Data protection
1. General information
This privacy policy informs you about the nature, scope and purpose of the processing of your personal data by us. This information relates, on the one hand, to the processing of personal data on or through our website. On the other hand, you will receive information about the processing of your personal data in other internal and external processes within our company. If necessary, you will receive additional information on further processing in an appropriate manner. For example, if we use your personal data to register your visit to us on site, you will receive additional information on site. We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with legal national and European regulations as well as the requirements and recommendations of the state data protection authority responsible for us.
Bavarian State Office for Data Protection Supervision
https://www.lda.bayern.de
poststelle@lda.bayern.de
0981/180093-0
Promenade 18
91522 Ansbach
P.O. Box 1349
91504 Ansbach
We reserve the right to implement published recommendations from other data protection authorities if, in our opinion, they can better ensure the protection of your personal data. The same applies to publications in literature and case law. However, always keep in mind that the transfer of data is generally not secure. It cannot be technically ruled out by us that third parties may access your data. Therefore, handle your data and the data of other people responsibly. Gender-specific spelling is omitted exclusively for the purpose of better readability. All personal names in this “Privacy Policy” (e.g. customer, responsible person, data subject, data protection officer) are therefore to be understood as gender-neutral.
1.1. Areas of application
Through this data protection information (also “privacy policy”, “data protection policy”), we inform you in accordance with Art. 12 et seq. of the GDPR which of your personal data we process (definition of the terms “personal data”, “processing”: see below) in order to present this website and to be able to use the functions of the website used. We also inform you about the other processes associated with the presentation of the website or the functions used (e.g. hosting, newsletter, etc.). If and insofar as we process personal data in further processes (e.g. telephone system, guest WiFi, video surveillance, etc.), you will receive further information in a timely and comprehensive manner. This information can also be kept on this website; we will therefore also inform you about how we store the information during further processes. This data protection information also applies to our other online presences (e.g. websites, landing pages, shops, social media sites) as well as to other processes, insofar as we expressly refer to this data protection information.
1.2. Contact details of the person responsible
The person responsible for processing data on this website within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in member states of the European Union and other provisions related to data protection law is:
Floy GmbH
Ludwigstrasse 9
80539 Munich
Germany
info@floy.com
You can contact us at any time if you have any questions about this privacy policy or would like to assert rights.
1.3. Contact details of the data protection officer
You, and any other data subject, can contact our data protection officer directly, verbally or in writing, at any time if you have any questions or suggestions regarding data protection. You can reach him via our contact details above (see Impressum) and via the e-mail address datenschutz@floy.com.
1.4. Definitions
This data protection declaration and this data protection notice use, among other things, the terms defined in the European General Data Protection Regulation (GDPR), OJ L 119 of 4 May 2016, pp. 1–88 (in the version in force at the time this data protection notice was created), and in the German Federal Data Protection Act (BDSG) as amended on 30 June 2017 (BGBl. I p. 2097), last amended by Art. 12 of the Act of November 20, 2019 (BGBl. I p. 1626, 1633). Insofar as additional terms from other laws are used in this data protection declaration, or terms serve to understand this data protection declaration, we have also explained them in the following text.
1.4.1 Personal data
Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (see Article 4 No. 1 GDPR). Personal data includes name, address, account or telephone number, but also the IP address or ID number.
1.4.2 Data subject
Data subject is any identified or identifiable natural person whose personal data is processed by the controller (see Article 4 No. 1 GDPR). The data subject is, for example, the user of the website or the customer, client, patient, etc. of a company.
1.4.3 End users
End user is any natural or legal person who makes use of a public telecommunications service (e.g. Internet access services) without providing a public telecommunications network or a publicly available telecommunications service themselves.
1.4.4 Processing
Processing is any process or series of processes carried out with or without the aid of automated processes in connection with personal data, such as collection, recording, organization, storage, adjustment or modification, reading, querying, use, disclosure through transmission, dissemination or any other form of provision, reconciliation or linking, restriction, deletion or destruction (see Article 4 No. 2 GDPR). Processing therefore occurs when we collect, share, store or delete personal data.
1.4.5 Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting their future processing (see Art. 4 No. 3 GDPR). For example, if you contact us and report that your data is incorrect, we will restrict the processing of your data in order to verify the accuracy of the data (see Article 18 (1) (b) GDPR).
