DATA PRIVACY
Data protection
With the following privacy policy, we would like to inform you about how we process your personal data in accordance with the European General Data Protection Regulation (GDPR). The privacy policy also applies to the initiation of contracts and/or the contractual relationship with interested parties, customers, suppliers and business partners, our social media presence and our application process.
1. Controller
Controller in the sense of the GDPR is:
JoCos GmbH
Prinz-Ludwig-Straße 17
93055 Regensburg
Germany
Email: info@jocosregensburg.de
Phone: (+49) 941 463 703 0
2. Data protection officer
You can contact our data protection officer as follows:
secjur GmbH
Falkensteiner Ufer 40
22587 Hamburg
Telephone: +49 40/80 90 81 146
E-mail: dsb@secjur.com
You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection and the exercise of your rights.
3. Definition of terms
This privacy policy is based on the terms used in the GDPR. To simplify matters, we would like to explain some important terms in this context in more detail:
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
1. General information
In the following, we provide you with an overview of the personal data we process. To this end, we explain to what extent, for what purposes and on what legal basis we process personal data. We also indicate – if available – which third-party providers we use to receive your data. Finally, we will inform you whether a third country transfer takes place in the respective processing by the third party provider.
The provision of your personal data is always voluntary. However, it may be that the respective functionality only works if you provide your information (e.g. contact form).
1.1. Origin of the data
We may receive personal data in the following ways:
Information provided by you: You have the opportunity to provide information (e.g. contact details) about yourself on our website.
Automatically collected and generated data: data is automatically collected and generated through the use of our website.
Data collected by third parties: if we maintain a presence on social and professional networks, we may receive data from you via these networks (e.g. if you contact us via a social or professional network or respond to one of our contents shared there).
1.2. Legal basis of the processing
We will not pass on your personal data to third parties without your consent, unless this is permitted by law (e.g. because this is necessary for the performance of the contract).
The processing of your personal data may be based on the following legal bases:
Art. 6 (1)(a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing operation.
If the processing of personal data is necessary for the performance of a contract to which you are a party, the processing is based on Art. 6 (1)(b) GDPR. The same applies to such processing operations that are necessary to carry out pre-contractual measures.
If we are subject to a legal obligation that requires the processing of personal data, the processing is based on Art. 6 (1)(c) GDPR in conjunction with the respective standard from which the obligation arises.
Processing operations may also be based on Art. 6 (1)(f) GDPR. Processing operations are based on this legal basis if the processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
1.3. Transfer to third countries
Insofar as we transfer personal data to a third country for processing, we ensure compliance with Art. 44 et seq. GDPR, i.e. before each transfer of personal data to third parties in a country outside the EU or the EEA (Norway, Iceland, Liechtenstein), we check how an adequate level of protection can be guaranteed. An adequate level of protection can be ensured, among other things, by the existence of an adequacy decision by the EU Commission, by the fact that we have concluded standard data protection clauses with the recipient and have taken further additional measures, or by the fact that the third country transfer is permissible under other guarantees regulated in Art. 46 et seq. GDPR. If the data transfer takes place on the basis of Art. 46, 47 or 49 (1) GDPR, you can obtain a copy of the guarantees for the existence of an adequate level of data protection in relation to the data transfer or a reference to the availability of a copy of the guarantees from us. Please contact us for this purpose.
1.4. Transfer to third parties
As part of our processing of personal data, personal data may be transmitted to other recipients or disclosed to them. The recipients of this personal data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your personal data that serve to protect your personal data.
1.5. Deletion of data
The personal data processed by us will be deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other permissions cease to apply (e.g. if the purpose of processing this personal data no longer applies or it is not required for the purpose). If the personal data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted to these purposes. This means that the personal data is blocked and not processed for other purposes. This applies, for example, to personal data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.
Our data protection notices also contain further information on the retention and deletion of personal data, which apply primarily to the respective processing operations.
