We are pleased about your visit to our website. The protection of your privacy is very important to us and we want you to feel safe on our website.
The personal data referred to above is information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). This includes in particular your name and e-mail address, but also data about your use of our website (e.g. your IP address), details in your curriculum vitae, etc.
Below we inform you about the type, scope and purpose of the personal data processed by us and clarify the rights you are entitled to as a data subject.
1. Name and address of the person responsible
Responsible within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states and other data protection regulations:
Managing directors: Dr. Niklas Hellemann, Lukas Schaefer, Felix Schürholz
Landline: +49 221 2910 5993
2. Name and address of the data protection officer
The data protection officer of the controller is
Mister Benedikt Woltering
3. Type of personal data, processing purposes, legal basis (in case of processing controlled by us via the website and outside the website)
a. Website visit for informational purposes
If you visit our website for information purposes only, without actively providing personal data yourself, we will only store access data in so-called server log files. This includes
- the name of the requested file,
- Date and time of the retrieval,
- transferred data volume,
- used browser,
- the operating system used,
- IP address,
- requested URL,
- referrer URL (URL you visited immediately before) and
- the requesting provider.
The legal basis for the processing of this personal data is Art. 6 (1) f GDPR. Our legitimate interest is to enable you to access our website.
The listed personal data is automatically recorded by our IT systems when you visit our website. Without processing the personal data (in particular the IP address) for the duration of the session, the website may not be displayed optimally or only to a limited extent.
On our website, we provide information that enables rapid electronic contact with us and direct communication with us. This includes above all our . As far as you contact us by email or contact form, the personal data transmitted by you will be stored automatically.
In addition, on various social media presences, as listed in more detail under point 5, we also provide contact options via contact field and message (via the social media presence).
In this context, we usually process the following personal data of yours:
- First and last name
- E-Mail address,
- Telephone number and
- personal data contained in an individual contact message.
We use the personal data you provide exclusively for the processing of your specific inquiry. Your details may be stored in a customer relationship management system (so-called CRM system) or another organisation tool for customer data.
The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. This is the case when the respective conversation with you has ended or a contract that has been concluded is terminated and the data is no longer required.
In this respect, the legal basis is dependent on the information you provide when contacting us by sending an e-mail, the contact form or a message. If the purpose of the contact is the conclusion of a contract, the legal basis for processing is Art. 6 (1) b GDPR. If the contact is made for other purposes, the legal basis is Art. 6 (1) f GDPR.
The processing of certain personal data is also necessary in order to carry out an application procedure. We process the following personal data in connection with an application, which can be made via the applicant portal, via a social media presence, by e-mail or by post, until a decision is made on your application:
Personal details include in particular
- private contact details (e-mail addresses, telephone numbers, postal address),
- Date and place of birth,
- Marital status,
- Number of children,
- driving licence information and
- Disabled status.
Professional information also includes
- Letter of recommendation,
- Cover letter,
- Work permit,
- previous employment,
- Training history,
- spoken languages,
- employment-related skills, and
- Certificates and the like.
The aforementioned personal data are necessary for the selection of suitable employees, the notification of the decision on an application, the coordination of the application procedure (e.g. personal interview) as well as for the establishment of an employment relationship.
The legal basis for this processing of personal data is § 26 (1) 1 BDSG.
We collect the aforementioned personal data in the application and recruitment process directly from you as an applicant. If your application is unsuccessful, we will store this personal data for three months after informing you of this decision.
d. Collection and use of data for contract processing
In order to carry out the contractual relationship with you, the processing of certain personal data is unavoidable. In connection with the execution of the contract, including any registration as part of our awareness building services, we process in particular the following personal data
- Company name,
- Business address,
- e-mail address,
- Phone number and
- documents or texts submitted by you that contain personal data
and all data required to process payments and prevent fraud, in particular
- Credit card or EC card numbers,
- any security codes, and
- other billing information.
