Privacy policy2019-07-19T14:48:03+02:00

Data Protection Policy

This Data Protection Policy explains which personal data we process, the reasons why we process them, and the legal basis for, and duration of, that processing.

Note on data processing in connection with credit checks:

This Data Protection Policy provides information on data processed when you visit our website or when you contact us, not, however, information on personal data processed in the context of a credit check.

Detailed information on how Boniversum GmbH processes personal data in the context of issuing credit checks can be found in our BONIPEDIA information area and on the page “Information for consumers pursuant to EU-GDPR”.

To BONIPEDIA

Overview / contents

Our Data Protection Policy contains the following information:

  • Name and contact details of the controller (i.e. the party responsible for the collecting and using personal data)
  • Contact details of the Data Protection Officer
  • Legal bases for processing personal data
  • Data erasure and data storage period
  • Sources of personal data
  • General categories, purposes and legal bases for processing personal data
  • Recipients and categories of recipients of personal data
  • Data processing in connection with the mailing of newsletters
  • DData processing in connection with the press mailing lists
  • Contacting us by email, fax or phone
  • Website provision and collection of data in logfiles
  • Data processing in connection with job applications
  • Contact forms and contact by email
  • Use of cookies by ourselves and by third-party service providers
  • Use of the analytics tool Google Analytics
  • Use of the map service Google Maps
  • Use of Google Ads and Google conversion tracking
  • Use of Google Fonts
  • Use of the Google APIs interface
  • Use of the WordPress Plugin Wordfence
  • Use of the chatbot “BoniBot”
  • Website encryption
  • Transmission of personal data to a third country (country outside the EU)
  • Right to information access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to notification
  • Right to data portability
  • Right to object to processing by virtue of a legitimate interest
  • Right to withdraw a consent once given
  • Automatic decision-making, including profiling
  • Voluntary nature of the provision of data
  • Right to lodge a complaint with a supervisory authority

A. Our contact details and general information on how we process data

Name and contact details of the controller

Responsible for collecting and using personal data in the context of data protection law is

Creditreform Boniversum GmbH
Hellersbergstrasse 11
41460 Neuss
Germany

Tel: +49 2131 109-501
Fax: +49 2131 109-557

E-Mail: info(at)boniversum.de
Website: www.boniversum.de

Further information about our company can be found in the legal notice on our website at www.boniversum.de/legal-notice/?lang=en

Contact details of the Data Protection Officer

You can reach our Data Protection Officer as follows:

Mr. Stefan Reyak (solicitor)
Hellersbergstraße 11
D-41460 Neuss
datenschutz(at)boniversum.de

Legal bases for processing personal data

Generally speaking, the following apply to our processing of personal data:

  • Point (a) of Article 6 (1) of the EU General Data Protection Regulation (GDPR) serves as the legal basis of our processing of personal data when we request your consent to data processing involving personal data.
  • Point (b) of Article 6 (1) GDPR serves as the legal basis of our processing of personal data if this is needed to perform a contract with you; the same applies if the processing is needed for preparatory measures prior to entering into a contract.
  • Point (c) of Article 6 (1) GDPR serves as the legal basis if the processing of personal data is needed for us to comply with an obligation which we have a legal duty to fulfil.
  • Point (d) of Article 6 (1) GDPR serves as the legal basis if your vital interests or those of another natural person necessitate the processing of personal data.
  • Point (f) of Article 6 (1) GDPR serves as the legal basis if the processing is needed for a legitimate interest pursued by ourselves or a third party, and provided that that interest is not overriden by your own interests, fundamental rights and fundemanteal freedoms.

Data erasure and data storage period

We generally erase or block personal data as soon as they are no longer needed for achieving the purpose for which they were originally collected. They may, however, be stored for a longer period of time if, in our capacity as controller, we are required to observe specific regulations, laws and / or other guidelines which European or national legislators have provided for under EU law. The data are also erased or blocked upon expiry of a storage period prescribed under the above-mentioned standards, unless the data need to be stored beyond that point for entering into, or performing, a contract.

In concrete terms, this means:
If we process your personal data by virtue of a consent to data processing (point (a) of Article 6 (1) of the General Data Protection Regulation (“GDPR”)), the processing ceases upon your withdrawal of that consent, unless another legal basis exists for the continued processing of the data – which would be the case if, at the time that the consent is withdrawn, we are still authorised to process your data for the purpose of performing a contract, or if the data processing is needed for us to pursue our legitimate interests (for further details, please see below).

If, in exceptional circumstances, we process the data by virtue of our legitimate interests (point (f) of Article 6 (1) GDPR) after having undertaken a balancing of interests, we will continue to store the data until the legitimate interest no longer exists, a subsequent balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.).

If we process the data to perform a contract, we will store the data until the performance of the contract has been conclusively fulfilled and wound up, and no further claims from the contract can be exercised, in other words: until all claims become time-barred. The standard limitation period under Section 195 of the German Civil Code (Bürgerliches Gesetzbuch, BGB) is three (3) years. Certain claims, however, such as claims for damages, only become time-barred after thirty years (see Section 197 BGB).

If we have legitimate grounds to assume that this is relevant on a case-by-case basis, we will store the data beyond the end of this time period. The stated limitation periods commence at the end of the year (i.e. on 31 December) in which the claim is engendered and the obligee gains – or without gross negligence, should have been able to gain – knowledge of the underlying circumstances of the claim and the identity of the obligor.

Please note that we must also observe statutory retention periods for tax and accounting reasons. These require us to retain certain data – which can also include personal data – for a period of six (6) to ten (10) years as evidence of our accounting. These retention periods take precedence over the above-mentioned erasure duties. The retention periods commence, likewise, at the end of the year concerned, i.e. on 31 December.

Sources of personal data

The personal data we process originate primarily from the data subjects, themselves, for example, if:

  • as users of our website, they send information such as their IP address to our web server via their web browser and end device (e.g. their PC, smartphone, tablet or notebook)
  • as prospective customers, they request us to send them information material or an offer
  • as customers, the send us an order or enter into a contract with us
  • as press representatives, they request us to send them media releases, opinions etc.
  • as suppliers, they supply us with merchandise or render services for us etc., as agreed

Only under very exceptional circumstances will the personal data we process originate from third parties, for example, if a person is acting on behalf of a third party.

