1. General
(1) This data privacy statement gives an overview, which information is collected or stored when you visit our website and how it is used. This statement also explains how to verify the accuracy of the personal information we hold about you and how to delete, block or update such personal information in our database.

(2) Basically, we process personal data of our users only insofar as this is necessary for a functioning website and for our content and services. Further uses are listed in the following regulations. The processing of personal data of our users takes place only with the consent of the use regularly. An exception applies, if it is not possible to obtain prior consent for factual reasons and data processing is permitted by law.

(3) Legal basis for processing of personal data
Insofar as we obtain the consent of the data subject for processing of his or her personal data, Art. 6 (1) (a) GDPR is the legal basis. In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR is the legal basis.
This also applies to processing operations, which are necessary for the implementation of pre-contractual measures.Insofar as data processing is necessary for compliance with a legal obligation, Art. 6 (1)(c) GDPR is legal the basis.In case data processing is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6 (1) (d) GDPR is the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party and interests or fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) (f) GDPR is the legal basis for the data processing.

(4) Erasure of personal data and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage is omitted. In addition, such storage may be provided because the European or national legislator set such in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the regulations mentioned expires, unless there is a need for further data storage for conclusion of a contract or performance of the contract.
Due to legal requirements, especially for tax purposes, we may be obliged to store your data beyond the period of your use of our website. However, we will only store the data to the extent required, taking into account the statutory provisions.

(5) Transfer of personal data
If your data is transferred to other companies or subcontractors, this will only be done in compliance with the present data protection regulations and the statutory provisions as well as to fulfil the contractual obligations, e.g. the provider can see corresponding statistical data, if necessary.
Your personal data will not be transferred to third parties outside the company without your explicit consent. External service providers, who process data on our behalf, are contractually obliged. These service providers are especially prohibited from using your data for other than the original underlying purposes.
We will provide third parties with further data than provided by you, in particular to such data you have made available to us just for handling of the contract for internal purposes, only in case of a corresponding statutory obligation or to safeguard legitimate interests.

(6) Data storage location
Your data will be processed on servers located in Germany and thus within the scope of the EU level of data protection. We must point out any exemptions according to no. 3 of these regulations.

2. Collection of personal data
(1) If you just visit our website, we only save access data within so-called server log files. This is data your browser makes transmits without any personal connection.

Browser type and browser version
Operating system used
Referrer-URL (previously visited website)
Websites accessed by the user's system through our website
the user’s internet service provider
Host name of the accessing computer (IP address)
Date and time of the server access
We are not able to assign these data to specific persons. A collection of this data with other data sources is not done, the data also is deleted after a statistical evaluation. For this purpose, the user's access to our websites, including the IP address, is stored in the server log files. These log files are prepared monthly for statistical evaluations with an analysis software and then deleted. It is not possible for us to draw conclusions concerning a certain person when using the data.
(2) The legal basis for this data processing is Art. 6 (1)(f) GDPR. On the one hand, legitimate interests arise from the need to present and optimize the content of the website in a technically correct manner. Furthermore, the data collection is necessary to ensure the functionality of the website in case of attacks by third parties and to allow prosecution of such attacks.
(3) The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the user’s computer. Therefore, the user's IP address must be stored for the duration of the session. In these purposes, our legitimate interest of data processing is justified in the sense of Art. 6 (1) (f) GDPR.
(4) The data will be deleted as soon as it is no longer necessary for the purpose it was collected for. In case of data collection for providing the website, this is the case when the respective session is completed.
(5) The data collection for providing the website and the storage of the data in log files is essential for the operation of the website. As a result, the user has no possibility to object.

3. Third Party Plug-Ins
(1) Legitimate Interest
The use of the third-party plug-ins mentioned below has been checked in terms of data protection law and is based on Art. 6 (f) GDPR in order to safeguard legitimate interests and to improve our website.
(2) Privacy Policy for the use of Google Analytics
This website uses Google Analytics, a web analytics service. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "cookies". These are text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.
IP anonymization
We have enabled the function IP anonymization on this website. As a result, your IP address will be shortened by Google within member states of the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases, the full IP address is transmitted to a server of Google in the USA and shortened there.
On behalf of this website owner, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website owner with other services relating to website and Internet use.
The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data.
Browser plugin
You can prevent these cookies being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of this website. You can also prevent the data generated by cookies about your use of the website (incl. your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Objecting to the collection of data
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Click here to disable Google Analytics³
For more information about how Google Analytics handles user data, see Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=en.
Contract data processing
We have entered into a contract for data processing with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographics in Google Analytics
This website uses the feature “demographics” of Google Analytics. Therefore, reports can be created that contain statements on the age, gender and interests of the website visitors. This data has been obtained from interest-based advertising by Google and third-party visitor data. This data cannot be associated to identify a certain person. You can disable this feature at any time via the ad settings in your Google Account, or generally prohibit the collection of your data by Google Analytics as described in the section "Opposition to Data Collection".
(3) DoubleClick
Google also uses the DoubleClick DART cookie. It is possible to disable the use of the cookie. Please refer to https://policies.google.com/technologies/ads?hl=en for details. 

