THE
FLAG

Data Protection Policy Social Media

This Data Protection Policy contains information on the extent to which we process your personal data (referred to below as “data”) within the scope of our presence on social media.


1. Data controller

The data controller in accordance with the General Data Protection Regulation (GDPR) is:

THE FLAG Holding GmbH
Listertalstraße 73
57439 Attendorn

Web: www.the-flag.de
E-mail: datenschutz@the-flag.de


2. Data Protection Officer contact details

Matthias Rosa, RMPrivacy GmbH, Große Langgasse 1a, 55116 Mainz

E-mail: datenschutz@the-flag.de


3. Facebook

a) Joint responsibility for data processing

We operate a Facebook fan page on the social network online platform provided by Facebook Ireland Limited (“Facebook Ireland”). Together with Facebook Ireland, we are jointly responsible for processing data in connection with the fan page in accordance with the provisions of the GDPR. This includes in particular the processing of Page Insights data, cf. bb) Use of "Insights" und Cookies. When you visit our fan page, your personal data will be processed by Facebook Ireland and us as data controllers.

Facebook Ireland is the primary data controller in accordance with GDPR for the processing of Insights data. Consequently, Facebook Ireland also assumes all obligations under the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). Facebook Ireland remains solely responsible for the processing of any personal data in connection with Page Insights that are not covered by the existing Page Insights Addendum.

On the basis of existing agreements with Facebook Ireland, including the agreement on joint responsibility for data, it is recommended that requests for information and the assertion of other data subject rights be addressed to Facebook Ireland directly. As it is the operator of the social network and has the ability to embed Facebook fan pages within it, Facebook Ireland is solely in the position to access the necessary information via its direct access options and to undertake any necessary measures and provide information directly. However, you can also submit requests to us. We will, of course, support you in this regard at any time, as well as fulfil our obligations as a data controller.

The underlying terms of use of Facebook Ireland (including the other terms and policies set out therein), can be found at:

https://www.facebook.com/legal/terms

which are supplemented by the Page Insights Addendum relating to the data controller and can be found at:

https://www.facebook.com/legal/terms/page_controller_addendum

b) What data do we process and for what purpose?

aa) Operating our fan page

The purpose of operating our Facebook fan page is to engage and interact with users of and visitors to the Facebook Ireland social media network. We occasionally post direct information on our company and related offers, e.g. events we have held or are currently holding, promotions and special offers, etc.

Our Facebook fan page also enables us to obtain statistics on site traffic and visitors. This information is compiled by Facebook Ireland and enables us to manage the marketing of our activities in a more effective and focused way. In this connection, we may occasionally obtain information on the Facebook profiles of individual users who like our fan page and/or use the applications on the page. This enables us to provide enhanced content and functionality to the relevant users via our Facebook fan page.

In order to further improve our content, we may also use the information collected during visits to perform demographic and geographic analyses based on this information. As a result, we can run specific advertisements based on users’ interests without gaining direct knowledge of their identities.

If you use several end-devices when visiting Facebook Ireland, collection and evaluation may also take place across devices, insofar as you visit our fan page as a registered user logged in under your Facebook profile.

Any visitor statistics collected are forwarded to us in anonymised form only. We do not have access to the underlying data.

bb) Use of “Insights” and cookies

We use the “Insights” service provided by Facebook Ireland to obtain anonymised statistical data on visitors to our fan page.

When you visit our fan page, Facebook Ireland stores a corresponding text file, known as a cookie, on your end-device, containing a user code that can be associated with each visit. If you are registered as a Facebook user, this user code can be linked to your data. The stored information is processed by Facebook. It is also possible that third parties can use the information contained in Facebook's cookies to provide services to companies advertising on Facebook.

Unless deleted, the cookie remains active for two years.

