Data Protection declaration
Provision of information pursuant to Art 13 of General Data Protection Regulation (EU) 2016/679 (“GDPR”) regarding the processing of personal data in the context of visiting and using the website https://www.goldenwhale.com/ (“Website”) as well as in the context of our social media presences outlined under point 9.
Thank you for your interest in our Website. The protection of your privacy is of high priority to us. Consequently, we process your personal data solely on the basis of the legal requirements prescribed by the GDPR in conjunction with the Austrian Data Protection Act (Datenschutzgesetz) as well as other relevant legal provisions.
You are not obligated to provide us with your data. Data processed automatically when accessing the Website are either not personal data or stored only for short periods of time (cf. point 6.1). In case you decide to contact us via the contact options present on the Website, you have to provide us certain of your data, which are necessary for the processing of your respective request (cf. point 6.2).
1. Definitions and interpretation
Data protection laws are generally relevant in case any processing of personal data is concerned. The terms used within the scope of this Data Protection Declaration are defined in and by the GDPR. As such, the broad definition of processing (Art 4 item 2 GDPR) of personal data means any operation or set of operations performed on personal data. Any information allowing us or third parties to potentially identify you in person can be considered your personal data, which makes you a data subject (Art 4 item 1 GDPR) within this context.
The following terms are particularly relevant for a better understanding of this Data Protection Declaration:
Term | Definition | Regulation |
Controller | Natural or legal person or other body which has decisive influence on the processing of personal data and is therefore subject to data protection obligations. | Art 4 item 7 GDPR |
Joint Controllers | Controllers, which process personal data in common interest and have each at least partly a decisive influence on decisions made in this regard. | Art 26 GDPR |
Processor | External service provider which processes personal data on behalf of the controller and is contractually bound to its instructions. The processor thereby acts as a kind of extended arm of the controller. | Art 4 item 8 GDPR |
Recipient | Generally, every natural or legal person or other body outside of the organisation of the controller to which data being subject to the controller’s responsibility are disclosed. | Art 4 item 9 GDPR |
Legal basis | Condition determined by law that constitutes an authorisation to lawfully process personal data. | Art 6 para 1 GDPR |
Transfer to third countries | Transfer of personal data to countries outside of the EU respectively EEA through which they are detracted from the sole control of the GDPR due to stronger ties to the legal system of such third country. This might take place where data are disclosed to a recipient that (i) has its seat/residency in such third country or (ii) maintains a server there on which personal data are processed. | Chapter V GDPR |
Adequacy decision | A resolution of the European Commission through which the adequacy of the data protection level in a third country is acknowledged, and consequently a transfer of data is possible without further restrictions. | Art 45 GDPR |
Appropriate safeguards | Various instruments which allow the transfer of personal data into a third country for which an adequacy decision does not exist. As far as third-country transfers by us are based on appropriate safeguards, you may request a copy thereof by contacting us at dpo@goldenwhale.com. | Art 46 GDPR |
2. Information on the controller and contact details
Controller in the sense of Art 4 item 7 GDPR: | Contact details: |
Golden Whale Productions GmbH (“we”), Antonigasse 3/5, 1180 Vienna, Austria | Email: dpo@goldenwhale.com |
3. Links to third-party sites
On our Website and in this Data Protection Declaration, we use links to websites of third parties. If you click on one of these links, you will be forwarded to the respective website. For the operators of these websites, it is only evident that you accessed our Website beforehand. However, please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party! Accordingly, we refer you, in general, to the separate data protection declarations of these websites. For further information on our processing of your data in connection with our social media presences, please review point 9.
