We are very pleased about your interest in our company. Data protection is of particular importance for the management of Oikos Management GmbH. The web pages of Oikos Management GmbH may in principle be used without the provision of any personal data. However, if a data subject wishes to take advantage of our company’s special services through our website, the processing of personal data may be required. If the processing of personal data is required and there is no legal basis for such processing, we generally seek the consent of the data subject.
The processing of personal data such as the name, address, email address or telephone number of a data subject, always occurs in accordance with the General Data Protection Regulation and in accordance with the country-specific data protection provisions applicable Oikos Management GmbH. Through this privacy statement, our company seeks to inform the public about the nature, scope and purpose of the personal data we collect, use and process. Moreover, this privacy statement informs data subjects about their rights.
As the controller, Oikos Management GmbH has implemented numerous technical and organisational measures to ensure the most complete protection possible of personal data processed via this website. Nevertheless, the transmission of data over the internet may generally have security gaps, which means that absolute protection cannot be guaranteed. For this reason, each data subject is free to submit personal data to us by alternative means, for example by telephone.
The privacy statement of Oikos Management GmbH is based on the terminology used by European legislative bodies in the adoption of the General Data Protection Regulation (GDPR). Our privacy statement should be easy to read and understand, both for the public as well as our customers and business partners. In order to ensure this, we would like to explain in advance the terminology used.
Among other things, we use the following terms in this privacy statement:
a) Personal data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data are processed by the controller.
Processing refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing refers to the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to analyse or predict certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of the controller
The controller as defined in the General Data Protection Regulation, other applicable data protection legislation in the Member States of the European Union, and other provisions relating to data protection is:
3. Name and address of the data protection officer
The data protection officer of the entity responsible for data processing is:
Any data subject can contact our data protection officer at any time with any questions or suggestions relating to data protection.
Through cookies, the information and offers on our website can be optimised for the benefit of the user. As already noted, cookies allow us to recognise the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, users of a website that implements cookies do not have to re-enter their login data every time they visit the website, since this is done by the website and the cookie stored on the user’s computer system. Another example is the cookie of a shopping cart in the online shop. The online shop remembers the items which a customer has placed in the virtual shopping cart via a cookie.
By adjusting the settings of the internet browser being used, the data subject can at any time prevent our website storing cookies and thus permanently refuse the storage of cookies. Moreover, previously saved cookies can be deleted at any time with an internet browser or other software programs. This is possible in all common internet browsers. If the data subject deactivates the storage of cookies in the internet browser being used, not all functions of our website may be fully usable.
Change cookie settings
5. Collection of general data and information
The website of Oikos Management GmbH collects a set of general data and information every time the website is accessed by a data subject or an automated system. This general data and information is stored in the log files of the server. The following things can be collected: the (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (the so-called referrer), (4) the sub-webpages controlled by an accessing system on our website, (5) the date and time of access to the website, (6) Internet Protocol (IP) addresses, (7) the internet service provider of the accessing system, and (8) other similar data and information which may help protect our information technology systems from attacks.
When using this general data and information, Oikos Management GmbH does not draw any conclusions about the data subject. This information is instead required in order to (1) correctly deliver the contents of our website, (2) optimise the contents of our website and advertisement for it, (3) ensure the continued functioning of our information technology systems and the technology of our website, and (4) provide law enforcement agencies with the information necessary for prosecution in case of a cyber attack. This anonymously collected data and information are therefore statistically evaluated by Oikos Management GmbH, with the aim of improving data protection and data security in our company. By doing so, we aim to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by data subjects.
6. Contact through the website
Due to legal provisions, the website of Oikos Management GmbH contains information that enables quick electronic contact with our company and direct communication with us; this also includes a general address for so-called electronic mail (email address). If a data subject contacts the controller by email or through a contact form, the personal data provided by the data subject will be automatically saved. Such personal information provided on a voluntary basis by a data subject to the controller is stored for the purposes of processing or contacting the data subject. This personal data will not be transferred to third parties.
