Data protection notice of LUMENION GmbH

General notes

Detailed information on how we handle personal data in certain processing situations is available as a PDF by clicking on the following links:

• For applicants and employees (PDF)

Please read the following information about the processing of personal data when using our website:

1.         Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR), of the data protection regulations applicable in the member states of European Union and of other regulations with provision relating to the protection of personal data is:

LUMENION GmbH
Ella-Barowsky-Str. 11
10829 Berlin
Tel.: +49 30 5557051-0
datenschutz@lumenion.com

2.         Name and address of the data protection officer

The data protection officer, LUMENION GmbH, Ella-Barowsky-Str. 11, 10829 Berlin, datenschutz@lumenion.com

3.         Definitions

The data protection information of LUMENION GmbH (hereinafter “LUMENION”) is based on the defined terms of the General Data Protection Regulation (GDPR). Our data protection notice should be easy to read and understand. To ensure this, we explain the terms used in advance:

3.1       Personal data

Personal data is any information relating to an identified or identifiable natural person (hereafter “data subject”). Defined as identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2       Data subject

Data subject is each identified or identifiable natural person, whose personal data is processed by the controller for the processing.

3.3       Processing

Processing means any operation or set of operations which is carried out in connection with personal data – whether or not by automated means – such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.4       Restricting of the processing

Restricting of the processing is the marking of personal data as stored with the objective of restricting its processing in the future.

3.5       Profiling

Profiling is each type of the automated processing of personal data, which consists of this personal data being used to permit particular personal aspects relating to a particular natural person, and here in particular aspects in respect of work performance, economic situation, health, personal likes, interests, reliability, behavior, place of residence or change of place of residence of this natural person to be evaluated, analyzed or forecast.

3.6       Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, in so far as this additional information is kept in a special way and subjected to technical and organizational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.

3.7       Controller or party responsible for the processing

Controller or party responsible for the processing (hereafter controller) is the natural person or legal entity, authority, institution or other post, which alone or together with others decides on the purposes and means of the processing of personal data. If the purposes and means of the processing are laid down in European Union legislation or the legislation of the member states, then the controller or the particular criteria of the appointment of this controller in accordance with European Union legislation or the legislation of the member states can be provided.

3.8       Processor

Processor is a natural person or legal entity, authority, institution or other post, which processes the personal data on the instructions of the controller.

3.9       Recipient

Recipient is a natural person or legal entity, authority, institution or other post to which personal data are disclosed regardless of whether this is a third party or not. However, authorities, which receive within the framework of a particular investigation order in accordance with European Union legislation or the legislation of the member states data which possibly may be/contain personal data, do not hold good as recipients.

3.10     Third party

Third party is a natural person or legal entity, authority, institution or other post with the exception of the data subject, the controller, the order processor and those persons which are authorized under the direct responsibility of the controller or of the order processor to process the personal data.

3.11     Consent

Consent is each declaration of will given voluntarily by the data subject for the definite case in an informed and unambiguous manner in the form of a declaration or other unambiguous confirmatory action, with which the data subject makes clear that he/she agrees to the processing of personal data relating to himself/herself.

4          General information on data processing; legal basis, purposes of processing, duration of storage, objection and possibility of removal

4.1       General information on the legal basis

Article 6 para. 1 lit. a EU General Data Protection Regulation (EU GDPR) serves as the foundation for the processing of personal data in so far as we obtain the consent of the data subject for the processing of personal data.

Article 6 para. 1 lit. b GDPR serves as the legal foundation for the processing of personal data which is necessary for the fulfilment of a contract if the data subject is party to this contract. This also holds good for processing processes which are necessary for the execution of pre-contractual measures.

Article 6 para. 1 lit. c GDPR serves as the legal foundation in so far as processing of personal data is necessary for the fulfilment of a legal obligation.

Article 6 para. 1 lit. d GDPR serves as the legal foundation for the situation that vital interests of the data subject or another natural person make the processing of personal data necessary.

Article 6 para. 1 lit. f GDPR serves as the legal foundation for the situation that processing is necessary for ensuring a legitimate interest of our company or of a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not exceed the first named interest.

4.2       General information on data deletion and storage duration

The personal data of the data subject are deleted or disabled as soon as the purpose for which the data was stored lapses. In addition, storage can take place if this was stipulated by the European or national legislatures in orders, laws or other regulations in accordance with European Union law to which the controller is subject. Disabling or deletion of the data is also carried out if a storage period prescribed by the standards as named expires unless there is a necessity for the continued storage of the data for the concluding or fulfilling of a contract.

