Privacy policy

Hamburg Messe und Congress GmbH is responsible for processing information on our webpages.

Hamburg Messe und Congress GmbH (HMC)
Business Management/Geschäftsführung
Messeplatz 1
20357 Hamburg
Germany

ph.: +49 (0)40-3569-0
E-mail: info(at)hamburg-messe(dot)de
Website: www.hamburg-messe.de

We have appointed a Data Protection Officer for our company’s business operations.

Datenschutzbeauftragte/Data Protection Officer
Hamburg Messe und Congress GmbH
Messeplatz 1
20357 Hamburg
Germany

ph.: +49 40 3569-0
E-mail: privacy(at)hamburg-messe(dot)de

Based on Article 4 of the GDPR, this privacy policy is based on the following definitions: 

• ‘Personal data’ (Article 4(1) of the GDPR) means any information relating to an identified or identifiable natural person (‘data subject’). A person is identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, an online identifier, location data or information about their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability may also be given by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings may also contain personal data).
• ‘Processing’ (Art. 4 No. 2 GDPR) is any operation involving personal data, whether or not with the aid of automated (i.e. technology-based) procedures. This includes, in particular, the collection (i.e. procurement), recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning, combining, restricting, erasing or destroying personal data, as well as changing the purpose or objective for which the data was originally processed.
• ‘Controller’ (Art. 4 No. 7 GDPR) is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
• ‘Third party’ (Art. 4 No. 10 GDPR) is any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other legal entities belonging to the group.
• ‘Processor’ (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with its instructions (e.g. IT service providers). In terms of data protection law, a processor is not a third party.
• ‘Consent’ (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 

By law, any processing of personal data is prohibited in principle and is only permitted if the data processing falls under one of the following justifications: 

• Art. 6(1)(a) GDPR (‘Consent’): Where the data subject has freely given, specific, informed and unambiguous consent for the processing of personal data relating to him or her, for one or more specific purposes;
• Art. 6(1)(b) GDPR: Where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• Art. 6(1)(c) GDPR: Where processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
• Art. 6(1)(d) GDPR: If processing is necessary to protect the vital interests of the data subject or another natural person;
• Art. 6(1)(e) GDPR: If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Art. 6 (1) (f) GDPR (‘legitimate interests’): If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child). 

The storage of information in the end user's terminal equipment or access to information already stored in the terminal equipment is only permitted if it is covered by one of the following justifications: 

• § 25(1) TTDSG: If the end user has given their consent on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 (1) sentence 1 lit. a GDPR;
• § 25 (2) No. 1 TTDSG: If the sole purpose is to carry out the transmission of a message via a public telecommunications network or
• § 25 (2) No. 2 TTDSG: If storage or access is absolutely necessary for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user. 

We specify the applicable legal basis for each of the processing operations we carry out below. Processing may also be based on several legal bases. 

a. Information, rectification, erasure, restriction of processing, and data portability

According to the GDPR, you as a Data Subject have the following rights:

• GDPR, Art. 15: Data Subject’s right to information
  You have the right to request and obtain from us information regarding the type of personal data we process about you.
• GDPR, Art. 16: Right to data rectification
  To the extent that your personal information is incorrect or incomplete, you have the right to request rectification of incorrect and completion of incomplete information.
• GDPR, Art. 17: Right to erasure
  Under the conditions specified by GDPR, Art. 17, you may demand that your personally identifiable data be erased. Whether or not you are entitled to have your data erased will depend on various factors, including without limitation whether we need to maintain your data to fulfil our contractual and legal duties.
• GDPR, Art. 18: Right to restrict processing
  You may demand restriction of the processing of your personally identifiable data under GDPR, Art. 18.
• GDPR, Art. 20: Right to data portability
  Under the conditions specified by GDPR, Art. 20, you may demand that your personally identifiable data which you have provided to us be erased, be made available to you in a structured, common, machine-readable format, or transmitted to another Data Controller. 

b. Revoking a consent

If you have given your consent to your data being processed, you may revoke your consent at any time. Your revocation will apply to any future processing of your personally identifiable data from the time you submit your revocation to us. Any processing of your data on the basis of other legal provisions, if applicable, shall likewise remain unaffected. To the extent that your consent was the sole legal basis for processing your data, provided there is no legitimate interest on our part in processing your data pursuant to GDPR, Art. 6(1), p.1 (f), we will promptly erase your data upon receiving the revocation of your consent.

c. Objection to the processing of personally identifiable data

To the extent that we process your personally identifiable data based on a balancing of interests (GDPR, Art. 6(1), p.1 (e) or (f)), you may, on grounds arising from your particular situation, make an objection against the processing of your data. This may apply in particular if data-processing is not necessary to perform a contract with you as explained below. When you exercise your right of objection we request that you explain your grounds for prohibiting us from continuing to process your personally identifiable data. Upon receiving your well-reasoned objection, we will review the facts and either stop processing your data, or limit the extent of our data-processing, or explain to you the compelling reasons meriting protection for our continued processing of your data.

Notwithstanding the above you may at any time object to your personally identifiable data being processed for purposes of advertising and data analytics, without incurring any costs other than the costs of transmission according to applicable base rates.

You may direct any further questions regarding this as well as any other privacy protection matters to the Company Data Protection Officer at privacy(at)hamburg-messe(dot)de. 

d. Right to lodge a claim to the supervisory authority

You have the right to lodge a complaint to the supervisory authority if you believe your data is being processed in an unlawful manner. The address of the supervisory authority responsible for us is as follows:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Kurt-Schumacher-Allee 4
20097 Hamburg, Germany

Where necessary, we also transfer your personal data from the contract initiation or contract execution (master data, contact details) to third parties who support us in the execution of the contract or who cooperate with us or take actions that are necessary and you have requested this cooperation or transfer. These third parties vary depending on the service, so we will inform you separately about such processing. We generally assume that your interest in this is consistent with our interest in executing the contract. Unfortunately, we cannot execute the contract without transferring the data to third parties in these cases. 

If your personal data is passed on by us to our subsidiaries or passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships. 

In some cases, we use external domestic and foreign service providers to handle our business transactions. These service providers only act on our instructions and are contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR. 

The categories of recipients of your personal data include: 

• External service providers who provide services for us within the scope of order processing or other service contracts (e.g. IT services; services for online invitation management tools, banking services; communication services, services in the area of our financial management and the destruction of data carriers, credit rating services; ticketing services, mailing services, stand construction services and catalogue entries)
• transport companies
• authorities (e.g. the Federal Employment Agency)
• Courts in the context of legal disputes and other legal disputes.
• Courts and solicitors in the context of legal disputes and other legal disputes as well as legal advice
• auditors, tax advisors
• If applicable, personnel consultants who support us in deciding whether to establish an employment relationship.
• Exhibitors: If you have redeemed an exhibitor's admission code for a ticket or are redirected to the HMC ticket shop via an exhibitor's affiliate link (partner programme) and register there, we will transfer your personal data (name, address, communication data) to the respective inviting or advertising exhibitor. This enables the exhibitor to target their customer communications more effectively in future. You can object to this at any time at datenschutz@hamburg-messe.de.
• Cooperation partner: As part of Seatrade Cruise Europe, we will pass on the registration data of visitors participating in Seatrade Cruise Europe to our cooperation partner, Informa Markets, for the necessary business processing. Our cooperation partner, Informa Markets, would also like to inform visitors about the latest news regarding the event by email or mobile phone/SMS, send notifications or reminders on site, and provide useful information about hotel bookings, matchmaking, the app, etc. You can object to this at any time at seatrade-europe@hamburg-messe.de.
• Cooperation partner: As part of the Global Security and Innovation Summit (GSIS), we will pass on your data to our cooperation partner, The International Institute for Strategic Studies (IISS), for the following purposes:
• Newsletter subscribers will receive the Executive Briefing by email on a regular basis until the event. In addition, the IISS would like to contact newsletter subscribers by email or mobile phone/SMS to inform them about opportunities to participate in the GSIS.
• Applicants for participation in the GSIS may be contacted by email or mobile phone/SMS by the IISS, as the cooperation partner responsible for the application process, in order to clarify any questions regarding the application or to obtain further information about the application process.
• Participants in the GSIS will be informed about the latest news regarding the event by email or mobile phone/SMS, receive notifications or reminders on site, and be provided with useful information on organisational aspects such as hotel bookings, matchmaking, the event app and other services. 

This can be revoked at any time by contacting info(at)gsis-hamburg(dot)com. 

• Cooperation partner: As part of Polaris, we pass on the registration data of persons applying for press accreditation to our cooperation partner Super Crowd. Our cooperation partner Super Crowd has commissioned Marchsreiter Communications GmbH, Guldeinstraße 41a, 80339 Munich, with the processing of press accreditation. It has concluded a contract with Marchsreiter Communications GmbH for the processing of orders.
• Foreign representatives of Hamburg Messe und Congress GmbH 

Your personal data will not be passed on to third parties for advertising purposes without your consent. 