4. Rights of the data subject
You may decide to exercise any of the following rights concerning our processing of your personal data at any time free of charge by means of a notification being sent to one of the contact options outlined under point 2; we shall then answer your request as soon as possible and within one (1) month at the latest (in exceptional cases, restrictions on these rights are possible, for instance, if otherwise the rights of third parties would be affected; for definitions see the beginning of point 6):
- access to and further information concerning your individual data processed by us (right of access, Art 15 GDPR);
- rectification of wrongly recorded data or data that have become inaccurate or incomplete (right to rectification, Art 16 GDPR);
- erasure of data which (i) are not necessary in light of the purpose of data processing, (ii) are processed unlawfully, (iii) must be erased due to a legal obligation or an objection to the processing (right to erasure, Art 17 GDPR);
- temporary restriction of processing under certain circumstances (right to restriction of processing, Art 18 GDPR);
- withdrawal of consent granted for the processing of your personal data at any time; however, please note that the withdrawal of your consent does not retroactively affect the lawfulness of data processing based on such consent – it solely affects subsequent processing activities (right to withdraw; Art 7 para 3 GDPR);
- objection to any processing of your data being based on our legitimate interest on grounds relating to your particular situation or being executed for direct marketing purposes (right to object; Art 21 para 1 and 2 GDPR);
- transfer of your personal data which are processed for the performance of a contract or on the basis of your consent in a machine-readable format to you or directly to another controller upon request (right to data portability; Art 20 GDPR);
- right to lodge a complaint with a supervisory authority in respect of our processing of your data; in Austria, a complaint has to meet the requirements laid out in § 24 Data Protection Act and has to be directed to the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, email: dsb@dsb.gv.at, phone: +43 1 52 152-0 (for the simplification of this process, the Austrian Data Protection Authority provides forms at: https://www.dsb.gv.at/dokumente).
5. Transfer of your data; recipients
For the purposes of executing the data processing activities as indicated in the course of this Data Protection Declaration, we will transfer your personal data to the following recipients or make them available to them:
Within our organisation, your data will only be provided to those entities or employees who need them to fulfil their or our respective obligations. Furthermore, (external) processors engaged by us receive your data if they need these data to provide their respective services (whereby the mere possibility to access personal data is sufficient).
Within the context of our Website, the following processors may have access to your personal data:
- dogado GmbH, Antonio-Segni-Straße 11, 44263 Dortmund, Germany (as our hosting provider);
- HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany (as service provider in regards to our newsletter and cookie consent tool as well as provider of functional tracking, automation and marketing tools – cf. points 6.3, 7.3, 8.3.1);
- Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (as sub-processor of HubSpot Germany GmbH used for protection against DDoS attacks – cf. point 8.3.1 [iii]).
Additionally, we are joint controllers in the sense of Art 26 GDPR with the service providers described under point 9 when accessing and interacting with our respective social media presence.
Lastly, we may transfer your data to independent controllers, as far as this is necessary or we are legally obliged to do so. This includes Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland (as provider of web fonts – cf. point 8.3.2).
Some of the mentioned recipients, or their server landscape, are located outside of the EU/EEA, or they use (further) processors to render their services to which this applies. Possible transfers of your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission of which you may request a copy via the contact information provided under point 2.
6. Data processing operations
In the subsequent section, data processing operations that may occur when accessing or using our Website are described in detail. Within this context, we provide you with information on the essential elements of each data processing operation, namely (a) type and extent (when and how), (b) purpose (why) as well as (c) the storage period of your data (how long).
Moreover, we inform you about the legal basis which we use to justify the respective data processing operation as required by the GDPR. The following chart provides you with a first overview of possible legal bases, which we use in this regard:
Legal basis | Definition | Regulation |
Consent | You have given us your consent prior to the beginning of the data processing operation and for the specific occasion, which therefore authorises us to process your data. (For the right to withdraw your previously given consent at any time, see point 4.) | Art 6 para 1 lit a GDPR |
Performance of a contract | The processing of your data is necessary for the performance of a contract concluded with you or to take steps prior to entering into a contract with you at your request. | Art 6 para 1 lit b GDPR |
Legitimate interests | The processing of your data is (i) necessary for the purposes of legitimate interests pursued by us or a third party and (ii) we have considered your conflicting interests and fundamental rights and freedoms accordingly. (For the right to object, see point 4.) | Art 6 para 1 lit f GDPR |
6.1 Processing of access data when visiting our Website
Type and extent of data processing: You can visit our Website without providing any personal information. When you access our Website, only certain access data are processed automatically in so-called server log files. In particular, the following data are processed in this context: (i) name of visited website; (ii) browser type/version used; (iii) operating system of the user; (iv) previously visited website (referrer URL); (v) time of the server request; (vi) data volume transferred; (vii) host name of the accessing computer (IP address used).
This information does not allow us to identify you personally; however, IP addresses are considered personal data within the meaning of the GDPR and theoretically allow certain conclusions to be drawn about you, particularly when combined with the other data sets as indicated above.
Hosting provider of our Website is dogado GmbH (Dortmund, Germany – cf. point 5).
Legal basis and purpose: The purpose of this data processing operation is to establish and maintain technical security with regards to our Website, improve the Website’s quality and generate non-personal statistical information. The processing is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the “right to object”, see point 4) in achieving the mentioned purposes.
