Explanation of terms
We have designed our data protection notice in accordance with the principles of the GDPR, see Art. 5 GDPR. However, if there are any ambiguities regarding the use of terms, you can view the relevant definitions here.
Name and address of the responsible party
blu Eye GmbH
Telephone: +49 89 919 290 540
External data protection officer
blu Systems GmbH
Telephone: +49 89 919 290 560
How long do we store your data?
Unless a more specific storage period has been specified within this data protection notice, your personal data will remain with us until the purpose or legal basis for the data processing no longer applies. If you assert a justified request for deletion or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., retention periods under tax or commercial law); in the latter case, the data will be deleted once these reasons no longer apply.
Data collection on our website
When you visit our website, information is automatically sent to our website server by the browser used on your terminal device. This information is temporarily stored in a log file. The following information is collected without your intervention and stored until automatic deletion:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the file accessed
- Website from which the access was made
- Browser used and, if applicable, the operating system of your computer as well as the name of your access provider
The aforementioned data is processed by us for the following purposes:
- Ensuring a smooth connection of the website
- Ensuring comfortable use of the website
- Evaluation of system security and stability
- Error analysis
- Further administrative purposes
The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest follows from the purposes for data collection listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.
The legitimate interest for this processing is as follows: the integrity and security of the website, which is maintained by Security through the collection of logs, in particular IP addresses, in order to detect possible abuse at an early stage and to be able to take measures to reduce the damage.
Your personal data is stored with our provider, with whom a Data Processing Addendum in accordance with Art. 28 GDPR has been concluded.
For security reasons, our website uses SSL encryption. This protects transmitted data and prevents it from being read by unauthorised third parties.
You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol, which is recognisable in your browser line on the left.
By making appropriate changes to your browser settings, you can be informed about the setting of cookies and decide individually whether to accept them or generally exclude them, as well as arrange for the automatic deletion of cookies when closing the browser window. By deactivating cookies, you may not be able to use all the functions of our website.
PHPSESSID (end of session)
The purpose of this cookie is to store the unique browser-ID in order to recognize the website visitor.
In order to display content on our website correctly and graphically appealing across browsers, we use Google Fonts from Google Ireland Limited, Gordon House, Barrow St, Dublin 4, Ireland on our website.
A connection to Google’s servers is established when you visit our website in order to load the used font and save it on your device.
When connecting to the Google servers, your IP address is stored by Google. In addition to your IP address, other information e.g., the name of the browser you are using, the version of this browser, the language settings, and the screen resolution of the browser, are also transmitted.
A transmission of your data to Google servers in the US cannot be ruled out. Your personal data is used by Google for analysis purposes over which we have no influence.
The collected data is stored by Google for 1 year.
The legal basis for the processing of your data is your consent according to Art. 6 (1) (a) GDPR. You give your consent via your acceptance of Google Fonts in our cookie-banner.
Data Transfer to the US and other third countries
We use tools from companies based in the USA or other third countries that are not secure under data protection law. If these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in these countries. For example, US companies are obliged to hand over personal data to security authorities without you as a data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g., intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities.
Contacting the Company
You have the possibility to contact us at any time. We would like to provide you with the following information:
General contact options
As general contact media, you have the following options:
- by post,
- by telephone or
- by e-mail.
To process your contact request, we will have to store your communication data (e.g., telephone number, e-mail address) and identification data (e.g., name, address).
The legal basis of Art. 6 (1) (b) GDPR applies here only if the contact is based on the initiation of a contract, the implementation of an existing contractual relationship or the amendment of a contractual relationship.
For all other cases of contact, the processing is based on the legitimate interest according to Art. 6 (1) (f) GDPR of the company.
The legitimate interest for this processing is as follows: As a company, we pursue the economic interests of individualisation and optimisation of our products, which are declared as economic factors of the company.
