This privacy policy only applies to our website. If you are redirected to other websites via links provided on our pages, please consult the privacy policies on those respective websites to learn how your data is handled.

When a web page is accessed and loaded via a browser1, data is exchanged between the browser and the server2 each time.

If the website provides options to enter personal or business data (such as email addresses or names), the disclosure of this information by users is entirely voluntary.

¹ Computer program for displaying websites on the World Wide Web or documents and data in general. (Source: Wikipedia)

² A computer program or device that provides access to a central resource or service within a network. (Source: Wikipedia)

Description and scope

To respond to your data requests, our web server must “know” – i.e. be able to process – your IP address. Each time you visit our website, our system automatically collects data and information from your device’s system. The following data is processed:

1. Information about the browser type, the version used and the language used.
2. Your operating system.
3. Your Internet service provider.
4. Your IP address.
5. Information about the port number used.
6. Date and time of access.
7. Websites from which your system accesses our website or services.
8. Websites that are accessed by your system via our website or services

This data is usually stored automatically in a log file. This data is not merged with other personal data.

Purpose and legal basis

Temporary storage of the IP address by the system is necessary to enable the website to be delivered to your device. For this, your IP address must remain stored for the duration of the session.

Your data is processed in log files to ensure the functionality of our website. We also use the data to optimise our website and ensure the security of our information technology systems. Your data is not analysed for marketing purposes in this context.

These purposes also constitute our legitimate interest in processing the data.

The legal basis for the temporary storage of your data and the creation of log files is Art. 6 (1) (f) GDPR.

Storage and deletion

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collected for the provision of the website, this is when the respective session has ended.

In the case of log file processing, data will be deleted no later than 14 days after collection. Extended storage is possible, but in such cases, your IP address will be deleted or anonymised so that it can no longer be assigned to your end device.

The collection of data for providing the website and the processing of data in log files is essential for the operation of our online presence. Consequently, you cannot object to the data processing.

Our website www.expostock.de allows customers who store furniture or materials from events or trade fairs at Zeeh Design to view their own inventory of items with detailed specifications (type, quantity, description, packaging, weight, etc.).

Login data is transmitted in encrypted form (HTTPS). Passwords are not stored in plain text and are used solely to restrict access to your personal area. No data is processed in third countries.

In the paid version (EXPOSTOCK ‘Dispo’), clients have extended options. Using a “master account,” clients can generate additional user accounts with corresponding rights.

Clients can also create “events” in the Dispo version. The data recorded in these includes the event title, the time period, and collection and return dates. The nature and scope of the data stored there are the responsibility of the client. Disclosure of this data by the client is entirely voluntary and used solely for material planning and customer transparency.

When an order or event is deleted, the personal data as well as the billing and delivery addresses are also deleted.

IMPORTANT: For data protection reasons, we recommend that you regularly clean up events that have already been created or organised.

The data can be viewed by specifically authorised Zeeh Design employees. However, this personal data is not used or processed beyond this purpose.

If the client wishes to retrieve stored equipment, a “material request” can be submitted to Zeeh Design via the tool. This request is sent from the tool as an email (to expostock@zeeh-design.de) and is processed as a standard enquiry with a request for a quote. Again, data is disclosed voluntarily by the client. Processing of this data by Zeeh Design is solely for the purpose of handling the process.

We do not collect any further personal data when you visit our website (www.expostock.de) and we do not use cookies or similar technologies that could be used to track user behaviour.

(current version v006_EXPOSTOCK_2025_02_06).

Zeeh Design uses its own platform (SAAS) for the secure exchange of data. Clients and partner agencies working with Zeeh Design can exchange data via upload and download links using the HTTPS protocol with end-to-end encryption.

The only data required to generate these upload/download links is the recipient’s email address. No further data is collected. All data is deleted immediately after the download or upload is complete.

No data is logged that could be traced back to individual persons. The data is processed exclusively in Germany and is not passed on to third parties.

