Privacy statement

Your privacy is important

1. Overview and scope of application

The following privacy statement provides you with information about the scope of application, the data controller and an overview of the type, scope and purpose of personal data collected by the GGW GROUP GmbH when you visit this website, as well as in other data processing activities at our responsibility which are unrelated to the website.

1.1 Data controller
The data controller, i.e. person or company deciding on the purposes and means of processing personal data is

GGW Group GmbH
Fischertwiete 1, Chilehaus B
20095 Hamburg

1.2 Data protection officer
You can contact our data protection officer at the following address:

Marc Althaus
Frapanweg 22
D-22589 Hamburg

Contact form:

2. Data processing

2.1 Information about data processing
Diligence and transparency are the foundations of trust-based relationships. That is why we are informing you about how we process your data and the rights accorded to you as a data subject by the General Data Protection Regulation (GDPR).

2.1.1 Scope of processing personal data
We only process the personal data of our website users if it is necessary to provide website functions, content or services.
Personal data of our website users is generally only processed with their consent. An exception applies in those cases in which the processing of the data is permitted by law or on another legal basis.

2.1.2 Legal basis for the processing of personal data
The processing of personal data is lawful under Article 6 (1) a) of the GDPR provided we obtain the consent of the data subject.
If it is necessary to process personal data for the purpose of executing a contract with the data subject, the legal basis is Article 6 (1) b) GDPR. This also applies if the data is being processed prior to entering into a contract. If the personal data is processed for the purpose of our legitimate interests, the legal basis is Article 6 (1) f) GDPR.

2.1.3 Data erasure and storage period
We only store your data for as long as it is required for the processing purpose. When the data is no longer necessary for the processing purpose it is regularly deleted unless we have to continue storing it for a limited time period. This may be necessary for the following reasons:

  • Compliance with commercial or tax law archiving requirements
  • As evidence in legal disputes within the scope of the statutory limitation periods

We may also continue to store your data if you have provided your explicit consent.

2.1.4 No legal obligation to provide personal data
There is no contractual or legal obligation to provide personal data.
If necessary data (entries that are designated as mandatory in the entry mask) are not provided, we may not be able to provide the respective service. Otherwise, failure to provide necessary data may result in us being unable to provide our services in the same form and quality.

2.1.5 Transfer of personal data to government authorities
We only transfer personal data to government authorities (including criminal investigation agencies) if this is necessary to comply with a legal obligation (legal basis: Article 6 (1) c) GDPR) or for the purpose of asserting, exercising or defending legal rights (legal basis Article 6 (1) f) GDPR).

2.1.6 Hosting by external service providers
Most of our data processing is performed in conjunction with external hosting service providers who provide the necessary storage space and processing capacity at their data centres and process personal data on our behalf and in accordance with our instructions. These service providers only process the data in the EU.
It is in our legitimate interest (i.e. in the interest of the analysis, optimisation and efficient operation of our website pursuant to Article 6 (1) f) GDPR to integrate third party content or services such as videos or fonts our website (referred to in the following as “content”).
This is only possible with the third party content provider’s knowledge of the user’s IP address, because without the IP address it would not be possible send the content to the user’s browser. Without the IP address this content cannot be displayed. Whenever possible, we ensure that third party content providers only use the IP address to provide the content. Some third party content providers also use pixel tags (small blocks of code, also called web beacons) for statistical or marketing purposes. The pixel tags can evaluate information such as visitor traffic on our website pages. Other pseudonymous data can be stored in cookies on the user’s terminal and provide information about the user’s browser and operating system, referrer URLs, length of visit and other information about the use of our website and combine it with information from other sources.

2.1.7 Categories of recipients
We share your personal data with various public and internal departments, as well as external service providers, in order to comply with our contractual and legal obligations.
Data can be shared between the GGW GROUP GmbH companies. Upon request we will provide you with a current list of the GGW GROUP GmbH companies.

