DATA PRIVACY

Controller

GFA Consulting Group GmbH
Eulenkrugstraße 82
22359 Hamburg | Germany
Phone: +49 40 603 06 100
Fax: +49 40 603 06 199
E-mail: info[at]gfa-group.de
www.gfa-group.de

Contact details of the Data protection officer
E-mail: datenschutz@gfa-holding.de

Competent supervisory authority
Hamburg Commissioner for Data Protection and Freedom of Information
https://datenschutz-hamburg.de/

DATA PRIVACY

GFA Consulting Group GmbH, which operates this website, takes the protection of your person-al data very seriously. We treat your personal data confidentially in accordance with statutory data protection regulations and this Data Privacy Statement.

In principle, you can use our website without actively providing any personal data; however, for technical reasons, access data (e.g. server log files) is processed. Where personal data (such as your name, address or email address) is collected on our website, this is done on a voluntary basis wherever possible. This data will only be passed on to third parties where necessary.

Please note that data transmission via the internet (e.g., in the case of communication by e-mail) may be subject to security gaps. It is not possible to protect such data completely against access by third parties.

Purpose of data collection, processing or use

GFA Consulting Group GmbH is a consultancy firm with an international project portfolio within the GFA GROUP. Personal data may be collected, processed, used and, where necessary, transferred within the group for the purposes of acquiring, carrying out and invoicing contracts.

There is a separate expert database for acquisition and staffing purposes, in which only the contact details and CVs of experts are processed. To support the allocation of tenders and projects and to facilitate contact with suitable experts, expert data may be transferred internally within the Group to other group companies. Each group company processes the data under its own responsibility for its respective purposes (e.g. tender processing, project staffing, establishing contact).

Where we have already worked with you or where concrete project-related cooperation has been initiated, our legal basis for storing your data is Article 6(1)(f) of the GDPR (legitimate interest in identifying and contacting suitable experts for future similar projects and offers). Where registration takes place without prior collaboration, we process your data on the basis of your consent (Article 6(1)(a) of the GDPR); consent may be withdrawn at any time with effect for the future.

You may object to the processing of your data at any time pursuant to Article 21 of the GDPR, where such processing is based on Article 6(1)(f) of the GDPR. You may withdraw your consent pursuant to Article 6(1)(a) of the GDPR at any time with effect for the future. Please contact us at datenschutz[at]gfa-holding.de. We check at least every two years whether the data is still up to date and ask you to confirm this.

The Human Resources department collects, processes, uses and, where necessary, transfers personal data for internal purposes (human resources management, company pension schemes, applicant management, payroll, travel management) and to comply with social security and other legal obligations.

Description of affected groups and their related data / data categories

In the course of normal business operations, addresses, contractual and payment details, as well as data relating to electronic communications, are collected, processed and used for customers, employers, consultants, freelance experts and employees of partner companies.

The Human Resources department collects, processes and uses additional information regarding qualifications, start and end dates of employment, wage and salary information, pension and social security information, address details, security information, bank details, disciplinary notices, certificates and application documents.

Our legal basis for processing personal data in the context of ongoing contracts is Article 6(1)(b) and (c) GDPR, as such processing is necessary for the performance of the contract and for compliance with legal obligations.

Recipients / categories of recipients, to whom the data may be disclosed

Responsible internal administrators (bookkeeping, accounting, contracts department, project management, telecommunications and IT).

External clients (GIZ, KfW, Ministries, EU, World Bank and other development banks, etc.).

For staff management: any internal department involved in carrying out respective business processes (project management and administrative departments).

Public authorities on the basis of statutory regulations (social insurance carriers, tax authorities, health insurance companies); bank institutions (for salary transactions); creditors (in the case of wage / salary garnishment); travel agencies.

Standard periods for the deletion of data

Personal data is deleted on a regular basis when it is no longer required for the performance of a contract, provided that the data subject has not separately consented to further storage and that statutory retention obligations or retention periods do not require longer storage.

Planned transmission of data to third countries

As a general rule, personal data is not transferred electronically to third countries. Exceptions may apply where there is a specific legal basis for such a transfer.

Your rights

You may at any time request access to your personal data (Article 15 GDPR) and request the rectification or erasure of your personal data (Articles 16 and 17 GDPR). You may also request restriction of processing of your personal data (Articles 18 and 19 GDPR), request data portability (Article 20 GDPR), or object to the processing of your personal data (Article 21 GDPR).

If you wish to exercise any of these rights, please send an e-mail to: datenschutz[at]gfa-holding.de. We will take the necessary measures as quickly as possible.

You also have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority is, in particular, the Data Protection Authority of the Free and Hanseatic City of Hamburg.

Data privacy regarding the use of web analytics service Matomo

We use Matomo to analyse website usage statistics and to improve our website. Matomo is only used if you have given your prior consent.

The legal basis for storing/reading information on your device is Section 25(1) of the TTDSG; the legal basis for the subsequent processing of personal data is Article 6(1)(a) of the GDPR.

You can withdraw your consent at any time via “Cookie Settings” with effect for the future.

In doing so, your IP address will be truncated/anonymised (IP masking), provided this is technically enabled.

Data privacy regarding the use of Google Fonts

This website uses Google Fonts provided by Google to ensure the consistent display of fonts. When you access a page, your browser loads the required fonts into its browser cache in order to display text and fonts correctly.

For this purpose, the browser you use must connect to Google’s servers. As a result, Google becomes aware that this website has been accessed via your IP address. The use of Google Fonts is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in the consistent presentation of the typeface on this website. Where corresponding consent has been requested, processing is carried out exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information on the user’s terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent may be withdrawn at any time with effect for the future.

If your browser does not support Google Fonts, a standard font installed on your computer will be used.