7. Routine erasure and blocking of personal data
The controller shall process and store the personal data of data subjects only for the period necessary for achieving the purpose of the storage, or if required by the laws or regulations of European legislative bodies or other lawmakers to which the controller is subject.
If storage no longer serves its purpose or if the storage period prescribed by European legislative bodies or other competent lawmakers expires, personal data will be routinely blocked or erased in accordance with the statutory provisions.
8. Rights of the data subject
a) The right to confirmation
Every data subject has the right – granted by European legislative bodies – to require that a controller confirm whether personal data concerning him/her is being processed. If a data subject wishes to exercise this right of confirmation, he or she can contact an employee of the controller at any time.
b) The right to information
Any data subject affected by the processing of personal data shall have the right – granted by European legislative bodies – to obtain from the controller information on the personal data about him or her that is stored as well as a copy of that information – free of charge and at any time. Furthermore, European legislative bodies have stipulated that the following information shall be provided to the data subject:
- the aims of the data processing
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data has been disclosed or are still being disclosed, particularly where the recipients are in third countries or international organisations
- if possible, the planned duration for which the personal data will be stored or, if that is not possible, the criteria for determining this duration
- the existence of a right to rectification or erasure of the personal data concerning them, or a right to the limitation of processing by the controller, or a right to object to such processing
- the existence of a right of appeal to a supervisory authority
- if personal data are not collected from the data subject: all available information about the origin of the data
- the existence of automated decision-making including profiling in accordance with Article 22 (1) and (4) of the GDPR, as well as – at least in these cases – meaningful information about the logic involved and the scope and intended impact of such processing on the data subject
- Moreover, the data subject has a right to information on whether personal data has been transmitted to a third country or an international organisation. If this is the case, the data subject has the right to receive information about the appropriate guarantees in connection with the transfer.
If a data subject wishes to exercise this right to information, he or she can contact an employee of the controller at any time.
c) The right to correction
Any data subject affected by the processing of personal data has the right – granted by European legislative bodies – to demand the immediate correction of incorrect personal data concerning him or her. Furthermore, the data subject has the right to demand the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.
If a data subject wishes to exercise this right to correction, he or she can contact an employee of the controller at any time.
d) The right to erasure (the right to be forgotten)
Any data subject affected by the processing of personal data has the right – granted by European legislative bodies – to demand that the controller immediately erase the personal data concerning him or her, provided that one of the following reasons applies and the processing is not necessary:
- The personal data were collected or otherwise processed for purposes for which they are no longer necessary.
- The data subject revokes the consent on which the processing was based in accordance with Article 6 (1) (a) of the GDPR or Article 9 (2) (a) of the GDPR, and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Art. 21 (1) of the GDPR and there are no overriding, justified reasons for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) of the GDPR.
- The personal data were processed unlawfully.
- The erasure of personal data is necessary to fulfil a legal obligation under Union law or the laws of Member States to which the controller is subject.
- The personal data were collected in relation to information society services offered in accordance with Art. 8 para. 1 of the GDPR.
If one of the above reasons is applicable and a data subject wishes to arrange for the erasure of personal data stored by Oikos Management GmbH, he or she can contact an employee of the controller responsible for the processing at any time. The employee of Oikos Management GmbH will arrange to have the demand for deletion fulfilled immediately.
If the personal data have been made public by Oikos Management GmbH and if our company is the controller responsible for erasing personal data pursuant to Art. 17 para. 1 of the GDPR, Oikos Management GmbH shall – taking into consideration the available technology and implementation costs – take appropriate measures, including technical ones, to inform other controllers who process the published personal data that the data subject has demanded that the latter controllers erase all links to this personal data or copies or duplicates of such personal data, provided that the processing is not required. The employee of Oikos Management GmbH will make arrangements for the necessary steps in individual cases.
d) The right to the restriction of processing
Any data subject affected by the processing of personal data has the right – granted by European legislative bodies – to demand that the controller restrict the processing, provided that one of the following conditions applies:
- If one of the above-mentioned conditions applies and a data subject wishes to restrict the personal data stored by Oikos Management GmbH, he or she can contact an employee of the controller responsible for the processing at any time. The employee of Oikos Management GmbH will arrange to have the processing restricted.
