With the following information, we would like to give you as a "data subject" an overview of the way we process your personal data and your rights under data protection laws. In general, our website can be used without entering personal data. However, if you want to use certain services that our business offers through its website, it may become necessary for us to process your personal data. If the processing of personal data is necessary and there is no lawful basis for such processing, we obtain consent from you as a matter of course.
Your personal information, for example your name, postal address and e-mail address, is always processed in accordance with the General Data Protection Regulation (GDPR). By way of this data policy, we would like to inform you about the scope and purpose of the personal data that we collect, use and process.
As the controller of the data, we have implemented numerous technical and organisational measures to ensure that the personal data processed through this website is protected as securely as possible. Nevertheless, web-based data transmissions can have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, you are free to submit personal data to us by alternative means, such as by telephone or post.
The controller according to the definition in the GDPR is:
IWD market research GmbH
Managing Directors: Marcus Körner, Sandra Baethge
Phone: +49 (0)391 7347 053
3. Data protection officer
You can contact the data protection officer in the following way:
You can contact our data protection officer directly at any time with any questions and suggestions regarding data protection.
This data protection policy is based on the terminology used by the European Directive and Ordinance when adopting the General Data Protection Regulation (GDPR). Our data protection policy should be easy to read and understand for the public, as well as for our customers and business partners. To ensure this, we would first like to explain the terminology used.
This data protection policy uses the following terms, among others:
4.1 Personal data
Personal data refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
4.2 Data subject
A data subject is any identified or identifiable natural person whose personal data are processed by the controller (our company).
Processing refers to any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4.4 Restriction of processing
Restriction of processing refers to the marking of stored personal data, with the aim of limiting their processing in the future.
Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Processor refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Recipient refers to a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities, which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law, shall not be regarded as recipients.
4.9 Third party
Third party refers to a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject refers to any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5. Lawful basis for processing personal data
Art. 6 (1) (a) of the GDPR serves our company as the lawful basis for processing operations in which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the fulfilment of a contract to which you are a party, as is the case, for example, with processing operations that are necessary for a delivery of goods or the provision of another service or return service, the processing is based on Art. 6 (1) (b) of the GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in the case of inquiries about our products or services.
If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 (1) (c) of the GDPR.
In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. For example, this may be the case if a visitor were injured on our premises and his or her name, age, insurance details, or other vital information needed to be shared with a doctor, a hospital or other third parties. In that case, the processing would be based on Art. 6 (1) (d) of the GDPR.
Lastly, processing operations may be based on Art. 6 (1) (f) of the GDPR. Processing operations that are not covered by any of the aforementioned lawful bases are covered under this lawful basis if processing is required to protect a legitimate interest of our company or third party, provided that this does not override the interests, basic rights and fundamental freedoms of the data subject. We are entitled to use these types of processing operations because they are specifically mentioned by the European legislative body. On this matter, the legislative body takes the view that a legitimate interest could be assumed to exist if you are a customer of our company (Recital 47, sentence 2 of the GDPR).
6.1 SSL/TLS encryption
This site uses SSL or TLS encryption to guarantee
the security of data processing and to protect the transmission of confidential content, such as orders, login data and contact requests that you send to us as the operator. You can tell that a connection is encrypted if it has "https://" instead of "http://" in the address bar of the web browser, and by the lock symbol in your browser bar.
We use this technology to protect the data you transmit to us.
6.2 Data collection when visiting the website
When you use our website for information purposes only, i.e. if you do not register or otherwise share information with us, we only collect the data that your browser transmits to our server (in the form of so-called “server log files”). Our website collects a series of general data and information each time you or an automated system access a page. These are stored in the server’s log files.
The following can be recorded:
- 1. browser types and versions used;
- 2. the operating system used by the accessing system;
- 3. the website from which an accessing system arrives at our website (known as the “referrer”);
- 4. the sub-websites that are viewed by an accessing system on our website;
- 5. the date and time of access to the website;
- 6. an Internet Protocol (IP) address; and
- 7. the Internet service provider of the accessing system.
We do not draw any conclusions that allow us to identify you as a person when using this general data and information. Rather, this information is required to:
- 1. deliver the contents of our website correctly;
- 2. optimise the content of our website and the advertising for it;
- 3. ensure the long-term operability of our IT systems and the technology of our website; and
- 4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.