We use Microsoft Teams, a service of the provider Microsoft Corporation, to conduct telephone and video conferences, online meetings, or online events. If online meetings or online events are to be recorded, we will inform you of this before they begin and – where necessary – ask for your (verbal) consent. If you do not wish to be recorded, you can leave the online meeting or event. The following personal data may be processed in the process:
- User details: Display name, email address, profile picture (optional), preferred language.
- Meeting metadata: e.g., date, time, meeting ID, phone number, location.
- Text, audio, and video data: You may have the opportunity to use the chat function in an online meeting or event. In this case, the text entries you make are processed to display them.
The scope of the data depends on the information you provided before or during participation in the online meeting or event.
The transfer of data to the USA is based on the standard contractual clauses of the EU Commission in accordance with Art. 46 (2) (c) GDPR.
Special features of online meetings
In the context of the online meeting, we rely on Art. 6 (1) (b) GDPR.
During the online meeting, the login names of all participants and the generated communication content are displayed and can be viewed by the other participants in the online meeting. The communication content is stored for documentation purposes. If necessary, the online meeting is recorded and made available to the participants afterwards.
Special features of online events
In this case, we rely on Art. 6 (1) (f) GDPR, as our legitimate interest is an economic one, namely to gain new customers for the company.
During the online event, the login names of all participants and the generated communication content are displayed and can be viewed by the other participants in the online event. The communication content is stored for documentation purposes. If necessary, the online event will be recorded and made available to the participants afterwards.
We use rapidmail on our website to send you our newsletter. In order to do this, we process your e-mail address. To optimize our email campaigns, we track the life cycle of the email (opening of the email by recipients). Only through this function is it possible for us to optimize newsletters and send them in a targeted manner.
The legal basis for processing your data is your consent according to Art. 6 (1) (a) GDPR.
We have signed a Data Processing Addendum with rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg, Germany, in accordance with Art. 28 GDPR, in which we oblige rapidmail GmbH to protect our customers’ data and to refrain from disclosing it to third parties. rapidmail GmbH is a certified German newsletter software provider, which was carefully selected according to the requirements of the GDPR and the BDSG.
You are able to withdraw your given consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal. For this purpose, it is sufficient to send an informal e-mail to firstname.lastname@example.org or to click the “unsubscribe” link in the next newsletter.
Your data will be erased as soon as it is no longer required to achieve the purpose for which it was collected, you request the erasure of your data, or you withdraw your consent to the storage and processing of your data. Data that has been stored by us for other purposes remains unaffected by this.
Handling of applicant data
We offer you the opportunity to apply to us (by e-mail, post, or via a job application form). In the following, we inform you about the scope, purpose and use of your personal data collected during the application process. We assure you that the collection, processing, and use of your data will be in accordance with applicable data protection law and all other legal provisions and that your data will be treated confidentially.
If you send us an application, we process your associated personal data (e.g., contact and communication data, application documents, notes during interviews, etc.) to the extent that this is necessary to decide on the establishment of an employment relationship.
The job board to which we link on our website offers you the possibility to apply directly for an open position via a job application form. If you apply for an open position via this job application form, your personal data will automatically be transmitted to the application management system coveto (the provider is coveto ATS GmbH, Frankenstr. 45, 63667 Nidda, Germany). We have signed a Data Processing Addendum with the provider of the system. Our recruiter will be notified of any new application via an e-mail containing merely the first and last name of the applicant and a link to the application received in the system.
The legal basis for this is Art. 6 (1) (b) GDPR (general contract initiation) as well as Section 26 (1) BDSG under German law (initiation of an employment relationship). Your personal data will only be passed on within our company to employees who are involved in processing your application.
If the application is successful, the data you submitted will be stored in our data processing systems for the purpose of implementing the employment relationship based on Art. 6 (1) (b) GDPR and Section 26 (1) BDSG.
If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we will store your application documents for a period of 6 months from the end of the procedure. After the 6 months have expired, the data will be erased, and the physical application documents destroyed. This storage serves as evidence in the event of a legal dispute. If it is evident that the data will be required after the expiry of the 6-month period (e.g., due to an impending or pending legal dispute), the data will only be erased when the purpose for further storage no longer applies.
