Privacy Policy

Privacy Policy

This Privacy Policy provides information about the nature, scope and purpose of the processing of personal data (hereinafter abbreviated to “data”) in connection with our online offering and the affiliated webpages, functions and content as well as external online services such as our social media profiles (hereinafter referred to as “online offering”). Regarding the terms used, e. g. “processing” or “controller”, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).


Stan Hema GmbH
Branding Agency
Hedemannstraße 14
10969 Berlin
Phone +49 30 232576 0
Fax +49 30 232576 11
Managing Director: Mathias Illgen

Type of processed data

  • Inventory data (e. g. names, addresses)
  • Contact information (e. g. email, phone numbers)
  • Content data (e. g. text entries, photos, videos)
  • Usage data (e. g. visited webpages, interest in content, access times)
  • Meta/communication data (e. g. device information, IP addresses)

Categories of data subjects

Visitors and users of our online offering (in the following, the data subjects will also be jointly referred to as “users”).

Purpose of the processing

  • Provision of the online offering, its functions and conte
  • Replies to contact requests and communication with users
  • Security measures
  • Coverage measurement/marketing

Terms used

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e. g. cookie) or to one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is comprehensive and covers practically every handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic circumstances, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body who/which processes personal data on behalf of the controller.

Applicable legal bases

In accordance with Art. 13 GDPR, we hereby inform you about the legal bases of our data processing activities. If the legal basis is not mentioned in the Privacy Policy, the following applies: The legal basis for obtaining consent is Art. 6 (1) Point a and Art. 7 GDPR; the legal basis for the processing of data to provide our services and implement contractual measures as well as replying to requests is Art. 6 (1) Point b GDPR; the legal basis for the processing of data to comply with our legal obligations is Art. 6 (1) Point c GDPR; and the legal basis for the processing of data to protect our legitimate interests is Art. 6 (1) Point f GDPR. If processing is necessary to protect the vital interests of the data subject or another natural person, Art. 6 (1) Point d GDPR serves as the legal basis.

Security measures

In accordance with Art. 32 GDPR and taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the varying probabilities and severity of the risks for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The measures include, in particular, ensuring the ongoing confidentiality, integrity and availability of the data by controlling physical and digital access to the data and their use, input, disclosure, availability and separation. In addition, we have put procedures in place that ensure compliance with the rights of data subjects, the erasure of data and a reaction to hazards to data security. Furthermore, we take the protection of personal data into account as early as in the development and/or selection of hardware, software and procedures in accordance with the principle of data protection by design and by default (Art. 25 GDPR).

Cooperation with processors and third parties

If we disclose or transfer or make available data to other persons and companies (processors or third parties) during processing, this will only occur based on statutory admissibility (e. g. if a transfer of data to third parties such as payment service providers is required for the performance of a contract according to Art. 6 (1) Point b GDPR), your consent, a legal obligation that requires this or based on our legitimate interests (e. g. if an agent, webhosting provider, etc. is used).

If we commission third parties with the processing of data in the context of a so-called “data processing agreement”, this will occur based on Art. 28 GDPR.

Transfer to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if data are processed by using third-party services or based on the disclosure and/or transfer of data to third parties, this only occurs to fulfil our (pre)-contractual commitments, based on your consent, due to a legal obligation or based on our legitimate interests. Subject to any legal or contractual authorisations, we only process data or have data processed in a third country if the special preconditions of Art. 44 et seq. GDPR apply. This means that the processing is based, e. g., on special guarantees such as the officially recognised assessment that the level of data protection corresponds to that of the EU (e. g. “Privacy Shield” in the US) or on compliance with officially recognised special contractual commitments (referred to as “standard contractual clauses”).

Rights of the data subjects

You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and access to these data as well as further information and a copy of the data in accordance with Art. 15 GDPR.

According to Art. 16 GDPR, you have the right to request the completion or the rectification of inaccurate personal data concerning you.

According to Art. 17 GDPR, you have the right to demand the erasure of personal data without undue delay. Alternatively, you have the right to demand restriction of processing of the data according to Art. 18 GDPR.

According to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, and to have them transmitted to other controllers.

Furthermore, you have the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 GDPR.

Right of withdrawal

You have the right to withdraw your consent with effect for the future in accordance with Art. 7 (3) GDPR.

Right of withdrawal

You have the right to object to the future processing of the personal data concerning you at any time according to Art. 21 GDPR. The right to object refers in particular to processing for direct marketing purposes.

