An overview of data protection
The following information provides you with an easy-to-navigate overview of what happens with your personal data when you visit this website or one of our fan pages (LinkedIn, Xing). The term “personal data” comprises all data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our Data Protection Declaration, which we have included beneath this copy.
SSL and/or TLS encryption
For security reasons, and to protect the transmission of confidential content, such as purchase orders or enquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption programme. You can recognise an encrypted connection by checking whether the address line of the browser changes from “http://” to “https://” and also by the appearance of the lock icon in the browser line. If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.
1. Person responsible for data processing and contact details under data protection law:
Person responsible under data protection law
Tel: +49 221 33 77 84-0
Fax: +49 221 33 77 84-29
Contact details of our data protection officer:
2. Purposes and legal basis on which we process your data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other applicable data protection regulations (details below). Precisely which data is processed and how it is used depends largely on the services requested and/or agreed in each case. Further details or additions to the purposes of the data processing can be found in the respective contractual documents, forms, declaration of consent and/or other information provided to you (e.g. our terms and conditions). In addition, this data protection information may be updated from time to time, as you can see from our website www.pallas.com/en/privacy/.
2.1 Purposes for the fulfilment of a contract or pre-contractual measures (Art. 6 para. 1 b GDPR)
Personal data is processed for the fulfilment of our contracts with you and for the execution of your orders, as well as for the performance of measures and activities in the context of pre-contractual relationships, e.g. with interested parties. In particular, the processing serves the provision of IT and consulting services in accordance with your orders and wishes, and includes the services, measures and activities necessary for this. These primarily include contract-related communication with you; the verifiability of transactions, orders and other agreements and quality control through appropriate documentation, goodwill procedures, measures for the management and optimisation of business processes and for the fulfilment of general due diligence obligations, management and control by affiliated companies (e.g. parent company); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational services, risk management, assertion of legal claims and defence in legal disputes; guarantee of IT security (including system and plausibility checks) and general security, including building and facility security, ensuring and exercising domiciliary rights (e.g. through access controls); guarantee of integrity, authenticity and availability of data, prevention and investigation of criminal offences; checks by supervisory bodies (e.g. auditing).
2.2 Purposes in the context of a legitimate interest by us or third parties (Art. 6 para. 1 f GDPR)
Beyond the actual performance of the contract or pre-contract, we may process your data if it is necessary to safeguard our legitimate interests or those of third parties, in particular for purposes of:
- advertising or market and opinion research, insofar as you have not objected to the use of your data;
- obtaining information and exchanging data with credit agencies, insofar as this exceeds the scope of our economic risk;
- testing and optimising procedures for needs analysis;
- further developing services and products as well as existing systems and processes;
- disclosing personal data within the scope of due diligence in company sales negotiations;
- for comparison with European and international anti-terrorism lists, insofar as this goes beyond the legal obligations;
- enriching our data, including by using or researching publicly accessible data;
- statistical evaluations or market analysis;
- asserting legal claims and defending legal disputes that are not directly related to the contractual relationship;
- the limited storage of data if deletion is not possible or only possible with disproportionate effort due to a special type of storage;
- the development of scoring systems or automated decision-making processes;
- the prevention and investigation of criminal offences, insofar as not exclusively for the fulfilment of legal requirements;
- the security of buildings and facilities (e.g. through access control and security measures), insofar as this goes beyond the general duty of care;
- internal and external investigations, security checks;
- obtaining and maintaining certifications of a private-law or official nature;
- securing and exercising domiciliary rights through appropriate measures as well as through video surveillance for the protection of our customers and employees and for the securing of evidence in the event of criminal offences and their prevention.
2.3 Purposes within the scope of your consent (Art. 6 para. 1 a GDPR)
Processing of your personal data for certain purposes (e.g. use of your e-mail address for marketing purposes) may also be based on your consent. You can revoke this at any time. This also applies to the revocation of declarations of consent given to us prior to the introduction of the GDPR, i.e. prior to 25 May 2018. You will be informed about the purposes and the consequences of revoking or not giving consent separately in the text of the relevant consent declaration.
As a general rule, the revocation of consent is only effective for the future. Processing that took place before the revocation is not affected by this and remains lawful.
2.4 Purposes to comply with legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
Like anyone involved in business, we are subject to a variety of legal obligations. These are primarily legal requirements (e.g. commercial and tax laws, Telecommunications Act, KRITIS), but also supervisory or other official requirements (e.g. BNetzA). The purposes of the processing may include identity and age verification, fraud and money laundering prevention, the prevention, combating and investigation of terrorist financing and crimes endangering assets, comparisons with European and international anti-terrorism lists, the fulfilment of control and reporting obligations under tax law, and the archiving of data for data protection and data security purposes as well as auditing by tax and other authorities. In addition, the disclosure of personal data may become necessary in the context of official/court measures for the purpose of evidence collection, criminal prosecution or the enforcement of civil claims.
