The purpose of this Privacy Statement is to explain to you the nature, scope and purpose of the processing of personal data (hereinafter referred to in short as “Data”) within our online offer and the related websites, functions and content as well as our external online presence, such as our social media profiles (hereinafter jointly referred to as our “Online offering”). With regard to the terms used, such as “processing” or “party responsible”, we refer to the definitions contained in Art. 4 of the General Data Protection Regulation (GDPR). We also hereby inform you in the following of the external components that we use for optimisation purposes and for increasing quality of use (as long as it makes the processing of third-party data the responsibility of the respective third parties once again).
The party responsible under data protection legislation (in particular the EU's General Data Protection Regulation, GDPR) is:
MetaDesign GmbH
Leibnizstraße 65
10629 Berlin
E-mail address: mail.ber@metadesign.de
Managing Director: Leyser, Daniel
Contact Data Protection Officer: yusuf.tuncay-eberl@publicisresources.com
You can exercise the following rights at any time using the contact details provided for our Data Protection Officers:
- Information regarding data about you stored with us and its processing (Art. 15 of the GDPR),
- Correction of incorrect personal data (Art. 16 of the GDPR),
- Deletion of data about you that is stored with us (Art. 17 of the GDPR),
- Restriction of data processing (provided that we are not entitled to delete your data on the basis of legal obligations) (Art. 18 of the GDPR),
- Objection to us processing your data (Art. 21 of the GDPR) and
- Transferability of data if you have consented to the processing of your data or have entered into a contract with us (Art. 20 of the GDPR).
If you have given us consent, you can revoke it at any time, with future effect. You can refer a complaint to a regulatory authority at any time, such as to the competent supervisory authority of the Federal State of your place of residence or to our relevant responsible office with competent authority status.
A list of regulatory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Type of data to be processed
- Inventory data (e.g. names, addresses)
- Contact data (e.g. e-mail, telephone numbers)
- Content data (e.g. text entries, photographs, videos)
- Usage data (e.g. websites visited, interest in contents, times of access)
- Meta-/communications data (e.g. device information, IP addresses)
Categories of persons affected
Visitors to and users of our online offering (we hereinafter also refer to persons concerned collectively as “Users”).
Purpose of processing
Provision of the online offering, and its functions and contents
Answering contact requests and communication with users
Security measures
Reach measurement/marketing
Relevant legal bases
In the following Privacy Policy, we inform you of the legal bases for our data processing means, i.e. the legal bases of the General Data Protection Regulation, which allow us to process personal data, referring to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016.
We only process your data if at least one of the following conditions applies:
- Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose.
- Contract (Article 6(1)(b) GDPR): In order to fulfill a contract or pre-contractual obligations with you, we process your data. For example, if you send us an application.
- Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to cancel part of your application in case of rejection.
- Legitimate interests (Article 6(1)(f) GDPR): In case of legitimate interests that do not restrict your fundamental rights, in consideration of mutual interests, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website securely and economically.
Security measures
We take appropriate technical and organisational measures under Art. 32 of the GDPR – taking into consideration technological status, implementation costs, and the type and scope and conditions and purposes for the processing of personal data, as well as varying risk probability and severity with regard to natural persons’ rights and liberties – in order to guarantee a level of protection appropriate to the risk.
These measures include the following in particular: securing confidentiality, integrity and availability of data by monitoring physical access to it, including the access conditions with respect to the latter and its input, disclosure, protection of availability and separation. We have also established procedures that guarantee observance of the rights of persons concerned, the deletion of data and response to compromised data. We also take into account the protection of personal data during the development/selection of hardware or software and individual procedures, in accordance with the principle of data protection through technology design and privacy-friendly default settings (Art. 25 of the GDPR).
Cookie Consent Management Platform (general)
We use a Consent Management Platform (CMP) software on our website, which helps us and you to handle used scripts and cookies correctly and safely. The software automatically creates a cookie popup, scans and controls all scripts and cookies, provides cookie consent for you as required by data protection laws, and helps us and you keep track of all cookies.
