Privacy policy

How we handle your data on visiting our website and your rights

_{Data protection information under Art. 13 f. of the EU General Data Protection Regulation}

Thank you for visiting the Grant Thornton Germany¹(“GT” or “we”) webpage. The security and protection of data when using our website are important to us. We would therefore like to let you know what personal data we collect when you visit our website, for what purposes we use them and what data protection rights you have.

_{¹This includes the following controllers: Grant Thornton AG Wirtschaftsprüfungsgesellschaft and Grant Thornton Rechtsanwaltsgesellschaft mbH.}

 

I. Name and contact information of the controller and the data protection officer

The controller within the meaning of the EU General Data Protection Regulation (“GDPR”) and of other national data protection legislation of the Member States (in Germany, the Federal Data Protection Act [Bundesdatenschutzgesetz], “BDSG”) and of other data protection regulations is:

 

Grant Thornton AG
Wirtschaftsprüfungsgesellschaft
Johannstraße 39
40476 Düsseldorf

Tel.: +49 211 9524 0
Email: datenschutz@de.gt.com 

You can find more information on data protection at Grant Thornton AG Wirtschaftsprüfungsgesellschaft and Grant Thornton Rechtsanwaltsgesellschaft mbH at https://www.grantthornton.de/en/gdpr-information/.

Data protection officer contact information 

CONCEPTEC GmbH
Thorsten Werning (certified DPO) 
Bleichstraße 5
45468 Mülheim an der Ruhr

Tel.: (0208) 69609-0
Fax: (0208) 69609-190
Email: datenschutzbeauftragter@de.gt.com

II. General principles and rights of data subjects

This Privacy Policy applies to data processing in the context of visiting our website and how we handle the data of interested parties, customers, applicants, service providers and suppliers. 

You can find the data protection information on use of personal data in job applications at https://www.grantthornton.de/en/gdpr-information/.  

The data protection information and policies of the internet sites of other providers, such as those linked to, apply to those sites.

1. Extent of the processing of personal data

We process your personal data only to the extent described below if this is necessary to provide our service, web and online offerings (“Offerings”), including functional webpages. 

• Use of our website by customers and interested parties
• Taking part in events (incl. online events)
• Downloading publications
• Subscribing to our newsletter
• Contact requests via the website contact form 
• Taking part in studies

2. Legal bases

Where personal data are processed based on consent by the data subject, the legal basis for the processing is Article 6(1)(a) GDPR.

When personal data are processed for the performance of a contract to which the data subject is party, the legal basis is Article 6(1)(b) GDPR; this also applies to processing required to take steps necessary prior to entering into a contract.

If processing is necessary for compliance with a legal obligation to which we are subject, the legal basis is Article 6(1)(c) GDPR.

If the vital interests of the data subject or of another natural person make processing necessary, the legal basis is Article 6(1)(d) GDPR.

If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in GT, processing personal data is based on Article 6(1)(e) GDPR. 

If processing is necessary for the purposes of our legitimate interests or those of a third party and such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR is the legal basis for the processing.

3. Potential recipients of personal data 

To provide our Offerings and to provide our services generally we use IT service providers, IT developers, external consultants, cloud and archive service providers, who may work on providing our services on our behalf and in accordance with our instructions (“Processors”). These service providers may receive personal data in providing services or come into contact with personal data and are deemed third parties or recipients as defined by the GDPR.

Where this is the case, we ensure that our service providers take sufficient security measures, that appropriate technical and organisational measures are in place so that they meet the relevant data protection provisions and ensure the protection of the rights of data subjects (cf. Art. 28 GDPR). 

In addition, we process your personal data within different departments at GT which are involved in carrying out the business processes in question; as far as permissible we also process personal data outside conducting business for advertising purposes. We may also be required by law to make the data we have collected available to public bodies (e.g., tax authorities, state criminal investigation offices, social security authorities). We process personal data together with cooperation partners, sponsors and business conference participants as far as legally permissible. 

