Privacy Policy of the IBA

1. Definitions

Where terms such as “personal data,” “processing,” or “controller” are used in this privacy policy, they are understood in accordance with the definitions in Article 4 of the GDPR.

2. ame and address of the responsible party

The controller within the meaning of Article 13(1)(a) of the GDPR, other data protection laws applicable in the Member States of the European Union, and other provisions of a data protection nature is:

Industrieverband Büro und Arbeitswelt e. V. (IBA)
Parkstraße 44 B
65191 Wiesbaden
Germany

Phone: +49 611 9457637–0
Email: info(at)iba.online
Website: iba.online

3. Cookies

Our website uses cookies. Cookies are small text files that are stored on your device via an Internet browser. The use of technically necessary cookies is based on Art. 6 (1) lit. f GDPR in conjunction with § 25 (2) TTDSG, the use of additional cookies is based exclusively on your consent in accordance with Art. 6 (1) lit. a GDPR.

Cookies serve to make the use of our website more convenient, secure, and effective, for example by storing settings or temporarily storing user input. Cookies make it possible to recognize a return visit to the website by reading a previously set cookie. This does not involve any direct identification of your person.

An example of this is the use of an online planning tool for room or furnishing concepts. The planning tool uses cookies to remember the room layouts, positions of furnishings, or configurations you have selected so that they are still available when you return to the site.

You can prevent cookies from being stored at any time by adjusting your browser settings or delete cookies that have already been set. Please note that if cookies are deactivated, you may not be able to use all the functions of our website to their full extent.

4. Collection of General Data and Information

The IBA website collects a range of general data and information each time the website is accessed, regardless of whether this is done by a user or an automated system. This general data and information is stored in the server’s log files. The following may be collected

(1) browser types and versions used

(2) the operating system used by the accessing system

(3) the website from which an accessing system reaches our website (so-called referrer)

(4) the subpages that are accessed via an accessing system on our website

(5) the date and time of access to the website

(6) an Internet Protocol address (IP address)

(7) the Internet service provider of the accessing system

(8) other similar data and information that serves to avert danger in the event of attacks on our information technology systems. Insofar as personal data is processed in this context, this is done on the basis of Art. 6 (1) lit. f GDPR.

When using this general data and information, the IBA does not draw any conclusions about your person. Rather, this information is required on the basis of legitimate interest pursuant to Art. 6 (1) lit. f GDPR in order to

(1) deliver the content of our website correctly

(2) optimize the content of our website and the advertising for it

(3) ensure the long-term functionality of our information technology systems and the technology of our website, and

(4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

This data and information, which is usually collected anonymously, is therefore evaluated by the IBA for statistical purposes and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from all personal data you provide in order to comply with the principle of data minimization and storage limitation in accordance with Art. 5 (1) (c) and (e) GDPR.

The log file data is generally only stored for a limited period of time and then deleted, unless further storage is necessary for security reasons.

5. Registration on our Website

You can register on our website by providing personal data. The personal data transmitted to us is determined by the respective input mask used for registration. We collect and store the personal data you enter on the basis of Art. 6 (1) lit. b GDPR exclusively for internal use and for our own purposes. The data may be passed on to one or more processors within the meaning of Art. 28 GDPR, provided that they use the data exclusively on our behalf or for internal purposes.

When you register on our website, the IP address assigned by your Internet service provider (ISP), the date and the time of registration are also stored on the basis of Art. 6 (1) lit. f GDPR. This data is stored in order to prevent misuse of our services and, if necessary, to enable the investigation of criminal offenses. In this respect, the storage of this data is necessary for our protection in accordance with the legitimate interest pursuant to Art. 6 (1) lit. f GDPR. This data will not be passed on to third parties unless there is a legal obligation to do so or the disclosure serves the purpose of criminal prosecution.

The purpose of registration is to offer you content or services that, due to their nature, can only be offered to registered users. You have the option at any time to change or completely delete the personal data you provided during registration.

Within the scope of Art. 15 GDPR, you can request information at any time about which personal data is stored about you. Furthermore, your personal data will be corrected or deleted within the scope of Art. 16 and 17 GDPR upon request or notification, provided that there are no legal retention obligations to the contrary. Our employees are available to you at any time as contact persons for this purpose.

6. Newsletter-Tracking

The IBA newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails sent in HTML format to enable log file recording and analysis. This allows for a statistical evaluation of the success or failure of online marketing campaigns. Using the embedded tracking pixel, the IBA can recognize whether and when you opened an email and which links in the email you clicked on.