Within the scope of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the purpose of fulfilling contractual and business obligations and maintaining your relationship with us (the legal basis is Art. 6 (1) (b) or (f) in conjunction with Art. 44 et seq. of the GDPR). The various data transfers to third countries are listed below: 

• In order to fulfil contractual purposes or to carry out pre-contractual measures with companies from third countries that are interested in exhibiting/exhibiting or visiting (Art. 6 (1) (b) GDPR), we transfer personal data to the foreign representation of the respective third country. This includes the following personal data: company data with address, name of contact person, communication data, industry affiliation, product interests, contract and billing data if applicable, exhibitor/product interest, payment data.
• In the case of representatives of trade fairs or visiting companies from third countries, the visitor's name may also be given to the company in the third country, provided there is no objection to the transfer. The registration data of a company visiting a trade fair whose representative contacts an exhibitor may be transferred to the exhibitor visited, provided the visitor has given their consent, regardless of whether the exhibitor is from the UK, the EU or a third country.
• The registration data of a company whose representative visits an exhibitor at the trade fair stand may be transferred to the exhibitor visited, provided that the visitor does not object to their data being scanned from the barcode on their admission ticket, regardless of whether the exhibitor is from the UK, the EU or other third countries.
• If data is transferred to third parties outside the EU or the EEA, we will ensure that the transfer only takes place if the data recipient contractually undertakes to comply with equivalent standards of data protection and data security, an adequate level of protection exists at the recipient's premises, you have given your consent, or the transfer is permissible for other reasons, e.g. it is necessary at your request in order to prepare and/or fulfil a contract with you.
• An overview of all foreign representations can be found on our website Foreign Representatives

If a transfer to a third country takes place, we will inform you of the relevant details of the transfer below at the relevant points.

The European Commission certifies that some third countries have data protection standards comparable to those of the EEA through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). 

In other third countries to which personal data may be transferred, however, there may not be a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 (1), (2) (c) GDPR (the standard contractual clauses of 2021 are available at https://eur-lex.europa.eu/legal-content/EN/TXT/? uri=CELEX%3A32021D0915&locale-en), certificates or recognised codes of conduct.

Please use the contact details above if you would like more information on this.

Your personal data will be deleted as soon as the purpose for storing it no longer applies. Storage may also take place if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the controller is subject, or if longer storage is necessary in individual cases due to the assertion or possible assertion of claims against us in connection with a contract or pre-contractual measures. If a legal obligation to retain data prevents deletion, we will initially only block your data and delete it after the retention obligation has expired. 

This provision applies to all data processing operations listed in this declaration, unless otherwise specified in individual cases. 

You are not under any legal or contractual obligation to transmit any personally identifiable data to us. However, in the event that you wish to enter into a contract with us, it will be necessary for you to provide personally identifiable data. If you choose not to transmit any personally identifiable data to us in a given case, you will not be able to enter into a contract with us. 

We use appropriate technical and organisational security measures to protect your personal data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties (e.g. TSL encryption for our website), taking into account the state of the art, implementation costs and the nature, scope, context and purpose of processing as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments. 

We will be happy to provide you with further information on request. Please contact us using the contact details provided above. 

We use appropriate technical and organisational security measures to protect your personal data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties (e.g. TSL encryption for our website), taking into account the state of the art, implementation costs and the nature, scope, context and purpose of processing as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments. 

We will be happy to provide you with further information on request. Please contact us using the contact details provided above. 

As part of the ongoing development of data protection law and technological or organisational changes, our data protection information is regularly reviewed to determine whether it needs to be adapted or supplemented. You will be informed of any changes in particular here.

A. Type and purposes of data-processing, legal basis, data storage

When Information about our company and the services we offer can be found in particular at https://www.hamburg-messe.de and the associated subpages, such as https://www.hmc-reports.de and https://tickets.hamburg-messe.de (hereinafter collectively referred to as ‘websites’). When you use our websites, various personal data is collected. The following provisions explain what data we collect and what we use it for. 

We process the personal data specified above in accordance with the provisions of the GDPR, other relevant data protection regulations and only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 (1) (f) GDPR, the purposes mentioned also represent our legitimate interests. 

If the processing of the data requires the storage of information in your terminal equipment or access to information already stored in the terminal equipment, the processing is also based on Section 25 (1), (2) TTDSG as the legal basis. 

Persons under the age of 16 should not transfer any personal data to us without the consent of their parents or guardians. We do not request personal data from children and adolescents. We do not knowingly collect such data and do not pass it on to third parties (Protection of minors).

(1) Server log files

The provider of our webpages collects and stores information automatically in so-called server log files which your browser programme transmits to us automatically. The information transmitted includes:

• Browser type and version
• Operating system used
• Referrer URL
• HTTP status code and the volume of data transmitted
• Host name of the accessing computer
• Time of the server query
• IP address.

These data are not combined with any other data sources.

The processing of the aforementioned data serves statistical purposes and the improvement of the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 sentence 1 a or f GDPR).

(2) Cookies

We use cookies on some of our web pages. Cookies are small text files that are assigned to and stored on your hard drive by the browser you are using via a characteristic string of characters, and through which certain information flows to the entity that sets the cookie. Cookies cannot execute programmes or transfer viruses to your computer and therefore cannot cause any damage. Cookies serve to make our offer more user-friendly, effective and secure. 

Cookies may contain data that makes it possible to recognise the device used. In some cases, however, cookies only contain information about certain settings that are not personally identifiable. Cookies cannot directly identify a user. 

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, cookies are divided into: 

• Technical cookies: These are essential for navigating the website, using basic functions and ensuring the security of the website. They do not collect information about you for marketing purposes, nor do they store which websites you have visited.
• Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur when using the website; they do not collect any information that could identify you – all information collected is anonymous and is only used to improve our website and find out what interests our users.
• Advertising cookies, targeting cookies: These are used to offer website users tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers.
• Sharing cookies: These are used to improve the interactivity of our website with other services (e.g. social networks). 

Most of the cookies we use are so-called ‘session cookies’. They are automatically deleted at the end of your visit. 

Other cookies remain stored on your device until you delete them. These cookies enable us to recognise your browser the next time you visit. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when you close your browser. If you deactivate cookies, the functionality of our websites may be restricted. 

In addition, we use cookies to personalise content and advertisements, to offer social media features and to analyse traffic to our website. We also share information about your use of our website with our social media, advertising and analytics partners. Our partners may combine this information with other data that you have provided to them or that they have collected as part of your use of their services. All marketing and analytics cookies are only set if you expressly agree to this in the corresponding dialogue box when you first visit a website. You can then change this setting at any time via the ‘Cookies & Tracking’ tab (at the bottom of the website footer). 

The legal basis for cookies that are strictly necessary to provide you with the service you have expressly requested is Section 25 (2) No. 2 TTDSG. Any use of cookies that is not technically necessary for this purpose constitutes data processing, which is only permitted with your express and active consent in accordance with Section 25 (1) TTDSG in conjunction with Article 6 (1) (a) GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. Furthermore, we only pass on your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

(3) Contact form and e-mail contact

When you send us a request using our contact form or by e-mail, we will store your information provided on the enquiry form or in your e-mail message, including the contact information provided by you, for the purpose of responding to your enquiry and any potential follow-up questions. We will not disclose this information to anyone without your consent.

This means that the data you enter into the contact form or e-mail message will be processed exclusively on the basis of our legitimate interest (GDPR, Art. 6(1), p.1 (f).  If the purpose of the e-mail or contact form correspondence is to enter into a contract, GDPR article 6(1), p.1 (b) provides an additional legal basis.

We process the information from the contact form or your e-mail message solely to arrange our interaction with you. This constitutes the required legitimate interest in processing the data. The data provided by you through the contact form or your e-mail message will be stored pursuant to Item I.6. 

(4) Newsletter

With your consent, you may subscribe to our newsletter which we distribute to inform you about our current programmes available to interested parties.

We use the so-called double-opt-in method for newsletter subscription registrations. If you would like to subscribe to our newsletter, which is offered on our webpages, we will need an e-mail address for you. Following your registration using your e-mail address we will send you an e-mail message to the address you provided. In this e-mail message we will ask you to confirm that you agree to receive the newsletter. If you do not confirm your registration within 7 days, your information will be temporarily blocked, and erased automatically no later than seven days thereafter. You will not be required to provide any further data but may do so voluntarily. We will use your data exclusively for the purpose of sending you the required information. We will not disclose your data to any third parties.

The data you enter into the newsletter subscription form will be processed exclusively as agreed by you (GDPR, Art. 6(1), p.1 (a)). The legal basis for sending the newsletter following the sale of products or services is the German Unfair Competition Act (UWG), section 7(3).

You may at any time revoke your consent to the storage of your data and e-mail address and to their use for the purpose of sending you the newsletter, for example by using the link ABMELDEN/UNSUBSCRIBE found in the newsletter, or by sending an appropriate message to the contact address indicated in the Imprint. The legality of any data processing prior to your revocation will remain unaffected.

We will store the data you have provided for the purpose of receiving the newsletter until you cancel your newsletter subscription, and erase your data upon your cancellation as stipulated under Item I.6. Data stored by us for other purposes (e.g. e-mail addresses for the ticket shop or the Online Service Center) will remain unaffected.

(5) Registering on our webpages and on site

(Ticket shop, Online Service Center, Wi-Fi, job applicant management, journalist accreditation, press mailing list, saving favorites)

You may register on our webpages for the use of additional website features. We will use the data entered by you exclusively for the purpose of enabling usage of the relevant services that you have registered for. The information required for registration must be provided in full. We cannot accept incomplete registration.