4. Processing of personal data in third countries

Your personal data is processed as a rule within the European Union (“EU”) or the European Economic Area (“EEA”). Information may only be transmitted to third countries in exceptional cases (e.g. disclosing personal data within the GT network). Third countries are countries outside the EU/EEA in which it cannot be automatically assumed that there is an adequate level of data protection in accordance with European requirements. 

Where transferred information also includes personal data that is transferred without being pseudonymised or anonymised, we ensure before the transfer that an adequate level of data protection is guaranteed in the third country in question or with the recipient in the third country. This may result from a European Commission “adequacy decision”, be ensured by using the “EU standard contractual clauses” or by concluding an intercompany agreement with strict rules within the GT network.

5. Data erasure and storage duration

Personal data of data subjects will be erased when the data are no longer necessary for the purposes of processing or where there is no longer any legal basis for storage. Data may be stored, instead of being erased, subject to a restriction of processing, if this is provided for by European or national legislation in EU regulations, laws, or other regulations, particularly:

• to comply with statutory retention duties (e.g. section 147 of the German Fiscal Code [Abgabenordnung – AO] or section 257 of the German Commercial Code [Handelsgesetzbuch – HGB], currently 6 to 10 years), and/or:
• if legitimate interests in storage exist (e.g. while the statute of limitation is still running for the purposes of legal defence (section 195 f. of the German Civil Code [Bürgerliches Gesetzbuch – BGB], currently between 3 and 30 years). 

The data will be erased when the storage period prescribed by the legal provisions referred to above ends at the latest, unless it is necessary for us to continue to store them and a legal basis exists for this. 

6. Categories of data

We differentiate personal data into the following main categories:

a)     Master data

Master data are data on your company and/or your person that you make available to us. These particularly include company, first name, last name, email address, and telephone number.  

b)     Event and marketing data

These are data we obtain from you from events (incl. online events), trade fairs and studies, etc. They particularly include contact data, meta and log files, IP addresses and sessions IDs.

c)      Meta and log files

Meta and log files include IP addresses, session IDs, browser type, operating system information and time of request.

7. Rights of data subjects

The GDPR conveys certain rights to data subjects whose data are processed (“rights of the data subject”). If you would like to exercise one or more of these rights listed below, you can contact us at any time. As a data subject, you have the following rights in particular:

a)     Right of access under Art. 15 GDPR

You can obtain from the controller information as to whether and for what purposes personal data concerning you was or is being processed.

b)     Right to rectification under Art. 16 GDPR

You have a right with respect to the controller to rectification and/or to have incomplete personal data completed if the processed personal data concerning you is incorrect or incomplete.

c)      Right to erasure under Art. 17 GDPR

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay unless one of the exceptions set out in the GDPR applies or other statutory document retention periods require the controller to keep the data in question. 

d)     Right to restriction of processing under Art. 18 GDPR

You may obtain from the controller restriction of processing of personal data concerning you under the conditions laid down by the GDPR.

e)     Right to data portability under Art. 20 GDPR

You have the right to receive the personal data concerning you which you have provided to the controller and which is based on consent or on a contract with you in a structured, commonly used and machine-readable format. Furthermore, based on the conditions laid down by the GDPR, you have the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided. In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.

f)       Right to object under Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on points (e) or (f) of Art. 6(1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

g)     Right to withdrawal of consent under Art. 7(3) GDPR

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. 

You can withdraw your consent at any time at datenschutz@de.gt.com.

h)     Right to lodge a complaint under Art. 77 GDPR

In the case of alleged or committed infringements of data protection regulations, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.

The data protection supervision authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Bettina Gayk
Kavalleriestr. 2-4
40213 Düsseldorf
Telephone: 0211 38424-0
Fax: 0211 38424-999
Email: poststelle@ldi.nrw.de

You can also submit your complaint to all other supervisory authorities. You can find the contact information of other data protection supervisory authorities in Germany by following this link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

8.  No obligation to provide personal data

We do not make the conclusion of contracts or the fulfilment of our Offerings contingent on your providing personal data beforehand. As a customer, interested party, website visitor or other party, you are under no statutory or contractual obligation to provide us with any personal data; however, if you do not provide us with the necessary data, we may not be able to provide certain Offerings or only provide them to a limited extent.   