Therefore, the data and information collected will be used for statistical purposes only, and with the aim of increasing the data protection and data security of our company so as to ensure the highest possible level of protection for the personal data that we process. The data from the server log files is stored separately from all personal data provided by a data subject.
The lawful basis for the data processing is Art. 6 (1) (f) of the GDPR. Our legitimate interest is based on the data collection purposes listed above.
7. Transmission of data to third parties
Your personal data will not be transferred to third parties for purposes other than those listed below.
We only share your personal data with third parties if:
- 1. you have given your express consent to this in accordance with Art. 6 (1) (a) of the GDPR;
- 2. the disclosure is permissible under Art. 6 (1) (f) of the GDPR in order to protect our legitimate interests, and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data;
- 3. a legal obligation exists for disclosure pursuant to Art. 6 (1) (c) of the GDPR; and
- 4. this is legally permissible and required according to Art. 6 (1) (b) of the GDPR as part of fulfilling a contractual relationship with you.
8.1 General information about cookies
Information related to the specific device used is stored in the cookie. However, this does not mean that it provides us with direct knowledge about your identity.
One reason for using cookies is that it helps to make using our services a more pleasant experience for you. We use “session cookies” to recognise whether you have already visited specific pages of our website. These are automatically erased after you leave our website.
To optimise the user-friendliness of our website, we also use temporary cookies, which are stored on your device for a specific period of time. If you revisit our website to use our services, the website will automatically recognise that you are a repeat visitor and remember any information and settings you have entered, so that you do not have to re-enter them.
The data processed by cookies, which are required for the proper functioning of the website, are therefore necessary to protect our legitimate interests, as well as those of third parties pursuant to Art. 6 (1) (f) of the GDPR.
You give your consent to the use of all other cookies, via our opt-in banner, under Art. 6 (1) (a).
9. Contents of our website
9.1 Contact / contact form
We collect personal data when you contact us (e.g. via contact form or email). The nature of the data collected when using the contact form is made clear in the relevant contact form. This data is stored and used solely for the purpose of responding to your request or to contact you, and the technical administration associated with doing so.
The lawful basis for the processing of the data is our legitimate interest in responding to your request pursuant to Art. 6 (1) (f) of the GDPR. If you contact us with the aim of concluding a contract, an additional lawful basis for the processing is Art. 6 (1) (b) of the GDPR.
Your data will be deleted after final processing of your request; this is the case if it can be inferred from the circumstances that the matter concerned has been conclusively clarified, and provided that there are no legal storage obligations to the contrary.
9.2 Application management / job portal
We collect and process the personal data of job candidates for the purpose of processing their applications. Data can also be processed electronically. This is particularly the case if an applicant sends us the relevant application documents electronically, for example by email or via a web form on our website.
If we conclude an employment contract with an applicant, data shared with us will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If we do not conclude an employment contract with the applicant, the application documents will be automatically erased two months after notification of the rejection, provided that no other legitimate interests on our part prevent deletion.
Legitimate interest in this context also includes, for example, the burden of proof for proceedings under the General Act on Equal Treatment (AGG).
In this respect, the data processing is based on our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR.
10. Newsletter distribution
10.1 Advertising newsletter
On our website, you are given the opportunity to subscribe to our company's newsletter. The nature of the personal data that are shared with us when requesting the newsletter results from the input mask used for this purpose.
We inform our customers and business partners about our offers at regular intervals by means of a newsletter. As a basic principle, you can only receive our company’s newsletter if:
- 1. you have a valid email address; and
- 2. you have registered to be on the newsletter mailing list.
For legal reasons, a confirmation email will be sent to the email address you entered when you initially asked to receive the newsletter using the double opt-in procedure. This confirmation email is used to verify that you, as the owner of the email address, have authorised receipt of the newsletter.
When you register for the newsletter, we also store the IP address of the IT system you are using at the time of registration, as assigned by your Internet service provider (ISP), as well as the date and time of registration. Collecting this data is necessary so that we can track the (possible) misuse of your email address at a later date, and it therefore serves as legal protection for us.
