Privacy Notice pursuant to Art. 13, 14 GDPR

As of 13 December 2024

We appreciate your interest in our company and our products. As the controller under data-protection law, we want you to feel confident about how we and our employees protect your personal data. We take the protection of your personal data very seriously. Compliance with German and European data-protection regulations is a matter of course for us. Protecting your personal data therefore has top priority for us. With the following information, we would like to explain in detail how we handle your personal data.

For readability, the generic masculine form is used. It is expressly pointed out that the exclusive use of the masculine form is to be understood as gender-neutral.

Information on the processing of your personal data when you use our website can be found in our Privacy Policy.

General information – valid for all following descriptions of data processing

1. Name and contact details of the controller

The controller responsible for processing your personal data in the context of this contact is:

prognostica GmbH
Prymstr. 3
97070 Würzburg
Germany

Tel.: +49 931 4973860
E-mail: info@prognostica.de
Website: www.prognostica.de

2. Contact details of the data-protection officer

You can reach our data-protection officer as follows:

DataCo GmbH
Nymphenburger Str. 86
80636 Munich
Germany

Tel.: +49 89 7400 45840
E-mail: info@dataguard.de
Website: www.dataguard.de

Rights of data subjects

1. Right of access (Art. 15 GDPR)

If your personal data are processed, you have the right to obtain from the controller information about the data stored concerning you (Art. 15 GDPR).

2. Right to rectification (Art. 16 GDPR)

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you and the completion of incomplete personal data (Art. 16 GDPR).

3. Right to erasure (Art. 17 and 18 GDPR)

Where the legal requirements are met, you may request the immediate erasure of your personal data or the restriction of processing (Art. 17 and 18 GDPR).

4. Duty of notification (Art. 19 GDPR)

If you have exercised your right to rectification, erasure or restriction of processing with the controller, the latter is obliged to communicate any rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about those recipients (Art. 19 GDPR).

5. Right to data portability (Art. 20 GDPR)

If you have consented to data processing or a contract exists and the processing is carried out by automated means, you may have a right to data portability (Art. 20 GDPR). In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible, provided that the freedoms and rights of others are not adversely affected.

6. Right to object to processing (Art. 21 para. 1 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims (Art. 21 para. 1 GDPR).

7. Right to object to direct marketing (Art. 21 para. 2 GDPR)

Where personal data concerning you are processed for direct-marketing purposes, you have the right to object at any time to processing of your personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing (Art. 21 para. 2 GDPR). If you object to processing for direct-marketing purposes, the personal data concerning you will no longer be processed for these purposes.

8. Right to withdraw consent (Art. 7 para. 3 GDPR)

You have the right to withdraw your data-protection consent declaration at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Art. 7 para. 3 GDPR).

9. Automated decision-making in individual cases including profiling (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you. If the legal requirements are met, you have the right to obtain human intervention, to express your point of view and to contest the decision (Art. 22 GDPR).

10. Right to lodge a complaint (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR). The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint including the possibility of a judicial remedy under Art. 78 GDPR.

For applicants

1. Processing of your personal data

prognostica collects the following personal data from you in the application process:
  • Salutation,
  • Title,
  • First name,
  • Surname,
  • Your mobile number,
  • Your landline number,
  • Your e-mail address,
  • Address,
  • Availability,
  • Salary expectation,
  • All personal data contained in the application (CV, cover letter, school education, professional qualifications and further training, certificates, etc.),
  • Other data that you voluntarily share with us during the application process.

prognostica collects personal data from applicants in the following ways:
  • Direct application via the prognostica careers page,
  • Application by e-mail sent directly to a prognostica employee,
  • Candidates contacted by prognostica on LinkedIn.

2. Purposes of processing and legal basis

Your personal data are processed for the following purposes:
  • Conducting the application procedure and deciding on the establishment of the employment relationship,
  • Communication (telephone, e-mail),
  • Carrying out pre-contractual measures (initiating the employment relationship),
  • Assertion, exercise or defence of legal claims arising from the application process.

