Data privacy statement
We thank you for visiting our website and for your interest in our company and our products.
As the operator of this website, we take the protection of your personal data very seriously. We handle your personal data confidentially and in accordance with the statutory data protection regulations and this data privacy statement.
When you visit this website, various personal data is collected. Personal data is data that can be used to identify you personally. This data privacy statement explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
We would like to point out that data transmission over the internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.
1 Who we are and how you can contact us
3 Information on the transfer of personal data to third countries
4 Which of your data is processed when you visit our website
1 Who we are and how you can contact us
Provider and responsible office as defined in the Data Protection Act
VITLAB GmbH
Linus-Pauling-Str. 1
63762 Großostheim
Telefon: +49 6026 977 990
www.vitlab.com
Please send general inquiries about data protection, such as the enforcement of data subject rights, to the following email address, which will redirect your inquiry to the data protection officer and our data protection team:
Confidential data protection inquiries can be sent to our data protection officer by telephone, regular mail, or email:
Ronald Baranowski
SIX DATENSCHUTZ GmbH
Kasseler Str. 30
61118 Bad Vilbel, Germany
Phone: +49 6101 982 9422
rb@six-datenschutz.de (for confidential inquiries)
2 General information
2.1 Area of applicability:
This data privacy statement applies to the following offers:
- our website, available in particular at www.vitlab.com
- whenever reference is made to this data privacy statement from one of our offers (e.g. websites, subdomains, mobile applications, web services, or integrations into third-party sites), regardless of how you access or use it.
All of these offers are also referred to collectively as “services”.
2.2 Integration of third-party services and content
Our website sometimes includes content and services from other providers. In order for this data to be accessed and displayed in the user’s browser, the transmission of the IP address is mandatory. The providers (hereinafter referred to as “third-party providers”) therefore perceive the IP address of the respective user.
Even if we endeavor to only use third-party providers who only need the IP address to be able to deliver content, we have no influence on whether the IP address may be stored for statistical purposes, among other things. Insofar as we are aware that the IP address is being stored, we will inform our users of this.
2.3 Transfer of data to third parties
Your data will not be transferred to unauthorized third parties. Insofar as external service providers receive your personal data, we have ensured that they implement appropriate technical and organizational measures and that they comply with the applicable data protection regulations and laws.
2.4 Data economy
We store personal data in accordance with the principles of data avoidance and data minimization and only for as long as is necessary or prescribed by law (statutory retention period). If the purpose of the data collected no longer applies or the storage period ends, we block or delete the data.
3 Information on the transfer of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, the transfer takes place exclusively in compliance with the legally regulated admissibility requirements.
If the transfer of data to a third country does not serve to fulfill our contract with you, we do not have your consent, the transfer is not necessary for the assertion, exercise or defense of legal claims and no other exception under Art. 49 of the General Data Protection Regulation (GDPR) applies, we will only transfer your data to a third country if an adequacy decision pursuant to Art. 45 GDPR or suitable guarantees pursuant to Art. 46 GDPR exist.
An adequate level of data protection in the USA was last stated by the adequacy decision “Data Privacy Framework (DPF)” adopted in July 2023. US companies must be certified in order to be listed in it. You can find the adequacy decision here: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
Alternatively or additionally, the EU standard data protection clauses issued by the European Commission create suitable guarantees with the recipient body in accordance with Art. 46 para. 2(c) GDPR and an adequate level of data protection. Copies of the EU standard data protection clauses are available on the European Commission’s website, available here.
We have agreed EU standard data protection clauses with providers in third countries and in some cases data processing on servers in Germany and the EU. Timely deletion of data reduces the risk of unauthorized access.
4 Which of your data is processed when you visit our website
In the following, we inform you for what purpose, in what way, and to what extent your personal data may be processed when you visit our website.
4.1 Collection of personal data when you visit our website
If you use the website purely for information purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis for this is Art. 6 para. 1 sentence 1(f) GDPR, legitimate interest):
the IP address, host name, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates (referrer), the specific pages of our website that you have accessed, browser: type, version, and set language, operating system: type and version
If JavaScript is activated, also the screen resolution, color depth, size of the browser window, installed browser plugins
4.2 Cookies
This website uses “cookies”. These are text files that are stored on your computer by the server. They may contain information about the browser, IP address, operating system, and internet connection. We do not pass this data on to third parties or link it to personal data without your consent.
Cookies fulfill two main tasks. They help us to make it easier for you to navigate through our website and enable the website to be displayed correctly. They are not used to introduce viruses or launch programs.
Users have the option of accessing our website without cookies. To do this, the corresponding settings must be changed in the browser. Please use the help function of your browser to find out how to deactivate cookies. However, we would like to point out that this may impair some of the functions of this website and limit the ease of use.