General categories, purposes and legal bases for processing personal data

We process the following categories of personal data:

  • Users of our website
  • Prospective customers
  • Press representatives
  • Customers
  • Suppliers

Depending on the category of data involved, we process personal data for the following purposes and by virtue of the legal basis of the General Data Protection Regulation (GDPR) named in each case::

User data: We do not collect or process data about our website users on a personal basis, so we are unable to connect them to a specific person. The IP address is only processed in anonymous form. If personal data do need to be processed under exceptional circumstances, we process them to pursue our legitimate interests on the basis of point (f) of Article 6 (1) GDPR. In this context, our legitimate interests are our interest in the security and integrity of our website, and of the data on our web server (in particular, for the detection of faults and malfunctions, and pursuit of unauthorised accesses), as well as marketing interests and interests in statistical surveys (for improving our web presence, services and offerings). After balancing the various interests, we concluded that data processing is necessary for pursuing the above-mentioned legitimate interests, and that your own interests or fundamental freedoms or fundamental liberties which necessitate a protection of personal data do not override them.

Data relating to prospective customers and press representatives: Insofar as we process data relating to press representatives and prospective customers of our services, we only do so if you send us these data in an input field or by email for the purpose of an inquiry to us. The entry of these data is voluntary for you. We will then process these data exclusively for dealing with your inquiry to us. These data – which you transmit to us on a voluntary basis for the purpose of receiving information about our services – are processed as a pre-contractual measure pursuant to point (b) of Article 6 (1) GDPR and / or on the basis of your given consent pursuant to point (a) of Article 6 (1) GDPR.

Customer data: We process our customers’ personal data for the purpose of performing a contract pursuant to point (b) of Article 6 (1) GDPR and / or on the basis of a given consent pursuant to point (a) of Article 6 (1) GDPR. This also applies to requisite processing activities prior to entering into a contract (for example, in the context of preparing and negotiating offers).

Data relating to suppliers / business affiliates: We process our suppliers’ and business affiliates’ personal data for the purpose of performing a contract pursuant to point (b) of Article 6 (1) GDPR and / or on the basis of a given consent pursuant to point (a) of Article 6 (1) GDPR. This also applies to requisite processing activities prior to entering into a contract (for example, in the context of preparing and negotiating offers).

Recipients and categories of recipients of personal data

Your personal data will only be forwarded, or otherwise transmitted, to third parties if this is needed for performing a contract (e.g. for handling an order) or for billing purposes (e.g. for processing a payment transaction for the purchase of goods or services), or if a legitimate interest exists in the forwarding / transfer and you have no overriding interests or fundamental freedoms or liberties, or you have effectively given your consent beforehand.

Categories of recipients can be:

  • Service providers
  • Suppliers
  • Press representatives
  • Payment service providers (PSPs) and banks
  • Tax advisors

Data processing in connection with the mailing of newsletters

This section only refers to the German language version of the website.

You can use our website to send us a subscription request for a newsletter. In doing so, the data you enter into the input mask for the newsletter will be transmitted to us. The following personal data are involved:

  • your email address (mandatory), as well as
  • your first and last names (optional)
  • company (optional)

When you subscribe to the newsletter, the following data are also collected (as evidence of opt-in):

  • your IP address and
  • date and time of registration.

This serves to prevent misuse of the services or your email address, and lets us fulfil our legal duty to demonstrate that an opt-in (i.e. your explicit consent) to receive the newsletter actually originated from that email address.

A so-called “double opt-in” procedure is used to subscribe to our newsletter. This means that, after your registration, you receive an email requesting you to confirm your registration. This confirmation is needed to prevent registration with another person’s email address. When you click on the link to confirm your registration, your IP address and the precise time (date and time) at which you clicked on the link will be recorded. This data processing lets us fulfil our legal duty to demonstrate that an opt-in (i.e. your explicit consent) to receive the newsletter actually originated from this email address.

During the registration procedure, we obtain your consent to the data processing and refer to this Data Protection Policy.

Use of the newsletter service mailingwork
Your data are forwarded to our newsletter service provider mailingwork GmbH of Birkenweg 7, 09569 Oederan, Germany for the purposes of providing the newsletter, evaluating and analysing the usage patterns of the newsletters’ recipients, and for subscription management. The data are used exclusively in the context of providing the newsletter. mailingwork, in turn, observes all the guidelines required under data protection law. mailingwork is an wholly German company which processes all data on servers located exclusively in Germany. We have entered into a contract for commissioned data processing with mailingwork which incorporates adequate data protection guarantees, and safeguards our rights to instruct mailingwork on how to process the data. The data privacy policy of mailingwork can be found at mailingwork.de/datenschutz

Purpose of the data processing
The user’s email address is collected and processed for the purpose of providing the newsletter to the user. We use the email address for advertising purposes.

Your IP address, and time at which you clicked the confirmation link in the double opt-in email, are recorded to let us fulfil our statutory duty to demonstrate your explicitly given consent. Other personal data are collected in the course of the registration process to prevent misuse of the services or email addresses used. The data can potentially be stored for up to three (3) years after your cancellation of the newsletter to let us demonstrate a formerly given consent, respectively to defend ourselves against potential legal claims.

Legal basis for the data processing
The legal basis for processing your data after your registration for the newsletter is your consent pursuant to point (a) of Article 6 (1) GDPR.  The legal basis for storing your IP address, and the time at which you clicked the confirmation link in the double opt-in email, as well as for the potential storage of these data for up to three (3) years after your cancellation of the newsletter, is our legitimate interest pursuant to point (f) of Article 6 (1) GDPR. In this case, our legitimate interest is to let us demonstrate a formerly given consent, and to defend ourselves against any legal claims which could be derived therefrom.

Duration of storage
The data are erased as soon as they are no longer needed for achieving the purpose for which they were originally collected. Consequently, your email address will continue to be stored as long as your email subscription is active.