Processing of special categories of personal data that have been made public – Art. 9 para. 2 lit. e GDPR

Insofar as special categories of personal data that you have obviously made public are processed, your data are processed in accordance with Art. 9 para. 2 lit. e GDPR.

Processing for the purpose of asserting, exercising or defending legal claims or for acts of the courts – Art. 6 para. 1 lit. f GDPR, Art. 9 para. 2 lit. f GDPR

Where necessary, your data are processed for the purpose of asserting, exercising or defending legal claims and for acts of the courts pursuant to Art. 6 para. 1 lit. f GDPR and Art. 9 para. 2 lit. f GDPR.

Processing based on consent – Art. 6 para. 1 lit. a GDPR in conjunction with Art. 7 GDPR, Art. 88 para. 1 GDPR in conjunction with § 26 para. 2 BDSG

If you have given your consent to data processing, your data are processed pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Art. 7 GDPR, Art. 88 para. 1 GDPR in conjunction with § 26 para. 2 BDSG.

Decision on the establishment of the employment relationship – Art. 6 para. 1 lit. b GDPR, Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 BDSG

We process your data to decide on the establishment of the employment relationship. In the event of employment in our company, your data will be processed for the purpose of implementing and terminating the employment relationship. You will receive separate information on the processing of your personal data for this purpose.

Processing on the basis of legitimate interest – Art. 6 para. 1 lit. f GDPR

Where processing is necessary to protect a legitimate interest of ours or a third party and your interests or fundamental rights and freedoms do not override that interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis. Our legitimate interest arises in particular for the following reasons:
  • Proper execution and optimisation of the application procedure,
  • Assertion, exercise or defence of legal claims.

Processing of special categories of personal data – Art. 9 para. 2 lit. a GDPR

If you have consented to the processing of special categories of personal data, such as health data or religious affiliation, your data are processed pursuant to Art. 9 para. 2 lit. a GDPR.

3. Recipients or categories of recipients of the personal data

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients:
  • Within our company, only authorised employees have access to an applicant's data,
  • External tax advisor and payroll accountant,
  • Processors,
  • Affiliated companies.

Data are otherwise only transferred to recipients outside the company where permitted or required by law, where the transfer is necessary to fulfil legal obligations or where we have your consent.

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:
  • Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043, United States

To make the third-country transfer as data-protection-friendly as possible, we have concluded processing agreements containing standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR with all providers in insecure third countries. A copy of the standard data-protection clauses can be requested from us by informal e-mail. We are currently working to adapt to the ECJ ruling of 16 July 2020 (Schrems II, Case C-311/18), including additional safeguards.

4. Transfer of personal data to a third country

As a rule, your personal data collected and generated during your application phase are stored on servers in the European Union. Because our service providers offer their products and/or services on the basis of available resources and servers worldwide, your personal data may be transferred to or accessed from another jurisdiction outside the European Union and the European Economic Area. In particular, personal data are transferred to the third country USA within the meaning of Art. 15 para. 2 GDPR. To ensure the continued protection level required when transferring data to a third country, contractual measures are agreed for this purpose.

The software provider Google LLC is headquartered in the United States of America, which has not been recognised as providing an adequate level of data protection. To ensure appropriate safeguards for the transfer and processing of personal data outside the EU, data are transferred to and processed by our service providers on the basis of appropriate safeguards under Art. 46 et seq. GDPR, in particular by concluding so-called standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.

5. Duration of storage of the personal data

We will delete your personal data as soon as the purposes set out in section 2 cease to apply or you object to the use of your personal data (in the case of processing based on legitimate interests) or withdraw your previously given consent. Your personal data may, however, continue to be stored, in particular in the following cases:
  • where contractual, statutory (especially under the German Commercial Code, Criminal Code and Fiscal Code) or constitutional retention periods prevent deletion,
  • for the assertion, exercise or defence of legal claims,
  • where required under European or national law to fulfil a legal obligation to which we are subject.

The following retention periods arise for us in particular from statutory provisions:
  • After a decision not to hire: 6-month retention period for application documents (§ 15 para. 4 German General Equal Treatment Act (AGG), § 224 Code of Civil Procedure (ZPO)).