1.4.6 Profiling
Profiling is any type of automated processing of personal data that consists of using this personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or changes of location of that natural person (see Art. 4 No. 4 GDPR). Profiling would be, for example, evaluating your economic situation based on your purchasing behavior.
1.4.7 Pseudonymization
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures which ensure that the personal data is not assigned to an identified or identifiable natural person (see Art. 4 No. 5 GDPR). Pseudonymization occurs, for example, when the personal data is replaced by a customer number. Without knowing which customer number has been assigned to which customer, the data cannot be assigned to a specific person (customer).
1.4.8 Anonymization
Anonymization is the complete and irreversible removal of personal data. For example, if all customer contact data is overwritten with random numbers and no record has been kept of which number was assigned to which customer, the data can no longer be assigned to a person. Due to the lack of personal reference, anonymized data is not subject to the rules of the GDPR and the BDSG (see recital 26 GDPR).
1.4.9 “Responsible person” or “person responsible for processing”
The person responsible, or person responsible for processing, is the natural or legal person, authority, agency or other body which, alone or together with others, decides on the purposes and means of processing personal data. If the purposes and means of this processing are determined by Union law or the law of the Member States, the controller or the specific criteria for his nomination may be provided for under Union law or the law of the Member States (see Article 4 (7) GDPR). The provider of this website is responsible for processing data when using the website (see contact details of the person responsible).
1.4.10 Contract processors
A contract processor is a natural or legal person, authority, agency or other body that processes personal data on behalf of the person responsible (see Article 4 No. 8 GDPR). As a contract processor, for example, we use a so-called host, i.e. a company that stores our website on its own servers. For example, if you enter your personal data (e.g. name, email address, etc.) via a contact form, this data is stored by the host on its server, etc. The host only processes the data in the way we have contractually agreed with it. It therefore processes the data “on our behalf” and is therefore a “contract processor”.
1.4.11 Recipients
The recipient is a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not. However, public authorities that may receive personal data as part of a specific investigation mandate under Union law or the law of the Member States are not considered recipients (see Article 4 (9) GDPR). Recipients of this privacy policy include you.
1.4.12 Third party
A third party is a natural or legal person, authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process personal data. A third party is, for example, an authority that accesses data on the basis of a legal authorization (see Art. 4 No. 10 GDPR).
1.4.13 Consent
Consent is any statement of intent given voluntarily by the data subject in an informed and unequivocal manner in the form of a statement or other unequivocal affirmative act by which the data subject indicates that he or she agrees to the processing of personal data concerning him or her (see Art. 4 No. 11, Art. 7 GDPR). For example, you give us consent when you place your order — then you agree that we process the data you provide so that we can also process your order.
1.4.14 Content Delivery Network (CDN)
A content delivery network (CDN) is a network of servers that are connected via the Internet and send data to devices. A CDN can consist of several thousand regionally distributed servers that deliver data as quickly as possible in accordance with specific rules. The main advantage of a CDN is that it is not only the server on which, for example, our website is stored (hosted) that delivers the necessary data (e.g. texts or images), but also many servers at the same time. As a result, our website can be displayed to you much faster. In order for the CDN to work, it requires data, such as browser type, IP address, screen resolution, etc. If you do not want to use the CDN, you can install a JavaScript blocker (e.g. Sybu https://sybu.co.za or NoScript https://noscript.net) on the device you use. The delivery of the website may then be slower.
1.4.15 Terminal equipment
By the term “terminal device”, we mean any device connected directly or indirectly to the interface of the telecommunications network you are using to send, process or receive messages or data, regardless of the type of connection (wire, electromagnetic, etc.).
1.4.16 Mobile devices
By the term “mobile devices”, we mean all Internet-enabled devices that are not kept stationary but are mobile. These can be smartphones, tablets, etc.
1.4.17 Website
By “website” (also: web presence, etc.) we mean the presence of a provider that can be reached at an individual web address. A website can be displayed using browsers. It is comparable to a “house” at a specific address (domain) and usually has several web pages (i.e. “rooms”). In addition to the web application (homepage), other services such as e-mail, storage space, etc. can be used.
