1. Name and address of the controllerNexi Germany GmbH

Helfmann-Park 7
65760 Eschborn

Phone: +49 69 7922-0
Fax: +49 69 7922-4500
Email: serviceDE@nexigroup.com

Representatives of the controller are the managing directors Carola Wahl, Dr. Andreas Marra, Dr. Götz Möller.

2. Data Protection Officer

You can contact our data protection officer by email at DPO-DACH@nexigroup.com or by writing to our postal address for the attention of “The Data Protection Officer”.

3. Processing of personal data

3.1. Visiting our website
3.1.1. Scope of data processing

When you visit our website, your browser sends certain data to our webserver for technical reasons. This concerns the following data (known as server logfiles):

• IP-address

• Date and time of server request

• Time zone difference to Greenwich Mean Time (GMT)

• Subject of request (specific page)

• Operating system and access status / HTTP status code

• Data volume transmitted

• Website from which the request comes (“Referrer URL”)

• Browser, language and version of browser software
  

3.1.2 Purpose of data processing

These data must be stored in log files to guarantee the website’s functionality. In addition, we use the data to optimize our website and to ensure the security of our information technology systems.
3.1.3. Legal basis for processing

We collect these data based on our legitimate interest within the meaning of Art. 6 (1)f GDPR in order to display our website and ensure its security.

3.1.4. Duration of storageInformation in the logfiles is stored for security reasons (e.g., to investigate misuse or fraudulent activity) for a maximum of seven days and is then deleted. Data that must be retained as evidence is not deleted until the incident has been definitively clarified.

3.1.5. Objection and removal rightFor technical reasons the collection of data is absolutely necessary for the provision of the website and their storage in logfiles is absolutely necessary for its operation. There is therefore no option for users to object.

3.1.6. Underage usersOur website is not directed to minors and we do not knowingly collect personal data from minors.

If persons under the age of 16 transmit personal data to us, this is only permitted if the legal guardian has consented or agreed to the consent of the minor. For this purpose, in accordance with Art. 8 (2) GDPR, the contact details of the legal guardian must be communicated in order to convince us of the consent or consent of the legal guardian. This data, as well as the data of the minor, will then be processed in accordance with this privacy policy.

If we discover that a minor under the age of 16 has sent personal data to us without the consent of the legal guardian or without the legal guardian agreeing to the consent of the minor, we will delete the data immediately.

3.2. Access RightsAccess to your personal data stored by us is limited to our employees and the service providers commissioned by us, who must handle this personal data due to their tasks.

These service providers process the data exclusively on our instructions and have been obliged to comply with the applicable data protection regulations. All processors have been carefully selected and will only have access to your data to the extent and for the period required to provide the services or to the extent that you have consented to the processing and use of the data.

Insofar as third parties gain access to your data, we have specified the corresponding legal basis for the respective services.

An exchange of data within the group of companies to which we belong takes place exclusively within the EU/EEA and Switzerland as a third country with an adequate level of data protection in accordance with Art. 45 GDPR and is only used for internal administrative purposes. By group of companies we mean affiliated companies within the meaning of Art. 4 (19) GDPR.

The servers of some of the service providers we use are in the United States and other countries outside the European Union. Companies in these countries are subject to different legislation, that generally do not protect personal data to the same extent as is the case in the member states of the European Union.

If your data is processed in a country that does not have a recognized high level of data protection such as the European Union or Switzerland, we ensure that your personal data is adequately protected by means of contractual measures or other recognized instruments. Otherwise, your data will only be processed in third countries without an adequate level of data protection with your consent.

In exceptional cases, we transfer personal data to law enforcement and criminal investigation authorities. This is done on the basis of corresponding legal obligations, e.g., from the Code of Criminal Procedure, the Tax Code, the Money Laundering Act or the State Police Acts.

3.3. Contact Forms 3.3.1. Scope of data processing Contact forms are available on our website, which you are welcome to use to communicate electronically with us. When you make use of this opportunity, the data entered in the input mask are sent to us and processed. They consist of your title, first name, surname, business partner number, telephone number, email address, preferred means of contact and message text.