As part of our business relationship, you only need provide us with those personal data that are necessary to establish, execute and terminate the business relationship or which we are legally obliged to collect. This includes data on responsible parties, beneficial owners, contractual partners and related entities/persons under the German Money Laundering Act [Geldwäschegesetz – GwG] and to ensure network-wide independence. If you do not provide the necessary information and documentation, we will not be able to accept the business relationship you desire.

9. Use of artificial intelligence

We only use artificial intelligence (“AI”) as part of lawful data processing for the purposes of optimising internal processes, and improving customer satisfaction and business interests. The use of AI and the collection and use of personal data in the use of AI applications is subject to data protection requirements and AI principles, particularly under the GDPR and the AI Directive.

As far as possible, personal data are processed in an anonymised state. 

10. Hosting

The contents of our website are hosted by Optimizely Inc., 119 Fifth Avenue, 7th Floor, New York, NY 10003, USA (“Optimizely”). When you visit our website, Optimizely collects various logfiles, including your IP address. Optimizely saves cookies or other recognition technology that are necessary to show the page, provide certain website functions and safeguard security (necessary cookies). You can find further information in the Optimizely Privacy Notice: https://www.optimizely.com/legal/privacy-notice/

Use of Optimizely is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the presentation of our website being as reliable as possible. If consent is requested, processing takes place solely based on Art. 6(1)(a) GDPR and section 25(1) of the TDDDG if consent includes the saving of cookies or access to information on the user’s device (e.g. device finger printing) within the meaning of the TDDDG. Consent can be withdrawn at any time.

The transfer of data to the USA is based on the EU Commission standard contractual clauses. You can find details here: 
https://www.optimizely.com/de/trust-center/data-processing-agreement/.

III. Data collection through use of our website for information

1. Description and extent of data processing

Every time our website is accessed, our systems automatically collect data and information from the computer system of the accessing computer. The following log files are processed in particular:

• Browser type and browser version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Date and time of the server request
• IP addresses for backend log

Information on the processing of other meta and log files by using Matomo, YouTube, Google Maps or social media, etc. is provided starting from Section VII. 

These data are not combined with other data sources.

2. Purpose and legal basis of data processing

It is necessary for the systems to temporarily store the IP address and other log files as required every time our website is accessed in order to provide the website to your computer. They are required to give an address to the traffic between the user and our services or are necessary in order to use our services. The legal basis for this data processing – i.e. for the duration of your website visit – is Art. 6(1)(b) or (f) GDPR.

Any processing and storing of the IP address and log files for purposes other than the communication process serves to ensure the functionality of our Offerings, to optimise these Offerings and to ensure the security of our information technology systems. The legal basis for storing the IP address for purposes other than the communication process is Art. 6(1)(f) GDPR.

3. Storage duration

Data are stored for as long as they are needed to fulfil the above processing purposes. In the case of date collection for provision of the website, this is the case when the relevant session, i.e. the website visit, has ended. Any further storage of log files including the IP address for the purposes of system security and optimising our Offerings will be for a maximum period of seven days from the end of access by the user.

4. Option to object

The recording of log files, including storage within the limits described above, is absolutely necessary for the operation of the website and the individual functions stored on it. Users of the website therefore have no right to object. This does not apply to processing log data for purposes of analysis. The option to object is governed here by Section II.7.f) of this Privacy Policy, depending on the web analytic tools used and type of data analysis (personal/anonymous/pseudonymous).

IV. Email contact and contact form

1. Description and scope of data processing

To contact us, you can use the email addresses provided on our website or our contact forms. If you make use of these options, personal data will be processed and store with us to reply to your inquiry. In this context, we process first name, last name, business and email address in particular. We do not disclose these data to third parties without your consent.