When a newsletter subscription is cancelled, we may store the associated email address, as well as data collected with your confirmation of consent to receiving the newsletter, for up to a further three (3) years before erasing them; in this case, the legal basis would be our legitimate interest to let us demonstrate a previously given consent. The processing of these data is limited to defending ourselves against potential legal claims. You can request us to erase these data at any time, provided that you simultaneously confirm to us your previously given consent.

The other personal data collected during the registration process will generally be erased after seven (7) days.

Possibility to object and to withdraw consent
Users can cancel their newsletter subscriptions, informally, at any time, and at no charge. Each newsletter contains an appropriate link for this purpose. This also allows users to withdraw their consent to the storage of the personal data collected during the registration process.

Data processing in connection with the press mailing lists

This section only refers to the German language version of the website.

You can subscribe to our press mailing list by sending an e-mail to our press agenca punctum pr-agentur GmbH, Neuer Zollhof 3, 40221 Düsseldorf, Deutschland. Your data will be used for the purposes of providing the press mailings, evaluating and analysing the usage patterns of the press list’ recipients, and for subscription management. The data are used exclusively in the context of providing the press mailings. punctum, in turn, observes all the guidelines required under data protection law. punctum is an wholly German company which processes all data on servers located exclusively in Germany. We have entered into a contract for commissioned data processing with punctum which incorporates adequate data protection guarantees, and safeguards our rights to instruct punctum on how to process the data.

Purpose of the data processing
The user’s email address is collected and processed for the purpose of providing the press mailings to the user. We use the email address for advertising purposes. The data can potentially be stored for up to three (3) years after your cancellation of the newsletter to let us demonstrate a formerly given consent, respectively to defend ourselves against potential legal claims.

Legal basis for the data processing
The legal basis for processing your data after your registration for the press mailings is your consent pursuant to point (a) of Article 6 (1) GDPR.

Duration of storage
The data are erased as soon as they are no longer needed for achieving the purpose for which they were originally collected. Consequently, your email address will continue to be stored as long as your email subscription is active.

When a press mailings subscription is cancelled, we may store the associated email address, as well as data collected with your confirmation of consent to receiving the press mailings, for up to a further three (3) years before erasing them; in this case, the legal basis would be our legitimate interest to let us demonstrate a previously given consent. The processing of these data is limited to defending ourselves against potential legal claims. You can request us to erase these data at any time, provided that you simultaneously confirm to us your previously given consent.

Possibility to object and to withdraw consent
Users can cancel their press mailings list subscriptions, informally, at any time, and at no charge. Each newsletter contains an appropriate link for this purpose. This also allows users to withdraw their consent to the storage of the personal data collected during the registration process.

Contacting us by email, fax or phone

We process the personal data conveyed to us by email, fax or phone to let us handle your contact / request. As your email address or fax / phone number are unavoidably needed to be able to reply to you in the first place, this also constitutes our legitimate interest in processing these data.

Legal basis for the data processing
The legal basis for the data processing is – where consent has been given (which is inherent in the contact) – point (a) of Article 6 (1) GDPR, and, otherwise, our legitimate interest in the data processing pursuant to point (f) of Article 6 (1) GDPR. If the objective of your contact or request is to enter into a contract, then the legal basis for the data processing is additionally point (b) of Article 6 (1) GDPR (taking steps prior to entering into a contract).

Duration of storage
The data are erased as soon as they are no longer needed for achieving the purpose for which they were originally collected. For personal data sent by email, this is the case when the respective dialogue with you had been brought to a close and, after that, upon expiry of a three- (3-) month waiting period – which will enable us to contact you again with respect to your inquiry or details of the dialogue, should this be necessary. The dialogue is deemed to have been brought to a close if the circumstances plainly indicate that the matter has been conclusively clarified.

The fax device stores fax data separately from the print data in its memory. After a fax has been printed, the reserved memory is freed up again, enabling the next fax to be received and stored there. After a fax has been printed, parts of the text may remain stored temporarily in the device’s memory until they are overwritten by a subsequently received fax. This generally results in the data being erased automatically after approximately 1-2 weeks. When messages are received by computer faxes, the fax is received in the form of an email, so, in this case, the descriptions for emails apply accordingly.

When we receive an inbound or make an outbound phone call, our phone system will store your phone number and / or your name / company name saved by your telephone provider, as well as the date and time of the call, in a so-called ring buffer which overwrites the oldest data with the newest data. This generally results in the data being erased automatically from the telephone system after approximately 3-4 months.

Some communication may be subject to retention periods under commercial and / or tax law, in which case these take precedence (see previous section on “Data erasure and storage period”).

Possibility to object and to withdraw consent
You may withdraw your given consent to the processing of your personal data, or object to their further processing at any time on the grounds of a legitimate interest (see section “Right to object to processing for a legitimate interest” under C. of this Data Protection Policy). In this case, the dialogue cannot be continued. You can withdraw your consent or object to the further data processing by sending us an informal notification (e.g. by email). In this case, all the personal data which were stored in the course of the dialogue will be erased.

B. Scope of the processing of personal data via our website

Personal data of website visitors are principally only collected and used if this is needed to offer a usefully functioning website, and is necessary for our contents and services. We will generally only collect personal data of our users after they have given their consent. This does not apply where there are factual reasons that prevent the prior procurement of consent and / or where legal regulations allow the data processing.

Website provision and collection of data in logfiles

Whenever our website is called, our system automatically collects data and information for technical reasons. These data are stored in the server’s logfiles. The following information is involved:

  • Date and time of the access
  • URL (address) of the referring website (referrer)
  • Web pages that the user’s system call up via our website
  • User’s screen resolution
  • Retrieved file(s), and notification of whether the retrieval was successful
  • Transmitted data volume
  • User’s Internet Service Provider (ISP)
  • Browser, browser type and browser version, browser engine and engine version
  • Operating system, operating system version, operating system type
  • User’s anonymised IP address and Internet Service Provider

These data are processed separately from other data, and are not processed with other personal data of the user. We are not able to associate these data with a specific person.