3.3.2. Purpose of data processing We use the personal data from the input mask to process the contact request. The data are used to process the conversation, to respond to the request and to provide the required information.

Other data processed during the transfer process (e.g., date, time, IP-address) serve to prevent misuse of the contact form and ensure the security of our IT systems.

3.3.3. Legal basis for processingWhen the contact form is used, the sender’s data are used to process the contact request in accordance with Art 6 (1)b GDPR.

3.3.4. Recipients of processingWhen you contact us, your personal data are processed by the internal company functions responsible for the respective request. We use a logistics provider to process the order as part of data processing by a processor in accordance with Art. 28 GDPR.

3.3.5. Duration of storageWhen the contact request is an enquiry, the data are deleted as soon as they are no longer required for the purpose for which they were collected. For the personal data from the input mask in the contact form and those sent by email, this is the case when the conversation with the user comes to an end. The conversation comes to an end when the circumstances suggest that the matter has been definitively clarified.

If you contact us as part of a contractual relationship or during pre-contractual activities (e.g., to request an offer), the data are processed to execute the contract. The data stored by us are deleted as soon as they are no longer necessary for the purpose for which they were collected and there are no statutory recordkeeping obligations that require them to be retained. Recordkeeping obligations do exist under commercial and tax law, however. Data (e.g., accounting documents) are retained for 6 years in accordance with Section 257 para. 1 German Commercial Code (HGB) and for 10 years in accordance with Section 147 para. 1 Tax Code (AO) (e.g., accounting documents, commercial correspondence, tax relevant documents).

3.3.6. Objection and removal right
You have the option of revoking your consent to the processing of your personal data. In this case the conversation cannot be continued. Please send your revocation of consent to serviceDE@nexigroup.com. In this case, all the personal data stored when you contacted us will be deleted, to the extent that no recordkeeping obligations prevent us from doing so. Data processed in connection with an order or request for an offer are subject to recordkeeping obligations under commercial and tax law. There is therefore no option for users to object.

3.4. Portal for advertising material 3.4.1. Scope of data processingYou can order supplies and consumables (e.g., acceptance stickers for your business or imprinter payment slips) from our advertising material portal. If you are a new customer, you must register before using the portal for the first time. This means we process the following data: title, business partner number*, first name*, surname*, email address*, password*. The fields marked * are obligatory.

3.4.2. Purpose of data processingWe process these data to provide you with supplies and consumables as part of our contract.

3.4.3. Legal basis for processingThe data are processed to provide contractual services. The legal basis for this processing is Art. 6(1)(b) GDPR.

3.4.4. Recipients of processingThe data are processed by our responsible internal function. This is the Customer Service department.

3.4.5. Duration of storageThe data are processed to execute a contract. The data stored by us are deleted as soon as they are no longer necessary for the purpose for which they were collected and there are no statutory recordkeeping obligations that require them to be retained. Recordkeeping obligations do exist under commercial and tax law, however. Data (e.g., accounting documents) are retained for 6 years in accordance with Section 257 para. 1 German Commercial Code (HGB) and for 10 years in accordance with Section 147 para. 1 Tax Code (AO) (e.g., accounting documents, commercial correspondence, tax relevant documents).

3.4.6. Objection and removal right
Data processed in connection with an order for advertising material are subject to recordkeeping obligations under commercial and tax law. There is therefore no option for users to object.

3.5. Paymentletter 3.5.1. Scope of data processingYou can subscribe to a Paymentletter on our website. If you decide to do so, we process the following data: title, business partner number, first name, surname, email address, sector. For registration it is sufficient for you to tell us your name and email address.

We only send payment letters with the consent of recipients. This entails the use of a double opt-in procedure. After subscribing for the payment letter, you receive an email in which you have to confirm your subscription. We use this procedure so that no one can subscribe using someone else’s email address. We log subscriptions to the payment letter to document the subscription process in line with the statutory requirements. The data include the date, time and IP address at the time of subscription.

