Data Protection Officer
Data Protection Declaration
1) Information on the Collection of Personal Data and Contact Details of the
1.1 We are pleased that you are visiting our website and thank you for your interest. On
the following pages, we inform you about the handling of your personal data when using
our website. Personal data is all data with which you can be personally identified.
1.2 The controller in charge of data processing on this website, within the meaning of
the General Data Protection Regulation (GDPR), is “KODIAK GmbH, Brandsende 12,
20095 Hamburg, Phone: +49 (0) 40 739 298 67, Email: firstname.lastname@example.org”. The controller
in charge of the processing of personal data is the natural or legal person who alone or
jointly with others determines the purposes and means of the processing of personal
1.3 This website uses SSL or TLS encryption for security reasons and to protect the
transmission of personal data and other confidential content (e.g. orders or inquiries to
the controller). You can recognize an encrypted connection by the character string
https:// and the lock symbol in your browser line.
2) Data Collection When You Visit Our Website
When using our website for information only, i.e. if you do not register or otherwise
provide us with information, we only collect data that your browser transmits to our
server (so-called “server log files”). When you visit our website, we collect the following
data that is technically necessary for us to display the website to you:
– Our visited website
– Date and time at the moment of access
– Amount of data sent in bytes
– Source/reference from which you came to the page
– Browser used
– Operating system used
– IP address used (if applicable: in anonymized form)
Data processing is carried out in accordance with Art. 6 (1) point f GDPR on the basis of
our legitimate interest in improving the stability and functionality of our website. The
data will not be passed on or used in any other way. However, we reserve the right to
check the server log files subsequently, if there are any concrete indications of illegal
In order to make your visit to our website attractive and to enable the use of certain
functions, we use so-called cookies on various pages. These are small text files that are
stored on your end device. Some of the cookies we use are deleted after the end of the
browser session, i.e. after closing your browser (so-called session cookies). Other
cookies remain on your terminal and enable us or our partner companies (third-party
cookies) to recognize your browser on your next visit (persistent cookies). If cookies are
set, they collect and process specific user information such as browser and location data
as well as IP address values according to individual requirements. Persistent cookies are
automatically deleted after a specified period, which may vary depending on the cookie.
You can check the duration of the respective cookie storage in the overview of the
cookie settings of your web browser.
If personal data is also processed by individual cookies set by us, the processing is
carried out in accordance with Art. 6 (1) point b GDPR either for the execution of the
contract or in accordance with Art. 6 (1) point f GDPR to safeguard our legitimate
interests in the best possible functionality of the website and a customer-friendly and
effective design of the page visit.
Please note that you can set your browser in such a way that you are informed about
the setting of cookies and you can decide individually about their acceptance or exclude
the acceptance of cookies for certain cases or generally. Each browser differs in the way
it manages the cookie settings. This is described in the help menu of each browser,
which explains how you can change your cookie settings. You will find these for the
respective browsers under the following links:
– Microsoft Edge:
– Chrome: https://support.google.com/chrome/answer/95647?hl=en&hlrm=en
– Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac
– Opera: https://help.opera.com/en/latest/web-preferences/#cookies
Please note that the functionality of our website may be limited if cookies are not
4) Contacting Us
When you contact us (e.g. via contact form or e-mail), personal data is collected. Which
data is collected in the case of a contact form can be seen from the respective contact
form. This data is stored and used exclusively for the purpose of responding to your
request or for establishing contact and for the associated technical administration. The
legal basis for processing data is our legitimate interest in responding to your request in
accordance with Art. 6 (1) point f GDPR. If your contact is aimed at concluding a
contract, the additional legal basis for the processing is Art. 6 (1) point b GDPR. Your
data will be deleted after final processing of your enquiry; this is the case if it can be
inferred from the circumstances that the facts in question have been finally clarified,
provided there are no legal storage obligations to the contrary.