Purpose of the data processing
The system must temporarily process the data to allow delivery of our website content to the user’s computer. For this, the user’s IP address must be stored for the duration of the session. Data are stored in logfiles to ensure the correct functioning of the website. The data also allow us to optimise our offering and the website, and ensure the safety of our information technology systems. The data will not be evaluated for marketing purposes in this context.

Legal basis for the data processing
The legal basis for temporarily storing the data in logfiles is point (f) of Article 6 (1) GDPR. Our overriding legitimate interest in this data processing lies in the above-mentioned purposes.

Duration of storage
The data are erased as soon as they are no longer needed for achieving the purpose for which they were originally collected. Where data are collected for providing the website, the erasure occurs when the respective session is terminated. Where data are stored in logfiles, the data are erased after no more than seven (7) days. Data may, however, be stored for a longer period. In this case, the users’ IP addresses are erased, or anonymised such that it is no longer possible to identify the calling client.

Possibility to object and to withdraw consent
Data collection needed for providing a website, and the storage of data in logfiles, are unavoidable for operating an Internet website. The user has therefore no possibility to object to this processing. Users can, however, terminate their website usage at any time, and thereby prevent further collection of the stated data.

Data processing in connection with job applications

This section only refers to the German language version of the website.

Job applications can also be sent to us directly from our website. Detailed information on how we process your job application can be found on the dedicated page: www.boniversum.de/unternehmen/karriere/informationen-zur-bewerberdatenverarbeitung.

Contact forms and email contact

Our website contains various contact forms for contacting us electronically about different subject areas and topics. If you use this option, the data entered into the contact form will be transmitted to us and stored in encrypted form. The subsequent data processing will be fundamentally limited to the topic connected with the used contact form.

You can send us a message at any time using our contact form. The details to be provided can be found in the web form. Any mandatory fields are clearly marked with an asterisk. The data marked as mandatory inputs must be provided, otherwise we will be unable to process your request.

Our website also offers a separate contact form, specifically for businesses. Here, too, the details to be provided can be found in the web form. Any mandatory fields are clearly marked with an asterisk. The data marked as mandatory inputs must be provided, otherwise we will be unable to process your request.

We also offer a form for supplementing general terms and conditions of business. Businesses which avail themselves of our services can use this form to request a text passage in connection with GDPR which they can then incorporate into their own data protection policies. This form is intended exclusively for our business customers and may not be used for any other purpose. For this reason, we also require that, amongst others, the customer number and company name be entered here as mandatory inputs to allow us to verify them. These data inputs are used for this purpose, and are also processed and recorded in our CRM system for reconstructing such requests later on. As this functionality is only available to existing customers, the legal basis is – in derogation from the legal basis stated below – point (b) of Article 6 (1) GDPR: in the course of performing a contract.

Finally, our website offers a form for directly requesting a self-credit-check. To verify your identity, we need, amongst others, your date of birth, as well as other essential information that allows us to process your request for a self-credit-check. This is necessary, as we must convince ourselves beforehand of your entitlement to request the self-credit-check concerned. Once you have sent us these data, they will be stored in our database and processed by us, before being forwarded to our Consumer Service for downstream handling.

When you submit your message / request, the following data will also be recorded:

  • User’s IP address
  • Date and time of submission

Alternatively, you can contact us using the stated email address. In this case, the user’s personal data which are sent with the email will be stored. The data are will not be forwarded to third parties in this context. The data are used exclusively for dealing with and clarifying your matter.

Purpose of the data processing
We use the personal data from the input mask to process your contact and to handle your request. If you contact us by email or by means of an online form, this establishes the legitimate interest in processing these data. The other personal data processed in the course of the sending procedure serve to prevent misuse of the contact form and ensure the security of our information technology systems.

Legal basis for the data processing
The legal basis for the data processing is our legitimate interest in the data processing pursuant to point (f) of Article 6 (1) GDPR. The legitimate interest lies in the unavoidable necessity to process your data if we are to be able to handle, and possible reply to, your request or contact. If the objective of your contact or request is to enter into a contract, then the legal basis for the data processing is additionally point (b) of Article 6 (1) GDPR (taking steps prior to entering into a contract). The legal basis for processing the other personal data conveyed in the course of the sending procedure is our legitimate interest in the data processing pursuant to point (f) of Article 6 (1) GDPR which, in this case, is to prevent misuse of the contact form and ensure the security of our information technology systems.

Duration of storage
The data are erased as soon as they are no longer needed for achieving the purpose for which they were originally collected. For the personal data from the input mask of the contact form, or such data sent by email, this is the case when the respective dialogue with you had been brought to a close. The dialogue is deemed to have been brought to a close if the circumstances plainly indicate that the matter has been conclusively clarified. Some communication may be subject to retention periods under commercial and / or tax law, in which case these take precedence (see previous section on “Data erasure and storage period”). The other personal data collected in the course of the sending procedure will be erased after a deadline of no more than seven (7) days.

Possibility to object and to withdraw consent
You may object to the further data processing at any time on the grounds of a legitimate interest (see section “Right to object to processing for a legitimate interest” under C. of this Data Protection Policy). In this case, the dialogue cannot be continued. You can object to the further data processing by sending us an informal notification (e.g. by email). In this case, all the personal data which were stored in the course of the dialogue will be erased.

Use of cookies by ourselves and by third-party service providers

So-called cookies are used when you call up some pages of our website. These are small text files which are saved on your end device (PC, smartphone, tablet etc.). If you call up such a web page, a cookie may be saved by your browser. This cookie contains a characteristic sequence of characters which allows unambiguous identification of the browser when you next visit the website.

Apart from these, cookies of third-party service providers can be used, as well. Such cookies could potentially also enable an analysis of a user’s surfing behaviour. These cases are specifically described in this Data Protection Policy, directly with the information on the respective third-party tools (e.g. analytics tools, plugins etc.).

When you call up our website, we inform you about the use of cookies for analytical purposes and obtain your consent to the processing of the personal data used in this connection.