The Paymentletter contain a “web beacon”, i.e., a pixelsized file that is retrieved by the server of our mailing service provider when the Paymentletter is opened. When it is retrieved, technical information about the browser and the IT system used are collected, as are the IP-address and the time of retrieval. This information is used to improve services using technical data or target groups and their reading patterns by means of retrieval locations (which can be determined with the help of the IP-address) or access times. The analytical data gathered also includes whether the Paymentletter is opened, when it is opened, and which links are clicked. For technical reasons we are able to attribute this information to individual subscribers. Neither we nor our service providers intend to observe individual recipients of the payment letter, however. The analysis rather helps us to identify the reading patterns of our subscribers and adapt our contents to them or to send different contents depending on their interests.

3.5.2. Purpose of data processingWe send payment letters for advertising purposes, to inform our subscribers about products, offers and promotions from our company.

3.5.3. Recipients of data processingOur newsletters are sent by various third-party providers with whom we have concluded corresponding contracts for order processing in accordance with Art. 28 GDPR or the applicable data protection laws.

3.5.4. Legal basis for processingWe send payment letters with the consent of recipients. The legal basis for this is Art. 6(1)(a) GDPR.

The use of the mailing service provider Campaign Monitor, the statistical data gathering, and analysis and the logging of the subscription process take place on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR, which consist of operating a user friendly, cost effective and secure payment letter system.

3.5.5. Duration of storageWe store the personal data given when you subscribe to the payment letter until you revoke your consent.

3.5.6. Objection and removal rightIf you no longer want to receive our payment letter you can cancel the subscription at any time and so revoke your consent. At the end of the payment letter you will find a cancellation link. Alternatively, you can send an email to marketing-dach@nexigroup.com. When you cancel your subscription to the newsletter, your personal data will be deleted.

3.6. CandidatesWe offer you the opportunity to apply online via our application portal. After appropriate registration with our portal, your data will be securely forwarded to us. As part of the registration process, you will be shown the privacy policy for the use of the online portal. Your submitted application documents will be received by the central recruiting department and forwarded exclusively to the persons entrusted with the selection of applicants.
All parties involved will treat your application documents with due care and absolute confidentiality.

Nexi Germany GmbH is part of an international group of companies with cross border cooperation of employees in their functions. We would like to point out that when filling positions with an international reach, it is possible that people who work in a different company in the group of companies than the one for which you have applied may be involved in the selection process.

It is therefore also possible that in such cases the applicant information will be passed on to other companies in the group during the selection process.

3.7. Cookies3.7.1. Scope of data processingOur website uses cookies. Cookies are small text files that are stored on your computer when you visit our website. Cookies do no harm to your computer and contain no malware, such as viruses. Cookies contain a unique string of characters that uniquely identifies the user’s browser when the user returns to the website. Some elements of our website make it necessary for the browser to be identified after changing pages. This website uses transient and persistent cookies.

a) Transient cookies are deleted automatically when you close the browser. They particularly include the session cookies. These store a session ID, with which various requests by your browser can be attributed to a joint session. When you return to our website, your computer can be recognized. The session cookies are deleted when you log out or close the browser.

b) Persistent cookies are deleted automatically after a defined period, which can vary from one cookie to another. You can delete the cookies at any time in the security settings of your browser.

3.7.2. Purpose of data processingWe use cookies to make our website attractive and user-friendly, to improve it and to expedite enquiries. Some elements of our website make it necessary for the browser to be identified after changing pages. For these it is necessary to recognize the browser after the page has been changed. They include our bookmark function for downloading information brochures, for instance.

3.7.3. Legal basis for data processingThe legal basis for the processing of personal data using the technically necessary cookies is Art. 6(1)(f) GDPR.

3.7.4. Duration of storageSession cookies are deleted as soon as the browser is closed.

Persistent cookies are deleted automatically after a defined period.