Storage period: Server log files are stored for short periods only and subsequently erased automatically.
6.2 Contacting; contact form
Type and extent of data processing: When contacting us via the contact form provided on our Website, we will use your data as indicated in order to process your contact request and deal with it. The data processing involved is necessary to issue a response in respect of your request. Details whose indication is mandatory are marked with a *-symbol; certain additional information may be provided voluntarily. Moreover, the respective elucidations of this point apply accordingly to the processing of data being entailed by direct contact requests executed via contact details provided on our Website or in the course of this Data Protection Declaration without making use of the contact form.
Legal basis and purpose: Purpose of the data processing is to enable us an exchange with users of the Website and our customers. We process your data and answer your request on the basis of our legitimate interest (Art 6 para 1 lit f GDPR; regarding your “right to object” see point 4) in maintaining a properly functioning contact system, which is a prerequisite for the provision of any services. As far as your request is based on an existing contractual relationship with us or you are interested in establishing said contractual relationship, the processing is based on the performance of the corresponding contract, or on taking steps prior to entering into a contract with you at your request (Art 6 para 1 lit b GDPR).
Storage period: We delete your requests as well as your contact data if the request has been answered conclusively. Your data are, in general, stored for a period of six (6) months and subsequently erased within fourteen (14) days if we do not receive follow-up requests and if the data must not be further processed for different purposes.
6.3 Newsletter
Type and extent of data processing: Via the Website, you may subscribe to our newsletter by providing us the data as indicated in the relevant form (in particular, your email address). The newsletter provides you with news about our company and services; it will solely be sent to email addresses having been indicated by interested users themselves. If you no longer wish to receive the newsletter, you may unsubscribe at any time (withdraw your consent) by notifying us via the contact address specified under point 2 or by clicking on the respective link at the end of each newsletter.
In order to increase performance and reach of our advertising measures, we also use the newsletter for statistical evaluations. By doing so, we are able to analyse opening and click behaviour as well as information on the technical deliverability of the newsletter via a tracking pixel (cf. point 7.4) contained in each newsletter. Furthermore, we are able to detect if certain predefined actions are carried out after opening/clicking on the newsletter (conversion rate).
For delivery of the newsletter and statistical evaluations, we use the email delivery service of HubSpot Germany GmbH (Berlin, Germany – cf. point 5). Hence, your voluntarily provided data as well as analytical data generated will be saved on servers of the respective service provider in order to provide our newsletter service to the extent described above. Within this context, HubSpot Germany GmbH acts as our processor in the sense of Art 28 GDPR.
Legal basis and purpose: The data mentioned above are processed in the form of a newsletter for the purposes of direct marketing and are necessary to send the newsletter. A newsletter or other electronic advertisements will in no case be sent without your prior consent (Art 6 para 1 lit a GDPR, for your “right to withdraw”, see point 4) which we obtain from you directly on our Website, and which we will ask you to confirm by means of clicking the confirmation link we subsequently send to the indicated email address. All statistical evaluations are based on our legitimate interest (Art 6 para 1 lit f GDPR; for your “right to object”, see point 4) in creating a cost efficient newsletter statistic, that is easy to handle and useful for marketing purposes.
Storage period: All data having been collected for the delivery of the newsletter shall be erased within fourteen (14) days after a potential cancellation of the newsletter subscription as long as the data are not lawfully processed for other purposes as well. Statistical data generated from newsletter delivery will solely be used to create an overall statistic of newsletter performance and not be stored in a personal form that would allow attribution to a specific data subject.
6.4 Job applications
Type and extent of data processing: On our Website, we may offer to accept job applications. For this purpose, we publish information on job vacancies in our company under https://www.goldenwhale.com/team/#career. Applications are to be sent via email as indicated. Your identity data and application documents will subsequently be used to create a personal profile of the applicant; those data will then be evaluated accordingly by our department competent for employee administration and, if appropriate, used to schedule a job interview.
Legal basis and purpose: We process your data provided within this context to conduct application processes and adequately fill vacant positions on the basis of taking steps at your request prior to potentially entering into a contract (Art 6 para 1 lit b GDPR).
Storage period: Your data will be stored until we make a final decision on your application; afterwards, we shall erase your data within seven (7) months. However, in case you are hired and thus become our employee, your data will be processed further for this purpose; in such case, we will provide you additional information in line with the requirements of the individual case.