The websites www.aboutads.info/choices/ (USA) and www.youronlinechoices.com/uk/your-ad-choices/ (Europe) allow you to manage interest-based advertising.
4.2.1 Use of essential cookies
Essential cookies do not require your consent and are processed by us in accordance with Art. 6 para. 1(f) GDPR. Our legitimate interest here is the smooth and optimal use and presentation of our website.
4.2.2 Consent to cookies / consent required for the use of services by third-party providers
On our website, we use the cookie consent tool “Cookiebot” from Usercentrics A/S, Danneskiold-Samsøes Allé 41, 1434 Copenhagen, Denmark. The purpose of this processing is to obtain your consent for the technically unnecessary cookies used on our website and to document them in accordance with applicable data protection regulations and laws.
When you visit our website, a cookie is stored in your browser in which the consents you have given or the revocation of these consents are documented.
The legal basis for this data processing is Art. 6 para. 1(c) GDPR – legal obligation, which consists in the fact that consent must be obtained for technically unnecessary cookies before they are used in accordance with the ECJ ruling of October 1, 2019, AZ C-673/17.
The data collected will be stored until you ask us to delete it or delete the cookie yourself or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected. Further details on data processing by the provider can be found here.
4.2.3 Social media
We maintain publicly accessible profiles in social networks, to which we provide links on our website.
As a rule, social networks comprehensively analyze your user behavior when you visit their websites. Visiting social media sites therefore triggers a number of data protection-related processing operations over which we have no influence.
If you are logged into your social media account and visit a social media platform, the operator of the social network can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social network. In this case, data is collected, for example, via cookies that are stored on your end device or by recording your IP address.
With the help of the data thus collected, the operators of the social networks can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you within and outside the respective social networks. Insofar as you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.
Please also note that we cannot track all of the social networks’ processing operations. Depending on the provider, further processing operations may therefore be carried out. For details, please refer to the terms of use and privacy policy of the respective social network (see below). Please note that when using the following services, personal data may be transferred outside the European Union. Further information can be found under item 3 of this data privacy statement.
The specific social network:
We have a profile on LinkedIn. The provider is LinkedIn Corporation (2029 Stierlin Court, Mountain View, CA 94043, USA LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland)
For details on how they handle your personal data, please refer to LinkedIn’s data privacy statement:
https://www.linkedin.com/legal/privacy-policy
4.3 Which of your data we process when you interact with us
4.3.1 Contact form
On our website, we offer you the option of contacting us via the online form or by email. In this case, the information you provide will be stored for the purpose of processing the contact. The disclosure of your data is completely voluntary.
The data you provide will be processed exclusively on the basis of your consent (Art. 6 para. 1(a) GDPR) or if you wish to conclude a contract with us or have any questions in this regard (Art. 6 para. 1(b) GDPR). You can revoke your consent at any time for the future. All you need to do is send us an informal email. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
The data will not be passed on to unauthorized third parties. The data collected in this way is also not compared with data that may be collected by other components of our website. As far as technically possible and reasonable, the services offered can also be used without providing this data or by providing anonymized data or a pseudonym.
Your data will remain with us until you request deletion, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.
4.3.2 Newsletter
If you register for our newsletter, we will use the data you enter exclusively for this purpose or to inform you of circumstances relevant to this service or registration. We do not pass this data on to unauthorized third parties.
A valid email address is required in order to receive the newsletter. We also store the IP address you use to register for the newsletter and the date on which you order the newsletter. This data serves as proof in the event of misuse if a third-party email address is registered for the newsletter. In addition, to ensure that an email address is not misused by third parties in our mailing list, we work with the “double opt-in” procedure in accordance with legal requirements. As part of this process, the newsletter order, the sending of the confirmation email, and the receipt of the registration confirmation are recorded. The legal basis for this is your consent in accordance with Art. 6 para. 1(a) GDPR.
You have the option to revoke your consent to the storage of your data, your email address, and its use for sending the newsletter at any time. We provide you with a link to revoke your consent in every newsletter and on the website. You also have the option of informing us of your wish to withdraw your consent via the contact options listed in this document.
We use CleverReach for sending out our newsletters. The provider is CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. With this service, we can organize and analyze our newsletter mailing process. The data submitted in connection with the newsletter, such as your email address, is stored on CleverReach’s servers. The servers are located in Germany and Ireland.
