With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").
The terms used are not gender-specific.
Last Update: 17. February 2026
Table of contents:
Controller:
I-D Media GmbH
Kaiser-Wilhelm-Ring 26
50672 Köln
Authorised Representatives: Alexander Dohmen
E-mail address: datenschutz@idmedia.com
Phone: +49 221 399603-0
Legal Notice: https://www.idmedia.com/imprint
Contact information of the Data Protection Officer:
RAHN DATENSCHUTZ GmbH
Sven Rahn
Heinz-Nixdorf-Straße 12
41179 Mönchengladbach
T: +49 2161 277 173 0
E: dsb.idmedia@rahn-datenschutz.de
The following table summarises the types of data processed, the purposes for which they are processed and the concerned data subjects.
Categories of Processed Data
Categories of Data Subjects
Purposes of Processing
Relevant legal bases according to the GDPR: In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making, including profiling. Furthermore, data protection laws of the individual federal states may apply.
Reference to the applicability of the GDPR and the Swiss DPA: This privacy policy is intended to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). Where references are made to concepts such as the processing of personal data, legitimate interests, or special categories of data, these references are to be understood in accordance with the applicable data protection laws. Within the scope of application of the Swiss FADP, the legal interpretation of these terms is determined exclusively by Swiss law.
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information that is transferred between the website or app and the user's browser (or between two servers), thereby safeguarding the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions conform to the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being securely and encryptedly transmitted.
In the course of processing personal data, it may happen that this data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and particularly conclude relevant contracts or agreements that serve to protect your data with the recipients of your data.
Data Transmission within the Group of Companies: Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to it. This data sharing is based on our legitimate business and economic interests. By this, we mean, for example, the improvement of business processes, ensuring efficient and effective internal communication, the optimal use of our human and technological resources, as well as the ability to make informed business decisions. In certain cases, data sharing may also be necessary to fulfil our contractual obligations or may be based on the consent of the data subjects or a legal permission.
Data Transfer within the Organization: We may transfer personal data to other departments or units within our organisation or grant them access to it. If the data is shared for administrative purposes, it is based on our legitimate business and economic interests or occurs if it is necessary to fulfil our contractual obligations or if the data subjects have given their consent or a legal permission exists.
Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies (which becomes apparent either from the postal address of the respective provider or when explicitly mentioned in the privacy policy regarding data transfer to third countries), this is always done in accordance with legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by the EU Commission's adequacy decision of July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers, which comply with the EU Commission's requirements and establish contractual obligations to protect your data.
This dual safeguard ensures comprehensive protection of your data: The DPF serves as the primary level of protection, while the Standard Contractual Clauses act as an additional security measure. Should any changes occur within the DPF framework, the Standard Contractual Clauses will serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.
For individual service providers, we will inform you whether they are certified under the DPF and if Standard Contractual Clauses are in place. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce's website at https://www.dataprivacyframework.gov/.
For data transfers to other third countries, appropriate safeguards apply, particularly Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
We will inform you which of our service providers are certified under the Data Privacy Framework as part of our data protection notices.
We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original purpose of processing is no longer applicable or the data is no longer needed. Exceptions to this rule exist if statutory obligations or special interests require a longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data specifically applicable to certain processing processes.
In cases where multiple retention periods or deletion deadlines for a date are specified, the longest period always prevails.
Data that is no longer stored for its originally intended purpose but due to legal requirements or other reasons are processed exclusively for the reasons justifying their retention.
Data Retention and Deletion: The following general deadlines apply for the retention and archiving according to German law:
Start of the period at the end of the year: If a period does not expressly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the time at which the termination or other termination of the legal relationship takes effect.
Rights of the Data Subjects under the GDPR: As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.
Further information on processing methods, procedures and services used:
When contacting us (e.g. via mail, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.
Further information on processing methods, procedures and services used:
Web analytics (also referred to as "reach measurement") is used to evaluate the visitor flows of our online services and may include pseudonymous values related to visitor behavior, interests, or demographic information such as age or gender. Through reach analysis, we can, for example, identify when our online services or their functions and content are most frequently used or likely to encourage repeat visits. It also enables us to determine which areas need optimization.
In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online services or their components.
Unless otherwise specified below, profiles (i.e., data combined from a usage process) may be created for these purposes, and information can be stored in and later retrieved from a browser or device. The data collected includes, in particular, visited websites and elements used on them, as well as technical information such as the browser used, the computer system, and information about usage times. If users have given consent to the collection of their location data to us or to the providers of the services we use, the processing of location data is also possible.
Additionally, users' IP addresses are stored. However, we use an IP masking process (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored as part of web analytics, A/B testing, or optimization. Instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the respective procedures.
Legal basis information: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economic, and user-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.
Further information on processing methods, procedures and services used:
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users' rights.
In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the associated interests of users. The user profiles can then be used, for example, to place advertisements within and outside the networks which are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective networks or will become members later on).
For a detailed description of the respective processing operations and the opt-out options, please refer to the respective data protection declarations and information provided by the providers of the respective networks.