2. Purpose and legal basis of the data processing

The legal basis for processing data transferred as part of an inquiry using the contact form on the website is Article 6(1)(a) of the GDPR. You can withdraw the consent you have given us at any time at datenschutz@de.gt.com. If you contact us directly by email, Art. 6(1)(b) and/or Art. 6(1)(f) GDPR is the legal basis for the data processing.

3. Storage duration

The data will generally be erased as soon as they are no longer required for the purpose for which they were collected. 

Where data are no longer necessary to comply with contractual or statutory obligations, including document retention duties under commercial and tax law, or to pursue legitimate interests, i.e. to preserve evidence related to the statute of limitations, they will be erased.

V. Registration, downloading studies, signing for events (including online)

1. Description and extent of data processing

To be able to make use of selected Offerings on our website (e.g. download studies or white papers or sign up for events (incl. online events) user/participant registration is sometimes necessary. Here we process the following data:

• Title, first name and last name
• Position
• Business, address or post box
• Email address
• Photos and videos for in-person events

2. Purpose and legal basis of data processing

Your data is processed when registering as a user to download studies or white papers and register to sign up for events (incl. online events) based on our legitimate interest under Art. 6(1)(f) GDPR. Our legitimate interest is in generating new business contacts for the purpose of initiating contracts and in organising and reporting on events (incl. online events). Without providing the above data, participants in events (incl. online events) cannot take part in events (incl. online events). 

3. Storage duration 

If you register on our website for a service requiring sign up, your personal data will be stored in our customer relationship management system (CRM). We will store your personal data until you object or we update our master data in the CRM. 

4. Potential recipients

To organise and carry out events (incl. online events) we collaborate with cooperation partners. The data collected in the context of an event (incl. an online event) are shared with involved cooperation partners.

The data are not shared with cooperation partners when studies or white papers are downloaded.

VI. Data processing for the purpose of sending newsletters, advertising and marketing materials and public relations

In addition to the purely informational use of our website, personal data may be processed for advertising and/or marketing purposes (e.g. newsletters), to conduct customer satisfaction surveys and for the purposes of media and public relations.

1. Newsletters

On our website you can subscribe to various newsletters. Subscribing to our newsletters is voluntary and free of charge. If you subscribe to the newsletters we provide, the “newsletter data” we will process will include the following:

• Title, first name and last name
• Business, address or post box
• Email address
• Date and time of sign-up and confirmation

To be able to check whether you are the owner of the email address given or whether the owner agrees to receiving the newsletter, we will send an automated email to the email address provided after the first step of registration (double opt-in). We will only add the email address to our mailing list after the newsletter subscription has been confirmed via a link in the confirmation email. We do not collect any data other than the email address and the information to confirm subscription. 

If you do not confirm your subscription within 24 hours, your information will be automatically deleted after 24 hours.

Your data is processed for the purpose of sending the newsletter you have requested. The legal basis for this processing is Art. 6(1)(a) GDPR or section 7 of the Act against Unfair Competition [Gesetz gegen unlauteren Wettbewerb – UWG] (see below). 

Your data will be erased as soon as they are no longer required for the purpose for which they were collected, no new justified purpose and legal basis has come about and no retention periods prevent erasure. Your email address and other “newsletter data” will therefore be stored for as long as the subscription to the newsletter is active. Your consent and ordering of the newsletter and withdrawal of consent or unsubscribing are stored according to the statutory storage periods for evidence purposes. Other than this, we only store personal data for the assertion of or defence against legal claims or as long as there are legal obligations to store them.

You can withdraw your consent to receiving the newsletter at any time and unsubscribe from the newsletter. You can withdraw consent by clicking on the link provided in every newsletter email or by sending an email to datenschutz@de.gt.com.

2. Advertising, marketing and customer surveys 

Your personal data is only used for the purposes of advertising and/or marketing and for conducting customer satisfaction surveys if you have given your consent to this or if another legal basis exists that permits advertising and/or marketing without consent being given. To the extent legally permissible, we reserve the right to contact customers for advertising purposes on the basis of publicly accessible data and/or third-party address data obtained from publicly accessible sources (e.g. data from directory media, the internet, company websites, public registers or similar).