3.7.5. Objection and removal right You as the user have full control over the use of cookies. You can alter the settings in your internet browser so that cookies are not stored at all or are deleted automatically at the end of your session. To do this, select the option “accept no cookies” in your browser settings. In Microsoft Internet Explorer you select „Extras > Internet options > Data protection > Setting"; In Firefox you select "Extras > Settings > Data protection > Cookies"); If you use another internet browser, please use its help function to find instructions on how to prevent and delete cookies.

You should be aware, however, that in this case you may not be able to use all the functions of our website.

We only set cookies that are not technically necessary after your express consent, which you can of course revoke at any time. As part of our cookie information on our website, you have agreed to the following declaration in this regard:

This website uses cookies that are necessary for operation, provide statistical evaluations that enable you to share content on social networks or to show you interest based advertising. Depending on the activated level, you accept the previous levels by clicking on the respective button. By clicking on "Confirm selection" or "Select & confirm all", you also consent to the processing of your data in accordance with Art. 49 (1) (a) GDPR that your data will be processed by the corresponding services in the USA.

4. Social Media Plug-Ins We embed external services and contents in our website. Via the plug-in we give you the opportunity to interact with social networks and other users, so that we can improve our offering and make it more interesting for you as a user. The legal basis for the use of these plug-ins is Art. 6(1) sentence 1(f) GDPR.

When we use such services or display third-party contents, communication data such as data, time and IP-address are exchanged between you and the respective provider. This particularly entails your IP-address, which is required to display contents in your browser.

It may be that the provider of the respective services or contents process your data for their own, additional purposes. Since we have no influence over the data collected by third parties and their processing by them, we cannot provide any binding information on the purpose and scope of their processing of your data. For further information about the purpose and scope of data collection and processing, you should therefore consult the data protection policies of the providers responsible under data protection law for the services and contents embedded by us. Here you will also find further references to data processing and opt-out options.

We use the following social media plug-ins: Facebook, Google +, Twitter, XING, LinkedIn and Youtube. You can identify the provider of the plug-in by means of the mark on the box over its first letter or its logo. We give you the opportunity to communicate directly with the provider of the plug-in via the button. When you click on the marked field and so activate it, the plug-in provider receives information that you have retrieved the corresponding webpage of our online offering.

By activating the plug-in, your personal data are sent to the plug-in provider and stored there (for US providers in the USA). Since the plug-in provider mainly uses cookies to gather data, we advise you to delete all cookies via the security settings of your browser before you click on the greyed-out box.
We neither have control over the data collected and the data processing, nor do we know the full extent of data collection, the purposes of processing or the retention periods. We also have no information about deleting the data collected by the plug-in provider.

The plug-in provider stores the data collected about you as a user profile and uses this for the purposes of advertising, market research and/or for the design of its website. Such use takes place particularly (also for users who are not logged in) to present interest-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the compilation of this user profile, whereby you must address the respective plug-in provider to exercise it.

Data are transferred regardless of whether you have an account with the plug-in provider or are logged in there. If you are logged in with the plug-in provider, the data gathered from our website is ascribed directly to your account with the plug-in provider. When you click the active button and link the page for example, the plug-in provider stores this information in your user account and shares it with your public contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, since this enables you to avoid the data being added to your profile with the plug-in provider.

Further information about the purpose and scope of data collection and processing by the plug-in provider can be found in the data protection policies of these providers, links to which are provided below. There you will also find further information about your rights and optional settings to protect your privacy.

Addresses of the respective plug-in providers and URL with data protection policies:

• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; further information on data collection: Meta Privacy Policy - How Meta collects and uses user data | Privacy Center | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy , and https://www.facebook.com/help/186325668085084 .
• Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; further information about data protection: https://www.google.com/policies/privacy/partners/?hl=de .
• Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; further information about data protection: https://twitter.com/privacy .
• Videos on the platform “YouTube” from the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information on data protection: https://www.google.com/policies/privacy/ . You can opt out at https://www.google.com/settings/ads/.
• LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; further information about data protection: https://www.linkedin.com/legal/privacy-policy .
• Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany; further information about data protection: https://www.xing.com/privacy.