6.5 Web analysis and tracking; third-party solutions
Type and extent of data processing: On our Website, we analyse user behaviour and use or provide solutions for different purposes by utilising different third-party software tools. The specific services and their functionality are briefly described under point 8.2; information in greater detail for each service can be found under point 3.
Furthermore, we use the service “Burst Statistics” to analyse user behaviour and interactions on our Website. Within this context, we process your Connection Data (cf. point 8.1) and utilise storage technologies as well (cf. point 7). Burst Statistics is hosted locally on our servers, wherefore no third-party recipient receives any of your data in this regard.
Legal basis and purpose: Within the framework of the respective service, we use collected data in order to generate statistics, analytical reports and other information, that allows us to draw conclusions on user experience and personalise our offer. The relevant legal basis is stated in the description of the respective service.
The abovementioned purpose applies correspondingly to our use of Burst Statistics. We base the utilisation of the service on your prior consent (Art 6 para 1 lit a GDPR; for your “right to withdraw”, see point 4).
Storage period: We store generated data in accordance with the requirements and possibilities stipulated by the relevant service for as long as it is necessary to fulfil the respective processing purpose.
Your data collected within the context of Burst Statistics will be in general only processed for short periods in a personally identifiable form and shall be erased as soon as they are no longer necessary to reach the mentioned purpose.
7. Storage technologies and consent tool
On our Website, we use the following technologies for different purposes. If information is stored on your end device or information on your end device is accessed by doing so, they are called storage technologies, and are subject to particular data protection regulations. If they are not technically necessary for the functioning of our Website, we need to collect your consent prior to their use. Additionally, we use other technology for similar purposes and may further process data collected therewith by means of storage technologies. Storage technologies are also used in the scope of third-party services described under point 8.
7.1 Cookies
If you give us your consent (Art 6 para 1 lit a GDPR; for the “right to withdraw”, see points 4, 7.3), so-called “cookies” are used on our Website; in case you decline to provide your consent, we shall limit our use of cookies to those cookies being technically necessary and essential for the proper functioning of our Website (see below) and process your data on the basis of our accompanying legitimate interest (Art 6 para 1 lit f GDPR), as far as personal data are involved (for the “right to object”, see point 4).
Cookies are small data sets that are stored on your end device by your respective browser. They are placed by a web server and sent back to it as soon as a new connection is established in order to recognise the user and his settings. In this sense a cookie assigns a specific identity consisting of numbers and letters to your end device.
Cookies can fulfil different purposes, e.g. helping to maintain the functionality of websites with regard to state of the art functions and user experience. The actual content of a specific cookie is always determined by the website that created it.
Cookies always contain the following information:
- name of the cookie;
- name of the server the cookie originates from;
- ID number of the cookie;
- an end date at the end of which the cookie is automatically deleted.
Cookies can be differentiated according to type and purpose as follows:
- Necessary cookies: Technically necessary (also: essential) cookies are required for the proper functioning of websites by enabling basic functions, such as site navigation and access to protected areas. Without such cookies, a website regularly fails to be fully functional. Necessary cookies are always first-party cookies. They can only be deactivated in the settings of your browser by rejecting all cookies without exception (see below) and are also used on our Website, which is legally permissible without obtaining prior consent.
- Functional cookies: Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedback, and other third-party features.
- Performance cookies: Performance cookies are used to understand and analyse the key performance indexes of the website which helps in delivering a better user experience for the visitors.
- Analytical cookies: Analytical cookies are used to understand how visitors interact with a website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
- Advertisement cookies: Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customised ads.
With regard to the storage period cookies can be further differentiated as follows:
- Session cookies: Such cookies will be deleted without any action on your part as soon as you close your current browser session.
- Persistent cookies: Such cookies (e.g. to save your language settings) remain stored on your end device until a previously defined expiration date or until you have them manually removed.
Furthermore, cookies may be differentiated by their subject of attribution:
- First-party cookies: Such cookies are used by ourselves and placed directly from our Website. Browsers generally do not make them accessible across domains which is why the user can only be recognised by the page from which the cookie originates.
- Third-party cookies: Such cookies are not placed by the website operator itself, but by third parties when visiting a specific website, in particular, for advertising purposes (e.g. to track surfing behaviour). They allow, for example, to evaluate different page views as well as their frequency.