Cookies are used to render our website usable and improve its user-friendliness. Some of the elements on our website require the calling browser to remain identifiable, even after a page change. In this case, the cookies temporarily save the following data:

  • Language settings
  • Form validations
  • Processing of intra-page search requests
  • Calculation of the number of visitors for statistical evaluation (anonymised)

Additionally to this, our content management system, WordPress, uses technically-necessitated cookies to enable functions such as logging into the administrators’ area or possibly writing and posting commentaries for registered users (if we have enabled this). Cookies need to be set to allow recognition of logged-in users.

Purpose of the data processing
Technically-required cookies are used for the purpose of simplifying website usage for users. Some of the functions on our website cannot be offered without using cookies. For these functions, it is necessary that the browser be recognised after a page change. The user data collected by technically-required cookies are not used to create user profiles.

The analytics cookie is used for the purpose of improving the quality and contents of our website. Analytics cookies inform us on how the website is used, thereby letting us permanently optimise our offering.

Legal basis for the data processing
The legal basis for processing personal data in combination with the use of cookies is point (f) of Article 6 (1) GDPR, i.e. our own legitimate interest in the data processing – namely for above-mentioned purposes. The legal basis for processing personal data in combination with the use of analytics cookies is – subject to the prior provision of the data subject’s appropriate consent – point (a) of Article 6 (1) GDPR and, apart from that, also our own legitimate interest – namely in the above-mentioned purposes – pursuant to point (f) of article 6 (1) GDPR.

Duration of storage
Some of the cookies we use are erased at the end of the browser session, i.e. after the browser is closed (so-called session cookies). Other cookies remain on your end device and let us, or other service providers (third-party service providers), recognise your browser when you next visit our website (permanent cookies).

Apart from that, we continue to hold data that are collected by virtue of a legitimate interest until that legitimate interest lapses, a balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.). Our legitimate interest is reviewed regularly, at least once a year, to determine its continued soundness. Our legitimate interest lapses particularly if, over time, the data become insufficiently relevant for us to evaluate and compile website usage statistics – which can be reasonably assumed after a maximum of three years.

Possibility to object and to withdraw consent
The cookies are saved on your computer which, in turn, forwards them to our website. Users therefore have full control over the use of cookies. You can disable or restrict the transfer of cookies by changing the settings in your web browser. Cookies which have already been set can be erased at any time. This can also be achieved automated. If you configure your browser with the “do not track” setting, we will construe this as your objection to our further collection and usage of your personal data. Please note, however, that disabling cookies for our website may possibly prevent you from using the website’s full functionality.

Website backups (backups)

For security reasons and in order to maintain the integrity of the website and the data contained therein, we regularly back up the contents of our website. This data processing is not intended to process the personal data of users. However, it cannot be ruled out that personal user data may also be backed up.

We use the backup plugin UpdraftPlus to create backups, which stores the blog data exclusively in encrypted form directly in a cloud folder of the company Dropbox, Inc., which in turn belongs to our Internet agency Design4u Köln e.K., Amsterdamer Str. 230, 50735 Köln.

We have entered into a contract for commissioned data processing with the internet agency which guarantees us the right to issue instructions and provides sufficient guarantees that suitable technical and organisational measures will be implemented in such a way that processing is carried out in accordance with the requirements of the DSGVO and guarantees the protection of the rights of the persons concerned. The Internet Agency, in turn, has also entered into such a contract for commissioned data processing with Dropbox, Inc.

Purpose of data processing
The purpose of this data processing is to secure the data of our blog so that it can be quickly and securely restored in an emergency, e.g. in the event of attacks on the website or other cases of data loss or data modification.

Legal basis for data processing
The legal basis for the processing of personal data is Art. 6 para. 1 letter f) DSGVO, i.e. a justified interest on our part. Our legitimate interest lies in the above-mentioned purposes. We have a legitimate interest in taking appropriate measures to ensure the security and integrity of the blog’s data. Moreover, the encryption of the data directly from our backend ensures a high level of security during the transmission of the backups.

The backups are imported regularly and replace the “old” backups by overwriting the data. We perform a weekly backup. The backup files are stored by us for a maximum of 3 months and then deleted automatically.

Objection and removal possibility
The security of the data to maintain the security and integrity of our website is necessary for the safe operation of the website. Consequently, there is no possibility for the user to object or remove the data. However, you can stop using the website at any time and thus prevent further processing of the data for backup purposes.

Use of the analytics tool Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies, text files which are placed on your computer and enable us to analyse how you use the website.

Please note that, on this website, Google Analytics code is supplemented by “anonymizeIp” to ensure an anonymised collection of IP addresses (so called IP-masking). By activating IP anonymisation on this website, Google will truncate your IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be sent to and shortened by Google servers in the USA. On behalf of the website provider, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services relating to website activity and internet usage to the website provider. Google will not associate your IP address which is transmitted by your browser with any other data held by Google.

Further information concerning the terms and conditions of use, and data privacy, can be found at http://www.google.com/analytics/terms/gb.html or at https://www.google.de/intl/en_uk/policies/.

Purpose of the data processing
The analytics tool and analytics cookie are used for the purpose of improving the quality of our website and its content. They allow us to determine how our website is used and, thereby, to permanently optimise our offering. The information which the cookie generates about your usage of this website is generally transmitted to, and saved on, a server of Google in the USA.

Legal basis for the data processing
The legal basis for the data processing of personal data is point (f) of Article 6 (1) GDPR, i.e. our own legitimate interest in the data processing – namely for above-mentioned purposes. Google Inc. has acceded to the “EU US Privacy Shield”, so the transmission of data to the USA is lawful.

Duration of storage
The cookies are saved on your computer which, in turn, forwards them to our website. Users therefore have full control over the use of cookies. You can disable or restrict the transfer of cookies by changing the settings in your web browser. Cookies which have already been set can be erased at any time. This can also be achieved automated. Please note, however, that disabling cookies for our website may possibly prevent you from using the website’s full functionality.

Apart from that, we continue to hold data that are collected by virtue of a legitimate interest until that legitimate interest lapses, a balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.). Our legitimate interest is reviewed regularly, at least once a year, to determine its continued soundness. Our legitimate interest lapses particularly if, over time, the data become insufficiently relevant for us to evaluate and compile website usage statistics – which can be reasonably assumed after a maximum of three years.

