de

Privacy Policy

Information on the processing of your personal data

1. Controller

This privacy policy provides information about the processing of personal data when you visit our website.

 

The controller within the meaning of Art. 4 No. 7 GDPR is:

BuP. Boll Beraten und Planen
Ingenieurgesellschaft mbH & Co. KG
Etzelstraße 11
70180 Stuttgart

 

Phone: 0711 / 64954 – 99
Email: info@bup-ing.de

 

Under the current legal situation, we are not required to appoint a Data Protection Officer by law. If you have any questions regarding data protection, you may contact us at any time using the contact details provided above.

2. General Information on Data Processing

We take the protection of your personal data very seriously.

 

We process personal data (e.g. name, address, email address, IP address) exclusively in accordance with the applicable data protection laws, in particular the GDPR and the German Federal Data Protection Act (BDSG).

 

“Personal data” and other terms used in this Privacy Policy correspond to the definitions set out in Article 4 GDPR.

 

We only process personal data:

  • where this is necessary to provide a functional website and our content and services (Article 6(1)(b) and (f) GDPR),
  • where we are legally obliged to do so (Article 6(1)(c) GDPR), or
  • where you have given us your consent (Article 6(1)(a) GDPR).

3. Provision of the Website and Server Log Files

When you access our website, information transmitted by your browser is automatically collected by the web server we use. This information is temporarily stored in so-called server log files.

 

The following data may be processed in this context:

  • visited page / requested file
  • date and time of access
  • amount of data transferred
  • source/reference (referrer URL)
  • browser used and browser version
  • operating system used
  • hostname of the accessing computer
  • IP address

 

Purposes of processing:

  • ensuring a smooth connection to the website
  • ensuring convenient use of our website
  • evaluating system security and stability
  • preventing and investigating misuse or attack scenarios (e.g. DoS attacks)

 

Legal basis:

Article 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our website).

 

Storage period:

Log files are generally deleted as soon as they are no longer required for the purposes stated above. Data will only be stored for a longer period if there are concrete indications of unlawful use and the data is required for clarification or investigation.

4. Cookies

Our website uses cookies. Cookies are small text files that are stored on your device and saved by your browser. They do not cause any damage to your device and do not contain viruses or other malware.

 

4.1 Types of Cookies

 

Technically Necessary Cookies

These cookies are required for the operation of our website and the provision of basic functions (e.g. page navigation, session control). Without these cookies, the website cannot be displayed or used properly.

At present, we use only technically necessary cookies, in particular:

  • Session-Cookies, which store a so-called session ID and thereby assign several requests from your browser to the same session. These cookies are generally deleted when you close your browser.

 

Legal basis:

Article 6(1)(f) GDPR (legitimate interest in the secure and functional operation of the website).

 

4.2 Cookie Settings in the Browser

 

You can configure your browser settings so that:

  • cookies are not stored,
  • cookies are permitted only in individual cases,
  • acceptance of cookies is excluded for certain cases, or
  • cookies are automatically deleted when the browser is closed.

 

Please note that if cookies are deactivated, the functionality of this website may be restricted.

5. Presence on Social Media Platforms (Instagram, LinkedIn)

5.1 General Information

 

We maintain corporate profiles on social media platforms in order to communicate with interested parties, customers, applicants, and other users, and to provide information about our company and our services.

 

We currently maintain profiles in particular on:

  • Instagram (Meta Platforms): https://www.instagram.com/bup.bollberatenundplanen/
  • LinkedIn: https://www.linkedin.com/company/bup-boll-dp

 

When you visit our profiles on social media platforms, personal data is processed by the respective platform operator. We have only limited influence over the nature and scope of this data processing; the privacy notices of the respective platform primarily apply.

 

5.2 Joint Controllership (Page Insights, etc.)

 

Insofar as we receive statistical evaluations from the platforms regarding the use of our pages (e.g. “Page Insights,” reach statistics, and interaction statistics), we are jointly responsible with the respective platform operator under data protection law (Article 26 GDPR).

 

In particular, the platform operators assume primary responsibility for:

  • fulfilling the information obligations pursuant to Articles 13 and 14 GDPR,
  • handling data subject rights (e.g. access, erasure, objection),
  • data security and the notification of personal data breaches.

 

We process the statistics provided to us by the platforms exclusively in aggregated form in order to align our content more closely with users’ interests.

 

5.3 Instagram

 

We maintain a corporate profile on the Instagram platform:  https://www.instagram.com/bup.bollberatenundplanen/

 

The service provider is:

Meta Platforms Ireland Limited
4 Grand Canal Square
Grand Canal Harbour
Dublin 2, Irland

 

When you visit our Instagram profile, Meta processes, among other things:

  • IP address and other device/system information,
  • content and interactions (e.g. views, likes, comments, messages),
  • location data (where enabled on your device),
  • usage behavior for the creation of usage and interest profiles.

