Privacy Policy
Bräutigam & Rotermund GmbH, Borselstraße 16f in 22765 Hamburg ("we") operate the www.br.studio (the "Site").
We take the protection of your personal data seriously and provide you below with a simple overview of what happens to your personal data when you visit this website and in what way your personal data is processed by us.
A. General
(1) Name and address of the data controller
Stefan Bräutigam
at Bräutigam & Rotermund GmbH,
Borselstrasse 16f
22765 Hamburg
Telephone: +49 40 . 43 28 17 79
E-mail: info@br.studio
(2) Definitions
This data protection declaration is based on the following definitions in accordance with Art. 4 DS-GVO:
- „Personal data" (Art. 4 No. 1 DS-GVO) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
- „Processing" (Art. 4 No. 2 GDPR) means any operation which involves the handling of personal data, whether or not by automated (i.e. technology-based) means. This includes, in particular, the collection (i.e., acquisition), recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended use on which a data processing was originally based.
- „Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- „Third party" (Art. 4 No. 10 DS-GVO) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data; this also includes other group-affiliated legal entities.
- „Processor" (Art. 4 No. 8 DS-GVO) is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
- „Consent" (Art. 4 No. 11 DS-GVO) of the data subject means any voluntary expression of will in the form of a declaration or other unambiguous affirmative act, given in an informed and unambiguous manner for the specific case, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.
(3) Data subjects
For example, the following persons may be affected by data processing when visiting our website or contacting us electronically/by telephone:
- Employees (e.g. employees, applicants, former employees);
- Business and contractual partners;
- interested parties;
- communication partners;
- customers;
- Users (e.g. website visitors).
The terms used, e.g. "user", are to be understood as gender-neutral.
(4) Types of data processed
The personal data of the data subjects processed within the scope of this online offer include the following
- Inventory data (e.g. names and addresses of customers);
- Contact data (e.g. e-mail, telephone number);
- Contract data (e.g. subject matter of the contract, customer category);
- Payment data (e.g. invoices),
- Content data (e.g. e-mail communication, telephone notes).
- Usage data (e.g. web pages visited on our online offer, interest in our products, access times);
- Meta/communication data (e.g. device information, IP addresses);
- Location data (information on the geographical position of a device or person).
(5) Legal basis for data processing
According to the legal provisions, any processing of personal data is generally prohibited. Data processing is only permitted if it falls under one of the following justifications:
- Art. 6 (1) p. 1 lit. a DS-GVO ("consent"): If the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous confirmatory act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
- Art. 6 (1) p. 1 lit. b DS-GVO: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request;
- Art. 6 (1) p. 1 lit. c DS-GVO: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a legal obligation to preserve records);
- Art. 6 para. 1 p. 1 lit. d DS-GVO: If the processing is necessary to protect vital interests of the data subject or another natural person;
- Art. 6 (1) p. 1 lit. e DS-GVO: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Art. 6 (1) p. 1 lit. f DS-GVO ("Legitimate Interests"): If the processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject override (in particular if the data subject is a minor).
- For the following processing operations, we are happy to indicate the applicable legal basis in each case. A processing operation may also be based on several legal bases.
(6) Data deletion and storage period
(6.1) For our data processing operations, we specify below how long the data will be stored by us, when it will be deleted and/or blocked. If we do not specify any specific storage periods below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies.
(6.2) However, storage may take place beyond the specified time, for example in the event of a (threatened) legal dispute with you or other legal proceedings. There are, for example, special legal storage obligations for certain documents according to § 257 HGB and § 147 AO as well as social security and labor law regulations. These documents may also contain personal data. The aforementioned documents include, for example: Books and records, inventories, annual financial statements, individual financial statements pursuant to Section 325 (2a) HGB, management reports, the opening balance sheet as well as the operating instructions and other organizational documents required for their understanding, accounting vouchers, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code. These documents must be kept for a period of 10 years. Received commercial or business letters, reproductions of sent commercial or business letters, other documents, as far as they are relevant for taxation. These documents must be kept for a period of 6 years.
(6.3) The respective retention period shall begin at the end of the calendar year in which the last entry in the accounting records, inventory, opening balance sheet, annual financial statements or prepared management report, received or sent commercial or business letter, prepared accounting record, prepared minutes or other documents were prepared.
