Data Protection Declaration

We take the protection of your personal data very seriously. We treat your personal data strictly confidentially and in compliance with the provisions in the relevant data protection legislation, particularly the European General Data Protection Regulation (GDPR) and this data protection declaration.

Controller
The controller responsible for processing your personal data is
scan.up AG,
Zirkusweg 2,
20359 Hamburg
Tel. +49 (0)40 80 80 388 – 60
Fax +49 (0)40 80 80 388 – 95,
e-mail: info@scan-up.de.

You can reach our data protection officer at the above postal address, with the addition of “To the data protection officer”, or at the e-mail address dpo@wiehl.legal.

Data processing for the purpose of rendering contractual services
You can send inquiries relating to orders for contractual services, particularly the use of our potential analysis software, via our website using the contact details provided there. Should you transmit personal data to us in this or any other way for this purpose, we will process your data for the purpose of responding to your queries, executing your order/contract and invoicing you. For this, we require your name, the name of your company (if different), your address information and your e-mail address. We cannot fulfill our contract with you if this information is not provided. If you also give us the name or telephone number of a contact, we will use this information to clarify queries relating to your contract. Other data that you transmit to us in this or any other way will also be used in connection with your order; however, this data is not required for the conclusion of a contract.
Any of the following personal data provided by suppliers/service providers in this or any other way will be processed to order and request services and pay for the services rendered: your name, the name of your company (if different), your address information, your e-mail address and your bank account details. Depending on the service/contract, we may require additional data; this will be clarified in each individual case. If you place additional data at our disposal, this too will be used for the purposes mentioned above but is not essential for the conclusion of a contract.
The legal basis for the processing of this data is Art. 6(1) subpara. 1(b) GDPR, which permits the processing of data for the performance of a contract or to take steps prior to entering into a contract.

Data processing for contract-related correspondence
Along with the contract data, we process the communication data you provide (names of contacts, address, telephone number, fax number, e-mail address) so that we can contact and communicate with you. Personal data which you make available to us in writing, by e-mail or by phone will only be used for the purpose of corresponding with you, i.e. only for the purpose for which you provided it.
The legal basis for the processing of this data is Art. 6(1) subpara. 1(b) GDPR, which permits the processing of data for the performance of a contract or to take steps prior to entering into a contract.

Data processing for analyses of potential
On our website, we offer you the opportunity to participate in analyses of potential. The object and scope of these analyses are described in detail on our website. In order to take part, you are required to enter the PIN provided. The log-in procedure is not logged.
We process the personal data and information you provide for the scanning procedure for the purpose of obtaining a diagnosis, generating the analysis of potential and, if applicable, generating a supplementary explanation or appraisal in the context of our contractual relationship with our client. Your data and the results of each potential analysis performed are forwarded to our clients, if applicable with the explanations or appraisal mentioned above. If our client is an external company contracted by your employer, the data and results may also be forwarded to your employer unless you are explicitly informed beforehand that this will not occur.
For this purpose, your personal data and the information you provide for the scanning procedure will be stored by us for a period of up to two years. If you consent to longer storage, the data will be stored until the purpose no longer exists or you revoke your consent.
The data processing, transmission and storage described above is based on your consent as per Art. 6(1) subpara. 1(a) GDPR. You can withdraw your consent at any time with future effect. It is sufficient if you notify us of your withdrawal in text form (e.g. e-mail, fax, letter).

Data processing for improving our analytical procedure
The data and results obtained during the potential analysis will be statistically evaluated in a fully anonymized form for the purpose of updating and improving our analytical procedure and the norms on which it is based.
The legal basis for processing the data is Art. 6(1) subpara. 1 (f) GDPR, which permits the processing of data to preserve the legitimate interests pursued by the controller provided they are not overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interest is the updating and improvement of our service.

Log files
Whenever our website is accessed, data relating to usage is transmitted by the respective web browser and stored in server log files. These files contain the following data: date and time of access, name of the web page accessed, IP address, referrer URL (URL from which you reached our web pages), the volume of data transmitted, product and version information relating to the browser used, and your PC’s operating system. User IP addresses are erased or anonymized after the users leave the website. The data is not used in any other way except for statistical purposes, in which case it is anonymized as a matter of principle. Personal “surf profiles” or similar are neither generated nor processed.
The legal basis for processing this data is Art. 6(1) subpara. 1 (f) GDPR, which permits the processing of data to preserve the legitimate interests pursued by the controller provided they are not overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interests lie in guaranteeing data security on our website and optimizing our online services.

