This Privacy Statement sets forth the nature, scope and purpose of our processing of your data (hereinafter referred to as “Personal Data”) in connection with our website and all websites, functions, content and external online portals related to our website such as our social media profile (each, a “Property”). For definitions of the terms used in this Privacy Statement such as “processing” or “responsible party,” see the definitions in Article 4 of the EU Data Protection Directive.
Hellwig Wertpapierhandelsbank GmbH
60313 Frankfurt am Main
CEOs: Annick Kleine and Arne Hellwig
Data Protection Supervisor:
Types of data that fall within the scope of this Privacy Statement
- Names, addresses and other basic information of this nature
- Contact information such as email addresses and phone numbers
- Data related to Web content such as texts, photos and videos
- Usage data such as websites visited, interest shown in specific content, access dates and times
- Metadata and communication data such as device related information and IP addresses
Purpose of data processing
- Making a Property and the functions thereof available
- Responding to user queries and communicating with users
- Security measures
- Scope measurement; marketing
Terms used in this Privacy Statement
“Personal Data” means all information relating to an identified or identifiable natural person (hereinafter referred to as the “Person Concerned” or “Persons Concerned”). An identifiable person is defined as a natural person who can be directly or indirectly identified by being linked with an identifier (such as a name), a code number, or site related data, cookies or other online identifiers; or who can be identified by means of one or more distinctive attributes that express the physical, physiological, genetic, psychological, economic cultural or social identity of such natural person.
“Processing” refers to (a) any procedure that is carried out, with or without the aid of an automated process; or (b) any series of procedures in connection with Personal Data. The scope of this term is extensive in that it encompasses virtually any instance of processing data.
“Responsible party” means any natural person, legal person, government authority, any organization or any other entity that makes official determinations alone or on concert with other parties concerning the scope and purpose of processing Personal Data.
Pursuant to Article 13 EU Data Protection Directive, in this document we clarify the legal grounds that form the basis for the processing of Personal Data. Insofar as such legal grounds are not mentioned in this Privacy Statement, the following applies: The legal grounds for obtaining authorization are constituted by Article 6(1)(a) and Article 7 EU Data Protection Directive. The legal grounds for processing data for the purpose of providing our services, performing contracts and responding to queries are constituted by Article 6(1)(b) EU Data Protection Directive. The legal grounds for processing data for the purposes of meeting our legal obligations are constituted by Article 6(1)(c) EU Data Protection Directive. The legal grounds for processing Personal Data for the purpose of protecting our legitimate interests are constituted by Article 6(1)(f) EU Data Protection Directive. Insofar as the vital interests of a Person Concerned or another natural person necessitate the processing of Personal Data, Article 6(1)(d) EU Data Protection Directive is deemed to constitute the legal grounds.
We recommend that you acquaint yourself, on a regular basis, with the content of our Privacy Statement. We update our Privacy Statement insofar as any changes in our data processing procedures and/or policies necessitates such updating. We will inform you in the event any change we make in our Privacy Statement necessitates (a) any consent or other action measure on your part; or (b) any individual notification.
Cooperative arrangements with outside contractors
Insofar as, in connection with our processing of Personal Data, we disclose any Personal Data to any outside contractor or other third party, or if we relay or otherwise afford access to such data to such parties, such disclosure shall be subject to official authorization – for example in cases where relaying data to a third party such as a payment-services provider is required by Article 6(1)(b) EU Data Protection Directive, for purposes of performing a contract; or insofar as you have granted permission for such disclosure, such disclosure is necessitated by a legal obligation, or is effected to protect our legitimate interests (e.g. in connection with the use of outside contractors, web hosting services and so on).
The legal grounds for hiring an outside contractor under a so-called order fulfillment agreement is constituted by Article 28 EU Data Protection Directive.