(6.4) If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
(7) Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g. SSL or TSL encryption for our website), taking into account the state of the art, implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
We will be happy to provide you with more detailed information on request. Please feel free to contact us (see under A.(1)).
(8) Cooperation with processors
As with any other company, we also use external domestic and foreign service providers to process our business transactions (e.g. for the areas of IT, telecommunications, shipping). They will only act on our instructions and have been contractually obligated to comply with data protection regulations in accordance with Art. 28 DS-GVO.
(9) Hosting at DomainFactory
We host our website and content at DomainFactory GmbH, c/o WeWork, Neuturmstraße 5, 80331 Munich.
When you visit our website, DomainFactory collects various log files including your IP addresses. For more information, please refer to DomainFactory's privacy policy at https://www.df.eu/de/datenschutz/.
The data processing by DomainFactory is based on Art. 6 para. 1 lit. f DSGVO. We have a legitimate interest in ensuring that our website is presented as reliably as possible. If a corresponding consent has been requested, the processing is based exclusively on Art.6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. for device fingerprinting) as defined by the TTDSG.
The consent can be revoked at any time.
We have concluded a contract on order processing (AVV) with DomainFactory. This contract ensures that DomainFactory will only process the personal data of visitors to our website in accordance with our instructions and in compliance with the GDPR.
(10) Conditions for the transfer of personal data to third countries
In the course of our business relationships, your personal data may be transferred or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and to maintain your business relationship with us. We will inform you about the respective details of the transfer below at the relevant points.
Some third countries are certified by the European Commission through so-called adequacy decisions to have data protection comparable to the EEA standard (a list of these countries as well as a copy of the adequacy decisions can be found here: Adequacy decisions (europa.eu).
However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. Please contact us (see under A.(1)) if you would like more information on this.
(11) No automated decision making (including profiling)
We do not intend to use any personal data collected from you for any automated decision making process (including profiling).
(12) No obligation to provide personal data
We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. For you as a customer, there is also basically no legal or contractual obligation to provide us with your personal data; however, it may be that we can only provide certain offers to a limited extent or not at all if you do not provide the data required for this. If this should exceptionally be the case in the context of the products we offer presented below, you will be informed of this separately.
(13) Legal obligation to transmit certain data
We may, under certain circumstances, be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public bodies (Art. 6 (1) p. 1 lit. c DS-GVO).
(14) Your rights
You may assert your rights as a data subject regarding your processed personal data at any time by contacting us using the contact details provided at the beginning of A.(1). As a data subject, you have the right to:
- in accordance with Art. 15 DS-GVO to request information about your data processed by us. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- in accordance with Art. 16 DS-GVO, to demand the correction of incorrect data or the completion of your data stored by us without delay;
- pursuant to Art. 17 DS-GVO, to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
- in accordance with Art. 18 DS-GVO, to demand the restriction of the processing of your data, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
- pursuant to Art. 20 DS-GVO, to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");
- object to the processing in accordance with Art. 21 DS-GVO, provided that the processing is based on Art. 6 (1) p. 1 lit. e or lit. f DS-GVO. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will examine the merits of the case and either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing;
- in accordance with Article 7 (3) of the GDPR, to revoke your consent given once (also before the GDPR came into force, i.e. before 25.5.2018) - i.e. your voluntary will, made understandable in an informed manner and unambiguously by a statement or other unambiguous confirming act, that you agree to the processing of the personal data in question for one or more specific purposes - at any time vis-à-vis us, if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent for the future and
- pursuant to Art. 77 DS-GVO, to lodge a complaint with a data protection supervisory authority - a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement - about the processing of your personal data in our company.
(15) Changes to the data protection notice
In the context of the further development of data protection law and technological or organizational changes, our data protection notices are regularly reviewed to determine whether they need to be adapted or supplemented. You will be informed of changes in particular on our German website at www.br.studi/datenschutz. This data protection notice is current as of March 2023.
B. Visiting our web pages
(1) Explanation of the function
When you visit our web pages, personal data may be processed.