For more information about Page Insights, please see the Page Insights Addendum concluded between Facebook Ireland and our company:

https://www.facebook.com/legal/terms/page_controller_addendum

For more information on the use of cookies by Facebook Ireland, please refer to Facebook’s cookie policy:

https://www.facebook.com/privacy/policies/cookies/

c) Legal basis

The processing of personal data by our company is based on our legitimate interests in an effective exchange with the users of our social media sites, the visitors to our profiles as well as in connection with the communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

d) Data sharing and data transfer to the USA

It is possible that the data collected when you visit our fan pThere is no EU Commission adequacy decision for data transfers to the USA. The EU Commission has issued an adequacy decision on the transfer of data to the United States. Meta is certified under the EU-US Data Privacy Framework and is covered by the EU adequacy decision for the USA.

We do not pass on data in the course of operating our fan page.

e) Option to object via your Facebook account

As a Facebook user, you can use the settings for advertising preferences in your Facebook account to specify the extent to which your user behaviour may be recorded when you visit our fan page. Facebook also has an objection form available at:

https://www.facebook.com/help/contact/1994830130782319


4. Instagram

a) Joint responsibility for data processing

Instagram is a Facebook product provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). Together with Facebook Ireland, we are jointly responsible for processing data in connection with this fan page in accordance with the provisions of the GDPR, Art. 4 (7) GDPR. This includes in particular the processing of Page Insights data, cf. section b) bb) Use of "Insights" and cookies. When you visit our Instagram company page, your personal data will be processed by Facebook Ireland and us as the data controllers.

Facebook Ireland is the primary data controller in accordance with GDPR for the processing of Insights data. Consequently, Facebook Ireland also assumes all obligations under the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). Facebook Ireland remains solely responsible for the processing of any personal data in connection with Page Insights that are not covered by the existing Page Insights Addendum

On the basis of existing agreements with Facebook Ireland, including the agreement on joint responsibility for data, it is recommended that requests for information and the assertion of other data subject rights be addressed to Facebook Ireland directly. As it is the operator of the social network and has the ability to embed Facebook fan pages within it, Facebook Ireland is solely in the position to access the necessary information via its direct access options and to undertake any necessary measures and provide information directly. However, you can also submit requests to us. We will, of course, support you in this regard at any time, as well as fulfil our obligations as a data controller.

The underlying Page Insights Addendum relating to the data controller can be found at:

https://www.facebook.com/legal/terms/page_controller_addendum

Use of the service is governed solely by Instagram’s terms of use (including any other terms and policies set out therein). These can be found at https://help.instagram.com/581066165581870.

For information on data processing by Facebook, please refer to Instagram’s privacy policy at: https://privacycenter.instagram.com/policy/.

b) What data do we process and for what purpose?

aa) Operation of our Instagram account

The purpose of operating our Instagram account is to engage and interact with users of and visitors to the Instagram social media network. We occasionally post direct information on our company and related offers, e.g. events we have held or are currently holding, promotions and special offers, etc.

We are also in the position to obtain statistics regarding visits and interactions with our account. This information is compiled by Facebook Ireland and enables us to manage the marketing of our activities in a more effective and focused way. In this connection, we may occasionally obtain information on the Instagram profiles of individual users who like our fan page and/or use the applications on the page. This enables us to provide enhanced content and functionality to the relevant users via our Instagram fan page.

In order to further improve our content, we may also use the information collected during visits to our account to perform demographic and geographic analyses based on this information. As a result, we can run specific advertisements based on users’ interests without gaining direct knowledge of their identities.

If you use several end-devices when visiting Instagram, collection and evaluation may also take place across devices, insofar as you visit our fan page as a registered user logged in under your Instagram profile.

Any visitor statistics collected are forwarded to us in anonymised form only. We do not have access to the underlying data.

bb) Use of "Insights" and cookies

We use the “Insights” service provided by Facebook Ireland to obtain anonymised statistical data on visitors to our fan page.