Relaying data to third countries
Insofar as we process data in a third country (i.e. in a country outside the EU or EEC), or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to a third party, such processing shall only be effected for the purpose of meeting our contractual obligations, based on your content, a legal obligation, or our legitimate interests. Subject to legal or contractual authorization, we will process data in third countries or cause data to be handled in third countries only insofar as the special conditions pursuant to Article 44 et. seq. EU Data Protection Directive are met. In other words, such data processing shall be based on (a) special guarantees such as officially recognized determination of the relevant EU data protection level (e.g. via a privacy shield in the US); or (b) adherence to boilerplate clauses (i.e. officially recognized specific contractual obligations).
Rights of Persons Concerned
You are entitled to (a) require us to inform you whether your Personal Data is being, will be, or has been processes; and (b) request information concerning such data, as well as further information and copies of such data pursuant to Article 15 EU Data Protection Directive.
Under Article 16 EU Data Protection Directive, you are entitled to require that your Personal Data be completed or that any inaccuracy in your Personal Data be rectified.
You are entitled to require (a) that any of your Personal Data be deleted without delay, pursuant to Article 17 EU Data Protection Directive; or (b) that restrictions be imposed on the processing of your Personal Data, pursuant to Article 18 EU Data Protection Directive.
You are entitled to require that any Personal Data that you have made available to us is (a) duly received pursuant to Article 20 EU Data Protection Directive; and (b) transmitted to any other responsible party.
In addition, pursuant to Article 77 EU Data Protection Directive, you have the right to file a complaint with the competent regulatory authority.
Right to withdraw permission for the processing of your data
Pursuant to Article 7(3) EU Data Protection Directive, you have the right to withdraw permission to process your data in the future.
Right to bar processing of your data
Pursuant to Article 21 EU Data Protection Directive, you have the right to bar any processing of your Personal Data – particularly when it comes to processing of your data for direct-advertising purposes.
Cookies are small text files that are saved on a user’s computer and in which various types of information can be stored. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) while accessing a Property or thereafter. Temporary cookies, session cookies and transient cookies are cookies that expire when you exit a Property and close your browser. Such cookies can be used to store, for example, a user’s login status or the contents of their shopping basket at an online store. Persistent cookies are cookies that are saved after you close your web browser. They can be used for purposes such as saving your login status, in cases where you search for it after a number of days have elapsed. Such cookies can also be used to save elements concerning interest you may have shown in a product or service, for purposes of scope-measurement marketing and the like. Third-party cookies are cookies that are used by providers other than the operator of the Property in question. If such cookies are only the cookies of the original provider, they are referred to as first-party cookies.
We use both temporary and persistent cookies and provide information on such use in this Privacy Statement.
If you do not wish cookies to be stored on your computer, you will need to deactivate the relevant option in the system settings of your web browser. To delete cookies stored on your computer, use the system settings of your browser. Disallowing cookies on your computer may limit the functionality of this Property.
To impose a blanket ban on the generation/storage of cookies for online marketing in connection with your internet use, particularly when it comes to services such as tracking, go to http://www.aboutads.info/choices/ or http://www.youronlinechoices.com/. You can also prevent cookies from being stored on your computer by deactivating them in your browser settings. Please bear in mind, however, that if you do this you may be unable to use some of the functions of this Property.
Personal data that we process is deleted, or its processing is restricted, pursuant to Articles 17 and 18 EU Data Protection Directive. Insofar as not expressly indicated in this Privacy Statement, any of your Personal Data that we store in our system will be deleted when it is no longer needed for its intended purpose, and provided that such deletion does not violate any archiving regulations. Insofar as such Personal Data is not deleted because it is needed for other lawful purposes, the scope of its processing will be limited. In other words, such data will be blocked and will not be processed for any other purpose. This applies, for example, to data that, by law, must be archived for commercial or tax law reasons.
Such archiving is required under German law as follows: for six years pursuant to Article 257(1) Commercial Code (HGB) (business related documents of various kinds including annual financial statements and the like); for ten years pursuant to Article 147(1) German Tax Code (AO) (commercial correspondence and other business documents, including tax related documents).