Registration is required to purchase online tickets. This will require you entering your personally identifiable data, which we need to process your ticket order. The information required for contract performance is marked appropriately. All additional information will be provided at your own discretion. 

The data you provide when you register will be processed on the basis of your consent (GDPR, Art. 6(1), p.1 (a)). You may revoke your consent at any time pursuant to Item I.3.b. You may do so in an informal e-mail message to us. The legality of any data processing performed previously will remain unaffected by your revocation.

To the extent that it is necessary to process personally identifiable data in fulfilment of a contract between ourselves and the Data Subject, Art. 6(1), p.1 (b) of the GDPR provides the legal basis. The same applies to any data processing that is necessary to perform certain pre-contractual activities.

Provided that processing your data is necessary for us to safeguard our legitimate interests, the alternative legal basis will be GDPR, Art. 6(1), p.1 (f). We process the information from the relevant contact form solely for the purpose of providing this or the relevant other service. This constitutes the required legitimate interest in processing the data.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 Para. 1 lit. c DSGVO serves as the legal basis for the processing of this data.

The above also applies to the purchase of tickets to trade events on site. In order to attend trade events, identification as a trade visitor is also required.

In addition, we process your data so that we can put visitors in touch with suitable exhibitors or contact persons as part of our matchmaking service (matchmaking functionality, see II.7).

If you place an ORDER AS A GUEST, we will process your data exclusively for executing the purchasing contract. Your data will not be used for any further marketing purposes unless you have given your express consent to receiving customer messages from us (GDPR, Art. 6(1), p.1 (a)).

In the event of major changes to the services we offer, or any changes necessary for technical reasons, we will use the e-mail address you provided with your registration to notify you accordingly. We may also use your data for marketing purposes among our customer base.

If you purchase an online ticket for a third party (“Bring your Collegue” function, exhibitor passes) in our ticket stores, we process the third party data you provide to us as part of the processing of the order and on the basis of the aforementioned legal bases.
We also process this data in order to inform the third party by system e-mail that an online ticket is available for them and that the registration process must be started. A few weeks before the event, a further system reminder email will be sent if the registration process has not yet been completed. We also process this data in order to provide you with the print@home online function when you purchase your tickets.
A ticket purchase for a third person is only permitted if you are authorized to order the tickets and transmit the data of the third person. The legal basis for the processing of this data is Art. 6 para. 1 sentence 1 lit. b) GDPR. Please inform the third party that their data will be processed in accordance with this privacy policy.

(6) Job applicant registration on our webpages

The “Career” section of our website will take you to our job application portal were you may submit a job application to us.

Your personally identifiable data will be used and processed by us for the purpose of making a hiring decision about you.

The legal basis for processing is Art. 6 (1) lit. b and f GDPR. Furthermore, personally identifiable data may be processed under other provisions of labour and social law as amended, in particular those pertaining to the rights of employees at their place of work. To the extent that processing personally identifiable data is required to fulfil a legal obligation of the Data Controller, the legal basis is Art. 6(1), p.1 (c) of the GDPR.

Personally identifiable data processed for the purpose of making a hiring decision will be deleted as soon as processing is no longer required to arrive at a hiring decision. This means that the duration of data storage depends on the duration of the decision-making process.

Applicants who have received a rejection message will be told upon completion of their application process that HMC would like to store their data for potential future job openings. If this is not desired, the data will be deleted. 

If you have sent us an unsolicited application which does not respond to a specific job opening advertised by us, we will likewise process your personally identifiable data so as to make a hiring decision. The above stipulations apply mutatis mutandis. As a matter of principle, we will erase your data if we do not anticipate being able to make use of your personally identifiable data for making a hiring decision in the foreseeable future, or if you do not want us to store your data for potential future job openings.

Your personally identifiable data may be used to assert, exercise or defend legal claims, provided that you or we have or wish to assert any such legal claims. 

The legal basis of data processing in these cases is GDPR, Art. 6(1), p. 1 (f). In such an event, the Data Controller's or any third party's legitimate interests shall be the assertion, exercise or defence of a legal claim. If you give us your consent to processing your personally identifiable data, your written consent shall at least constitute part of the legal basis of data processing (GDPR, Art. 6(1), p. 1 (a)).

Conceivably, this might result in a storage duration beyond the time at which a hiring decision is made. For example, this would be the case if there is any indication that you might assert legal claims against the Data Controller. In this case, the data will be stored for the amount of time needed to assert, exercise or defend such legal claims. The criteria for determining an appropriate storage duration may include the terms stipulated by the German General Equal Treatment Act (AGG; sec. 15(4)(1)) as well as the German Labour Court Law (ArbGG; sec. 61(b)), as well as statute of limitations rules and legally stipulated retention periods. Furthermore, the data may be stored if such storage is provided for or required under European or national legislation as per EU regulations, laws or other provisions applicable to the Data Controller. If you have agreed to your data being stored for an unlimited time period, your data will be erased as soon as you revoke your consent.

There are no intentions to transmit your applicant data to other countries outside the European Union, however, such transmission cannot be entirely excluded to the extent that it is legally permissible.

You are under no obligation to provide any personally identifiable data to us for the purposes of a job application. However, we are unable to conduct an evaluation of your application without you providing any information allowing us to assess your suitability and availability or to contact you. 

(7) online invitation management tool

At some events we work together with service providers such as Guest Company. The service provider provides us with an online invitation management tool for events which allows us to distribute free (online) invitations, reminders, registration confirmations and admission tickets for events. We have entered into a data processing agreement according to GDPR, Art. 28 with the service providers. Data is processed exclusively for the purpose of sending invitations to a selected group of recipients.

The service provider generally receives the following personal data from us for this purpose:

• Mr/Mrs/Dr
• Title
• First and last name
• Function
• Department
• Company
• Address
• E-mail address

In addition, we may receive data from our cooperation partners which we may have processed by the service provider on their behalf according to GDPR, Art. 28.

The legal basis for processing this data is provided by GDPR, Art. 6 (1) b and f ("legitimate interest") and the German Unfair Competition Act (UWG), section 7(3). The data will be deleted as soon as it is no longer needed for the processing purposes.

You may object to the use of your data for the purposes given above at any time, or revoke your consent, by sending a message to privacy(at)hamburg-messe(dot)de. If you choose to ask for deletion of your personally identifiable data stored by us, we will comply immediately unless our documentation and retention obligations require us to do otherwise. 

If you provide personal data of accompanying persons, we assume that their consent has been obtained. This data will also be deleted after the event.

(8) Social Media

We maintain publicly accessible profiles on social networks and social media channels for public relations, external representation, customer acquisition, advertising and communication with participants in social networks. The legal basis for data processing is the legitimate interest of Hamburg Messe und Congress GmbH in maintaining an appropriate public presence and initiating and maintaining business contacts (Art. 6(1)(f) GDPR). 

Our social sharing is limited to copying the current page URL and linking to the respective platform. No data exchange takes place in this process.

(a) YouTube Plug-In

In order to be able to show you YouTube videos, we may have integrated YouTube, a service provided by Google LLC (hereinafter ‘Google’), 901 Cherry Ave., San Bruno, CA 94066, USA; policies.google.com/privacy into our website. Data processing is carried out based on Art. 6 (1) lit. a GDPR (consent). 

A connection to Google is only established when you agree to this on our site. This sets a cookie in your browser that records this selection. 

The information generated by the cookie about your use of our website is usually transferred to a Google server in the USA and stored there. However, as we have activated IP anonymisation on our website, your IP address will be truncated by Google within member states of the European Union. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there (for more information on the purpose and scope of data collection, please visit https://policies.google.com/privacy?hl=de&gl=de). We have also concluded a contract with Google for order processing in accordance with Art. 28 GDPR. Google will therefore only use all information strictly for the purpose of evaluating the use of our websites for us and compiling reports on website activity. 

You can revoke your consent at any time. To do so, please use one of the following options:

• You inform us that you wish to revoke your consent.
• You can prevent the storage of cookies by adjusting your browser software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
• You can also prevent Google from collecting the data generated by the cookie and relating to your use of our websites (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de).

(b) LinkedIn

As a company, we use the LinkedIn platform provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter referred to as ‘LinkedIn’). 

When you visit our company page on LinkedIn at https://de.linkedin.com/company/hamburg-messe-und-congress-gmbh, your personal data is collected. 

The legal basis for the processing is your consent in accordance with Art. 6 (1) (a) GDPR, § 25 (1) TTDSG, as well as a legitimate interest in accordance with Art. 6 (1) (f) GDPR, in particular in the optimal presentation of the page content and the display of interest-based posts. 

Further information on this can be obtained from LinkedIn at https://de.linkedin.com/legal/cookie-policy?. You can object to the processing at any time on the page www.linkedin.com/psettings/guest-controls/retargeting-opt-out. By using this pixel, LinkedIn creates so-called user profiles and, if necessary, links them to the data from your LinkedIn profile. 

In order to continuously improve the attractiveness of our offering and presence on the platform, we receive anonymised data from LinkedIn via the LinkedIn Insights programme in the form of statistics on visits to our company page. We use this to further optimise communication with LinkedIn users. 

As joint controllers for the data collection that takes place on our company page, we have entered into a joint controller addendum with LinkedIn in accordance with Art. 26 (1) GDPR, which you can access at https://legal.linkedin.com/pages-joint-controller-addendum. 

