The grow.inc spaces GmbH and its subsidiaries (hereinafter jointly referred to as “grow.inc spaces”) are very delighted that you have shown interest in our enterprises and in our joint online appearances.
Data protection is of a particularly high priority for the management of the grow.inc spaces. The use of all Internet pages and social media appearances of the grow.inc spaces is generally possible without the indication of personal data that reveal your identity directly to us and in addition, certain information regarding your end devices or technical equipment are processed in the course of visiting web services which, although it does not allow any direct conclusions to be drawn about your identity, qualify as personal data by law or are protected by law for other legal reasons; however, if a data subject wants to use special services via our websites or our offerings on social media, processing of personal data may become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.
1. Purpose of this Data Protection Notice
This Data Protection Notice generally applies to the online offerings and appearances of grow.inc spaces, which can be accessed on the websites available under the URL "growinc.io" and further URLs, also including its presences on social media, wherever they are linked to this Data Protection Notice (hereinafter jointly referred to as "our website(s)" or as well our “web service(s)”).
As a person affected by data processing through our websites, you are entitled to several rights concerning your personal data under the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection. In particular, you have the legal right to information on your processed personal data and by means of this Data Protection Notice, we would therefore like to inform you comprehensively about the processing of your personal data when using our websites.
Further, you may as well have the rights to deletion and correction of the personal data we may process and to objection against the processing of your personal data. With regard to all your rights and the exercise thereof, please refer to the following section "Rights of Data Subjects" within this Data Protection Notice.
This Data Protection Notice can be retrieved, downloaded and printed out at any time under the URL https://growinc.io/en/legal/cookies. We reserve the right to adapt this Data Protection Notice at any time so that it always meets the current legal requirements or to reflect changes in the application procedure or the like. Since changes in the law or changes in our internal processes may make it necessary to adapt, we ask you to read this Data Protection Notice regularly.
2. Personal data
Personal data is information about personal or factual circumstances of a specific or identifiable natural person. This includes information such as your name, address, telephone number and date of birth, but also data about your specific career, etc., which can be assigned to a specific person with reasonable effort.
Information that is anonymized and not associated with your identity, however, is not personal data.
3. Purposes of the processing of personal data
Some of the personal data and further information we may collect from you is necessary to enable us to provide you with the services you request, to fulfil our contracts with you, to comply with legal requirements or if we have a legitimate interest in the use of your information, for example, when we use your personal data to be able to offer you an extensive and interesting offer via our websites and our web services and to constantly improve these.
When we collect data directly from you, we may ask you for your consent and clearly mark mandatory information (e.g. with an asterisk (*)). You voluntarily provide us with any other information that is not marked.
We will generally collect, process and use the personal data you provide online only within the legal bases provided for within the applicable data protection legislation or within the borders of your consent and as well only for the purposes disclosed to you.
4. General legal bases
The legal bases for the processing of your personal data may be the following:
- Article 6 para. 1 s. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
- If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 para 1 s. 1 lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services.
- Is our company subject to a legal obligation by which processing of personal data is required, such as for the fulfilment of tax obligations, the processing is based on Article 6 para. 1 s. 1 lit. c GDPR.
- In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Article 6 para. 1 s. 1 lit. d GDPR.
- Finally, processing operations could be based on Article 6 para. 1 s. 1 lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
5. Which personal data is collected and processed?
You can generally browse our websites without providing us with personal data (e.g. name, address, telephone number or e-mail address) that reveal your identity directly to us, unless you make them available to us voluntarily (e.g. for registrations for events, enquiries or surveys) or you have consented to the intended use or otherwise the corresponding legal provisions on the protection of your data permit the specific use of your personal data according to the aforementioned legal bases for specific purposes.
Particularly, your personal data may be used as follows:
6.1 Applications and the application procedures
If you apply to us electronically, i.e. by e-mail or via our web form, we collect and process your personal data for the purpose of handling the application procedure and carrying out pre-contractual measures.
