
Privacy Policy

Last updated: October 30, 2025
 
 
Controller
 

 
Katharina Maria Schwarz
Martin Prech Strasse 3
94034 Passau, Germany
Email: info@kmsglobal.de
 
 
Overview of Processing Activities
 
 
The following overview outlines the categories of personal data we process, the purposes for which they are processed, and the categories of affected data subjects.
 
Categories of Data Processed:

  • Master data (e.g., name, address, contact details)

  • Payment data

  • Contact data

  • Content data

  • Contract data

  • Usage data

  • Metadata, communication, and procedural data

  • Log data

 
 
Categories of Data Subjects:
 

  • Clients and service recipients

  • Prospective clients

  • Communication partners

  • Users

  • Business and contractual partners

 
 
Purposes of Processing:
 

  • Performance and fulfillment of contractual obligations

  • Communication

  • Security measures

  • Audience measurement

  • Office and organizational management

  • Administrative and operational procedures

  • Feedback management

  • User profiling and personalization

  • Provision and optimization of online services

  • Information technology infrastructure

  • Public relations and marketing

  • Business and operational management

 
 
 
Applicable Legal Bases
 
Legal bases under the EU GDPR and UK GDPR:
The following section provides an overview of the legal bases under Article 6 of the General Data Protection Regulation (GDPR) on which we rely when processing personal data. Please note that national data protection laws may also apply in addition to the GDPR, depending on your or our place of residence or establishment. Where specific legal bases apply to certain processing activities, we will explicitly indicate them in this Privacy Policy.
 

  • Consent (Art. 6 (1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.

  • Performance of a contract and pre-contractual inquiries (Art. 6 (1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.

  • Legal obligation (Art. 6 (1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Legitimate interests (Art. 6 (1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

 
 
National data protection law in Germany:

In addition to the GDPR, the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) applies. The BDSG contains specific provisions on the right of access, rectification, erasure, objection, and the processing of special categories of personal data. Similar provisions may apply under the data protection laws of the German federal states.
 
Applicability of the GDPR and the Swiss Federal Act on Data Protection (FADP):
These privacy notices are intended to comply with both the EU GDPR and the Swiss FADP. For ease of understanding, we primarily use terminology from the GDPR, such as “processing of personal data”, “legitimate interest”, and “special categories of data”. However, the corresponding meanings under Swiss law remain unaffected where the FADP applies.
 
 
Security Measures
 
In accordance with legal requirements, we implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.
 
These measures include, in particular, safeguards for the confidentiality, integrity, and availability of data through control of physical and electronic access, data input, transmission, and separation. We have also established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data incidents. Moreover, we consider data protection principles when designing or selecting hardware, software, and procedures, following the principles of data protection by design and data protection by default.

 
Transfer of Personal Data
 
In the course of our processing activities, personal data may be transferred to other entities, companies, legally independent organizations, or individuals. Recipients of such data may include, for example, IT service providers, hosting companies, or providers of services and content that are integrated into our website.
Whenever personal data is disclosed to third parties, we do so in compliance with the applicable legal provisions, particularly by concluding data processing agreements or other contractual arrangements designed to ensure the protection of your personal data.
 
 
 
International Data Transfers
 
Data processing in third countries:
If we transfer personal data to a country outside the European Union (EU), the European Economic Area (EEA), or the United Kingdom, or if such data transfer occurs in the context of using services provided by third parties, we do so strictly in compliance with applicable legal requirements.
 
For data transfers to the United States, we primarily rely on the EU–US Data Privacy Framework (DPF), which was recognized by the European Commission on July 10, 2023, as providing an adequate level of data protection. Additionally, we have concluded Standard Contractual Clauses (SCCs) with relevant providers to ensure contractual safeguards for your data protection.
 
This dual safeguard guarantees comprehensive protection for your data: the DPF serves as the primary protection mechanism, while the SCCs act as a supplementary safeguard. Should the DPF’s legal status change, the SCCs will remain in force as a fallback solution. This ensures that your data remains appropriately protected at all times, even in the event of political or legal changes.
 
We will inform you in this Privacy Policy whether individual service providers are certified under the DPF and whether Standard Contractual Clauses are in place. You can find further information and a list of DPF-certified companies on the U.S. Department of Commerce’s website:
https://www.dataprivacyframework.gov/
 
For data transfers to other third countries, equivalent safeguards are applied—primarily through Standard Contractual Clauses, explicit consent, or legal requirements. Details regarding adequacy decisions and safeguards can be found on the European Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en
 
 
 
Data Retention and Deletion
 
We delete personal data in accordance with applicable data protection laws when consent is withdrawn, when the original purpose of processing no longer applies, or when no other legal basis for processing exists. Exceptions may apply if statutory retention obligations or overriding legitimate interests require a longer retention period.
 