Our social media page on XING is accessible at: https://www.xing.com/companies/zeehdesigngmbh. Zeeh Design does not collect any personal data via XING. Access statistics are not traceable to individual users.

Every XING member who lists Zeeh Design GmbH in text on their private profile appears on our XING company page with further personal details. This is a link that is at the personal discretion of the respective user and can be changed by the user at any time and independently. Zeeh Design has no control over this.

A link on the page refers to the legal notice and data protection at www.zeeh-design.de.

Our LinkedIn company page is accessible at: https://www.linkedin.com/company/1409832/. Zeeh Design does not collect any personal data via LinkedIn. Access statistics are not traceable to individual users.

Every LinkedIn member who lists Zeeh Design GmbH in text on their private profile appears as a link on our LinkedIn company page. This linking is at the personal discretion of the individual user and can be changed by them.

The page refers to our homepage www.zeeh-design.de , where additional information about data protection can be found.

a. Description and scope of processing

With regard to the operation of our XING company profile, in accordance with Art. 4 No. 7 GDPR) we are, in part, jointly responsible with New Work SE. XING is a service of New Work SE, Dammtorstrasse 30, 20354 Hamburg. When you visit our XING company page, personal data is processed by the responsible parties. We operate our company profile on XING to present ourselves externally, primarily to provide users with information about our company, our products, services and vacancies, combined with the ability for users to interact with us directly.

XING Employer Branding is integrated on our website. In connection with the operation of our XING profile, we also use the Recruiter Insights tool to receive statistical data about users and how our profile is being used. XING stores a cookie on the user’s device to statistically evaluate the use of our page. The cookie contains a unique user ID. The information stored in the cookie is processed by XING, in particular when the user visits services provided by XING or other companies that use XING services. The visitor statistics provided to us by XING are only in aggregated form. We do not have access to the data collected by XING and do not receive any data that could be used to identify individual persons. You can find more information on the measurement and optimisation of advertising by XING here.

The agreement on joint responsibility primarily means that users can assert their data subject rights directly with XING and that no personal data about XING members is transmitted to us. We only receive aggregated statistical data from XING. If our assistance is nevertheless required in asserting your individual rights, you can contact us at any time. Further information on data protection can be found in XING’s privacy policy.

b. Purposes of the processing

The purpose of processing personal data in connection with our XING page is, firstly, to compile statistics on visitor flows. This enables us to better understand how users interact with our page and the presented products and services. It enables us to design our company page better and to adapt our products and services to the needs of the users. Secondly, we process users’ personal data to be able to communicate with you directly via the media of your choice.

c. Legal basis for data processing

We operate this XING page in order to present ourselves to XING users who visit our company page and to communicate with them directly. Your personal data is processed on the basis of our legitimate interest in an optimized company and product presentation as well as direct communication with XING users (Art. 6 Paragraph 1 lit. f GDPR).

When we publish pictures of people, this is done with consent (the legal basis for this is Art. 6 Para. 1 lit. a GDPR), on the basis of a contractual agreement (the legal basis for this is Art. 6 Para. 1 lit. b GDPR) and in exceptional cases on the basis of legitimate interests (the legal basis for this is Art. 6 Paragraph 1 lit. f GDPR) in conjunction with Section 23 Paragraph 1 No. 3 Art Copyright Act).

d. Objection and removal options

In accordance with Art. 21 GDPR, you have the right to object to the processing for reasons that arise from your particular situation at any time. You can exercise your right of objection via the XING settings or the objection form for XING data processing. As a XING user, you can influence settings for advertising preferences and thereby also provide information on the extent to which your user behaviour may be recorded when you visit our XING page. You can find more information on the right of objection here.

e. Period of retention

Since we, as the operator of a XING page, are not provided with any personal data, the criteria set by XING applies to the period of retention.

a. Description and scope of processing

With regard to the operation of our LinkedIn presence we are in accordance with Art. 4 No. 7 GDPR joint controller with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. When you visit our LinkedIn company page, personal data is processed by the responsible parties. We operate our company profile on LinkedIn to present ourselves externally, primarily to provide users with information about our company, our products, services and vacancies, combined with the ability for users to interact with us directly.

