The exali.com Data Protection Declaration

Content:

  1. Responsible in terms of data protection laws
  2. Contact details for the data protection officer
  3. Automatic data processing when you visit the www.exali.com website
    1. Processing of the IP address
    2. Hosting on own servers
    3. Processing of server log files
    4. Use of Cookies
  4. Processing of personal data
    1. Data via the contact form
    2. Data when setting up a ‘My exali’ customer account
    3. Data when using the online questionnaire
    4. Data via Email
    5. Data in the newsletter / newsflash
    6. Data via telephone, callback service
    7. Data via fax
    8. Data as part of the application process
    9. Data by eKomi
    10. Processing of personal data when using/integrating the exali Liability Seal
  5. Social media presences
  6. Rights of the Data Subject
    1. Right to information - Art. 15 GDPR
    2. Right to rectification - Art. 16 GDPR
    3. Right to erasure - Art. 17 GDPR
    4. Right to restriction of processing - Art. 18 GDPR
    5. Right to notification - Art. 19 GDPR
    6. Right to data portability - Art. 20 GDPR
    7. Right of objection - Art. 21 GDPR
    8. Right to withdraw the declaration of consent under data protection laws
    9. Right to lodge a complaint with a supervisory authority - Art. 77 GDPR

Data Processing Carried out by exali

When you use the website www.exali.com and its functionalities, you contact us and you send us personal data.

This Privacy Policy informs you, in accordance with Art. 12, 13 GDPR, about the type and scope of the processing carried out by us when you visit our website.

I. The Party Responsible in Terms of Data Protection Laws is:

exali AG
Franz-Kobinger-Str. 9
86157 Augsburg
Germany

Phone: +49 821 80 99 46-0
Fax: +49 821 80 99 46-29

Email: info@exali.com

II. Contact details for the data protection officer

If you have any questions about the processing of your personal data by us, please contact our data protection officer in writing or by email:

RDP Röhl Dehm & Partner Rechtsanwälte mbB
Moritzplatz 6
86150 Augsburg
Germany

dataprotection@exali.com

III. Automatic data processing when you visit the www.exali.com website

Personal data is processed as soon as the page is called up. This happens automatically, without you having to take any further actions such as filling out and sending a contact form.

This automated processing concerns:

1. Processing of the IP address

1. Description and Scope of the Data Processing

When this page is called up, inquiries are sent to the server, which it must answer. To do so, your IP address must be collected and processed in order to be able to answer the relevant server inquiries.

2. Legal Basis for Data Processing

The legal basis for processing this data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of Data Processing

The purpose of processing your IP address is to establish and ensure the functionality of the website and to technically enable the website to be accessed.

4. Legitimate Interest

The legitimate interest in the temporary storage of the IP address lies in the fact that the functionality and provision of the technical accessibility of the website is not possible without this.

5. Duration of Storage

The data will be deleted as soon as further storage is no longer necessary due to the purpose being achieved. When collecting the data for the provision of the website, this is the case when the accessing process has ended.

6. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

7. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

2. Hosting on own servers

1. Description and scope of the data processing

We use our own servers for the technical implementation of the website and its accessibility.

This includes the provision of storage and database services as well as their maintenance and care.

2. Legal basis for data processing

The legal basis for processing this data is Art. 6 para. 1 lit. f) GDPR.

3. Purpose of data processing

The purpose of the processing is the execution of the online offer as well as the detection of malfunctions and break-in attempts.

4. Legitimate interest

The legitimate interest is the provision of a functional and uncompromised technical website environment.

5. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

6. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

3. Processing of server log files

1. Description and Scope of the Data Processing

The IP addresses collected when this page is accessed are also stored in so-called server log files in order to discover technical faults and / or attempts to manipulate and break into the server structure and make them remediable.

In addition, we automatically collect, store and process information in so-called server log files, which are automatically transmitted by your browser.

This information includes:

  • Browser type and browser version
  • Operating system
  • Referrer URL
  • Host name of accessing computer
  • Time of server request

However, this information is not merged with other data sources.

2. Legal Basis for Data Processing

The legal basis for processing this data is Art. 6 para. 1 lit. f) GDPR.

3. Purpose of Data Processing

The purpose of processing your IP address and the above information is to detect malfunctions and attempted break-ins. This serves the security structure of the website and the system integrity of the servers.