Such personal data collected via the tracking pixels contained in the newsletters is stored and evaluated by us on the basis of consent in accordance with Art. 6 (1) (a) GDPR in order to optimize the newsletter dispatch and to tailor the content of future newsletters even better to your interests. This personal data will not be passed on to third parties unless there is a legal obligation to do so. You are entitled to revoke your declaration of consent, which was given separately via the double opt-in procedure in accordance with Art. 7 GDPR, at any time. After revocation, we will delete this personal data. The IBA interprets unsubscribing from the newsletter as a revocation of consent within the meaning of Art. 7 (3) GDPR.

7. Contact Possibility via the Website

Due to legal requirements, the IBA website contains information that enables quick electronic contact with our company and direct communication with us, which also includes a general address for so-called electronic mail (e‑mail address). If you contact us by email or via a contact form, the personal data you provide will be automatically stored on the basis of Art. 6 (1) lit. b GDPR or Art. 6 (1) lit. f GDPR. Such personal data initially transmitted to us by you will be stored for the purpose of processing or contacting you. This personal data will not be passed on to third parties unless there is a legal obligation to do so.

8. Routine Erasure and Blocking of Personal Data

We process and store your personal data in accordance with Art. 5 (1) (e) GDPR only for the period necessary to achieve the purpose of storage or if this is required by law.

If the purpose of storage no longer applies or if a statutory storage period expires, the personal data will be routinely blocked or deleted in accordance with Art. 17 and Art. 18 GDPR and in accordance with the statutory provisions.

9. Rights of the Data Subject

Under the GDPR, you have the following rights with regard to your personal data:

a. Right to confirmation

Pursuant to Art. 15 GDPR, you have the right to request confirmation from us as to whether personal data concerning you is being processed.

b. Right to information

Pursuant to Art. 15 (1) GDPR, you have the right to obtain information free of charge about the personal data stored about you and to receive a copy of this data pursuant to Art. 15 (3) and (4) GDPR. The information includes in particular:

— the purposes of the processing

— the categories of data processed

— the recipients or categories of recipients

— the planned storage period, or otherwise the criteria for determining this period

— your other rights (e.g., rectification, erasure, restriction, objection)

— the existence of a right to lodge a complaint with a supervisory authority

— if the personal data was not collected from you: information about its origin

— the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR. If data has been transferred to a third country or to an international organization, you may request information about the safeguards provided for this purpose in accordance with Article 15(2) of the GDPR. We will respond to your requests without delay, but at the latest within one month, in accordance with Article 12(3) GDPR. The exercise of your rights is generally free of charge. Manifestly unfounded or excessive requests may be rejected or subject to a reasonable fee in accordance with Article 12(5) GDPR.

c. Right to rectification

In accordance with Art. 16 GDPR, you may request the immediate rectification of inaccurate data or the completion of incomplete data.

d. Right to erasure (right to be forgotten)

In accordance with Art. 17 GDPR, you may request the erasure of your data, in particular if:

— the data is no longer necessary,

— you have revoked your previously given consent,

— you have lodged an objection,

— the data has been processed unlawfully, or

— there is a legal obligation to erase the data.

If personal data has been made public and we are obliged to delete it in accordance with Art. 17 (1) GDPR, we will take appropriate measures within the scope of Art. 17 (2) GDPR to inform other controllers who process this data of your request for deletion. The right to erasure does not apply if processing is necessary in accordance with Art. 17 (3) GDPR, in particular due to legal obligations, for reasons of public interest or for the assertion, exercise or defense of legal claims.

e. Right to restriction of processing

You may request the restriction of the processing of your data in accordance with Art. 18 (1) GDPR if:

— you have contested the accuracy of the data,

— the processing is unlawful,

— we no longer need the personal data, or

— you have objected to the processing in accordance with Art. 21 (1) GDPR.

In the event of a restriction of processing, your personal data may – apart from its storage – only be processed in accordance with Art. 18 (2) GDPR with your consent or for the assertion, exercise or defense of legal claims or for reasons of important public interest.

f. Right to data portability

Pursuant to Art. 20 (1) and (2) GDPR, you have the right to receive your data in a structured, commonly used, and machine-readable format or, if technically feasible, to have it transferred to another controller, provided that the processing is based on your consent or on a contract.

This right only applies insofar as it does not conflict with the rights and freedoms of other persons or overriding public interests pursuant to Art. 20 (3) GDPR.

g. Right to object

Pursuant to Art. 21 GDPR, you may object at any time to the processing of your data on grounds relating to your particular situation, which is carried out on the basis of Art. 6 para. 1 letters e or f GDPR.