3. The categories of data we process, insofar as we do not receive data directly from you, and their origin
Insofar as this is necessary for the provision of our services, we process personal data permissibly received from other companies or other third parties (e.g. credit agencies, address publishers). In addition, we process personal data that we have permissibly taken, received or acquired and may process from publicly accessible sources (such as telephone directories, commercial and association registers, civil registers, debtor registers, land registers, the press, the internet, Whois and other media).
Relevant categories of personal data may include in particular:
- Personal data (name, date of birth, place of birth, nationality, marital status, profession/industry and comparable data)
- Contact data (address, email address, telephone number and comparable data)
- Address data (registration data and comparable data)
- Payment/coverage confirmation for bank and credit cards
- Information about your financial situation (creditworthiness data including scoring, i.e. data for assessing the economic risk)
- Customer history
- Data about your use of the telemedia offered by us (e.g. time of accessing our websites, apps or newsletters, clicked pages/links from us and/or entries and comparable data, firewall logs, proxy logs, e-mail logs)
4. Recipients or categories of recipients of your data
Within our company, those internal offices or organisational units that require your data to fulfil our contractual and legal obligations or as part of the processing and implementation of our legitimate interest receive it. Your data will only be transferred to
- external bodies in connection with the processing of contracts;
- for the purposes of fulfilling legal requirements which oblige us to provide information or notification or to transfer data, or if the transfer of data is in the public interest (cf. section 2.4);
- insofar as external service providers process data on our behalf as order processors or together with us as joint controllers or as third parties (e.g. external data centres, support/maintenance of EDP/IT applications, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data validation or plausibility checking, data destruction, purchasing/procurement, customer administration, letter shops, marketing, media technology, research, risk controlling, accounting, telephony, website management, auditing services, credit institutions, printers or companies for data disposal, courier services, logistics);
- on the basis of our legitimate interest or the legitimate interest of a third party for the purposes mentioned in section 2.2 (e.g. authorities, credit agencies, debt collection, lawyers, courts, appraisers, affiliated companies and committees and supervisory bodies);
- if you have given us consent to transfer data to third parties.
Data exchange within the group of companies
Data exchange within the group of companies to which we belong takes place exclusively within the EU/EEA and Switzerland as a country with an adequate level of protection pursuant to Art. 45 para. 1 GDPR and serves only internal administrative purposes. By group of companies we mean affiliated companies within the meaning of Art. 4 No. 19 GDPR.
We will not pass on your data to third parties beyond this. If we commission service providers to process your order, they are subject to the same security standards as we are. Generally, the recipients may only use the data for the purposes for which it was transmitted to them.
Online application process
We offer you the opportunity to apply to us online via our application portal. The data you enter and the file attachments you send are transmitted via a transport-secured connection. For this purpose, we use our parent company Swiss IT Security AG, Etzelmatt 1, 5430 Wettingen, Switzerland, with whom we have concluded a corresponding contract for order processing.
Your electronic application data will be received by the respective personnel department responsible and will only be forwarded to the specialist department responsible for the respective position or to the persons entrusted with the processing. All parties involved will treat your application documents with due care and absolute confidentiality. Please note that you can decide during the application process whether your application documents may also be passed on to companies within the group of companies and thus, if applicable, to countries in the EU or Switzerland. In the event of your consent, we would make use of this. You can withdraw your consent at any time; please contact us in this regard via our contact details.
After completion of the applicant selection process, we will keep your application documents for another three months and then delete them or destroy any copies, unless we have concluded an employment contract with you. However, as part of the application, you can also indicate that you would like to be included in our talent pool.
Please note that applications sent to us by e-mail are transmitted to us unencrypted. We therefore recommend the use of the online application portal.
The TeamViewer software can be used for remote maintenance and our helpdesk. The provider of this software is TeamViewer GmbH, Jahnstr. 30, 73037 Göppingen. If you wish to use remote maintenance, you must download the TeamViewer software from the provider using a link provided by us and run it on your computer. TeamViewer allows us to temporarily access your system, view your screen and remotely control your mouse and keyboard. Please close all windows with content that needs to be protected under data protection law or that is critical to the company before you allow access. TeamViewer is subject solely to the data protection provisions of TeamViewer GmbH as your contractual partner for the use of the software. These can be accessed at https://www.teamviewer.com/en/privacy-policy/?t=1614330073298.