In part of operating of our LinkedIn page, we use the Page Insights function to obtain statistical data about users and how they engage with our page. In order to statistically evaluate usage, LinkedIn stores a cookie on the user’s device. The cookie contains a unique user ID. The information stored in the cookie is processed by LinkedIn, especially when the user visits LinkedIn services or services provided by companies that use LinkedIn tools. The visitor statistics provided to us by LinkedIn are in aggregated form only. We do not have access to the data collected by LinkedIn and do not receive any data that could be used to identify individual persons. More information on the use of cookies by LinkedIn can be found in their cookie policy.

The agreement on joint responsibility primarily means that users can assert their data subject rights directly with LinkedIn and that no personal data about LinkedIn members is transmitted to us. We only receive aggregated statistical data from LinkedIn. If our assistance is nevertheless required in asserting your individual rights, you can contact us at any time. Further information on data protection can be found in LinkedIn’s privacy policy.

It is possible that your data will be processed outside the European Union by LinkedIn Corporation in the USA. LinkedIn Corporation is certified under the US-EU- Privacy Shield and thereby undertakes to comply with European data protection regulations We do not pass on any personal data.

b. Purposes of the processing

The purpose of processing personal data in connection with our LinkedIn page is, firstly, to compile statistics on visitor flows. This enables us to better understand how users interact with our page and the products and services presented, It enables us to design our company page better and to adapt our products and services to the needs of the users. Secondly, we process users’ personal data to be able to communicate with you directly via the media of your choice.

c. Legal basis for data processing

We operate this LinkedIn page in order to present ourselves to LinkedIn users who visit our company page and to communicate with them directly. Your personal data is processed on the basis of our legitimate interest in an optimized company and product presentation as well as direct communication with LinkedIn users (Art. 6 Paragraph 1 lit. f GDPR).

When we publish pictures of people, this is done with consent (legal basis: Art. 6 Para. 1 lit. a GDPR), on the basis of a contractual agreement (legal basis: Art. 6 Para. 1 lit. b GDPR) and in exceptional cases on the basis of legitimate interests (legal basis: Art. 6 Paragraph 1 lit. f GDPR) in conjunction with Section 23 Paragraph 1 No. 3 Art Copyright Act).

d. Objection and removal options

In accordance with Art. 21 GDPR, you have the right to object to the processing for reasons that arise from your particular situation at any time. You can exercise your right of objection via the LinkedIn settings or the form for objecting to LinkedIn data processing. As a LinkedIn user, you can influence settings for advertising preferences and thereby also provide information on the extent to which your user behaviour may be recorded when you visit our LinkedIn page. You can find more information on the right of objection here.

e. Period of retention

Since we, as the operator of a LinkedIn page, are not provided with any personal data, the criteria set by LinkedIn applies to the period of retention.

This section covers information about the processing of personal data in connection with online meetings.

Responsible organisation

Zeeh Design GmbH is the responsible organisation for data processing directly related to the implementation of online meetings.

Note

If you visit the internet sites of our software tool suppliers, the provider of the respective software tool is responsible for data processing. For the purposes of using the tool, visiting the supplier’s website is only necessary for downloading the software.

You can also use the tools by entering the respective meeting ID and any other meeting access data directly in the tool’s app.

If you do not wish to or cannot use the tool apps, the basic functions are also available via a browser version, which can also be found on the respective tool supplier’s website.

Subject of the data protection

The subject of the data protection is personal data. According to Art. 4 (1) of the GDPR, this refers to any information relating to an identified or identifiable person. This includes data such as first and last names, email addresses, as well as usage data such as the IP address.

Purpose of the processing

We use the Zoom service for telephone conferences, online meetings, video conferences and / or webinars (hereinafter: “Online Meetings”). Zoom is a service from Zoom Video Communications, Inc., based in the United States.