Further information on Google Fonts is available at: https://developers.google.com/fonts/faq

Further information on how Google processes personal data is available in Google’s privacy policy: https://policies.google.com/privacy?hl=en

Data privacy regarding the use of Google Maps

This site uses the map service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform display of fonts. When calling up Google Maps, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission.Details can be found here:

https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

Data privacy regarding the use of Facebook plugins (Like button)

Our website contains plugins for the social network Facebook, the provider of which is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. Facebook plugins on our website can be recognized by the Facebook logo or "Like” button. For an overview of the Facebook plugins, see: http://developers.facebook.com/docs/plugins/

When you visit our website, the plugin establishes a direct connection between your browser and the Facebook server. Facebook thereby receives the information that you have visited our website using your IP address. If you click the Facebook "Like” button while you are logged in to your Facebook account, you automatically link the contents of our website to your Facebook profile. This allows Facebook to assign your visit to our website to your user account. Please note that GFA, as the provider of this site, has no knowledge of the content of the data thus transmitted to or used by Facebook. Additional information can be found in the Facebook data privacy statement: https://www.facebook.com/privacy/policy/

Data privacy regarding the use of Instagram

Our website uses functions of Instagram. The Instagram Service is one of the Meta Platforms Ireland Limited provided Meta-products: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Meta Platforms Ireland Limited is a company registered under the laws of the Republic of Ireland. Commercial registration number: 462932, e-mail: impressum@support.instagram.com

We would like to point out that you use this Instagram page and its functions on your own responsibility. This applies in particular to the use of the interactive functions (for example, commenting or rating).

When you visit our Instagram page, Instagram collects, among other things, your IP address and other information that is present on your PC in the form of cookies. This information is used to provide us, as operators of the Instagram pages, with statistical information about the use of the Instagram page.

The data collected about you in this context is processed by Instagram Inc. and may be transferred to countries outside the European Union in the process. What information Instagram receives and how it is used is described in general terms by Instagram in its privacy policy:

https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

Data privacy regarding the use of LinkedIn

Our website uses functions from the LinkedIn network. The provider of that service is the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time a page of this website containing a LinkedIn function is called up, a connection is established with the LinkedIn servers. LinkedIn is informed that you have visited our website using your IP address. If you click the Recommend button from LinkedIn and are logged in to your LinkedIn account, LinkedIn is able to assign your visit to our website to your user account. Please note that GFA, as the provider of this site, has no knowledge of the content of the data thus transmitted to or used by LinkedIn. Additional information can be found in the LinkedIn data privacy statement:

https://www.linkedin.com/legal/privacy-policy

Data privacy regarding the use of Xing

Our website uses functions of Xing network. The provider of that service is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Each time a page of this website containing a Xing function is called up, a connection is established with the Xing servers. To our knowledge, no personal data is stored when doing so. In particular, no IP address is stored and usage behaviour is not evaluated.

Additional information concerning data privacy and the Xing share button can be found in the Xing data privacy statement:

https://privacy.xing.com/en/privacy-policy

Server log files

The provider of this website automatically collects and stores information in so-called server log files which your browser automatically transmits to us. This information includes:

• Browser type/ browser version
• Operating system being used
• Referrer URL
• Host name of accessing computer
• Time of server request

The data thus collected cannot be connected to a specific person. The data is not merged or compared with data from other sources. We reserve the right to subsequently examine this data if concrete evidence of unlawful use is made known to us.

Cookies

This website uses cookies in some cases. Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called ‘session cookies’. These session cookies are automatically deleted at the end of your visit. Other cookies are stored on your computer (device) until you delete them. These cookies enable us to recognise your browser the next time you visit our website.

You can configure your browser so that you are informed about the use of cookies, so that you can accept them on a case-by-case basis, so that you can prohibit the use of cookies in certain cases, or so that you can block cookies generally or have them deleted automatically when you close your browser.

Disabling cookies may restrict the functionality of this website.

Contact form

When you send us an enquiry via the contact form, we will store the details you provide in the enquiry form, including your contact details, so that we can process your enquiry and in case of any follow-up enquiries. We will only pass on your data where this is necessary for processing the enquiry (e.g. to IT service providers) or where there is a legal basis for doing so.

Objection to unsolicited advertising

The use of the contact information included in the Legal Notice to send unsolicited advertising and informational materials is herewith prohibited. The operators of this website expressly reserve the right to take legal steps in the event that unsolicited advertising materials are sent, specifically through spam e-mail.

Newsletter data

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data is not collected or only on a voluntary basis. For the handling of the newsletter, we use newsletter service providers, which are described below.

CleverReach

GFA currently uses the service provider CleverReach GmbH & Co. KG, Rastede (CleverReach). CleverReach processes your data on behalf of GFA on secure servers within the EU. GFA and CleverReach have signed a data processing agreement in accordance with the provisions of the General Data Protection Regulation. In this agreement, CleverReach agrees to provide full data protection in accordance with the European General Data Protection Regulation.

For more details, please refer to the data protection provisions of CleverReach at:

https://www.cleverreach.com/de/datenschutz

Your personal data (first name, last name, gender and email address) are encrypted by CleverReach using SSL. The provision of your name and gender is voluntary and only used for the purpose of personal address. These data as well as your IP address are only stored and used for registration and for sending the GFA newsletter. They will not be passed on to third parties. Your e-mail address is encrypted by CleverReach SSL.

The legal basis for the data processing is your consent with the registration to receive our newsletter. Recipients can unsubscribe from the newsletter or revoke their consent to the storage of data at any time. The revocation can be made via a link in the newsletter itself or by sending a message to the contact person listed in the imprint.

The report data will be stored by CleverReach for a maximum of six months. Your personal data will be stored until you unsubscribe from GFA's newsletter. After cancellation, your data will be stored for a period of two weeks.