5) Web Analysis Services
Google (Universal) Analytics
This website uses Google (Universal) Analytics, a web analytics service provided by
Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
(“Google”). Google (Universal) Analytics uses “cookies”, which are text files placed on
your computer, to help the website analyze how users use the site. The information
generated by the cookie about your use of this website (including the abbreviated IP
address) is usually transferred to a Google server and stored there and may also be
transferred to the servers of Google LLC. in the USA.
This website uses Google (Universal) Analytics exclusively with the extension
“_anonymizeIp()”, which ensures anonymization of the IP address by shortening it and
excludes the possibility of direct personal reference. Through the extension, your IP
address will be shortened by Google within member states of the European Union or in
other signatory states of the Agreement on the European Economic Area before. Only in
exceptional cases will the full IP address be transferred to a server of Google LLC. in the
USA and shortened there. On our behalf, Google will use this information to evaluate
your use of the website, to compile reports on the website activities and to provide us
with further services related to the use of the website and the Internet. The IP address
transmitted by your browser within the framework of Google (Universal) Analytics is not
combined with other Google data.
Via a special function called “Demographics”, Google Analytics also enables the
compilation of statistics with statements about the age, gender and interests of site
visitors based on an evaluation of interest-related advertising and with the use of
third-party information. This allows the definition and differentiation of user groups of
the website for the purpose of target-group-optimized marketing measures. However,
data sets collected via “Demographics” cannot be assigned to a specific person.
Details on the processing operations initiated and on Google’s handling of data collected
from websites can be found here:
All the processing described above, in particular the setting of Google Analytics cookies
for reading information on the terminal device used, is only carried out if you have given
us your express consent in accordance with Art. 6 Para. 1 letter a GDPR. Without this
consent, the use of Google Analytics during your visit to our website will not take place.
You can withdraw your consent at any time with effect for the future. To exercise your
right of withdrawal of consent, please deactivate this service in the
“Cookie-Consent-Tool” provided on the website. We have concluded a data processing
agreement with Google for the use of Google Analytics, which obliges Google to protect
the data of our site visitors and not to pass it on to third parties.
On this website, the “Google Signals” service can also be used as an extension of Google
Analytics. With Google Signals, cross-device reports can be created by Google (so-called
“cross-device tracking”). If you have activated “personalised ads” in your Google
account settings and you have linked your internet-enabled devices to your Google
account, Google can analyse user behaviour across devices and create database models
based on this, provided you have given your consent to the use of Google Analytics in
accordance with Art. 6 Para. 1 letter a GDPR (see above). The logins and device types of
all page visitors who were logged into a Google account and performed a conversion are
taken into account. The data shows, among other things, on which device you first
clicked on an ad and on which device the associated conversion took place. Insofar as
Google Signals is used, we do not receive any personal data from Google, but only
statistics compiled on the basis of Google Signals. You have the option of deactivating
the “personalised ads” function in the settings of your Google account and thus turning
off the cross-device analysis. To do this, follow the instructions on this page:
Further information can be found here:
As an extension of Google Analytics, the “UserIDs” function can also be used on this
website. By assigning individual UserIDs, we can have Google create cross-device
reports (so-called “cross-device tracking”). This means that your usage behaviour can
also be analysed across devices if you have given your corresponding consent to the use
of Google Analytics in accordance with Art. 6 Para. 1 letter a GDPR, if you have set up a
personal account by registering on this website and are logged into your personal
account on different end devices with your relevant login data. The data collected in this
way shows, among other things, on which end device you clicked on an ad for the first
time and on which end device the relevant conversion took place.
For the transmission of data from the EU to the USA, Google relies on so-called standard
data protection clauses of the European Commission, which are intended to ensure
compliance with the European data protection level in the USA.
Further information about Google (Universal) Analytics can be found here:
6) Site functionalities
Applications for job advertisements using a form
On our website, we offer those interested in a job the possibility to apply online using an
appropriate form. In order to be included in the application process, applicants must
provide us with all personal data required for a well-founded and informed assessment
The required data includes general personal information (name, address, telephone or
electronic contact details) as well as performance-specific evidence of the qualifications
required for a position. Where appropriate, health-related information may also be
required, which, in the interests of social protection, must be given special consideration
in the applicant’s own person under labour and social law.