Such archiving is required under Austrian law as follows: for seven years pursuant to Article 132(1) Commercial Code (BAO) (business related documents of various kinds including annual financial statements and the like); for 22 years for real estate-related documents; for 10 years for documents relating to electronically provided services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States for which the Mini-One-Stop-Shop (MOSS) is used.
We use hosting services in order to provide the following services: infrastructure and platform services, computing capacity, storage space, database services, security services and technical maintenance services that we deploy for purposes of operating this Property.
To this end we or our hosting provider process the inventory data, contact data, content data, contract data, usage data, metadata and communication data of our customers, of interested parties and of visitors to this Property – in accordance with our legitimate interests in efficient and secure provisioning of the content of this Property, as prescribed by the relevant laws stipulating that a contract must be concluded for the provisioning of such services.
Collecting access and logfile data
In accordance with our legitimate interests as prescribed by law, we collect data concerning each access to the server that this service is hosted on; this data is known as server logfiles. Access data comprises the following: names of web pages/websites accessed; date and time of access; amount of data transferred; confirmation of successful access; browser type and build; user’s operating system; referrer URL (from previously accessed pages/sites); IP address; the requesting provider.
For reasons of security (e.g. for investigations of misuse or fraud), logfile data is archived for a maximum of seven days and is then deleted. Data that needs to be archived for longer periods for evidentiary purposes is not deleted until the relevant case has been closed.
We process our customers’ Personal Data in connection with provisioning of our contractual services, which comprise the following: concept and strategy consulting; software and design development/consulting and maintenance; implementing ad campaigns and the related processes and handling; server administration; data analysis and related consulting services; training services.
In connection with these activities, we process the following types of data: basic information such as the names and addresses of our customers; contact data such as email addresses and phone numbers; texts, photos videos and other content data; contract related information such as the duration and subject matter of contracts; payment related data such as bank details; usage data and metadata, for purposes such as evaluating the success of ad campaigns and other marketing measures. As a rule we do not process special categories of Personal Data, except in cases where such processing is mandated by a data processing contract. The Persons Concerned in such cases include our customers, interested parties and their customers; as well as users, website visitors, employees, and third parties. Such processing is carried out for the purpose of providing contractual services, for billing, and for providing customer services. The legal grounds for such processing are constituted by Article 6(1)(b) EU Data Protection Directive (contractual services) and Article 6(1)(f) EU Data Protection Directive (analyses, statistics, optimization, security measures). We process data that we need in order to duly perform our contractual services, and point out the need to disclose such data. We only relay such data to third parties when doing so is mandated by a purchase order. When processing the data provided to us in connection with a purchase order, we act in accordance with the instructions of the customer and the statutory requirements for order fulfillment pursuant to Article 28 EU Data Protection Directive; we process such data solely for the purposes mandated by the purchase order in question.
We delete all Personal Data upon expiration of its statutory archiving period and the expiration the period relating to any related duties. The necessity of archiving data is reviewed at three year intervals. Data that is archived in accordance with statutory archiving requirements is deleted upon the statutory expiration date of the relevant archiving periods (6 J, § 257 (1) HGB, 10 J, § 147 (1) AO). We delete data that is provided to us in connection with customer purchase orders, in accordance with the terms and conditions of each order, and in any case once the order has been fulfilled.
Administrative activities; accounting; office management activities; contact data management
We process data in connection with administrative tasks and for purposes of organizing our operations, as well as for accounting purposes and for purposes of compliance with archiving and other regulations. Such processing involves processing the exact same data that we process in connection with the provisioning of our contractual services. The legal basis for such data processing is constituted by Articles 6(1)(c) and 6(1)(f) EU Data Protection Directive. The Parties Concerned in connection with such processing are customers, interested parties, business associates and website visitors. We undertake such data processing in connection with, and for the furtherance of, the following types of operations: administration; office management and data archiving. In other words, these are activities that keep our organization running smoothly and that enable us to provide our customers with services. The data that we delete that is related to contractual services and communication constitutes the information provided in connection with the aforementioned activities.