5. Duration of storage of your data
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to various storage and documentation obligations resulting from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods specified therein for storage and documentation are up to 10 years from the end of the business relationship or the pre-contractual legal relationship.
Furthermore, special statutory regulations may require a longer retention period, such as the preservation of evidence within the legal statute of limitations. According to sect. 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years; however, limitation periods of up to 30 years may also be applicable.
If the data is no longer required for the fulfilment of contractual or legal obligations and rights, it is deleted, unless its further processing for a limited period of time is necessary for the fulfilment of the purposes listed in section 2.2 due to an overriding legitimate interest. Such an overriding legitimate interest also exists, for example, if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage and processing for other purposes is excluded by appropriate technical and organisational measures.
6. Processing of your data in a third country or by an international organisation
Data is transferred to bodies in countries outside the European Union (EU) or the European Economic Area (EEA) (known as third countries) if it is necessary for the execution of an order/contract from or with you, if it is required by law (e.g. reporting obligations under tax law), if it is in the context of a legitimate interest by us or a third party, or if you have given us your consent.
The processing of your data in a third country may also take place in connection with the involvement of service providers within the framework of order processing. If there is no EU Commission decision on an adequate level of data protection in the country concerned, we ensure that your rights and freedoms are adequately protected and guaranteed in accordance with EU data protection requirements by means of appropriate contracts. We will provide you with the relevant detailed information on request.
Information on the appropriate or adequate safeguards and the possibility of obtaining a copy may be requested from the data protection officer.
7. Your data protection rights
Under certain conditions, you can assert your data protection rights against us.
Thus, you have the right to receive information from us about your data stored by us according to the regulations of Art. 15 GDPR (if necessary with restrictions according to sect. 34 BDSG).
At your request, we will correct the data stored about you in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
If you so wish, we will delete your data in accordance with the principles of Art. 17 GDPR, provided that other statutory regulations (e.g. statutory retention obligations or the restrictions under sect. 35 BDSG) or an overriding interest on our part (e.g. for the defence of our rights and claims) do not prevent this.
Taking into account the requirements of Art. 18 GDPR, you may request us to restrict the processing of your data.
Furthermore, you can object to the processing of your data in accordance with Art. 21 GDPR, on the basis of which we must stop processing your data. However, this right to object only applies in very particular circumstances regarding your personal situation, whereby the rights of our company may conflict with your right to object.
You also have the right to receive your data in a structured, common and machine-readable format under the provisions of Art. 20 GDPR, or to transfer it to a third party. In addition, you have the right to revoke your consent to the processing of personal data at any time with effect for the future (see section 2.3).
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that a complaint is always directed to our data protection officer in the first instance.
Wherever possible, your requests to exercise your rights should be addressed in writing to the address above or directly to our data protection officer.
8. Scope of your obligations to provide us with your data
You only need to provide the data that is required for the establishment and implementation of a business relationship or for a pre-contractual relationship with us or that we are legally obliged to collect. Without this data, we will usually not be able to conclude or execute the contract. This may also apply to data required later in the course of the business relationship. If we request additional data from you, you will be informed separately that providing this information is voluntary.
9. Existence of automated decision-making in individual cases (including profiling)
We do not use purely automated decision-making procedures pursuant to Article 22 GDPR. If we do use such a procedure in individual cases in the future, we will inform you separately, provided this is required by law.
Such procedures can also be used to assess your creditworthiness and credit standing, and to combat money laundering and fraud. “Score values” can be used to assess your creditworthiness and credit standing. Scoring uses mathematical methods to calculate the probability that a customer will fulfil their payment obligations in accordance with the contract. Such score values thus support us, for example, in assessing creditworthiness and making decisions in the context of product transactions, and flow into our risk management. The calculation is based on mathematically and statistically recognised and proven methods and is carried out on the basis of your data, in particular income situation, expenses, existing liabilities, occupation, employer, length of employment, experience from the business relationship up until this point, repayment of previous loans in accordance with the contract, and information from credit agencies.
Information on nationality and special categories of personal data pursuant to Art. 9 of the GDPR are not processed.
Part 2: Supplementary information for visitors to the website
General internet logging
Internet logs primarily record the IP address, browser type used, internet provider, access date and time, and calculation data. This information, which is only used for internal purposes (see next paragraph), is also not linked to personal data that may become known to us through any entry in a form. Usage statistics are only compiled without personal reference after anonymisation of the IP addresses in the log files of the web servers.
Information about cookies and statistical analysis
These cookies are addressed separately below.