In particular, data that must be retained for commercial or tax reasons, or where storage is necessary for the defense or assertion of legal claims, will be archived in compliance with legal requirements.
 
Where multiple retention periods could apply to a data category, the longest legally permissible period will prevail. If data are retained solely for compliance or evidentiary purposes, they are processed exclusively for those purposes.
 

Retention periods under German law:
 

  • 10 years: Accounting records, annual financial statements, inventories, management reports, opening balance sheets, and related supporting documentation (§ 147 (1) AO, § 257 (1) HGB).

  • 8 years: Accounting vouchers such as invoices and receipts (§ 147 (1)(4) AO, § 257 (1)(4) HGB).

  • 6 years: Business correspondence, calculations, cost sheets, payroll documentation, and other business-related records relevant for taxation (§ 147 (1)(2–5) AO, § 257 (1)(2–3) HGB).

  • 3 years: Data necessary to consider potential warranty or compensation claims, based on standard statutory limitation periods (§§ 195, 199 BGB).
     

 
 
Rights of Data Subjects
 
Under the EU GDPR and UK GDPR, you, as a data subject, have the following rights regarding the processing of your personal data. These rights are outlined in Articles 15 to 21 of the GDPR.
 

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. Where your data are processed for direct marketing purposes, you may object at any time to such processing, including profiling related to direct marketing.

  • Right to withdraw consent: You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  • Right of access: You have the right to obtain confirmation as to whether personal data concerning you are being processed, as well as access to such data and additional information in accordance with legal requirements.

  • Right to rectification: You have the right to request the correction of inaccurate personal data or the completion of incomplete data concerning you, in accordance with legal requirements.

  • Right to erasure and restriction of processing: You have the right to request the deletion of personal data concerning you without undue delay where one of the grounds set out in Article 17 GDPR applies. Alternatively, you may request restriction of processing under Article 18 GDPR.

  • Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where technically feasible.
     

Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR.


Business Services
 
We process the data of our contractual and business partners—such as clients and prospective clients (collectively referred to as “contractual partners”)—within the framework of contractual or comparable legal relationships, including all pre-contractual communications and subsequent administrative processes.
 
The processing of personal data is necessary to fulfill our contractual obligations, including the provision of agreed services, maintenance, updates, and support in the event of performance issues or warranty claims. Furthermore, we process such data for legitimate business purposes, including administrative management, safeguarding our rights, and ensuring operational security.
 
This may include, for example, collaboration with telecommunication, logistics, subcontracting, banking, legal, or accounting partners, as well as the fulfillment of legal reporting obligations. Data are shared only to the extent required for these purposes or where legally mandated.
 
Data are deleted following the expiration of statutory retention and warranty periods (generally after four years), unless a longer retention period is required by law—for example, for tax-related archiving (typically ten years).
 
Categories of data processed:
 

  • Master data (e.g., name, address, contact information, customer number)

  • Payment data (e.g., bank account details, invoices, payment history)

  • Contact data (e.g., postal address, email, phone number)

  • Contract data (e.g., service type, duration, client category)

 
 
Legal bases:
 

  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR)

  • Legal obligation (Art. 6(1)(c) GDPR)

  • Legitimate interests (Art. 6(1)(f) GDPR)

 
 
 
 
Provision of Online Services and Web Hosting
 
We process user data to provide and maintain our online services. This includes processing the IP address necessary to deliver content and functions to the user’s browser or device.
 
Categories of data processed:
 

  • Usage data (e.g., pages visited, duration of visits, interaction behavior, device and operating system information)

  • Metadata and communication data (e.g., IP addresses, timestamps, session identifiers)

  • Log data (e.g., login information, access times, error logs)

 
 
Purposes of processing:
 

  • Provision and functionality of online services

  • IT infrastructure management

  • Security and operational stability

 
 
Retention:

Data are stored only as long as necessary for these purposes or as required by law. Log files are typically deleted or anonymized after 30 days, unless their continued storage is necessary for security or evidentiary purposes (e.g., in the event of a cyberattack).
 