Admission to our applicant pool:
If we do not make you a job offer, it may be possible to register you in our applicant pool. If you are registered in our applicant pool, all documents and details from the application will be transferred into the applicant pool in order to contact you in the event of suitable job vacancies.
Admission to the applicant pool takes place exclusively on the basis of your explicit consent (Art. 6 (1) (a) GDPR). Giving consent to the admission to our applicant pool is voluntary and is not in any relation to the current application process. The data subject may withdraw his or her consent at any time. In this case, the data from the applicant pool will be irrevocably erased, unless legal requirements for storing the data exist.
The data from the applicant pool will be irrevocably erased no later than two years after consent has been given.
The coveto system for our management of applications and the applicant pool is provided by coveto ATS GmbH, Frankenstr. 45, 63667 Nidda, Germany. A Data Processing Addendum with the provider has been signed.
Processing of data for events (online and in attendance)
Personal data is processed for the purposes of registration, reception, organization, implementation, and quality assurance of the event, as well as the dispatch of information on other events. Photos or video recordings made at the event may be processed for the purpose of public relations and, if necessary, published on the internet or in our publications.
The legal basis for processing the data is Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. The processing of data serves the public relations of the company and thus also serves the competitiveness of the company. Our legitimate interest follows from the aforementioned purposes of data collection; furthermore, we rely in this context on the economic interest of the company.
If you have given your consent for the processing of photos and video recordings for the above-mentioned purposes, the legal basis is Art. 6 (1) (a) GDPR. You may withdraw your consent at any time with effect for the future.
Recipient of the data
An internal transfer of your personal data takes place exclusively for the fulfilment of the stated purposes or the fulfilment of legal obligations.
As far as the purpose allows, the following companies within the blu Group may access your personal data:
- blu BEYOND GmbH
- blu Professionals GmbH
- blu Systems GmbH
All responsible employees are obliged to maintain the confidentiality of your data. As a matter of principle, we do not transmit your personal data externally unless we are legally permitted to do so, or we have your given consent to do so. Should we use a processor of your personal data on our behalf, we will nevertheless remain responsible for the protection of your data. All processors of your data are contractually obligated to treat your data confidentially and to process the data only within the scope of the service provision.
No automated individual decision-making procedures pursuant to Art. 22 GDPR or other profiling methods in the sense of Art. 4 (4) GDPR take place.
Your data is processed exclusively within the European Union. A transfer outside the Union does not take place. Should a transfer outside the European Union become necessary, we will inform you in advance and ensure all necessary measures to maintain an appropriate level of data protection.
The legislature has enacted a large number of retention periods, which we observe with the utmost care in order to comply with these obligations. As a general rule, we only store your personal data for as long as permitted by the defined purpose or as required by law for reasons of proof.
Data Processing through Social Media
We maintain publicly accessible profiles on social media. The individual social media used by us can be found below.
Social media such as Facebook, Twitter, etc. can generally comprehensively analyse your user behaviour when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). By visiting our social media presences, numerous data protection-relevant processing operations are triggered.
In detail: If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, you can be shown interest-based advertising inside and outside the respective social media presence. Provided you have an account with the respective social network, the interest-based advertising may be displayed on all devices on which you are or were logged in.
Our social media presences are intended to ensure the most comprehensive presence possible on the internet. This is a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.
The analysis processes initiated by the social networks may be based on different legal grounds, which must be stated by the operators of the social networks (e.g., consent within the meaning of Art. 6 (1) (a) GDPR).
Responsible party and assertion of rights
If you visit one of our social media sites (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g., Facebook).
Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
Duration of the Data storage
The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal provisions – in particular, retention periods – remain unaffected.
Used social media in detail
On our website, we use the functions of LinkedIn, a service of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. When you visit a page of our website that contains the LinkedIn function, a connection to LinkedIn servers is established. As far as we know, your personal data is not stored; in particular, the IP address is not stored and the usage behaviour is not evaluated.