Most browsers automatically accept cookies (for further information on our specific consent tool, see point 7.3). Moreover, you have the option to customise your browser settings so that cookies are either generally declined or only allowed in certain ways (e.g., limiting refusal to third-party cookies). However, if you change your browser’s cookie settings, our Website may no longer be fully usable. Via the browser settings, you also have the option to delete the entirety of cookies already stored on your end device.
7.2 Local storage; session storage
If you have given us your explicit consent (Art 6 para 1 lit a GDPR), we use storage capacity of your browser software in order to, for instance, enhance the usability of our Website, its user-friendliness and our service in general (for example to save your language settings). (For the “right to withdraw”, see points 4, 7.3.) Therefore, we use the so-called local storage or session storage to store certain data on your end device, whereby your browser software maintains a separate local storage or session storage for each domain. Besides yourself, only we are able to access the data we are processing in this context. If technically necessary for the functioning of our Website, certain information may be stored in the local storage or session storage without your consent. Under no circumstances, third parties/websites will be able to access/read any of such data; however, the data may be stored on your end device by our partners (third-party service providers). In contrast to “cookies”, this method is safer and faster because data are not transferred automatically to the respective server with every HTTP request, but stored by your browser software. Additionally, a greater volume of data (at least 5 megabytes) can be stored, whereas cookies have a maximum storage capacity of 4096 Bytes.
Since their functionality is similar to that of cookies, point 7.1 applies correspondingly. Please be aware that information in the local storage does not have a predefined expiration date (similar to persistent cookies). In contrast, information in the session storage is stored only for the duration of the respective browser session (similar to session cookies).
With respect to providing or withdrawing your consent through our consent tool, see point 7.3. The manual erasure of data from the local or session storage can be achieved similarly to the manual erasure of cookies through the browser settings of most browsers since common browsers combine settings for cookies, local storage and session storage, collectively referring to website data (e.g., “cookies and other website data”); therefore please review point 7.1 for the full picture. If cookies and other website data are combined accordingly by your browser software, disabling cookies also disables access to the local storage or session storage (which therefore can lead to usability limitations). Disabling JavaScript can also prevent websites from accessing the local or session storage. However, this may result in severe usability limitations.
7.3 Consent tool
Where necessary, and in order to ensure that you have given us your prior consent regarding the use of storage technologies, a consent tool appears automatically when accessing our Website. Through the options provided therein, you can select your preferences. If you do not provide us with your consent, certain parts of our Website may be unusable.
In order to ensure that you can adequately express your consent, we use a consent tool of HubSpot Germany GmbH (Berlin, Germany – cf. point 5). To save your preferences, a technically necessary cookie may be placed on your end device for each cookie category that has been accepted or rejected.
7.4 Tracking pixel
Apart from cookies, we also use so-called tracking pixels (also: pixel tags or web beacons) to collect certain data in the course of certain implementations on our Website. Tracking pixels are transparent images which are practically invisible as they consist of a single pixel. The tracking pixel is placed on a server and loaded therefrom as soon as a respective subpage of our Website is accessed. They allow us to track that a subpage is accessed as well as certain user activities on this page for targeted marketing. By means of the tracking pixel, in particular, the following information can be collected: (i) operating system used; (ii) browser type/version used; (iii) time of access; (iv) user behaviour on the visited page; (v) IP address and approximate location of the user.
Tracking pixels are used on our Website on the basis of our legitimate interests (Art 6 para 1 lit f GDPR; for the “right to object” see point 4) in analysing user accesses in a state of the art manner. As a tracking pixel is merely an image loaded from a server, its lifetime is limited to your current browser session. However, information collected via a tracking pixel may be subsequently stored in cookies (see point 7.1).
8. Third-party services
8.1 General explanations
Purpose of processing: In order to optimise our Website for its intended purposes, provide necessary or useful functions in regards to an economically viable pursuit of our business activity as well as to make available services to users that are usually expected in our line of business, we utilise a variety of services on our Website which are rendered by third-party service providers and subsequently described below.
Processing roles: Unless stated otherwise, the respective third-party service provider acts as our processor in the sense of Art 28 GDPR and subsequently provides its services in our name and on the basis of a corresponding agreement. However, some of the engaged third-party service providers may (also) receive data as independent controllers for their own purposes, in particular for the optimisation of their services. Regardless of their specific processing role, they are in any case considered recipients of some of your data, since the use of the respective service on our Website requires the processing of your data by the corresponding service provider.