Possibility to object and to withdraw consent
You can prevent the storage of cookies by selecting the appropriate configuration in your browser; please note, however, that doing so may possibly prevent you from using the website’s full functionality. You can also prevent collection of the information regarding your website usage (including your IP address) which is generated by the cookie for Google, as well as the processing of these data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

You can also prevent the collection of data by Google Analytics by clicking on the following link. This will set an opt-out cookie which will prevent any future collection of your data when visiting this website: https://tools.google.com/dlpage/gaoptout?hl=en

Use of Google Maps

This website uses the product Google Maps, a map service provided by Google Inc. of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) to display an interactive map. By using Google Maps, information on your usage of this website (including your IP address) may be transmitted to, and saved on, a server of Google in the USA.

Google could possibly transfer the information collected by Google Maps to third parties, provided that this is legally prescribed and / or the third parties process these data on Google’s behalf. Google will under no circumstances associate your IP address with any other data held by Google. This notwithstanding, it would be technically possible for Google to identify at least individual users by virtue of the data held. It would also be possible for the personal data and personality profiles of Google website users to be processed for other purposes which we are unable to influence.

Purpose of the data processing
We use Google Maps for the purposes of improving the quality and contents of our website, and offering you a simple, useful and familiar map service for orientation, showing our registered address, and planning your journey to us etc.

Legal basis for the data processing
The legal basis for the data processing of personal data in connection with Google Maps is point (f) of Article 6 (1) GDPR, i.e. our own legitimate interest in the data processing – namely for above-mentioned purposes. Google Inc. has acceded to the “EU US Privacy Shield”, so the transmission of data to the USA is lawful.

Duration of storage
Users can decide freely on running the JavaScript code needed for the tool by setting their browser configurations accordingly. Changing these settings allow you to disable or restrict the execution of JavaScript. Please note, however, that disabling the execution of JavaScript may possibly prevent you from using the website’s full functionality.

Apart from that, we continue to hold data that are collected by virtue of a legitimate interest until that legitimate interest lapses, a balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.). Our legitimate interest is reviewed regularly, at least once a year, to determine its continued soundness. Our legitimate interest lapses particularly if, over time, the data become insufficiently relevant for us to evaluate and compile website usage statistics – which can be reasonably assumed after a maximum of three years.

Possibility to object and to withdraw consent
You can easily disable the Google Maps service, and thereby prevent data transfers to Google, by disabling JavaScript in your browser. To prevent execution of JavaScript code in general, you can also install a JavaScript blocker such as the “NoScript” browser plugin (e.g. www.noscript.net or www.ghostery.com). lease note, however, that disabling JavaScript may possibly prevent you from using the website’s full functionality.

The Product Privacy Guide and terms and conditions of use of Google products, and Google Maps in particular, can be found at https://policies.google.com/technologies/product-rivacy?hl=en

Use of Google Ads and Google conversion tracking

This website uses Google Ads, an online advertising program provided by Google Inc. of 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).

Google Ads uses so-called conversion tracking. When you click on an advertisement placed by Google, a conversion tracking cookie is set. Cookies are small text files which your browser saves on your computer. These cookies are not used to personally identify users. If you visit certain pages of this website and the cookie has not yet expired, Google and we can recognise that the user clicked the advertisement and was referred to this page. Each AdWords customer receives a different cookie. Cookies cannot therefore be tracked via the websites of Ads customers.

Further information on Google Ads and Google conversion tracking can be found in Google’s data privacy policy at https://policies.google.com/privacy?hl=en

Purpose of the data processing
The information obtained with the conversion cookie is used to compile conversion statistics for us. We receive information on the total number of users who clicked on our Ads advertisement and were redirected to our website. We do not, however, receive any information which allows users to be personally identified. This serves the purpose of letting us analyse and optimise our advertising and marketing activities.

Legal basis for the data processing
Conversion cookies are saved on the basis of point (f) of Article 6 (1) GDPR. We have a legitimate interest in analysing user behaviour to optimise are online offering and advertising.

Duration of storage
The cookies which Google sets expire after thirty (30) days.

Apart from that, we continue to hold data that are collected by virtue of a legitimate interest until that legitimate interest lapses, a balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.). Our legitimate interest is reviewed regularly, at least once a year, to determine its continued soundness. Our legitimate interest lapses particularly if, over time, the data become insufficiently relevant for us to evaluate and compile website usage statistics – which can be reasonably assumed after a maximum of three years.

Possibility to object and to withdraw consent
You can disable or restrict the transfer of cookies by changing the settings in your web browser. Cookies which have already been set can be erased at any time. This can also be achieved automated. Please note, however, that disabling cookies for our website may possibly prevent you from using the website’s full functionality. If you wish to opt out of tracking, you can object to this usage by disabling the Google Conversion Tracking cookie in your browser’s user settings. After that, you will no longer be included in the conversion tracking statistics.

Use of Google Fonts

Our website uses external fonts (Google Fonts). Google Fonts is a service of Google Inc. (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. These web fonts are integrated by a server call, usually a Google server in the USA. This transfers to the server which of our Internet pages you have visited. The IP address of the browser of the visitor’s device is also stored by Google.

If you have Java-Script activated in your browser and have not installed a Java-Script-Blocker, your browser may transmit personal data to Google. We do not know what data Google links to the data received and for what purposes Google uses this data specifically.

For more information about Google Web Fonts, please visit https://developers.google.com/fonts/faq and the Google Privacy Policy.

Purposes of data processing
We use the fonts from an external source to make our site faster and visually appealing.

For further information on the purpose and scope of data collection and the further processing and use of the data by Google, as well as the terms of use and the data protection declaration of Google, and your rights and setting options for the protection of your privacy, please refer to the Google Privacy Policy.

Legal basis for data processing
The legal basis for processing personal data in combination with the use of cookies is point (f) of Article 6 (1) GDPR, i.e. our own legitimate interest in the data processing – namely for above-mentioned purposes.

