Data privacy

General information

Experience One AG takes the protection of its staff, customers, partners and their data very seriously.

It is possible to make basic use of our website without providing any personal data. However, making use of particular services may require personal data to be collected and processed. Whenever the collection and processing of personal data is necessary with no legal basis for requiring such data, then we will generally request the consent of the data subject.

Personal data (e.g. names, addresses, email addresses, IP addresses etc.) will always be handled in accordance with the General Data Protection Regulation (GDPR) and other data protection legislation, including the German Data Protection Act (BDSG) and the Telemedia Act (TMG).

This privacy policy is intended to inform you about the type, scope and purpose of our collection, use and processing of personal data. Furthermore, data subjects are informed by means of this data protection declaration about the rights to which they are entitled.

As a data processor, Experience One AG has implemented a range of measures in order to ensure your data remains secure. Despite this, security holes cannot be entirely ruled out when transferring data over the Internet, meaning that absolute protection cannot be guaranteed. You therefore also have the option to provide us with your personal data via alternative means, such as by telephone.

Definitions

Experience One AG’s privacy policy is based upon the terms as used in the legal regulations, e.g. those of the GDPR. To make our privacy policy as easy to read and understand as possible, the most important terms are described in the following.

Personal data

Personal data is all information related to an identified or identifiable natural person (referred to in the following text as the “data subject”). A natural person is considered identifiable if they can be identified, either directly or indirectly, by association with identifying values such as a name, identification number, location information, online identifiers (e.g. IP address) or one or more special characteristics.

Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the data processor – e.g. by means of collection, storage, or use.

Processing

Processing is any activity applied to personal data, with or without the help of automated methods (e.g. electronic processing) or any such string of activities performed on personal data, e.g. collection, organisation, storage, modification, export or publication by transfer.

Restriction on processing

Saved personal data can be marked as restricted. This is intended to prevent or hinder any further processing.

Profiling

Profiling is any form of automated processing of personal data with the intention of using this personal data to assess particular personal aspects of a natural person. This particularly relates to analysing or predicting aspects such as employment, financial situation, personal preferences or interests.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that it is not possible to identify a specific data subject unless other additional information is also considered.

Data controller

The data controller or processor is a natural person, legal entity, authority, institution or other office that, alone or together with others, determines the purposes of the data processing and the means (i.e. tools) with which the personal data will be processed.

Commissioned data processor

The commissioned data processor is a natural person or legal entity, authority or other office that carries out the processing of personal data on behalf of the data controller.

Recipient

The recipient is a natural person or legal entity, authority or other office to which personal data is provided without being commissioned as a data processor on behalf of the data controller. Public authorities that receive personal data within the scope of their duties are not considered recipients.

Third party

A third party is a natural person or legal entity, authority or other office other than the data subject, data controller, commissioned data processor or other persons who are authorised under the direct responsibility of the data controller or commissioned data processor to process personal data, e.g. employees.

Consent

Consent is any expression of will (e.g. declaration or other unambiguous action of affirmation) given voluntarily by the data subject for specified purposes and in response to unambiguous notification and information about his or her rights by which the data subject indicates that he or she consents to have the personal data related to him or her processed.

Name and address of the data controller

The data controller according to the applicable data protection regulations is:

Experience One AG
Seidenstr. 19
70174 Stuttgart
Germany

Phone: +49 711 25 35 99 60
Email: hello@experienceone.com
Website: www.experienceone.com

Contact information for the data protection officer

The data controller has appointed a data protection officer in accordance with current legislation. The data protection officer can be reached at:

Tel.: +49 160 94 81 00 58
Email: datenschutz@experienceone.com

Data subjects may make direct contact with the data protection officer at any time with any questions and comments they may have regarding data protection and privacy issues.

Whenever we receive your consent for a particular processing purpose, this consent falls under Article 6 Paragraph 1 Item a of the GDPR. If personal data must be processed in order to fulfil a contract to which you are party (e.g. delivery of goods), then such processing will fall under Article 6 Paragraph 1 Item b of the GDPR.

Whenever Experience One AG has a legal obligation to process data, such as to meet tax related obligations, then such processing will fall under Article 6 Paragraph 1 Item c of the GDPR.

In rare cases, personal data may need to be processed in order to protect the life of the data subject or another natural person, e.g. if a visitor to our business were to get injured and their personal data needed to be passed on to a doctor, hospital or other third party. In these cases, processing falls under Article 6 Paragraph 1 Item d of the GDPR.

Most data processing activities fall under Article 6 Paragraph 1 Item f of the GDPR. This states that the documented legitimate interests of Experience One AG (e.g. notification of our services) are a sufficient basis for data processing, provided that the interests, fundamental rights and basic freedoms of data subjects are not infringed upon. Legitimate interests particularly include our ability to carry out business activities to ensure the wellbeing of our staff and partners.

Processing purpose

The personal data collected via our website serves a range of purposes, some of which make use of external service providers (see below). The primary purposes (unless otherwise stated below) are:

Web analysis / tracking:

  • To provide evidence of possible attacks against the website and to provide information for prosecution

Application form

  • To allow potential new members or partners of to register for the events using Microsoft Forms.

Cookies

Our website does not use cookies.

Data recipients

Experience One AG makes use of certain services from external providers who may be based outside of the EU. Such providers include:

  • Microsoft Inc. (for Microsoft Forms)

For more detailed information about these recipients, please see the data privacy statement inside the service.