The following data are processed as part of data transfer for advertising and marketing/customer surveys:

• Title, first name and last name
• Business, address or post box
• Email address, telephone number
• Position

The following legal basis applies to the transfer of data for advertising and marketing activities and customer surveys:

a)     The legal basis for advertising and/or marketing activities and conducting customer satisfaction surveys on the basis of express consent is Art. 6(1)(a) GDPR; the statements on consent in Section II.7.g) apply accordingly.

b)     The legal basis for the use of personal data for the purpose of direct advertising by post is Art. 6(1)(f) GDPR (legitimate interest); the legitimate interest here is to approach potential customers for the purpose of directly advertising our services.

c)      The legal basis for advertising and/or marketing measures by telephone call is section 7(2) No. 2 of the Act against Unfair Competition [UWG]; this requires express consent in the case of consumers and at least presumed consent in the case of other market participants; for the requirement of express consent, see above and Section II.7.g).

d)     The legal basis for advertising and/or marketing by email for the purpose of directly advertising our own similar services is section 7(3) of the Act against Unfair Competition [UWG], provided that: 

(i) we have received your email address from you in connection with providing a service 

(ii) you have not objected to the use of your email address for the purpose of direct marketing and 

(iii) we clearly inform you when we collect your email address and each time we use it that you can object to such use of your email address at any time (for the right to object, see Section II.7.f).

Personal data are stored and used for the purpose of advertising depending on the legal basis for the advertising or marketing (consent or legitimate interest). If you have objected to the use of your data for the purpose of advertising or have withdrawn your consent to this, your data will be erased unless storage periods prevent erasure.

You can withdraw your consent to the processing of personal data at any time with effect for the future without giving any reason. Withdrawal may be made by phone, in writing or by email (e.g. to datenschutz@de.gt.com).

You can object to processing on the basis of legitimate interests at any time; a right to object exists in particular in the case of profiling under Art. 21 GDPR. 

If a withdrawal and/or objection is made, the personal data will no longer be processed for the purposes concerned; this does not in any case apply to the processing of data that are still required for the purposes of the performance of a contract (Art. 6(1)(b) GDPR), including statutory retention obligations and/or if the data are still required within the scope of legitimate interests (Art. 6(1)(f) GDPR) (e.g. in the case of an objection to advertising, the processing of data on a blacklist to prevent future advertising attempts). 

We will gladly provide you with further information about our handling of data for marketing and/or the sources of our data on request; please contact our data protection officer, whose contact details can be found in Section I. 

3. Media and public relations

Concerning the media and public relations, we collect and process master data, contract performance data or third-party data of journalists and/or media representatives for the purposes of media and public relations. This may particularly include providing press releases, processing enquiries from the media, addresses by media representatives and invitations to media events. The legal basis for such data processing is Art. 6(1)(b) GDPR (performance of a contract/steps prior to entering into a contract) to the extent that it serves to perform a relevant agreement and/or as part of a specific enquiry. Data are otherwise processed for legitimate interests under Art. 6(1)(f) GDPR; the legitimate interest here is the organising of media and public relations to benefit GT.

The data are otherwise processed based on consent corresponding to the purpose. This consent may also be withdrawn by the data subject for the future at any time without stating a reason. The data subject is otherwise entitled to the rights arising from Section II.7.

VII. Social media

We have also integrated the buttons for various social media into our website. These buttons provide you with various functions by which you can share information in the respective third-party portals with your contacts there. Their subject and scope are determined by the operators of the social networks. 