- The accuracy of the personal data is contested by the data subject for a period of time that enables the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject rejects the erasure of the personal data and instead demands that the use of the personal data be restricted.
- The controller no longer requires the personal data for processing purposes, but the data subject requires them to assert, exercise or defend legal claims.
- The data subject has objected to the processing pursuant to Art. 21 para. 1 of the GDPR, and it is not yet clear whether the justifiable reasons of the controller outweigh those of the data subject.
f) The right to data portability
Any data subject affected by the processing of personal data has the right – granted by European legislative bodies – to receive the personal data relating to him or her, which were provided by the data subject to a controller, in a structured, common and machine-readable format. He or she also has the right to transfer these data to another controller without hindrance by the controller to whom the personal data were provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) of the GDPR, or Art. 9 (2) (a) of the GDPR, or on a contract pursuant to Article 6 (1) (b) of the GDPR, and the processing takes place by automated means, and the processing is not necessary for performing a task carried out in the public interest or is carried out in the exercise of official authority vested in the controller.
Furthermore, in exercising the right to data portability under Article 20 (1) of the GDPR, the data subject has the right to have personal data transmitted directly from one controller to another, provided that this is technically feasible and the rights and freedoms of others are not impaired.
To assert the right of data transferability, the data subject can contact an employee of Oikos Management GmbH at any time.
g) The right to objection
Any data subject affected by the processing of personal data has the right – granted by European legislative bodies – to object at any time to the processing of personal data concerning him or her that is carried out pursuant to Art. 6 (1) (e) or (f) of the GDPR, for reasons arising from particular circumstances. This also applies to profiling based on these provisions.
In the event of an objection, Oikos Management GmbH will no longer process personal data unless we can prove compelling reasons for processing that outweigh the interests, rights and freedoms of the data subject, or if the processing serves the assertion, exercise or defence of legal claims.
If Oikos Management GmbH processes personal data in order to conduct direct advertising, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling, insofar as it is associated with such direct advertising. If the data subject objects to Oikos Management GmbH processing his or her data for direct advertising purposes, Oikos Management GmbH will no longer process the personal data for these purposes.
Moreover, the data subject has the right, for reasons arising from his/her particular situation, to object to the processing of personal data concerning him or her which is carried out by Oikos Management GmbH for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 of the GDPR, unless such processing is necessary to fulfil a task in the public interest.
To assert the right to objection, the data subject can directly contact any employee of Oikos Management GmbH or another employee. The data subject is also free, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise his or her right to objection by means of automated procedures making use of technical processing.
h) Automated decisions in individual cases including profiling
Any data subject affected by the processing of personal data shall have the right, granted by European legislative bodies, not to be subject to decisions based solely on automated processing, including profiling, which have a legal effect on him or her or, similarly, impairs him or her considerably, unless the decision (1) is necessary for the conclusion or fulfilment of a contract between the data subject and the controller; or (2) is permitted by Union or Member State legislation to which the controller is subject, and this legislation provides for appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject; or (3) with the express consent of the data subject.
If a decision (1) is required for the conclusion or fulfilment of a contract between the data subject and the controller, or (2) is taken with the express consent of the data subject, Oikos Management GmbH shall undertake appropriate measures to safeguard the rights, liberties and legitimate interests of the data subject, including at least the right to obtain the intervention of a person on behalf of the controller, to express his/her own position and to contest the decision.
If a data subject wishes to exercise rights relating to automated decisions, he or she can contact an employee of the controller at any time.
i) The right to revoke consent relating to data protection laws
Any data subject affected by the processing of personal data has the right – granted by European legislative bodies – to revoke consent to the processing of personal data at any time.