Further information about data processing by LinkedIn can be found on the page https://de.linkedin.com/legal/privacy-policy?. As part of our company profile on LinkedIn, your personal data is processed in the following cases: 

• Visiting our company page.

• Using the contact form (Lead Gen Form).

• Placing company advertisements. 

When you visit our company page, the legal basis for processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR, in particular in the form of information about company news and advertising for our company. 

When using the contact form, the legal basis for data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. If the communication is aimed at concluding a contract, Art. 6 (1) (b) GDPR also serves as the legal basis. If contact is made with you as a (potential) employee, data processing is also based on Section 26 of the Federal Data Protection Act (BDSG). If you wish us to contact you outside of LinkedIn – for example, to arrange a job interview or because you are interested in our products – we will transfer the data you have provided to us to our general system and process it there for the specified purposes. Otherwise, we will not process your data outside of LinkedIn. 

We do not process any personal data when placing company advertisements. If we place target group-specific advertisements on LinkedIn, we define target groups for LinkedIn that are interested in the advertisements and to whom LinkedIn displays the advertisements. Data processing, in the form of selecting the users to whom the advertisements are displayed, is carried out solely by LinkedIn. 

We process data exclusively within Germany and the EU. Some of LinkedIn's data processing also takes place in third countries outside the EU and the EEA. LinkedIn Corporation is certified under the Privacy Shield and undertakes to comply with European data protection standards (see https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active).

(c) Xing

As a company, we use the platform www.xing.de, a service provided by New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (hereinafter: XING).

You can access our company page at:

https://www.xing.com/pages/hamburgmesseundcongress.

We use this to create posts, for advertising purposes for upcoming events, to advertise job vacancies and for other informational purposes. Personal data is processed in the process.

As the operator of the company profile on Xing, we have access to statistical evaluations of the number of visits to the company profile and the job advertisements we have placed. This data is available in aggregated and anonymised form. It does not allow us to draw any conclusions about individual visitors to the company profile. The legal basis for processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in continuously designing our company page to be attractive and tailored to user interests. 

If users are logged into their XING user account when they visit the company page, information about their visit to the service can be assigned to the respective user account. We have no influence on the interactive functionalities and the visibility of your user activities on Xing. The company profile also offers the option of contacting us via message using the contact details provided. 

We process the information transmitted in this way on the basis of Art. 6 (1) lit. f GDPR (legitimate interest). We use this information solely for the purpose of responding to enquiries in a targeted manner. 

If you have given your consent (e.g. by setting your XING status to ‘actively seeking employment’), we can contact you directly via the platform to offer you suitable job vacancies.

This data is stored and deleted by XING in accordance with XING's data protection regulations. We do not store any further internal company data. This data processing is carried out solely by NEW WORK SE, whose privacy policy can be viewed here: https://privacy.xing.com/de/datenschutzerklaerung. We have no influence on the data collected and data processing operations, nor are we aware of the full scope of data collection, the purposes of processing or the storage periods. 

(d) Instagram

As a company, we use the Instagram platform, a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter referred to as ‘Facebook’). 

As joint controllers for the data processing that takes place on our company page, we have entered into a joint controller addendum with Facebook in accordance with Art. 26(1) of the GDPR, which is available at the following link:

 https://www.facebook.com/legal/terms/page_controller_addendum 

When you use Facebook products – including when you visit our company page – Facebook processes personal data, regardless of whether you are logged into Facebook services. We have no influence whatsoever on the specific design of the processing. Facebook describes in detail which (personal) data is processed, how, for what purposes and on what legal basis in its data policy (https://help.instagram.com/519522125107875?helpref=page_content), which applies to all Facebook products. There you will also find information about how to contact Facebook and how to set your preferences for advertisements, cookies, etc. The data may be transferred to countries outside the European Union. 

When you visit our company page, Facebook collects, among other things, your IP address, the date and time of your request, and the specific page you requested. When you visit our company page, the legal basis for processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR, in particular in the form of information about company news and advertising for our company. Together with other information that Facebook may obtain through cookies, Facebook provides us, as the operator of the company page, with anonymised statistical information about the use of our page (so-called page insights). This is aggregated data that shows how users interact with the page. We are unable to trace this data back to a natural person. Facebook provides more detailed information on this here: https://www.facebook.com/about/privacy.

(e) Facebook 

As a company, we use the Facebook platform. We are jointly responsible with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter ‘Facebook’) for the data processing that takes place on the platform. 

As joint controllers for the data processing that takes place on our company page, we have concluded a joint controller addendum with Facebook in accordance with Art. 26 (1) GDPR, which is available at the following link:

 https://www.facebook.com/legal/terms/page_controller_addendum. 

When you use Facebook products – including when you visit our company page – Facebook processes personal data, regardless of whether you are logged in to Facebook services. We have no influence on the specific design of the processing. 

Facebook describes in detail which (personal) data is processed, how, for what purposes and on what legal basis in its data policy (https://help.instagram.com/519522125107875?helpref=page_content), which applies to all Facebook products. There you will also find information about how to contact Facebook and how to set your preferences for advertisements, cookies, etc. The data may be transferred to countries outside the European Union. 

When you visit our company page, Facebook collects, among other things, your IP address, the date and time of your request, and the specific page you requested. When you visit our company page, the legal basis for processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR, in particular in the form of information about company news and advertising for our company. Together with other information that Facebook may obtain through cookies, Facebook provides us, as the operator of the company page, with anonymised statistical information about the use of our page (so-called page insights). This is aggregated data that shows how users interact with the page. We are unable to trace this data back to a natural person. Facebook provides more detailed information on this here: https://www.facebook.com/about/privacy.

(9) Web Analytics

We use applications on our website to evaluate visitor behaviour on the website and to continuously develop our offering on this basis. 

(a) Google Analytics 

Our websites use the web analytics service Google Analytics. 

If you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). Google Analytics uses ‘cookies’, which are text files placed on your computer, to help the website analyse how users use the site. 

Processed data 

For this purpose, Google collects data to identify your browser, as well as when and how often you have visited our web pages, how long you have stayed on the web pages and how you have interacted with the web pages. 

Purpose of processing 

On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage to the website operator. For this purpose, we have concluded a contract with Google for data processing. 

The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data. 

IP truncation 

This website uses Google Analytics with the extension ‘anonymizeIp()’. This means that IP addresses are truncated before being processed, thus ruling out any personal references. If the data collected about you is personal, it will be immediately excluded, and the personal data will be deleted immediately. 

Legal basis 

We use Google Analytics to analyse and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. The legal basis for the use of Google Analytics is Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (consent). 

The data sent by us and linked to cookies, user IDs (e.g. user ID) or advertising IDs is automatically deleted after 26 months due to the event cycles. Data that has reached its retention period is automatically deleted once a month. 

Right of withdrawal You can withdraw your consent at any time. To do so, please use one of the following options:

• You inform us that you wish to withdraw your consent.
• You can prevent the storage of cookies by adjusting your browser software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
• You can also prevent Google from collecting the data generated by the cookie and relating to your use of our websites (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de). 

Third country transfer 

If data is processed outside the EU/EEA and there is no level of data protection that meets European standards, we have concluded standard contractual clauses with Google to ensure an adequate level of data protection[E3]. The parent company of Google Ireland, Google LLC, is based in California, USA. The transfer of data to the USA cannot be ruled out. 

An adequacy decision by the European Commission (EU-US Privacy Framework) currently exists for the USA. Google LLC is certified under the EU-US Privacy Framework. Google servers are distributed worldwide and transfer to other third countries cannot be completely ruled out. For more information on the terms of use of Google Analytics and data protection at Google, please visit: 

https://marketingplatform.google.com/about/analytics/terms/de/and https://policies.google.com/?hl=de 

Demographic characteristics in Google Analytics 

Our website uses the ‘demographic characteristics’ function of Google Analytics. This allows reports to be created that contain information about the age, gender and interests of site visitors. 

This data comes from interest-based advertising by Google and from visitor data from third-party providers. This data cannot be attributed to any specific person. 

You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the section ‘Objection to data collection’.

(b) Matomo

We use the open-source software tool Matomo on our website to analyse the surfing behaviour of our users. This is an open-source web analytics tool from InnoCraft, 150 Willis St, 6011 Wellington, New Zealand.

This allows us to find out how you use this website and to continuously improve and develop our internet presence and our public offering.

We only use Matomo if you have given us your prior consent. Matomo does not collect session data without your consent. Matomo does not transfer any personal data to servers outside the European Union.

Matomo uses cookies. These text files are stored on your computer and enable us to analyse the use of our website. For this purpose, the usage information obtained by the cookie is stored so that we can evaluate usage behaviour. 

Your IP address is an anonymous identifier for us; we have no technical means of identifying you as a registered user. You remain anonymous as a user.

We consider this analysis to be part of our internet offering. We would like to use it to further improve our website and tailor it even better to the needs of our users.

If you agree to web analysis with Matomo, the following data is collected when you visit individual pages of our website:

• Anonymised IP address of the user's accessing system.
• The accessed website (page URL, page title, clicked or downloaded files)
• The website from which the user accessed the accessed website (referrer URL)
• The subpages accessed from the accessed website (date and time of the visit; links to external domains clicked on, number of visits)
• The length of time spent on the website
• The frequency with which the website is accessed
• Information about the user's device (browser information, device information, screen resolution, user ID, time zone, geographical location)

The software runs exclusively on our website's servers. The users' personal data is also stored there.

