Skip to content

Privacy policy

Privacy policy

We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH. The use of the Internet pages of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH is possible without any indication of personal data. However, if a person concerned wishes to make use of special services of our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.
The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation and in compliance with the data protection regulations applicable to e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH in accordance with the country-specific data protection regulations. By means of this data protection declaration, our company would like to inform the public about the type, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.
e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH, as the controller, has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone or post.

Data security

We use the widespread SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser when you visit our website. As a rule, this is 2048-bit encryption. If your browser does not support 2048-bit encryption, we use 128 to 256-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

Person responsible

e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH
Partner: Dipl.-Ing. Bernhard Klug
Managing Directors: Dipl.-Ing. (FH) Lutz Zeibig, Kristina Steinborn
Kunstseidenstraße 3
01796 Pirna
Phone: +49 3501 4666-0
Fax: +49 3501 4666-11
E-mail: info(at)esm-pirna.de
Website: www.esm-pirna.de

Contact of the data protection officer

Datenschutz.Guide
Inh. Nico Eberhardt
Pfotenhauer Straße 65
01307 Dresden

Appointed data protection officer:

Nico Eberhardt
Phone: +49 351 31409830
Fax: +49 351 31409831
Email: info(at)Datenschutz(.)Guide
Website: https://Datenschutz.Guide
Report the incident directly to the data protection officer:
esm(at)datenschutz(.)guide

Types of data processed

– Inventory data (e.g., personal master data, names or addresses).
– Contact details (e.g., e-mail, telephone numbers).
– Content data (e.g., text entries, photographs, videos).
– Usage data (e.g., websites visited, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses)

Categories of affected persons

Visitors, users and interested parties of the online offer and our company (hereinafter we also refer to the data subjects collectively as “users”).

Purpose of the processing

– Provision of the online offer, its functions and content.
– Answering contact requests and communicating with users.
– Safety measures.
– Reach measurement/marketing

Definitions

The data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.
We use the following terms, among others, in this privacy policy:

a) personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Person concerned

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

c) Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting its future processing.

e) Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

f) Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

g) Controller or controller responsible for the processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

j) Third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

k) Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. For users from the area of application of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, the following applies if the legal basis is not mentioned in the data protection declaration:
The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR;
The legal basis for processing to fulfill our services and carry out contractual measures as well as answering inquiries is Art. 6 para. 1 lit. b GDPR;
The legal basis for processing for the fulfillment of our legal obligations is Art. 6 para. 1 lit. c GDPR;
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
The legal basis for the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6 para. 1 lit. e GDPR.
The legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR.
The processing of data for purposes other than those for which they were collected is governed by the provisions of Art. 6(4) GDPR.
The processing of special categories of data (in accordance with Art. 9(1) GDPR) is governed by the provisions of Art. 9(2) GDPR.

Technical storage/access in accordance with § 25 TDDDG

We use cookies and similar technologies (e.g. local/session storage). The storage of information in your terminal equipment or access to it is either based on your consent (Section 25 (1) TDDDG) or is absolutely necessary to provide the telemedia service you have expressly requested (Section 25 (2) TDDDG). The subsequent processing of personal data is based on Art. 6 GDPR. We use a consent service to manage your consents (see section “Consent Management – Borlabs Cookie”) – Section 26 TDDDG.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, disclosure, safeguarding of availability and its separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and the response to data threats. Furthermore, we take the protection of personal data into account as early as the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and data protection-friendly default settings.

Cooperation with processors, joint controllers and third parties

If we disclose data to other persons and companies (processors, joint controllers or third parties) as part of our processing, transfer it to them or otherwise grant them access to the data, this is only done on the basis of legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary to fulfill the contract), users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we disclose, transfer or otherwise grant access to data to other companies in our group of companies, this is done in particular for administrative purposes as a legitimate interest and, in addition, on a basis that complies with the legal requirements. You can find our partners at: https://www.esm-pirna.de/unternehmen/partner/

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to other persons or companies, this will only take place if it is done to fulfill our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to express consent or contractually required transfer, we only process or have the data processed in third countries with a recognized level of data protection on the basis of special guarantees, e.g. contractual obligation through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR).