Duration of storage
You can decide how to execute the Java script code required for the tool using your browser settings. By changing the settings in your Internet browser, you can deactivate or restrict the execution of Java Script and thus also prevent its storage. Note: If the execution of Java-Script is deactivated, it may not be possible to use all functions of the website to their full extent. Your browser will then load the default fonts instead of Google’s fonts.

Possibility to object and to withdraw consent
If you are a Google+ member and do not want Google to collect information about you through our website and link to your membership information stored by Google, you must log out of Google+ before visiting our website.

Sie können die Ausführung des für das Tool erforderlichen Java-Script-Codes durch eine entsprechende Einstellung Ihrer Browser-Software verhindern.
Um die Ausführung von Java-Script Code insgesamt zu verhindern, können Sie auch einen Java-Script-Blocker, wie z.B. das Browser-Plugin NoScript oder Ghostery installieren.

Use of the Google APIs interface

Our website uses Google APIs provided by Google Inc. of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google APIs is a programming interface provided by Google. When this is used, data, such as, and in particular, the IP address, may be transferred to Google.

Further information on how Google processes data can be found in Google’s data privacy policy. Dort können Sie im Datenschutzcenter auch Ihre Einstellungen verändern, so dass Sie Ihre Daten verwalten und schützen können. Click here for further guides on how to manage your data when using Google’s products.

Purpose of the data processing
We use the Google API as the interface between our website and the Google products – Google Analytics and Google Maps – which it uses. These products are used for: analysis purposes; fault rectification; optimisation and economical operation of our website; as well as for improving and optimising our website’s user experience.

Legal basis for the data processing
The legal basis for processing personal data using Google APIs is point (f) of Article 6 (1) GDPR, i.e. our own legitimate interest in, specifically: the conducting of analyses; optimisation and economical operation of our website and online offerings; and enabling us to localise and rectify faults by analysing and displaying error messages and the causes of crashes.

Duration of storage
Users can decide freely on running the JavaScript code needed for the tool by setting their browser configurations accordingly. Changing these settings allow you to disable or restrict the execution of JavaScript. Please note, however, that disabling the execution of JavaScript may possibly prevent you from using the website’s full functionality.

Apart from that, we continue to hold data that are collected by virtue of a legitimate interest until that legitimate interest lapses, a balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.). Our legitimate interest is reviewed regularly, at least once a year, to determine its continued soundness. Our legitimate interest lapses particularly if, over time, the data become insufficiently relevant for us to evaluate and compile website usage statistics – which can be reasonably assumed after a maximum of three years.

Possibility to object and to withdraw consent
If you are a Google+ member and do not want Google to collect information about you through our website and link to your membership information stored by Google, you must log out of Google+ before visiting our website.

You can prevent execution of the JavaScript code needed for the tool by setting your browser configuration accordingly. Please note, however, that disabling JavaScript may possibly prevent you from using the website’s full functionality. To prevent the execution of JavaScript code as a whole, you can also install a JavaScript blocker, such as the browser plug in NoScript or the RequestPolicy available as a Firefox add on. Your browser will then load the default fonts instead of Google’s fonts.

Use of the WordPress Plugin Wordfence

Our website uses the WordPress plugin Wordfence which records IP addresses in logfiles held on Wordfence servers for security reasons, namely for protecting against brute-force and DDoS attacks or commentary spam emails. We have entered into a contract for commissioned data processing with the provider; this contract is based on EU standard contractual clauses which incorporate adequate guarantees for the secure processing of data, and safeguard our rights to prescribe the nature and scope of the data processing. Further information about the service provider, Defiant, Inc., can be found at: https://www.wordfence.com/help/general-data-protection-regulation/

Purpose of the data processing
The temporary processing of IP addresses is necessary to safeguard the security, and thereby the correct functioning, of our website. Use of the plugin safeguards our website against attacks, thereby also ultimately protecting the data of other website users that are processed on the web server.

Legal basis for the data processing
The legal basis for processing personal data is point (f) of Article 6 (1) GDPR, i.e. our own legitimate interest in the data processing – namely for above-mentioned purposes.

Duration of storage
The data are erased as soon as they are no longer needed for achieving the purpose for which they were originally collected. For data held in logfiles for the purpose of defending against attacks, this is the case after seven (7) days. Data may, however, be stored for a longer period. In this case, the users’ IP addresses are erased, or anonymised such that it is no longer possible to identify the calling client.

Possibility to object and to withdraw consent
The data processing is unavoidable for operating the website. You therefore have no possibility to object. You can, however, terminate your website usage at any time, and thereby prevent further collection of the stated data.

Use of the chatbot “BoniBot”

This section only refers to the German language version of the website.

We use the chatbot “BoniBot” of Dr. Schengber & Friends GmbH, Schorlemerstr. 12-14, D-48143 Münster (DSAF) on our website to improve accessibility and communication with users and interested parties.

Information on data protection at the provider DSAF can be found here: https://www.messengerbot.ai/datenschutz

We have entered into a contract for commissioned data processing with DSAF that incorporate adequate guarantees for the secure processing of data.

The chatbot software used on this page uses machine learning to better understand and respond to user input. For this purpose, the entries are sent to external servers and evaluated there. This is the only way to enable the function of the chatbot. Within the chatbots, no personal data is requested or required at any point. Users are therefore not identifiable unless they enter personal data. The non-personal data entered will be used for learning and stored for training purposes. This represents a legitimate interest within the meaning of Art. 6 para. 1 letter f) DSGVO. When used, your IP address is collected by the system.

Purpose of data processing
The use of the chat bot serves us to be able to react fast and reliably to user inquiries on our website and to increase our accessibility for our customers an other user. The use of our services also serves our advertising and marketing interests, as it enables us to get in touch with interested parties faster and better. The collection of your IP address serves to distinguish you from other visitors and chatters, so that not several chats are opened simultaneously by the same user. If you enter further data in the chat window, this is voluntary and the purpose results from your request.

Legal basis of data processing
The legal basis for the data processing is our legitimate interest in the data processing pursuant to point (f) of Article 6 (1) GDPR. Our legitimate interest in this data processing lies in the aforementioned purposes and in being able to process your request at all.