In the event of employment with our company, your personal data will be deleted once the purpose no longer applies, at the latest after termination of the employment relationship, unless statutory retention periods prevent deletion.

For customers and prospects

1. Processing of your personal data

In the context of an existing customer relationship and contract initiation, we process the following data relating to you:
  • First name,
  • Surname,
  • Salutation,
  • Title and academic degrees,
  • Company name,
  • Position in the company,
  • Department in the company,
  • Your e-mail address,
  • Business address,
  • Tax ID,
  • Bank details,
  • Your mobile number,
  • Your landline number,
  • Your fax number,
  • All personal data provided to us in customer communications.

prognostica collects data from interested parties and customers in the following ways:
  • Enquiries via the contact form on the prognostica website,
  • Enquiries via messages to prognostica employees, e.g. via e-mail, LinkedIn messages or other communication channels (e.g. Discord),
  • Enquiries at trade fairs, conferences or other events where data are passed to prognostica employees for the purpose of making contact,
  • Own research on potential prospects via industry directories, contact details on websites or professional networks,
  • Collection of personal data after conclusion of a contract with prognostica from the person themselves or receipt of personal data from an employee of the customer company. This may also affect employees of service providers of the customer company.

2. Purposes of processing and legal basis

In the context of an existing customer relationship and contract initiation, your personal data are processed for the following purposes:
  • To process your enquiry as a prospect. For this purpose, we use your contact details to answer your enquiry.
  • To prepare and carry out pre-contractual measures – this includes, for example, preparing and sending an individual offer or individually agreeing and transmitting contract terms with the aim of concluding a contract.
  • To enter your contact details in our customer and contact database.
  • Contact (e-mail, telephone).
  • Establishment, execution and termination of the contractual relationship.
  • Customer management and support – in particular handling customer enquiries.
  • To keep you optimally informed about our products and services. This also includes sending (direct) advertising by e-mail or telephone.
  • To provide you with the best possible support as our customer. This includes in particular communication with you by e-mail, mobile, landline or fax.
  • To ensure smooth billing of the services provided. For this purpose, your personal data are processed so that invoices can be issued.
  • To comply with our legal obligations. This includes, for example, transmitting your personal data to the tax office.
  • For the purpose of providing information about services and products of prognostica.
  • For the purpose of carrying out marketing initiatives such as newsletters, product updates, invitations to events and webinars.
  • To fulfil post-contractual measures.
  • For the assertion, exercise or defence of legal claims.
  • To carry out product test phases.
  • To survey your satisfaction with our products and services.

Processing of your personal data based on consent

If we obtain your consent for the processing of your personal data, processing takes place on the basis of Art. 6 para. 1 lit. a GDPR in conjunction with Art. 5, 7 GDPR.

Processing for the purpose of performing the contract with you

Where we process your personal data for the purpose of fulfilling the contract, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre- and post-contractual measures.

Processing to fulfil a legal obligation

Where processing your personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. Our statutory obligation to process data arises, for example, from tax and/or commercial retention obligations.

Processing on the basis of legitimate interest

The legal basis for direct-marketing purposes can be Art. 6 para. 1 lit. f GDPR where our legitimate interests are present and are not overridden by your interests or fundamental rights and freedoms requiring the protection of personal data. The legitimate interests we pursue—in addition to the purposes listed in section 2—include:
  • To inform you optimally about our products, offers and services by way of direct marketing,
  • To communicate with you, in particular to respond to your enquiries by e-mail, telephone and/or fax,
  • To conduct due diligence with our potential business partner,
  • To obtain customer feedback to improve the customer experience and our products and services.

The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is likewise our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

3. Recipients or categories of recipients of the personal data

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have given your consent or if this is permitted by law. External recipients of your personal data in particular include:
  • External staff,
  • Processors,
  • Authorities, e.g. tax offices, courts, trade supervisory office, data-protection supervisory authorities, Federal Office for Economic Affairs and Export Control (BAFA),
  • Debt-collection agencies,
  • Credit institutions,
  • Parcel service providers,
  • Postal services,
  • Lawyers, tax advisors,
  • Auditors,
  • Affiliated companies.