In this case, no direct personal data of the user are stored, but only the Internet Protocol address. This information is needed to recognize you automatically when you visit our website again and to make navigation easier for you. For example, Cookies allow us to adapt a website to your interests or to store your password so that you do not have to re-enter it every time.
Details may be obtained under 4. of this Policy.

For the user it is possible to object to the use of DART cookies by submitting an opt-out statement under Google ad and content network privacy policy. For more information about DoubleClick DART cookies, see http://emea.doubleclick.com/DE/privacy/faq.aspx.

4. Cookies
(1) Our website uses cookies. Cookies are text files that are stored in the Internet browser or rather on the Internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.
(2) There are cookies which will be deleted after the end of the browser session (so-called session ID cookies). The cookies are used for the purpose of authorization, identification and obtaining specific information such as information on whether you wish to remain logged in. After one hour the cookies will be automatically deleted.
(3) The user data collected in this way will be pseudonymised by means of technical precautions. Therefore, an assignment of the data to the calling user is no longer possible. The data will not be stored together with other personal data of the user.
(4) While accessing our website, the users are informed about the use of cookies for analysis purposes by an information banner and will be referred to this privacy policy or, if necessary, consent to the processing of personal data in connection with cookies is obtained.
In that regard, there is also an indication of how the storage of cookies in the browser settings can be prevented.
(5) If cookies are stored on your PC additionally, you have control over whether and when these cookies are deleted. Please use the corresponding function in your browser.
(6) With most Internet browsers, you can delete cookies from your hard disk, lock them, or receive a warning before a cookie is deposited. You can set your browser so that you are informed about the setting of cookies, you can decide on a case-by-case basis, or you can preclude the general acceptance of cookies. The non-acceptance of cookies may limit the functionality of our website. Please refer to the user manual of your browser or the manufacturer of the browser for information regarding how to set the programs accordingly.
(7) Only with your prior consent we will associate such automatically stored information with the personal data that you have provided to us previously (for example, during the registration) on our websites.
(8) The utilization of data from set cookies is done on the basis of Art. 6 f) GDPR for the protection of legitimate interests, whereas we assume that your interests, fundamental rights and freedoms are not restricted by this, as personal data is neither gained by us nor by third parties. Additionally, it is basically statistical data adjusted to your user behavior and, if necessary, other factors are revealed, but not data that may lead to an individual identification.

5. Data security
(1) We secure our websites and the connected systems against loss, destruction, access, modification or dissemination of your data by unauthorized persons by technical and organizational measures.
(2) You should always keep your access information confidential and close the browser window, when you have stopped using it, to prevent misuse of your account, especially if you share the computer with others.
(3) We are not liable for the content of other providers, which can be reached via the hyperlinks on our websites. Links on our website refer to content that is not stored on our own servers. External content was checked for links for illegality and criminal liability. Nevertheless, it can’t be ruled out that content will be changed by vendors afterwards.

6. E-Mail
(1) When contacting by e-mail, the personal data transmitted by the user with the e-mail will be stored.
(2) In this context, the data is not provided to third parties. The data is exclusively used for processing the conversation.
(3) The legal basis for the processing of the data transmitted in the course of sending an e-mail is article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a contract, then additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
(4) The processing of the personal data is only for processing the contact. In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data. The personal data sent by e-mail will be deleted when the respective conversation with the user has ended. The conversation is ended when it can be seen from the circumstances that the relevant facts have been finally clarified.
(5) The user has the possibility to revoke his given consent to the processing of the personal data by means of communication by e-mail or post to the responsible office (see below) at any time. If the user contacts us by e-mail, he can object to the collection of his personal data at any time. In this case, the conversation cannot be continued. All personal data collected in the course of contacting us will be deleted in this case.

