We are very pleased that you have visited our website. Data protection is of a particularly high priority for us. The use of our website is possible without any indication of personal data; however, if a data subject wants to use special services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain consent from the data subject.

The processing of personal data, such as the name, address, email address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the applicable country-specific data protection regulations. By means of this data protection declaration, we would like to inform you and the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed of their rights by means of this data protection declaration.

As the data controller, fino data services GmbH has implemented numerous technical and organizational measures (TOM) to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions can generally have security gaps, so absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us via alternative means, for example by telephone.

1. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union and other provisions of a data protection nature is:

fino data services GmbH Universitätsplatz 12 34127 Kassel Germany

Management/Representation: Björn Kahle, Florian Christ

Contact: Telephone: +49 4550 996 9000 Fax: +49 4550 996 9001 Email: [email protected]

2. Contact details of the data protection officer

Any person concerned can contact our data protection officer directly at any time with any questions or suggestions regarding data protection. The data protection officer of the controller is:

BullProtect, a brand of NetBull GmbH https://bullprotect.de/ Patrick Vaillant

You can contact our data protection officer by post at our previously mentioned address with the addition “Data Protection Officer” or by email at: [email protected]

3. Collection of general data and information

Our websites collect a series of general data and information each time the website is accessed by a data subject or an automated system. This general data and information is stored in the server’s log files.

For example, the following may be recorded:

1. browser types and versions used,
2. the operating system used by the accessing system,
3. the website from which an accessing system reaches our website (so-called referrers),
4. the sub-websites that are accessed via an accessing system on our website,
5. the date and time of access to the website,
6. an Internet protocol address (IP address),
7. the Internet service provider of the accessing system and
8. other similar data and information that serve to avert dangers in the event of attacks on our information technology systems.

When using this general data and information, no conclusions are drawn about the person concerned.

This information is required in order to:

1. correctly deliver the contents of our website,
2. optimize the content of our website and the advertising for it,
3. ensure the long-term functionality of our information technology systems and the technology of our website, and
4. provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

These anonymously collected data and information are therefore evaluated by the controller both statistically and with the aim of increasing data protection and data security in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

4. Webhosting

This website is hosted by an external service provider (hoster).

Personal data that is collected on this website is stored on the hoster’s servers. This can primarily be data such as IP addresses, contact requests, meta and communication data, website access, and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 Para. 1 lit. b GDPR) and in the legitimate interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 Para. 1 lit. f GDPR).

We have concluded a data processing agreement with the provider in accordance with the requirements of Art. 28 GDPR, in which we oblige them to protect our customers’ data and not to pass it on to third parties.

Services and service providers used here:

• Amazon Web Services (AWS): web hosting and infrastructure services; service provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA; Data protection declaration: https://aws.amazon.com/de/privacy/?nc1=f_pr
• Cloudflare: Content Delivery Network (CDN); Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Privacy Policy: https://www.cloudflare.com/privacypolicy/

5. Legal basis for processing

Art. 6 Para. 1 lit. a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. Other legal bases are described in Art. 6 Para. 1 lit. b)–f) GDPR depending on contract, legal obligations, vital interests, or legitimate interests.

6. Duration for which the personal data is stored

The criterion for the duration of storage of personal data is the respective statutory retention period. After the deadline has expired, the corresponding data will be routinely deleted unless required for other statutory purposes.

7. Routine deletion and blocking of personal data

The controller processes and stores personal data only for the period necessary to achieve the purpose of storage or as required by law. When this purpose expires, the data will be routinely blocked or deleted.

8. Legal or contractual provisions for the provision of personal data

Provision of personal data may be required by law or contract, e.g., tax regulations or contractual obligations. The controller clarifies on a case-by-case basis whether provision is necessary.

9. Registration on our website / use of input masks and forms

The data subject may register and provide personal data via forms for newsletters, contact forms, or event participation. The data is used internally and may be passed to processors solely for controller purposes.

IP address, registration date, and time are also recorded to prevent misuse and protect the controller. Registered users can update or delete their personal data at any time.

10. Recipients or categories of recipients

Depending on the purpose, personal data may be transmitted to recipients or categories of recipients involved in processing.

11. Transfer to third countries

Transmission to providers outside the EEA occurs only if adequate protection or appropriate safeguards are in place.

12. Existence of automated decision-making

We do not use automated decision-making or profiling.

13. Data protection for applications and in the application process

Applicant data may be processed electronically for recruitment purposes. If no contract is concluded, data is deleted no later than six months after rejection, unless other legitimate interests apply.

14. Definitions

• a) Personal data: Information relating to an identified or identifiable natural person.
• b) Data subject: Any identified or identifiable natural person whose data is processed.
• c) Processing: Any operation with personal data, manual or automated.
• d) Restriction of processing: Marking stored personal data to limit its future use.
• e) Profiling: Automated processing of personal data to evaluate personal aspects.
• f) Pseudonymisation: Processing so data cannot be attributed to a specific person without extra information.
• g) File system: Any structured set of personal data accessible by criteria.
• h) Controller: Person or entity determining purposes and means of processing.
• i) Processor: Person or entity processing data on behalf of the controller.
• j) Recipient: Person or entity receiving data.
• k) Third party: Any party other than data subject, controller, processor, or authorised persons.
• l) Consent: Freely given, specific, informed, unambiguous agreement to data processing.
• m) Company: Natural or legal person conducting economic activity.
• n) Group of companies: Controlling company and controlled companies.

15. Rights of the data subject

a) Right to confirmation: Verify if personal data is processed. b) Right to information: Obtain details on personal data, purpose, recipients, storage, and rights. c) Right to rectification: Correct inaccurate or incomplete data. d) Right to erasure: Request deletion if no longer necessary, consent withdrawn, unlawful processing, legal obligation, or specific service context. e) Right to restriction of processing: Limit use in specific conditions. f) Right to data portability: Receive and transmit data in structured, machine-readable format. g) Right to object: Object to processing based on legitimate interests or direct marketing. h) Automated decisions: Right not to be subjected to solely automated decisions without safeguards. i) Right to withdraw consent: Revoke consent at any time. j) Right to lodge a complaint: Submit complaints to supervisory authorities.

Data protection supervisory authority responsible for us: The Hessian Commissioner for Data Protection and Freedom of Information P.O. Box 3163 65021 Wiesbaden

Our data protection officer is also available using the contact details above.

16. Cookies

Cookies are text files stored on devices to optimize website functionality. They can be managed, deleted, or blocked via browser settings.

Application and use of other applications, plugins and tools

We integrate tools to improve service, optimize loading times, and increase security.

Data protection provisions on the application and use of Cloudflare: Cloudflare (101 Townsend St., San Francisco, CA 94107, USA) is used to optimize performance and security. Data may be sent to Cloudflare for this purpose, processed under GDPR, and deleted when no longer needed.

Purposes of processing: Improve website performance and security. Legal basis: Contractual obligations (Art. 6 Para. 1 lit. b GDPR) and legitimate interest (Art. 6 Para. 1 lit. f GDPR). More info: https://www.cloudflare.com/dede/privacypolicy/

Opportunity to object: Users can manage, delete, or block cookies via browser settings, but some functionalities may be affected.