Cookies and the right to object to direct marketing

“Cookies” are small files which are stored on the user’s computer. Different data can be stored in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her visit to a website. Temporary cookies or “session cookies” or “transient cookies” are cookies that are deleted after a user leaves a website and closes their browser. In such a cookie, for example, the content of a shopping cart in an online shop or a login status can be stored. Cookies are referred to as “permanent” or “persistent” if they remain stored even after the browser is closed. For example, the login status can be stored when users visit the site after several days. Likewise, the interests of users can be stored in such a cookie and used for coverage measurement or marketing purposes. Third-party cookies are cookies that are offered by providers other than the controller operating the website (otherwise, if they are only their own cookies, they are referred to as “first-party cookies”).

We may use temporary and permanent cookies and will provide information about this within the framework of our Privacy Policy.

If users do not wish to have cookies stored on their computer, they are asked to disable the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The disabling of cookies may lead to restrictions regarding the functionality of the online offering.

A general objection to the use of cookies for online marketing purposes is possible with a number of services, in particular regarding tracking, via the American or the EU website Furthermore, the saving of cookies can be prevented by disabling cookies in the browser settings. Please note that in this case, it may no longer be possible to use all functions of this online offering.

Erasure of data

The data which are processed by us are erased or their processing will be restricted in compliance with Art. 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data we have saved will be erased as soon as they are no longer required for their purpose and the erasure does not conflict with any legal obligation to preserve records. If the data are not erased, since they are required for other purposes which are permitted by law, their processing will be restricted. This means that the data are blocked and not processed for any other purposes. This applies, e. g., to data which must be retained due to commercial law or tax law.

According to legal requirements in Germany, data are retained, in particular, for 10 years in accordance with Section 147 para. 1 AO [German tax code], Section 257 para. 1 no. 1 and 4, para. 4 HGB [German Commercial Code] (books, records, management reports, accounting documents, trading books, documents relevant for taxation etc.) and 6 years in accordance with Section 257 para. 1 no. 2 and 3, para. 4 HGB (commercial letters).

According to the legal requirements in Austria, data are retained, in particular, for 7 years in accordance with Section 132 para. 1 BAO [Austrian federal fiscal code] (accounting documents, receipts/bills, accounts, receipts, business documents, list of income and expenditure, etc.), for 22 years in connection with real property and for 10 years in connection with electronically provided services, telecommunication, broadcasting and television services which are provided to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) can be used.

Agency services

We process our customers’ data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.

In this context, we process inventory data (e. g. customer master data, such as names or addresses), contact data (e. g. email, phone numbers), content data (e. g. text entries, photos, videos), contract data (e. g., subject matter of the contract, term), payment data (e. g. bank details, payment history), usage data and metadata (e. g. as part of the evaluation and performance measurement of marketing measures). As a rule, we do not process special categories of personal data, unless these are part of commissioned processing. The data subjects include our customers, prospective customers and their customers, users, website visitors or employees, as well as third parties. The purpose of the processing is to provide contractual services, billing and our customer service. The legal basis for processing results from Art. 6 (1) Point b GDPR (contractual services), Art. 6 (1) Point f GDPR (analysis, statistics, optimisation, security measures). We process data which are necessary to justify and fulfil the contractual services and we point out the necessity of their disclosure. Disclosure to external parties only takes place if it is necessary within the framework of an order. When processing the data provided to us within the scope of an order, we act in accordance with the instructions of the client and the legal requirements for commissioned processing pursuant to Art. 28 GDPR and process the data for no other purposes than those stipulated in the order.

We will erase the data after the expiration of statutory warranty obligations and similar obligations; the necessity of data retention shall be verified every three years. If statutory archiving obligations apply, the data are erased after these obligations expire (6 years pursuant to Section 257, para. 1 HGB) and 10 years pursuant to Section 147, para. 1 AO). In the case of data disclosed to us within the scope of an order by the client, we erase the data in accordance with the specifications of the order, generally after the end of the order.

Administration, financial accounting, office organisation, contact management

We process data within the framework of administrative tasks as well as the organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. We process the same data that we process in the course of providing our contractual services. The processing is based on Art. 6 (1) Point c. GDPR, Art. 6 (1) Point f. GDPR. The processing concerns customers, prospective customers, business partners and website visitors The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, and archiving of data, i.e. tasks which serve to maintain our business activities, the performance of our tasks and the provision of our services. The erasure of the data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

We disclose or transmit data to the tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, event organisers and other business partners based on our business interests, e. g. for the purpose of making contact at a later date. We store this data, which is mainly company-related, permanently.