If a data subject wishes to exercise his or her right revoke consent, he or she can contact an employee of the controller at any time.
9. Data protection for job applications and in the job application process
The controller collects and processes the personal data of job applicants for the purpose of processing the applications. The processing can also be done electronically. This is particularly the case if an applicant submits application documents to the controller by electronic means, for example by email or through a web form available on the website. If the controller concludes an employment contract with an applicant, the transmitted data will be stored for employment purposes in accordance with the law. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted two months after the announcement of the rejection decision, provided that deletion does not prejudice any other legitimate interests of the controller. An other legitimate interest in this sense would be e.g. a burden of proof in a procedure under the General Act on Equal Treatment (AGG).
10. Data protection policy for the use of Google Analytics (with anonymisation function)
The controller has integrated the Google Analytics component (with anonymisation function) on this website. Google Analytics is a web analysis service. Web analytics is the elicitation, collection and analysis of data about the behaviour of visitors to websites. Among other things, a web analytics service collects data on the website from which a data subject has come to a website (so-called referrers), on the sub-pages of the website which were accessed, and how often a sub-page was viewed and the duration of this viewing. Web analytics are primarily used to optimise a website and conduct a cost-benefit analysis of internet advertising.
The operating company of the Google Analytics component is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
The controller uses the suffix “_gat._anonymizeIp” for web analytics via Google Analytics. With this addition, Google shortens and anonymises the IP address of the data subject’s internet connection, if our web pages are accessed from a Member State of the European Union or from another contracting state of the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse visitor flows on our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, in order to compile for us online reports showing the activities on our website, and to provide other services related to the use of our website.
Google Analytics places a cookie on the data subject’s information technology system. What cookies are has already been explained above. By placing this cookie, Google can analyse the usage of our website. Every time one of the pages of this website, which is operated by the controller and into which a Google Analytics component has been integrated, is accessed, the respective Google Analytics component automatically causes the internet browser on the information technology system of the data subject to transmit data to Google for the purpose of online analysis. As part of this technical process, Google receives information about personal data such as the IP address of the data subject, which Google uses, among other things, to track the origin of visitors and clicks, and to subsequently enable commission settlements.
By means of the cookie, personal information such as the accessing time, the location from which a website was accessed and the frequency of site visits by the data subject are stored. Each time our website is visited, this personal data, including the IP address of the Internet connection used by the data subject, is transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer this personal data collected through this technical process to third parties.
The data subject can prevent the storage of cookies by our website, as described above, at any time by adjusting the settings of the internet browser used and thus permanently refuse the storage of cookies. This adjustment to the settings of the internet browser being used would also prevent Google from storing a cookie on the information technology system of the data subject. Moreover, cookies already stored by Google Analytics can be deleted at any time through the internet browser or other software programs.
This website uses the demographics feature of Google Analytics. Through this, reports can be produced that contain information on the age, gender and interests of website visitors. This data comes from interest-based advertising from Google and from third-party visitor data. This data cannot be assigned to a specific person. You can disable this feature at any time through the ad settings in your Google Account, or generally prohibit the collection of your data by Google Analytics as described in the section “Objecting to data collection”
11. Data protection policy on the use of Google AdWords
The controller has integrated Google AdWords into this website. Google AdWords is an internet advertising service that allows advertisers to place advertisements in both Google’s search engine results and in the Google Display Network. Google AdWords allows advertisers to predetermine keywords that will display an advertisement in Google’s search engine results only when the user accesses a keyword-related search result through the search engine. In the Google Display Network, advertisements are distributed to topic-relevant websites using an automated algorithm and according to previously defined keywords.
The operating company of Google AdWords services is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
The purpose of Google AdWords is to promote our website by displaying interest-based advertising on the websites of third-party companies and in the search engine results of the Google search engine, and by displaying third-party advertisements on our website.
