the website user.

The purpose of the link is solely to provide you with additional information about our company on LinkedIn and to make our social media presence accessible.

You can find out how LinkedIn processes your personal data and exercise your rights as a data subject directly through LinkedIn.

Further details of LinkedIn’s data processing activities can be found in its privacy policy: https://www.linkedin.com/legal/privacy-policy.

LinkedIn’s cookie policy is available at www.linkedin.com/legal/cookie-policy

Since STEP-G merely provides a link to its LinkedIn profile and does not embed content directly on its website, there is no joint controller relationship with LinkedIn within the meaning of Article 26 GDPR.

d.       Privacy information regarding the use of Xing

The STEP-G website includes a hyperlink that directs users to STEP-G’s Xing profile. The operating company of Xing is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.

Please note that by clicking this link, you will exit our website and be redirected to the Xing platform. Xing is an independent service over which STEP-G has no influence with regard to data processing.

Once you follow the link, Xing may process personal data such as your IP address, browser information, and other details in accordance with its own terms of use and privacy policy.

STEP-G does not transmit any personal data to Xing in order to provide this link. Data is only transferred to Xing once the link has been actively clicked by the website user.

The link is provided solely to offer you further information about our company on Xing and to make our social media presence accessible.

You can find out how Xing processes your personal data and exercise your rights as a data subject directly through Xing.

Further details of Xing’s data processing activities can be found in its privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

Xing’s cookie policy is available at https://privacy.xing.com/de/datenschutzerklaerung#cookies

Since STEP-G merely provides a link to its Xing profile and does not embed content directly on its website, there is no joint controller relationship with Xing within the meaning of Article 26 GDPR.