(2) Processed personal data
During the informational use of the web pages, the following categories of personal data are collected, stored and processed by us:
(2.1) "Usage data and meta/communication data"
When you, i.e. as a website visitor, user of online services, visit our websites, a so-called log data record (so-called server log files) is stored temporarily and anonymously on our web server. This consists of:
- the page from which the page was requested (so-called referrer URL)
- the name and URL of the requested page
- the date and time of the request
- the description of the type, language and version of the web browser used
- the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established
- the amount of data transferred
- the operating system
- the message whether the call was successful (access status/http status code)
- the GMT time zone difference
(2.2) "Inventory, contact and content data"
You as a communication partner can contact us, e.g. by writing an e-mail to us. In this case, we process the personal data you provide in order to respond to your inquiry. This includes, for example, surname and first name, gender, address, company, e-mail address and the time of transmission, the subject of your message and the message itself.
(3) Purpose and legal basis of data processing
We process the personal data described in more detail above in accordance with the provisions of the DS-GVO, the other relevant data protection regulations and only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 (1) p. 1 lit. f DS-GVO, the aforementioned purposes also represent our legitimate interests.
The processing of "usage data and meta/communication data" serves statistical purposes and the improvement of the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 p. 1 lit. f DS-GVO).
The processing of "inventory, contact and content data" is carried out for the processing of customer inquiries (legal basis is Art. 6 para. 1 p. 1 lit. b DSGVO, insofar as your contact request is related to an existing or upcoming contract with you. Otherwise, the legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO, as the processing is necessary to fulfill our legitimate interest in proper processing of contact requests. In order to be able to properly allocate inquiries, the provision of personal data is required in this regard.
(4) Duration of data processing
Your data will only be processed for as long as is necessary to achieve the above-mentioned processing purposes; the legal bases stated in the context of the processing purposes apply accordingly.
After visiting our websites, log file information is stored for a maximum of seven days for security reasons (e.g. to clarify misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been conclusively clarified.
As far as contact and content data is concerned, we will keep your messages until we have completely fulfilled your request. At the end of the year, after the inquiry has been fully processed, we will check whether your data will be deleted or whether your data will be restricted for further processing and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.
Third parties engaged by us will store your data on their systems for as long as is necessary in connection with the provision of services for us in accordance with the respective order.
(5) Transfer of personal data to third parties; basis for justification
The following categories of recipients, which are usually order processors (see A.(8)), may receive access to your personal data:
- Service providers for the operation of our website, the sending and receiving of e-mails and the processing of data stored or transmitted by the systems (e.g. for data center services, IT security). The legal basis for the transfer is then Art. 6 para. 1 p. 1 lit. b or lit. f DS-GVO, insofar as it does not involve order processors;
- Government agencies/authorities, insofar as this is necessary for the fulfillment of a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 p. 1 lit. c DS-GVO;
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities). The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. b or lit. f DS-GVO.
For the guarantees of an adequate level of data protection in the event of a transfer of data to third countries, see A.(9).
In addition, we will only share your personal data with third parties if you have given your express consent to do so in accordance with Art. 6 para. 1 p. 1 lit. a DS-GVO.
(6) Use of cookies and other services on our website
(6.1) Use of cookies
In order to make visiting our website attractive and to enable the use of certain functions, we use cookies, pixels, web beacons and similar technologies (hereinafter: "cookies"). These are small text files that are stored on your terminal device. The cookies can be transmitted to a page when it is called up and thus enable the user to be identified. Cookies help to simplify the use of Internet pages for users. Some of the cookies we use are deleted after the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your terminal device and enable us to recognize your browser on your next visit (so-called persistent cookies). You can set your browser so that you exclude the acceptance of cookies for certain cases or generally. You can delete cookies that have already been set. If you do not accept cookies, the functionality of our website may be limited. Cookies from third-party providers are also used on our website (e.g. when using tracking tools to evaluate user behavior).
For details on this, in particular on the purposes and legal bases of the processing of such third-party cookies and technologies, please refer to the information below and the further information on the cookie page.
(6.2) Use of essential and functional technologies
So-called essential and functional cookies or technologies are used on our website. Essential technologies are required to enable the core functionality of the website. Functional technologies allow us to analyze the use of the website in order to measure and improve its performance. For the essential technologies used on our website, as well as details on the purposes and legal bases of the processing of such technologies, please refer to the information below on the cookie page.