4.3       General information about processing on our website          

Data protection, data security and data secrecy are high priorities for us. The durable protection of your personal data, your company data and your business secrets is especially important to us.

You can always visit our website without providing any personal information. However, if you make use of our company’s services via our website, this makes it necessary to provide your personal data. As a rule, we use the data provided by you and collected by the website and stored during use exclusively for our own purposes, namely for the implementation and provision of our website and the initiation, implementation and processing of the services/offers offered via the website (fulfilment of contract) and do not pass them on to external third parties unless there is an officially ordered obligation to do so. In all other cases, we obtain your separate consent.

Your personal data is processed in accordance with the requirements of the General Data Protection Regulation and in compliance with the country-specific data protection provisions applicable to us. By means of this data protection notice, we would like to inform you about the type, scope and purpose of the personal data processed by us. In addition, we inform you about your rights by means of this data protection notice.

We have implemented technical and organizational measures to ensure an appropriate level of protection for the personal data processed via this website. Nevertheless, internet-based data transmissions can always have security gaps, so that absolute protection cannot be guaranteed. 

5.         Collection of general data and information

The website of LUMENION collects a series of general data and information every time a data subject or automated system calls up the website. This general data and information is stored in the log files of the server. The following data may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of an access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using these general data and information, LUMENION does not draw any conclusions about the data subject. Rather, this information is needed (1) to deliver the contents of our website correctly, (2) to optimize the contents of our website as well as the advertising for these, (3) to ensure the long-term operability of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. Therefore, LUMENION analyzes anonymously collected data and information on one hand for statistical purposes, and on the other hand for the purpose of increasing the data protection and data security of our enterprise, and ultimately to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

Legal basis	Storage purpose	Storage duration	Objection / opportunity for elimination
Art. 6 para. 1 lit. f GDPR(legitimate interest)	The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.	The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.	No because the data is essential for operating of the website

6.         Contact

Our website contains a contact form that can be used for electronic contact. By using this contact form, the data entered in the input mask is transmitted to us and stored. These data are:

• Name*
• Email*
• Your message*

*Mandatory data

The following data is also stored at the time the message is sent:

• The IP address of the user
• Date and time of dispatch

It is also possible to contact us via the e-mail address or telephone number provided on the website. If you contact us via one of these options, your personal data transmitted to us will be automatically stored (e-mail) or collected by us and stored manually.

In this context, the data will not be passed on to third parties. The data is used exclusively for the processing of the conversation or the handling of your request.

Legal basis	Storage purpose	Storage duration	Objection / opportunity for elimination
The legal basis for the processing of data in the case of enquiries via the contact form and/or e-mail and telephone is generally Art. 6 para. 1 lit. b. GDPR (contract fulfilment; pre-contractual measures); Art. 6 para. 1 lit. c. GDPR (fulfilment of a legal obligation, e.g. answering questions about data protection) and otherwise Art. 6 para. 1 lit. f GDPR (legitimate interest).	The processing of personal data from the input mask or e-mail and telephone serves us solely to process the contact. This also constitutes the necessary legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.	The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail or communicated by telephone, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.   The foregoing shall not apply if the correspondence is subject to a retention obligation under commercial law.   The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.	In the case of processing for the exercise of legitimate interests: Right of objection according to section 11.7

7.         Third-party technologies

Google Analytics

We have integrated the Google Analytics component (with anonymization function) on this website. The operating company of the Google Analytics component is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Analytics is a web analysis service. Web analytics is the collection, collation, and analysis of data about the behavior of visitors to websites. The purpose of the Google Analytics component is to analyze the flow of users of our website. Google uses the data and information obtained to, among other things, evaluate the use of our website, to compile online reports for us showing the activities on our website and to provide other services related to the use of our website.

Each time one of the individual pages of this website operated by us and on which a Google Analytics component has been integrated is called up, the internet browser on the information technology system of the data subject is automatically caused by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the data subject, which Google uses, among other things, to track the origin of visitors and clicks and subsequently to enable commission calculations.

The cookie is used to store personal data, such as the access time, the location from which an access originated and the frequency of visits to our website by the data subject. Each time the data subject visits our website, this personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may share this personal data with third parties.

We use the addition “_gat._anonymizeIp” for web analysis via Google Analytics. By means of this addition, the IP address of the internet connection of the person concerned is shortened and anonymized by Google if access to our website is from a member state of the European Union or from another state party to the Agreement on the European Economic Area.