Cookies
We use so-called cookies. Cookies are small text files that are stored on the user’s computer and contain data relating to the respective user that facilitates his/her access to various functions. Our website uses session cookies. Session cookies are stored temporarily on your computer while you are navigating the website. Session cookies are deleted as soon as you close your web browser or when your session expires after a specific time. Storing cookies guarantees that you will not have to re-enter your personal settings and preferences every time you visit our website. This saves time and makes use of our website more convenient. The cookie solely serves the purpose of improving usability.
Most browsers accept cookies automatically; if you wish to prevent the use of cookies, you may therefore have to actively delete or block them or prevent them from being stored by changing the settings of your browser software. However, please note that if you refuse cookies, you will be able to continue visiting our website but may find that some of its functions are impaired.
The legal basis for processing this data is Art. 6(1) subpara. 1 (f) GDPR, which permits the processing of data to preserve the legitimate interests pursued by the controller provided they are not overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interest lies in improving the design and usability of our website.

Data processing for compliance with legal obligations
We also process your data for the purpose of complying with legal obligations (e.g. specifications in supervisory law, retention and documentation requirements under commercial and fiscal law).
The legal basis for the processing of this data is Art. 6(1) subpara. 1 (c) GDPR, which permits the processing of data for the purpose of complying with legal obligations.

Categories of recipients of personal data
Your personal data is transferred to competent staff within our company for the purpose of executing and fulfilling contracts and communicating with you with regard to these contracts.
Data may also be forwarded to partner companies who have been contracted to assist with the execution of the contract insofar as this is necessary for the purpose of fulfilling the contract, dispatching and delivering products, or rendering our services. Our partners are bound to observe and comply with data protection regulations. They are not permitted to use the data for any purpose other than fulfilling the contract.
The legal basis for this is Art. 6(1) subpara. 1 (b) GDPR, which permits the processing of data for the performance of a contract or to take steps prior to entering into a contract.
The personal data and information provided for the scanning procedure are sent to our client and – if our client is an external company contracted by your employer – to your employer unless you were explicitly informed beforehand that this will not occur. This takes place on the basis of your consent as per Art. 6(1) subpara. 1 (a) GDPR. You can withdraw your consent at any time with future effect.
Your personal data will otherwise only be forwarded or transmitted to third parties outside our company if this is necessary for the purpose of fulfilling the contract and/or invoicing the services rendered, if you consented to this beforehand, or if there is a legal basis or obligation requiring the transfer of your data.
If we make use of external services for processing purposes, the provisions in the General Data Protection Regulation will be complied with. The service providers who assist us in rendering our service to you are IT service providers, diagnostic service providers, e-mail providers and hosting providers.

Duration of data storage
In principle, we delete your data as soon as we no longer require it for the purposes specified above, e.g. if you withdraw your consent or the period for which your consent was valid has expired, unless you have consented to longer storage or temporary storage is still necessary. However, there are cases in which we may be required to store your data temporarily for longer periods. We may, for example, store data to fulfill retention and documentation requirements specified in commercial and fiscal law. In these cases, the obligatory retention periods may be up to ten full years. We also store data for the period during which claims can be asserted against our company (usually for the statutory limitation period of three years to the end of the respective year).

Data security
We ensure that your personal data is encrypted for secure transmission. For this, we use the SSL (Secure Sockets Layer) encryption protocol. We also implement technical and organizational measures to back up our website and other systems and protect your data from being lost, destroyed, accessed, modified or disseminated by unauthorized persons. Our security measures are continually updated in line with technical advances. However, we expressly state that data transmission through the Internet is susceptible to security loopholes and cannot be continually protected against third-party access; this applies in particular to communication by e-mail.

Links to external websites
Our website contains links to external websites. The respective website provider is responsible for processing data on these websites. Data processing on these websites begins as soon as you click on the respective link or follow the URL stored there.
Our website contains links to a map hosted by Google Maps that shows our company locations. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The purpose and scope of the collection of personal data by Google Maps, the further processing and use of the data by Google Maps and the relevant rights are described in Google’s privacy policy: https://policies.google.com/privacy?hl=en&gl=de.

Rights of data subjects
According to the applicable legislation, you have the right to receive information free of charge at any time pertaining to your stored personal data, its origin and recipients, the purpose for which it is processed and, if applicable, the right to have this data modified, blocked or erased.
You are also entitled to have the processing of your data restricted and to receive the personal data you provided in a structured, commonly used and machine-readable format.
If you have given us your consent to the processing of your personal data for specific purposes, you may withdraw your consent at any time with future effect.
If we are processing your data to preserve our legitimate interests, you may object to this processing on grounds relating to your specific situation.
You also have the right to contact a data protection supervisory authority to lodge a complaint.