In the course of sending the form, the applicant’s data will be encrypted according to the
state of the art, transmitted to us, stored by us and evaluated exclusively for the
purpose of processing the application.
The legal basis for these processing operations is generally Art. 6 Para. 1 lit. b, in the
sense of which passing through the application procedure is considered to be the
initiation of an employment contract.
Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR
(e.g. health data such as information on the status of severely disabled persons) are
requested from applicants in the context of the application procedure, processing is
carried out in accordance with Art. Art. 9 para. 2 lit. b. GDPR so that we can exercise the
rights arising from labour law and social security and social protection law and fulfil our
obligations in this respect.
Cumulatively or alternatively, the processing of the special categories of data may also
be based on Art. 9 para. 1 lit. h GDPR, if it is carried out for purposes of preventive
health care or occupational medicine, for the assessment of the applicant’s ability to
work, for medical diagnosis, care or treatment in the health or social field or for the
management of systems and services in the health or social field.
If, in the course of the evaluation described above, the applicant is not selected, or if an
applicant withdraws his or her application prematurely, the data submitted on the
application form will be deleted after 6 months at the latest after notification. This
period is calculated on the basis of our legitimate interest in being able to answer any
follow-up questions about the application and, if necessary, to comply with our
obligation to provide evidence in accordance with the regulations on the equal
treatment of applicants.
In the event of a successful application, the data provided will be further processed on
the basis of Art. 6 para. 1 lit. b GDPR for the purposes of the employment relationship.
7) Tools and Miscellaneous
This website uses a so-called “cookie consent tool” to obtain effective user consent for
cookies and cookie-based applications that require consent. The “cookie consent tool” is
displayed to users in the form of an interactive user interface when they access the
page, on which consent for certain cookies and/or cookie-based applications can be
given by ticking the appropriate box. Through the use of the tool, all cookies/services
requiring consent are only loaded if the respective user provides the corresponding
consent by ticking the corresponding box. This ensures that such cookies are only set on
the respective end device of the user if consent has been granted.
The tool sets technically necessary cookies to save your cookie preferences. Personal
user data is generally not processed.
If, in individual cases, personal data (such as the IP address) is processed for the
purpose of storing, assigning or logging cookie settings, this is done in accordance with
Art. 6 (1) point f GDPR on the basis of our legitimate interest in legally compliant,
user-specific and user-friendly consent management for cookies and thus in a legally
compliant design of our website.
Further legal basis for the processing is Art. 6 (1) point c GDPR. As the responsible party,
we are subject to the legal obligation to make the use of technically unnecessary
cookies dependent on the respective user consent.
Further information on the operator and the setting options of the cookie consent tool
can be found directly in the corresponding user interface on our website.
8) Rights of the Data Subject
8.1 The applicable data protection law grants you the following comprehensive rights of
data subjects (rights of information and intervention) vis-à-vis the data controller with
regard to the processing of your personal data:
– Right of access by the data subject pursuant to Art. 15 GDPR: You shall have the right
to receive the following information: The personal data processed by us; the purposes of
the processing; the categories of processed personal data; the recipients or categories
of recipients to whom the personal data have been or will be disclosed; the envisaged
period for which the personal data will be stored, or, if not possible, the criteria used to
determine that period; the existence of the right to request from the controller
rectification or erasure of personal data or restriction of processing personal data
concerning the data subject or to object to such processing; the right to lodge a
complaint with a supervisory authority; where the personal are not collected from the
data subject, any available information as to their source; the existence of automated
decision-making, including profiling and at least in those cases, meaningful information
about the logic involved, as well as the significance and envisaged consequences of
such processing for the data subject; the appropriate safeguards pursuant to Article 46
when personal data is transferred to a third country.