Functional technologies used on our website include:
Google Analytics
We use "Google Analytics" on our website. This is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google). Google uses cookies, i.e. small text files that are stored on your terminal device and enable an analysis of your use of our website. The information generated by the cookie about the use of our website is usually transmitted to a Google server in the USA and stored there. If anonymization of the IP address to be transmitted by the cookie is activated on the website ("IP anonymization" ), your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage on our behalf. In doing so, pseudonymous usage profiles can be created from the processed data. The creation of profile data only takes place with your consent, i.e. on the legal basis of Art. 6 para. 1 lit. a) DSGVO. The IP address transmitted when using Google Analytics is not merged with other data from Google.
We use Google Analytics only with the previously described activated IP anonymization. This means that your IP address is only processed by Google in a shortened form. A personal reference can thus be excluded.
We also use Google Analytics for the purpose of analyzing the use of our website and to be able to continuously improve individual functions and offers as well as the user experience. Through the anonymous statistical evaluation of user behavior, we can improve our offer and make it more interesting for you as a user. The processing of the above data by Google, this is based on Art. 6 para. 1 lit. a) DSGVO.
You can revoke your consent at any time by calling the checkbox.
Google Analytics Opt-Out:
Opt-Out Google Analytics
You can prevent the storage of cookies generated by Google Analytics by making the appropriate settings in your web browser. In this respect, we would like to point out that in this case you may not be able to use all the functions of our website. If you wish to prevent the collection of data generated by the cookie and related to your user behavior (including your IP address) as well as the processing of this data by Google, you can download and install the web browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
In order to oblige Google to process the transmitted data only in accordance with our instructions and to comply with the applicable data protection regulations, we have concluded an order processing agreement with Google. Further details on data transfer to third countries can be found in PART I: General.
Further information on data use by Google, on setting and objection options, and on data protection can be found on the following Google web pages:
- Terms of use: http://www.google.com/analytics/terms/de.html
- Privacy policy: http://www.google.de/intl/de/policies/privacy
- Data use by Google when you use websites or apps of our partners: https://www.google.com/intl/de/policies/privacy/partners
- Data use for advertising purposes: http://www.google.com/policies/technologies/ads
- Settings for personalized advertising by Google: http://www.google.de/settings/ads
(6.3) Vimeo without tracking
This website uses plugins of the video portal Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA.
If you call up one of our websites that contains a Vimeo video, a connection is established to the Vimeo servers. In the process, the Vimeo server is informed which of our pages you have visited. In addition, Vimeo obtains your IP address.
However, we have set Vimeo so that Vimeo will not track your user activity and will not set any cookies.
The use of Vimeo represents a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO, because we have an interest in the appealing presentation of our online offers. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) lit. a DSGVO; the consent can be revoked at any time:
Vimeo Opt Out:
Data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on "legitimate business interests". Details can be found here:
https://vimeo.com/privacy.
Further information on the handling of user data can be found in Vimeo's privacy policy at: https://vimeo.com/privacy.
(6.4) Social media links
We put links on our website to social media platforms: Facebook, Instagram and LinkedIn.
These links are inactive and not unrestricted as plugins, but only integrated into our website using an HTML link. This type of integration offers you the guarantee that when you call up a web page of our Internet presence that contains such links, there is still no connection with the servers of the service provider of the respective social network.
If you click on one of the links, a new window will open in the browser you are using. The page of the respective service provider is called up, on which you can (if necessary after entering your login data) e.g. click the Like or Share button.
On social networks and other external platforms, the respective companies' own data protection provisions apply, even if we disseminate information and maintain presences there with our brands.
For the purpose and scope of the data collection and the further processing and use of the data by the providers on their pages, as well as a contact option and your rights and setting options in this regard to protect your privacy, please refer to the privacy notices of the providers. You can inform yourself under the following links:
Facebook: https://www.facebook.com/privacy/explanation
Instagram: https://privacycenter.instagram.com/policy/
LinkedIn: https://privacycenter.instagram.com/policy/
C. Applications
If you apply for a job with us, we process your personal data as part of the application process on the basis of Art. 6 (1) lit. b of the European Data Protection Regulation (DSGVO) in conjunction with. § Section 26 of the German Federal Data Protection Act (BDSG). If your application is unsuccessful, we will retain your personal data for a further 6 months, starting at the end of the month in which we decide on your application. The legal basis for this processing is Art. 6 para. 1 lit. c) DSGVO.