2. Data for the provision of the website and the creation of log files
If you use this website for purely informational purposes without transmitting data to us in any other way (e.g. by registering or using the contact form), we collect technically necessary data via server log files, which are automatically transmitted to our server, e.g.:
– IP address
– Date and time of access
– Amount of data transferred
– Notification of successful access
– Browser type and version
– User’s operating system
– Referrer URL (the previously visited page)
– Requesting provider
The temporary storage of the data is necessary for the course of a website visit in order to be able to display our website to you. This processing is technically necessary to ensure the functionality of the website and the security of the information technology systems. The legal basis for processing is therefore Art. 6 (1)(f) GDPR to guarantee the provision, security and stability of our website.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the provision of the website, this is the case when the respective session has ended. The log files are stored directly for a maximum of 24 hours and are only accessible to administrators. After that, they are only indirectly available via the reconstruction of backup tapes and are permanently deleted after one week.
We use storage space, computing capacity and software that we rent or otherwise obtain from the server provider Host Europe GmbH (web host) to provide our online offering.
3. Newsletter and electronic notifications
If you would like to receive information about our new products and services, you can subscribe to our newsletter. As part of sending the newsletter, we process the following personal data, among others; the only mandatory information for sending the newsletter is your e-mail address.
– E-mail address
– First name
The advertised goods and services are named in the declaration of consent. We use the so-called double opt-in procedure to register for our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you are the owner of the e-mail address provided and that you wish to receive the notifications. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses you use and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
The legal basis for sending our newsletter is your consent pursuant to Art. 6 (1)(a) GDPR. You can revoke your consent to receive our newsletter at any time by clicking on the unsubscribe link in the emails or by sending your revocation by email to our email address or by post to the contact details given in the legal notice. Your personal data will then be removed from the mailing list.
In addition, you can also give your consent for us to evaluate your user behavior when sending the newsletter. Our newsletters contain so-called tracking links that enable us to analyze the behavior of newsletter recipients. For example, we can analyze how many recipients have opened the newsletter message and how often which link in the newsletter was clicked on. This enables us to statistically evaluate the success or failure of online marketing campaigns. The personal data collected through the tracking links is stored and evaluated by us in order to optimize the newsletter dispatch and to adapt the content of future newsletters even better to your interests.
You can object to this tracking at any time by clicking on the separate link provided in each email or by informing us via another contact method as described above and withdrawing your consent. The information will be stored for as long as you have subscribed to the newsletter. After unsubscribing, we store the data purely statistically and anonymously.
We use an external provider, Mailchimp, to send our newsletter. This service provider receives your email address and other necessary data in order to send the newsletter on our behalf. The personal data is transferred to the USA. An adequacy decision of the Commission pursuant to Art. 45 (3) GDPR is available. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Mailchimp is certified under the EU-U.S. Data Privacy Framework.
4. Kununu
We are listed as an employer profile on the kununu platform, a review platform of New Work SE, Am Strandkai 1, 20457 Hamburg (kununu). Users can leave reviews about their employment or application situation with us.
Kununu processes personal data on its own responsibility. When you submit a review, Kununu may process personal data (e.g. your IP address, meta/communication data, voluntary information in the review text). As a rule, we do not receive any direct personal data from the reviewers, but only aggregated information (e.g. star ratings, anonymous comments). It is not possible for us to identify the person giving the rating unless they identify themselves.
The legal basis for the presentation of our profile and the processing of any feedback is our legitimate interest pursuant to Art. 6 (1)(f) GDPR, in particular for external presentation, to improve our employer image and to communicate with (potential) employees.
Further information on data processing by kununu can be found at: https://privacy.xing.com/de/datenschutzerklaerung
5. Application by e-mail or by post
If you apply to our company by e-mail or by post, we will process your application data exclusively for purposes related to the processing of your application. By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:
– Name (first name and surname)
– E-mail address
You also have the option of attaching informative documents such as a cover letter, your CV and references. These may contain further personal data such as date of birth, address, etc.