To this end, we disclose or relay data to third parties such as tax consultants, auditors and payment-services providers.
In order to further our own commercial interests, we also archive data concerning suppliers, event organizers and other business associates for purposes of contacting them in the future, and so on. As a rule, we archive such predominantly company related data permanently.
Business analyses and market research
In order for us to remain a going concern and to keep track of market tendencies and customer/user preferences, we analyze the data in our possession concerning business processes, contracts, queries and the like. In so doing, we process basic data (names, address etc.) communication data, contractual data, payment data, usage data and metadata (pursuant to Article 6(1)(f) EU Data Protection Directive). The Persons Concerned in such cases are customers, interested parties, business associates, and visitors to and users of our Property.
We analyze such data for the following purposes: commercial assessments; marketing; market research. In carrying out such analyses, we have occasion to take into account the profiles of registered users in respect of matters such as their purchasing processes. Such analyses enable us to optimize the user friendliness, content and economic viability of our website. We use these analyses solely for our own purposes and do not disclose their results to third parties, except in the guise of anonymous analyses containing summarized figures.
Insofar as such analyses or profiles are related to a specific individual, they are deleted or rendered anonymous upon termination of the relevant customer’s relationship with us; or lacking that, they are deleted or rendered anonymous two years following conclusion of the relevant contract. In addition, general economic and trend analyses are generated in an anonymous fashion, insofar as possible.
Data privacy in connection with job applications
We process job application data solely for purposes of and in connection with the relevant job application procedure, and as prescribed by law. Such data processing enables us to meet our job application procedure-related contractual obligations as prescribed by law, insofar as we need to carry out such processing in connection with statutory processes.
In order for job application procedures to be carried out by us, job applicants must submit their application materials to us. Insofar as we provide an online job application form, the required applicant data is labeled. If not, it arises from the relevant job descriptions and includes Personal Data, postal and contact addresses and application materials such as cover letters, CVs and certifications. Job applicants are of course also free to provide us with additional information, if they wish to.
In submitting a job application to us, the applicant grants us their permission to process their data for purposes of the job application procedure, and in the manner stipulated in this Privacy Statement.
Insofar as job applicants voluntarily provide us with specific classes of data as part of the job application process (pursuant to Article 9(1) EU Data Protection Directive), such data is also processed pursuant to Article 2(b) EU Data Protection Directive, and includes data such as information concerning severe disabilities and ethnic origin. Insofar as specific classes of data are requested of applicants as part of the job application process (pursuant to Article 9(1) EU Data Protection Directive), such data is also processed pursuant to Article 9(2)(a) EU Data Protection Directive, and includes data such as health information, insofar as such information is relevant for exercise of the relevant profession.
If we provide an online job application form, job applicants have the option to submit their application via such form, on our website. Such data is transmitted to us via state of the art encryption.
Job applicants also have the option to email their applications to us. Please note, however, that emails are not encrypted as a matter of course, and if an applicant wants their job application materials to be encrypted, they will need to take care of this themselves. Hence we cannot be held responsible for the transfer path of application materials between the sender and our server – and therefore recommend that job applicants use our online form or send us their application in the mail. In other words, instead of submitting their application materials via our online form or via email, job applicants also have the option to submit them to us by mail.
Data submitted by successful job applicants may be processed in connection with the resulting employment relationship. Data submitted by unsuccessful job applicants is deleted. Data from applicants who exercise their right to withdraw their application is also deleted.
Deletion is effected (subject to prior warranted recall of such data by the applicant) after six months have elapsed, so as to enable us to (a) respond to any queries that may arise concerning a given application; and (b) provide any evidence, as required by law, concerning equal treatment. Statements of account concerning any travel cost reimbursements are archived as prescribed by law.
Individuals who submit a job application to us have the option to be included in a talent pool for a two year period, provided that such individuals grant permission for such inclusion as prescribed by law.