1.4.19 IP address
The IP address is the unique address (e.g. 216.58.190.0) of the computer or device you are using, similar to a postal address. According to a decision of the European Court of Justice (judgment of 19.10.2016, file no.: C-582/14), IP addresses are personal data (see also recital 30 GDPR). It follows that the GDPR and the BDSG also apply to IP addresses. The IP address is used to deliver data to your computer. You can find out the IP address of your computer on the network using the “ipconfig” command or you can also search online (for example at https://www.heise.de/netze/tools/meine-ip-adresse/). In doing so, your IP address is transmitted to the provider.
1.4.20 Java, JavaScript
Java is a platform-independent programming language developed in 1995 by the US company Sun Microsystems Inc., Santa Clara, USA (now part of Oracle Corporation, Austin, USA), whose language specification is constantly being developed. Java is now used not only by web browsers, but also in cars, hi-fi systems and other electronic devices. JavaScript (JS for short) is a scripting language developed in 1995 by Brendan Eich for dynamic HTML in web browsers. With JS, the possibilities of HTML are extended. JavaScript was developed independently of Java and differs in many ways.
1.4.21 Cookies
Cookies are small data packets (small text files consisting of numbers and letters) that are used to store certain information locally on your device for some time. This can be used, for example, to recognize the user's computer when the page is retrieved or to save the content of a form or shopping cart. Tracking services use cookies to store collected information. In some cases, cookies are automatically deleted when you close your web browser (so-called transient cookies). These include in particular so-called session cookies. These cookies store a so-called session ID, which can be used to assign various requests from your web browser to the current session. This makes it possible to recognize your device when you return to our website. Session cookies are deleted as soon as you log out or close the web browser. In some cases, cookies are only deleted after a specified period of time (so-called persistent cookies). The storage period varies depending on the cookie. Technically necessary cookies are required to be able to display the website. These include shopping cart cookies, login cookies or language selection cookies. If you do not agree to the storage of cookies, you can deactivate the storage of cookies in your web browser settings. You can delete existing cookies in your web browser settings. Help with the settings can be found in the respective help menu of your browser or under the following links:
- Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
- Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
- Chrome: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647
- Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac
- Opera: https://help.opera.com/en/latest/web-preferences/#cookies
You can also object to the collection and forwarding of personal data or prevent the processing of this data by deactivating (“blocking”) the execution of JavaScript in your browser. You can also install script blockers that prevent code from running. Script blockers can be found here, for example:
- https://addons.mozilla.org/de/firefox/addon/noscript/
- https://noscript.net
- https://www.ghostery.com
- https://chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf
Further information on cookies can be found, for example, at the Bundesverband Digitale Wirtschaft (BVDW) e. V., Berliner Allee 57, 40212 Düsseldorf, www.bvdw.org. BVDW e. V. provides additional information on the website http://meine-cookies.org/. We use a separate tool to obtain and document any necessary consent to the processing of cookies. We provide you with the necessary information about each cookie so that you can decide whether you agree to the use of the tool.
1.4.22 Cookie Consent Tool
Cookie consent tools manage the consents you have given to use certain tools that are not technically necessary. A pop-up window will inform you about the cookies concerned before tools that require cookies are used. You can then decide whether you agree and to which cookies. Your decision is then saved for a period of up to twelve months. Personal data, such as your IP address, as well as a pseudonymous user ID, the time of consent and selection, etc., are used. This data is stored either in a cookie on your device or on the server we use. You can adjust or withdraw your consent at any time. The use of the Cookie Consent Tool is based on our legitimate interest in efficiently operating the website in a legally compliant manner. Without this use, it is not possible for us to obtain the necessary consents and document the user's decision. We need documentation in accordance with Article 5 (2) GDPR in order to be able to prove that we operate the website in accordance with applicable law. For more information, see the explanations of the cookie consent tool used.
1.4.23 Web beacons
Web beacons are small graphics in HTML emails or on websites. In most cases, the image is only 1 × 1 pixel in size, often transparent or designed in the color of the background, and is therefore not or barely visible. When the document is loaded, the web beacon is loaded from a server and the download is registered there. This can then be used to determine whether the document was loaded, for example whether the email was opened. You can prevent the use of web beacons if, for example, you open the email offline, do not open the email as an HTML email, or block external graphics with your email program. You can also use tools that detect and block web beacons, such as:
- Privoxy — https://www.privoxy.org/
- Proxomitron — https://www.proxomitron.info/
For more information, see the explanations of the “web beacons” used.
