ThriveX places high priority on data protection and data privacy. In principle, our website can be used without entering any personal data.
However, if a person wishes to make use of certain services on ThriveX, we may need to request and process personal data. Should this be the case – and in the event that the processing of this data is not covered by any specific legislation – we will generally only do so with the prior consent of the data subject. Any data collected – such as the name, address, e-mail address or telephone number of the data subject – will be processed in accordance with the EU’s General Data Protection Regulation (GDPR) and in compliance with the national data protection regulations applicable to ThriveX.
This data privacy declaration is intended to inform the public about the type and scope of any personal data that ThriveX may collect, use and process as well as our purpose for doing so. It also explains the corresponding rights of the data subject. We have implemented numerous technical and organisational measures to ensure that any personal data processed via our website is protected to the fullest possible extent. Nevertheless, internet-based data transmissions can in principle have security gaps, and absolute protection therefore cannot be guaranteed. Accordingly, the data subject is at liberty to transmit personal data to us by alternative means such as by telephone or post.
ThriveX data privacy declaration is based on the terms used by the European legislator in the enactment of the General Data Protection Regulation (GDPR). Our data privacy declaration is intended to be easy to read and understandable both for our customers and business partners as well as for the general public. Accordingly, we will begin by providing definitions of the terms used therein. The following terms are used, inter alia, in this data privacy declaration:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified – directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by means of a statement or clear affirmative action, signifies agreement to the processing of his/her personal data.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of the personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or specific criteria for its nomination may be provided for by Union or Member State law.
Data subject means any identified or identifiable natural person whose personal data is processed by the controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Profiling means any form of automated processing of personal data consisting of the use the data in order to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Restriction of Processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Name and Address of the Controller
For the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other data protection provisions, the controller in this case is:
Good Business GmbH
Am Eichenpfad 27
Rights of the Data Subject
The data subject shall have the right under the provisions of the GDPR to obtain from the controller confirmation as to whether or not the data subject’s personal data are being processed. A data subject who wishes to exercise this right to confirmation should contact the controller or an employee of the controller.
Right to Access/Information
The data subject shall have the right under the provisions of the GDPR to obtain from the controller without charge information about the data subject’s stored personal data and a copy thereof. The European legislator has also granted the data subject right of access to following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been/will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where personal data have not been obtained from the data subject, all available information as to their source;
- the existence of automated decision-making, including profiling, as referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
A data subject who wishes to exercise this right to access and information should contact the controller or an employee of the controller.
Right to Rectification
The data subject shall have the right under the provisions of the GDPR to obtain from the controller without undue delay the rectification of inaccurate personal data concerning the data subject. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
A data subject who wishes to exercise these rights should contact the controller, the controller’s data protection officer or an employee of the controller.
Right to Erasure (‘Right to Be Forgotten’)
The data subject shall have the right under the provisions of the GDPR to obtain from the controller without undue delay the erasure of personal data concerning the data subject when one of the following applies and the processing is not necessary:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21 (2) GDPR;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to information society services as referred to in Article 8 (1) GDPR.
Where one of the above-mentioned grounds applies and a data subject wishes to exercise the right to erasure of personal data concerning the data subject that is stored by the controller, he/she should contact the controller, the controller’s data protection officer or an employee of the controller, who will arrange for the data to be erased without delay.
Where the controller has made the personal data public and is obliged pursuant to Article 17 (1) GDPR to erase the personal data, the controller, taking account of the available technology and cost of implementation, shall take reasonable measures, including technical measures, to inform other controllers responsible for processing the data that the data subject has requested them to erase any links to, or copies or replications of, these personal data, to the extent that the processing is not necessary. The controller, an employee of the controller or the controller’s data protection officer will make the necessary arrangements in the given case.
Right to Restriction of Processing
The data subject shall have the right under the provisions of the GDPR to obtain from the controller restriction of processing when one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period that will enable the controller to verify the accuracy of the personal data;
- the processing is unlawful, and the data subject opposes the erasure of the personal data and instead requests the restriction of their use;
- the controller no longer needs the personal data for the processing purposes, but the data are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21 (1) GDPR, and verification of whether the legitimate grounds of the controller override those of the data subject is still pending.
Should one of the above-mentioned grounds apply and a data subject wish to exercise his/her right to restrict the processing of personal data stored by the controller, he/she should contact the controller, the controller’s data protection officer or an employee of the controller, who will make the necessary arrangements in the given case.
Right to Data Portability
The data subject shall have the right under the provisions of the GDPR to receive the personal data concerning the data subject, which he/she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit these data to another controller without hindrance from the controller to whom the data has already been provided when the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and is carried out by automated means. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercising of official authority vested in the controller.
In exercising his/her right to data portability in accordance with Article 20 (1) GDPR, the data subject shall also have the right to have his/her personal data transmitted directly from one controller to another, where this is technically feasible and does not prejudice the rights and freedoms of others.
To exercise this right to data portability, the data subject should contact the controller, the controller’s data protection officer or an employee of the controller.