If we process your data (including profiling) for direct marketing purposes, you may object to the processing at any time.

If we process data for scientific or statistical purposes in accordance with Art. 89 (1) GDPR, you may object to this for reasons arising from your particular situation.

h. Automated decisions in individual cases

Pursuant to Art. 22 (1) GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Such a decision shall only be made in accordance with Art. 22 (2) GDPR if it is necessary for the conclusion or performance of a contract, is based on a legal basis, or is made with your express consent.

In these cases, we take appropriate measures to protect your rights, freedoms, and legitimate interests, in particular the right to human intervention, to express your own point of view, and to contest the decision, in accordance with Art. 22(3) GDPR.

Exclusively automated decision-making based on special categories of personal data within the meaning of Art. 9 (1) GDPR does not take place, unless it is exceptionally permissible under Art. 22 (4) GDPR.

i. Right to revoke consent under data protection law

Every person affected by the processing of personal data has the right, granted by the European legislator, to revoke consent to the processing of personal data at any time.

You can contact us at any time to exercise your rights. If you assert your rights to rectification, erasure, or restriction, we will inform the recipients of your personal data of this, insofar as this is necessary in accordance with Art. 19 GDPR.

10. Data Protection Provision about the Application and Use of Google

Our website uses the advertising analysis service Google Analytics 4. Google Analytics 4 enables us to analyze how visitors use our website and to optimize our offering. Google Analytics 4 is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit our website, your usage behavior, the pages you visit, your clicks, your length of stay, your approximate location, technical information (e.g., browser, device), and a pseudonymized user ID are recorded. According to Google, the IP address is truncated by default in EU member states or other EEA contracting states and only then transferred to servers in the USA or other third countries for further processing (IP anonymization). The data collected by Google Analytics is generally stored for up to 14 months. Storage beyond this period only takes place if and as long as there are legal retention obligations.

The use of Google Analytics is based on your express consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG. If you do not wish to have such information transmitted to Google, you can revoke your previously given consent at any time via our cookie banner.

We use Google Tag Manager, a service provided by Google Ireland Limited, on the basis of our legitimate interest in the efficient administration and control of our website in accordance with Art. 6 (1) lit. f GDPR. The tool is used in particular to check the success of Google Ads campaigns. Tag Manager itself does not collect any personal data. It is used solely to manage and trigger tags, which may collect further data.

When using this tool, it cannot be ruled out that data may be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If such a transfer takes place, it is based on an adequacy decision pursuant to Art. 45 or appropriate safeguards pursuant to Art. 46 GDPR. Where necessary, processing is carried out on the basis of contractual agreements for order processing in accordance with Art. 28 GDPR.

Further information and Google’s applicable data protection provisions can be found at https://www.google.de/intl/de/policies/privacy/, http://www.google.com/analytics/terms/de.html, at https://www.google.com/intl/de_de/analytics/, and at http://www.google.com/analytics/terms/de.html https://support.google.com/analytics/answer/6004245?hl=de.

11. Data Protection Provisions about the Application and Use of Instagram

We have integrated components of the Instagram service into our website. Instagram is a service that qualifies as an audiovisual platform and enables users to share photos and videos and also to redistribute such data on other social networks.

The operating company of Instagram’s services is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. When you visit a page on our website that has an Instagram component (Insta button) integrated into it, your browser is automatically prompted to load the corresponding display directly from Instagram. This is done on the basis of your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TTDSG. As part of this technical process, Instagram receives information about which specific page of our website you have visited.

If you are logged into Instagram at the same time, Instagram recognizes which specific page you are visiting each time you visit our website and for the entire duration of your visit to our website, whereby the processing of the data by Instagram is carried out under its own data protection responsibility. This information is collected by the Instagram component and assigned to your respective Instagram account by Instagram. If you click on one of the Instagram buttons integrated on our website, the data and information transmitted will be assigned to your personal Instagram user account and stored and processed by Instagram.

In this context, joint responsibility within the meaning of Art. 26 GDPR may exist between us and Instagram.

Instagram always receives information via the Instagram component that you have visited our website if you are logged into Instagram at the same time as you visit our website; this takes place regardless of whether you click on the Instagram component or not. The transfer of personal data to servers in third countries cannot be ruled out. If this occurs, it is based on an adequacy decision pursuant to Art. 45 or appropriate safeguards pursuant to Art. 46 GDPR.