Your application will only be processed and acknowledged by the relevant contact persons at our company. The legal basis for the processing of your data is the initiation of a contract in accordance with Art. 6 (1)(b) GDPR, which takes place at your request. If we obtain your consent (e.g. for inclusion in our applicant pool), this consent pursuant to Art. 6 (1)(a) GDPR constitutes the legal basis for this storage.
If you receive an offer of employment with us during the application process and accept it, we will store the personal data collected during the application process for at least the duration of the employment relationship.
If we are unable to offer you employment, we will retain the data you have provided for up to six months after any rejection for the purpose of answering any questions in connection with your application and rejection. This does not apply if statutory provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.
6. Contract initiation and/or contractual relationship with interested parties, customers, suppliers and business partners
We process your personal data that we receive from you as part of our business relationship or business initiation. In addition, we process personal data that we have received from you in your capacity as a representative/authorized representative of a legal entity (prospective customer and/or customer or other contractual partner). Insofar as this is permitted, we also obtain certain data from publicly accessible sources (e.g. commercial register, press, Internet) or from authorities. In addition to the data that you provide to us directly, the categories of personal data that we receive about you from third parties include, in particular, information from public registers, information that we learn in connection with official and legal proceedings, information in connection with your professional functions and activities (e.g. so that we can conclude and process transactions with your employer with your help).
We process the following personal data in the context of contract initiation and/or contract fulfillment:
– Master data (e.g. first and last name, address)
– Contact details (e.g. email address, telephone number) and of affiliated companies
– Contact person data: company, sector and job title, contact details
– Bank details for SEPA procedures, invoice and payment data.
We process your personal data insofar as this is necessary for the establishment, execution and fulfillment of a contract and for the implementation of pre-contractual measures. The purposes of the processing depend on the contractual services and the respective contractual documents and include, among other things, the purchase of products and services from our suppliers and subcontractors, the provision of services to our customers and to comply with our legal obligations.
Insofar as the provision of personal data is necessary for the initiation or execution of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful pursuant to Art. 6 (1)(b) GDPR. If necessary and legally permissible, we process your data beyond the actual contractual purposes to fulfill legal obligations in accordance with Art. 6 (1)(c) GDPR. Where necessary, we process personal data in accordance with Art. 6 (1)(f) GDPR to protect our legitimate interests or those of third parties (e.g. customer/complaint management, ensuring the IT security and IT operations of our company), provided that the interests or fundamental rights and freedoms of the data subject do not prevail.
We store your personal data for as long as it is necessary for the specific purpose. It will then be deleted. In particular, we would like to draw your attention to the fact that we are subject to some statutory retention periods, such as § 147 AO or § 257 HGB, which, for example, provide for the storage of your personal data for up to 10 years.
We only pass on your personal data within our company to those areas and persons who need this data to fulfill contractual and legal obligations or to implement our legitimate interest.
Affiliated companies, service providers, processors and vicarious agents as well as other third parties used by us, in particular for the provision of services, may also receive data for the aforementioned purposes in accordance with the provisions of the GDPR. These are, for example, companies in the categories of IT service providers, accounting services, telecommunications, logistics, debt collection, public bodies/institutions (e.g. financial and customs authorities, law enforcement authorities, courts) in the event of a legal or official obligation, insolvency administrators in the context of insolvency proceedings, insurance companies, auditors, tax consultants, lawyers.
7. Credit check
To protect against payment defaults and as part of fraud prevention, we reserve the right to carry out a credit check on new customers and, in certain cases, on existing customers.
For this purpose, we may transmit personal data (name, address, date of birth if applicable) to the credit agency Creditreform Boniversum GmbH, from which we receive creditworthiness information. This information includes probability values (score values), which are calculated using recognized mathematical-statistical methods (scoring) and whose calculation may include address data.