1.4.24 Third countries, transfer of data to third countries
The term “third countries” means countries that do not belong to the European Union (i.e. Belgium, Bulgaria, Romania, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Slovenia, Slovakia, Finland and Sweden) or the European Economic Area (member states of the EU as well as Iceland, Liechtenstein and Norway). In addition to the United States of America (USA), India, China, Russia, Brazil, South Africa, Australia, there are around 160 other countries that are potential third countries. Data transfers to third countries are lawful in accordance with strict legal requirements (see Art. 44 et seq. GDPR), including if:
- Either the European Commission has determined in accordance with Article 45 (3) GDPR that there is an adequate level of data protection in the third country. Such so-called adequacy decisions exist for Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and the United Kingdom. The European Commission provides an overview of the adopted adequacy decisions.
- Or when the data recipient offers appropriate guarantees to protect personal data and data subjects have enforceable and effective legal remedies (Article 46 (1) GDPR). In accordance with Article 46 (2) GDPR, such suitable guarantees include the use of the Commission's standard data protection clauses (Article 46 (2) (c), Article 93 (2) GDPR). These standard data protection clauses or standard contractual clauses (SCC) are sample templates from the EU Commission. You can find these clauses here, among others: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de. The clauses used ensure that personal data is also processed in the third country concerned at a level of data protection that corresponds to the European level.
Since 10.07.2023, the “Trans Atlantic Data Privacy Framework” (TADPF) has been in force for data transfers to the USA. The TADPF introduces new binding guarantees for US recipients of data. This includes restricting access to EU citizens' data by US secret services and the establishment of the Data Protection Review Court (DPRC), a supervisory body also accessible to non-US citizens. In the event of violations, the DPRC can also order the deletion of data. The TADPF is regularly reviewed by the European Commission together with representatives of the European data protection authorities and the relevant US authorities. The first review should take place within one year of the entry into force of the TADPF. The TADPF has the effect of an adequacy decision in accordance with Article 45 (1) GDPR and applies in principle immediately to US companies participating in the TADPF. Additional authentication tools such as standard contract clauses (SVK or Standard Contractual Clauses - SCC) are therefore no longer required for data exports to US recipients, as the USA is once again considered a secure third country. However, US companies must self-certify and commit to compliance with certain data protection obligations in order to benefit from the effects of TADPF. The current status can be viewed from 17.07.2023 at https://www.dataprivacyframework.gov/s/. Data transfer is also permitted if the data subject has consented to the transfer in accordance with Article 49 (1) (a) GDPR, or if the transfer is necessary to conclude or fulfill a contract concluded in the interest of the data subject by the person responsible with another natural or legal person (Article 49 (1) (c) GDPR), or if another exception under Article 49 GDPR applies. When we work with providers who are either based in a third country or process data in a third country (e.g. in the USA), we ensure compliance with legal requirements and check this regularly.
In addition, we only work with providers who have concluded the necessary contracts with us. Should we have to or want to deviate from this in exceptional cases, we will inform you accordingly and seek your consent.
1.5. Storage period
Data will therefore only be deleted in compliance with legal, official and, if applicable, court requirements for the storage or deletion of personal data. In order to conclude a contract, it may be necessary for a data subject to provide us with personal data, which must then be processed by us. For example, the data subject is obliged to provide us with personal data when our company concludes a contract with him or her. Failure to provide personal data would mean that the contract with the person concerned could not be concluded.
1.6. Rights of the person concerned
The applicable data protection law grants you comprehensive data subject rights (rights of information and intervention) vis-à-vis the person responsible with regard to the processing of your personal data, which we will inform you about below:
1.6.1 Right to information in accordance with Art. 15 GDPR
You can request confirmation from the person responsible as to whether personal data concerning you is being processed by the person responsible (“right to confirmation”). You also have the right to information about: the purposes of processing; the categories of personal data that are processed; the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organizations; if possible, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period; the existence of a right to correction or deletion of personal data concerning you or to restrict processing by the controller or a right to object to this processing; the existence of a right of appeal to a supervisory authority; if the personal data is not collected from the data subject: all available information about the origin of the data; the existence of automated decision-making, including profiling in accordance with Article 22 (1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject. You also have the right to know whether personal data has been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate guarantees in the context of the transfer. If you would like to exercise this right of information, you can contact us or our data protection officer at any time.