4. Legitimate Interest

The legitimate interest in processing the IP address and the above information is to provide a functional and uncompromised technical website environment.

5. Duration of Storage

The data will be deleted again within 30 days.

6. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

7. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

4. Use of Cookies

1. Description and scope of the data processing

The website www.exali.com uses so-called ‘cookies’. Cookies are text files that are stored in the memory and / or on a data carrier of the device used to visit the website and that are processed by your Internet browser in accordance with the settings stored there.

We process cookies that are absolutely necessary for the provision of the website and for its operation, otherwise a functional website cannot be provided.

In order to make the application as simple and clear as possible for the user, we have divided the online questionnaire into individual steps. We use a ‘session cookie’ to ensure that all data required for submitting a questionnaire can be saved up to the last application step and clicking on ‘Submit questionnaire now’.

  • Name: PHPSESSID
  • Content: Session cookie in the form of a hash
  • Name: ProDL cookie
  • Content: ID (internal identifier) of the chosen professional activity.

This is used to save an internal ID of the selected professional activity so that information relevant to them can be displayed to the user.

2. Legal basis for data processing

The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR.

3. Purpose of data processing

These cookies contain technical information for the provision of the website functionalities as part of the order and customer account process. This enables the technical implementation of the offer and customer account process.

4. Legitimate interest according to Art. 6 para. 1 lit. f) GDPR

The cookies used only contain technical data. The use of these cookies is necessary in order to be able to offer the user the functionality of our website that meets their expectations.

5. Duration of storage as well as options for objection and removal

These technically necessary cookies are so-called ‘session cookies’. These cookies are automatically deleted from the browser cache / memory on your computer at the end of your website visit and / or when you close your browser, provided you have activated this functionality in your browser.

Please check the settings of your internet browser (e.g. Firefox, Internet Explorer, Edge, Chrome, Opera, Safari). Your internet browser also gives you the option of regulating the handling of cookies or of deactivating them entirely. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

6. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

7. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

In addition, depending on your selection made via the Consent Manager, we process further cookies, which we only process on the basis of your consent. You can find information about these cookies in the settings in the Consent Manager.

IV. Processing of personal data

1. Data via the contact form

1. Description and scope of the data processing

There is a contact form on our website that is only used for electronic contact. We process your personal data to answer your contact request.

The following data is processed for inquiries via the contact form:

  • Name
  • E-mail address*
  • Phone
  • Reason for your inquiry ‘My inquiry concerns’
  • Prospective / existing customer
  • Your message to us*

The fields marked with an ‘*’ symbol are mandatory fields, without which you cannot send an inquiry to us using this contact form.

The indication of the name is used to address you personally when processing your request.

Please only enter the telephone number if you would like to be contacted by telephone or if you would like us to call you back.

When you simply enter the data in the forms, no data is transmitted to us; this only happens after you have clicked ‘Submit’.

At the time the message is sent, the following data is also processed:

Date and time of the inquiry

2. Legal basis for data processing

The legal basis for the processing of personal data to process and answer your inquiries is Art. 6 para. 1 lit. f) GDPR.

The legal basis for the processing of personal data that is used to prepare and / or create a contractual relationship is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The processing of personal data via the contact form serves the sole purpose of establishing contact and enabling the company to address the customer for information on the customer's initiative.

Depending on the intention and content of your request, the purpose can also be the initiation and / or implementation of a contractual relationship, in this case the purpose is also to maintain the customer relationship.

4. Legitimate interest

The legitimate interest in data processing lies in the possibility of processing your request and being able to respond to your request accordingly. The data collected will be processed on the basis of a request made by you. This processing is also in your interest in order to be able to respond to your request according to your expectations.

5. Duration of storage

The data will be erased within 6 months once it is no longer required to achieve the purpose for which it was collected or is not subject to further statutory retention requirements (e.g. 10 years according to AO (German Tax Code), 6 years pursuant to HGB, the German Commercial Code). For your data entered in the contact form, this is the case when the respective conversation with the user has ended.

The conversation has ended once the circumstances show that the matter in question has been conclusively clarified.

6. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

7. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

2. Data when setting up a ‘My exali’ customer account

1. Description and scope of the data processing

You can create a customer account on our website to facilitate the application process and customer support process. This ‘My exali’ customer account helps you to make the application process and the administration of your contract data more efficient for you and to manage your insurance contracts. For this purpose, we offer you a registration process in which you transmit data as part of your online questionnaire. You will receive your access data for the ‘My exali’ customer area with the password you have chosen, which you assigned in the online questionnaire.

2. Legal basis for data processing

The legal basis for the processing of personal data that is used to prepare and / or create a contractual relationship is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The processing of personal data as part of the registration is used to create the customer account, with which you can manage your applications and your contract data more easily.

4. Duration of storage

Your personal data will be deleted when you order us to delete your customer account. This does not apply if the data is subject to further statutory retention requirements (e.g. 10 years according to AO, the German Tax Code, 6 years according to the HGB, the German Commercial Code). In this case, processing will be restricted until the retention period has expired.

5. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

6. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

7. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

3. Data when using the online questionnaire

1. Description and scope of the data processing

There is an online questionnaire function on our website, which enables you to apply online and take out insurance benefits such as those made possible by professional indemnity insurance contracts.

You can submit applications for insurance benefits on our website, which we then check and document for you as part of our application process and provide the contracts in the ‘My exali’ customer account.

Depending on your professional affiliation, we collect application data in order to be able to initiate an insurance application for you that corresponds to your professional profile.

This information can include:

Headquarters, title, annual net sales, street / house number, title, postcode, last name, city, first name, country, company name (including legal form, if applicable), company formation, legal form, account number, telephone, bank code, mobile phone, IBAN, fax, BIC, email address, bank, website, account holder, GULP ID, Freelancermap ID, competent bar association, initial admission, number of professionals / partners, owner / main contact person - salutation, owner / main contact person - title, owner / main contact person - first name, owner / main contact person - last name, other partners - salutation, other partners - title, other partners - first name, other partners - surname, focus areas / specialist lawyers, goods or services, insured portals / apps, main activity, secondary activity, email, application questions.

In addition, we have to ask certain risk questions in the application process. These differ depending on your profession. Therefore, the screenshot is only an example:

2. Legal basis for data processing

The legal basis for the processing of personal data that is used to prepare and / or create a contractual relationship is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The purposes of processing personal data in the context of the online application are the processing of the questionnaire, the obtaining of corresponding insurance offers, the payment processing, the processing of the insurance contract process with the conclusion of the contract and the enabling of any customer inquiries, as well as the care and maintenance of the customer relationship.

4. Duration of storage

The data will be erased within 6 months once they are no longer required to achieve the purpose for which they were collected or are not subject to further statutory retention requirements (e.g. 10 years according to the AO German Tax Code, 6 years pursuant to HGB, the German Commercial Code). In this case, processing will be restricted until the retention period has expired.

As a rule, the special legal documentation requirements apply to us as an insurance broker (In Denmark, Finland and Sweden exali AG acts as a tied agent for Markel Insurance SE) according to VVG. Since you can generally apply for insurance benefits for our insurance products up to 10 years after the contract has ended, your data must be stored for this period.

If you take out insurance on our sites, you agree that exali and the insurer Markel may use personal data and other information for insurance purposes, such as: to produce insurance policies and certificates or to process damage claims. This permission also includes the transfer of parts of your personal details or other information to third parties in order to be able to provide insurance coverage. Such third parties can be, for example, the insurer, reinsurer, damage appraiser and insurance supervisory authorities. If such personal data belong to persons other than yourself, you must obtain the explicit consent of these persons and authorise us to use the information from these persons for the purposes described above.

5. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

6. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

7. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

4. Data via email

1. Description and scope of the data processing

For inquiries that you send us by email, personal data will be processed depending on the content of your email:

In any case, this is your e-mail address, the date and time and the content of the message. In addition, depending on the content of your e-mail, the following personal data are processed, as an example:

  • First name, last name
  • Telephone number
  • Position in the company
  • Department
  • etc.

The data will only be used to process the conversation and / or to carry out and / or initiate a contractual relationship.

2. Legal basis for data processing

Based on the express request of the user via email, the legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR. If contact by email is also aimed at concluding and / or executing a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The processing of personal data from email communication serves the purpose of maintaining orderly business operations. Email communication has become indispensable in the business world, both for internal corporate communication and for communication with customers, suppliers and potential business partners.