The legal basis for the credit check is our legitimate interest pursuant to Art. 6 (1)(f) GDPR, which consists of protecting us from payment defaults and ensuring proper contract processing.
You can object to the processing of your data for the purpose of a credit check at any time. In this case, however, you may only be able to pay in advance or use our services to a limited extent.
We use the information received exclusively for our own decision on the commencement or continuation of a contractual relationship and do not pass it on to third parties.
For a description of the scoring procedure and information on the source of the personal data and, if applicable, whether it comes from publicly accessible sources, please contact the credit agency at https://www.boniversum.de/eu-dsgvo/informationen-nach-eu-dsgvo-fuer-verbraucher/
8. Presence in social networks (social media)
We maintain publicly accessible profiles in various social networks. Your visit to these profiles triggers a variety of data processing operations. Below we provide you with an overview of which of your personal data is collected, used and stored by us when you visit our profiles.
When you visit our profiles, your personal data is not only collected, used and stored by us, but also by the operators of the respective social network. This happens even if you yourself do not have a profile on the respective social network. The individual data processing operations and their scope differ depending on the operator of the respective social network and they are not necessarily traceable for us. For details on the collection and storage of your personal data as well as the type, scope and purpose of its use by the operator of the respective social network, please refer to the following explanations.
8.1. Facebook
When you visit our Facebook page, certain information about you is processed. We can only view the information stored in your public Facebook profile (such as your profile picture or information that you share on a Facebook profile) – and only if you have such a profile and are logged into it when you visit our Facebook page.
In addition, the operator of the platform, Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland (Meta), provides us with anonymized statistics and insights for our Facebook page, which help us gain insights into the types of actions people take on our page (so-called page insights). These Page Insights are created on the basis of certain information about people who have visited our page.
The processing of your personal data in connection with the operation of our Facebook company profile is based on a balancing of interests in accordance with Art. 6 (1)(f) GDPR in order to offer you an up-to-date and supportive information and interaction opportunity with and about us. Furthermore, the processing serves our legitimate interest in evaluating the types of actions taken on our Facebook company profile and improving our company profile based on these findings. The legal basis for this processing is therefore Art. 6 (1)(f) GDPR. If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 (1)(b) GDPR.
Page Insights are processed by Meta and us as joint controllers. We cannot assign the information obtained via Page Insights to individual Facebook profiles that interact with our Facebook page. We have entered into a joint controllership agreement with Meta, which sets out the allocation of data protection obligations between us and Meta. Details of the processing of personal data for the creation of Page Insights and the agreement concluded between us and Meta can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. With regard to this data processing, you have the option of asserting your rights as a data subject (see “Your rights as a data subject”) against Meta. Further information on this can be found in Facebook’s privacy policy (https://www.facebook.com/privacy/policy?locale=de_DE). Meta offers the possibility to object to certain data processing; you will find information and opt-out options in your account.
Please note that user data is also processed in the USA or other third countries in accordance with Meta’s data protection provisions. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Meta is certified under the EU-U.S. Data Privacy Framework.
9. Cookie banner
When you visit our website or a sub-website for the first time and it contains cookies, a “cookie banner” will be displayed. There you will be informed about the individual cookies that we use. You can find out the name of each individual cookie, the provider, the purpose of processing and the storage period.
Our cookie banner informs you about the specific cookies we use. In addition, we give you the opportunity to decide whether you want to consent to the setting of non-essential cookies. You can also allow us to use non-essential cookies and revoke this decision at any time. The following are processed:
Usage data (e.g. websites visited, time of access)
Meta and communication data (e.g. IP address)
The legal basis for the use of the cookie banner is Art. 6 (1)(f) GDPR. We have an overriding legitimate interest in using the cookie banner, which enables us to obtain the legally required consent for the use of non-essential cookies and to comply with our duty to provide information regarding cookies.
The cookie banner stores the preferences until you reset or customize them.