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
 
 
 
Use of Cookies
 
“Cookies” are small data files that are stored on a user’s device and retrieved later. Cookies serve various purposes, such as enabling core website functionality, ensuring security, improving usability, or analyzing traffic patterns.
 
We use cookies in accordance with legal requirements. Where consent is required, we obtain it beforehand; where not required, we rely on legitimate interests, such as ensuring the proper functionality and security of our website.
 
Types of cookies:
 

  • Session cookies: Temporary cookies deleted after the session ends.

  • Persistent cookies: Stored beyond a session to recognize users, retain preferences, or analyze site usage. Unless otherwise specified, these may be retained for up to two years.

 
 
Withdrawal and opt-out options:

Users may withdraw their consent or object to processing at any time through browser settings or consent management tools.
 
Legal bases:
 

  • Consent (Art. 6(1)(a) GDPR)

  • Legitimate interests (Art. 6(1)(f) GDPR)

 
 
Consent management:
We use a consent management system to document and manage user preferences regarding cookies and similar technologies. Each consent is stored securely and may be withdrawn at any time.
 
 
 
Contact and Inquiry Management
 
When contacting us (e.g., by post, email, phone, contact form, or via social media), we process the information provided to respond to the inquiry and to manage any related administrative processes.
 

Categories of data processed:
 

  • Master data (e.g., name, address, contact details)

  • Contact data (e.g., email, phone)

  • Content data (e.g., messages, attachments, or other provided information)

  • Usage and communication data (e.g., timestamps, IP addresses, interaction logs)

 
 
Purposes of processing:
 

  • Communication and response to inquiries

  • Administrative and organizational purposes

  • Feedback collection

  • Maintenance of customer and user relationships

 
 
Legal bases:
 

  • Performance of a contract or pre-contractual inquiries (Art. 6(1)(b) GDPR)

  • Legitimate interests (Art. 6(1)(f) GDPR)

 
 
 
 
Web Analytics, Monitoring, and Optimization
 
We use web analytics tools (also known as “audience measurement”) to evaluate user behavior and measure the reach of our online services. This helps us understand how users interact with our website, identify areas for improvement, and optimize content.
 
Analytics data may include pseudonymized information about user demographics (e.g., age or region), browsing behavior, devices used, and interaction frequency. IP addresses are anonymized using IP masking to protect user privacy.
 
We may also use testing tools (A/B testing) to compare versions of our website and improve usability and performance.
 
Categories of data processed:
 

  • Usage data (e.g., interactions, page views, duration, navigation)

  • Metadata and communication data (e.g., IP addresses, session identifiers, timestamps)

 
 
Purposes of processing:
 

  • Audience measurement and usage analysis

  • Optimization of content and design

  • Development of pseudonymized user profiles

 
 
Retention:
Cookies or similar identifiers used for analytics are generally stored for up to two years.
 
Legal bases:
 

  • Consent (Art. 6(1)(a) GDPR)

  • Legitimate interests (Art. 6(1)(f) GDPR – for performance optimization and security)

 
 
 
 
Social Media Presence
 
 
We maintain online profiles on social media platforms to communicate with users and provide information about our organization and services.
 
Please note that user data may be processed outside the European Union or the United Kingdom. This could pose risks to users, such as difficulties in enforcing their data protection rights.
 
Social networks often use user data for market research and advertising purposes, creating user profiles to deliver targeted advertising both within and outside their platforms. These profiles may include cross-device data, especially for registered users.
 
For detailed information on data processing and opt-out options, please refer to the respective social media providers’ privacy policies.
 
In cases of data subject requests (e.g., access or deletion), users are encouraged to contact the platform providers directly, as they have exclusive access to relevant user data.
 
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
 
Example – LinkedIn:
 
We share joint responsibility with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data related to “Page Insights” of our LinkedIn profiles. This includes statistics about viewed content, interactions, and device information (such as IP address, operating system, browser type, and language settings).
Further information is available in LinkedIn’s Privacy Policy:
https://www.linkedin.com/legal/privacy-policy
 
A joint controller agreement (“Page Insights Joint Controller Addendum”) defines LinkedIn’s obligations regarding data protection and the exercise of data subject rights. Users may exercise their GDPR rights directly with LinkedIn.
Data transfers to the United States are protected under the Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
 
Opt-out options for targeted advertising:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
 
 
Generated using the Data Protection Generator by Dr. Thomas Schwenke, adapted and translated for international legal compliance (EU GDPR, UK GDPR, FADP).