The personal data collected when you subscribe to the newsletter is used solely to send our newsletter. Newsletter subscribers can also be notified by email if required for the newsletter service or for related registration, for example in the event of changes to the newsletter offer or technical changes to the newsletter service. The personal data collected for the newsletter service is not shared with third parties. You can cancel your subscription to our newsletter at any time. Consent to the storage of personal data, which you gave when you signed up for our newsletter, can be revoked at any time. Each newsletter includes a link that enables you to unsubscribe from the newsletter. Furthermore, it is possible to unsubscribe from the newsletter at any time directly on our website, or to inform us of this in another way.
The lawful basis for data processing for the purpose of sending newsletters is Art. 6 (1) (a) of the GDPR.
This website uses CleverReach to distribute newsletters. This service is provided by CleverReach GmbH & Co. KG, Mühlenstraße 43, 26180 Rastede. CleverReach is a service that can be used to organise and analyse newsletter distribution. The data you enter for the purpose of receiving the newsletter (e.g. your email address) is stored on CleverReach's servers in Germany or Ireland.
The newsletters that we send with CleverReach allow us to analyse the behaviour of the recipients. For example, we can analyse, among other things, how many recipients opened the newsletter message, and how often each link in the newsletter was clicked. With the help of “conversion tracking”, we can also analyse whether a pre-defined action took place after clicking on the link in the newsletter (e.g. the purchase of a product on our website). Further information on data analysis using CleverReach can be found at: https://www.cleverreach.com/en-de/newsletter-tool/newsletter-reporting/
Data processing is based on your consent under Art. 6 (1) (a) of the GDPR. You can withdraw your consent at any time by unsubscribing from the newsletter. However, this does not affect the legitimacy of the processing that has already been conducted based on your consent.
If you do not want CleverReach to analyse your data, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter. It is also possible to unsubscribe from the newsletter directly on our website.
). We would like to point out that these measures may mean that not all functions of our website are available.
We store the data that you provide for the purpose of the newsletter subscription until you withdraw from the newsletter service. We then erase your data, both from our servers and from the CleverReach servers, after you unsubscribe from the newsletter. Data saved by us for other purposes (e.g. email addresses for the members’ area) are not affected.
For more information, please refer to CleverReach’s data protection policies at: https://www.cleverreach.com/en-de/privacy-policy/
11. Our activities on social networks
We have our own pages on social networks so that we can communicate with you through that channel and inform you about our services.
We are not the original provider (controller) of these pages; we merely use them within the scope of the possibilities offered to us by the respective providers.
Therefore, as a precaution, we point out that your data may also be processed outside the European Union or the European Economic Area. Consequently, the use of such pages can expose you to data protection risks, because the protection of your rights, e.g. of access, to erasure, to object, etc. can become more difficult, and because the processing of data in social networks is frequently carried out by the provider for the direct purpose of advertising or to analyse user behaviour, without us being able to influence these processes in any way. If the provider creates user profiles, cookies are often used, or usage behaviour is directly linked to your own member profile on the social network (if you are logged in).
These processing operations are carried out exclusively when explicit consent is given in accordance with Art. 6 (1) (a).
Given that we do not have any access to the providers’ data files, we would like to point out that it is best for you to exercise your rights (e.g. of access, to rectification, to erasure, etc.) directly with the respective provider. Below we provide links to further information regarding the processing of your data on social networks and the option of exercising your right to object or revoking your consent (opt out) for each social network providers that we use:
11.1 Facebook / Instagram
Responsible for data processing in Europe:
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland
Data Protection Policy (Data Policy):
Opt-out and advertising settings:
Responsible for data processing in Europe:
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
Data Protection Policy:
Information about your data:
Opt-out and advertising settings:
Responsible for data processing in Europe:
LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland
Data Protection Policy:
Opt-out and advertising settings:
13. Web analysis – Google Analytics
If you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible party for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
Scope of processing
Google Analytics 4 has IP address anonymization enabled by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. During your website visit, your user behavior is recorded in the form of "events".
Events can be:
- Page views
- First visit to the website
- Start of session
- Your "click path", interaction with the website
- Scrolls (whenever a user scrolls to the bottom of the page (90%))
- clicks on external links
- internal search queries
- interaction with videos
- file downloads
- seen / clicked ads
- language settings
- Your approximate location (region)
- your IP address (in shortened form)
- technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- your internet service provider
- the referrer URL (via which website/advertising medium you came to this website)
Purposes of processing
On behalf of the operator of this website, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyse the performance of our website.
