Groenewold IT Solutions LogoGroenewold IT Solutions – Home
🇩🇪

Privacy Policy: Your Data and Our Data Protection Measures

Information about data protection and the processing of your personal data

Privacy Policy – Your Data at Groenewold IT Solutions

This privacy policy explains how we process personal data (below: "data") in our online services.

That includes our websites, features, and content. It also covers external presences such as social media profiles (together: "online offering").

For the terms we use — such as "processing" or "controller" — we refer to Article 4 of the General Data Protection Regulation (GDPR).

Controller

Groenewold IT Solutions GmbH
Mühlenstraße 157
26789 Leer (Ostfriesland)
Email address: info@groenewold-it.solutions
Managing Director / Owner: Björn Groenewold
Link to legal notice: Legal Notice

Types of Data Processed

  • Master data (e.g., names, addresses).
  • Contact data (e.g., email, phone numbers).
  • Content data (e.g., text input, photographs, videos).
  • Usage data (e.g., websites visited, interest in content, access times).
  • Meta/communication data (e.g., device information, IP addresses).

Categories of Data Subjects

Visitors and users of the online offering (referred to collectively as "users").

Purpose of Processing

  • Providing the online offering, its features, and content.
  • Responding to contact requests and communicating with users.
  • Security measures.
  • Reach measurement / marketing.

Terminology Used

"Personal data" means any information about an identified or identifiable person (the "data subject"). A person is identifiable if they can be identified — directly or indirectly — e.g. by name, ID number, location data, or an online identifier such as a cookie.

Identification can also occur through one or more factors specific to a person's physical, genetic, mental, economic, cultural, or social identity.

"Processing" means any operation performed on personal data — whether automated or not. The term is broad and covers virtually any handling of data.

"Pseudonymisation" means processing personal data so it can no longer be linked to a specific person without additional information. That additional information must be stored separately and protected by technical and organisational measures.

"Profiling" means automated processing of personal data to evaluate personal aspects of a person — for example, their work performance, financial situation, health, preferences, interests, reliability, behaviour, or location.

"Controller" means the person or organisation that decides the purposes and means of processing personal data — alone or jointly with others.

"Processor" means a person or organisation that processes personal data on behalf of the controller.

Applicable Legal Bases

Under Article 13 GDPR, we inform you of the legal bases for our data processing. Where no legal basis is stated in this policy, the following applies:

  • Consent: Article 6(1)(a) and Article 7 GDPR.
  • Contract performance and pre-contractual enquiries: Article 6(1)(b) GDPR.
  • Legal obligations: Article 6(1)(c) GDPR.
  • Legitimate interests: Article 6(1)(f) GDPR.
  • Vital interests: Article 6(1)(d) GDPR.

Security Measures

Under Article 32 GDPR, we implement appropriate technical and organisational measures to protect personal data. We take into account the state of the art, implementation costs, and the nature, scope, and purposes of processing — as well as the varying likelihood and severity of risks to people's rights and freedoms.

These measures include protecting the confidentiality, integrity, and availability of data through physical access controls, input controls, disclosure controls, and data separation.

We have procedures in place to handle data subject rights, delete data, and respond to data security threats. We also consider data protection when developing or selecting hardware, software, and processes (data protection by design and by default, Article 25 GDPR).

Cooperation with Processors and Third Parties

We share, transfer, or grant access to data only where we have a legal basis, your consent, a legal obligation, or a legitimate interest.

Examples: sharing data with payment providers for contract performance (Article 6(1)(b) GDPR), or using agents and web hosts.

Where we engage third parties to process data under a data processing agreement, this is done under Article 28 GDPR.

Transfers to Third Countries

We process data outside the EU/EEA — or share it with third parties there — only to fulfil contracts, on the basis of your consent, a legal obligation, or our legitimate interests.

Subject to legal or contractual permissions, we only send data to a third country if Articles 44 et seq. GDPR are met — for example, via an officially recognised level of data protection or standard contractual clauses.

Rights of Data Subjects

You have the right to ask whether we process data about you and to receive information about that data, including a copy, under Article 15 GDPR.

Under Article 16 GDPR, you can ask us to complete or correct inaccurate data about you.

Under Article 17 GDPR, you can ask us to delete your data without undue delay. Alternatively, you can ask us to restrict processing under Article 18 GDPR.

Under Article 20 GDPR, you have the right to receive your data in a structured, machine-readable format and to transfer it to another controller.

Under Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of Withdrawal

You can withdraw any consent given under Article 7(3) GDPR at any time, with effect for the future.

Right to Object

Under Article 21 GDPR, you can object to the processing of your data at any time. You can object in particular to processing for direct marketing purposes.

Cookies and Right to Object to Direct Marketing

"Cookies" are small files stored on your device. A cookie stores information about you or your device during or after a visit to an online offering.

  • Session cookies (transient): Deleted after you leave the offering and close your browser. They may store e.g. shopping cart content or login status.
  • Permanent cookies (persistent): Remain after the browser is closed — e.g. for login status on return visits or for reach measurement and marketing.
  • First-party and third-party cookies: First-party cookies are set by us. Third-party cookies are set by other providers.

We may use temporary and permanent cookies. We will explain this in the relevant sections of this policy.

If you do not want cookies stored on your device, you can disable them in your browser settings. You can also delete stored cookies there. Blocking cookies may limit some functions of this offering.

You can opt out of online marketing cookies for many services — especially tracking — via the EU site: Your Online Choices (EDAA, EU).

Note that blocking cookies may mean not all features of this offering are available.