– Right to rectification pursuant to Art. 16 GDPR: You have the right to obtain from the
controller without undue delay the rectification of inaccurate personal data concerning
you and/or the right to have incomplete personal data completed which are stored by
– Right to erasure (“right to be forgotten”) pursuant to Art. 17 GDPR: You have the right
to obtain from the controller the erasure of personal data concerning you if the
conditions of Art. 17 (2) GDPR are fulfilled. However, this right will not apply for
exercising the freedom of expression and information, for compliance with a legal
obligation, for reasons of public interest or for the establishment, exercise or defense of
– Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to obtain
from the controller restriction of processing your personal data for the following reasons:
As long as the accuracy of your personal data contested by you will be verified. If you
oppose the erasure of your personal data because of unlawful processing and you
request the restriction of their use instead. If you require the personal data for the
establishment, exercise or defense of legal claims, once we no longer need those data
for the purposes of the processing. If you have objected to processing on grounds
relating to your personal situation pending the verification whether our legitimate
grounds override your grounds.
– Right to be informed pursuant to Art. 19 GDPR: If you have asserted the right of
rectification, erasure or restriction of processing against the controller, he is obliged to
communicate to each recipient to whom the personal date has been disclosed any
rectification or erasure of personal data or restriction of processing, unless this proves
impossible or involves disproportionate effort. You have the right to be informed about
– Right to data portability pursuant to Art. 20 GDPR: You shall have the right to receive
the personal data concerning you, which you have provided to us, in a structured,
commonly used and machine-readable format or to require that those data be
transmitted to another controller, where technically feasible.
– Right to withdraw a given consent pursuant to Art. 7 (3) GDPR: You have the right to
withdraw your consent for the processing of personal data at any time with effect for the
future. In the event of withdrawal, we will immediately erase the data concerned, unless
further processing can be based on a legal basis for processing without consent. The
withdrawal of consent shall not affect the lawfulness of processing based on consent
before its withdrawal.
– Right to lodge a complaint pursuant to Art. 77 GDPR: Without prejudice to any other
administrative or judicial remedy, you have the right to lodge a complaint with a
supervisory authority, in particular in the Member State of your habitual residence, place
of work or place of the alleged infringement if you consider that the processing of
personal data relating to you infringes the GDPR.
8.2 Right to Object
If, within the framework of a consideration of interests, we process your personal data
on the basis of our predominant legitimate interest, you have the right at any time to
object to this processing with effect for the future on the grounds that arise from your
particular situation. If you exercise your right to object, we will stop processing the data
concerned. However, we reserve the right to further processing if we can prove
compelling reasons worthy of protection for processing which outweigh your interests,
fundamental rights and freedoms, or if the processing serves to assert, exercise or
defend legal claims.
If we process your personal data for direct marketing purposes, you have the right to
object at any time to the processing of your personal data which are used for direct
marketing purposes. You may exercise the objection as described above.
If you exercise your right to object, we will stop processing the data concerned for direct
9) Duration of Storage of Personal Data
The duration of the storage of personal data is based on the respective legal basis, the
purpose of processing and – if relevant – on the respective legal retention period (e.g.
commercial and tax retention periods).
If personal data is processed on the basis of an express consent pursuant to Art. 6 (1)
point a GDPR, this data is stored until the data subject revokes his consent.
If there are legal storage periods for data that is processed within the framework of legal
or similar obligations on the basis of Art. 6 (1) point b GDPR, this data will be routinely
deleted after expiry of the storage periods if it is no longer necessary for the fulfillment
of the contract or the initiation of the contract and/or if we no longer have a justified
interest in further storage.
When processing personal data on the basis of Art. 6 (1) point f GDPR, this data is stored
until the data subject exercises his right of objection in accordance with Art. 21 (1)
GDPR, unless we can provide compelling grounds for processing worthy of protection
which outweigh the interests, rights and freedoms of the data subject, or the processing
serves to assert, exercise or defend legal claims.
If personal data is processed for the purpose of direct marketing on the basis of Art. 6
(1) point f GDPR, this data is stored until the data subject exercises his right of objection
pursuant to Art. 21 (2) GDPR.
Unless otherwise stated in the information contained in this declaration on specific
processing situations, stored personal data will be deleted if it is no longer necessary for
the purposes for which it was collected or otherwise processed.