4. Legitimate interest

The legitimate interest in communication via email lies in enabling a generally recognised standard of communication. Email communication enables us to reduce response times to a minimum and thus meet the expectations of customers, suppliers and business partners.

The data will be erased within 6 months once they are no longer required to achieve the purpose for which they were collected or are not subject to further statutory retention requirements (e.g. 10 years according to the AO German Tax Code, 6 years pursuant to HGB, the German Commercial Code).

As a rule, the special legal documentation requirements apply to us as an insurance broker according to the German VVG. As you can usually apply for insurance benefits for our insurance products up to 10 years after the contract has ended, it is essential that your data are stored for this period.

5. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

6. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

7. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

5. Data in the newsletter / newsflash

1. Brevo (former Sendinblue)

We use the service on our website.

We use the service for sending our newsletter.

For this purpose, the data you provide when registering for the newsletter is passed on to the provider. The provider uses the data to send and statistically evaluate the newsletter on our behalf. The newsletter emails contain web beacons or tracking pixels for this purpose. These are one-pixel-sized image files that are stored on our websites. This allows your user behavior to be tracked, in particular whether you have opened the newsletter email or which hyperlinks in the email you have clicked on. The provider can also perform conversion tracking, i.e. determine whether a previously desired action has taken place after clicking on the hyperlink in the newsletter e-mail. In addition, technical information such as the time of the retrieval, your IP address, data about your web browser as well as the operating system are collected. This data is collected exclusively pseudonymously. The data is not linked to other personal data. A direct reference to a person is therefore excluded.

The legal basis is Art. 6 para. 1 p. 1 lit. a) GDPR (consent).

You can prevent the described processing and storage of your data by not using the service.

Provider:

Sendinblue GmbH

Köpenicker Str. 126

10179 Berlin

Germany

https://www.brevo.com/

https://www.brevo.com/de/legal/privacypolicy/

2. Description and Scope of the Data Processing

We offer a newsletter with promotional information for our customers and interested parties. The registration for our newsletter service uses the double-opt-in procedure to verify your registration.

In this case, you register using the newsletter form and after clicking the registration button you will receive an email with a link that you can click to confirm and complete the newsletter registration process. If you click on this confirmation link, you will receive mailings at regular intervals with the content specifically described when you registered for the newsletter. This registration process is also the process for obtaining your consent under competition law to send the newsletter within the meaning of the UWG. You can revoke this consent under competition law at any time with effect for the future by clicking on the unsubscribe link contained in every newsletter or by notifying us at newsletter@exali.com.

Our newsletter contains information about us, our offers and our services.

We log every newsletter registration so that we can provide evidence of the relevant registration in accordance with the legal requirements.

The time of registration and confirmation as well as your IP address are saved.

To register for our newsletter, it is sufficient if you enter your e-mail address in the registration form. However, we ask you to optionally provide a name so that we can address you personally in the newsletter.

In order to manage your consent in a legally secure manner, the data transmitted by you during registration will be processed in our CRM system.

If you no longer wish to receive the newsletter in the future, you can unsubscribe at any time by notifying us at newsletter@exali.com.

3. Legal Basis for Data Processing

The legal basis for the processing of your personal data for sending the newsletter is Section 7 UWG in conjunction with Art. 6 para. 1 lit. a) GDPR.

The legal basis for processing and logging the registration procedure is Art. 6 para. 1 lit. f) GDPR.

4. Purpose of data processing

The sole purpose of data processing is to send our newsletter and to document your registration in a legally secure manner, as well as to maintain customer relationships in order to be able to send you up-to-date information on your initiative.

5. Legitimate interest

Our legitimate interest lies in customer- and user-friendly advertising for the purpose of direct advertising (Recital 47 of the GDPR) and the legally secure logging of the registration process.

6. Duration of storage

If you no longer wish to receive the newsletter in the future, you can unsubscribe at any time by notifying us at newsletter@exali.com. The data you provided when registering for the newsletter will be deleted by us no later than 6 months after you unsubscribe from the newsletter.

7. Recipients of personal data

Our newsletter is sent by the shipping service provider Sendinblue GmbH.

8. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

9. Necessity of provision

The provision of the data is necessary; otherwise the website cannot be accessed.

10. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

Our shipping service provider is commissioned based on a processing agreement in accordance with Art. 28 para. 2 - 4 GDPR.

Our shipping service provider will not use your data to write to you.

6. Data via telephone, callback service

1. Description and scope of the data processing

In the case of telephone inquiries, personal data will be processed depending on the content of the conversation:

Depending on the information you provided during the telephone call, this may also include the following personal data:

  • First name, last name
  • Phone number
  • Customer number
  • Payment details
  • Contract data

The data will only be used to process the conversation and / or to carry out and / or initiate a contractual relationship.

When using the callback service, we collect:

  • Name
  • Phone number
  • When can we reach you?
  • Reason for your inquiry and the request for a callback
  • Interested party / existing customer

2. Legal basis for data processing

Due to the express request of the user via telephone and / or the request for a telephone call back, the legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR. If the contacting by phone is also aimed at concluding and / or executing a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The processing of personal data via the telephone call serves the sole purpose of establishing contact and enabling the company to address the customer for informational purposes on the customer's initiative.

Depending on the intention and content of your request, the purpose can also be the initiation and / or implementation of a contractual relationship, as well as maintaining the customer relationship.

The legitimate interest in data processing lies in the possibility of processing your request and being able to respond to your request accordingly. The data collected will be processed on the basis of a request made by you. This processing is also in your interest in order to be able to respond to your request according to your expectations.

4. Duration of storage

The data will be erased within 6 months once it is no longer required to achieve the purpose for which it was collected or is not subject to further statutory retention requirements (e.g. 10 years according to the AO German Tax Code, 6 years pursuant to HGB, the German Commercial Code).

As a rule, the special legal documentation requirements apply to us as an insurance broker (In Denmark, Finland and Sweden exali AG acts as a tied agent for Markel Insurance SE) according to VVG. As you can usually apply for insurance benefits for our insurance products up to 10 years after the contract has ended, it is essential that your data are stored for this period.

5. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

6. Necessity of provision

It is also possible to contact us by email, telephone or post. This may result in limitations, especially with regard to response times.

7. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

7. Data via fax

1. Description and scope of the data processing

For inquiries made by fax, personal data will be processed depending on the content of your message.

In any case, this is your fax number, date and time and the content of the message. In addition, depending on the content of your message, the following personal data are processed for example:

  • First name, last name
  • Phone number
  • Customer number
  • Payment details
  • Contract data

The data will only be used to process the conversation and / or to carry out and / or initiate a contractual relationship.

2. Legal basis for data processing

Due to the express request of the user via fax, the legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR. If contact by fax is also aimed at concluding and / or executing a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The processing of personal data about your request by fax serves the sole purpose of establishing contact and enabling the company to address the customer for informational purposes on the customer's initiative.

Depending on the intention and content of your request, the purpose can also be the initiation and / or implementation of a contractual relationship.

4. Legitimate interest

The legitimate interest in data processing lies in the possibility of processing your request and being able to respond to your request accordingly. The data collected will be processed on the basis of a request made by you. This processing is also in your interest in order to be able to respond to your request according to your expectations.

5. Duration of storage

The data will be erased within 6 months once they are no longer required to achieve the purpose for which they were collected or are not subject to further statutory retention requirements (e.g. 10 years according to the AO German Tax Code, 6 years pursuant to HGB, the German Commercial Code).

As a rule, the special legal documentation requirements apply to us as an insurance broker (In Denmark, Finland and Sweden exali AG acts as a tied agent for Markel Insurance SE) according to VVG. As you can usually apply for insurance benefits for our insurance products up to 10 years after the contract has ended, it is essential that your data are stored for this period.

6. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

7. Necessity of provision

It is also possible to contact us by email, telephone or post. This may result in limitations, especially with regard to response times.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

8. Data as part of the application process

1. Description and scope of the data processing

In job advertisements or on our website, we regularly provide information about current vacancies. You have the opportunity to apply for these positions. You can send us this application data either by post or by email.

Data that you send us as part of the application process can be:

  • Name, address and contact details
  • CV including all further specifications
  • Personal cover letter
  • Qualifications
  • Interests

If you send us your data by email, we will also process your email address, the date and time and the content of the message. In addition, depending on the content of your email, the following personal data is processed, as an example:

  • First name, last name
  • Phone number

The data will only be used in the context of the application process to decide on the vacancy.