We obtain your consent for the operation of Google Analytics on this website. You can revoke your consent at any time by changing your cookie settings. Please also refer to the information in the cookie consent mechanism and in section 9 of this privacy notice.

Further information and the applicable Google privacy policy can be found at https://www.google.de/intl/de/policies/privacy/ and at http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail under this link https://www.google.com/intl/de_de/analytics/.

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store cookies, and does not carry out any independent analyses. It only manages and runs the tools integrated via it. However, the Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States.

The Google Tag Manager is used on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and administration of various tools on his website. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

hCaptcha

We use “hCaptcha” (hereinafter referred to as “hCaptcha“) on this website. The provider is Intuition Machines, Inc., 2211 Selig Drive, Los Angeles, CA 90026, USA (hereinafter referred to as “IMI”). hCaptcha is being used to determine whether the entry of data into this website (e.g., into a contact form) is being processed by a person or an automated program. For this purpose, hCaptcha analyzes the behavior patterns of website visitors on the basis of several characteristics. This analysis begins automatically as soon as the website visitor enters a website with the activated hCaptcha feature. For the analysis, hCaptcha uses a wide range of information (e.g., the IP address, time spent on the website or mouse actions taken by the user). The data recorded during this analysis is forwarded to IMI. If hCaptcha is used in the “invisible mode,” the analyses are completely conducted in the background. Website visitors are not alerted to the performance of an analysis. The storage and analysis of the data occurs on the basis of Art. 6 (1)(f) GDPR. The website operator has a legitimate interest in protecting the operator’s web presentations against abusive automatic spying and SPAM. In the event that respective consent has been obtained, the data will be processed exclusively on the basis of Art. 6 (1)(a) GDPR and § 25 (1) TTDSG, if the consent comprises the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) as defined in the TTDSG (German Telecommunications Act). Such consent may be revoked at any time. The processing of data is based on Standard Contract Clauses, included in the Data Processing Supplement to the General Terms and Conditions of IMI or in the data processing agreements.

For further information on hCaptcha, please consult the Data Protection Policy and Terms of Use under the following links: https://www.hcaptcha.com/privacy and https://hcaptcha.com/terms.

8.         Cookies

Description and scope of data processing:

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user calls up a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:

• Language settings
• Log-in information

We also use cookies on our website that are not technically necessary and, for example, enable an analysis of the user’s surfing behaviour (“other cookies”).

In the case of analysis cookies, for example, the following data may be transmitted:

• Search terms entered
• Frequency of page views
• Use of website functions

The user data collected in this way is pseudonymized by technical precautions. The data is not stored together with other personal data of the users.

When calling up our website, the user is informed about the use of technically unnecessary cookies and his or her consent to the processing of personal data used in this context is obtained. In this context, a reference to this data protection notice is also made.

In addition, users can find out how to disable cookies in the main browsers by following the links below:

• Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen  
• Chrome Browser: https://support.google.com/accounts/answer/61416?hl=de  
• Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies

Legal basis	Storage purpose	Storage duration	Objection / opportunity for elimination
Art. 6 para. 1 lit. f GDPR (legitimate interests) for technically mandatory cookies For the rest: Art. 6 para. 1 lit. a GDPR (consent)	The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. Other cookies are used to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer.	Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, you as a user also have full control over the use of cookies.	Technically necessary cookies: By changing the settings in your internet browser, you can deactivate or restrict the transmission of technically necessary cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent. The transmission of Flash cookies cannot be prevented via the settings of the browser, but by changing the settings of the Flash Player. Other cookies: Furthermore, you can revoke your consent for the use of other cookies at any time. Please refer to the cookie settings on our website.

Consent with Borlabs Cookie

Our website uses the Borlabs consent technology to obtain your consent to the storage of certain cookies in your browser or for the use of certain technologies and for their data privacy protection compliant documentation. The provider of this technology is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany (hereinafter referred to as Borlabs). Whenever you visit our website, a Borlabs cookie will be stored in your browser, which archives any declarations or revocations of consent you have entered. These data are not shared with the provider of the Borlabs technology. The recorded data shall remain archived until you ask us to eradicate them, delete the Borlabs cookie on your own or the purpose of storing the data no longer exists. This shall be without prejudice to any retention obligations mandated by law. To review the details of Borlabs’ data processing policies, please visit https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/ We use the Borlabs cookie consent technology to obtain the declarations of consent mandated by law for the use of cookies. The legal basis for the use of such cookies is Art. 6(1)(c) GDPR.

9.       Your rights

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

9.1     Right of access

You may request confirmation from the controller as to whether personal data relating to you is being processed by us.