Application materials included in the talent pool are processed solely in connection with future job postings and recruitment processes and are deleted upon expiration of the aforesaid two year period. Job applicants are informed of the following: being included in the talent pool is strictly voluntary; such inclusion will have no impact on any ongoing job application process; applicants have the right to cancel or object to their inclusion in the talent pool, pursuant to Article 21 EU Data Protection Directive.
If a user decides to contact us (e.g. by phone, via our contact form, via email, or via social media), their data is processed for purposes of handling and processing their query, pursuant to Article 6 (1b) EU Data Protection Directive. User information may also be stored in a customer relationship management system (CRM system) or equivalent.
We delete all queries as soon as such archiving is no longer necessary. We review the necessity of such archiving at two year intervals, subject to statutory archiving requirements.
We maintain a presence in social media, so as to enable us to communicate with customers, interested parties and users who also use such media and keep them informed about our services. When you access third-party networks and platforms, the terms and conditions and the data processing guidelines of their operators apply.
Insofar as not otherwise indicated in this Privacy Statement, we process the data of users who interact with us via social media – for example by posting articles on our website or sending us messages.
User of third party services and content
One of the rights that we exercise in connection with our Property is the right to further our legitimate interests (i.e. our legitimate interest in analyzing and optimizing our Property and operating it in an economically viable fashion) by using third party content and/or services such as videos or fonts, for the purpose of integrating such elements (hereinafter referred to as “Content”) into our website.
Such use in every case presupposes that the third party providers of such Content know the IP addresses of the relevant users, given that, without such addresses, such providers would not be able to transmit such content to users’ browsers. Thus IP addresses are needed in order to display such content. We make every effort to use only the Content of providers who use IP addresses solely for Content delivery purposes. Third party providers also have the option to use what are known as pixel tags (invisible graphics, also known as web beacons) for statistical and/or marketing purposes. Such tags enable us to evaluate data such as user traffic on our website. Cookies also enable the storage of pseudonym information on user devices, as well as (without limitation) technical information concerning browsers and operating systems, referring websites, visit times, and other information concerning the use of our Property. Such information can also be linked to information from other sources.
We incorporate YouTube videos into our website, which are supplied by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
We incorporate a bot detection function, e.g. for entries in online forms – a service known as ReCaptcha, which is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
We incorporate Google Maps into our website. They are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data that we process also includes user IP addresses and location data that in some cases may be collected without the permission of the users in question and which is normally effected via the settings in users’ mobile devices. Such data may be processed in the US. Privacy statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Our Property may incorporate Twitter functions and content, which are provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. This may include, for example, Content such as images, videos, texts and buttons with which users can express their appreciation of the content and/or subscribe to the authors of the content or our proprietary content. Users of our website who are also Twitter users have the option to assign accessing of the aforementioned Content and functions to the users' profiles there. The fact that Twitter is certified under the Privacy Shield Agreement enables it to guarantee that it adheres to EU data privacy regulations (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy statement: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.
Our Property may incorporate Xing functions and Content, which are provided by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. This may include, for example, Content such as images, videos, texts and buttons with which users can post positive feedback about the Content and/or subscribe to the authors of the Content or our proprietary Content. Users of our website who are also Xing users have the option to assign accessing of the aforementioned Content and functions to the users' profiles there. Xing Privacy Statement: https://www.xing.com/app/share?op=data_protection..
Our Property may incorporate LinkedIn functions and Content, which are provided by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland. This may include, for example, Content such as images, videos, texts and buttons with which users can post positive feedback about the Content and/or subscribe to the authors of the Content or our proprietary Content. Users of our website who are also LinkedIn users have the option to assign accessing of the aforementioned content and functions to the users' profiles there. LinkedIn Privacy Statement: https://www.linkedin.com/legal/privacy-policy.. The fact that LinkedIn is certified under the Privacy Shield Agreement enables it to guarantee that it adheres to EU data privacy regulations (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Privacy statement: https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out