If we use this personal data (i) to coordinate the planning, execution, control and administration of your contractual relationship with us, (ii) to provide you with information on your registration or such as changes in our system or (iii) to carry out payment transactions, the legal basis for such processing is Art. 6 (1) b GDPR.
If, on the other hand, the personal data are used for the settlement of disputes, the enforcement of the contractual agreement and the establishment, exercise or defence of legal claims, the legal basis for this processing depends on the claims Art. 6 (1) b or f GDPR.
We collect personal data in connection with the execution of the contract directly from you by providing the personal data yourself during the order/registration process, either via the self-service portal at https://app.sosafe.de/ or by other means.
After complete execution of the contract, your data will be blocked for further use and deleted after expiry of the statutory retention periods, unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes which are permitted by law and about which we inform you below.
Furthermore, we process your personal data when you register for our newsletter.
Newsletter2GO uses this information to send and evaluate the newsletter. The evaluation takes place on our behalf, but Newsletter2GO can also use the data for quality assurance and improvement of its own service.
To register you have to give us your e-mail address. You can voluntarily give us additional information, such as your name. The registration takes place in a so-called double opt-in procedure. After registration, you will receive a confirmation e-mail from us in which you must confirm your registration once again. This entire process is documented and saved. This includes the storage of the registration and confirmation time as well as your IP address.
The legal basis for the processing of personal data in connection with the sending of the newsletter is Art. 6 (1) a GDPR.
You can withdraw your consent to the processing of your personal data in connection with the sending of the newsletter at any time by cancelling the newsletter. Please use the link provided at the end of the newsletter to cancel. The legality of the data processing operations already carried out remains unaffected by the revocation.
f. Demo mail sender
Personal data is also processed if you register for a demo mail delivery to test the suitability of our services for your company.
For sending demo mails as part of our demo (at demo.sosafe.de), but not for our phishing simulations as part of an order, we use the services of SendGrid, Inc., 1801 California Street, Suite 500, Denver, CO 80202, USA. Cookies and web beacons (tracking pixels) are used within the e-mails sent by SendGrid when sending demo mail. We use SendGrid to analyze the sending of the demo emails. The analysis is used exclusively for the statistical analysis of the messages and for creating the evaluation of the demo mail dispatch. The personal data is transferred to the SendGrid server in the USA. This personal data may also be accessed by government agencies in the USA. SendGrid is certified according to the “EU-US Privacy Shield”. The “Privacy-Shield” is an agreement between the European Union (EU) and the USA, which is intended to ensure compliance with European data protection standards in the USA.
We process the following registration data for the demo mail dispatch
- e-mail address.
As well as the following analysis data
- a message was opened,
- which links were clicked on, if any, and
- Time of access, IP address, browser type and operating system.
The data processing takes place on the basis of your consent in accordance with Art. 6 (1) a GDPR.
You can revoke your consent to the processing of your personal data in connection with the demo mailings at any time by canceling the demo mailings (by e-mail to email@example.com). The legality of the data processing operations already carried out remains unaffected by the revocation.
Without the corresponding processing of personal data, the demo mailings may not be available or may only be available to a limited extent.
g. Feedback surveys
In addition, personal data is processed when users (employees of our customers) provide personal data in the feedback surveys included in our awareness building services.
We offer you (as a user) the opportunity to leave feedback, praise or criticism on the awareness pages associated with our simulated phishing mails (links start with https://learning.sosafe.de/…) and within the eLearning platform (at https://elearning.sosafe.de). The rating you enter (on a scale of 1-5) as well as the optional free text will be made available to your employer on the one hand to give them an overview of the feedback from the workforce on the IT security training offered, and on the other hand will be used by us to improve our services. Therefore, if you provide identifiers in the free text or leave your e-mail address for feedback (not reported to employers), we will process this personal data for the purpose stated.
The legal basis for the processing of this personal data by us is Art. 6 (1) a GDPR.
4. Usage of cookies
To make visiting our website attractive and to enable the use of certain functions, we use so-called “cookies” on our website. These are small text files which are stored on your end device.