What data is processed?

Various types of data are processed during use. The scope of the data also depends on the data you provide before or while participating in an online meeting. The following personal data is subject to processing:

• To take part in an online meeting or to enter the meeting room, you as a guest must provide information about your name as a minimum.
• Details of registered users of the apps: First name, surname, email address and password (also depending on the use of “single sign-on”), telephone, profile picture and department can be entered optionally.
• Meeting metadata: The topic, participant IP addresses, device and hardware information, the description of the meeting and the topic are optional.
• For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
• When dialling in by phone: Information on the incoming and outgoing phone number, country, start and end time. If necessary, further connection data, such as the IP address of the device, can be saved.
• Text, audio and video data: Where necessary, options to use chat, question or survey functions in an online meeting are available. In this respect, the text you enter is processed in order to display it in the online meeting and, if necessary, to record it. For display of video and playback of audio, the data from your device’s microphone and any video camera on the device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the tool apps.

Scope of processing

We use the tools mentioned to hold online meetings. If we want to record online meetings, we will inform you transparently in advance and – if necessary – ask for your consent. When recording is taking place, this will be displayed in the respective tool app.

We will log the chat content where necessary for the purpose of logging the results of an online meeting. However, this will not usually be the case.

In the case of webinars, we may also process questions submitted by participants for follow up purposes.

No automated decision-making within the meaning of Art. 22 of the GDPR is used.

Legal basis for data processing

Insofar as personal data is processed by employees of Zeeh Design GmbH, Section 26 (1) S. 1 of the BDSG or Article 6 (1) lit. f of the GDPR provide the legal basis for data processing. If, in connection with the use of the respective tool, personal data is not required for the implementation, establishment or termination of the employment relationship, but is an elementary part of the use of the tool, Art. 6 Para. 1 lit. f of the GDPR provides the legal basis for data processing. Our interest in these instances relates to the efficient implementation of online meetings.

The legal basis for data processing in the implementation of online meetings is Art. 6 (1)(b) GDPR, insofar as the meetings are held in the context of contractual relationships.

If no contractual relationship exists, processing is based on Art. 6(1)(f) GDPR, Our interest in these instances also relates to the efficient implementation of online meetings.

Recipients / transfer of data

Personal data processed as a result of participation in online meetings are generally not passed on to third parties unless they are so intended.

Other recipients: The above-mentioned data is shared with the respective tool provider where it is required as part of our contractual agreement with them.

Data processing outside the European Union

The services are provided by tool providers based in the USA. Personal data is therefore also processed in a third country. Our data processing contracts with these providers comply with the requirements of Art. 28 GDPR.

An adequate level of data protection is guaranteed by the inclusion of EU Standard Contractual Clauses.

You have the right at any time to request specific information about the data we hold about you, to view this data and to request that incorrect information be corrected or that the stored data be deleted – either completely or partially.

You can revoke your consent to processing and use at any time with future effect. The relevant data will then be deleted or blocked immediately, taking statutory retention periods into account.

You can send your cancellation to the following postal or e-mail address, stating your full name and e-mail address:

Zeeh Design GmbH
– Data protection –
Boschstrasse 16
82178 Puchheim
Tel. +49 (0) 89 / 89 01 33 – 0 +49 (0) 89 / 89 01 33 – 0
datenschutz@zeeh-design.de

If you have any questions about data protection, you can contact us at the following address:

datenschutz@zeeh-design.de

If you have any questions about the collection, processing or use of your personal data on this website, please contact us in writing:

Zeeh Design GmbH
– Data protection –
Boschstrasse 16
82178 Puchheim
Tel. +49 (0) 89 / 89 01 33 – 0
Fax +49 (0) 89 / 89 01 33 – 10

You can reach the competent authority for compliance with data protection law in the private sector3 in Bavaria at:

Bavarian State Office for Data Protection Supervision
Promenade 27
91522 Ansbach
Tel. +49 (0) 981 / 53 12 – 28
www.lda.bayern.de