1.6.2 Right to correction in accordance with Article 16 GDPR
You have the right to immediate correction of incorrect data concerning you and/or to complete your incomplete data stored by us; the correction or completion must be carried out immediately.
1.6.3 Right to deletion in accordance with Article 17 GDPR
You have the right to request that the personal data concerning you be deleted immediately, provided that one of the following reasons applies and insofar as processing is not necessary: The personal data was collected or otherwise processed for such purposes for which it is no longer necessary. The data subject withdraws his consent on which processing was based in accordance with Article 6 (1) letter a GDPR or Article 9 (2) letter a GDPR, and there is no other legal basis for the processing. The data subject objects to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing in accordance with Article 21 (2) of the GDPR. The personal data has been processed unlawfully. The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject. Data has been collected in relation to information society services offered in accordance with Article 8 (1) GDPR. If one of the above reasons applies and a data subject wishes to request the deletion of personal data that has been stored, he or she can contact us at any time. If the personal data has been made public and our company is obliged to delete the personal data in accordance with Article 17 (1) GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and implementation costs, to inform other data controllers who process the published personal data that the data subject has requested from these other data controllers the deletion of all links to this personal data or of copies or replications of this personal data, insofar as processing is not necessary.
1.6.4 Right to restrict processing in accordance with Article 18 GDPR
You have the right to request that the processing of your personal data be restricted as long as the accuracy of your data disputed by you is checked, if you refuse deletion of your data due to unlawful data processing and instead request that the processing of your data be restricted, if you need your data to assert, exercise or defend legal claims after we no longer need this data because the purpose has been achieved, or if you file an objection for reasons relating to your particular situation, as long as it is not yet clear whether our legitimate reasons prevail. If the processing of personal data concerning you has been restricted, this data, apart from storage, may only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. If processing has been restricted, you will be informed by the person responsible before the restriction is lifted.
1.6.5 Right to be informed in accordance with Article 19 GDPR
If you have exercised your right to correct, delete or restrict processing, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of the data or restriction of processing, unless this is impossible or involves disproportionate effort. You also have the right to be informed about these recipients.
1.6.6 Right to data portability in accordance with Article 20 GDPR
You have the right to receive the personal data you have provided to us in a structured, common and machine-readable format or to request transmission to another person responsible, insofar as this is technically possible.
1.6.7 Right of withdrawal in accordance with Article 7 (3) GDPR
You have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. You also have the right to withdraw your data protection consent at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the revocation. In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims. If we process personal data to engage in direct marketing, you have the right to object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to direct marketing, we will no longer process the personal data for these purposes. In addition, you have the right to object, for reasons arising from your particular situation, to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) of the GDPR, unless such processing is necessary to perform a task in the public interest. To exercise the right to object, you can contact us directly. In the context of using information society services, notwithstanding Directive 2002/58/EC, you are also free to exercise your right of objection by means of automated procedures using technical specifications.
1.6.8 Right to lodge a complaint in accordance with Article 77 GDPR
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority. You can contact the supervisory authority of your place of residence, place of work or place of the alleged infringement if you believe that the processing of personal data concerning you violates data protection rules.
1.7. Legal basis for processing
All data processing is carried out on the basis of a valid legal basis (see Art. 5 para. 1 lit. a GDPR, principle of lawfulness). We process personal data either on the basis of consent, to fulfill a contract or a legal obligation, or on the basis of our legitimate interest.
1.7.1 Consent
If you have consented to data processing, we process your personal data on the basis of Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, if special categories of data under Article 9 (1) GDPR are processed (e.g. data that reveal racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership, as well as the processing of genetic data, biometric data to uniquely identify a natural person, health data or data on sex life or sexual orientation of a natural person). In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Article 49 (1) (a) GDPR. If you have consented to the storage of cookies or access to information on your device or information stored there, data processing is also carried out on the basis of Section 25 (1) TTDSG. The consent can be withdrawn at any time.