2. Legal basis for data processing

The legal basis for processing the data in the application process is Art. 6 para. 1 lit. b) GDPR, § 26 para. 1 BDSG.

If, in the context of the application process, you provide us with special categories of personal data such as, for example, an existing severely disabled status or health data that are necessary for the assessment of your employability for a certain position, the processing of this data communicated on your initiative takes place in accordance with Art. 9 para. 2 lit. b), lit. h) GDPR, Section 26 paragraph 3 BDSG.

3. Purpose of data processing

The processing of personal data as part of the application process serves the sole purpose of personnel planning and the establishment of employment relationships.

4. Duration of Storage

If an application is rejected, the data will be deleted within 6 months of the rejection. Data from successful applications are subject to the retention requirements that result from labour and social law regulations, the AO and the HGB.

5. Recipients of personal data

The address data are processed by the following service providers on the basis of an order processing agreement in accordance with Art. 28 para. 2 - 4 GDPR:

BITE GmbH
Resi-Weglein-Gasse 9
89077 Ulm
Germany

6. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

7. Necessity of provision

It is also possible to contact us by email, telephone or post. This may result in limitations, especially with regard to response times.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

9. Data by eKomi

1. Description and scope of the data processing

This website uses the customer rating functionality eKomi. Customers can rate us using this functionality. The rating is always voluntary. You will find a link for this on exali, and you will also receive the link in individual cases by email. If you click on this link, you will be redirected to the eKomi website and can rate us. For this purpose, we occasionally forward a randomly generated number to eKomi via the link in order to be able to determine that it is one of our customers and to receive feedback that a rating has been made. This ensures that a customer who has already rated will not be asked to rate again.

2. Legal basis for data processing

The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR.

3. Purpose of data processing

The data processing serves the purpose of enabling our customers to evaluate our offer in order to enable us and other customers/interested parties to classify our services.

4. Legitimate interest

Our legitimate interest in data processing results from the purpose of continuous improvement of our offer and the orientation of interested parties with regard to the evaluation by existing customers.

5. Duration of storage

The data is currently stored permanently until further notice.

6. Recipients of personal data

The ratings are processed by the following service provider on the basis of a processing agreement in accordance with Art. 28 para. 2 - 4 GDPR:

eKomi Ltd.
Markgrafenstr. 11
10969 Berlin
Germany

7. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

8. Necessity of provision

It is also possible to contact us by email, telephone or post. This may result in limitations, especially with regard to response times.

9. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

10. Processing of personal data when using/integrating the exali Liability Seal

1. Description and scope of the data processing

Most customers of exali have the possibility to embed a Liability Seal from exali on their own website using HTML code. By clicking on the Liability Seal, visitors of the exali customer will see a confirmation of the exali customer’s insurance contract. Every exali customer has the option of requesting the HTML code in their personal My Exali area, which makes it possible to display the seal.

If you as an exali customer would like to request the Liability Seal for integration on your website, by clicking the button “>> Agree to terms of use” you agree that we may process your personal data only for the purpose of providing the Liability Seal. Without this consent, we cannot provide you with the Liability Seal for embedding.

If you enter this data (voluntarily) in the profile settings, the following data will be processed:

  • Profile name
  • Website
  • Company description
  • Logo
  • Web profile

Clicking on the Liability Seal on the website of a customer who has embedded the HTML code displays confirmation of the customer’s insurance contract. In order to be able to create this confirmation of the insurance contract, the following data of the exali customer is processed:

  • Policyholder
  • Insurance number
  • Start of insurance
  • End of insurance
  • Insured sum
  • Scope of validity

When visiting the exali customer’s website with the Liability Seal, the following visitor data is transmitted:

  • Browser type and browser version
  • Operating system
  • Referrer URL
  • Host name of accessing computer
  • Time of server request

This information is absolutely necessary and will not be saved.

2. Legal basis for data processing

The legal basis is Art. 6 (1) (b) and (c) GDPR since the processing of data is necessary for executing pre-contractual measures and is performed on the basis of our statutory retention obligations.