³ for private commercial enterprises, freelancers, in clubs and associations and on the Internet

We link to information videos on our website. Videos are a good way of conveying content more clearly. Since local hosting is not powerful enough to provide smooth playback, we use the external provider YouTube. By default, only deactivated preview images of the YouTube video are embedded, which means that no automatic connection to the provider’s servers is established. This prevents your data being transmitted to YouTube and its operator Google as long as you only visit our website. Only when you actively click on a video is a connection to YouTube be established, allowing the video to be displayed for you on our site. By embedding the video, the provider’s server is called up for technical reasons. Regarding the use of data from your browser or end device associated with this, please refer to YouTube’s data protection policy, as it is responsible for the corresponding data processing. You can view YouTube’s data protection information here.

As an additional protective measure against tracking, we embed all videos using YouTube’s “extended data protection mode” which ensures that minimal personal data is transmitted to YouTube.

The legal basis for embedding YouTube videos and the resulting transmission of technically necessary data to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is Art. 6 (1)(f) GDPR.

Our videos are embedded using a 2-click solution that provides users with the option of giving consent. By clicking to play the videos, you consent to transmission of the data required for the video integration (including the Internet address of the current page and your IP address) to Google. You can revoke this consent at any time by deleting the cookies set by our website via your browser settings.

This site uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. To use the functions of Google Maps, it is necessary to store your IP address. This information is typically transferred to a Google server in the USA and stored there. The provider of this website has no influence over this data transmission. The use of Google Maps is in the interest of an appealing presentation of our online offerings and to make it easy to locate the places mentioned on the website. This constitutes a legitimate interest as defined by Art. 6 (1)(f) GDPR. You can find more information on the handling of user data in Google’s privacy policy: https://www.google.de/intl/de/policies/privacy/

Our website uses cookie consent technology from Borlabs Cookie to obtain your consent to the storage of certain cookies in your browser and to document them in compliance with data protection regulations. The provider of this technology is Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg (hereinafter referred to as Borlabs).

When you access our website, a Borlabs cookie is stored in your browser, which records the consents you have given or the revocation of these consents. This data is not transmitted to the provider of Borlabs Cookie. The data collected is stored until you request its deletion, delete the Borlabs cookie yourself, or the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected. Details on the data processing of Borlabs Cookie can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/

Borlabs cookie consent technologies are used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 (1)(c) GDPR. C GDPR.

Description and scope of data processing

Google Analytics (with anonymisation function) is integrated into our website. Google Analytics is a web analytics service. Web analytics involves the collection, aggregation, and evaluation of data on the behaviour of visitors to websites. A web analytics service gathers, among other things, data about the website from which a user accessed our site (so-called referrers), which subpages were visited, how often, and for how long a subpage was viewed. We use web analysis primarily to optimise our website and to analyse the costs and benefits of internet advertising.

The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

The data controller uses the ”_gat._anonymizeIp” extension for Google Analytics. This extension ensures that the IP address of the data subject’s internet connection is shortened and anonymised by Google when access to our website occurs from a Member State of the European Union or from another state that is a party to the Agreement on the European Economic Area.

Google Analytics sets a cookie on the user’s information technology system of the data. Setting this cookie enables Google to analyse how our website is used. Each time a page on this website that includes a Google Analytics component is accessed and operated by the data controller, the user’s internet browser automatically transmits data through the Google Analytics component to Google for the purpose of online analysis As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the data subject, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently to enable commission settlements.

Cookies are used to store personal information, such as the access time, the location from which access was made and the frequency of visits to our website by the data subject. Each time our website is visited, this personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.

Purpose of the data processing

The purpose of the Google Analytics component is to analyse visitor flows on our website. Google uses the data and information obtained, among other things, to evaluate the use of our website, to compile online reports for us which show the activities on our websites and to provide other services related to the use of our website.

The purpose of the processing is to address users as part of a target group in a specific way and to display personalised content based on the processed personal data, thereby continuously improving the website and its user-friendliness.