1.7.2 Fulfilment of a contract
If the processing of personal data is necessary to fulfill a contract to which you are a party (e.g. in the case of a purchase or consulting contract), the processing is based on Art. 6 para. 1 lit. b GDPR. The same applies to such processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services.
1.7.3 Legal obligations
If our company is subject to a legal obligation which requires the processing of personal data, such as to fulfill tax obligations, the processing is based on Art. 6 para. 1 lit. c in conjunction with paragraph 3 GDPR.
1.7.4 Vital Interests
In rare cases, the processing of personal data could be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if you injured yourself during a visit to our company and we would then have to share your name with a doctor, hospital or other third party. Processing would then be based on Article 6 (1) (d) GDPR.
1.7.5 Legitimate interest
Processing may also be based on a so-called legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Processing operations that are not covered by any of the above legal bases are based on this legal basis if processing is necessary to protect a legitimate interest of our company (e.g. intention to make a profit, present the company, etc.) or of a third party, provided that the interests, fundamental rights and fundamental freedoms of the data subject do not prevail. The weighing of any conflicting interests is always a process- or system-related individual case analysis and decision. According to Recital 47 sentence 2, there is a legitimate interest in data processing if the data subject is a customer of the person responsible, or the processing of personal data is carried out to prevent fraud, etc. (see Recital 47 sentence 6) or for direct marketing purposes (see Recital 47 sentence 7).
2. Data processing by this website
Each time you visit our website, our system automatically collects and stores data and information that your browser transmits to our server (so-called “server log files”). The following data is collected: date and time of access; amount of data sent in bytes; source/reference from which other website you came to our website; meta and communication data (information about the system used, operating system, browser used, IP addresses, etc.). The collection of data to provide the website and the storage of data in log files is absolutely necessary for the operation of the website. The legal basis for processing is Article 6 (1) (f) GDPR; we have a legitimate interest in improving the stability and maintaining the functionality of our website. The temporary storage of the IP address by the system is necessary to enable our website to be delivered to your computer (“client”). To do this, the IP address of the terminal device you are using must be stored for the duration of the session. If you do not agree to the processing of this data, you have the option to completely refrain from using and visiting our website. The data will not be passed on or used in any other way. However, if we have concrete evidence of illegal use of our website, we will review the server log files retrospectively and use the data, for example, to file a criminal complaint or to assert civil claims. If personal data is stored in log files, they will be deleted no later than seven days after use. Longer storage is possible if, for example, illegal use etc. has been identified and we want to prosecute this misconduct. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
2.1. Collection of general data and information
With every visit to the website, our website collects a series of general data and information. This general data and information is stored in the server's log files. The browser types and browser versions used, the operating system used by the accessing system, the website from which an accessing system accesses our website (so-called referrer URL), the sub-websites that are accessed by an accessing system on our website, the date and time of access to the website, an Internet protocol address (IP address), the Internet service provider of the accessing system and other similar data and information that serve to provide security in the event of attacks on our information technology systems can be collected. This data is not combined with other data sources. The data is generally anonymized. However, it is generally possible that we may not or cannot carry out anonymization due to legal, regulatory or court requirements. The basis for collecting general data and information when you access our website is Art. 6 para. 1 lit. b GDPR, which permits the processing of data to fulfill a contract or pre-contractual measures. If you do not conclude a contract with us or no pre-contractual measures are necessary, we process the data on the basis of Article 6 (1) (f) GDPR (so-called “legitimate interest”). Insofar as we are legally obliged to process data, processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR. If we request your consent to the processing, the legal basis for data processing is Art. 6 para. 1 lit. a, 4 no. 11, 7, 9 GDPR. We do not use the above information to draw conclusions about the data subject, but to correctly deliver the content of our website, to optimize the content of our website and advertising for it, to ensure the long-term functionality of our information technology systems and the technology of our website, and to provide law enforcement agencies with the information necessary for law enforcement in the event of a cyber attack.