When you visit our fan page, Facebook Ireland stores a corresponding text file, known as a cookie, on your end-device, containing a user code that can be associated with each visit. If you are registered as an Instagram user, this user code can be linked to your data. The stored information is processed by Facebook. It is also possible that third parties can use the information contained in Facebook's cookies to provide services to companies advertising on Facebook.

Unless deleted, the cookie remains active for two years.

For more information about Page Insights, please see the Page Insights Addendum concluded between Facebook Ireland and our company:

https://www.facebook.com/legal/terms/page_controller_addendum

For more information on the use of cookies by Facebook Ireland, please refer to Facebook’s cookie policy:

https://www.facebook.com/privacy/policies/cookies/

c) Legal basis

The processing of personal data by our company is based on our legitimate interests in an effective exchange with Instagram users, the visitors to our profiles as well as in connection with the communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

d) Data sharing and data transfer to the USA

It is possible that data collected during visits to our fan page will be forwarded to Facebook Inc. based in the USA, where they will be processed. The EU Commission has issued an adequacy decision on the transfer of data to the United States. Meta is certified under the EU-US Data Privacy Framework and is covered by the EU adequacy decision for the USA.

We do not pass on data in the course of operating our company page.

e) Option to object via your Instagram account

As an Instagram user, you can use the settings for advertising preferences in your account to specify the extent to which your user behaviour may be recorded when you visit our fan page. Facebook also has an objection form available at:

https://www.facebook.com/help/contact/1994830130782319


5. YouTube

a) What data do we process and for what purpose?

YouTube is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We do not directly process any personal data in connection with the operation of our YouTube channel.

However, if as a logged-in user, you enter data on YouTube itself, such as your user name and any content posted under your own account, these data will be processed by us when we share your comments, reply to your comments, or create a post that links to your profile. In this case, the data you enter in YouTube, in particular your (user) name and content posted under your account, are processed insofar as they are included in our offer and made accessible to our followers.

For all further data processing in the context of the use of the YouTube service and its functionalities, Google Ireland Limited is the data controller within the meaning of Art. 4 (7) GDPR. We have no influence on the type and scope of the data processed by Google as part of its YouTube service, the way in which the data are processed, how they are used or whether they are forwarded to third parties.

Information on what data are processed by YouTube and for what purposes can be found in Google’s privacy policy: https://www.google.de/policies/privacy/.

b) Legal basis

The processing of personal data by our company is based on our legitimate interests in an effective exchange with YouTube users, visitors to our profiles as well as in connection with the communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

c) Data sharing and data transfer to the USA

It is possible that data collected during visits to our YouTube channel will be forwarded to Google LLC,1600 Amphitheatre Parkway, Mountain View, CA 94043, based in the USA, where they will be processed. There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. Copies of the relevant EU standard contractual clause will be provided upon request. Please contact datenschutz@the-flag.de for this.

Google is certified under the EU-US Data Privacy Framework and as such is subject to the EU adequacy decision for the USA.

Moreover, we do not pass on data in the course of operating our company profile to third parties.


6. Vimeo

d) What data do we process and for what purpose?

Vimeo is a service provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA (“Vimeo Inc.”). We do not directly process any personal data in connection with the operation of our Vimeo channel.

However, if as a logged-in user, you enter data on Vimeo itself, such as your user name and any content posted under your own account, these data will be processed by us when we respond to your requests, reply to your comments, or create a post that links to your profile. In this case, the data you enter on Vimeo, in particular your (user) name and content posted under your account, are processed insofar as they are included in our offer and made accessible to our followers.

For all further data processing in the context of the use of the Vimeo service and its functionalities, Vimeo Inc. is the data controller within the meaning of Art. 4 (7) GDPR. We have no influence on the type and scope of the data processed by Vimeo as part of the Vimeo service, the way in which the data are processed, how they are used or whether they are forwarded to third parties.