To help visitors find our location quickly, our website uses a link to the location of the company on Google Maps. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you use Google Maps, Google collects, processes, and uses data about visitors’ use of the map functions. You can find more information about the processing of data by Google and Google’s Data Privacy here: https://policies.google.com/privacy?hl=en&gl=de
The legal basis for the processing of this personal data is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the easy location of our company.
Rights of the data subject
Right of access
In accordance with Art. 15 GDPR, you have the right to request information about your personal data that we process. This right includes information about:
- the purposes of processing,
- the categories of personal data,
- the recipients or categories of recipients to whom your data have been or will be disclosed
- the planned storage period, or at least the criteria for determining the storage period,
- the existence of a right to rectification, erasure, restriction of processing or objection,
- the existence of a right of appeal to a supervisory authority,
- the origin of your personal data, if it has not been collected by us, or
- the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
Right of rectification
In accordance with Art. 16 GDPR, you have the right to have incorrect or incomplete data stored with us corrected without delay.
Right of erasure
Pursuant to Art. 17 GDPR, you have the right to request that we delete your personal data without undue delay, unless further processing is necessary for one of the following reasons:
- the personal data are still necessary for the purposes for which they were collected or otherwise processed,
- for the exercise of the right to freedom of expression and information,
- for compliance with a legal obligation which requires processing under the law of the European Union or the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- for reasons of public interest in public health in accordance with Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR,
- for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
- for the assertion, exercise, or defence of legal claims.
Right of restriction of processing
According to Art. 18 GDPR, you can request the restriction of the processing of your personal data on one of the following grounds:
- You dispute the accuracy of your personal data,
- The processing is unlawful and you object to the erasure of the personal data,
- We no longer need the personal data for the purposes of processing, but you need it for the assertion, exercise, or defence of legal claims, or
- You object to the processing pursuant to Art. 21 (1) GDPR.
Right of notification
If you have requested the rectification or erasure of your personal data or a restriction of processing in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR, we will notify all recipients to whom your personal data has been disclosed, unless this proves impossible or involves a disproportionate effort. You can request that we inform you of these recipients.
Right to data portability
We grant you the right to receive your personal data that you have provided to us in a structured, common, and machine-readable format.
You also have the right to request the transfer of this data to a third party if the processing is carried out with the aid of automated procedures and is based on consent pursuant to Art. 6 (1) (a) GDPR, Art. 9 (2) (a) GDPR or Art. 6 (1) (b) GDPR.
Right to withdraw consent
In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out based on the consent until the withdrawal. In the future, we may no longer continue the data processing based on your revoked consent.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 GDPR. This depends on the federal state of your residence, your work, or the alleged violation. A list of the supervisory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.
Our responsible supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
P.O. Box 1349
Online complaint: https://www.lda.bayern.de/de/beschwerde.html.
Right to object
If we process your personal data based on a legitimate interest pursuant to Art. 6 (1) (f) GDPR, you have the right to object to this processing pursuant to Art. 21 GDPR if you can demonstrate special reasons for this. These grounds may arise from your particular situation or be directed against direct marketing. In the latter case, you have a general right of objection, which must be implemented by us without any indication of the specific situation. You can send your objection or revocation directly by email to email@example.com.
Automated individual decision-making, including Profiling
Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
However, this does not apply if the decision:
- is necessary for the conclusion or performance of a contract between the data subject and the controller,
- is permissible on the basis of legal provisions of the Union or the Member States to which the controller is subject, and these legal provisions contain appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject; or
- is made with the express consent of the data subject.
For the first and third cases mentioned above, we take measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to obtain the involvement of a person from our side, to express your point of view and to contest the decision.
Amendment and Updating
In the process of updating, changes may be made to our data protection notice from time to time. If changes are made to this notice, we will mark them for you.
This data protection notice is dated 11th April 2022