We therefore analyse this anonymously collected data and information statistically on the one hand and also with the aim of increasing data protection and data security in our company in order to ensure an optimal level of protection for the personal data processed by us. The anonymous data in the server log files is stored separately from all personal data provided by you. It is therefore not possible to draw any conclusions about you. For example, we are unable to determine which type of browser you are using. We only have data on which browser types were used by visitors in a specific period of time. For example, if a visitor logs into the customer area incorrectly several times, we save the IP address (which is personal data) in order to identify (hacker) attacks on our system and prevent them in good time.
2.2. External hosting
Our website is technically maintained and stored by an external service provider (“host”). The personal data collected on this website is therefore stored directly on the host's servers and not on servers that are held directly by us. The host is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in our interest in providing our online offering securely, quickly and efficiently and presenting our company and services by a professional provider (so-called “legitimate interest” within the meaning of Art. 6 para. 1 lit. f GDPR). When balancing our interests with your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; there is little interference with your rights. You are also free to use our offer and disclose data. Our host only processes your data to the extent necessary to fulfill its contractual performance obligations. We have concluded a contract with the host for the processing of personal data on our behalf (so-called “order processing contract”) and thus complied with the strict requirements of the General Data Protection Regulation, the Federal Data Protection Act and other laws (e.g. Telemedia Act, Telecommunications Telemedia Data Protection Act). The data is only processed by the host on our instructions and within the framework of applicable laws. We work together with the host Amazon Web Services (AWS), 410 Terry Avenue North, Seattle WA 98109 (USA). Further information can be found on the provider's website, in particular in the privacy policy https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.
2.3. TLS encryption
For security reasons and to protect the transmission of confidential content that you send to us as a site operator, our website uses TLS encryption. TLS (Transport Layer Security) is an encryption technology that enables secure access to the Internet. TLS has so-called end-to-end encryption; i.e. the information is encrypted by the sender (e.g. a client) before being sent and is only decrypted by the recipient (e.g. a web server). This is made possible by asymmetrically encrypting the information and exchanging a common symmetrical session key between the communication partners. Only the communication partners can decrypt the information, as the encryption technologies also check the authenticity of the communication partners and they must first purchase appropriate certificates from a special certification authority. Data that you submit via this website cannot be read by third parties due to SSL encryption. You can recognize that our website is encrypted when you access it with “https://”. You can also recognize the use of the technology by a small lock icon in your browser. The certificate we used was issued by the certification authority Let's Encrypt (LE), 548 Market St, PMB 77519, San Francisco, CA 94104-5401 (USA). The certification authority may process your IP address. Information on data protection and data processing can be found on the certification body's website https://letsencrypt.org/privacy/.
2.4. Website modular system
To design our website, we use a content management system (“CMS”) from the provider Webflow, 398 11th Street, 2nd Floor, San Francisco, CA 94103 (USA). With the help of the CMS, we can also use many functions for our website and web shop without programming effort. The CMS processes technical data such as operating system, browser, language and keyboard settings as well as personal data (e.g. IP address). The legal basis for processing personal data is our legitimate interest in making our website efficient and effective (Art. 6 para. 1 lit. f GDPR). When balancing our interests with your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; there is little interference with your rights. You are also free to use our offer and share data. If the CMS uses cookies, you also have the option to object to their use. Further information on data protection can be found on the website and in the provider's privacy policy https://webflow.com/
2.5. Contact, contact options
Due to legal regulations, the website contains information that enables quick electronic contact with our company and direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by email or via a contact form, the personal data provided by the data subject is automatically stored. Such personal data provided voluntarily by a data subject to the controller will be stored for the purpose of processing or contacting the data subject. There is no transfer of this personal data to third parties. If you contact us by email, telephone or fax, your request, including all resulting personal data (name, request), will be stored and processed by us for the purpose of processing your request. We will not share this data without your consent. This data is processed on the basis of Article 6 (1) (b) GDPR, provided that your request is related to the fulfilment of a contract or is necessary to carry out pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested. The data you send us via contact requests will be stored by us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory legal provisions, in particular statutory retention periods, remain unaffected.
