• Follow us
Basic Page Teaser Fallback Image

Data privacy

Privacy Policy pursuant to Art. 12 et seq. EU GDPR

Table of Contents

  1. Name and Contact Information of the Data Controller
  2. Contact Details of the Data Protection Officer
  3. General Information on Data Processing
  4. Data Processing on Our Website
  5. Other Data Processing Activities Outside Our Website
  6. Categories of Recipients
  7. Data Transfers to Third Countries
  8. Your Rights as a Data Subject
  9. Right to Lodge a Complaint with the Supervisory Authority

1. Name and Contact Information of the Data Controller

The controller as defined in the General Data Protection Regulation (GDPR) and other national data protection laws is:

GOPA Gesellschaft für Organisation, Planung und Ausbildung mbH
Hindenburgring 18
61348 Bad Homburg
Germany
Tel.: +49 6172 930 0
Email: info [at] gopa.de (info[at]gopa[dot]de)
(hereinafter referred to as “we,” “us” or “our”).

2. Contact Details of the Data Protection Officer

The protection of your personal data is important to us. We have commissioned a consulting firm specializing in data protection and security to handle these matters. Our data protection officer is a member of this highly experienced group of experts:

MAGELLAN Säugling Rechtsanwaltsgesellschaft mbH
Raiffeisenallee 9
82041 Oberhaching
www.magellan-legal.de
Email: privacy_gopa_group [at] magellan-legal.de (privacy_gopa_group[at]magellan-legal[dot]de)
Tel.: +49 6172 930 0

For any data protection and data security related questions, please contact our data protection officer directly.

3. General Information on Data Processing

3.1 Scope of Processing

We generally process your personal data only to the extent necessary for the functional provision of our website, our content, and our services.

3.2 Legal Bases for Processing

If we have obtained your consent to the processing of your personal data, the legal basis for such processing is Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
If we process your personal data with the aim of meeting contractual mandates or in conjunction with the negotiation of a contractual relationship, the legal basis for the processing of such data is Art. 6 Sect. 1 S. 1 lit. b) EU GDPR.
If the processing of personal data is necessary in order for us to meet any legal obligations, the legal basis for the processing of such data is Art. 6 Sect. 1 S. 1 lit. c) EU GDPR.
If we process your personal data to protect our or any third party’s legitimate interests, provided your interests or fundamental rights and freedoms do not outweigh the preceding interests, the legal basis for the processing of such data is Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.

3.3 Retention Period

Your personal data will be deleted as soon as the purpose for its retention no longer applies or, if you have a right to revoke your consent, with declaration of your revocation. It is possible that your data will be stored longer if this has been defined in the respective European or domestic legislation, in Union-law provisions, acts or any other provisions we are subject to. In these cases, your personal data shall, however, be blocked.

3.4 External Links

If we provide links to external websites, this Privacy Policy shall not apply to the processing of your personal data by the data controller of the linked website. Hence, we recommend that you review the data privacy policies on external websites you visit. If such a linkage should require a legal basis for the resulting processing of your personal data, it shall be your consent pursuant to Art. 6 Sect. 1 S. 1 lit. a) EU GDPR, which you shall grant by clicking on the respective link.
As a rule, the clicking on any such links (hyperlinks) will result in the processing of your following personal data:

  • IP address
  • Screen resolution
  • Deployed browser
  • Bandwidth
  • Language settings

4. Data Processing on Our Website

In the context of providing our website, we process your personal data to ensure the error free presentation of our website on your PC or mobile device. Because of that, we have to store some of your personal data for the duration of your session.

Furthermore, we store your personal data temporarily in logfiles, to guarantee that our website will work properly and the operation of our IT systems is secure. Any other processing of your personal data in logfiles will not occur.

4.1 Provision of the Website and Log Files

Data processed: IP address, access date, access time, previously visited website (if applicable), used browser, used operating system.
Purpose: The purpose of this data processing is to provide the website, ensure its functionality and secure the IT systems used for this purpose.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Retention period: Log files for 7 days; session data only for the duration of the session.
Objection: The processing and storage of your personal data in logfiles is absolutely mandatory for the provision of the website, to guarantee its functionality and to guarantee the security of the utilized IT systems. Consequently, you do not have an option to object.