 

Meta may use this data for, among other things, the following purposes:

  • operation and improvement of the platform,
  • market research and reach measurement,
  • personalized content and advertising,
  • the use and training of AI systems in accordance with Meta’s then-current privacy provisions.

 

Meta may transfer data to countries outside the EU/EEA, in particular to the United States. According to Meta, such transfers are carried out on the basis of appropriate safeguards pursuant to Chapter V GDPR (e.g. EU Standard Contractual Clauses or the Data Privacy Framework, where applicable).

 

Legal basis for our use of Instagram:

Article 6(1)(f) GDPR – our legitimate interest lies in maintaining a modern public presence, corporate communication, and the analysis and improvement of our content.

 

Further information on data processing by Instagram/Meta and on your rights can be found in Meta’s/Instagram’s privacy policy:

https://www.instagram.com/legal/privacy/

 

You may assert your data subject rights (e.g. access, erasure, restriction, objection) both against us and directly against Meta. In practice, it is often more efficient to contact Meta directly, as Meta has access to the full user data.

 

5.4 LinkedIn

 

We maintain a company page on LinkedIn:

https://www.linkedin.com/company/bup-boll-dp

 

The service provider is:

LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2, Irland

 

When you visit our LinkedIn page, LinkedIn processes, among other things:

  • registration data (profile information),
  • IP address and other technical data (device, browser, settings),
  • interaction data (e.g. profile and page views, reactions, comments, messages),
  • professional information (industry, role, qualifications).

 

LinkedIn uses this data in particular for:

  • providing and operating the platform,
  • generating statistics (“Page Insights”) on the use of our page,
  • audience-targeted content and advertising,
  • analytics and, where applicable, AI-related purposes in accordance with the applicable privacy provisions (including the training of AI models based on user and content data, where legally permissible).

 

LinkedIn may also transfer personal data to third countries outside the EU/EEA. According to LinkedIn, this is done on the basis of appropriate safeguards (e.g. Standard Contractual Clauses) and additional protective measures.

 

Legal basis for our use of LinkedIn:

Article 6(1)(f) GDPR – our legitimate interest lies in maintaining a professional public presence, fostering professional networks, recruitment, and targeted corporate communication.

 

Further information on data processing by LinkedIn can be found in LinkedIn’s current privacy policy:

https://www.linkedin.com/legal/privacy-policy

 

Here too, you may assert your data subject rights both against us and directly against LinkedIn. For information about the data stored by LinkedIn, it is generally advisable to contact LinkedIn directly.

6. Contacting Us (Email, Telephone, Mail, Contact Form)

If you contact us by email, telephone, post, or via a contact form, we process the data you provide to us, in particular:

  • salutation, name, and, where applicable, company name,
  • contact details (address, email address, telephone number),
  • the content of your inquiry and any documents attached,
  • technical metadata (e.g. IP address, time of submission), where collected.

 

Purposes of processing:

  • processing your inquiry and any further correspondence,
  • initiating, establishing, and performing contractual relationships,
  • documentation and record-keeping (e.g. in order to comply with legal obligations).

 

Legal bases:

  • Article 6(1)(b) GDPR (pre-contractual measures and performance of a contract), insofar as your inquiry relates to the conclusion or performance of a contract,
  • Article 6(1)(f) GDPR (legitimate interest), insofar as the matter concerns general inquiries,
  • Article 6(1)(c) GDPR, where statutory retention obligations apply (e.g. under tax or commercial law).

 

Storage period:

Your data will be stored for as long as necessary to process your inquiry. Where statutory retention periods apply or where the matter concerns contractual documentation, the data will be stored for the duration of those periods.

Your data will not be passed on to third parties without your consent unless this is strictly necessary for the performance of a contract or we are legally required to do so.

7. Applications (Email, Post, Application Form)

If you apply to us (e.g. on your own initiative or in response to a job advertisement) and submit contact details or application documents to one of our contact addresses, we process your personal data for the purpose of reviewing your application and deciding whether to establish an employment relationship.

 

Legal basis:

  • Article 6(1)(b) GDPR in conjunction with Section 26 BDSG (establishment of an employment relationship),
  • Article 6(1)(a) GDPR, if you consent to a longer retention of your application documents (e.g. inclusion in an applicant pool).

 

Storage period:

If no employment relationship is established, the application documents will generally be deleted no later than 6 months after completion of the application process, unless statutory retention obligations prevent deletion or you have consented to longer storage.

