Privacy Policy
Last Updated: March 18, 2024
Table of Contents
- Person in charge
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- International Data Transfers
- Rights of Data Subjects
- Provision of the Online Offer and Web Hosting
- Use of Cookies
- Contact and Request Management
Person in charge
Enrico Carlo Rossini
XPS Logistic Solutions GmbH
Dreieichweg 10
65428 Rüsselsheim
Impressum: www.xps-ls.com/impressum
Phone: 01556 6032988
Overview of Processing
The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected persons.
Types of Processed Data
- Contact data.
- Content data.
- Usage data.
- Meta, communication, and procedural data.
Categories of Affected Persons
- Communication partners.
- Users.
Purposes of Processing
- Contact inquiries and communication.
- Security measures.
- Management and response to inquiries.
- Feedback.
- Provision of our online offer and user-friendliness.
- Information technology infrastructure.
Relevant Legal Bases
Relevant Legal Bases under the GDPR: The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations in your or our country of residence may apply alongside the provisions of the GDPR. If specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject's request before entering into a contract.
- Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data.
National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer and automated decision-making in individual cases, including profiling. Additionally, data protection laws of the individual federal states may apply.
Note on the Applicability of the GDPR and Swiss DPA: This privacy notice serves both to provide information under the Swiss Federal Data Protection Act (Swiss DPA) and the General Data Protection Regulation (GDPR). Therefore, please note that due to broader territorial applicability and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DPA "processing" of "personal data," "overriding interest," and "sensitive personal data," the GDPR terms "processing" of "personal data" and "legitimate interest" and "special categories of data" are used. However, the legal meaning of the terms is still determined according to the Swiss DPA within the framework of the applicability of the Swiss DPA.
Security Measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, considering the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying degrees of likelihood and severity of risks to the rights and freedoms of natural persons.
The measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data breaches. We also consider the protection of personal data already in the development or selection of hardware, software, and procedures according to the principle of data protection through technology design and through privacy-friendly default settings.
TLS/SSL Encryption (https): To protect the data of users transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is displayed in the URL when a website is secured by an SSL/TLS certificate.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing occurs as part of the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers occur only if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). We will inform you of the bases for third-country transfers in the context of the individual providers from the third country, whereby adequacy decisions take precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission's information offering: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
EU-US Trans-Atlantic Data Privacy Framework: Under the "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain companies from the USA as secure under the adequacy decision of 10.07.2023. The list of certified companies and more information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you within the privacy notices which service providers we use are certified under the Data Privacy Framework.
Rights of Data Subjects
Rights of Data Subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular as set out in Art. 15 to 21 GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw consent at any time.
- Right of Access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access this data as well as further information and a copy of the data in accordance with legal requirements.
- Right to Rectification: You have the right to request the completion or correction of your data in accordance with legal requirements.
- Right to Erasure and Restriction of Processing: You have the right to request the immediate deletion of your data in accordance with legal requirements, or alternatively to request the restriction of the processing of your data in accordance with legal requirements.
- Right to Data Portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request the transfer of this data to another controller, in accordance with legal requirements.
- Complaint to Supervisory Authority: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Provision of the Online Offer and Web Hosting
We process the data of users to be able to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or device.
- Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status). Content data (e.g., inputs in online forms).
- Affected Persons: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
- Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further Notes on Processing Procedures, Processes, and Services:
- Provision of Online Offer on Rented Storage Space: We use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called "web hoster") for the provision of our online offer; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called "server log files." Server log files can include the address and name of the accessed websites and files, the date and time of the access, transferred data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server stability; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidence purposes is exempt from deletion until the respective incident is finally resolved.
- Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storing of emails. For these purposes, the addresses of the recipients and senders, as well as further information regarding the email dispatch (e.g., the involved providers) and the contents of the respective emails, are processed. The aforementioned data can also be processed for spam detection purposes. Please note that emails on the internet are generally not sent encrypted. As a rule, emails are encrypted during transport, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot take responsibility for the transmission path of the emails between the sender and the reception on our server; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- STRATO: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service Provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.strato.de; Privacy Policy: https://www.strato.de/datenschutz/. Data Processing Agreement: Provided by the service provider.
- WordPress.com: Hosting and software for creating, providing, and operating websites, blogs, and other online offers; Service Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://wordpress.com; Privacy Policy: https://automattic.com/de/privacy/; Data Processing Agreement: https://wordpress.com/support/data-processing-agreements/. Basis for Third-Country Transfers: Data Privacy Framework (DPF).
Use of Cookies
Cookies are small text files or other memory notes that store information on end devices and read information from the end devices. They are used, for example, to save the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the functions used in an online offer. Cookies can also be used for various purposes, such as for the functionality, security, and comfort of online offers, as well as for creating analyses of visitor flows.
Notes on Consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, except when this is not required by law. Consent is not necessary, in particular, if the storage and reading of information, including cookies, is absolutely necessary to provide the telemedia service expressly requested by the users (i.e., our online offer). The absolutely necessary cookies usually include cookies with functions that serve the display and functionality of the online offer, load balancing, security, the storage of user preferences and choices, or similar purposes related to the provision of the main and secondary functions of the online offer requested by the users. The revocable consent is clearly communicated to the users and includes information on the respective cookie usage.
Notes on Data Protection Legal Bases: The data protection legal basis on which we process the personal data of users using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies is based on our legitimate interests (e.g., in the business operation of our online offer and improvement of its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We clarify the purposes for which the cookies are processed within this privacy policy or in the context of our consent and processing processes.
Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, the data collected with the help of cookies can be used for reach measurement. Unless we provide explicit information on the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.
General Notes on Withdrawal and Objection (so-called "Opt-Out"): Users can withdraw the consents they have given at any time and object to processing in accordance with the legal requirements. Users can, among other things, restrict the use of cookies in their browser settings (which may limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
- Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further Notes on Processing Procedures, Processes, and Services:
- Processing of Cookie Data Based on Consent: We use a consent management solution where the consent of users to the use of cookies or the procedures and providers mentioned within the consent management solution is obtained. This procedure serves the obtaining, logging, managing, and withdrawing of consents, particularly related to the use of cookies and similar technologies that are used for storing, reading, and processing information on the users' end devices. Within this procedure, the consents of the users for the use of cookies and the related processing of information, including the specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the opportunity to manage and withdraw their consents. The consent declarations are stored to avoid re-queries and to provide proof of consent in accordance with legal requirements. The storage is server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign the consent to a specific user or their device. Unless specific information on the providers of consent management services is provided, the following general information applies: The storage duration of consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information on the scope of consent (e.g., concerning categories of cookies and/or service providers), as well as information on the browser, system, and end device used; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Contact and Request Management
When contacting us (e.g., by post, contact form, email, phone, or via social media) and within the scope of existing user and business relationships, the information of the requesting persons is processed to the extent necessary to respond to the contact requests and any requested measures.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Persons: Communication partners.
- Purposes of Processing: Contact inquiries and communication; management and response to inquiries; feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
- Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further Notes on Processing Procedures, Processes, and Services:
- Contact Form: If users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the communicated request; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Created with the free privacy policy generator from Dr. Thomas Schwenke