Please note that we are not providers of social networks and that we have no control over the data processing of the respective providers. Furthermore, we have no knowledge of the content of the data transferred or of use of them by the respective provider. You can find more information about how your data are handled in the privacy policies of the social media providers: 

1. Instagram

We have set up a link to the social network Instagram on our website. Instagram is operated by Meta Platforms Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. If you activate/click on the Instagram button (icon), a direct connection is established between your browser and the Meta server. Meta thereby receives the information that you have visited our website using your IP address. If you are logged into Instragram, Instagram may assign the visit to your Instagram account. For the purposes and scope of data collection and further processing and use of the data by Instagram as well as your rights and settings options to protect your privacy, please see the Instagram privacy policy. 

You can find more information in the Meta privacy policy at: https://help.instagram.com/519522125107875.

2. YouTube

YouTube services are integrated into our website. This function is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If you activate and use the button, a direct connection will be established with the YouTube servers. By activating the button, YouTube will receive the information that you have accessed that page of our website. If you are logged into YouTube, YouTube may assign the visit to your YouTube account. For the purposes and scope of the data collection and further processing and use of the data by YouTube and your rights and settings options to protect your privacy, please see the YouTube privacy policy. 

You can find more information in the YouTube privacy policy at: https://policies.google.com/privacy?hl=en&gl=de.

3. LinkedIn

The social network LinkedIn is integrated into our website. This function is provided by LinkedIn Ireland Limited, 77 Sir John Rogerson’s Quay, Dublin 2, Ireland. Data are also transferred to LinkedIn. Please note that, as the provider of the website, we have no knowledge of the contents of the data transferred and how they are used by LinkedIn. If you are logged into LinkedIn, LinkedIn may assign your visit to your LinkedIn account. For the purposes and scope of the data collection and further processing and use of the data by LinkedIn and your rights and settings options to protect your privacy, please see the LinkedIn privacy policy. 

You can find more information in the LinkedIn privacy policy at:

https://www.linkedin.com/legal/privacy-policy?.

4. Xing

The function of the Xing service is integrated into our website, which is operated by XING AG, Gänsemarkt 43, 20354 Hamburg. If you activate and use the button, your browser will establish a direct connection with the Xing servers. The content of the button will be transferred directly from Xing to your browser and integrated by it into the website. By activating the button, Xing will receive the information that you have accessed the corresponding page of our website. If you are logged into Xing, Xing may assign the visit to your Xing account. For the purposes and scope of the data collection and further processing and use of the data by Xing and your rights and settings options to protect your privacy, please see the Xing privacy policy. 

You can find more information in the Xing privacy policy at:

https://privacy.xing.com/en.

VIII. Integration of YouTube, Google Maps and Spotify

We have integrated the video platform YouTube, the Google Maps map display service and the Spotify music service into our website to display videos, additional information, podcasts and an interactive map function. We technically cover consent to the processing of your personal data for YouTube, Google Maps and Spotify using our cookies query. If you reject our cookies, you may still use the services of YouTube, Google Maps and Spotify but without processing your data. You can find more information on our cookies in Section IX. and in our cookie settings. 

Integration of YouTube videos

1. Description and extent of data processing

We have incorporated YouTube videos into our website, which are stored at http://www.YouTube.com and can be played directly from our website. They are all included in the “expanded data protection mode”, i.e. no data about you as a user are transferred to YouTube if you do not play the videos. Data are only transferred when you play the videos, over which we have no control. By visiting the website, YouTube receives the information that you have accessed that page of our website. Data are transferred regardless of whether YouTube provides a user account on which you are logged in or whether there is no user account. If you are logged in to Google, your data will be directly assigned to your account. If you do not wish them to be assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as user profiles and uses them for the purposes of advertising, market research and/or need-based presentation of its website. This type of evaluation is carried out particularly (even in the case of users who are not logged in) to provide need-based advertising and to inform other users of the social network of your activities on our website. You have a right to object to the compilation of these user profiles, for which you must contact YouTube, however.

2. Purpose and legal basis of data processing

These data are processed on the basis of Art. 6(1)(a) of the GDPR. We request your consent by using cookies. If you reject our cookies, your will still be able to use YouTube, but without your data being processed.