Duration of storage
The data and contents of the chats are stored on the servers of DSAF for a maximum of 3 months on the system side, partly also deleted beforehand by us by manual deletion.

Apart from that, we continue to hold data that are collected by virtue of a legitimate interest until that legitimate interest lapses, a balancing of interests reaches an opposing conclusion, or you effectively lodge an objection pursuant to Article 21 GDPR (for further details, please refer to the highlighted section “Right to object to processing for a legitimate interest” under C.). Our legitimate interest is reviewed regularly, at least once a year, to determine its continued soundness. Our legitimate interest lapses particularly if, over time, the data become insufficiently relevant for us to evaluate and compile website usage statistics – which can be reasonably assumed after a maximum of three years.

Possibility of objection and elimination
You have the right at any time, and on grounds relating to your particular situation, to object to processing of personal data concerning yourself. If we cannot demonstrate any compelling, legitimate reasons for continuing the processing which override your own interests, liberties and freedoms, we will cease processing your data (Article 21 GDPR). You can contact us by email or regular post if you would like to exercise this right. But our conversation ends with the contradiction.

In this case, all personal data stored in the course of contacting us will be deleted insofar as we have no grounds for any warranty or liability claims under contract law or we have no claims against you. In all other cases, the data is blocked so that only our management has access to this data and also only for the purpose of legal reasons for storage or for the purpose of defending or asserting actual or possible claims until expiry of the limitation period (see previously our information on the duration of storage).

Website encryption

The website, and consequently all data transfers via the website, are encrypted using the SSL standard (https protocol / TLS). A 2048-bit-strong certificate-encryption algorithm is used.

Transmission of personal data to a third country (country outside the EU)

It is intended to transmit personal data to the United States of America (USA).

The intention relates specifically to a transmission of data to the following organisation:

  • Google Inc. of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) in its capacity as provider of the web analytics tool Google Analytics and the map service Google Maps.

An adequacy decision enacted by the EU Commission states that personal data may be transmitted to the USA if the recipient has acceded to the “EU-US Privacy Shield”. Google, Inc. has acceded to the EU-US Privacy Shield.

Data are additionally transmitted to the following providers:

  • Defiant, Inc. in its capacity as operator of the security software Wordfence (http://defiant.com/).

EU standard contractual clauses have been agreed with this organisation which guarantee adequate of data protection and thus permit the tranmission of data to the organisation’s servers in the USA.

C. Your rights as a data subject

If we process your personal data, then you are the affected party (“data subject”), and can exercise the following rights against us, as the party responsible for the processing (“controller”):

Right to information access

You have the right to demand us, at no charge, to confirm whether we process personal data concerning yourself. If this is the case, you have the right to information about these personal data and to further specific information set out under Article 15 GDPR. You can contact us by email or regular post if you would like to exercise this right.

Right to rectification

You have the right to demand us to rectify inaccurate personal data concerning yourself without undue delay. You also have the right – after taking the above-mentioned processing purposes into account – to demand us – also by means of a supplementary explanation – to complete incomplete personal data (Article 16 GDPR). You can contact us by email or regular post if you would like to exercise this right.

Right to erasure

You have the right to demand us to erase personal data concerning yourself without undue delay, provided that one of the specific grounds under Article 17 GDPR applies. You can con-tact us by email or regular post if you would like to exercise this right.

Right to restriction of processing

You have the right to demand us to restrict processing where one of the conditions set out under Article 18 GDPR is satisfied. You can contact us by email or regular post if you would like to exercise this right.

Right to notification

f you have exercised your right to demand us to rectify, erase or restrict the processing of your personal data, we have the duty to notify all recipients to whom your personal data were disclosed of this rectification, erasure or restriction of processing of the data, unless this were to prove impossible, or only possible with disproportionate effort. You have the right to demand us to notify you of these recipients. You can contact us by email or regular post if you would like to exercise this right.

Right to data portability

You have the right to receive, in a structured, commonly used and machine-readable format, personal data concerning yourself which you have provided to us. You also have the right to transmit these data to another controller without hindrance by us, provided that the conditions of Article 20 GDPR are satisfied. You can contact us by email or regular post if you would like to exercise this right.

Right to object to processing by virtue of a legitimate interest

Provided that, under exceptional circumstances, we process personal data on the basis of point (f) of Article 6 (1) GDPR (i.e. by virtue of a legitimate interest), you have the right at any time, and on grounds relating to your particular situation, to object to processing of personal data concerning yourself. If we cannot demonstrate any compelling, legitimate reasons for continuing the processing which override your own interests, liberties and freedoms, but also if we process your personal data concerned for the purpose of direct advertising, we will cease processing your data (Article 21 GDPR). You can contact us by email or regular post if you would like to exercise this right.

In this context, your use of a technical process, such as an unambiguous technical notification sent by your web browser (“do not track” notification), also qualifies as an objection.

Right to withdraw a consent once given

You have the right to withdraw your given consent to the collection and use of personal data, at any time, with effect for the future. You can contact us by email or regular post if you would like to exercise this right. The withdrawal has no influence on the lawfulness of the processing before your consent was withdrawn.

Automated decision-making including profiling

You have the right to be excluded from decision-making based entirely on automated processing – including profiling – which legally impacts you, or significantly affects you in a similar manner – unless the decision is: necessary for entering into, or performing, a contract between you and ourselves; authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or the decision is based on your explicit consent. We do not perform automated decision making of this nature.

Voluntary nature of the provision of data

If personal data need to be provided for legal or contractual reasons, we will principally inform you of this when collecting the data. Some of the data we collect are necessary for entering into contract, namely if we would be unable, or insufficiently able, to fulfil our duties in a contract with you by alternative means. You are under no obligation to provide us with personal data. A failure to provide personal data could, however, prevent us from implementing or offering the desired service, action, measure etc. or make it impossible to enter into contract with you.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other remedy, you have the right to lodge a complaint at any time with a supervisory authority for data protection, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning yourself infringes data protection regulations (Article 77 GDPR).

Wording of this Data Protection Policy as at: 25 May 2018

Entdecken Sie Wissen
rund um Bonität,
Scoring und Datenschutz