Also in the case of requests for information and the exercise of rights of data subjects, we point out that these can be most effectively pursued with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, please do not hesitate to contact us.
Further information on processing methods, procedures and services used:
We use services, platforms and software from other providers (hereinafter referred to as " third-party providers") for the purposes of organizing, administering, planning and providing our services. When selecting third-party providers and their services, we comply with the legal requirements.
Within this context, personal data may be processed and stored on the servers of third-party providers. This may include various data that we process in accordance with this privacy policy. This data may include in particular master data and contact data of users, data on processes, contracts, other processes and their contents.
If users are referred to the third-party providers or their software or platforms in the context of communication, business or other relationships with us, the thirdparty provider processing may process usage data and metadata that can be processed by them for security purposes, service optimisation or marketing purposes. We therefore ask you to read the data protection notices of the respective third party providers.
Further information on processing methods, procedures and services used:
In this section, you will find information on how we handle data from individuals who provide tips (whistleblowers), as well as from affected and involved parties within the framework of our whistleblower procedure. Our aim is to offer a straightforward and secure means of reporting potential misconduct by us, our employees, or service providers, especially for actions that violate laws or ethical guidelines. Furthermore, we ensure appropriate processing and handling of the reports.
Processed types of data:
In the course of receiving and processing reports, as well as in the subsequent whistleblower procedure, we may collect various data. These particularly include information provided by a whistleblower, such as:
For the purposes of fact-finding and further proceedings, we also process the following personal data:
Special categories of personal data:
It may occur that we collect special categories of personal data in the course of our activities, especially when they are provided by a whistleblower. These include:
These data are only processed if they are relevant to the handling of the respective report and have been explicitly provided by the whistleblower.
Use of our online forms: Please note that you have the option to submit tips anonymously. To ensure the security of your data when using our online forms, we recommend accessing them in the so-called 'Incognito Mode' of your browser. Here's how you can open an Incognito window: a) On a Windows PC: Open your browser and press Ctrl+Shift+N; b) On a Mac: Open your browser and press Command+Shift+N; c) On mobile devices: Switch to private mode via the tab menu.
When accessing our website in normal mode, your browser automatically sends certain information to our server, such as browser type and version, date and time of your access. This also includes the IP address of your device. These data are temporarily stored in a log file and automatically deleted after no more than 30 days.
The processing of the IP address serves technical and administrative purposes for establishing a connection to our website. It ensures the security, stability, and functionality of the whistleblower form and is an essential part of our measures to ensure the confidential submission of reports.
The processing of logged data is based on Article 6 (1)(f) GDPR. Our legitimate interest lies in the need for security and the necessity to ensure the technical conditions for a smooth and uninterrupted submission of reports.
Disclosure of names: You have the option to submit reports anonymously. However, unless prohibited by national legislation, we recommend that you provide your name and contact details. This enables us to follow up on the report more effectively and, if necessary, to contact you directly.Should you choose to provide your name and contact information, your identity will be treated with strict confidentiality. Exceptions to this confidentiality exist only if we are legally obliged to disclose your identity. This may be necessary in order to protect or defend our rights or the rights of our employees, customers, suppliers, or business partners. Another exception is if it is determined that the allegations were made with malicious intent.
Disclosure of data to third parties: Data related to the report provided will only be disclosed to third parties under certain circumstances. This occurs either a) if you have given us your explicit consent according to Art. 6 (1)(a) of the GDPR, or b) if there is a legal obligation to disclose the data pursuant to Art. 6 (1)(c) of the GDPR. Possible third parties include public authorities, government, regulatory or tax agencies, if disclosure is necessary for compliance with a legal or regulatory obligation. Furthermore, within the scope of legal provisions, we may engage lawyers and other professional advisers who are authorised to investigate suspected misconduct and take necessary actions following an investigation, such as initiating disciplinary or legal proceedings. Additionally, carefully selected and supervised service providers whom we employ may also receive data for these purposes (such as operators of a web-based reporting tool). However, these providers are contractually bound to comply with the prevailing data protection regulations under a so-called data processing agreement.
Data retention and deletion: Personal data will be processed only for as long as necessary to fulfil the purposes of processing described above. If the data are no longer needed for these purposes, they will be deleted. However, in certain situations, the data may be retained for longer periods to meet legal requirements, provided this is necessary and proportionate. In such cases, the data will be deleted as soon as they are no longer required for these purposes.
Technical and organisational measures: We have implemented the necessary contractual, technical, and organisational measures to ensure the security of all data processed by us. This data is processed exclusively for the purposes set out. The incoming hints are handled by authorised individuals who gain access to the respective reports and carry out the subsequent examination of the facts. Our employees are specifically trained, educated, and bound to strict confidentiality in the proper execution of these examinations of facts.
We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.
Terminology and Definitions
In this section, you will find an overview of the terminolog used in this privacy policy. Where the terminology is legally defined, their legal definitions apply. The following explanations, however, are primarily intended to aid understanding.