Mailing our newsletters with CleverReach allows us to analyze the behavior of newsletter recipients. We can analyze, among other things, how many recipients have opened the newsletter message and how frequently links were clicked on in the newsletter. With the aid of “conversion tracking,” we can see whether a previously defined action was performed after clicking a link in the newsletter. Further details about data analysis by CleverReach can be found at: https://www.cleverreach.com/de-de/push-magazin/newsletter-reporting-und-tracking/
Data is processed on the basis of your consent (Art. 6 para. 1(a) GDPR). You can revoke your consent at any time. If you do not want your behavior analyzed by CleverReach, you must unsubscribe from the newsletter.
Details about the privacy policy of CleverReach can be found at: https://www.cleverreach.com/en-de/privacy-policy/
4.3.3 Data protection for applications and in the application process
The controller collects and processes the personal data of applicants for the purpose of handling the application process and for the decision on the establishment of an employment relationship. This is carried out on the basis of Art. 88 para. 1 GDPR in conjunction with Section 26 of the Federal Data Protection Act (BDSG) and Art. 6 para. 1(b) GDPR – pre-contractual measures. Processing may also be carried out electronically. This is particularly the case if an applicant submits relevant application documents to the controller by electronic means, for example by email or via a web form on the website. Your data will only be forwarded to the relevant departments responsible for the application process.
If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions.
If the controller does not conclude an employment contract with the applicant, the application documents will be stored for the duration of the application process and for a further six months and then deleted, insofar as deletion does not conflict with any contractual, legal, or other legitimate interests of the controller. Other legitimate interest in this sense might include, for example, a burden of proof in defense in proceedings under the General Equal Treatment Act (AGG).
The office responsible for all data arising in connection with the application process is BRAND INTERNATIONAL GMBH (BRAND INTERNATIONAL). BRAND INTERNATIONAL carries out all tasks for BRAND GMBH + CO KG, VACUUBRAND GMBH + CO KG and VITLAB GmbH which concern the services of a personnel department (e.g. personnel recruitment, personnel development and personnel administration).
5 Your rights
Information, blocking, deletion, and correction
Within the limits of the applicable legal provisions, you have the right at any time to obtain free information about your stored personal data, its origin and recipients and the purpose of the data processing and, if applicable, a right to rectify, block or delete this data. You can contact us or our data protection officer at any time at the address given in the legal notice if you have further questions on the subject of personal data.
Revoking your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke any consent you have already given at any time with effect for the future. All you need to do is send us an informal message by email. The legality of data processing that has already been carried out remains unaffected.
Right to object to data collection and direct advertising (Art. 21 GDPR)
If data processing is based on Art. 6 para. 1(a) or (f) GDPR (consent or legitimate interest), you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this data privacy statement. If you file an objection, we will no longer process your personal data unless we can prove compelling reasons that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims (objection according to Art. 21 para. 1 GDPR).
If you are a customer of ours, your data may also be used for direct advertising if it concerns the same or similar topics in connection with the services commissioned by you. If your personal data is processed for the purpose of direct advertising, you have the right at any time to object to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is in connection with such direct advertising. If you object, your personal data will no longer be used for direct marketing purposes (objection according to Art. 21 para. 2 GDPR).
Right of complaint to the competent supervisory authority
In the event of infringements of the GDPR, those involved have the right to appeal to a supervisory authority, in particular in the member state of their habitual residence, their place of work or the place where the suspected infringement was committed. The right of appeal is without prejudice to other administrative or judicial remedies.
The supervisory authority responsible for us is:
Der Bayerische Landesbeauftragte für den Datenschutz
Postfach 22 12 19
80502 München
T: +49 89 212672 0
E: poststelle(at)datenschutz-bayern.de
Right to data portability
You have the right to have data, which we process automatically on the basis of your consent or in fulfillment of a contract, handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another responsible person, this will only take place if this is technically feasible.
Right to limitation of processing
You have the right to request limited processing of your personal data. You can contact us at any time at the address given in the legal notice. The right to limitation of processing exists in the following cases:
If you dispute the correctness of your personal data stored by us, we normally need time to review this. For the duration of the review process, you have the right to request limited processing of your personal data.
If your personal data was/is being processed unlawfully, you can request limited processing of your data instead of having the data deleted.
When we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request limited processing of your personal data instead of having the data deleted.
If you file an objection in accordance with Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request limited processing of your personal data.
When the processing of your personal data is limited, this data – apart from its storage – may only be processed with your consent, or in order to assert, exercise or defend legal claims, or to protect the rights of another natural person or legal entity, or for reasons of substantial public interest of the European Union or a member state.
6 Changes to our data privacy statement
We reserve the right to make changes at any time to ensure that our data privacy statements always comply with the current legal requirements. This also applies in the event that the data privacy statement has to be adapted due to new or revised services, for example new services. The new data privacy statements will then apply the next time you visit our website.
This data privacy statement is valid as of May 2024.