Necessary processing: From a purely technical perspective, certain data are transferred when visiting any website, and generally shared with all implemented services. These data in their entirety amount to a digital fingerprint (browser fingerprint) which you leave in the course of your online activities – and can be used to draw certain conclusions about you or your end device.
In this regard, the following categories of “Connection Data” can be distinguished, which are (possibly) transferred to the server from which the Website or a specific file is requested.
- Implicit Connection Data (automated, obligatory and unsolicited transfer):
  - IP address of the accessing computer;
  - user agent (browser type and version, operating system);
  - accessed site (URL);
  - site from which the user accessed (referrer URL);
  - time of access;
  - language settings.
- Explicit Connection Data (transferred if intended by the source code of the respective service):
  - screen resolution;
  - colour depth;
  - time zone;
  - touch screen support;
  - browser plugins.
Furthermore, most of the respective services use storage technologies (cf. point 7).
Transfer to third countries: The mentioned service providers are, or their server landscape is, located outside of the EU/EEA, or they use (further) processors to render their services to which this applies. Possible transfers of your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, are based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission – unless otherwise stated. You may request a copy of standard contractual clauses concluded by us via the contact information provided under point 2.
8.2 Overview and brief summary
Subsequently, you can find a brief summary of services used as well as accompanying basic legal information.
If you press on the name of one of the services, you will be transferred to the data protection declaration of the respective service provider. Please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party (cf. point 3).
Service | Processing operation | Purpose | Legal basis |
 | Processing user data via different utility tools | Web analysis and tracking; user administration; enhancing efficiency and effectiveness of the Website | Consent; Legitimate interest |
 | Processing of Connection Data; processing of data using storage technologies | Protection against DDoS attacks | Legitimate interest |
 | Processing of Connection Data | Embedding digital fonts into the Website | Legitimate interest |
8.3 Individual third-party services
8.3.1 HubSpot
On our Website, we use several functional tools and services provided by HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany (“HubSpot Germany“). HubSpot Germany allows us to realise wide-ranging automation, personalisation and segmentation of our services and marketing measures.
Outsourcing of processing activities by HubSpot Germany to third parties such as group companies may take place, wherefore a processing of your data in the US, in particular by HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA, is possible. Any transfer of your data within this context into the legal sphere of such third parties, as far as no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, is based on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission.
(i) Tracking; web analysis
We embed tracking code of HubSpot Germany into our Website, allowing us to collect data on user behaviour as well as other helpful information when users interact with our services. This entails processing of your Connection Data (cf. point 8.1) as well as the utilisation of storage technologies (cf. point 7). As a result, we receive those data in form of an interactive dashboard that enables us to draw statistical conclusions on the use of our Website and its functions. Therewith, we can personalise the Website accordingly and make our offerings more interesting to you.
We base utilisation of HubSpot tracking tools on your prior consent (Art 6 para 1 lit a GDPR; for your “right to withdraw”, see point 4). Your data collected within this context will be in general only processed for short periods in a personally identifiable form and shall be erased as soon as they are no longer necessary to reach the abovementioned purpose.
(ii) Other HubSpot services
Furthermore, we use several other services provided by HubSpot Germany offering us a wide variety of functions. Within this context, we particularly use:
- HubSpot’s Marketing service, (i) allowing us to effectively administer our contacts that may be used for certain marketing purposes and initiate the relevant steps in this respect – this particularly includes the use of HubSpot’s newsletter delivery and administration service pursuant to point 6.3; (ii) providing further marketing (automation) tools which allow us, e.g., to use any information generated by analysing user behaviour on our Website to tailor our ads displayed on third-party sites or advertising networks to your interests and process your respective interactions therewith (purpose of effectively executing direct marketing measures and simplifying processes involved);
- HubSpot’s Dashboard & Reporting service, allowing us to connect data sets processed in the course of using different HubSpot services in order to build customised dashboards specifically tailored to our needs (purpose of analysing data flows on our Website in order to draw necessary and helpful conclusions and steadily improve our services).
Any further processing of your data due to interactions between different HubSpot services and service components that treat data having been collected for different purposes as outlined in the course of this Data Protection Declaration is based on our legitimate interest pursuant to Art 6 para 1 lit f GDPR in creating overarching insights, simplifying decision making and improving our services in terms of efficiency and effectiveness (for your “right to object”, see point 4).