7. Newsletter data
(1) If you wish to receive the newsletter offered on the website, we require an e-mail address from you, as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agreed to receive the e-mail newsletters. Further data is not collected. We use this data exclusively for the delivery of the requested information and do not pass it on to third parties.
(2) You may revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter.
(3) The legal basis for the processing of the data after registration for the newsletter by the user is in the presence of a consent Art. 6 para. 1 lit. a GDPR.
(4) The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The e-mail address of the user is therefore stored as long as the subscription to the newsletter is active.
(5) The mailing of the newsletter is done by "MailChimp", a transmission platform for newsletters of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The e-mail addresses of our newsletter recipients, as well as other data described in these notes, are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and evaluate the newsletters on our behalf. Furthermore, MailChimp may, according to its own information, use this data to optimize or improve its own services, for example for the technical optimization of the sending and the presentation of the newsletters or for economic purposes, to determine which countries the recipients come from. But MailChimp does not use the data of our newsletter recipients to write them down or to transmit them to third parties. The Privacy Policy of MailChimp can be found here: https://mailchimp.com/legal/privacy
(6) Statistical survey and analyses
The newsletters contain a so-called "web-beacon", which is a pixel-sized file that is retrieved from the MailChimp server when opening the newsletter. During the retrieval, technical information, such as information about the browser and your system, as well as your IP address and time of retrieval, will be collected first. This information is used to improve the technical performance of services by their technical data or target groups and their reading behaviour or by the locations of their retrievals (which can be determined using the IP address) or access times. The statistical surveys also include to determine if the newsletters will be opened, when they will be opened, and which links will be clicked. This information can be assigned to the individual newsletter recipients for technical reasons. But it is neither our effort nor the effort of MailChimp to observe individual users. We much more use the analyses to recognize the reading behaviours of our users and to adapt our content to them or to send different content according to the interests of our users.

8. SSL-Encryption
This website uses SSL encryption for safety matter as well as to protect the transfer of confidential data like contact inquiries you send to us. An encrypted connection can be identified by a symbolized lock in the address-bar of your browser as well as by the address being “https://” instead of “http://”. If SSL is activated, data may be transferred without third parties being able to read this data.

9. Your rights as data subject
If your personal data is processed, you are ‘data subject’ as laid down in GDPR and you have following rights to the controller:
a. Right of access
You may ask the controller to confirm if your personal data is processed by us. If so, you can request details about following information from the controller:

the purposes of processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom your personal data have been or will be disclosed
the envisaged period for which the personal data will be stored, or, if specific information is not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information as to their source; where the personal data are not collected from the data subject;
the existence of automated decision-making, including profiling, referred to in Art. 22(1) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to request information, if your personal have been transferred to third countries or international organisations. In this connection, you can request the appropriate guarantees in accordance with. Art. 46 GDPR in connection with the transfer.
b. Right to rectification
You have the right to obtain the rectification and/or completion of inaccurate or incomplete personal data concerning you. The controller has to make the rectification without undue delay.
c. Right to restriction of processing
Under the following conditions you have the right to obtain from the controller restriction of processing of personal data concerning you:

if you contest accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
if processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
if you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours. Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing pursuant to the above-mentioned conditions, you will be informed by the controller before the restriction of processing is lifted.
d. Right to erasure (‘right to be forgotten’)
Erasure obligations You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You withdraw consent on which the processing is based according to Art. 6(1) (a) GDPR, or Art. 9(2) (a) GDPR, and where there is no other legal ground for the processing;
You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
Your personal data have been unlawfully processed.
Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
Your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Exceptions
There is no right to erasure, to the extent that processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) GDPR as well as Art. 9 (3) GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
e. Right to information
If you have asserted the right to rectification, erasure or restriction of processing to the controller, the controller has to communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about those recipients by the controller.
f. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format.
You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6(1) (b) GDPR and
the processing is carried out by automated means.
In exercising these rights, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Rights and freedoms of others shall not be affected by that.
That right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
g. Right to object
You have the right to object, on grounds relating your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR including profiling based on those provisions.
The controller no longer processes your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data are no longer processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the right to object by automated means using technical specifications.
h. Right to revocation of declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
i. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:

is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.
But these shall not be based on special categories of personal data referred to in Art. 9(2)1) GDPR, unless Art. 9 (2) (a) or (g) of GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
j. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
The competent supervisory authority is

Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Würtemberg
 Königstr. 10 a 70173 Stuttgart
Postfach 10 29 32, 70025 Stuttgart
Tel.: 0711/615541-0
FAX: 0711/615541-15  
E-Mail: poststelle@lfdi.bwl.de

10. Contact for data protection
Controller within the meaning of GDPR is

Phoenix Design GmbH + Co. KG
Kölner Straße 16, 70376 Stuttgart Germany
Tel +49 711 955 976 0
Fax +49 711 955 976 99
info(at)phoenixdesign.com
Managing Partners: Andreas Diefenbach, Joon-Mo Lee, Harald Lutz

11. Update to this Policy
We may change this privacy policy from time to time due to legal, technical or commercial changes. If we update it, we will take measures adequate to the importance of the changes to inform you. If we make important changes to our privacy policy, we will gather your consent, if this is mandatory due to the privacy laws. The date of the last changes to this policy is given at the end of this policy.

Last Update: 20th of September 2021