3. Storage duration

You can find more information on the purpose, scope and storage duration of the collection of data and processing of them by YouTube in its privacy policy. In it you can also find more information on your rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=de.

Integration of Google Maps

1. Description and extent of data processing

We use the service of Google Maps. This allows us to show you interactive maps directly on our website and allows you to use the map functions conveniently. By visiting our website, Google receives the information that you have accessed that page of our website. 

Your data are transferred regardless of whether Google provides a user account on which you are logged in or whether there is no user account. If you are logged in to Google, your data will be directly assigned to your account. If you do not wish Google to assign them to your profile, you must log out before activating the button. Google stores your data as user profiles and uses them for the purposes of advertising, market research and/or need-based presentation of its website. This type of evaluation is carried out particularly (even in the case of users who are not logged in) to provide need-based advertising and to inform other users of the social network of your activities on our website. You have a right to object against the compilation of these user profiles, for which you must contact Google, however.

2. Purpose and legal basis of data processing

These data are processed on the basis of Art. 6(1)(a) of the GDPR. We request your consent by using cookies. If you reject cookies, the map depiction services of Google Maps will still be available to you. In this case, no data are processed.

3. Storage duration

You can find more information on the purpose, scope and storage duration of the collection of data and processing of them by Google in its privacy policy. In it you can also find more information on your rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=de.

Integration of Spotify

1. Description and extent of data processing

We have incorporated podcasts into our website which are stored at Spotify and can be played directly from our website. They are all included in the “expanded data protection mode”, i.e. no data about you as a user are transferred to Spotify if you do not play the podcasts. Data are only transferred when you play the podcast, over which we have no control. By visiting the website, Spotify receives the information that you have accessed that page of our website. Data are transferred regardless of whether Spotify provides a user account on which you are logged in or whether there is no user account. If you are logged in to Spotify, your data will be directly assigned to your account. If you do not wish Spotify to assign them to your profile, you must log out before activating the button. Spotify stores your data as user profiles and uses them for the purposes of advertising, market research and/or need-based presentation of its website. This type of evaluation is carried out particularly (even in the case of users who are not logged in) to provide need-based advertising and to inform other users of the social network of your activities on our website. You have a right to object against the compilation of these user profiles, for which you must contact Spotify, however.

2. Purpose and legal basis of data processing

These data are processed on the basis of Art. 6(1)(a) GDPR. We request your consent by using cookies. If you reject cookies, the music service Spotify will still be available to you. In this case, no data are processed.

3. Storage duration

You can find more information on the purpose, scope and storage duration of the collection of data and processing of them by Spotify in its privacy policy. In it you can also find more information on your rights and settings options to protect your privacy: https://www.spotify.com/de-en/legal/privacy-policy/. 

IX. Cookies

1. Description and extent of data processing

We use cookies on our website. Cookies are small text files which your internet browser sets and stores on your computer by which certain information is collected by the party that set them. They serve to optimise our website and services. 

Most of them are “session cookies” which are deleted at the end of your visit. Sometimes, however, such cookies give information to automatically recognise a revisiting user. This recognition is based on the IP address stored in the cookies; however, they are not able to directly identify a user. 

We also use web analytics tools (“performance cookies”) to analyse the online platform. By using cookies, we can process online platform use data and in this way obtain knowledge about the use of our online platform (e.g. number of views, number of users). 

Advertising cookies or targeting cookies serve to offer website users need-based advertising on the website or services from third parties and to measure the effectiveness of these services. Sharing cookies serve to improve the interactivity of our website with other services (e.g. social networks).

All use of cookies that is not technically necessary constitutes data processing that is only permitted with your explicit and active consent in accordance with Art. 6(1)(a) GDPR. This particularly applies to the use of advertising, targeting or sharing cookies. Furthermore, we only disclose your personal data that has been processed by cookies to third parties if you have given your explicit consent to this under Art. 6(1)(a) GDPR.

You can prevent cookies from being set by selecting the appropriate setting in your browser; however, please note that in this case you may not be able to use all functions of our website to their full extent.