Right to Object
The data subject shall have the right under the provisions of the GDPR to object at any time on grounds relating to his/her particular situation to any processing of his/her personal data which is based on the provisions set down in Article 6 (1) (e) or (f) GDPR. This right to object shall also apply to profiling based on the aforementioned provisions.
Upon receipt of such an objection, the controller shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for this processing which override the interests, rights and freedoms of the data subject or serve to establish, exercise or defend legal claims.
Where the controller processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to the processing of his/her personal data for such marketing purposes. This right shall also apply to profiling to the extent that it is related to such direct marketing. In the event that the data subject should object to processing for direct marketing purposes, the controller will no longer process his/her personal data for these purposes.
The data subject shall also have the right to object on grounds relating to his/her particular situation to the processing of personal data concerning the data subject by the controller for scientific or historical research or statistical purposes pursuant to Article 89 (1) GDPR unless such processing is necessary to fulfil a task carried out in the public interest.
To exercise this right to object, the data subject should contact the controller, the controller’s data protection officer or an employee of the controller.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may also exercise his/her right to object by automated means using technical specifications.
Automated Individual Decisions, incl. Profiling
The data subject shall have the right under the provisions of the GDPR not to be subject to a decision based solely on automated processing, including profiling, which has a legal or comparable negative effect on the data subject. This provision shall not apply if the decision:
- is necessary for entering into or performing a contract between the data subject and the data controller,
- is valid under Union or Member State law applicable to the controller, which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or
- is based on the data subject’s explicit consent.
In the event that the decision is necessary for entering into or performing a contract between the data subject and the data controller or is based on the former’s explicit consent, the data controller shall implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, at least his/her rights to obtain human intervention on the part of the controller, express his/her point of view and contest the decision.
To exercise his/her rights with regard to automated decisions, the data subject should contact the controller, the controller’s data protection officer or an employee of the controller.
Right to Withdrawal of Consent
The data subject shall have the right under the provisions of the GDPR to withdraw his/her consent to the processing of his/her personal data at any time.
To exercise the right to withdraw consent, the data subject should contact the controller, the controller’s data protection officer or an employee of the controller.
Legal or Contractual Provisions Regarding the Provision of Personal Data
Necessity for conclusion of the contract; Obligation on the part of the data subject to provide personal data; Possible consequences of not providing personal data.
In some instances, the provision of personal data is required by law (e.g. tax regulations) or can result from contractual arrangements (e.g. details on the contractual partner). To conclude a contract, it may be necessary that a data subject provides us with personal data that we must subsequently process. The data subject is, for instance, obliged to provide us with his/her personal data when we conclude a contract with him or her. If the data subject does not provide this data, we would not be able to conclude this contract. Prior to providing us with personal data, the data subject can, if necessary, contact the controller or the controller’s data protection officer. The controller or the controller’s data protection officer will explain whether the provision of personal data constitutes a legal or contractual requirement or is required to conclude the contract in a specific case, whether the data subject is obliged to provide personal data and what consequences would result from non-provision of such data.
Routine Erasure and Blocking of Personal Data
The controller shall only process and store personal data for the period of time required to achieve the purpose of the storage or unless so foreseen in laws or provisions issued by the European legislator or another legislator in the controller’s jurisdiction.
Should the purpose of the storage cease to apply, or the period of duration stipulated by the European legislator or another applicable legislator run out, the personal data will be routinely blocked or erased in accordance with the legal provisions.
Storage Period for Personal Data
Personal data will be stored for the period defined in the applicable legislation. When this period runs out, the corresponding data will be routinely erased as long as they are no longer required to fulfil or initiate a contract.
Legitimate Interests for Data Processing by the Controller or a Third Party
If the processing of personal data is based on Article 6 (1) (f) GDPR, ThriveX legitimate interest for doing so is the pursuit of our business activities to the benefit of our staff and shareholders.
Legal Basis for the Processing of Personal Data
Article 6 (1) (a) constitutes the legal basis for any data processing by the controller for which consent must be obtained for a specific processing purpose. If personal data are processed to perform a contract to which the data subject is party, as is the case, for instance, with data processing that is required to ensure a delivery of goods or provide some other service or return service, this processing is based on Article 6 (1) (b) GDPR. The same applies to processing that is required to carry out precontractual measures such as responses to inquiries about our products or services. In the event that the controller is subject to any legal obligations that necessitate a processing of personal data, such as the fulfilment of tax obligations, this processing is carried out on the basis of Article 6 (1) (c). In rare cases, ThriveX may be required to process personal data to protect the vital interests of the data subject or another natural person. This would be the case, for instance, if a visitor were to be injured in our offices, and we were required to pass on details of his/her name, age, health insurance or other vital information to a doctor, a hospital or other relevant third party. In such a case, the processing would be based on Article 6 (1) (d) GDPR. Finally, we could also process data on the basis of Article 6 (1) (f) GDPR. Data would be processed on this legal basis when none of the aforementioned legal foundations are applicable, and the processing is deemed necessary to pursue the legitimate interests of the controller or a third party, except in the event that such interests are overridden by the interests, fundamental rights and freedoms of the data subject. Such data processing is permitted in particular because it is expressly referred to by the European legislator, who deemed that such legitimate interest could exist when the data subject is a client of the controller (Recital 47, Sentence 2, GDPR).