Your personal data are transferred to the following service providers:
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
  • Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
  • LinkedIn Ireland Unlimited Company, Dublin, Ireland
  • HubSpot Inc., Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland

prognostica uses Hetzner to host internal and external IT systems and Strato to host the website.

prognostica uses the HubSpot platform to send newsletters and for other marketing activities.

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:
  • Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043, United States
  • Discord, Inc., 444 De Haro St, Suite 200, San Francisco, California 94107, United States

Google LLC processes its data, among other places, in the United States of America. prognostica uses Google services, including Google Meet, as well as LinkedIn and Discord for business communications with customers and prospects. Further information on Google's data processing can be found at: https://policies.google.com/privacy?gl=DE&hl=en. Further information on Discord's data processing can be found at: https://discord.com/privacy.

4. Transfer of personal data to a third country

As a rule, personal data collected and generated while providing relevant products and services are stored on servers in the European Union. Because the providers of our software solutions offer their products and/or services on the basis of available resources and servers worldwide, your personal data may be transferred to or accessed from another jurisdiction outside the European Union and the European Economic Area. In particular, personal data are transferred to the third country USA within the meaning of Art. 15 para. 2 GDPR. To ensure the continued protection level required when transferring data to a third country, contractual measures are agreed for this purpose.

The software providers Google LLC and Discord Inc. are headquartered in the United States of America, which has not been recognised as providing an adequate level of data protection. To ensure appropriate safeguards for the transfer and processing of personal data outside the EU, data are transferred to and processed by our service providers on the basis of appropriate safeguards under Art. 46 et seq. GDPR, in particular by concluding so-called standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.

In the case of the US company HubSpot with its European headquarters in Ireland, data processing primarily takes place on servers in the European Union (Germany). The processing agreement with standard contractual clauses used by HubSpot and concluded with us to secure data transfer to third countries and for processing that may also take place at HubSpot's parent company in the USA can be found at https://legal.hubspot.com/de/dpa. Further information on HubSpot's privacy policy can be found at https://legal.hubspot.com/de/privacy-policy.

5. Duration of storage of the personal data

We do not store your personal data longer than necessary for the purpose for which they were collected. This means that data in our systems are destroyed or deleted once they are no longer required. We take appropriate measures to ensure that your personal data are processed only under the following conditions:
  • For the duration the data are used to provide you with a service,
  • As required by applicable law, contract or with regard to our legal obligations,
  • Only as long as necessary for the purpose for which the data were collected, or longer if required by contract or applicable law, subject to appropriate safeguards.

A requirement may exist in particular if the data are still needed to fulfil contractual services, to be able to check and grant or defend warranty and, if applicable, guarantee claims. If the data are no longer required to fulfil contractual or legal obligations, they are regularly deleted, unless their—temporary—retention continues to be necessary, in particular to comply with statutory retention periods of up to ten years (including those arising from the Commercial Code, the Fiscal Code and the Money Laundering Act). In the case of statutory retention obligations, deletion is only possible after expiry of the respective retention obligation.

For suppliers and service providers

1. Processing of your personal data

prognostica processes personal data of suppliers and service providers. This is necessary for business operations. The following data are processed:
  • First name,
  • Surname,
  • Salutation,
  • Title and academic degrees,
  • Company name,
  • Position in the company,
  • Department in the company,
  • Your e-mail address,
  • Business address,
  • Tax ID,
  • Bank details,
  • Your mobile number,
  • Your landline number,
  • Your fax number,
  • All personal data provided to us in communications.

prognostica collects data from suppliers and service providers in the following ways:
  • Receipt of personal data directly from the data subject when suppliers/service providers contact us,
  • Receipt of personal data directly from the data subject when prognostica contacts them,
  • Research in industry directories or websites,
  • Enquiries at trade fairs, conferences or other events where data are passed to prognostica employees for the purpose of making contact.

2. Purposes of processing and legal basis

We process your data for the following purposes:
  • Initiation, execution and termination of a contractual relationship,
  • Placing orders,
  • Review and optimisation of procedures for needs analysis,
  • Obtaining information and exchanging data with credit agencies to determine creditworthiness or risk of default,
  • Market and opinion research, unless you have objected to the use of these data for these purposes,
  • Assertion, exercise or defence of legal claims,
  • Measures to manage the business and further develop our products.