Matomo (formerly Piwik)
This website uses the open-source web analysis software Matomo to optimise and statistically evaluate visitor access to our website.
General information about data protection at Matomo: https://matomo.org/docs/privacy/
Adobe Fonts/Adobe Typekit
We use Adobe Typekit/Adobe Fonts to display fonts on our website. This is a service that provides access to a font library and is provided by Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe).
When you call up this website, your browser loads the required fonts directly from Adobe so that they can be displayed correctly on your terminal device. In doing so, your browser establishes a connection to Adobe’s servers in the USA. This enables Adobe to know that your IP address has been used to access this website. According to Adobe, no cookies are stored when providing the fonts.
Adobe is certified under the EU-US Privacy Shield. The Privacy Shield is an agreement between the United States of America and the European Union to ensure compliance with European data protection standards. All the relevant details can be found at: https://www.adobe.com/uk/privacy/eudatatransfers.html. The use of Adobe Fonts/Typekit is necessary to ensure a consistent typeface on this website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
For more information on Adobe Fonts, please visit:
LinkedIn Social network:
Please note that LinkedIn is simply another of several options for contacting us or receiving information from us. Alternatively, the information offered via our LinkedIn account can also be accessed on our website, for example. Responsible party with whom our LinkedIn account (“fan page”) is jointly operated (“platform operator”):
LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA
Data controller for individuals living in the European Union (EU) and the European Economic Area (EEA) and Switzerland: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
In an agreement pursuant to Art. 26 para. 1 of the GDPR, the joint controllers determined who fulfils which obligation pursuant to the GDPR. The platform operator shall make the essential contents of this agreement available to the data subjects: https://legal.linkedin.com/pages-joint-controller-addendum
Data protection contact details:
The contact details for data protection can be found in our Data Protection Declaration, linked here. The platform operator’s data protection officer can be contacted at the following web form HTTPS://WWW.LINKEDIN.COM/HELP/LINKEDIN/ASK/TSO-DPO or at the following address:
Senior Privacy Counsel
LinkedIn Corporation Legal Department – Privacy
1000 W. Maude Ave. Sunnyvale,
Categories of data subjects: Both registered and unregistered visitors to our fan page on the social network. We would like to make the persons concerned aware that they use LinkedIn and its functions on their own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, rating).
Categories of personal data: Data that we process from registered visitors to our fan page: User ID or user name under which the data subjects have registered, released profile data (name, e-mail address, telephone number), ProFinder profile data, education, work experience, salary expectations, photo, location data, skills and endorsed skills, professional achievements (e.g. granting of patents, professional recognition, projects), possibly also special categories of personal data such as religious affiliation, health data etc., data arising from content sharing, messaging and communication, data required in the context of contract initiation or execution at the request of registered visitors, other data and content freely published, provided, disseminated, posted or uploaded by data subjects on LinkedIn or via their LinkedIn account. Otherwise, we only process pseudonymised data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided via it (page activities, page views, “like” votes, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements regarding …
The pseudonymised data cannot be combined with the corresponding assignment feature (e.g. name details) by us. This makes it impossible for us to identify individual visitors, who thus remain anonymous to us.
Data we process from non-registered visitors to our fan page:
Pseudonymised data such as statistics and insights into how people interact with our fan page, the posts, pages, videos and other content provided via it (page activities, page views, “like” votes, reach, general demographic, location and interest-related information on age, gender, country, city, language), evaluations of the success and background of our advertisements, other analyses and measurements regarding …
The pseudonymised data cannot be combined with the corresponding assignment feature (e.g. name details) by us. This makes it impossible for us to identify individual visitors, who thus remain anonymous to us.
Data we process from our website visitors:
Integrating the LinkedIn button (pure link) into our website does not transmit any IP addresses of website visitors to the platform operator. Data that the platform operator processes about registered and non-registered visitors to our fan page can be found at the following link:
The platform operator may use various analysis tools for evaluation. We have no influence on the use of such tools by the platform operator and were not informed about such potential use.
If tools of this kind are used by the platform operator for our fan page, we have neither commissioned nor approved this nor supported it in any other way. Nor is the data obtained during the analysis made available to us. Moreover, we have no possibility of preventing or turning off the use of such tools on our fan page, nor do we have any other effective means of control.
Origin of the data
We receive the data directly from the data subjects or from the platform operator. Where the platform operator obtains the data of the data subjects can be seen at the following link: https://www.linkedin.com/legal/privacy-policy
We have no influence on or effective means of control over whether the procurement of data by the platform operator is permissible.