If you do not want such information to be transferred to Instagram, you can prevent the transfer by logging out of your Instagram account before visiting our website; alternatively, you can revoke your previously given consent via the cookie banner.

Further information and Instagram’s applicable privacy policy can be found at https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/. Instagram is solely responsible for the content and data processing on the linked pages.

12. Data Protection Provisions about the Application and use of LinkedIn

We have integrated components from LinkedIn Corporation into our website. LinkedIn is an Internet-based social network that enables users to connect with existing business contacts and establish new business contacts. Over 400 million registered users use LinkedIn in more than 200 countries. This makes LinkedIn currently the largest platform for business contacts and one of the most visited websites in the world.

LinkedIn is operated by LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland. For users outside the EU, LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA, is responsible.

Each time you visit our website, which is equipped with a LinkedIn component (LinkedIn plug-in), your browser downloads a corresponding representation of the LinkedIn component. This is done on the basis of your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TTDSG. As a result, LinkedIn receives information about which specific page of our website you have visited.

If you are logged in to LinkedIn at the same time, LinkedIn recognizes which specific page of our website you are visiting each time you visit our website and for the entire duration of your visit to our website. This information is collected by the LinkedIn component and assigned to your LinkedIn account by LinkedIn. If you click on a LinkedIn button integrated into our website, LinkedIn assigns this information to your personal LinkedIn user account and stores your personal data. In this context, joint responsibility may exist between us and LinkedIn in accordance with Art. 26 GDPR.

LinkedIn always receives information via the LinkedIn component that you have visited our website if you are logged into LinkedIn at the same time as you visit our website; this occurs regardless of whether you click on the LinkedIn component or not.

In this context, the transfer of personal data to servers in third countries cannot be ruled out. If this occurs, it is based on an adequacy decision pursuant to Art. 45 or appropriate safeguards pursuant to Art. 46 GDPR.

If you do not want such information to be transferred to LinkedIn, you can log out of your LinkedIn account before visiting our website or, alternatively, revoke your previously given consent at any time via our cookie banner.

LinkedIn offers you the option to unsubscribe from email messages, SMS messages, and targeted ads, as well as to manage ad settings, at https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, Doubleclick, Nielsen, Comscore, Eloqua, and Lotame, which may set cookies. You can opt out of such cookies at https://www.linkedin.com/legal/cookie-policy. You can view LinkedIn’s current privacy policy at

https://www.linkedin.com/legal/privacy-policy, LinkedIn’s cookie policy at https://www.linkedin.com/legal/cookie-policy, and information about LinkedIn plugins at https://developer.linkedin.com/plugins.

13. Data protection provisions about the application and use of YouTube

We have integrated YouTube components into our website. YouTube is an Internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate, and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programs, as well as music videos, trailers, and videos created by users themselves, are available via the internet portal. YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

Each time you visit one of the pages of our website on which a YouTube component (YouTube video) has been integrated, your browser automatically downloads a representation of the corresponding YouTube component from YouTube.

This is done on the basis of your prior consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG. YouTube and Google are informed about which specific page of our website you have visited. YouTube is responsible for the content of the externally linked page. We have no influence on the content and data processing on this page.

If you are logged into YouTube at the same time, YouTube recognizes which specific page of our website you are visiting when you call up a page that contains a YouTube video. This information is collected by YouTube and Google and assigned to your respective YouTube account. In this context, there may be joint responsibility between us and YouTube in accordance with Art. 26 GDPR.

YouTube and Google always receive information via the YouTube component that you have visited our website if you are logged into YouTube at the same time as visiting our website; this occurs regardless of whether you click on a YouTube video or not.

In this context, the transfer of personal data to servers in third countries cannot be ruled out. If this occurs, it is based on an adequacy decision pursuant to Art. 45 or appropriate safeguards pursuant to Art. 46 GDPR.

If you do not want such information to be transferred to YouTube and Google, you can log out of your YouTube account before visiting our website or, alternatively, revoke your previously given consent at any time via our cookie banner. Google’s applicable data protection provisions, which also apply to the YouTube service, are available at https://www.google.de/intl/de/policies/privacy/.

14. Data protection provisions about the application and use of Spotify

We have integrated components of the Spotify service into our website. Spotify is a music streaming service that allows users to access audio files and music via the Internet. Spotify allows users to play music tracks as well as podcasts and other audio content provided by providers and users. Spotify is operated by Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden.