Within our cookie management tool, you can manage each cookie yourself and have complete control over the storage and processing of your data. The declaration of your consent is stored so that we do not have to query you each time you visit our website again and so that we can also prove your consent if required by law.
You have the right and the possibility to revoke your consent to the use of cookies at any time. This works either via our cookie management tool or via other opt-out functions in the respective section of this privacy policy or the browser you use.
OneTrust (CMP)
We use OneTrust, a privacy management tool, on our website. The service provider is the Italian company iubenda s.r.l., Via San Raffaele, 1- 20121 Milan, Italy.
To learn more about the data processed through the use of OneTrust, please see the Privacy Policy at https://www.onetrust.com/privacy/.
Right of revocation
You can revoke future processing of data applicable to you, at any time, pursuant to Art. 21 of the GDPR. Such a revocation can be initiated in particular to prevent processing of data for direct marketing purposes.
Cookies and right of revocation with direct marketing
“Cookies” are small files stored on users’ computers. Different kinds of information can be stored within cookies. The primary purpose of a cookie is to save information on a user (or on the device on which the cookie is saved) during or after their visit as part of an online offering. Cookies that are deleted after a user has left an online offering and closed their browser are labelled as temporary cookies, “session cookies” or “transient cookies”. Aspects that can be saved in such a cookie include the content of a shopping cart in an online shop or a login status. Cookies are known as “permanent” or “persistent” if they remain saved after the browser has been closed. With this, login status, for example, can be saved if the users visit again after several days. The interests of users can also be saved in such a cookie, for use for range measurement or marketing purposes. Cookies offered by providers other than the party responsible (i.e. that has provided the online offering), are known as “third-party cookies” (otherwise, if it’s only their own cookies, these are known as “first-party cookies”).
We can use temporary and permanent cookies – we clarify them in the context of our Privacy Statement.
If you, as the user, do not want cookies to be stored on your computer, you will be asked to deactivate the appropriate option in the system settings of your browser. Saved cookies can be deleted in the system settings of your browser. Exclusion of cookies can lead to functional restrictions with the online offering.
A general objection to the use of cookies used for online marketing purposes can be clarified by a variety of services (especially in the case of tracking) recognised with the American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, cookies can be saved in the browser settings by deactivating them. Please note that, if you decide to do this, not all functions included in the online offering can be used.
Collaboration with processors and third parties
If we disclose data to other persons and companies (processors or third parties) as part of our data processing, forward it to them or otherwise grant them access to data, this may be done only on the basis of a statutory permit (e.g. if it is necessary to transfer data to third parties, or to lettershops (as per Art. 6 (1) (b) of the GDPR) for the purpose of contractual fulfilment), you have consented, there is a legal obligation mandating it or if it is relevant to our legitimate interests (e.g. when using agents, web hosters, etc.).
If we commission third parties to process data on the basis of a so-called “order processing agreement”, this shall be performed on the basis of Art. 28 of the GDPR.
Transmission to third party countries
We only transfer or process data to countries outside the EU/EEA (third countries) if you consent to this processing, if this is required by law or contractually necessary and in any case only to the extent that this is generally permitted. The processing of personal data in third countries such as the USA, where many service providers have their server locations, may mean that personal data is processed and stored there.
We therefore expressly point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. Data processing by US services (such as Google) may mean that, where applicable, data is not processed and stored anonymously. Furthermore, US government authorities may be able to access individual data. In addition, it may happen that collected data is linked to data from other services of the same provider, if you have a corresponding user account.
Deletion of data
The data processed by us shall be deleted, or have its processing restricted, in accordance with Art. 17 and 18 of the GDPR. Unless explicitly stated in this Privacy Statement, data saved with us shall be deleted as soon as it is no longer required for its intended purpose and such deletion does not conflict with any statutory retention requirements. If such data is not deleted – because it is required for other, legally permitted, purposes – its processing shall be restricted. That is to say, the data shall be disabled and not processed for other purposes. This applies, for example, for data which needs to be retained for commercial or tax law reasons.