2.6. Application process
On our website, we offer you the opportunity to apply online. It is necessary to provide personal data for your participation in the application process. This data may include personal master data such as first name, last name, address, date of birth, contact details such as telephone number or e-mail address, as well as data relating to your school and/or professional career such as school and work references, data about apprenticeships, internships or previous employers. This data can come from an application form you fill out online on the application platform or from the documents you provide, such as a cover letter, a curriculum vitae, an application photo, certificates or other evidence. Data that is absolutely necessary to participate in the application process is marked accordingly as mandatory information. Unless this privacy policy mentions a third-party provider whose service we use to provide the online application function, the data will not be passed on to third parties. We process the above data for the purpose of carrying out the application process. If you have given us consent, the legal basis for processing the data is Art. 6 (1) (a) GDPR. Insofar as the above data is processed to initiate contractual relationships, the legal basis is Art. 6 (1) (b) GDPR. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the event that there is an employment relationship, training relationship, internship or other employment relationship following the application process, the data will initially continue to be stored and transferred to the personnel file. Otherwise, the application process ends with receipt of a rejection. In this case, the data will be deleted. There will be no deletion if further processing and storage of your personal data is necessary in individual cases to assert, exercise or defend legal claims.
In this case, we have a legitimate interest in continuing to process and store your personal data. The legal basis is Art. 6 (1) (f) GDPR. Your personal data will not be deleted even if we are required by law to continue to store your personal data. You can withdraw your consent given to us at any time and object to the processing of your personal data at any time. In particular, you also have the option to withdraw your application at any time without giving reasons. As part of the application process, you should only provide us with the personal data that is necessary to participate in and carry out the application process. There is no legal or contractual obligation to provide data, unless there may be an obligation to apply for other reasons (e.g. official request, etc.). However, we would like to point out that we cannot carry out the application process without this data and cannot consider your application. The same applies in the event of an objection directed against the processing of your data. If you are required to apply, we will inform the respective institution of the application or the revocation of processing etc., if this means we cannot carry out the application process. We also offer you the option of having your application saved in an application pool. This allows us to consider your application, beyond the specific reason for applying, as part of further future application processes. Storing your application in the application pool requires your consent, which we will request in individual cases. If consent has been given, the legal basis for processing (inclusion in the applicant pool) is Art. 6 para. 1 lit. a GDPR. You can withdraw the consent you have given us at any time with effect for the future.
2.7. Web analytics
This website uses features of web analysis services, in particular Plausible Analytics (provider: Plausible Insights OÜ, address: Västriku tn 2, 50403, Tartu, Estonia, website: https://plausible.io, privacy policy: https://plausible.io/data-policy). Web analysis services enable us to analyze the behavior of website visitors. In doing so, we receive various usage data, such as page views, length of stay, operating systems used and origin of users. This data can be summarized in a profile that is assigned to the respective user or their device. For this purpose, Plausible collects, among other things, the following information: date and time of your visit, title and URL of the pages visited, and the country in which you are located. However, Plausible does not use or store “cookies” on your device. All personal data, such as your IP address, is stored completely anonymously in the form of a so-called hash. A hash is a one-way transformation of data that is irreversible, so that it cannot be “decrypted.” In this way, we can analyze your visit without processing personal data. The use of these analysis tools is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), processing is carried out exclusively on the basis of Article 6 (1) (a) GDPR, and consent can be withdrawn at any time. It is possible that data may be transferred to the USA. Please note our information in the “Definitions” section on the keyword “Data transfer to third countries.” Where possible, we have activated the IP anonymization function. This will abbreviate your IP address. Only in exceptional cases will the full IP address be transferred to one of the provider's servers in the USA and only abbreviated there.
On behalf of the operator of this website, this information is used to evaluate your use of the website, to prepare reports on website activity and to provide other services related to website activity and Internet usage to the website operator.
3. Minors
Our services are not directed at children under 13 years of age. We do not knowingly collect information from children under 13 years of age. If you have not yet reached the age limit, do not use the Services or provide us with any personal information. If you are a parent of a child under the age limit and you become aware that your child has provided us with personal data, please contact our data protection officer (see above for contact details) or us directly so that we can take the necessary steps, such as blocking or deleting the data.
4. Regulatory notice
Individual product functions and their editions are currently still undergoing regulatory testing and approval processes. Medical use is therefore only permitted within the framework of the applicable legal provisions.
If you have any questions or concerns, please contact info@floy.com.