6.1 By submitting an application on our recruiting page and sending us your application documents, you express your interest in joining us to work for our companies and make your personal data available to grow.inc spaces for the purpose of applying for a specific position advertised by us. In this context, you provide us with personal data which we use and store exclusively for the purpose of your job search/application.
In particular, the following data is collected:
- Your name (first and last name)
- Your e-mail address
- Your resume/CV
- Salary expectations
- Your possible start date
- Information on how you heard about the vacant position
- You also have the opportunity to upload relevant documents such as a cover letter, references and certificates, and further documents that you consider significant in the context of your application. These documents, just like CVs, may contain further personal data such as date of birth, address, etc.
- Finally, you have to confirm that you have read our Data Protection Notice before submitting your application.
The scope of personal data that you need to provide to us as part of your application depends on the scope and type of your application or the position advertised with us. You are generally free to decide which data you provide us with. However, we may not be able to consider your application without certain information that is required in the individual case or according to the job posting. If necessary, please refer to the job posting for which you wish to apply to find out whether certain information is required.
We clearly mark mandatory information there (e.g., with an asterisk (*)). In these cases, you provide us with all other information not marked with an asterisk voluntarily.
Note on special categories of personal data
We would like to point out that job applications, in particular resumes, references and other data you send us, may contain particularly sensitive information about your state of health, your racial or ethnic origin, your political opinions, your religious or philosophical beliefs, your memberships in a trade union or political party, or your sex life. However, we do not request such data from you and you provide us with such information voluntarily and on the basis of your consent. This consent also relates to the processing of all personal data of a special nature submitted as part of your application in accordance with the provisions of this data protection declaration.
In the further course of the application process, we may also collect further data from you and process them, together with the information you provided in the course of your application, for the purposes stated here. This may also include our assessment of whether you are qualified and suitable for filling vacancies in our company.
If you apply to us, your any of your above mentioned personal data is stored and used exclusively for the purpose of filling the vacant position for which you have applied and to be able to contact you personally on the basis of your application and, if necessary, to initiate a possible employment relationship with you.
You will have to confirm that you have read our Data Protection Notice before submitting your application.
Only authorized employees from our personnel department or employees involved in the application process have access to your data. A transfer of your personal data to third parties or a use of your data for advertising purposes will not take place unless you have expressly consented to it. A use of your personal data beyond the uses mentioned in this Data Protection Notice does not take place.
6.1.1. Retention of your application data
Your data will generally be stored for a period of 180 days after the end of the application process. As a rule, this is done to fulfil legal obligations or to defend against any claims arising from legal regulations. We are then obliged to delete or anonymize your data. In this case, the data is only available to us as so-called metadata without direct personal reference for statistical evaluations (for example, proportion of applications regarding gender, number of applications per period, etc.).
The legal basis for this data processing is that of Article 6 para. 1 s. 1 lit. b GDPR (which permits the processing of data to fulfil a contract or pre-contractual measures), in this context directed towards the conclusion of an employment contract with you and Article 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to safeguard the data controller's legitimate interests), in this context, directed at our legitimate interest in being able to defend ourselves in the event of legal claims being brought against us on the basis of general equality legislation. With regard to the processing of (possibly special categories of) personal data provided in addition to the mandatory data, the legal basis is that of Article 6 para. 1 s. 1 lit. a GDPR (which permits data processing on the basis of your consent)
6.1.2. Data processing within the scope of the employment relationship
If you receive and accept an offer of employment with us as part of the application process, we will store the personal data collected during the application process at least for the duration of the employment relationship.
The legal basis for this data processing is that of Article 6 para. 1 s. 1 lit. b GDPR (which permits the processing of data to fulfil a contract or pre-contractual measures), in this context directed towards the conclusion of an employment contract with you and Article 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to safeguard the data controller's legitimate interests), in this context, we use your personal data mainly for the purpose of establishing, implementing and, if necessary, processing and terminating the employment relationship entered into with you. You will be informed in detail about the processing of your personal data and the legal bases thereof within the scope of the employment relationship entered into with the companies of the grow.inc spaces when the employment contract is concluded.