Business-related processing
We also process
- Contract data (e.g. object of contract, duration period, customer category)
- Payment data (e.g., bank details, payment history) of our clients, prospective clients and business partners for the purpose of providing contractual services, customer care and service, marketing, advertising and market research.
Agency services
We process our clients’ data as part of our contractual services – this includes conceptual and strategic advice, campaign planning, software and design development/advice or care, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.
As part of this, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. object of contract, duration period), payment data (e.g. bank details, payment history), usage and metadata (e.g. as part of evaluation and performance measurement of marketing measures). There are certain categories of personal data which we will absolutely not process unless the components in question are of commissioned processing. Persons concerned include our clients and prospective customers, as well as their clients, users, website visitors or colleagues, as well as third parties. The purpose of the processing is the provision of contractual services, accounting, and our customer service. The legal bases for processing are covered in Art. 6 (1) (b) of the GDPR (contractual services), Art. 6 (1) (f) of the GDPR (analysis, statistics, optimisation, safety measures). We process data necessary for the justification and fulfilment of contractual services, with reference to the of processing it. It may be disclosed to external parties only if this is necessary as part of an order. During processing of the data transferred to us as part of an order, we will act in a manner consistent with the instructions of the client as well as with the legal requirements recognised with order processing as per Art. 28 of the GDPR, and we will not process such data for any purposes other than those specified in the order.
We will delete the data upon the expiry of the statutory warranty obligations and comparable obligations.
Business analysis and market research
For the purpose of operating our business economically (including recognition of market trends and the requests of contract partners and users), we will analyse the data that we have which covers business transactions, contracts, queries etc. We will, as part of this, process inventory data, communication data, contract data, payment data, usage data and metadata in accordance with Art. 6 (1) (f) of the GDPR – the persons concerned include contract partners, prospective clients, clients, visitors and users of our online offering.
Analyses are carried out for the purpose of business analysis, marketing and market research. We may, as part of it, consider the profiles of registered users, including information regarding the services that they use for example. We make use of these analyses in order to increase user-friendliness, and optimise our offering and operating profitability. These analyses are for our benefit only; they are not to be disclosed externally.
If such analyses or profiles are personal in nature, they shall be deleted or anonymised upon termination of use, or otherwise removed no later than two years after the conclusion of the contract. Furthermore, overall business analyses and general trend determination shall always be drafted anonymously whenever possible.
Contact
When we are contacted (e.g. via contact form, e-mail, telephone or social media), the information of the user in question shall be processed as part of the processing of the contact request and its conclusion in accordance with Art. 6 (1) (b) (as part of contractual/pre-contractual relationships) or Art. 6 (1) (f) of the GDPR (in connection with our own legitimate interests). User information can be saved in a customer relationship management system (“CRM system”) or a comparable queries system.
Your data will be deleted as soon as your request has been finally answered and such deletion is not precluded by any statutory retention obligations e.g. with any subsequent contract.
Hosting and e-mail dispatching
The hosting services that we use serve the purpose of provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatching, security services and technical maintenance services that we employ as part of the operation of this online offering.
As part of this, we/our hosting provider process inventory data, contact data, content data, contract data, usage data, and metadata and communication data of clients and prospective clients and visitors to this online offering, on the basis of our legitimate interests pertinent to providing this online offering in an efficient and secure manner as per Art. 6 (1) (f) of the GDPR in conjunction with Art. 28 of the GDPR.
Collection of access data
We/our hosting provider collect data on each access to the server which hosts this service, on the basis of our legitimate interests as per Art. 6 (1) (f) of the GDPR (so-called server log files). Said access data includes: name of the requested website, file, date and time of the request, volume of transferred data, notification of successful request, browser type and version, the user’s operating system, the referrer URL (the site visited previously), the IP address and the requesting provider.