Recipients of the data are/may be:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 DSGVO).
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
It cannot be ruled out that US authorities may access the data stored by Google.
Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider
to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.
Duration of storage
The data sent by us and linked to cookies are automatically deleted after 14 months. The deletion of data whose retention period has been reached occurs automatically once a month.
The legal basis for this data processing is your consent pursuant to Art.6 para.1 p.1 lit. a GDPR.
You can revoke your consent at any time with effect for the future by accessing the cookie settings
and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.
You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in a restriction of functionalities on this and other websites. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google, by
and at https://policies.google.com/?hl=en
14. Plugins and other services
14.1 Google reCAPTCHA
We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our websites. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
reCAPTCHA is used to check whether the data entered on our website (such as on a contact form) has been entered by a human or by an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts as soon as the website visitor confirms the checkbox "Spam protection (Google reCaptcha)" on the Contact page (Contact form) and changes the Cookie-Settings
. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, how long the visitor has been on the website, or mouse movements made by the user). The data collected during the analysis will be forwarded to Google. The reCAPTCHA analyses take place completely in the background. Website visitors are not advised that such an analysis is taking place. Data processing is based on Art.6 para.1 p.1 lit. a GDPR.
15. Your rights as a data subject
15.1 Right to confirmation
You have the right to request confirmation from us as to whether or not we are processing your personal data.
15.2 Right of access Art. 15 GDPR
You have the right to free receive information at any time about the personal data that we store concerning you, and to receive a copy of this data in compliance with the legal provisions.
15.3 Right to rectification Art. 16 GDPR
You have the right to request the rectification of any incorrect personal data. Moreover, you have the right to request the completion of any incomplete personal data, taking the purposes of processing into account.
15.4 Erasure Art. 17 GDPR
You have the right to demand that we delete personal data concerning you without delay, provided that one of the relevant legal grounds applies, and insofar as the processing or further storage of the data is not necessary.
You have the right to request that we immediately erase your personal data if one of the relevant legal grounds applies.
15.6 Data portability Art. 20 GDPR
You have the right to receive the personal data that you have shared with us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us (as the body to whom the personal data has been provided), provided that the processing is based on consent pursuant to Art. 6 (1) (a) of the GDPR or Art. 9 (2) (a) of the GDPR, or on a contract pursuant to Art. 6 (1) (b) of the GDPR, and the processing is carried out by automated means, unless processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to Art. 20 (1) of the GDPR, you have the right to have your personal data transferred directly from one controller to another controller, to the extent that this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.
15.7 Objection Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (e) (data processing in the public interest) or (f) (data processing on the basis of a balance of interests) of the GDPR.
This also applies to profiling based on these provisions within the scope of Art. 4 (4) of the GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
In individual cases, we process personal data in order to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to any profiling connected with such direct advertising. If you object to us processing your data for direct marketing purposes, we will no longer process the personal data for these purposes.
In addition, you have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures that use technical specifications.
15.8 Revocation of consent under data protection law
You are entitled to withdraw your consent given for the processing of personal data at any time in the future.
15.9 Complaining to a supervisory authority
You have the right to lodge a complaint with a supervisory authority for data protection in connection with our processing of personal data.
16. Routine storage, deletion and blocking of personal data
We process and store your personal data only for the period necessary to achieve the purpose for which it is stored, or to the extent that this is provided for by the legal provisions to which our company is subject.
If the purpose of storage no longer applies, or if a prescribed storage period expires, the personal data will be routinely blocked or erased in accordance with the statutory provisions.
17. Retention period for personal data
The criterion for the length of time for which personal data can be stored is the relevant retention period as stipulated by law. Once this period ends, data are routinely erased if they are no longer required for the fulfilment or conclusion of a contract.
This data protection policy is currently valid and came into effect in July 2022.
The further development of our website and offers, or changes in legal or official requirements, may necessitate changes to this data protection policy. You can access and print out the current data protection policy at any time on the website at "https://www.iwd-marketresearch.com/data-protection-declaration.php".