Legal basis for data processing
We process data on the following legal bases:
- Art. 6 para. 1 lit. a) GDPR: Consent of the data subjects
- If applicable, Art. 6 para. 1 lit. b) GDPR: Fulfilment of a contract with the data subject or implementation of pre-contractual measures at the request of the data subject
- Art. 6 para. 1 lit. f) GDPR: Legitimate interest
  - Simplification of communication and data exchange by meaningfully supplementing the existing communication channels, such as website, press releases, print products and events, through the fan page
  - Promoting sales of our products and services
  - Optimisation of our fan page
We process special categories of personal data, if at all, only on the basis of the following legal grounds:
- Art. 9 (2) (a) GDPR: Consent of the data subject
- Art. 9 (2) (e) GDPR: The data subject has manifestly made the personal data public
The legal grounds on which the platform operator’s data processing is based can be found at the following link:
We have no influence or effective means of control over whether the data processing by the platform operator is permissible.
Purposes of data processing
We process data for the following purposes:
- Public presentation and advertising
- Communication and data exchange
- Event management
- If necessary, contract initiation and execution
Information on the purposes for which the platform operator processes data can be found at the following link: https://privacy.xing.com/en/privacy-policy
We have no influence on the purposes for which the platform operator actually uses the data. We also have no effective means of control in this respect.
The storage and deletion of data is the duty of the platform operator. Information on this can be found at the following link: https://privacy.xing.com/en/privacy-policy
We have no influence on how the platform operator determines the regular deletion periods and in what way the data is deleted. We also have no effective means of control in this respect.
Categories of recipients
Only our employees and service providers who manage our fan page and require the data for the above-mentioned purposes have access to the data we process. If the data subjects post their data publicly on our fan page, it can be accessed by other registered and possibly also non-registered visitors.
The categories of recipients to whom the platform operator discloses the data or enables registered visitors to disclose their data, as well as information on intra-group data exchange, can be found at the following link: https://privacy.xing.com/en/privacy-policy
We have no influence on the disclosure of data to individual (categories of) recipients by the platform operator. We also have no effective means of control in this respect.
Data transfers to third countries
If data subjects post their data publicly on our fan page, it can be accessed by other registered and possibly also non-registered visitors.
Involved logic and scope of profiling or automated individual decision-making based on the collected data
The platform operator may use various analysis tools for evaluation purposes.
We have no influence on the use of such tools by the platform operator and have not been informed about any such potential use. If tools of this kind are used by the platform operator for our fan page, we have neither commissioned nor approved this nor supported it in any other way. Nor is the data obtained during the analysis made available to us. Moreover, we have no possibility to prevent or turn off the use of such tools on our fan page, nor do we have any other effective means of control.
Rights of data subjects
Joint controllers must provide data subjects with various rights regarding the processing of their data, which they can exercise directly in relation to the platform operator:
Data subjects have a right of access, rectification or deletion of personal data concerning them or a right to restriction of data processing by the data controller if certain conditions are met in accordance with Art. 15 to 18 GDPR. Data subjects also have the right to revoke their consent to the processing of their personal data at any time with effect for the future (Art. 7 (3) GDPR).
They may also object to the further processing of their data, which is based exclusively on the legitimate interest of the controller pursuant to Art. 6 (1) (f) GDPR (Art. 21 (1) GDPR), insofar as legitimate interests in the exclusion of data processing arise from their particular personal situation and there are no longer any compelling legitimate reasons for the controller to continue processing their data. Insofar as personal data is processed for the purpose of direct marketing, data subjects have the right to object to this processing with effect for the future at any time (Art. 21 (2) GDPR).
If the data processing is based on the consent of the data subject pursuant to Art. 6 (1) (a), Art. 9 (1) (a) GDPR or pursuant to Art. 6 (1) (b) GDPR on a contract with the data subject, and is carried out with the help of automated processes, the data subjects may, pursuant to Art. 20 (1) GDPR, request to receive the personal data stored about them in a structured, common and machine-readable format, or to have it transferred to a third party designated by the data subject.
In principle, data subjects have the right not to be subject to automated individual decision-making pursuant to Art. 22 (1) GDPR. Where such an automated individual decision is permitted under Art. 22 (2) (a) to (c) GDPR, data subjects are granted the following rights under Art. 22 (3) GDPR: Right to express one’s point of view, right to object to the intervention of a person by the controller, right to challenge the automated individual decision (right of challenge).
Furthermore, data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data violates the GDPR, Art. 77 GDPR. The supervisory authority responsible for the platform operator is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
(The Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg, Germany
Phone: +49 40 428 54 4040
Fax: +49 40 428 54 4000