Legal basis for data processing

The legal basis for the processing of users’ personal data is consent in accordance with Art. 6 para. 1 lit. a GDPR.

Duration of storage

The data stored by the tracking process is deleted as soon as it is no longer required for our recording purposes. In our case, this is after 12 months.

Right to object and possibility of removal

The data subject may, as described above, prevent the setting of cookies by our website at any time by adjusting the settings of the internet browser used and thereby permanently object to the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google from setting a cookie on the data subject’s IT system. In addition, cookies already set by Google Analytics can be deleted at any time via the internet browser or other software programmes.

Furthermore, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) being sent to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

Alternatively, you can prevent Google Analytics from collecting your data – particularly on mobile device browsers – by clicking the following link: https://tools.google.com/dlpage/gaoptout?hl=de

Deactivate Google Analytics

This places an opt-out cookie on your device, which prevents Google Analytics from collecting your data when you visit this website in the future.

Please note that if you delete cookies in your browser settings, this may also delete the Google Analytics opt-out cookie, meaning you may need to activate it again.

Further information and Google’s applicable privacy policy can be found at: https://www.google.de/intl/de/policies/privacy/ and at http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail at https://www.google.com/intl/de_de/analytics/.

We use service providers when delivering our services, particularly for the provision, maintenance, and upkeep of IT systems and for the operation of cloud-based applications. Our service providers process your personal data on our behalf and according to our instructions within the European Union, unless otherwise specifically stated in this data protection notice, (in particular XING and LinkedIn)

We have concluded the EU Standard Contractual Clauses with our US providers. Please note that these providers undertake to comply with the EU data protection standards, thereby ensuring an appropriate level of protection for your personal data under the data protection law.

Due to the dynamic development of internet services, it may become necessary to update our privacy policy from time to time. Please therefore refer to the currently applicable version of our privacy policy.

ZEEH DESIGN GmbH (hereinafter also referred to as “ZEEH DESIGN”, “we”, or “us”) is obliged under Section 12 of the German Whistleblower Protection Act (HinSchG) to establish an internal reporting office and operate it in accordance with Sections 13 to 18 HinSchG. To this end, ZEEH DESIGN has set up reporting channels through which you as an employee, agency worker assigned to the organisation, client, or supplier can contact the internal reporting office to report information about breaches that they have become aware of in connection with their professional activity or prior to taking up such activity.

Below we inform you of the purpose and legal basis on which we process your personal data, the duration of processing, and your rights with regard to this data processing if you use the reporting channels.

Please take the time to read this data protection notice, as it contains important information on how we handle your personal data.

Contents of this notice

Where the term “data” is used in the text, this refers exclusively to personal data, including special categories of personal data as defined under the GDPR

Nature and scope

General information

ZEEH DESIGN is obliged to establish an internal reporting office to fulfil the requirements of the Whistleblower Protection Act (HinSchG), which implements the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“Whistleblower Directive”) in the Federal Republic of Germany.

The aim of the Whistleblower Directive is to improve enforcement of European Union law in certain areas by providing special protection to individuals who report breaches. Even if this goal is not explicitly stated in the HinSchG, it must be considered through EU-compliant interpretation of the legislation. The express purpose enshrined in the HinSchG is the protection of natural persons who, in connection with their professional activities or prior to taking them up, acquire information about breaches and report or disclose them to the reporting office. The HinSchG also aims to protect persons who are the subject of a report or disclosure, as well as other persons affected by a report or disclosure.

Accordingly, ZEEH DESIGN has established a reporting office and operates the relevant reporting channels to allow such breaches to be reported in line with the above objectives.