8. Disclosure of Personal Data

Your personal data will only be transferred to third parties:

  • where this is necessary for the performance of a contract (Article 6(1)(b) GDPR),
  • where we are legally obliged to do so (Article 6(1)(c) GDPR),
  • where the disclosure is permissible on the basis of our legitimate interests (Article 6(1)(f) GDPR), or
  • where you have expressly consented to such disclosure (Article 6(1)(a) GDPR).

 

Recipients may include, in particular:

  • IT service providers (e.g. hosting providers, maintenance service providers),
  • suppliers, subcontractors, or service providers in connection with projects,
  • tax advisors, auditors, or legal advisors,
  • authorities and public bodies, where required by law.

 

Where we use service providers as so-called processors pursuant to Article 28 GDPR, they are contractually obliged to process personal data only in accordance with our instructions and in compliance with the applicable data protection provisions.

 

A transfer to third countries outside the EU or the EEA will only take place where the special requirements of Articles 44 et seq. GDPR are met (e.g. an adequacy decision by the European Commission or appropriate safeguards such as Standard Contractual Clauses).

9. Storage Period

Unless different storage periods are specified in this Privacy Policy, the following applies:

  • We process and store personal data only for as long as necessary for the respective purposes.
  • After that, the data will be deleted unless statutory retention periods (e.g. under commercial, tax, or professional law) prevent such deletion.

 

In the latter case, processing will be restricted, i.e. the data will be blocked and will not be processed for any other purposes.

10. Your Rights as a Data Subject

Subject to the applicable legal requirements, you have the following rights with regard to your personal data:

  • Right of access (Article 15 GDPR): You may request information as to whether we process personal data relating to you and, if so, which data.
  • Right to rectification (Article 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data.
  • Right to erasure (Article 17 GDPR): You may request the deletion of your personal data, provided that no statutory retention obligations or other legal grounds prevent this.
  • Right to restriction of processing (Article 18 GDPR): In certain cases, you may request that we process your data only in a restricted manner.
  • Right to data portability (Article 20 GDPR): You have the right to receive the data you have provided to us in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller, insofar as this is technically feasible.
  • Right to object (Article 21 GDPR): For reasons arising from your particular situation, you may object at any time to the processing of your personal data where we base such processing on Article 6(1)(e) or (f) GDPR (see Section 10).
  • Right to withdraw consent (Article 7(3) GDPR): You may withdraw any consent you have given at any time with effect for the future (see Section 11).
  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law. The competent authority is, in particular, the supervisory authority at your habitual residence, place of work, or the place of the alleged infringement.

 

For the federal state of Baden-Württemberg, the competent supervisory authority is in particular:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW).

 

To exercise your rights, you may contact us at any time at info@bup-ing.de or via the contact details stated in Section 1.

11. Right to Object under Article 21 GDPR

Individual Right to Object:

 

Where we process your personal data on the basis of Article 6(1)(e) or (f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.

 

We will then no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defence of legal claims.

 

Objection to Direct Marketing:

 

If we use personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing.

If you object, your personal data will no longer be processed for these purposes.

 

You may submit your objection informally by email to info@bup-ing.de.

 

12. Withdrawal of Consent

Where we process your personal data on the basis of your consent (Article 6(1)(a) GDPR), you may withdraw that consent at any time with effect for the future.

The lawfulness of the processing carried out before the withdrawal remains unaffected.

13. Obligation to Provide Data

As a general rule, you are not required to provide personal data when using our website. However, for certain functions (e.g. contact inquiries), it may be necessary for you to provide specific data. Without this data, we may not be able to provide the relevant function or respond to your inquiry.

14. Data Security / SSL or TLS Encryption

We implement technical and organizational security measures to protect your data against manipulation, loss, destruction, or unauthorized access, and we continuously improve these measures in line with the current state of the art.

 

For security reasons and to protect the transmission of confidential content (e.g. inquiries submitted via a contact form), our website uses SSL or TLS encryption. You can usually recognize an encrypted connection by the “https://” in your browser’s address bar and by the padlock symbol displayed in the browser bar.

15. Prohibition of Unauthorised Use of the Contact Details Published on this Website

The use by third parties of the contact details published as part of our legal notice obligations or in this Privacy Policy for the purpose of sending unsolicited advertising, informational materials, spam emails, or similar communications is hereby expressly prohibited.

 

We expressly reserve the right to take legal action in the event of the unsolicited sending of such promotional information.

16. Current Version and Amendments to this Privacy Policy

As our website continues to develop, as new technologies are introduced, or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy.

 

The current version of this Privacy Policy can be accessed on our website at any time and may be saved or printed out.