Rights of the data subject

a) Right to confirmation
Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the controller.

b) Right to information

Any person affected by the processing of personal data has the right granted by the European legislator of directives and regulations to obtain from the controller free information about the personal data stored about him or her and a copy of this information at any time. Furthermore, the European legislator has granted the data subject access to the following information: the purposes of the processing the categories of personal data concerned the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing the existence of the right to lodge a complaint with a supervisory authority where the personal data are not collected from the data subject: All available information on the origin of the data The existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject Furthermore, the data subject has a right of access as to whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer. If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.

c) Right to rectification

Any person affected by the processing of personal data has the right granted by the European legislator of directives and regulations to demand the immediate correction of incorrect personal data concerning them. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.

d) Right to erasure (right to be forgotten)

Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing. The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR. The personal data was processed unlawfully. The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.

The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH, he or she may, at any time, contact any employee of the controller. The employee of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH shall promptly ensure that the erasure request is complied with immediately.

If the personal data have been made public by the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH and our company is obliged to erase the personal data pursuant to Article 17(1) of the GDPR, the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform other controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. An employees of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH will arrange the necessary measures in individual cases.

e) Right to restriction of processing

Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH, he or she may, at any time, contact any employee of the controller. The employee of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH will arrange the restriction of the processing.

f) Right to data portability/

Any person affected by the processing of personal data has the right, granted by the European legislator, to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
In order to assert the right to data portability, the data subject may at any time contact any employee of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH at any time.

g) Right to object

Any person affected by the processing of personal data has the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.

The e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

If the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH to the processing for direct marketing purposes, the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the data subject may contact any employee of the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH or another employee. The data subject is also free, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.

h) Automated decisions in individual cases including profiling

Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, provided that the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject’s explicit consent, the e.s.m. Edelstahl- Schwimmbad- und Metallbau GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision. If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact any employee of the controller.

i) Right to withdraw consent under data protection law

Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact any employee of the controller.

Cookies and right to object to direct advertising
“Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online service and closes their browser. The content of a shopping cart in an online store or a login status, for example, can be stored in such a cookie. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be saved if the user visits the website after several days. The interests of users can also be stored in such a cookie and used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the controller who operates the online service (otherwise, if they are only the controller’s cookies, they are referred to as “first-party cookies”).

We may use temporary and permanent cookies and provide information about this in our privacy policy.

If we ask users for their consent to the use of cookies (e.g. as part of a cookie consent), the legal basis for this processing is Art. 6 para. 1 lit. a. GDPR. Otherwise, the personal cookies of the users are processed in accordance with the following explanations in the context of this data protection declaration on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR). DS-GVO) or if the use of cookies is necessary for the provision of our contract-related services, pursuant to Art. 6 para. 1 lit. b. DS-GVO, or if the use of cookies is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us pursuant to Art. 6 para. 1 lit. e. DS-GVO, processed.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

A general objection to the use of cookies used for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site aboutads.info or the EU site youronlinechoices.com. Furthermore, the storage of cookies can be achieved by deactivating them in the browser settings. Please note that you may then not be able to use all the functions of this online offer.

Deletion of data
The data processed by us will be deleted or its processing restricted in accordance with the legal requirements. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Changes and updates to the privacy policy
We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Business-related processing
In addition, we process
– contract data (e.g., subject matter of the contract, term, customer category).
– payment data (e.g., bank details, payment history)
from our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

Services
We process our customers’ data as part of our contractual and pre-contractual services, which include conceptual and strategic consulting, campaign planning or maintenance, implementation of campaigns and projects as well as consulting services.

We process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter of the contract, term), payment data (e.g., bank details, payment history), usage and metadata (e.g., as part of the evaluation and performance measurement of marketing measures). In principle, we do not process special categories of personal data, unless these are part of commissioned processing. The data subjects include our customers, interested parties and their customers, users, website visitors or employees as well as third parties. The purpose of the processing is the provision of contractual services, billing and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization, security measures). We process data that is required to justify and fulfill the contractual services and point out the necessity of their disclosure. Disclosure to external parties only takes place if it is necessary in the context of an order. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and the legal requirements of order processing in accordance with Art. 28 GDPR and do not process the data for any purposes other than those specified in the order.