You can decide whether a web analysis cookie may be stored in your browser so that we can collect and evaluate statistical data.

Data processing only takes place on this basis and in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (consent).

The processing of users' personal data enables us to analyse the surfing behaviour of our users. By evaluating the data obtained, we can compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. We have no interest in evaluating information about you as a person. However, from a technical point of view, the analysis of usage behaviour requires assignment to an individualised identifier. Matomo therefore anonymises the IP address, which is in line with users' interests in protecting their personal data.

Data is not passed on to third parties. The data collected is also not used for purposes other than those specified above, in particular not for performance or behaviour monitoring of website visitors.

The data is deleted as soon as it is no longer required for our collection purposes. The maximum storage period for cookies is 1 year and 1 month. The statistics generated no longer contain any personal data. The deletion periods for these evaluations may vary. Further information on the deletion periods for cookies can also be found in our cookie settings.

Further information on the data protection settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/.

(10) Online advertisements

User behaviour on our webpages is evaluated in pseudonymised form for the purpose of matching advertisements with your personal interests. The information captured includes data about your activities on this website (e.g. surfing behaviour, sub-pages visited, time spent on each page, etc.). Without your express consent, this information will not be combined with the identity of the bearer of the pseudonym.

Unless otherwise specified below, the legal basis for this is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in being able to provide you with information about our offers as accurately as possible within the scope of direct marketing (EG 47 to the GDPR). 

(a) Aumago

We work together with Aumago GmbH (“Aumago”), Berlin, a target audience marketing firm. Aumago uses so-called cookies, text files which are saved by the browser of the computer. Pseudonymised usage information is collected in the form of cookie IDs and advertisement IDs without any IP addresses. Cookie IDs and advertisement IDs without an IP addresses do not provide enough information to identify a natural person behind the browser / user.

Based on the surfing behaviour (websites, categories and product pages visited), Aumago assumes a certain interest in a specific B2B industry sector and uses this information on our behalf to send usage-based online marketing messages in a more targeted manner. The cookies can be synchronised with those from other platforms in a process referred to as Cookie Matching. For example, cookie matching may be performed for: Google, Doubleclick, Adition, Appnexus, Mediamath, The Trade Desk, Adform, Active Agent, yieldlab.

The relevant cookies are either Aumago cookies or cookies from third-party service providers contracted by Aumago, such as TheADEX GmbH, Berlin. Users may opt out using the following link at any time to express their disagreement with this cookie tracking. This will cause a so-called opt-out cookie to be set. The OptOut cookie only works if it is not prevented from being stored on the computer, or deleted, by browser settings. If the opt-out cookie is deleted, the user must opt out again. As alternative options, the user may delete the cookies directly from the browser files, set the Do-not-track option of the browser, or go here to manage his or her cookie preferences. If you would like to find out what information your cookie has captured, please send us your cookie ID.

(b) Google adsense

Our websites use the online advertising service Google AdSense which allows advertisements to be custom-tailored to your personal interests. We use this service for the purpose of presenting you with advertisements which might be of interest to you so as to enhance the value of our website to you. To this end, the service captures statistical information about you which is then processed by our advertisement partners. These advertisements can be identified by the inserted note "Google ad” or “Google-Anzeigen”, respectively.

When you visit our webpages, Google is notified that you have accessed them. To obtain this information, Google uses a web beacon to install a cookie on your computer. The data that is transmitted at this time is detailed under Item II.1. of this policy. The type of data collected is beyond our control and we have no precise knowledge of the scope of the data collection and the duration of data storage. Your data will be transmitted to USA for evaluation. If you have logged on to your Google account, your data can be directly assigned to your account. If you do not wish your page usage data to be assigned to your Google profile, please log off from your Google user account. Your data may be disclosed to Google contractors, other third parties as well as government authorities. The legal basis for processing your data is GDPR, Art. 6(1), p. 1 (f). This website does not include any third-party advertisements via Google AdSense.

There are various ways for you to prevent installation of Google AdSense cookies: (a) Modify your browser settings. Specifically, suppressing third-party cookies will prevent you from receiving third-party advertisements. (b) Disable interest-related Google advertisements using the link www.google.de/ads/preferences; please note that this setting will be deleted when you delete your cookies. (c) Use the link www.aboutads.info/choices to disable interest-related advertisements from providers who have joined the self-regulating campaign “About Ads”. This setting will be deleted when you delete your cookies. (d) If you are using Firefox, Internet Explorer or Google Chrome as a browser, you can disable these cookies permanently by following this link: www.google.com/settings/ads/plugin. Please be advised that by so doing you may not be able to use the full range of features offered by this website.

For further information regarding the purpose and scope of data collection and processing, as well as additional information on your related rights and your configuration options to protect your privacy, please contact: Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; data privacy terms and conditions for advertisements: www.google.de/intl/de/policies/technologies/ads.

(c) Google adwords and google conversion tracking

Our webpages may use Google AdWords to advertise our attractive services on third-party webpages using so-called Google AdWords. We can assess the success of individual advertisements using the advertising campaign data. We use this service for the purpose of presenting you with advertisements which are of interest to you, to enhance the value of our website to you, and to achieve fair advertising cost levels. AdWords is an online advertising application provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).

In connection with the use of Google AdWords we also use a technology called Conversion Tracking. Whenever you click an advertisement provided by Google, a conversion tracking cookie is set. Cookies are small text files the user's Internet browser installs on the user’s computer. These cookies expire after 30 days and are not used to make the user personally identifiable. If the user visits specific pages of our website before the cookie expires, both Google and we can recognise that the user has clicked the advertisement and was redirected to that page. Analytics items typically stored along with this cookie include the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) as well as opt-out information (flags indicating that a user no longer wishes to be approached).

Each Google AdWords customer receives an individual cookie. These cookies cannot be tracked by the websites of AdWords Customers. The information collected by the conversion cookies is used to create conversion statistics for AdWords customers who have agreed to use conversion tracking. These customers are told how many users have clicked their advertisement and been redirected to a page bearing a conversion tracking tag. However, they do not receive any information allowing them to personally identify any users. If you do not wish to participate in conversion tracking, you may easily object to the use of this feature by disabling the Google Conversion Tracking cookie in your Internet browser's user settings. When you have done this, you will not be included in any conversion tracking statistics. We exclusively receive statistical evaluations from Google. These evaluations allow us to determine which of our advertisements have been most effective. We do not receive any other data from the use of our advertisements. In particular, we are unable to identify individual users based on this information.

Based on the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google's use of this tool. Therefore we can only provide the following information based on our current knowledge: By incorporating AdWords Conversion, Google learns that you have accessed a particular section of our website or clicked on one of our advertisements. If you are registered for a Google service, Google may assign your visit to your account. Even if you're not registered or logged on to Google, the provider may obtain and store your IP address.

You can prevent being included in this tracking procedure in several ways:

a)    By setting your browser software accordingly; in particular, suppressing third-party cookies will prevent you from receiving any advertisements from third-party providers;

b)   By disabling cookies for conversion tracking. To do this, set your browser to block cookies from the domain “www.googleadservices.com”, www.google.de/settings/ads; however, this setting will be deleted if you delete your cookies;

c)    By disabling interest-based advertisements from providers who have joined the self-regulating campaign "About Ads” using the link www.aboutads.info/choices. This setting will be deleted if you delete your cookies;

d)   If you are using Firefox, Internet Explorer or Google Chrome as a browser, by disabling these cookies permanently via this link: www.google.com/settings/ads/plugin. Please be advised that by so doing you may not be able to use the full range of features offered by this website.

The legal basis for the processing of your data is your consent in accordance with Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

For further information on Google's data privacy protection please visit: www.google.com/intl/de/policies/privacy or services.google.com/sitestats/de.html. As an alternative, you may visit the website of the Network Advertising Initiative (NAI) at www.networkadvertising.org.

(d) Google analytics remarketing

Our webpages may use Google Analytics Remarketing functionality in combination with the multi-device features of Google AdWords. This functionality is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

These features allow the advertising target audiences generated using Google Analytics Remarketing to be linked with the device-independent features of Google AdWords. This means that personalised advertising messages can be adapted to your interests based on your previous user and surfing behaviour on one of your devices (e.g. smartphone) and presented on any of your other devices (e.g. tablet or PC).

Provided that you have given your consent, Google will match your web and app browser history with your Google account for this purpose. As a result, the same personalised advertising messages can be displayed on any device that is logged on to your Google account.

To support this feature, Google Analytics captures Google-authenticated user IDs, which are then temporarily combined with our Google Analytics data to define and create target audiences for advertisement across devices.

You may object to cross-device remarketing/targeting permanently by disabling personalised advertising in your Google account using the following link: www.google.com/settings/ads/onweb/.

For more information please read the Google privacy policy at: www.google.com/policies/technologies/ads/.

(e) Facebook custom audiences (pixel)

Our webpages may use the visitor activity pixel by Facebook (Facebook Custom Audiences), Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) to measure conversion. This enables users of our webpages visiting the social media network Facebook or any other websites using the same method to see interest-related advertisements ("Facebook Ads”). We use this service for the purpose of presenting you with advertisements which are of interest to you so as to enhance the value of our webpages to you.