Managerial analyses and market research

In order to be able to operate our business economically and to recognise market tendencies, the wishes of the contracting parties and users, we analyse the data available to us regarding business processes, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata based on Art. 6 (1) Point f. GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offering.

The analyses are carried out for the purpose of economic evaluations, marketing and market research. In doing so, we can consider the profiles of registered users with information, e. g. on the services they have used. We use the analyses to increase the user-friendliness, to optimise our services and to ensure the economic efficiency. The analyses serve only for our own purposes and are not disclosed externally, unless they are anonymous analyses with aggregated values.

If these analyses or profiles are personal, they will be deleted or made anonymous upon termination by the users, otherwise after two years from the conclusion of the contract. Otherwise, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.

Data protection information in the application process

We will process the applicant data only for the purpose and in the context of the application procedure in accordance with the legal requirements. The processing of the applicant data takes place in order to fulfil our (pre-)contractual obligations in the context of the application procedure within the meaning of Art. 6 (1) Point b. and GDPR Art. 6 (1) Point f. GDPR if data processing becomes necessary for us, e. g. within the framework of legal procedures (in Germany, Section 26 Federal Data Protection Act (BDSG) additionally applies).

The application procedure requires that applicants provide us with their data. The necessary applicant data result from the job descriptions (which are common for our agency type). In principle, this includes personal data, postal and telecommunication contact addresses as well as the documents appertaining to the application, such as cover letter, curriculum vitae, portfolio and certificates. In addition, applicants may voluntarily provide us with additional information.

By submitting the application to us, applicants agree to the processing of their data for the purposes of the application procedure in accordance with the type and scope set out in this data protection declaration.

Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are voluntarily communicated within the scope of the application procedure, they are additionally processed in accordance with Art. 9 (2) Point b GDPR (e. g. health data, such as severely disabled status or ethnic background). Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are requested from applicants within the scope of the application procedure, these data are additionally processed in accordance with Art. 9 (2) Point a GDPR (e. g. health data, if these are required for exercising the profession).

Applicants will send us their applications by email. Please note, however, that emails are generally not sent in encrypted form and that the applicants themselves must ensure that they are encrypted. Therefore, we cannot accept any responsibility for the transmission of the application between the sender and reception on our server and recommend sending it by post.

If the application is successful, the data provided by the applicants can be further processed by us for the purpose of employment. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time.

The erasure will take place after a period of six months, subject to a justified revocation by the applicant, so that we can answer any follow-up questions to the application and meet our obligations under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

Pool “applicants” and “external resources”

As part of the application process, we offer applicants the opportunity to be included in our pool of “applicants” and “external resources” for a period of ten years on the basis of consent within the meaning of Art. 6 (1) Point b. and Art. 7 GDPR.

The application documents in the pool will only be processed within the framework of future job offers and the search for employees and will be destroyed at the latest upon expiry of the deadline. Applicants are informed that their consent to inclusion in the pool is voluntary, has no influence on the current application procedure and they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 GDPR.

Hosting and email dispatch

The hosting services used by us serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services which we use for the purpose of operating this online offering.

Hereby, we and/or our hosting service providers process inventory data, contact data, content data, contractual data, usage data, meta and communication data of customers, prospective customers and visitors to this online offering based on our legitimate interest in an efficient and secure provision of this online offering in accordance with Art. 6 (1) Point f GDPR in conjunction with Art. 28 GDPR (conclusion of the processing agreement).

Collection of access data and log files

We (or our hosting service provider) will collect data on each access to the server where the service is hosted (referred to as server log files) based on our legitimate interests as defined by Art. 6 (1) (f) GDPR. Access data include the name of the visited web page, file, date and time of access, the transferred volume of data, notification of successful access, browser type including version, the user’s operating system, referrer URL (previously visited web page), IP address and the requesting provider.

Log file information will be saved for a maximum of seven days for security reasons (e. g. clarification of acts of misuse or fraud) and shall be erased afterwards. Data which must be retained for longer periods for the purpose of providing proof are exempted from erasure until the incident has been clarified definitively.

Online presence in social media

We have an online presence in social networks and platforms to communicate with customers, interested parties and users who are active there and to be able to inform them about our services. Regarding the use of these networks and platforms, the relevant operator’s terms and conditions as well as their data processing regulations apply.

Unless otherwise indicated in our Privacy Policy, we will process the data of users if they communicate with us via social networks and platforms, e. g. write posts in our online presence or send us messages.

Prepared by Datenschutz-Generator of lawyer Dr. Thomas Schwenke, Berlin.