We delete the data after the expiry of statutory warranty and comparable obligations. The necessity of retaining the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (6 years, pursuant to Section 257 (1) HGB, 10 years, pursuant to Section 147 (1) AO). In the case of data disclosed to us by the client as part of an order, we delete the data in accordance with the specifications of the order, generally after the end of the order.

Administration, financial accounting, office organization, contact management

We process data in the context of administrative tasks and the organization of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process as part of the provision of our contractual services. The processing bases are Art. 6 para. 1 lit. c. DS-GVO, Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information specified in these processing activities.

We disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee offices and payment service providers.

We also store information on suppliers, event organizers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We generally store this data, most of which is company-related, permanently.

Data protection information in the application process (online form & e-mail)

Purpose: Implementation of the application procedure, decision on the establishment of an employment relationship.
Data categories: Master data (title, name, address, contact), education/employment/qualification data (if applicable), file uploads (CV, cover letter, certificates, other documents), communication and metadata (time, technical logs).
Legal basis: Art. 6 para. 1 lit. b GDPR in conjunction with. § Section 26 BDSG (pre-contractual/employment law measures); for voluntary additional information/initiative pool Art. 6 para. 1 lit. a GDPR (consent).
Recipient/access: HR/personnel department, specialist departments; IT/hosting service provider as processor.
Transfer to third countries: no, unless otherwise stated in individual cases.
Storage period: Rejection cases 6 months after completion of the procedure (evidence purposes), with consent to the applicant pool max. 2 years, then deletion. If the application is made via the online form, the data is transmitted in encrypted form; spam protection services (see section “Google reCAPTCHA”) can only be used after consent has been given.
Obligation to provide: Data required for participation in the procedure are marked as mandatory fields; no processing is possible without their provision.
Your rights: Art. 15-22 GDPR; revocation/objection at any time with effect for the future.

Applicant pool
As part of the application process, we offer applicants the opportunity to be included in our “applicant pool” for a period of two years on the basis of consent within the meaning of Art. 6 para. 1 lit. a. and Art. 7 GDPR.

The application documents in the applicant pool will only be processed in the context of future job advertisements and the search for employees and will be destroyed after the deadline at the latest. Applicants are informed that their consent to inclusion in the applicant pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare an objection within the meaning of Art. 21 GDPR.

Data processing in the context of our activities on Instagram

In the course of our editorial activities on social networks such as Instagram, we process personal data of users who interact with us. This data processing is necessary in order to process your inquiries and adapt our services accordingly. The data stored includes your profile and account name, your profile picture, the content of your requests, the number of followers and accounts you follow, and your latest posts or tweets. This data is stored temporarily and remains on a server within the European Union for a period of six months.
This processing of personal data is based on Article 6(1)(e) of the General Data Protection Regulation (GDPR), which permits processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
It is also important to note that the operators of the social networks on which we are present have their own data usage policies. These operators store and use users’ personal data (such as personal information and IP addresses) for business purposes in accordance with their policies. We have no influence on the way these platforms collect data, nor on how long and where the data is stored, whether and how the networks comply with deletion obligations, which analyses and links are carried out with the data and to whom the data is passed on.
We always recommend that users are aware of the data protection practices of the respective social networks and check the corresponding data protection guidelines.
You can find information on what data is processed by Instagram and for what purposes it is used in Instagram’s privacy policy.

Hosting and e-mail delivery

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services and technical maintenance services that we use for the purpose of operating this online offering.

In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of order processing contract). Art. 28 GDPR (conclusion of order processing contract).

Collection of access data and log files

We, or our hosting provider, collect data about every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Changes and updates to the privacy policy

We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Contact via the website

Contact forms & e-mail

Purpose: Processing of enquiries/offers, pre-contractual communication.
Data categories: Title, name, contact details, address, telephone availability, free text message and selection of topics (e.g. indoor pools, hotel pools, etc.).
Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual inquiries) or Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient communication).
Storage period: Enquiry/correspondence data 12 months after completion of the process; statutory retention obligations remain unaffected.
Spam/abuse protection: reCAPTCHA is only loaded after consent; see separate section for details.