4.2 Technically Necessary Cookies

Data processed: IP address, language settings of your browser, the browser you use, shopping cart information.
Purpose: The purpose of this data processing is the provision of the website functions and services.
Legal basis: Legitimate interest, § 25 Sect. 2 TDDDG in combination with Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Retention period: For the duration of the respective session, unless otherwise specified.
Objection: You have the option to deactivate or restrict the transmission of cookies by changing your browser settings. Cookies that have already been stored can be deleted by you at any time. This may also be done automatically. If cookies for our website are deactivated, you may no longer be able to fully use the functions of our website.

4.3 Non-Technically Necessary Cookies

If cookies that are not technically necessary should be used in conjunction with the use of our functions and services on our website, you will find a list of these cookies, their purpose, retention period and other information in our cookie banner.

4.4 YouTube Videos

Data processed: IP address, browser, screen resolution.
Legal basis: Consent, Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
Purpose: Integrating video content in an attractive, uniform and device independent manner.
Retention period: Only until you complete your visit to our website (expanded data protection mode). We do not have any control over the deletion of your personal data from YouTube.
Objection: You have the option to revoke your consent at any time. You can exercise this revocation option in particular by closing the application and/or by reloading the website.

4.5 Job Application Process

Data processed: Title, first name, last name, email address, phone number, available from, expected salary, work permit for the EU, visa required, referral, and other application data including voluntary information (e.g. photo, marital status, religious affiliation, disabilities, ethnic origin if apparent, etc.).
Legal basis: Consent, Art. 6 Sect. 1 S. 1 lit. a) EU GDPR, Art. 88 Sect. 1 EU GDPR in combination with § 26 Sect. 2 German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). Establishment of an employment relationship, Art. 6 Sect. 1 S. 1 lit. b) EU GDPR. When processing special categories of personal data: Consent, Art. 6 Sect. 1 S. 1 lit. a) EU GDPR Art. 9 Sect. 2 lit. a) EU GDPR.
Purpose: Conducting the application process with the goal to establish an employment relationship, fulfilling contractual, legal, collective agreement, and social security obligations.
Retention period: Application documents/data will be stored for up to 6 months after the decision not to fill the position with the applicant, for the purpose of providing evidence in cases of discrimination, in accordance with §§ 21 Sec. 5, 22 German General Equal Treatment Act (AGG). Other application documents: will be stored upon dissolution or termination of the employment relationship.
Objection: If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. In this case we can no longer consider your application. However, the processing of your personal data is mandatory for the establishment of an employment relationship. Hence you cannot object to such processing of your personal data.

4.6 Expert Database

Data processed: Application documents, CV, qualifications, skills, and other submitted information.
Legal basis: Consent, Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
Purpose: Specifically approach suitable experts for employment in projects.
Retention period: Until withdrawal or purpose no longer applies. Data may be stored longer if required by law.
Objection: The processing of your personal data is based on your consent, and you have the right to withdraw your consent at any time. In this case we can no longer consider your expert profile in future projects.

4.7 Contact Form / Email

Data processed: First name, last name, email address, content of the message.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Processing your inquiry.
Retention period: Stored until the respective purpose no longer exists.
Objection: You may object to the processing of your personal data in conjunction with the initiation of contacts at any time, which will affect any future transactions. In this case, we will not be able to continue to process your inquiry. All personal data that has been stored over the course of the initiation of contact will be deleted, unless statutory retention periods are in conflict with the deletion of your data.

4.7.1 Data Processing in Connection with the Whistleblower System

We offer a whistleblower system via our provider Personio which allows individuals to report potential violations of laws or internal policies anonymously. 

The anonymity of the whistleblower is technically ensured; even our IT department cannot identify the whistleblower unless the whistleblower voluntarily provides information (e.g., by signing the report or requesting contact).

Please note: If you upload documents (such as Word or Excel files), you are responsible for ensuring that no metadata (such as document authorship) is included that could identify you.

Legal basis: Legal obligation (Art. 6 Sect. 1 lit. c GDPR in conjunction with the German Whistleblower Protection Act)

Categories of data: Information about the whistleblower (if provided voluntarily), accused persons, witnesses, content and circumstances of the report

Purpose: Receiving, processing, and following up on reports; detecting and preventing legal violations

Confidentiality: Strictly confidential, access only for authorized persons

Retention period: After the conclusion of the procedure, unless statutory retention periods apply

Data subject rights: Access, rectification, erasure, restriction (see below)

International data transfers: Only with appropriate safeguards, e.g., standard contractual clauses

Note on anonymity: Anonymity is technically ensured, except where the whistleblower voluntarily discloses data or uploads files with metadata.