When you visit a page on our website that contains a Spotify component, such as an embedded player or a Spotify button, your browser automatically downloads the corresponding display directly from the Spotify servers. This is done on the basis of your prior consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG. In doing so, Spotify receives information about which specific page of our website you have visited.

If you are logged in to Spotify at the same time, Spotify can assign your visit to our website to your Spotify user account. This applies regardless of whether you click on the Spotify component or not. We have no influence on the scope and further use of your data by Spotify.

In this context, the transfer of personal data to servers in third countries cannot be ruled out. If this occurs, it is based on an adequacy decision in accordance with Art. 45 or appropriate safeguards in accordance with Art. 46 GDPR.

If you do not wish to be linked to your Spotify user account, you can log out of your Spotify account before visiting our website or, alternatively, revoke your previously given consent at any time via our cookie banner. You can view Spotify’s privacy policy at

https://www.spotify.com/de/legal/privacy-policy/.

15. Privacy policy for the use of the IBA OfficePlaner

We have integrated an interface to the online planning tool IBA OfficePlaner on our website. The online planning tool (‘room planner’) allows you to plan rooms digitally and place furniture virtually. Interactive functions are provided for this purpose, with which room dimensions can be entered, floor plans created and furnishings visualised. The tool is designed for convenient and customised planning of room concepts directly in your browser. The planning tool is operated by EasternGraphics GmbH, Albert-Einstein-Straße 1, 98693 Ilmenau, Germany.

When you open the page https://iba.online/planer/, data from https://www.easterngraphics.com/de/pcon-roomplanner.html, a website of EasternGraphics GmbH, is loaded into your browser window. For this purpose, your IP address is forwarded to EasternGraphics GmbH, which processes the data. This is done on the basis of your prior consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG.

In this context, joint responsibility within the meaning of Art. 26 GDPR may exist between us and EasternGraphics GmbH.

You can view the data protection provisions of EasternGraphics GmbH at https://pcon-planner.com/de/impressum/#terms.

16. Ordering IBA publications

Users of this website have two options for ordering IBA publications:

• Free of charge. In return, you provide us with your contact details. These will be used to inform you about new publications, events involving the IBA Forum and similar activities.

The data will not be marketed in the form of disclosure to third parties for their advertising purposes. You can revoke the permission granted with the order to use your data to the extent described at any time, free of charge and without formal requirements, with effect for the future, in accordance with Art. 7 (3) GDPR.

• Subject to a fee. In this case, your data will be stored on the basis of Art. 6 (1) lit. b GDPR solely for the purpose of sending the ordered documents and calculating the fees incurred, including all subsequent processes within the framework of proper accounting, insofar as statutory retention obligations exist in accordance with Art. 6 (1) (c) GDPR in conjunction with commercial and tax law regulations.

17. Legal Basis for the Processing

Insofar as the processing of personal data in the above sections is based on your consent in accordance with Art. 6(1)(a) GDPR, this does not constitute the exclusive legal basis for all processing operations. Depending on the individual case, processing may also be based on Art. 6(1)(b–f) GDPR.

If the processing of personal data is necessary for the performance of a contract to which you are a party, the processing is based on Article 6(1)(b) GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures.

If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Article 6(1)(c) of the GDPR.

In rare cases, the processing of personal data may be necessary to protect your vital interests or those of another natural person. In these cases, the processing is based on Art. 6 para. 1 lit. d GDPR. Finally, processing operations may be based on Art. 6 (1) lit. f GDPR if the processing is necessary to safeguard a legitimate interest of our company or a third party and there are no overriding interests, fundamental rights and freedoms on your part. A legitimate interest may exist in particular if you are our customer, Recital 47 GDPR.

18. Legitimate interests in processing

If the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest lies in the proper execution of our business activities, ensuring IT security and optimising our online offering.

19. Storage period

The duration of the storage of personal data depends on the respective processing purpose and the applicable statutory retention periods. Personal data will be deleted as soon as it is no longer required to fulfil the purpose of the contract. Longer storage will only take place if and as long as statutory retention periods exist or the data is still required to fulfil or initiate the contract.

20. Provision obligations

We would like to inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also arise from contractual provisions (e.g. information about the contractual partner). In certain cases, it may be necessary for you to provide us with personal data in order to conclude a contract, which we will then process. If you do not provide us with the personal data required to conclude the contract, a contract cannot be concluded. In individual cases, we will inform you separately whether the provision of personal data is required by law or contract or is necessary for the conclusion of the contract and what the consequences of not providing it may be, Art. 13 (2) (e) GDPR.