Privacy Notice/Policy

We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of Stonebranch. The use of the Internet pages of Stonebranch is possible without any indication of personal data; however, if a data subject wants to use special enterprise services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.

The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to the test. By means of this data protection declaration, our enterprise would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.

As the controller, the test has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.

Table of Contents:

  1. Definitions
  2. Name and Address of the controller
  3. What we need
  4. Why we need it
  5. What we do with it
  6. How long we keep it
  7. What are your rights?

1. Definitions

The data protection declaration of Stonebranch is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, inter alia, the following terms:

Personal data: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject: Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

Processing: Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation: Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller or controller responsible for the processing: Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party: Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent: Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and Address of the controller

Controller details for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection can be found in our imprint.

3. What we need

Our Personal Data Protection Policy governs the use and storage of your data. Stonebranch is a Controller of the personal data you (data subject) provide us. We collect the following types of personal data from you:

  • Names
  • Email addresses
  • Countries
  • Phone numbers
  • Cookies
  • Purchase history
  • General connection data and information
    • browser type and version
    • operating system used by the accessing system
    • the website from which an accessing system reaches our
      website (so-called referrers)
    • the date and time of access to the Internet site
    • IP Address
    • the Internet service provider of the accessing system
  • Application documents (e.g. CV, Employment History)

4. Why we need it

We need your personal data in order to provide you with the following services:

  • Collection of contact details. The website contains information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes an e-mail address. If a data subject contacts the controller by e-mail, via a contact form or via chat, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject.
  • Collection of Cookies to recognize website users. This is used to provide more user-friendly services that would not be possible without the cookie setting and to optimize our website with the user in mind.
  • Collection of a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files and may be used to diagnose technical problems and in the event of attacks on our information technology systems.
  • Collection of application documents you provide to assess your suitability for the role you have applied for. We will use the contact details you provide to us to contact you to progress your application.

5. What we do with it

Your personal data is processed in our main offices located in Germany, Greece and the United States. Hosting and storage of your data takes place via the following.

Stonebranch, as the data controller, utilizes third party data processors that provide several marketing related services for us. Stonebranch has contracts in place with all data processors to ensure that your information is only processed for the intended purpose. Stonebranch also ensures that the third party will provide suitable technical and organizational measures to protect the personal data as required by the applicable law.

The third party processors are:

Entity Name Entity Type and Service Entity Type and Service
Salesforce.com Inc. Third-party service provider: Salesforce CRM, Pardot Marketing Automation United States
Zendesk Inc. Third-party service provider: Customer Support Software, Chat United States
Google Inc. Third-party service provider: Google Analytics United States
Mediatis AG Third-party service provider: Marketing Agency Germany
Artfiles Third-party service provider: Website Hosting United States
Workable Software Ltd. Third-party service provider: Recruitment platform (for applications in Greece) United States

6. How long we keep it

We retain personal information only for as long as necessary to carry out the intended functions, and in line with our retention schedule and the respective statutory retention period. After this period, your personal data will be irreversibly destroyed. Any personal data held by us for marketing and service update notifications will be kept by us until such time that you notify us that you no longer wish to receive this information. Please contact us for more information on our personal data retention schedule.

7. What are your rights?

Should you believe that any personal data we hold on you is incorrect or incomplete, you have the ability to request to see this information, rectify it or have it deleted. Please contact us through [Data Subject Access Request Form].

In the event that you wish to complain about how we have handled your personal data, please contact the Director Human Resources at Stonebranch roger.eickhoff(at)stonebranch(dot)com or in writing at

Roger Eickhoff
Stonebranch GmbH
Europa-Allee 54
60327 Frankfurt am Main
Germany

Our Privacy Team will then look into your complaint and work with you to resolve the matter.

If you still feel your personal data has not been handled appropriately according to the law, you can contact Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Germany and file a complaint with them.