Cookies & comparable technologies according to § 25 TDDDG

What is used? Cookies, local/session storage, content blockers.
What for? Operation of the website (essential) and – only with consent – display of external content/protection against misuse.
Legal basis: § 25 para. 2 TDDDG (absolutely necessary) or § 25 para. 1 TDDDG + Art. 6 para. 1 lit. a GDPR (optional services). You can revoke/change your consent at any time in the “Settings”.

Consent Management – Borlabs Cookie

Provider: Borlabs GmbH (Germany).
Purpose: Obtaining, documenting and managing your consent; controlling content blockers (YouTube, Vimeo, Google Maps, reCAPTCHA).
Data processing: A consent cookie and/or storage entries are set, which store, among other things, consent status, timestamp, language, random UID. Personal visitor data is not transmitted to Borlabs; the logs are stored on our server.
Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation to manage consent) in conjunction with. § 25 TDDDG; for the technically necessary consent cookie § 25 para. 2 TDDDG.
Storage period: Consent cookie up to 12 months (depending on configuration); log evidence up to 3 years (evidence purposes, Art. 5 para. 2 GDPR).
Objection/revocation: possible at any time via the Consent Manager.
Source/Technology Note: Borlabs documents that UID/status are stored locally and that no visitor data flows to Borlabs.

YouTube (embedded videos)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; possibly Google LLC, USA.
Purpose: Display of embedded videos.
Data: IP address, device/browser data, referrer/URL, interactions; Google may set cookies/similar technologies (also restricted for “nocookie” domain).
Legal basis: Section 25 (1) TDDDG + Art. 6 (1) lit. a GDPR (only after consent – content is blocked until then).
Third country transfer: USA; protection via standard contractual clauses (SCCs).
Storage period/recipients: see Google/YouTube privacy policy.
Note: Content is visible before consent as “placeholder – unblock content” on the website.

Vimeo (embedded videos)

Provider: Vimeo.com, Inc, 555 West 18th Street, New York, NY 10011, USA.
Purpose & data: Display of videos; processing as with YouTube (IP, device / usage data; cookies / similar IDs).
Legal basis: § 25 para. 1 TDDDG + Art. 6 para. 1 lit. a GDPR (only after consent – content is blocked).
Third country transfer: USA; SCCs according to provider.
Storage period / details: see Vimeo Cookie Policy (updated 25.06.2024).
Note: Placeholder “Unblock content …” is visible on the website.

Google Maps (Maps)

Provider: Google Ireland Limited; possibly Google LLC (USA).
Purpose: Interactive maps/locations.
Data: IP address, location/geodata (upon release), device/browser data; cookies/similar IDs possible.
Legal basis: Section 25 (1) TDDDG + Art. 6 (1) lit. a GDPR.
Third country transfer: USA; SCCs.
Note: Shown as placeholder before consent.

Google reCAPTCHA (spam/abuse protection)

Provider: Google Ireland Limited; possibly Google LLC (USA).
Purpose: Protection of forms against automated attacks/spam.
Data: IP address, mouse/keyboard interactions, device/browser data, possibly Google cookies/IDs; server-side evaluation.
Legal basis: Section 25 para. 1 TDDDG + Art. 6 para. 1 lit. a GDPR (only after consent; blocked until then).
Third country transfer: USA; SCCs.
Note: It is not possible to send the form without consent (“You must load the content of reCAPTCHA …”).

Information on data transfers to the USA

For the Google and Vimeo services mentioned above, data may be transferred to the USA. The legal basis is your consent (Art. 49 para. 1 lit. a GDPR) together with the SCCs of the provider. Risks: Access by authorities without enforceable legal remedies for EU data subjects (also presented transparently in the Consent Dialog).

Right of appeal and complaints office

In the event of breaches of data protection law, you have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority for data protection issues is:
Sächsische Datenschutz- und Transparenzbeauftragte
Dr. Juliane Hundert
Devrientstraße 5
01067 Dresden
Phone: +49 351 85471-101
Fax: +49 351 85471-109
Email: saechsdsb(at)slt.sachsen.de – No access for electronically signed documents!
Website: saechsdsb.de

Status: 10/2025