2.1.8 Data categories
We process your personal data when you contact us We also process your personal data for the purposes of compliance with legal obligations, the legitimate interests pursued by us or if you have provided your consent. We may also make use of data provided to us by third parties in connection with all the above purposes.
We process the following categories of personal data in accordance with the relevant legal bases:

  • Personal master data: title, salutation/gender, first name, surname, date of birth
  • Address data: street, house no., post code, town/city, country
  • Communication data: telephone no., email address, fax no.
  • Nationality
  • Application data: profession, career path, certificates, CV, references, photos
  • Marital status
  • Access data: date and time of access; referrer URL; pages accessed; session identification (session ID) data; as well as the following data pertaining to the accessing computer system: Internet protocol address (IP address), browser type and version, device type, operating system and similar technical information.

2.2 Website access
This section describes how we process your personal data when you visit our website. In particular, we would like to point out that access data transmission to external content providers is unavoidable due to Internet information transmission technology.

Information on processing
When you visit our website at your browser automatically sends information to our web servers. This information is temporarily stored in a so-called log file. The following information is collected and stored until it is automatically erased.

For example: a) Requesting IP address, b) Date and time of access, c) Name and URL of the file being accessed, d) Referrer URL, e) Browser type and possibly your device’s operating system and the name of your access provider. These data are processed by us for the following purposes: a) To ensure you experience no problems accessing our website, b) To ensure the convenience of use of our website, c) To assess system security and stability and for other administrative purposes. The legal basis for data processing is Article 6 (1) f) GDPR. It is in our legitimate interest to collect data for the above-listed purposes.

  • Data category: access data
  • Purpose: connection establishment, display of website content, identification of attacks on our website on the basis of unusual activities, troubleshooting
  • Legal basis: pursuance of legitimate interests (Article 6 (1) f) GDPR)
  • Legitimate interests include: proper function of the services, security of data and business processes, prevention of misuse, protection against damages resulting from information system security breaches
  • Duration of storage: 7 days
  • Recipients: IT service providers, hosting service providers, consent tool providers

2.3 Applications
We process personal data in application processes as follows:

2.3.1 Information on processing

  • Data category:
    a. Personal master data
    b. Address data
    c. Contact data
    d. Application data
  • Purpose:
    a. Identification, contact, age verification.
    b. Identification, contact, communication prior to entry into a contract.
    c. Identification, contact, communication prior to entry into a contract.
    d. Candidate selection.
  • Legal basis: Article 6 (1) b) GDPR
  • Duration of storage: 6 months.
  • Recipients: HR department.

3. Data subject rights

3.1 Right to obtain information
You have the right to obtain confirmation as to whether personal data are being processed by us, which personal data are being processed and other information in accordance with Article 15 GDPR.

3.2 Right to rectification
You have the right to the rectification without undue delay of inaccurate personal data concerning you. (Article 16 GDPR). Taking into account the purposes of the processing, you have the right – including by means of providing a supplementary statement– to have incomplete personal data completed.

3.3 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the future processing of personal data concerning you on the basis of Article 6 (1) e) or f) GDPR.
There will be no charge to you for exercising your right to object.

3.4 Right to erasure (‘right to be forgotten’)
You have the right to obtain from us the erasure of personal data concerning you without undue delay if one of the grounds listed in Article 17 (1) GDPR applies and processing for a purpose stated in Article 17 (3) is not necessary.

3.5 Right to restriction of processing
You have the right, under Article 18 (1) a) to d) GDPR, to restrict the processing of personal data concerning you if one of the listed grounds applies.

3.6 Right to data portability
You have the right to receive your personal data which you have provided to a controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transfer these data to another data controller without hindrance from us or to request us to transfer the data directly, insofar as this is technically possible. This always applies if the basis of the data processing is consent or a contract and the data are processed automatically. It does not apply to data stored on paper only.

3.7 Right to revoke consent
If your data are processed on the basis of your consent you have the right to revoke your consent with future effect at any time. This does not affect the lawfulness of processing up to the time of consent revocation.

3.8 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for data protection issues is the State Data Protection Officer in the state where the company has its registered office. The following link takes you to a list of data protection officers and their contact details:

Version of: 14.11.2023