6.2 Contact forms on our websites
For general inquiries and contact requests, please use our contact form at growinc.io or send us an e-mail [email protected] When you contact us via our contact form or via e-mail, we use your personal data exclusively to answer your inquiries according to your requests and to your satisfaction. To do so, we generally process your full name (name and last name) and also e-mail address to reply to your individual inquiry. Further, it is generally your free decision which data you provide to us. However, we may not be able to fulfil your contact request without certain details required in individual cases.
The legal basis for this data processing is that of Article 6 para. 1 s. 1 lit. b GDPR (which permits the processing of data to fulfil a contract or pre-contractual measures), Article 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to safeguard the data controller's legitimate interests) . Our legitimate interest within the meaning of the GDPR is the optimization and fulfilment of our online offers and our web services.
6.3 Server-Log files
Your visit to our websites is automatically logged by our web servers. In connection with the retrieval of the information you requested from our web services, data is collected for the provision of our various services or for evaluation and security purposes and, if necessary, stored in anonymized form (without personal reference). The web servers we use automatically store data about the retrieval of our web services in so-called server log files. These are the following data:
- Your IP address
- The URLs you accesss on our web pages
- Referrer URL (the page from which you visit us)
- Time of the server request
- Host name of the accessing terminal (the name of your Internet service provider)
- Browser type and browser version
- Operating system used and its settings
The processing of the above data is done for security purposes, for general fraud prevention and as a precaution against attacks on our web services. An automated combination of this data with data from other data sources does not take place.
If we also automatically log your IP address, this is automatically deleted after 30 days at the latest.
Furthermore, we store the URL accessed with the associated page title and optional information on the page content; information on the terminal device used, operating system and browser. This information is generally transmitted with each individual page request when using the Internet. However, unlike cookies and similar technologies, no information is read from the memory of the user's terminal device and no information is stored on this terminal device.
Since the privacy of our visitors is important to us, this data is processed without being merged with other data provided by you, such as your contact details, and furthermore, data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymized or pseudonymized immediately after collection by deleting the last number block. No other use, combination with other data or disclosure to third parties takes place.
This data processing is based on the legal basis of Article 6 para.1 s. 1 lit. f GDPR, which allows data processing based on our legitimate interest. Our legitimate interest within the meaning of the GDPR is the optimization and technical security of our online offers and our web services.
Apart from that, only general information is recorded, e.g. when which content from our offer is called up or which pages are visited most frequently, the names of the requested files as well as their call-up date and time. These data are evaluated to improve our offer and do not allow any conclusions about your person. We will not use this information for any other purpose.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. f GDPR, which allows the processing of data to protect the legitimate interests of the data controller.
7. Our social media appearances
We maintain publicly available profiles in social networks. The individual social networks we use can be found below.
7.1 Data processing through social networks
Social networks such as Facebook, Twitter etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g., like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:
If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.
Using the data collected in this way, the operators of the social media portals can create user profiles in which their preferences and interests are stored. This way you can see interest-based advertising inside and outside of your social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.
7.2 Legal bases
Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Article 6 para. 1 s. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Article 6 para. 1 s. 1 lit. a GDPR).
7.3 Responsibility and assertion of rights
If you visit one of our social media sites (e.g., Facebook), we, together with the operator of the social media platform, are responsible for the data processing operations triggered during this visit. You can in principle protect your rights (information, correction, deletion, limitation of processing, data portability and complaint) vis-à-vis us as well as vis-à-vis the operator of the respective social media portal (e.g., Facebook).
Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.
7.4 Storage time
The data collected directly from us via the social media presence will be deleted from our systems as soon as you ask us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses. Mandatory statutory provisions - in particular, retention periods - remain unaffected.
7.5 Our profiles on individual social networks
Specifically, we maintain profiles on the following social media platforms. For detailed information on the processing of your personal data by their providers, please refer to the respective information and links:
We have a profile on Instagram. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381.