Information on what data are processed by Vimeo and for what purposes can be found in the Vimeo Inc. privacy policy: https://vimeo.com/privacy.

e) Legal basis

The processing of personal data by our company is based on our legitimate interests in an effective exchange with Vimeo users, the visitors to our profiles as well as in connection with the communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

f) Data sharing and data transfer to the USA

It is possible that data collected during visits to our Vimeo channel will be forwarded to Vimeo Inc., 555 West 18th Street, New York, New York 10011, based in the USA, where they will be processed.

For the transfer of data to the USA, Vimeo ensures an adequate level of data protection by way of EU standard contractual clauses. A copy of the corresponding EU standard contractual clauses will be provided upon request. In this regard, please contact datenschutz@the-flag.de.

Moreover, we do not pass on data in the course of operating our company profile to third parties.


7. LinkedIn

a) Joint responsibility for data processing

LinkedIn is a product offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Together with LinkedIn, we are jointly responsible for processing data in connection with our company profile, in particular, in connection with the Page Insights feature, in accordance with the provisions of the General Data Protection Regulation (GDPR), Art. 4 (7) GDPR. When you visit our fan page, your personal data will be processed by LinkedIn and us as data controllers.

LinkedIn is the primary data controller in accordance with GDPR for the processing of Insights data, see also section b) cc) User analysis. Consequently, LinkedIn also assumes all obligations under the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). LinkedIn remains solely responsible for the processing of any personal data in connection with Page Insights that are not covered by the existing Page Insights Joint Controller Addendum.

The Page Insights Joint Controller Addendum can be found at: https://legal.linkedin.com/pages-joint-controller-addendum.

LinkedIn’s privacy policy can be found at: https://www.linkedin.com/legal/privacy-policy

b) What data do we process and for what purpose?

aa) Interaction and communication

The purpose of operating our company profile on LinkedIn is to enter into contact and interact with the LinkedIn social media network’s users and visitors. In this context, we provide direct information on our company and related offers.

As the user of a LinkedIn profile, we may process the data provided by you as a member of LinkedIn. This includes all the information you have entered in your profile, messages that you send us, in addition to interaction with our content. This occurs in particular when you share or recommend our content, comment on it, get in touch with us or when you refer to our profile on LinkedIn.

The processing of personal data by our company is based on our legitimate interests in an effective exchange with LinkedIn users, the visitors to our profiles as well as in connection with the communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

bb) Job applications

If you submit a job application to us via LinkedIn, or if you indicate that you are interested in a job offer that we have made to you, the data you provide (e.g. name, e-mail address, desired job location, data contained in your LinkedIn profile, etc.), your message and the application documents submitted will be processed exclusively for the purpose of processing and handling your application.

We process these application-related personal data on the basis of section 26 (1), Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which states that data may be processed which are required in connection with making a decision about concluding an employment contract with an applicant.

Should the data be required once the application process has been completed, i.e. for litigation purposes, the data may be processed to maintain our legitimate interests in accordance with Art. 6 (1) f) GDPR, namely for the assertion and/or defence of claims.

cc) User analysis

LinkedIn provides us with a range of information on visits and visitors to our company page via the “Page Insights” service. This information is provided by LinkedIn and enables us to manage the marketing of our activities in a more effective and focused way. This concerns what is known as aggregated data; it does not permit any link to be established to you personally. Data processing within the scope of the “Pages Insights” service is the sole responsibility of LinkedIn. We do not have access to personal data, except in aggregated form.

The processing of personal data by our company is based on our legitimate interests in an effective exchange with LinkedIn users, the visitors to our profiles as well as in connection with the communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

c) Data sharing and data transfer to the USA

It is possible that data collected during visits to our company page will be forwarded to LinkedIn Corporation, based in the USA, where they will be processed.

For the transfer of data to the USA, LinkedIn ensures an adequate level of data protection by way of EU standard contractual clauses. A copy of the corresponding EU standard contractual clauses will be provided upon request. In this regard, please contact datenschutz@the-flag.de.