Based on the marketing tools used, your browser automatically establishes a direct connection with the Facebook server. We have no influence on the scope and further use of the data collected by Facebook's use of this tool. Therefore we can only provide the following information based on our current knowledge: By incorporating Facebook Custom Audiences, Facebook learns that you have accessed a particular section of our website or clicked one of our advertisements. If you are registered for a Facebook service, Facebook may assign your visit to your account. Even if you are not registered or logged on to Facebook, the provider may obtain and store your IP address and other identification information.

This is done to track the behaviour of visitors of our pages. It allows us to evaluate the effectiveness of Facebook advertisements for statistical and market research purposes and to optimise future advertisement campaigns.

For us as operators of our website, the data collected in this way remains anonymous, and we are unable to draw any conclusions regarding the identity of any user. However, Facebook will store and process this information. This means that linking it with the relevant user profile is possible, and Facebook may use this information for its own advertising purposes according to the Facebook policy on the usage of user data. This method allows Facebook to place advertisements on Facebook pages as well as non-Facebook websites. As the operator of our website, we have no influence on the way this data is used.

The legal basis for the processing of your data is your consent in accordance with Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

For more information on the way Facebook processes user information please visit www.facebook.com/about/privacy.

For further information about the protection of your privacy please refer to the data privacy policy of Facebook: www.facebook.com/about/privacy/.

You may also disable the remarketing feature called “Custom Audiences” in the advertisement settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen after logging on to Facebook.

If you do not have a Facebook account, you may disable usage-based Facebook advertisements by going to the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

(f) LinkedIn Insight Tag

With your consent, we use the conversion tracking technology and the retargeting function of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA on our website. This technology enables visitors to our website to be shown personalized advertisements on LinkedIn. It is also possible to generate anonymous reports on the performance of the advertisements and information on website interaction. For this purpose, the LinkedIn Insight Tag is integrated on this website, which establishes a connection to the LinkedIn server if you visit this website and are logged into your LinkedIn account at the same time. We would like to point out that, as the provider of the website, we have no knowledge of the content of the data transmitted or its use by LinkedIn. The information about your use of our website recorded by the LinkedIn Insight Tag is encrypted. The cookie is stored in the LinkedIn member's browser until the member deletes the cookie or it expires (the expiry date is six months after the member's browser last loaded the insight tag).

The data processing takes place on the basis of your consent and thus on the legal basis of Art. 6 Para. 1 lit. a) GDPR. You can object to the collection and use of your data to display LinkedIn Ads at any time or revoke your consent, e.g. by changing your cookie settings on our site accordingly. LinkedIn members have the option of opting out of LinkedIn conversion tracking and blocking and deleting cookies or deactivating demographic characteristics at www.linkedin.com/psettings/advertising/. In the LinkedIn settings, there is no separate opt-out option for third-party impressions or click tracking for campaigns running on LinkedIn, as all underlying campaigns respect the settings of LinkedIn members. You can also deactivate the LinkedIn Insight Conversion Tool and interest-based advertising as a non-member by opting out at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

In the data protection guideline of LinkedIn at https://www.linkedin.com/legal/privacy-policy you will find further information on data collection and data usage as well as the possibilities and rights to protect your privacy.

(g) Adform

Our webpages may use the conversion-tracking service of Adform Germany GmbH (below “Adform”) to advertise our attractive services on third-party webpages with suitable means. We can assess the success of individual advertisements using the advertising campaign data. We use this service for the purpose of presenting you with advertisements which are of interest to you, to enhance the value of our website to you, and to achieve fair advertising cost levels.

Cookies are used to measure advertisement success based on specific parameters such as advertisements viewed or user clicks. The cookie is set as soon as you establish contact with an advertisement feature (e.g., a banner) provided via Adform for a Hamburg Messe und Congress GmbH event. The cookie will contain an advertisement ID and remain valid for 60 days. It does not capture any attributes (such as you complete IP address, your first and last name, your address, your e-mail address) that would allow anyone to identify you personally. However, the advertisement ID tells us which advertisement feature made you aware of the Hamburg Messe und Congress GmbH event in question. Hamburg Messe und Congress GmbH will never attempt to merge the advertisement ID with personally identifiable data.

Users who do not wish to participate in conversion tracking can deactivate the Adform cookie via their browser at http://site.adform.com/privacy-policy/de.

The legal basis for processing your data is GDPR, Art. 6(1), p. 1 (f). For further information on Adform's data privacy protection please visit: https://site.adform.com/privacy-center/overview. 

(h) EPROFESSIONAL

To analyse the use of our web pages for the purposes of various advertising methods, we use a tracking tool provided by our Data Processor EPROFESSIONAL GmbH, Heidenkampsweg 74–76, 20097 Hamburg in connection with selected events (GDPR, Art. 6(1)(f)).

This tool uses a pixel tag to transmit the following information: HTTP header information, such as the anonymised IP address, the web browser you use, the website URL, the date and time, pixel tag-specific data, including the pixel tag ID and cookie ID, as well as additional information about the visit of our web pages, for example, any orders placed.

You may disable the tracking tool at any time by going here.

(j) Quantcast Pixel

The POLARIS CONVENTION ticket shop uses the website tag from Quantcast (Quantcast Pixel), Quantcast Inc, 201 3 rd St, Floor 2, San Francisco, CA 94103-3153, USA ("Quantcast") for conversion measurement. This enables interest-based advertisements ("Programmatic Advertising") to be displayed to users of our websites. Our interest in doing so is to show you advertising that is of interest to you.

If you agree to the use of marketing cookies, your browser automatically establishes a direct connection with the server of Quantcast. Through the integration of Quantcast pixels, Quantcast receives the information that you have accessed the corresponding web page of our website or clicked on an advertisement from us. The personal information Quantcast collects does not include information that can be used to identify you directly (for example, Quantcast does NOT collect your name or email address). However, Quantcast does collect information that can indirectly identify you. Some information transmitted by cookies and tags, including log data, is personal information.

Quantcast may also receive some information about you from third parties and may combine this information with personal information we have collected about you ourselves. Although Quantcast makes predictions about your interests and demographics based on this information, Quantcast does not know who you are.

Likewise, the data collected is anonymous to us as operators of our websites; we cannot draw any conclusions about the identity of users.

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in the specific evaluation and improvement of our offering.

For more information on data processing by Quantcast, please visit www.quantcast.com/privacy/.
You can find further information on the protection of your privacy in Quantcast's data protection information: https://www.quantcast.com/privacy/

You can object to the collection and use of your data for the future by setting an opt-out cookie in your browser by clicking on this link: https://www.quantcast.com/opt-out/.

(j) Tik Tok Pixel

We use the TikTok Pixel in the POLARIS CONVENTION ticket shop. The TikTok Pixel is a TikTok Advertiser Tool of the two providers
- TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and
- TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (both are hereinafter jointly referred to as "TikTok").
The TikTok Pixel is a JavaScript code snippet that allows us to understand and track visitors' activity on our website. For this purpose, the Tiktok Pixel collects and processes information about visitors to our website or the devices they use (so-called event data). For example, when you purchase a product on our website, the TikTok Pixel is triggered and stores your actions on our website in one or more cookies.
Event data collected through the TikTok Pixel is used for targeting our ads and improving ad delivery and personalized advertising. For this purpose, event data collected on our website using the TikTok Pixel is transmitted to TikTok. TikTok uses email or other login or device information to identify users of our website and associate their actions with a TikTok user account.
In part, this event data is information stored in the device you are using. In addition, cookies are also used via the TikTok Pixel, through which information is stored on your end device used. Such storage of information by the TikTok Pixel or access to information already stored in your terminal device will only occur with your consent. The legal basis for the collection and transmission of personal data by us to TikTok is therefore Art. 6 (1) a DSGVO. You can revoke your consent at any time via our Consent Management Tool.
TikTok is the sole controller for the processing of the transmitted event data following the transmission. TikTok uses this data to display targeted and personalized advertising to its users and to create interest-based user profiles. The collected data is anonymous and not visible to us and is only used for us in the context of measuring the effectiveness of ad placements. For more information about how TikTok processes personal data, including the legal basis on which TikTok relies and how you can exercise your rights against TikTok, please see TikTok's Data Policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.
For more information about TikTok's data processing, please visit https://www.tiktok.com/legal/privacy-policy-eea?lang=de.

(11) Other third-party services

We also use the following third-party services:

(a) Linotype Web Fonts

This site uses web fonts provided by Monotype GmbH, Werner-Reimers-Straße 2-4, 61352 Bad Homburg, Germany (also known as ‘Linotype’ or ‘linotype.com’) to ensure consistent and correct font display. JavaScript code is reloaded into your browser for this purpose. When you visit a page, your browser also loads the required web fonts into your browser cache. Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG.

If you have enabled JavaScript in your browser and do not use a JavaScript blocker, your browser may transmit personal data to Linotype. We do not know what other data Linotype links to the data it receives and for what purposes Linotype collects and uses the data.

If your browser does not support web fonts, a standard font from your computer will be used instead. If you want to prevent JavaScript code from being executed altogether, you can install a JavaScript blocker, e.g. from www.ghostery.com.

Further information on Linotype web fonts and the corresponding data protection guidelines can be found at https://www.linotype.com/de/2061-18846/datenschutzrichtlinien.html.