We do not create personal user profiles. In connection with the viewing of the information you have requested form our websites, data is only stored on our servers in anonymised form for the provision of our various services or for evaluation purposes. In this context, general information in accordance with section 6.3 of this Data Protection Notice is also logged in order to determine the frequency of use and the number of users of our web pages. In this way, we learn which area of our websites our users have visited.
However, this usage data does not contain personal data and does not allow any conclusions to be drawn about the identity of the individual user. All of this anonymised usage data is not combined with your personal data and is deleted immediately after the end of the statistical evaluation.
The legal basis for this data processing is that of Art. 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to protect the legitimate interests of the data controller).e.g. when which content from our offer is accessed or which pages are visited most frequently.
With regard to the use of such technologies by the respective providers of these social media platforms, we kindly ask you to inform yourself in this regard under the specified information sources supplied by the providers themselves.
9. Period for which the personal data will be stored
We only store personal data that you provide to us for as long as they are needed to fulfil the purposes for which these data were provided or as long as this is required by law:
If you conclude contracts with us, we store and process your personal data for the duration of your contractual relationship with us and also for the fulfilment of legal post-contractual archiving obligations and for the duration of the statutory retention periods (maximum 10 years);
If you apply through us for vacant positions with us, we will delete your application data at the latest 180 days after completion of the application procedure, unless you have given us your consent to permanently store your data for future job vacancies;
If you send us an inquiry, we process your personal data for the duration of processing your inquiry and for the period we may need to document the inquiry process and our answers.
Generally, we delete or anonymize your personal data from our systems and records, so that you can no longer be identified, when they are no longer needed. We may retain certain personal data in order to comply with our legal and regulatory obligations and to enable us to administer our rights (e.g. to enforce our claims in court), or for statistical purposes (in anonymous form).
10. With whom do we share Personal Data?
If these cases are not listed in this Data Protection Notice, we will not sell or market your personal data to third parties or forward them on for any other reason.
In addition to the other cases mentioned in this Data Protection Notice, your personal data will only be passed on without your express prior consent in the following cases:
If it is necessary for the clarification of an illegal or abusive of our web services or for the prosecution, personal data are passed on to the prosecution authorities as well as if necessary, to damaged third parties. However, this only happens if there are concrete indications of illegal or abusive behaviour. A disclosure to third parties bound to professional secrecy can take place if this is necessary to enforce the contractual conditions or other agreements as well as our claims arising from contracts that you have concluded with us. The legal basis for data transmission is Article 6 para. 1 s. 1 lit. b GDPR, which permits the processing of data in order to fulfil a contract or pre-contractual measures and Article 6 para. 1 s. 1 lit. f GDPR, which permits the processing of data in order to safeguard the data controller's legitimate interests.
Further, we may also be legally obliged to provide information to certain public authorities upon request. These are law enforcement authorities, authorities that prosecute fined offences and the tax authorities.
As our business develops, the structure of our company may change as its legal form changes, subsidiaries, parts of companies or components are established, purchased or sold. In such transactions, customer information will be shared with the part of the company to be transferred with your consent. Whenever personal data is passed on to third parties to the extent described above, we will ensure that it is used in accordance with this data protection declaration and the relevant data protection laws and ask you for your consent.
11. Who is involved in processing your Personal Data?
We process your personal data collected through the website and may also engage third parties to assist us according to our instructions and therefore, your personal data can also be processed on our behalf by our reliable, external service providers ("contract processors"). We solely rely on trusted and reliable contract processors who conduct a number of business processes on our behalf and only provide them with the information they need to provide their services to us. We make every effort to ensure that all contract providers with whom we work strictly protect your personal data and use them only for the purposes to which we assign them and on our behalf. For example, we can commission the following services for which the processing of your personal data is necessary to our contract processors or our contract processors may be
- Third parties who support and help us to provide digital and e-commerce services, including CRM, web analytics and search engine and user content maintenance tools;
- Advertising, marketing, digital and social media agencies to assist us with advertising, marketing and campaign activities, to analyse their effectiveness and to manage your contact requests and questions;
- Third parties who assist us in providing IT services, including platform providers, hosting services, maintenance and support for our databases, and our software and applications that contain information about you (in some cases, such services simply include access to your data to perform the desired task);
The legal basis for data transmission is Article 6 para. 1 s. 1 lit. b GDPR, which permits the processing of data in order to fulfil a contract or pre-contractual measures and Article 6 para. 1 s. 1 lit. f GDPR, which permits the processing of data in order to safeguard the data controller's legitimate interests.