Log file information shall be saved for a maximum period of 7 days, for security reasons (e.g. in the interests of investigation of abuse or fraud), after which it shall be deleted. Data which needs to be retained for longer for evidence purposes shall be exempt from such deletion up until the time of the final clarification of the incident in question.
Google AdWords and Conversion Measurement
We use the Google AdWords online marketing process to place ads on the Google Advertising Network (e.g., in search results, videos, websites, etc.) so that they are displayed to users who have a suspected interest in the ads. This allows us to display ads within our online offering in a more targeted manner in order to present users only with ads that potentially match their interests.
We also receive an individual "conversion cookie". The information obtained with the help of the cookie is used by Google to compile conversion statistics for us. However, we only know the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive any personally identifiable information.
User information is processed pseudonymously within the Google Advertising Network. This means, for example, that Google does not store and process the user's name or e-mail address, but processes the relevant data cookie-related within pseudonymous user profiles. This means that, from Google's point of view, the ads are not administered and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google's servers in the United States.
The use of Google AdWords requires your consent, which we have obtained with our cookie pop-up. According to Art. 6 (1)(a) GDPR (Consent), this consent constitutes the legal basis for the processing of personal data as may occur during the collection by web analytics tools.
In addition to consent, we have a legitimate interest in analyzing the behavior of website visitors in order to improve our services technically and economically. With the help of Google Site Kit, we can detect website errors, identify attacks, and improve profitability. The legal basis for this is Art. 6 (1)(f) GDPR (Legitimate Interests). Nevertheless, we only use Google Site Kit if you have given your consent.
You can also prevent or restrict the installation of cookies by making the appropriate settings in your Internet browser. At the same time, you can delete cookies that have already been saved at any time. However, the steps and measures required for this depend on the Internet browser you are using. If you have any questions, please use the help function or documentation of your Internet browser or contact its manufacturer or support.
The Google Ads Data Processing Terms, which reference the standard contractual clauses, can be found at https://business.safety.google/intl/de/adsprocessorterms/
To learn more about Google's data processing, we recommend that you read Google's comprehensive privacy policy at https://policies.google.com/privacy?hl=de.
Matomo (On-Premise)
We use the privacy-friendly analysis program Matomo On-Premise on our website. With the on-premise variant, Matomo is installed on our own server. This means that we act as the operator of the software and any data that we might collect from you is stored directly by us. The data processing thus remains entirely in our hands. The service provider is the New Zealand company InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand.
If you want to know more about the data processing by Matomo On-Premise, you can also contact us. In addition, we recommend reading Matomo's privacy policy at https://matomo.org/privacy-policy/.
Online presence on social media
We maintain an online presence in the form of social networks and platforms so that we can communicate with the clients, prospective clients and users active there and provide them with information about our services. During access to the respective networks and platforms, the business terms and conditions and the data processing guidelines of their respective operators shall apply.
Unless otherwise specified in our Privacy Statement, we will process users’ data for as long as they communicate with us on social networks and platforms, e.g. by writing posts on our online presence profiles or by sending us messages.
JW player videos
Plug-ins of the video portal JWPlayer, LongTail Ad Solutions, Inc. d/b/a JW Player, 2 Park Avenue, 10th Floor, New York, NY 10016, USA, are embedded on our websites. Each time you retrieve a page that offers one or more JWPlayer video clips, a direct connection is established between your browser and our local server. Information about your visit and your IP address will be stored there.
Use of Facebook social plug-ins
So-called social plug-ins of the company Meta Platforms Inc. are installed on our website. You can recognize these buttons by the classic Facebook logo, such as the "Like" button (the hand with raised thumb) or by a clear "Facebook Plug-in" label. A social plug-in is a small part of Facebook that is integrated into our site. Each plug-in has its own function. The most commonly used functions are the well-known "Like" and "Share" buttons.
The following social plug-ins are offered by Facebook:
- "Save" button
- "Like" button, share, send and quote.
- Page plug-in
- Comments plug-in
- Messenger plug-in
- Embedded posts and video player
- Groups plug-in
At https://developers.facebook.com/docs/plugins you will find more detailed information on the use of the individual plug-ins. We use the social plug-ins to offer you a better user experience on our site, and also because Facebook can optimize our advertisements.