If there is such processing, you can request information from the controller about the following:

• the purposes for which the personal data are processed;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed;
• the planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage duration;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• all available information on the source of the data if the personal data are not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22 para. 1 and para. 4 GDPR and, at least in these cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

9.2     Right of rectification

You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

9.3     Right to restriction of processing

You may request the restriction of the processing of personal data concerning you where one of the following applies:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate grounds of the controller outweigh your grounds.

Where the processing of personal data relating to you has been restricted, those data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

9.4     Right of cancellation

9.4.1  Duty to delete

You may request the controller to erase the personal data concerning you without delay and the controller is obliged to erase this data without delay if one of the following reasons applies:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You withdraw your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

9.4.2  Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 para. 1 GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform controllers which process the personal data that you, as the data subject, have requested that they erase all links to, or copies or replications of, that personal data.

9.4.3  Exceptions

The right to erasure does not exist insofar as the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89 para. 1 GDPR, where the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
• for the assertion, exercise or defense of legal claims.

Furthermore, the right to deletion does not exist if the personal data must be stored by the controller due to statutory retention obligations and periods. In such a case, the personal data will be blocked instead of deleted.

9.5     Right to information

If you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed of these recipients by the controller.

9.6     Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that

• the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
• the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9.7     Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 para. 1 lit. e or lit. f GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

9.8     Right to withdraw from the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time and without giving reasons. In the event of withdrawal, we will immediately delete your personal data and no longer process it.  The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

9.9     Automated decision-making in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or performance of a contract between you and the responsible person,
• is authorized by legislation of the Union or the Member States to which the controller is subject and that legislation contains adequate measures to safeguard your rights and freedoms and your legitimate interests, or
• is done with your express consent.

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit a or lit. g applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in para. 1 and para. 3, the controller shall take reasonable steps to safeguard the rights and freedoms of, and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.

9.10   Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

10.       Changes to this data protection notice

We always keep this data protection notice up to date. Therefore, we reserve the right to change it from time to time and to update any changes in the collection, processing, or use of your personal data. The current version of the data protection notice is always available under “Privacy Policy” within the website.

---

Our social media appearances

This privacy policy applies to the following social media presence

• https://www.facebook.com/lumenionenergy
• https://twitter.com/lumenion_energy
• https://www.linkedin.com/company/lumenion-gmbh
• https://www.youtube.com/@lumenionenergy

Data processing through social networks

We maintain publicly available profiles in social networks. The individual social networks we use can be found below.

Social networks such as Facebook, Twitter etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g., like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, the operators of the social media portals can create user profiles in which their preferences and interests are stored. This way you can see interest-based advertising inside and outside of your social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.

Please also note that we cannot retrace all processing operations on the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policy of the respective social media portals.

Legal basis

Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6 (1) (a) GDPR).

Responsibility and assertion of rights

If you visit one of our social media sites (e.g., Facebook), we, together with the operator of the social media platform, are responsible for the data processing operations triggered during this visit. You can in principle protect your rights (information, correction, deletion, limitation of processing, data portability and complaint) vis-à-vis us as well as vis-à-vis the operator of the respective social media portal (e.g., Facebook).

Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.

Storage time

The data collected directly from us via the social media presence will be deleted from our systems as soon as you ask us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses. Stored cookies remain on your device until you delete them. Mandatory statutory provisions – in particular, retention periods – remain unaffected.

We have no control over the storage duration of your data that are stored by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g., in their privacy policy, see below).

Your rights

You have the right to receive information about the origin, recipient and purpose of your stored personal data at any time and free of charge. You also have the right to object, the right to data portability and the right to file a complaint with the responsible regulatory agency. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

Individual social networks

Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). According to Meta’s statement the collected data will also be transferred to the USA and to other third-party countries.

We have signed an agreement with Meta on shared responsibility for the processing of data (Controller Addendum). This agreement determines which data processing operations we or Meta are responsible for when you visit our Facebook Fanpage. This agreement can be viewed at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can customize your advertising settings independently in your user account. Click on the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Details can be found in the Facebook privacy policy: https://www.facebook.com/about/privacy/.

Twitter

We use the short message service Twitter. The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

You can customize your Twitter privacy settings in your user account. Click on the following link and log in: https://twitter.com/personalization.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

For details, see the Twitter Privacy Policy: https://twitter.com/privacy.

LinkedIn

We have a LinkedIn profile. The provider is the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you want to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal information, please refer to LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in the YouTube privacy policy: https://policies.google.com/privacy?hl=en.

Date: 29.06.2023