If a data subject accesses our website through a Google ad, Google stores a so-called conversion cookie on the data subject’s information technology system. What cookies are has already been explained above. A conversion cookie loses its validity after thirty days and is not used to identify the data subject. Provided that it has not yet expired, the conversion cookie allows for an understanding of whether certain sub-pages, such as the shopping cart of an online shop system, were accessed on our website. The conversion cookie informs both us and Google whether a data subject who came to our website through an AdWords ad generated revenue, i.e. completed or cancelled a purchase.
The data and information collected through the use of the conversion cookie is used by Google to create visitor statistics for our website. These visitor statistics are then used by us to determine the total number of users who were sent to us through AdWords ads, in other words to determine the success or failure of particular AdWords ads and to optimise our AdWords ads for the future. Neither our company nor other Google AdWords advertisers receive information from Google which allows data subjects to be identified.
Through the conversion cookie, personal information such as the websites visited by a data subject, are stored. Each time our website is visited, personal data including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer this personal data collected through this technical process to third parties.
The data subject can prevent the storage of cookies by our website, as described above, at any time by adjusting the settings of the internet browser used and thus permanently refuse the storage of cookies. This adjustment to the settings of the internet browser being used would also prevent Google from storing a conversion cookie on the information technology system of the data subject. Moreover, cookies already stored by Google AdWords can be deleted at any time through the internet browser or other software programs.
Furthermore, the data subject can object to Google’s interest-based advertising. In order to do this, the data subject must access the link www.google.com/settings/ads from each of the internet browsers he or she uses and adjust the desired settings there.
12. The legal basis for data processing
Art. 6 I lit. a of the GDPR serves as the legal basis for our company’s data processing operations in which we obtain consent for a particular processing purpose. If the processing of personal data is necessary to fulfil a contract of which the data subject is a party, as is the case e.g. in data processing operations necessary for the delivery of goods or the provision of another service or consideration, the processing shall be based on Art. 6 (I) (b) of the GDPR. The same applies to data processing operations necessary for carrying out pre-contractual measures, for example in the case of enquiries about our products or services. If our company is subject to a legal obligation which requires the processing of personal data, such as the fulfilment of tax obligations, the processing shall be based on Art. 6 (I) (c) of the GDPR. In rare cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our company were injured and his or her name, age, health insurance data or other vital information would have to be given to a doctor, hospital or other third party. Then the processing would be based on Art. 6 (I) (d) of the GDPR. Ultimately, data processing operations could be based on Art. 6 (I) (f) of the GDPR. Data processing operations which are not covered by any of the previously mentioned legal bases, are justified by this legal basis if the processing is necessary to safeguard the legitimate interests of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the data subject prevail. We are permitted to perform such data processing operations because they have been specifically mentioned by the European legislative bodies. They considered that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 Sentence 2 of the GDPR).
13. Legitimate interests in data processing pursued by the controller or a third party
If the processing of personal data is based on Article 6 (I) (f) of the GDPR, our legitimate interest is the conducting of our business activities for the benefit of all of our employees and shareholders.
14. Duration for which personal data is stored
The criterion for the duration of storing personal data is the respective statutory retention period. After the period is over, the corresponding data will be routinely deleted if they are no longer required for fulfilling a contract or to initiate a contract.
15. Legal or contractual requirements for the provision of personal data; necessity for the conclusion of a contract; obligation of the data subject to provide personal data; possible consequences of non-provision
We would like to inform you that the provision of personal data is in part required by law (e.g. tax regulations) or may result from contractual arrangements (e.g. information on the contracting party). Sometimes it may be necessary for the conclusion of a contract that a data subject provides us with personal data which must subsequently be processed by us. For example, the data subject is required to provide us with personal information when our company concludes a contract with him or her. Failure to provide personal data would make it impossible to conclude a contract with the data subject. Before the data subject provides personal data, he or she must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of personal data is legally or contractually required, whether it is required for the conclusion of a contract, whether there is an obligation to provide personal data, and what consequences the failure to provide personal data would have.
16. Existence of automated decision-making
As a responsible company, we refrain from automatic decision-making or profiling.
Oikos Management GmbH