If you have a Facebook account or have visited https://www.facebook.com/ before, Facebook has already set at least one cookie in your browser. In this case, your browser sends information to Facebook via this cookie as soon as you visit our site or interact with social plug-ins (e.g. the "Like" button).
The information received is deleted again or anonymized within 90 days. According to Facebook, this data includes your IP address, which website you visited, the date, the time and other information concerning your browser.
To prevent Facebook from collecting a large amount of data during your visit to our website and connecting it with Facebook data, you must log out of Facebook during your website visit (log out).
If you are not logged into Facebook or do not have a Facebook account, your browser will send less information to Facebook because you have fewer Facebook cookies. Nevertheless, data such as your IP address or which website you visit may be transmitted to Facebook. We would still like to explicitly point out that we do not know exactly about the exact content of the data. However, we try to inform you as best as possible about the data processing according to our current state of knowledge. You can also read about how Facebook uses the data in the company's data policy at https://www.facebook.com/about/privacy/update.
Functions and contents of the Xing service (offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) can be integrated into our online offering. This may include content such as images, videos or bodies of text and buttons which allow users to share content within this online offering within Xing. If users are members of the Xing platform, Xing can assign the request for the above contents and functions to users’ local profiles. Xing’s Privacy Statement: https://privacy.xing.com/de/datenschutzerklaerung
If you have consented that your data can be processed and stored by embedded elements, this consent is considered the legal basis of the data processing (Art. 6 (1)(a) GDPR). In principle, your data will also be stored and processed on the basis of our legitimate interests (Art. 6 (1)(f) GDPR) in quick and effective communication with you or other customers and business partners. Nevertheless, we only use the embedded elements if you have given your consent.
Recruiting Tool
Online job applications/publication of job vacancies
We offer you the opportunity to apply for work with us via our website. With such digital applications, we will electronically collect and process your applicant and application data as part of the processing of the application procedure.
The legal process for such processing is outlined in § 26 (1) (1) of the Federal Data Protection Act in conjunction with Art. 88 (1) of the GDPR.
If a contract of work is entered into as part of a job application procedure, we will save the data you submitted as part of your application in your personal file as part of the regular organisation and administration process – we will of course take into consideration further legal obligations when we do this. The legal basis for such processing is also outlined in § 26 (1) (1) of the Federal Data Protection Act in conjunction with Art. 88 (1) of the GDPR.
When rejecting an application, we will automatically delete the data transferred to us two months after notification of the rejection. However, such a deletion shall not take place if, on account of certain legal regulations (e.g. owing to duties of proof under the German General Equal Treatment Act), the data is required to be saved for longer (up to six months, or up to the conclusion of legal proceedings).
The legal basis for such a case is covered in Art. 6 (1) (f) of the GDPR and § 24 (1) (2) of the Federal Data Protection Act. Our legitimate interest in such matters is legal defence/enforcement. If you have expressly consented for your data to be saved for longer, or to be included in a candidate or prospective candidates' database, the data shall be processed as per your consent. The legal basis here shall be Art. 6 (1) (a) of the GDPR. However, you are of course entitled to withdraw your consent at any time as per Art. 7 (3) of the GDPR by informing us accordingly, at which point it shall become effective in the future.
We use SmartRecruiters, an applicant management software. The service provider is the Austrian company SmartRecruiters GmbH, Wilhelmstraße 118, 10963 Berlin. You can learn more about the data processed through the use of SmartRecruiters in the privacy policy at https://www.smartrecruiters.com/de/legal/general-privacy-policy/.
Changes to our Privacy Statement
We reserve the right to make adjustments to this Privacy Statement to ensure that it always meets the current legal requirements, or to implement changes to our services offered in the Privacy Statement e.g. with the introduction of new services. In such a case, the new Privacy Statement will apply at the time of your new visit.
Privacy Statement version: March 2023