Personal data will not be forwarded to third parties without your consent unless Experience One AG is legally obligated to do so.

Rights of data subjects

Where your personal data is processed by Experience One AG, you have the following rights as a data subject. If you would like to exercise one of these rights, you may contact our data protection officer or a member of our staff at any time.

Right to access

All data subjects are entitled to request information from the data controller at any time about whether or not their personal data is being processed, free of charge. Furthermore, a data subject may request to see the personal information held on them and receive a copy of this. This copy of the personal data contains information on:

  • the processing purpose
  • the categories of personal data
  • the recipients or categories of recipients, particularly where recipients are based abroad
  • the intended retention period, or where this cannot be given, the criteria used to determine the retention period
  • an explanation of the rights of the data subject, particularly with regard to the right to rectify, delete or restrict their data and the right to withdraw consent
  • the existence of a right to legal appeal by a regulating authority
  • the source of the data (if data was not received from the data subject)
  • the existence of an automated decision-making process including profiling and detailed information about the logic and weightings involved, if applicable
  • information about the appropriate measures taken to ensure data is protected (when transferring data abroad)

Right to rectification

If the data held about you contains errors, you are entitled to have any incorrect personal data immediately rectified. This also applies to having missing data added, with supplementary consent given where necessary.

Right to deletion (right to be forgotten) and right to restrict processing

All data subjects are entitled to request the immediate deletion of their personal data by the data controller, provided that such a request is based upon one of the following reasons and insofar as processing is not required:

  • The processing purpose no longer applies, and the data is no longer required
  • Consent has been withdrawn and there is no other legal basis for processing
  • An objection to processing has been submitted and there are no overriding reasons why the objection should not be accepted
  • Data has been processed unlawfully

The data protection officer will review the request with regard to its legitimacy and the existence of any overriding obligations (e.g. minimum retention periods for tax reasons) and inform any data recipients of the request for deletion. If it is not possible to delete the data, you will be informed of the reasons why.

Whenever the purpose for processing no longer applies, but legal retention periods have not expired, or the data is required in order to make or defend against legal claims, then it is possible for your data to be restricted.

Right to data portability

You are entitled to receive a copy of the personal data you have provided us with in a structured, common and machine-readable format. This data can then be made available to another provider or service, or you may ask us to send this data directly to them. This right applies insofar as you have given us consent to process your data. This includes automatically collected data which does not infringe upon the rights and freedoms of other persons and where this is technically possible.

Right to object

Data subjects are entitled to object to their personal data being processed for reasons resulting from their particular circumstances at any time. This also applies to profiling performed according to these conditions. The data will then no longer be processed unless we can demonstrate compelling reasons to do so that outweigh your interests. The right to object applies in particular to the use of personal data for advertising purposes.

Automated decision making for individual cases including profiling

You are entitled not to be subjected to an exclusively automated decision-making process, including profiling, that has legal consequences for you or otherwise impacts you in a negative and significant way. This applies insofar as this automated decision-making process is not necessary for the conclusion of a contract between you and Experience One AG and you have not given your explicit consent to automated decision-making.

European lawmakers guarantee data subjects the right to withdraw consent to the processing of their personal data at any time.

Data subjects who would like to exercise this right can contact our data protection officer or one of the data controller’s staff at any time.

Right to lodge a complaint with a supervisory authority

Data subjects whose data is processed by Experience One AG are entitled to lodge a complaint against the data controller. This applies in particular if you believe that Experience One AG has processed your data in breach of data protection regulations or you have not received a prompt response to an enquiry, or the response contained incorrect information. An overview of supervisory authorities for non-public sectors (e.g. businesses) can be found at

https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

Experience One AG is overseen by the supervisory authority of Baden-Württemberg (where the data controller is based). However, you may contact any supervisory authority (e.g. that for the place where you are resident).

Routine deletion and blocking of personal data

Personal data held about a data subject is stored only for the period necessary for the processing purpose, or for a legally required retention period. When the processing purpose no longer applies and/or legal retention periods have expired, personal data is routinely blocked or deleted in accordance with legal requirements.

  • With regard to the tracking of visitors to the Experience One AG website, the period is generally a maximum of six months.
  • For applications a period of six months also applies.
  • All other deadlines are based on tax and commercial law requirements.

Our data protection officer can provide you with information about the specific ways in which your data is processed.

It may be legally required for certain data to be processed (e.g. tax regulations) or for processing to be done due to the terms of a contract (e.g. providing information to the contractual partner). The same applies when concluding a contract (e.g. employment contract). Failure to provide data here would result in us being unable to conclude the contract with you. Our data protection officer will be happy to advise you as a data subject on a case by case basis.

Existence of an automated decision-making process

As a responsible company we do not make use of automated decision-making processes or profiling.

Contact options via the Internet site

Our website provides information on how you can get in touch with us via email and telephone as well as online application forms. This fulfils the legal regulations relating to the provision of a fast, electronic method of contact as all data is sent to a central email address and therefore enters a self-hosted ticket system.

When you choose to contact us via e-mail or via the application forms, the personal data you send to us will be stored. Data collected in this way is used for the purposes of handling your enquiry or getting back in touch with you. This data will not be sent to any third parties.

Should any further contact take place after the initial contact, e.g. making an appointment to meet, this data will be forwarded to the appropriate member of staff and processed. Further information can be found in the corresponding paragraph of this statement.