The cookie banner is provided by the provider Complianz BV.
10. Use of cookies
We use cookies on our website. Detailed information, in particular on the individual cookies used, can be found in our cookie policy.
11. Other external services on the website
As part of our website offering, we use other third-party services to provide certain functions, improve user-friendliness or display content efficiently. This may involve the transfer of personal data, such as IP addresses or usage data, to these third-party providers. Processing is based on legitimate interests in accordance with Art. 6 (1)(f) GDPR or on your consent in accordance with Art. 6 (1)(a) GDPR, depending on the type and purpose of the respective service.
11.1. Google Analytics
We use Google Analytics from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as an analysis service for the statistical evaluation of our online offering. This includes, for example, the number of visits to our website, the subpages visited and the time spent by visitors. Google Analytics uses cookies and other browser technologies to evaluate user behaviour and recognize users. This information is used, among other things, to compile reports on website activity.
We process data with the help of Google Analytics for the purpose of optimizing our website and for marketing purposes on the basis of your consent in accordance with Art. 6 (1)(a) GDPR, provided that you have given your consent via our cookie banner. Consent is voluntary and can be revoked at any time with effect for the future.
The specific storage period of the processed data is determined by Google Ireland Limited and cannot be influenced by us. However, we have configured Google Analytics so that user data is automatically deleted after 14 months. Further information can be found in Google’s privacy policy (https://policies.google.com/privacy?hl=en-US).
Further information on the individual Google Analytics cookies we use can be found in the cookie banner.
The personal data may also be transferred to the USA or other third countries. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Google is certified under the EU-U.S. Data Privacy Framework. In addition, the EU standard contractual clauses issued by the European Commission have been concluded with Google. This is intended to ensure that an appropriate level of data protection is also guaranteed for processing outside the EU.
11.2. Google Tag Manager
We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a solution with which website tags can be managed and integrated via an interface – e.g. for the integration of analysis or marketing services (such as Google Analytics). Google Tag Manager itself does not process any personal user data. However, the triggering of other tags can, under certain circumstances, trigger the processing of personal data. Google Tag Manager itself does not interfere with this data processing. However, a connection to Google’s servers is established when the Google Tag Manager is loaded. This may result in the transmission of data (e.g. IP address) to Google.
The integration of Google Tag Manager takes place on the basis of Art. 6 (1)(a) GDPR, provided that you have given your consent via our cookie banner. Consent is voluntary and can be revoked at any time with effect for the future by changing the settings in the cookie banner.
The Google Tag Manager itself does not store any personal data. The storage period of the data processed via individual tags (e.g. by Google Analytics) depends on the respective services. Information on the storage period and deletion of this data can be found in the relevant sections of this privacy policy and in the privacy policies of the respective providers. You can find more information about Google Tag Manager in Google’s privacy policy at https://policies.google.com/privacy.
The personal data may also be transferred to the USA or other third countries. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Google is certified under the EU-U.S. Data Privacy Framework. In addition, the EU standard contractual clauses issued by the European Commission have been concluded with Google. This is intended to ensure that an appropriate level of data protection is also guaranteed for processing outside the EU.
12. Your rights as a data subject
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR. If you wish to exercise any of your rights, please contact us via the contact addresses given above or our data protection officer.
12.1. Right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1)(e) or (f) GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
12.2. Right to information
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain information about this personal data and further information and a copy of the personal data in accordance with the legal requirements.
12.3. Right to rectification
In accordance with the statutory provisions, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.
12.4. Right to erasure and restriction of processing
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds provided for by law applies and insofar as the processing or storage is not necessary.
12.5. Restriction of processing
You have the right to demand that we restrict processing if one of the legal requirements is met.
12.6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
12.7. Right to withdraw consent
You have the right to withdraw your consent at any time.
12.8. Complaint to the supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.
13. Amendment and updating of the privacy policy
We will amend the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.
If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.
Status: August 2025