(iii) Cloudflare (protection against DDoS attacks)
In the course of the HubSpot integrations implemented into our Website, the web application firewall of Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (“Cloudflare“) is used for the purpose of protection against so-called distributed denial of service attacks (“DDoS attacks“). This allows us to prevent interruptions and ensure a secure experience for our users.
Within this context, your Connection Data (cf. point 8.1) are processed when accessing our Website. Furthermore, a technically necessary cookie will be placed on your end device (cf. point 7.1).
The engagement of Cloudflare for the abovementioned purposes is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the right to object, see point 4).
For further information on the data protection practice of Cloudflare, you may also review the Cloudflare Privacy Policy under https://www.cloudflare.com/de-de/privacypolicy/.
8.3.2 Google Fonts
On our Website, we use digital fonts provided by Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland (“Google Ireland“), namely “Google Fonts“, as they are optimised for websites and allow us to save bandwidth. This leads to reduced loading times for the Website as well as to a uniform appearance on all common browsers and end devices. Due to our use of Google Fonts, your Connection Data (cf. point 8.1) will be transferred to Google servers when accessing the Website.
Utilisation of Google Fonts is based on our legitimate interest in realising an appealing and uniform web appearance (Art 6 para 1 lit f GDPR; for the right to object, see point 4). Data processing follows the purpose of making our Website more appealing to potential users. Google Ireland acts as independent controller of any transferred data in this regard, using them for analysis purposes.
Google Ireland intends to process data of users of the EEA region, where possible, in data centres situated in Europe; however, an outsourcing of processing activities to third parties such as group companies may take place, wherefore a processing of your data in the US, in particular by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA is possible. An overview of Google’s data centres can be viewed at: https://www.google.com/about/datacenters/inside/locations/?hl=en.
For further information on data usage by Google Ireland and affiliated companies as well as your options in terms of settings and objection, please review the data protection declaration of Google under https://policies.google.com/privacy?hl=en. More information on Google Fonts specifically can be found at https://developers.google.com/fonts/faq.
9. Social media presences
For the purpose of promoting our business activity and our service offer, we maintain presences in various social networks. The processing of your data in this context is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the right to object, see point 7) in expanding our reach as well as providing additional information and means of communication to users of social networks. In order to reach said purposes at the best possible rate, we may utilise functions provided by the respective service provider to measure our reach in detail (access statistics, identification of returning users, etc.).
In the course of accessing any of the online presences outlined subsequently, we process the general information being evident due to your profile in the respective network as well as additional continuance, contact or content data, as far as you provide us with such data by interacting with our online presence and its contents. We do not store those data separately outside of the respective social network.
Since we jointly decide with the relevant service provider (respectively entity expressly outlined as controller) upon purposes and means of data processing in the course of a respective online presence, we are to be considered joint controllers in the sense of Art 26 GDPR. The provider of each social network mentioned shall act as the primary point of contact with regard to all general and technical questions in respect of our online presences; this also applies to fulfilling rights of the data subjects in the sense of point 7. However, in case of requests concerning the specific operation of our online presences, your interactions with them or information published/collected via such channels, we shall be the primary point of contact; point 7 as well as other stipulations in this Data Protection Declaration apply correspondingly.
Some of the subsequent service providers are, or their server landscape is, located outside of the EU/EEA in countries for which no adequacy decision of the European Commission in the sense of Art 45 GDPR is in place, or they use processors to render their services to which this applies. Please be aware that we have no influence on whether or to what extent such transfers take place when using the respective network. You can find the relevant information on how each service provider handles third-country transfers (which might include your data provided in the course of interacting with our Social Media Presences) in the relevant data protection information of such service provider (cf. the respective links under each subsequent subsection). Mostly, those service providers utilise standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission in order to justify their transfers.
9.1 LinkedIn
The social network “LinkedIn” is operated and data processing is controlled in the EEA area by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn Ireland“). In respect of the operation of our LinkedIn account “Golden Whale Productions” (https://www.linkedin.com/company/golden-whale-productions/), we are joint controllers in the sense of Art 26 GDPR with LinkedIn Ireland.
Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by LinkedIn in order to personalise and maintain our LinkedIn account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.linkedin.com/legal/user-agreement?_l=en_EN) as well as the separate data protection declaration (https://www.linkedin.com/legal/privacy-policy) and consider the settings options in your LinkedIn account. In regards to any information provided by us via mechanisms made available by LinkedIn (postings, chats, etc.), we are naturally fully responsible.