3. Purpose of data processing

The exali Liability Seal is intended to give exali customers the opportunity to show potential clients on their own website that they have professional indemnity insurance that will apply in a damage event. This allows exali customers to stand out from the competition and to come across as a responsible service provider. The processing of personal data is absolutely necessary in order to create the exali Liability Seal and the associated confirmation of insurance contract.

Personal data is processed for the purpose of generating the HTML code for the Liability Seal and the confirmation of insurance contract.

4. Duration of storage

The data will be erased within 6 months once it is no longer required to achieve the purpose for which it was collected or is not subject to further statutory retention requirements (e.g. 10 years according to the AO German Tax Code, 6 years pursuant to HGB, the German Commercial Code).

5. Transmission to a third country

It is not intended to transfer the personal data to a third country or to an international organisation.

6. Necessity of provision

The provision of the data is necessary, otherwise the service cannot be used.

7. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

V. Social media presences

1. Description and scope of the data processing

We maintain online presences in various social networks. We process your data here in order to communicate with you and to inform you about our products and services. The data we process is contact data, content data, usage data and meta/communication data.

You can find our presence on the following social networks:

Facebook and Instagram

fan pages of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

LinkedIn

company page of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Twitter

profile of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland

Xing

company profile of XING SE, Dammtorstraße 30, 20354 Hamburg

The operators of the social networks may provide us with statistics on the use of our online presence. These statistics are aggregated and may include demographic information, employment-related information and data on how you interact with our online presence and the posts and content distributed through it.

You can find more information on this in the data protection notices of the social networks:

Facebook:
www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

Instagram:
https://instagram.com/about/legal/privacy

LinkedIn:
https://de.linkedin.com/legal/privacy-policy?

Twitter:
https://twitter.com/de/privacy

Xing:
https://privacy.xing.com/de/datenschutzerklaerung

We have no influence on data that the social network processes on its own responsibility.

If so-called joint control applies, you can find more information about the social network at:

Facebook:

Information on Page Insights data at:
https://de-de.facebook.com/legal/terms/information_about_page_insights_data

Page Insights addendum at: https://www.facebook.com/legal/terms/page_controller_addendum

With regard to the Facebook pages, we are a joint controller with Meta Platforms Ireland Limited for the collection (but not further processing) of your data when you visit our Facebook page (so-called “Fan Page”). This data includes information about the types of content you view or interact with, or the actions you take, and information about the devices you use. Facebook also collects and uses information to provide analysis services, so-called “Page Insights”, for site operators, i.e. us, so that we can gain insights into how people interact with our pages and the content associated with them. We have concluded a special agreement with Facebook, which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects. Your rights are not restricted by the agreements with Facebook.

LinkedIn:

Page Insights joint controller addendum at: https://legal.linkedin.com/pages-joint-controller-addendum

2. Legal basis for data processing

The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR based on our legitimate interest in effective information and communication with our users.

3. Purpose of data processing

The processing of personal data via social media serves the sole purpose of establishing contact and enabling informational contact.

Depending on the intention and content of the communication, the purpose can also be the initiation and/or implementation of a contractual relationship.

4. Legitimate interest

The legitimate interest in data processing lies in the possibility of effective information and communication with our users.

5. Duration of storage

The data will be erased within 6 months once it is no longer required to achieve the purpose for which it was collected or is not subject to further statutory retention requirements (e.g. 10 years according to the AO German Tax Code, 6 years pursuant to HGB, the German Commercial Code).

As a rule, the special legal documentation requirements apply to us as an insurance broker (In Denmark, Finland and Sweden exali AG acts as a tied agent for Markel Insurance SE) according to VVG. As you can usually apply for insurance benefits for our insurance products up to 10 years after the contract has ended, it is essential that your data is stored for this period.

6. Transmission to a third country

Within the social networks, your data can also be processed outside the area of the European Union. This can result in risks because the enforcement of your rights could be more difficult.

7. Necessity of provision

It is also possible to contact us by email, telephone or post.

8. Automated decision making / profiling

There is no automated decision-making or so-called profiling.

9. Your rights

Insofar as we receive your personal data when operating the online presence in the social networks, you are entitled to the rights specified in this Privacy Policy. If you also want to assert your rights against the respective operator of the social network, the most effective way to do this is to contact them directly. Only the providers have access to your data and can directly take appropriate measures and provide information. We will of course support you in asserting your rights as far as we can and forward your inquiries to the operator of the social network.