Collection of General Data and Information; Server Log Files
Every time ThriveX website is accessed by a data subject, it automatically collects general data and information. This data and information are stored in the server log files. The following data and information may be collected:
- browser type and browser version,
- operating system used on the accessing device,
- referrer URL,
- pages accessed on our website by an accessing device,
- date and time of server request,
- Internet Protocol address (IP address),
- accessing system’s internet service provider,
- other similar data and information that serve to avert the threat in the event of attacks on our IT systems.
ThriveX does not utilise such general data and information to identify the data subject. Instead, this information is required to:
- correctly deliver our website content,
- optimise the contents of this website and the advertising of this content,
- ensure availability of our IT systems and the technology behind this website, and
- provide law enforcement agencies with the necessary information to prosecute offenders in the event of a cyber-attack.
We therefore use these anonymous data and information for statistical purposes and to improve data protection, data privacy and data security in our organisation with the ultimate aim of ensuring an optimal level of protection, privacy and security for the personal data we process.
The anonymous data in the server log files is stored separately from all personal data provided by a data subject. These data are not merged with any other data sources.
Use of Automated Decision-Making
As a responsible company, ThriveX does not make use of automated decision-making or profiling on our website.
Data Privacy for Job Applications and Job Application Procedures
ThriveX collects and processes the personal data of job applicants for the purpose of carrying out the job application process. In this regard, we may also process these data electronically. This is the case in particular when an applicant submits a job application to us by e-mail or via an online application form on our website. If we enter into an employment contract with an applicant, his/her personal data are stored for the purposes of managing the employment relationship in accordance with the applicable legal provisions. If we do not enter into an employment contract with an applicant, the application documents are automatically erased two months after the applicant has been informed of this decision unless such erasure is prevented on grounds of another legitimate interest on our part. Another legitimate interest in this sense would be, for instance, a burden of proof in a process covered by the General Equal Treatment Act.
ThriveX website contains links to external webpages, which are clearly identified and whose contents are not located on our own servers. The external contents of these links were verified at the time of their inclusion on our website. However, we cannot guarantee that the content on such external websites has not been subsequently changed. Should you notice that the content provided on such external websites breaches applicable law, please inform us of this situation.
This data privacy declaration only applies to the content on our own servers.
There are three different categories of cookies:
- essential cookies that are necessary to provide the basic functions of the website,
- functional cookies to ensure the performance of the website, and
- tracking cookies to improve the user experience.
Cookies are widely used by websites and servers. Many cookies contain a unique identifier known as a cookie ID. This identifier consists of a string of characters that websites and servers associate with the browser on which the cookie is stored. This allows websites and browsers to distinguish the data subject’s browser from other internet browsers that store different cookies. A specific internet browser can be recognised and identified by its unique cookie ID.
The links below contain detailed information on how to deactivate cookies in commonly used browsers:
Contact Options via this Website
In accordance with legal provisions, ThriveX website contains information that facilitates rapid contact to and direct communication with us by electronic means and thus includes a general address for electronic mail (e-mail address). Should a data subject contact the data controller by e-mail or via a contact form on this website, the personal data thereby transmitted by the data subject will be stored automatically. Any such personal data voluntarily transmitted to us by a data subject will be stored for the purposes of processing or responding to the data subject.
These personal data will not be forwarded to any third parties.
ThriveX website uses Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to obtain anonymised usage statistics.
This web analytics software collects anonymised user data like geographical origin (IP address of the internet provider), webpages accessed, browser type and time of access. The information collected will used to optimise our website. The anonymisation of the data means that it cannot be associated with the user’s IP address.
Google Analytics uses “cookies”, i.e. text files placed on your computer, to help analyse how users use our website. The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on a server in the United States. The use of the “anonymizeIP” feature guarantees that the last octet is stripped from the IP address in European Union or European Economic Area Member States, thus eliminating the collection of personal data and ensuring the data transmitted can no longer be associated with your IP address. Google uses the information collected for the purpose of evaluating your use of the website, compiling reports on website activity for the website operator and providing other services relating to website activity and internet usage.
Access to the data collected is provided to the website operator and external service providers who have contractually undertaken to only use the data as instructed by the website operator and to delete them upon conclusion of this work. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.
Third party suppliers and Google may place adverts on internet websites. Google and such third parties may use the data to place adverts on third party websites.
You can refuse the collection and storage of your data for all future use by downloading and installing the corresponding browser plugin via the following link: https://tools.google.com/dlpage/gaoptout.
For uniform representation of fonts, ThriveX website uses so-called web fonts provided by Google. When you open a page on our website, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.
Supplier: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
If your browser does not support web fonts, a standard font is used by your computer.
For this purpose, your browser has to establish a direct connection to Google servers. Google thus becomes aware that our website was accessed via your IP address. We use Google Web fonts to provide a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to Art. 6 (1) (f) GDPR.
Changes to this Data Privacy Declaration
In the event that ThriveX should introduce new services, change our internet procedures or make use of new internet and/or IT security technologies, we reserve the right to update our data privacy regulations. Our data privacy regulations can be amended or extended in the above cases without prior notification.