(b) Google Web Fonts

This site may use so-called web fonts provided by Google to ensure uniform font display. When you visit a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.

For this purpose, the browser you are using must connect to Google's servers. This allows Google to know that our web pages have been accessed via your IP address. The use of Google web fonts is in the interest of a uniform and appealing presentation of our online offerings. Processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

If your browser does not support web fonts, a standard font from your computer will be used.

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy.

(c) Google Maps

Our webpages may use Google Maps through an API. This functionality is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To use the features of Google Maps it is necessary to store your IP address. This information is typically transmitted to, and stored on, a Google server located in the USA. The provider of this webpage has no influence on the transmission of these data.

We use Google Maps to improve the appearance of our online services and make sure the localities described in our webpages can be found easily. This constitutes a legitimate interest as stipulated by GDPR, Art. 6(1)(f).

For more information about the handling of user data please read the Google data privacy policy.

(d) Audience Response Systeme/Interaction tools

Use of the Slido interaction tool (polls & chats)

During some of our events, participants can use the Slido interaction tool to take part in surveys, cast votes or send questions and impulses via the chat function. The use of Slido is optional and the event can also be followed without Slido.

Q&A: The Q&A function gives participants the opportunity to ask the speakers questions and thus become an active part of the event. For this purpose, participants can ask questions to the speakers after registering (depending on the setting with name only or with name and e-mail address or even without registering at all). After possible moderation, these questions are passed on to the speakers and also made visible to other participants.

Live Polls / Surveys: With the help of the survey function, participants get the chance to share their opinion and take part in surveys. To do this, participants can take part in publicly switched polls after registering (depending on the setting, with name only or with name and e-mail address or even without registering at all).

If the interaction tool is used, this requires the consent of the participants to the use of data by Slido s. r. o.. The corresponding privacy policy can be found on the homepage of Slido s. r. o. (www.sli.do/terms#privacy-policy).

The request for consent is made on the event page via a so-called two-click solution (double opt-in). This means that before the interaction tool is used, reference is made to the privacy policy of the operator of the tool and the consent or agreement to the use of data is given in the form of a click. After that, the interaction tool can be used in the form of a second click. Personal data will only be transmitted after consent has been given.

The data processed by Slido include: Name, e-mail address, company (optional), questions asked, answers to polls, IP address, information about the device used (hardware model, operating software used), time of access, TSL protocol, TSL certificates, information about any system crashes of the interaction tool, hardware settings, language settings, query of pre-installed cookies to identify the browser or any Slido account (if installed on the device used).

b. Data security on our webpages

We would like to point out that security gaps can never be completely ruled out when transferring data over the Internet (e.g. when communicating by e-mail). It is not possible to completely protect data from access by third parties. We have taken appropriate technical and organisational measures (Art. 32 GDPR) to protect your data as comprehensively as possible:

For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator, these web pages use SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from ‘http://’ to ‘https://’ and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

c. Encrypted payment transactions

If you have entered into an agreement with us that includes a payment obligation which requires transmission of your payment information to us (e.g. account number for us to withdraw a specified amount), this information is needed to carry out the financial transaction.

All payments using common payment methods (such as Visa/MasterCard, PayPal) are exclusively transacted through encrypted SSL or TLS connections. You can recognise an encrypted connection when the beginning of your browser's address line switches from “http://" to “https://”, and a small lock symbol appears next to it.

Encrypted communication prevents third parties from reading any information you send to us.

We have installed video cameras on our premises. In the event that our video cameras record any images of you, your personally identifiable data may be subject to processing. We use our video cameras to protect our property (or the property of third parties) or our householder's rights (or those of third parties). Ostentatious video monitoring is intended to be preventive and, by being obvious, avert any potential hostile activities directed against us. Furthermore, recorded video footage may be used to investigate criminal acts and other relevant events. It also permits us to prosecute criminal acts, enforce legitimate claims and provide legal evidence. Video monitoring also allows us to control vehicle and visitor traffic on our premises. Finally, video recordings may, within the scope of applicable law in a given case, may serve the purpose of uncovering violations of work or training-related responsibilities and provide evidence of the circumstances thereof. In such cases, video recordings are used to enforce specific measures under employment law up to and including termination of an existing work or training relationship.

The legal basis for processing this data for the purpose of protecting property and our householder's rights is GDPR, Art. 6(1), p. 1 (f). The Data Controller’s legitimate interests in processing the data are described in the paragraph above. To the extent that the data processed is video footage showing the behaviour of an employee, trainee or job applicant, data processing is covered by the provisions of the GDPR in connection with the German Federal Data Protection Act (BDSG), section 26.

Since storage of the data is based upon due balancing of the Data Controller's interests and those of the Data Subject, the existing interests and any change thereof are key criteria for the duration of storage. As a matter of principle, the data will be erased as soon as the Data Controller's legitimate interests no longer exist or no longer supersede your interest in erasure. Video recordings are never stored for more than a few days. In the event that video recordings are required to assert, defend or exercise legal claims, enforce employer measures or serve as evidence and aid in the investigation of specific facts, this data will be stored until these purposes have been achieved.

Further exceptions from the erasure rules may arise from the provisions of the GDPR and German Federal law, in particular the German Privacy Act (BDSG).

If you give us your business card or tell us your contact information by telephone expressly for business purposes the first time you contact us, we will submit this Data Privacy Policy to you based on your consent (GDPR Art. 6(1)(a)) given during our first electronic correspondence (follow-up or newsletter), or based on your consent to pre-contractual activities.

You may revoke your consent at any time. You may do so in an informal e-mail message to privacy(at)hamburg-messe(dot)de.

During your visit, you have the option of having your admission ticket scanned by an exhibitor/visitor in order to participate in lead tracking. In this case, we will transfer your personal data (salutation, title, surname, first name, company, street, postcode, town, email address and, where applicable, industry information) to this exhibitor/visitor. The exhibitor/visitor can then use your data for the purpose agreed with you individually. This function serves to enable you to contact the exhibitor/visitor more quickly and easily. 

The legal basis for the processing of your personal data is your legitimate interest in a quick and uncomplicated exchange of contact details with other exhibitors/participants, Art. 6 (1) (f) GDPR. Our legitimate interest is to transfer the data to the exhibitor/visitor in accordance with your request. 

We store the personal data in accordance with Section I.8.

You may use our wireless computer network in our conference and event buildings free of charge. To do so you must register with us. The following data must be provided for registration: 

• Form of address,
• First and last name,
• E-mail address. 

We will process this data for the purpose of providing our wireless computer network, defending ourselves against third-party claims, and managing our customers, in particular, providing you with event-specific information e-mails relating to the events you visit. 

If you choose to use a premium account for a fee, your data will also be processed by us or a service partner contracted by us for the purposes of contract execution. 

The information required for registration must be provided in full. We cannot accept incomplete registration. 

The data you provide through your registration will be processed for the purpose of contract performance (GDPR, Art. 6(1), p.1 (b)). The legal basis for processing personally identifiable data is GDPR, Art. 6(1), p. 1 (f). 

Our legitimate interests are the provision of our wireless computer network and defending our legal claims if applicable. 

We will save your personally identifiable data pursuant to Item I.6.

When we organise lotteries (tombolas, competitions etc.) we collect personal data form the participants for the purpose of carrying out the lottery. Depending on the specific occasion, this personal data may include, without being limited to, the following:

• Name
• E-mail address
• Form of address (voluntary)
• Telephone Number (voluntary)

The personal data we collect will be processed as required to conduct the respective lottery. The legal basis for this is GDPR, Art. 6(1)(f). Our legitimate interest consists in offering lotteries to you while raising your awareness of our own, internally-organised events. Furthermore we may use your personal data to inform you by e-mail about our own events (the legal basis being GDPR, Art. 6(1)(f)). You may object to such data processing at any time by sending a message to privacy(at)hamburg-messe(dot)de. Your data will be deleted once it is no longer necessary to store it. In the event of statutory retention obligations, we will restrict processing.

Provided that we make a prize available to you under our contractual obligation when conducting a lottery, we do so on the basis of GDPR, Art. 6(1)(b). To this end we may disclose your data to the sponsor of the lottery, if required (which is always a company that is in some way connected to our own events).

Swapcard
At some of our events, functions and content of the service Swapcard, offered by SWAPCARD CORPORATION SAS, 6 Rue du Paradis, 75010 Paris, France, are integrated in cooperation with Informa Markets, 240 Blackfriars Rd, London SE1 8BF, Great Britain. By participation in the event, the Client can access the platform automatically in order to network with other participants before, during and after the event.

The following customer data is stored on the platform:

• Account name
• Title
• Salutation
• Surname
• First Name
• Email address
• Company name
• Fax number
• Street address
• Post code
• Town
• Region
• Country code
• Country code
• Position
• Phone number
• Ticket type of person for the fair
• Function in the company
• Department in the company
• Branch of the company

As a user, the Client has the option of deciding whether he or she wants to be visible to other participants. An order processing agreement has been concluded with Swapcard. The Client's data is processed by Swapcard exclusively on the servers of AWS in Ireland within the European Union. The legal basis for the processing of personal data is Art. 6 (1) lit b and f GDPR. Further information on data protection and data processing at Swapcard can be found here: https://www.swapcard.com/privacy-policy

In our parking facilities, which are operated ticketless, the registration number of our employees, service providers and business partners is recorded in accordance with GDPR, Art.6 Para. 1 lit. f as well as § 4 Federal Data Protection Act due to our legitimate interest, mainly for the purpose of safeguarding the right of access and entry control. Automatically recorded data will be deleted immediately after leaving the parking facility, unless there is a concrete reason for longer storage.