Our website uses only transient (e.g. session cookies), persistent and third party cookies. For all else, please see our cookie settings.

2. Storage duration

Transient cookies are automatically deleted when you close your browser. This particularly includes session cookies. These store asession ID, with which your browser’s various requests can be assigned to the same session. In this way, your computer can be recognised again when you return to our website. The Session cookies are deleted when you log out or close the browser. 

However, persistent cookies will be deleted after a prescribed duration which may differ depending on the cookie. You can delete cookies at any time in your browser’s security settings.

You can find an overview and additional information on the cookies we use, together with information on the provider, purpose of data processing, technology used, data collected, legal basis, location of processing, duration of storage, data recipients, data protection officer and disclosure to third countries, in our cookie settings. 

X. Third-party analytics tool

We employ the analysis tool Matomo by InnoCraft Limited, a cookie-less variation with an anonymisation function. Cookies are not placed, meaning there are no permanent identifiers and no disclosure of data to third parties, so that the website operator retains full control over the data. Matomo stores tracking data locally on the operator’s server in compliance with data protection regulations, such as anonymisation of IP addresses and daily refreshing the config_id. The config_id is generated based on parameters such as operating system, browser type, anonymised IP address and browser language. It is stored in the database and serves to recognise visitors for a maximum of 24 hours. The config_id is regenerated every day, which ensures that long-term tracking is not possible. All the data collected on user interactions, such as page access, length of visit and other interactions, are stored together with the config_id in the database. These data are anonymised and are used to analysis website performance and visitor flows.

The use of the analysis tool is for the purpose of improving the quality of our website and its contents. With analysis cookies we find out how the website is used and so are able to constantly optimise our services. The legal basis for processing personal data using analysis tools is that of legitimate interest under Art. 6(1)(f) GDPR.

XI. Further information

We value the trust you place in us. We therefore intend to be available to you at all times to answer your questions about the processing of your personal data. If you have any questions that this Privacy Policy has not been able to answer or if you would like in-depth information on any point, please contact us at any time at the following email address: datenschutz@de.gt.com.

We reserve the right to amend this Privacy Policy from time to time upon further development of data protection legislation or technological or organisational changes and will notify you of all major changes that will have an effect on the use of your personal data. This data protection information is updated as of February 2025.

 

Data protection information of our service providers

I. CRIF GmbH

_{Information about CRIF GmbH under Art. 14 of the EU General Data Protection Regulation}

In providing this data protection information, we are informing you under the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, about the processing of your personal data by our service providers and the rights you are entitled to. This information is updated and made available to you as required.

Service provider: CRIF GmbH

As part of contractual relationships, Grant Thornton transfers collected personal data concerning the application for and performance of a business relationship as well as data on non-contractual behaviour to CRIF GmbH, Leopoldstraße 244, 80807 Munich.

The legal basis for this transfer is Art. 6(1)(b) and (f) GDPR. The data exchange with CRIF GmbH is to fulfil legal duties to conduct creditworthiness checks (sections 505a and 506 of the German Civil Code [Bürgerliches Gesetzbuch – BGB]).

CRIF GmbH processes the received data and also uses them for the purpose of creating profiles (scoring) to give contractual partners in the European Economic Area and Switzerland as well as potentially in other third countries information, including on the assessment of the creditworthiness of natural persons. 

The personal data are transferred to third countries in accordance with Art. 44 f. GDPR. 

For more information on the work of CRIF GmbH, please see their online information sheet at www.crif.de/datenschutz.

We value the trust you place in us. We therefore intend to be available to you at all times to answer your questions about the processing of your personal data. If you have any questions that this Privacy Policy has not been able to answer or if you would like in-depth information on any point, please contact us at any time at the following email address: datenschutz@de.gt.com.

We reserve the right to amend this Privacy Policy from time to time upon further development of data protection legislation or technological or organisational changes and will notify you of all major changes that will have an effect on the use of your personal data. This data protection information is updated as of February 2025.