Moreover, we do not pass on data to third parties in the course of operating our company profile.


8. Xing

a) What data do we process and for what purpose?

aa) Interaction and communication

We operate a company profile on the online platform provided by the social network "XING", New Work SE., Dammtorstrasse 30, 20354 Hamburg, Germany (“Xing”), which processes personal data. The purpose of operating our company profile on Xing is to enter into contact with and interact with the Xing social media network’s users and visitors as well as the ability to receive applications submitted by users directly on Xing. In this context, we provide direct information on our company and related offers.

As the user of a Xing profile, we may process the data provided by you as a member on Xing. This includes all the information you have entered in your profile, messages that you send us in addition to interaction with our content. This occurs in particular when you share or recommend our content, comment on it or when you refer to our profile on Xing.

Information on what data are processed by Xing and for what purposes can be found in its privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

The processing of personal data by our company is based on our legitimate interests in an effective exchange with Xing users, visitors to our profiles, and the ability to receive applications submitted by users directly on Xing, as well as in connection with communication with users on our social media profiles including the representation of our company in accordance with Art. 6 (1) f) GDPR.

bb) Job applications

If you submit a job application to us via Xing, or if you indicate that you are interested in a job offer that we have made to you, the data you provide (e.g. name, e-mail address, desired job location, data contained in your Xing profile, etc.), your message and the application documents submitted will be processed exclusively for the purpose of processing and handling your application.

We process these application-related personal data on the basis of section 26 (1), Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which states that data may be processed which are required in connection with making a decision about concluding an employment contract with an applicant.

Should the data be required once the application process has been completed, i.e. for litigation purposes, the data may be processed to maintain our legitimate interests in accordance with Art. 6 (1) f) GDPR, namely for the assertion and/or defence of claims.

b) Data sharing and data transfer to the USA

We do not pass on data to third parties in the course of maintaining our company profile.


9. Data retention periods

We store your personal data only as long as it is required for the purposes for which it is processed or until you withdraw your previous consent for us to do so. The retention period for certain data may be up to 10 years in the event of us having to comply with statutory retention periods, irrespective of the processing purposes.


10. Your rights as a data subject

a) Information

You can request information on all of your personal data that we have stored free of charge and at any time.

b) Correction, deletion, restriction of processing (blocking), objection

If you no longer agree to your personal data being stored or if they are no longer correct, upon your instructions, we will delete or block your data or correct them as necessary (insofar as this is permitted under the applicable law). The same applies if we are to process data only to a limited extent in the future. You have the right to object to the processing of your data especially in cases where they are required in order to perform a task which is in the public interest or in our legitimate interest, as well as where profiling is performed on the basis of your data. You also have the right to object to the processing of your data for direct marketing purposes.

c) Right of revocation of consent with future effect

You may revoke any consent you have already given with future effect at any time. Revoking your consent will not affect the legitimacy of the processing up to the point when you revoke your consent.

d) Data transferability

You may exercise your right to transfer your data in cases where they are processed on the basis of a contract, pre-contractual negotiations, consent or by automated means. Upon request, we will provide you with your data in a standard, structured and machine-readable format to enable you to transfer them to another data controller if you so wish.

e) Restriction of processing

Data that do not enable us to identify the data subject, for example where the data have been anonymised for analysis purposes, are not covered by the rights set out above. Information, deletion, blocking, correction and transfer to another company may be feasible in respect of these data if you provide us with additional information enabling us to identify the data subject.

f) Exercising your rights as a data subject and right of complaint

Should you have questions regarding the processing of your personal data as well as information on, the correction, blocking and deletion of, and objection to data, or wish to transfer the data to another company, please contact: datenschutz@the-flag.de.

You may also lodge a complaint regarding your rights as a data subject with a supervisory authority.

Stay UP TO DATE with our newsletter