We have concluded a contract with all our contract processors on the commissioned data processing on our behalf in accordance with Article 28 GDPR and fully implement the strict requirements of the German data protection authorities when using their services.
12. Data transfers to “Third Countries”
If we process data in a Third Country (i.e., outside the European Union (EU), the European Economic Area (EEA), where the privacy laws may not be as protective as those in your location) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this is only done in accordance with the strict legal requirements of the EU and we ensure that your data is treated in accordance with the provisions of this Data Protection Notice.
Subject to express consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognized level of data protection, contractual obligation through the so-called standard protection clauses of the EU Commission (SCC), in the presence of certifications or binding internal data protection regulations according to Articles 44 to 49 GDPR; further information can be found on the websites of the EU Commission under the URL https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en. Where necessary, we and our contract processors will, where applicable, also take supplementary measures to ensure the protection of your privacy rights, the confidentiality of your personal data and compliance with the applicable laws and regulations of the EU.
13. Data Security
We make every effort to take extensive technical and organisational security measures to protect your personal data against unintentional or unlawful deletion, alteration or loss and against unauthorised disclosure or access. All our employees are accordingly bound to secrecy and data protection. Insofar as it is within our sphere of influence, we use modern encryption techniques and a large number of other measures in particular to prevent unauthorised access by third parties. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption exists, the data you exchange with us cannot be read by third parties.
Further, our security precautions are regularly checked and adapted to technological progress.
However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions for which we are not responsible. In particular, unencrypted data can be accessed by third parties - particularly if this is done by e-mail. We have no technical influence on this. In such cases, it is the responsibility of the user to protect the data provided by him against misuse by encryption or in any other way.
14. Rights of the data subject
If we process personal data as the data controller, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and purpose of the processing, in particular the right of access (Article 15 GDPR), the right to rectification (Article16 GDPR), the right to erasure (‘right to be forgotten’) (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR), the right to object (Article 21 GDPR). If the processing of personal data is based on your consent, you have the right to revoke this data protection consent in accordance with Article 7 para. 3 GDPR.
If you wish to exercise your above rights, please contact us using the contact details given in section 2.
Please note that we may require proof of identity and full details of your request before we can process your request.
15. Right to lodge a complaint with the competent supervisory authorities
In the event of data protection violations on our part, you have a right of appeal to the responsible supervisory authority.
- The supervisory authority responsible in data protection issues for the activities of the grow.inc spaces GmbH is The State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia (LDI NRW), whose contact data can be found under the following URL: https://www.ldi.nrw.de/metanavi_Kontakt/index.php.
16. Name and Address of the Data Protection Officer
Within our companies, everyone is responsible for privacy and data protection issues. In addition, we have decided to appoint a data protection officer for each of our companies. To ensure the independence of the data protection officer, we have appointed an external data protection officer:
Mr Stephan Krämer, LL.-M. (Attorney at law, Germany) KINAST Rechtsanwaltsgesellschaft mbH Hohenzollernring 54 50672 Cologne
You can contact our data protection officer via his website at http://www.kinast.eu
17. Hyperlinks to other websites
Our websites contain so-called hyperlinks to websites of other providers. When these hyperlinks are activated, you are redirected from our website directly to the websites of other providers. Despite careful control we assume no liability for the content of external links. The operators of the sites we link to are solely responsible for the content of linked pages and any processing of personal data on these websites.
Last updated: March 2022