Processing of your personal data based on consent

If we obtain your consent for the processing of your personal data, processing takes place on the basis of Art. 6 para. 1 lit. a GDPR in conjunction with Art. 5, 7 GDPR.

Processing for the purpose of performing the contract with you

Where we process your personal data for the purpose of fulfilling the contract, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre- and post-contractual measures.

Processing to fulfil a legal obligation

Where processing your personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. Our statutory obligation to process data arises, for example, from tax and/or commercial retention obligations.

Processing on the basis of legitimate interest

The legal basis for direct-marketing purposes can be Art. 6 para. 1 lit. f GDPR where our legitimate interests are present and are not overridden by your interests or fundamental rights and freedoms. The legitimate interests we pursue—alongside the purposes set out in section 2—include:
  • To inform you optimally about our products, offers and services by way of direct marketing,
  • To communicate with you, in particular to respond to your enquiries by e-mail, telephone and/or fax,
  • To conduct due diligence with our potential business partner.

The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is likewise our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

3. Recipients or categories of recipients of the personal data

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have given your consent or if this is permitted by law. External recipients of your personal data in particular include:
  • External staff,
  • Processors,
  • Potential business partners in the context of a (future) due-diligence review,
  • Authorities, e.g. tax offices, courts, trade supervisory office,
  • Billing partners,
  • Credit institutions,
  • Parcel service providers,
  • Postal services,
  • Lawyers, tax advisors,
  • Auditors,
  • Affiliated companies.

Your personal data are transferred to the following service providers:
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
  • Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:
  • Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043, United States

prognostica uses Google services, including Google Meet, for business communications with suppliers and service providers. Further information on Google's data processing can be found at https://policies.google.com/privacy?gl=DE&hl=en. In the case of processors and service providers outside the EU/EEA, your above-mentioned personal data are processed only where covered by our standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR with these recipients.

4. Transfer of personal data to a third country

As a rule, personal data collected and generated while supplying products and services are stored on servers in the European Union. Because the providers of our software solutions offer their products and/or services on the basis of available resources and servers worldwide, your personal data may be transferred to or accessed from another jurisdiction outside the European Union and the European Economic Area. In particular, personal data are transferred to the third country USA within the meaning of Art. 15 para. 2 GDPR. To ensure the continued protection level required when transferring data to a third country, contractual measures are agreed for this purpose.

The software provider Google LLC is headquartered in the United States of America, which has not been recognised as providing an adequate level of data protection. To ensure appropriate safeguards for the transfer and processing of personal data outside the EU, data are transferred to and processed by our service providers on the basis of appropriate safeguards under Art. 46 et seq. GDPR, in particular by concluding so-called standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.

5. Duration of storage of the personal data

We do not store your personal data longer than necessary for the purpose for which they were collected. This means that data in our systems are destroyed or deleted once they are no longer required. We take appropriate measures to ensure that your personal data are processed only under the following conditions:
  • As required by applicable law, contract or with regard to our legal obligations,
  • Only as long as necessary for the purpose for which the data were collected, or longer if required by contract or applicable law, subject to appropriate safeguards.

A requirement may exist in particular if the data are still needed to fulfil contractual services, to be able to check and grant or defend warranty and, if applicable, guarantee claims. If the data are no longer required to fulfil contractual or legal obligations, they are regularly deleted, unless their—temporary—retention continues to be necessary, in particular to comply with statutory retention periods of up to ten years (including those arising from the Commercial Code, the Fiscal Code and the Money Laundering Act). In the case of statutory retention obligations, deletion is only possible after expiry of the respective retention obligation.

6. Obligation to provide data

To conclude and perform the contract with you (or a planned contract), you must provide the personal data necessary for establishing and carrying out the contractual relationship and fulfilling the associated contractual obligations or personal data we are legally obliged to collect. Without these data, we will generally not be able to conclude and perform the contract with you.



This privacy notice was created with the support of DataGuard.