Cookies enable us, for example, to track and determine your preferences and to identify you individually during your visit to our website. After the end of the browser session, most of the cookies we use are deleted again (“session cookies”). The permanent cookies (“persistent cookies”), on the other hand, remain on your end device and thus enable us, for example, to recognise you on your next visit or to analyse your usage behaviour. You can revoke your consent at any time with effect for the future here: Cookie settings
a. Usage of necessary cookies
The purpose of using technically necessary cookies is to simplify the use of our websites for you. Some functions of our website cannot be offered without the use of these cookies. For these, it is sometimes necessary that your browser is recognized even after a page change. If you do not accept or deactivate cookies, the functionality of our website may be limited.
For these purposes, we have a legitimate interest in the processing of personal data for this purpose in accordance with Art. 6 (1) f GDPR.
b. Cookie usage for the purpose of analytics
Our website uses the web analysis service software of Google Inc. (Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) for statistical analysis of user behaviour and thus for optimisation and marketing purposes. The personal data includes among other things
- IP address,
- Date and time of the page view,
- Click path,
- Information about the browser and device you are using,
- visited pages,
- Referrer URL (website from which you accessed our website),
- location data, and
- Ordering activities.
Pseudonymised usage profiles can be created and evaluated from this data for the same purpose.
Google uses this information to evaluate the use of the website by visitors and to compile reports on website activities. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. The personal data can be transferred to the Google server in the USA. Google has a certification according to the “EU-US-Privacy-Shield”.
The legal basis for the processing of your personal data by Google Analytics is Art. 6 (1) a GDPR.
You can terminate this consent at any time with the following button. The legality of the data processing operations that have already taken place remains unaffected by the revocation.
The data is deleted as soon as it is no longer required for our recording purposes. In our case this is after 14 months.
5. Social Media
In addition to this website, we also maintain presences at various social media providers (see the social media providers listed under 5. b.) in order to communicate with the customers, interested parties and applicants active there and to inform them about our services and job vacancies.
a. Icons on our website
In this context, only simple links are used for the icons on this website https://sosafe.de/, which do not establish a connection to the respective social media presence when the website loads. Thus, the social media links used here differ from the widely used Gefällt-mir buttons, which transmit data to the social media providers as soon as the website loads, without the button having to be clicked.
b. Processing of your data when visiting the website of the social media providers
As far as you visit such a social media presence by clicking on the link or directly, your personal data will be processed by us there only to the extent specified under 3. b. and c.
In addition, however, your personal data will also be transmitted on the social media provider’s website to the provider of the social media platform. It is possible that, in addition to the storage of the data you specifically enter on this social media platform, further information may also be collected, processed or used by the social media provider. If you are logged in with your personal user account of the respective network while visiting such a social media platform, the social media platform can assign the visit to your account. If you do not wish such an assignment, you must log out of your account and delete the cookies before visiting our social media presence.
We cannot trace which data is actually processed by the social media providers. For further information on the purpose and scope of data collection there and on the further processing and use of your data, please refer to the data protection regulations of the respective social media provider:
Facebook is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Twitter is operated by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland.
Xing is operated by New Work SE, Dammtorstraße 29-32, 20354 Hamburg, Germany.
6. Embedded content and services of third parties
We sometimes include third-party content on our website, such as YouTube and Vimeo videos, maps from Google Maps or graphics from other websites.
This content is embedded in “enhanced privacy mode”, which means that no data about you as a user is transferred if you do not play or click on content. Only when you agree to the data transfer and play or click on the content will the data mentioned in the next paragraph be transferred. We have no influence on this data transfer. The legal basis for processing the data after you have given your consent is Art. 6 (1) a GDPR.
a. Third party graphics
In the case of graphics from other websites, the transmission of your IP address to the third party provider is necessary to display this content. Unfortunately, we have no influence on whether the third party provider collects or stores the IP address for other purposes beyond the mere display of the content. If we become aware of such use, we will inform you about it in this privacy statement.
c. Google Maps
You can terminate this consent at any time by clicking the following button. The legality of the data processing operations already carried out remains unaffected by the revocation.
reCAPTCHA (provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). is intended to check whether the data input on our websites (e.g. in the demo form) is done by a human being or by an automated program. For this purpose, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For analysis purposes, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The data processing is based on Art. 6 (1) f GDPR. We have a legitimate interest in protecting our web offers from abusive automated queries.