 

4.8 Web Analytics (Matomo)

Data processed: Two bytes of the IP address, accessed website, referrer, sub-pages, duration of visit, frequency of access.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Analysis of browsing patterns to optimize the website and its user-friendliness.
Retention period: 12 months.
Objection: You have the option to object to the processing of your personal data in conjunction with web analysis activities at any time. You may deactivate or restrict the storage of cookies at any time by changing your browser settings.

4.9 Social Wall (YouTube, LinkedIn)

Data processed: IP address, browser, screen resolution.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Integration of social media posts in an engaging, uniform manner, regardless of your end device.
Retention period: Until you leave our website. We have no influence over the deletion of your personal data by LinkedIn, Google, or Walls.io.
Objection: If you do not want your personal data to be collected in relation to the display of social media profiles, you can object to the future processing of your personal data in this context at any time.

5. Other Data Processing Activities Outside Our Website

5.1 LinkedIn Page

Data processed: Interactions, Page Insights, messages sent by users.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Analysis of our achievements with our LinkedIn Page, organizing the Page to match your interests, processing inquiries.
Retention period: See LinkedIn’s privacy policy.
Objection: You can object at any time to the processing of your personal data within the scope of the operation of our LinkedIn Page.

5.2 YouTube Channel

Data processed: Interactions, analytics, messages, comments.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Analysis of visit patterns, analysis of video success, processing inquiries.
Retention period: See Google’s privacy policy.
Objection: You can object at any time to the processing of your personal data within the scope of the operation of our YouTube channel.

5.3 Detailed Job Application Process

Data processed: Comprehensive application data, including voluntary information (see section 4.5 for full details).
Legal basis: Consent, contract, legal obligation, legitimate interest (Art. 6(1)(a), (b), (c), (f) GDPR; §26 BDSG).
Purpose: Application process, possible employment.
Retention period: 6 months after rejection, longer if employed.

5.4 Microsoft Teams Project Meetings

a) Transcription

Data processed: First name, last name, language, audio content, account image, chat record.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Project organization.
Retention period: 60 days.
Objection: The processing of your personal data in the context of transcription is absolutely necessary for our project organization. Consequently, you have no option to object.

b) Recording

Data processed: First name, last name, language, audio content, video content, shared content, account image, chat record.
Legal basis: Consent, Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
Purpose: Project organization.
Retention period: 60 days.
Objection: You have the option to revoke your consent to the recording at any time.

c) Project Minutes/Planning

Data processed: Data from transcription/recording.
Legal basis: Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
Purpose: Creation of project-related meeting minutes, project organization.
Retention period: Until project completion.
Objection: The processing of your personal data in the context of management of project plans and creation of meeting minutes is absolutely necessary for our project organization. Consequently, you have no option to object.

6. Categories of Recipients

Within our company, only those departments and positions that require your data for the above-mentioned purposes will receive access. In addition, data may be shared with the following recipients:

  • Works council
  • Data protection officer
  • Representative for severely disabled employees
  • Equal opportunities officer
  • Employment agency
  • Integration office (in case of severe disability)
  • Printing companies
  • Lettershops
  • Scanning services
  • Banking institutions
  • IT service providers
  • Cooperation partners
  • Lawyers, tax advisors, and courts
  • Authorities

7. Data Transfers to Third Countries

Data is transferred to service providers outside the EU/EEA only if adequate data protection guarantees exist (e.g., EU Standard Contractual Clauses or adequacy decisions). Details can be requested from us. We only work with service providers who ensure compliance with European data protection standards.

8. Your Rights as a Data Subject

You have the following rights:

  1. Right of access (Art. 15 GDPR): Information about whether and which personal data we process, and further details.
  2. Right to rectification (Art. 16 GDPR): Correction or completion of inaccurate or incomplete data.
  3. Right to restriction of processing (Art. 18 GDPR): Under certain circumstances (e.g., contesting accuracy, unlawful processing, etc.).
  4. Right to erasure (Art. 17 GDPR): Deletion of your data under specific conditions.
  5. Right to notify: We inform all recipients of your data about corrections, deletions, or restrictions.
  6. Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format.
  7. Right to object (Art. 21 GDPR): Object to processing on special grounds or for direct marketing.
  8. Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time.
  9. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

9. Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany
Tel.: +49 611 1408 0
Email: poststelle [at] datenschutz.hessen.de (poststelle[at]datenschutz[dot]hessen[dot]de)

Status: 2025

Stay informed about GOPA

Join Today
  • Our units