Whistleblowers

If you contact the internal reporting office to provide information about breaches or to make a disclosure, the reporting office will process your data only to the extent necessary to document the report and its status, and to confirm receipt of your report. We also process your data to assess whether the reported breach falls within the material scope of the Whistleblower Protection Act (HinSchG) and therefore falls under the responsibility of the internal reporting office; to assess the validity of the report; and, where required for handling the report – in particular for fact-finding – to communicate with you regarding further information. We take notes and produce records for this purpose. We also process your data in order to take appropriate follow-up action, and to inform you of such action and/or any planned measures, along with the reasons. No feedback will be provided if the rights of persons named in connection with the report are affected during the course of internal investigations.

Accused persons

If you are named in a report or are the subject of a report, we will process your data only to the extent necessary to document the report and its status, to assess whether the reported breach falls within the material scope of the Whistleblower Protection Act and thus falls within the responsibility of the internal reporting office. We also process your data to assess the validity of the report. If the report is found to be valid, we will process your data to carry out the investigations required to establish the facts and to take appropriate follow-up measures.

Reporting office officers and staff assigned to the reporting office

If you are appointed as a reporting officer or work in the internal reporting office, we process your data to provide you with access to the reporting channel. In addition, we process your data to the extent necessary to document the reports and the respective status.

Purpose and legal basis

The purposes of the processing – with reference to the legally defined objectives of improved enforcement of Union and national law – are:

• the establishment and operation of reporting channels in accordance with Section 16 HinSchG;
• the documentation of reports from whistleblowers in accordance with Section 11 HinSchG;
• the confirmation of receipt to whistleblowers, the review of whether the report falls within the material scope, and the assessment of the validity of reports as well as communication with whistleblowers pursuant to Section 17(1) HinSchG;
• the implementation of follow-up measures under Section 18 HinSchG;
• feedback to whistleblowers in accordance with Section 17 (2) HinSchG.

The legal basis for this is Article 6(1)(c) and Article 9(2)(j) GDPR in conjunction with Section 10 HinSchG.

Recipients

Only those individuals who are responsible for handling reports will have access to or be able to view your data. These are usually the appointed reporting officers and staff assigned to the reporting office. Where the disclosure of information that could reveal your identity as a whistleblower is required as part of follow-up measures, we will only pass this information on to authorities or bodies outside the reporting office if you have previously given your consent in accordance with Section 9(3) HinSchG. In the context of criminal prosecution or due to other legal obligations, it may be necessary to disclose your personal data to government investigative bodies or other competent public authorities. In such cases, you will be informed in advance and provided with reasons for the disclosure – unless the competent authority has informed us that doing so would jeopardise ongoing investigations, inquiries, or legal proceedings.

We have established the following reporting channels:

• by e-mail to hinweis@zeeh-design.de
• via the online form at https://www.zeeh-design.com/hinweis-beschwerdesystem
• by post to ZEEH DESIGN GmbH, – information team *confidential* -, Boschstr.16, 82178 Puchheim
• in person

All persons with access to the data are obliged to maintain confidentiality.

Deletion and retention

We will delete your data as soon as it is no longer required for the purpose for which it was collected. As a rule, this is three years after the end of the calendar year in which the procedure was concluded. The legal basis for this is Section 11 (5) HinSchG. In individual cases, data may be retained for longer periods in order to comply with legal requirements.

Further information on data protection and your rights

You have the right to request information at any time about the data stored about you. In individual cases, access may be denied in accordance with Section 34(2) of the German Federal Data Protection Act (BDSG) in order to protect the identity of the whistleblower. You also have the right to request rectification, erasure, or restriction of the processing (blocking) of your personal data, provided this is legally permissible and possible within an existing contractual relationship. You have the right to lodge a complaint with any data protection supervisory authority. You may object to the processing of your data on grounds relating to your particular situation, if the data is processed on the basis of our legitimate interests or is necessary for the performance of a task carried out in the public interest.

Further information on data protection, especially regarding your rights as a data subject as well as information about the data controller and data protection officer, can be found at: https://www.zeeh-design.com/datenschutz

Section 4 of the Whistleblower Protection Act (HinSchG) legally guarantees protective measures for whistleblowers and other protected individuals, including exclusion of liability, protection against reprisals, and liability for damages.