7. Data deletion and storage duration
Unless otherwise specified in the individual sections, the stored personal data will be deleted if you revoke your consent to storage or if knowledge of this data is no longer required to fulfil the purpose for which it was stored. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject.
We regularly check whether the purpose pursued with the storage is still given and delete your data immediately if this should no longer be the case. However, with regard to the relevant data, the deletion will only take place after the expiry of the periods stipulated by tax and commercial law regulations.
8. Disclosure of personal data and recipients
We will not pass on personal data without your express consent, unless we are legally obliged to do so, e.g. if we are legally obliged to release data (information to law enforcement agencies and courts; information to public bodies which receive data on the basis of legal regulations, e.g. social insurance institutions, tax authorities, etc.) or if we involve third parties who are bound to professional secrecy in order to enforce our demands. We share your personal data with the following recipients:
- For the processing of personal data for the above-mentioned purposes, we use contract processors who process the personal data on our behalf. We always retain control of the respective personal data and remain responsible for the data processing.
- For payment processing in the course of orders, we transmit payment data to banks and payment service providers, if the payment method requires it.
- In individual cases, we transmit personal data to courts, law enforcement agencies, supervisory authorities, other authorities, tax consultants and lawyers, if this is legally permissible and necessary.
9. Automated decision making
We will not use your personal data to make automated decisions (including profiling) concerning you that have legal effect on you or that significantly affect you in a similar manner.
10. Your rights
You have the following rights:
a. Right of access
In accordance with Art. 15 GDPR, you have the right to request information free of charge about your personal data stored by us. This also enables you to obtain a copy of the personal data we process about you and to check whether we are processing it in a lawful manner.
b. Right of rectification
In the event of incorrect data, you have the right of correction in accordance with Art. 16 GDPR. We are obliged to make the correction immediately.
c. Right to restrict processing
In accordance with Art. 18 GDPR, you have the right to demand that we restrict processing. This allows you to request the suspension of the processing of your personal information, for example, if you want us to determine its accuracy or the basis for processing.
d. Right of erasure
In accordance with Art. 17 GDPR, you have the right to demand that the personal data concerning you be deleted immediately if the data are no longer needed for the purposes for which they were collected or, if the processing is based on your consent, you have revoked your consent. In this case we must stop processing your personal data and remove it from our IT systems and databases. A right to deletion does not exist, if
- the personal data must not be deleted or processed by virtue of a legal obligation; or
- the data processing is necessary for the assertion, exercise or defence of legal claims
e. Right to data portability
Pursuant to Art. 20 GDPR, you have the right, under certain circumstances, to transfer the personal data concerning you which you have provided us with, in a structured, common and machine-readable format, to another responsible party.
f. Right to object
You have the right to object to the processing of your personal data if the processing is based on our legitimate interests (or those of a third party) and if your particular situation gives rise to reasons for you to object to the processing on that basis. In particular, you have the right to object if we process your data for direct marketing purposes.
g. Right to revoke consent under data protection law
You have the right to revoke your consent to the processing of personal data at any time. Revocation of your consent does not affect the lawfulness of the processing that has taken place on the basis of your consent until revocation.
h. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you is in breach of the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
If you have any questions regarding the collection, processing or use of your personal data, for information, correction, blocking or deletion of data or general questions and suggestions regarding data protection, please contact us directly:
Appointed as data protection officer: Mr. Benedikt Woltering, Internal Data Protection Officer, can be reached at privacy(at)sosafe.de.
Managing directors: Dr. Niklas Hellemann, Lukas Schaefer, Felix Schürholz
Commercial register: HRB96220, Amtsgericht Köln
Stand: Juli 2020