We would like to inform you below about the processing of personal data in connection with the use of ‘Microsoft Teams’.

(a) Purposes and legal bases of processing

We use the ‘Microsoft Teams’ tool to conduct telephone conferences, online meetings and/or video conferences (hereinafter: ‘online meetings’). ‘Microsoft Teams’ is a service of Microsoft Corporation

Please note that this data protection notice only informs you about the processing of your personal data by us if you hold online meetings with us. If you access the ‘Microsoft Teams’ website, the provider of ‘Microsoft Teams’ is responsible for data processing. If you require information about the processing of your personal data by Microsoft, please refer to the relevant Microsoft statement

Various types of data are processed when you use ‘Microsoft Teams’. The scope of the data also depends on the data you provide before or when participating in an ‘online meeting’.

The following personal data is processed

• IP address
• User details: e.g. display name (‘display name’), e-mail address if applicable, profile picture (optional), preferred languag
• Meeting metadata: e.g. date, time, meeting ID, telephone numbers, locatio
• Text, audio and video data: You may have the option of using the chat function in an ‘online meeting’. In this respect, the text entries you make are processed in order to display them in the ‘online meeting’. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the ‘Microsoft Teams’ applications.

The legal basis for data processing when conducting ‘online meetings’ is your consent in accordance with Art. 6 para. 1 letter a and/or Art. 6 para. 1 letter b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships

If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) GDPR. Our interest here is in the effective organisation of ‘online meetings’ to improve communication.

(b) Recipients / disclosure of personal data

Personal data that is processed in connection with participation in ‘online meetings’ is not passed on to third parties unless it is specifically intended to be passed on. Please note that content from ‘online meetings’ as well as face-to-face meetings is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on

Other recipients: The provider of ‘Microsoft Teams’ necessarily receives knowledge of the above-mentioned data, insofar as this is provided for in our order processing contract with ‘Microsoft Teams’.

(c) Transfer of personal data to a third country

‘Microsoft Teams’ is part of Microsoft Office 365 and a service offered by a European subsidiary of Microsoft Corporation based in the USA. Data processing with Office 365 takes place on the basis of the Microsoft EU Data Boundary on servers in data centres in the European Union in Ireland and the Netherlands

Nevertheless, we cannot completely rule out the possibility that Microsoft Corporation or US security authorities may have access to the circumstances and content of communication via Microsoft Teams. Microsoft Corporation may also have access to the data in the context of remote maintenance. However, if data can also be processed by Microsoft outside the EU, we take appropriate and reasonable measures to ensure an adequate level of data protection, e.g. by concluding so-called EU standard contractual clauses

Microsoft reserves the right to process usage data for its own legitimate business purposes. We have no influence on this data processing by Microsoft. To the extent that ‘Microsoft Teams’ processes personal data in connection with legitimate business purposes, Microsoft is independently responsible for these data processing activities and as such is responsible for compliance with all applicable data protection regulations. If you require information about the processing by Microsoft, please consult the relevant Microsoft statement or contact Microsoft directly. You can find information on this here: privacy.microsoft.com/de-de/privacystatement or learn.microsoft.com/de-de/microsoftteams/teams-privacy.

(d) Duration of storage of personal data

We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfil contractual services, to check and grant or defend against warranty and guarantee claims.

If the data is no longer required for the fulfilment of the processing purposes described above, it will be deleted unless its - temporary - further processing is required for the following purposes

Fulfilment of retention obligations under commercial and tax law: The German Commercial Code (HGB) should be mentioned. The retention and documentation periods specified there are up to ten years

Preservation of evidence within the framework of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

The following processing operations are stored for an explicitly defined period:

• Login data and IP addresses are deleted at the latest after Microsoft's standard period/setting (currently 90 days ).
• The chat content during an online meeting is logged when using ‘Microsoft Teams’ and remains in the chat histories of all meeting participants.
• Recordings of online meetings are automatically deleted after the standard Microsoft period/setting (currently 60 days).

For the first time, we are offering a WhatsApp chatbot at INTERNORGA 2025 to communicate with our customers, send current information and offers, and provide customer support. It is used via the official WhatsApp Business API in conjunction with the technology provider ManyChat, Inc. (535 Everett Ave, Palo Alto, CA 94301, USA, hereinafter referred to as "ManyChat").

When using this service, the following types of personal data are processed:

• Your telephone number
• Your WhatsApp profile name
• Your first name (if available)
• Your communication and interaction data in the chat
• Your click behavior within the chat
• Publicly visible information from your social media profiles (if relevant)
• Your navigation behavior on our website
• Other data you enter as part of the chat interaction
• Technical log data (IP address, browser used, etc.)

The processing of your personal data takes place on different legal bases depending on the purpose:

• Art. 6 Para. 1 lit. a GDPR - Consent: If we process your data to send you information or marketing messages via WhatsApp, this only happens with your express consent. This is done via the chat by selecting the "START" button. Consent can be revoked at any time by sending "STOP" in the chat.
• Art. 6 Para. 1 lit. b GDPR - Contract fulfillment or contract initiation: If you use WhatsApp for customer support or contract processing (e.g. for support requests or processing orders), your data will be processed to fulfill a contract or to carry out pre-contractual measures.
• Art. 6 Para. 1 lit. f GDPR - Legitimate interest: In certain cases, the processing may be based on our legitimate interest in effective customer communication. This applies, for example, when we analyze how our chatbot is used in order to improve it.

We only store your data for as long as it is necessary for the respective processing purposes:

• If you revoke your consent (by clicking "STOP" in the chat), your personal data will no longer be used for the WhatsApp service and will be anonymized.
• Communication histories are deleted after 12 months at the latest, unless there is a statutory retention period.
• If the data is required to process a contract, it will be stored in accordance with the statutory retention periods.

Your data is primarily processed on servers in Frankfurt am Main, Germany, which are hosted by ManyChat. This means that your data is processed within the EU and is subject to the high data protection requirements of the GDPR. In addition, data may be transferred to third countries (in particular the USA) in the following cases:

• Support requests or system maintenance by ManyChat, Inc.: If technical support is required by ManyChat, ManyChat, Inc. employees in the USA can access personal data.
• Data transfer by WhatsApp to Meta (USA): WhatsApp Ireland Limited processes the data within the EU, but can pass data on to Meta Platforms, Inc. (USA).

If data is transferred to the USA, the following protective measures are active:

• EU-US Data Privacy Framework: ManyChat participates in the new EU-US Data Privacy Framework, which ensures an adequate level of data protection.
• EU Standard Contractual Clauses (SCCs): ManyChat and WhatsApp use standard contractual clauses from the EU Commission to ensure a GDPR-compliant level of data protection.

Further details on the respective data protection declarations can be found here:

• ManyChat: https://manychat.com/privacy_statement.html, https://manychat.com/privacy.html
• WhatsApp: https://www.whatsapp.com/legal/#privacy-policy

The DocuSign software is used to formally simplify processes within the responsible body. It is used where and in the form in which the relevant written form requirements allow. It also facilitates the traceability of the receipt of the necessary feedback.

The legal basis for the processing of personal data is Art. 6 (1) lit. f) GDPR (optmization of formal processes). Your email address is used to send you the form and to facilitate the process of obtaining the necessary documents. The legal basis for the processing of personal data is therefore Art. 6 (1) lit. f) GDPR with the aforementioned legitimate interests.

Your personal data will be stored for as long as necessary to fulfill the stated purposes and as long as statutory and/or contractual retention obligations apply.

After the end of the service relationship, the data will also be deleted in accordance with the relevant retention periods. Tax-relevant data is stored for a period of 6, 8, or 10 years, for example (see Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO)). Data processed via “DocuSign” is automatically deleted by the system 60 days after the document is completed.

Our company uses Microsoft Copilot (Copilot), an AI-powered assistant feature integrated into Microsoft 365 applications. Copilot can assist our employees in creating, analysing and editing content in programmes such as Word, Excel, Outlook and Teams. This may involve the processing of personal data of customers, interested parties, service providers and other affected persons, e.g. when preparing for telephone calls with customers, summarising past correspondence or researching current market developments. Automated decision-making and profiling are excluded.

Processing is based on Art. 6 (1) lit. f GDPR (legitimate interest in efficient work organisation and internal communication). You can object to this processing at any time.

Microsoft Copilot accesses content stored in our Microsoft 365 tenant (e.g. emails, documents, calendar data) within the scope of existing user authorisations. Processing is carried out by Microsoft Ireland Operations Limited as a processor in accordance with the applicable data protection agreements (including the Data Protection Addendum, DPA).

We have taken technical and organisational measures to ensure that Copilot is used in compliance with data protection regulations.

These include, among other things:

• a role-based authorisation concept (need-to-know principle),
• Restriction of sensitive data processing
• Training of our employees in the use of AI-supported tools
• Conducting a data protection impact assessment in accordance with Art. 35 GDPR. 

Further information on data processing by Microsoft can be found at:
https://privacy.microsoft.com/de-de/privacystatement

Privacy policy - mobile app (PDF)