Deletion of Data

We delete or restrict data under Articles 17 and 18 GDPR. Unless stated otherwise here, we delete stored data as soon as it is no longer needed and no legal retention obligations apply.

If data is needed for other legally permitted purposes, processing is restricted (data is blocked) — e.g. for commercial or tax retention requirements.

  • Germany: Retention of 10 years (Sections 147(1) AO, 257(1) Nos. 1 and 4, (4) HGB) and 6 years (Section 257(1) Nos. 2 and 3, (4) HGB — commercial letters).
  • Austria: 7 years (Section 132(1) BAO), 22 years for real property, 10 years for MOSS-relevant documents.

Business-Related Processing

We also process contract data (e.g., subject matter, term, customer category) and payment data (e.g., bank details, payment history) of our customers, prospects, and business partners. This is done to provide contractual services, customer care, marketing, and market research.

Agency Services

We process customer data as part of our contractual services. This includes consulting, campaign planning, software and design development or maintenance, campaign execution, server administration, data analysis, and training.

We process master data, contact data, content, contract data, payment data, usage data, and metadata (e.g. for measuring marketing success). We do not normally process special categories of personal data unless this is part of a commissioned processing assignment. Data subjects include our customers, prospects, their customers, users, website visitors, employees, and third parties.

Purpose: providing contractual services, billing, and customer service. Legal bases: Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (analysis, statistics, security). We process only the data that is necessary and share it with third parties only when required for an assignment.

For data provided to us under an assignment, we follow the client's instructions and Article 28 GDPR. We do not use that data for any purpose beyond the assignment.

We delete data after statutory warranty and similar obligations expire. We review the need to retain data every three years. Statutory retention periods apply (6 years under Section 257(1) HGB, 10 years under Section 147(1) AO). Data shared with us under an assignment is deleted according to the assignment terms — usually at the end of the assignment.

Contractual Services

We process the data of our contractual partners, prospects, and clients (collectively "contractual partners") under Article 6(1)(b) GDPR to provide our contractual or pre-contractual services. The data processed and the scope, purpose, and necessity of its processing depend on the underlying contract.

Processed data includes: master data (e.g., names and addresses), contact data (e.g., email and phone numbers), contract data (e.g., services used, contract content, names of contact persons), and payment data (e.g., bank details, payment history).

We do not normally process special categories of personal data unless this is part of a commissioned or contractual processing.

We process only the data needed to provide contractual services and point out which data is required. We share data with third parties only when a contract requires it. When processing data provided under an assignment, we follow the client's instructions and legal requirements.

When you use our online services, we may store your IP address and the time of the action — based on our legitimate interests and your interest in protection against misuse. We do not pass this data to third parties unless we need to pursue claims (Article 6(1)(f) GDPR) or are required to by law (Article 6(1)(c) GDPR).

We delete data when it is no longer needed to fulfil contractual or legal obligations, including warranty and comparable obligations. We review retention needs every three years. Statutory retention periods apply.

Administration, Financial Accounting, Office Organisation, Contact Management

We process data for administration, operations management, financial accounting, and legal obligations (e.g. archiving). We process the same categories of data as for our contractual services. Legal bases: Article 6(1)(c) and (f) GDPR.

Data subjects include customers, prospects, business partners, and website visitors. Purpose: administration, accounting, office organisation, and archiving. Deletion follows the same rules as for contractual services and communication.

We share data with tax authorities, advisors such as tax advisors or auditors, and other offices and payment service providers.

We also store information about suppliers, event organisers, and other business partners for follow-up contact. This data is mostly company-related and is generally stored permanently.

Contact

When you contact us — via contact form, email, phone, or social media — we process your information to handle your request under Article 6(1)(b) GDPR. Your information may be stored in a CRM system or similar tool. We delete requests once they are no longer needed. We review this every two years. Statutory retention obligations apply.

Hosting and Email Delivery

Our hosting services provide infrastructure, platform, computing capacity, storage, databases, email delivery, security, and technical maintenance for this online offering.

We or our hosting provider process master data, contact data, content, contract data, usage data, and metadata of customers, prospects, and visitors. Legal basis: legitimate interest in efficient and secure provision (Article 6(1)(f) GDPR) in conjunction with Article 28 GDPR (data processing agreement).

Google Analytics

We use Google Analytics, a web analytics service from Google LLC, based on our legitimate interests in analysis, optimisation, and economic operation (Article 6(1)(f) GDPR). Google uses cookies. Information the cookie generates about your use of our offering is typically sent to a Google server in the USA and stored there.

Google is certified under the Privacy Shield Agreement and thereby offers a guarantee of compliance with European data protection law: Privacy Shield participant listing: Google LLC.

Google evaluates your use of our offering, compiles reports, and provides related services. Pseudonymous user profiles may be created from the processed data.

We use Google Analytics with IP anonymisation only. Your IP is shortened by Google within the EU/EEA. Only in exceptional cases is the full IP sent to a US server and shortened there.

Your IP address is not combined with other Google data. You can disable cookies in your browser settings or prevent Google from collecting and processing your data by installing the browser add-on: Google Analytics opt-out (browser add-on).

For more information about Google's use of data and your opt-out options, see Google's privacy and technology information (how Google uses data in ads) and the settings for ad display (Google ad display settings).

Personal data is deleted or anonymised after 14 months.

Next Step

Ready for the next step? So are we.

Identifying opportunities and risks together – direct, pragmatic, solution-oriented.

Request Free Project CheckBook a Meeting

30 min strategy call – 100% free & non-binding

Privacy Policy & GDPR | Groenewold IT Solutions