5. Data securityWe take technical, contractual and organizational measures to ensure the state of the art security of data processing. We ensure that the provisions of data protection legislation, particularly the General Data Protection Regulation, are adhered to and that the data processed by us are protected against destruction, loss, alteration, and unauthorized access. These security measures also include the encrypted transmission of data between your browser and our servers. Please note that for transfers via the internet, the SSL encryption is only activated when the key symbol appears in the lower menu bar of your browser window and the address begins with. The SSL technology (Secure Sockets Layer) uses encryption to protect the data being transferred from illegal third-party access. If this option is not available, you can decide not to send us certain data via the internet.

All the information you send us is stored and processed on our servers in the Federal Republic of Germany.

6. Collaboration with processors and third partiesData are only transferred to third parties within the framework of statutory provisions. We only transfer user data to third parties, when necessary, e.g. for contractual purposes pursuant to Art. 6(1)(b) or on the basis of our legitimate interest in the economical and effective operation of our business pursuant to Art. 6(1)(f) GDPR.

To provide our services we use processors as defined in Art. 28 GDPR, particularly for the operation, maintenance and hosting of the website and IT systems. We have taken the appropriate legal precautions and corresponding technical and organisational measures to ensure the protection of personal data in accordance with applicable statutory provisions.

7. Transfers to third countriesWhen we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in connection with third-party services, it only takes place to perform our pre-contractual obligations, with your consent, based on a legal obligation or on our legitimate interests. In these cases, we process the data subject to the conditions of Art. 44 et seq. GDPR, i.e., based on special guarantees, such as adequacy decisions, or standard contractual clauses (SCCs).

8. Your rightsWhen we process your personal data, you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and have the following rights to your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

9. Data processing for the purpose of direct marketing

Data from our customer database

To the extent permitted by law, we may also use your name, company affiliation and the postal address known to us for sending advertising for our own offers or the telephone number provided, for calls, if we can assume that you are interested. The legal basis is Art. 6 para. 1 lit. f) in conjunction with Recital 47 GDPR, for telephone calls in connection with § 7 para. 3 no. 2 German Act against unfair competition (UWG). Our legitimate interest is the promotion of sales of our products.

You may object to the processing of your data for advertising purposes at any time for the future. A notification in text form to the contact data mentioned under point 2 is sufficient. We will then delete your data from our active distribution list. We will then keep the data that proves your objection for a further 6 years in accordance with Art. 17 Para. 3 lit e) GDPR. During this time, however, your personal data will be blocked against further processing.

Data from public sources

We collect your data from public sources, by purchase from third parties if you have consented, by our own research in digital or print media, and if you provide us with this information personally, e.g., by passing on your business card and in communication with our company.

The legal basis for the processing of the data is Art. 6 paragraph 1 lit. f) in connection with Recital 47 GDPR, for telephone calls in connection with § 7 paragraph 3 no. 2 German Act against unfair competition (UWG). Our legitimate interest is to promote the sale of our products.

You have the right to object to the processing of your data for advertising purposes by us at any time, cf. Art. 21 para. 2 GDPR. If you would like to object to the processing of your data by us or if you would like to know exactly from whom we have obtained your data, please contact us by using the contact details given above. All your rights are listed under "Your rights" in this privacy policy.

The following personal data or data categories are collected by us, if available:

• Master data (name, first name, form of address, title)
• Address/contact information (address, phone number, e-mail address, website)
• Group affiliation (profession/function)
• Employer information of the data subject (name/address)
• Content data (emails, documents, files, phone & conversation notes, messages transmitted & received)

The data will be deleted by us upon your revocation in accordance with Art. 17 para. 1 lit. c), Art. 21 para. 2 GDPR or, at your choice, blocked for further processing in accordance with Art. 18 para. 1 lit. b) GDPR to ensure that you will not be contacted again against your wish

10. Changes to the data protection policy

We reserve the right to amend the data protection policy to adapt it to changes in the law or if services and data processing should change. This only applies to statements on data processing, however. To the extent that the consent of users is required, or elements of the data protection policy include provisions from the contract with users, these changes will only take place with the agreement of the users. Please consult the data protection policy on a regular basis.