VI. Rights of the data subject

If your personal data are processed, you are the data subject within the meaning of the General Data Protection Regulation. You are therefore entitled to the following rights vis-à-vis us as the controller.

To exercise your rights as a data subject towards us as the responsible party, please contact the following email address: dataprotection@exali.com

1. Right to Information - Art. 15 GDPR

You have the right to request a confirmation from the responsible party as to whether the personal data concerned are being processed.

If such processing is taking place, you have the right to information about this personal data and the following information:

  • the purposes for which the personal data is processed;
  • the categories of personal data that is processed;
  • the recipients or the categories of recipients to whom the personal data has been disclosed or is still being disclosed;
  • if possible, the planned period of time, for which the personal data will be stored (or, if this is not possible, the criteria for establishing this period of time);
  • the existence of a right to correct or delete your personal data, a right to restrict processing by us or a right to object to this processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • all available information about the origin of the data if the personal data is not collected from the data subject;
  • the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You also have the right to request information about whether your personal data is being transmitted to a third country or to an international organisation. In this context, you can also request to be informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.

2. Right to rectification - Art. 16 GDPR

You have the right to immediate correction and / or completion of the data concerning you, provided that the processed personal data is incorrect or incomplete.

3. Right to erasure - Art. 17 GDPR

You have the right to request the immediate deletion of your personal data at any time if one of the following reasons applies:

  • the personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;
  • you have revoked your consent on which the processing was based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing;
  • according to Art. 21 para. 1 you have lodged an objection to the processing and there are no overriding legitimate reasons for the processing, or you have, according to Art. 21 para. 2 GDPR, lodged an objection to the processing;
  • the personal data concerning you has been processed unlawfully;
  • the deletion of your personal data is necessary to fulfil a legal obligation under Union law or the law of the member states to which the person responsible is subject;
  • the personal data relating to you was collected in relation to information society services offered in accordance with Art. 8 Para. 1 GDPR.

Exceptions:
There is no right to deletion if processing is necessary

  • to exercise the right to freedom of expression and information;
  • to fulfil a legal obligation that requires processing under the law of the Union or of the member states to which the person responsible is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been transferred to the responsible party;
  • for reasons of public interest in the area of public health in accordance with Article 9 paragraph 2 letters h and i and Article 9 paragraph 3;
  • for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 para. 1 GDPR, insofar as the right mentioned in section a) is likely to make the implementation of the objectives of this processing impossible or seriously impair it, or
  • to assert, exercise or defend legal claims.

4. Right to restriction of processing - Art. 18 GDPR

You have the right to request that the personal data relating to you be restricted under the following conditions:

  • if you dispute the accuracy of the personal data concerning you for a period of time that allows the responsible party to check the accuracy of the personal data;
  • if the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
  • if the responsible party no longer needs the personal data for the purposes of processing, but you need these to assert, exercise or defend legal claims, or
  • if you have objected to the processing in accordance with Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the responsible party outweigh your reasons.

If the processing of your personal data has been restricted, this data - apart from storage - may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a member state.

If the processing has been restricted due to the aforementioned conditions, you will be informed by us before the restriction is ended.

5. Right to notification - Art. 19 GDPR

If you have exercised one of your rights to correction, deletion or restriction of processing, we are obliged to notify all recipients to whom the personal data concerning you have been disclosed of the correction, deletion of the data or the restriction of processing unless this turns out to be impossible or involves a disproportionate effort.

You also have the right to be informed about these recipients.

6. Right to data portability - Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to the person responsible, in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another person responsible without hindrance from the person responsible to whom the personal data was provided, provided that

  1. the processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract in accordance with Art. 6 para. 1 lit. b GDPR and
  2. the processing is carried out using automated procedures.

In exercising this right to data portability, you also have the right to have your personal data transmitted directly from one person in charge to another person in charge, insofar as this is technically feasible.

7. Right of objection - Art. 21 GDPR

You have the right, for reasons that arise from your particular situation, to object at any time to the processing of personal data relating to you, which is carried out based on Art. 6 Para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

We will then no longer process the personal data concerning you unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If personal data are processed in order to run direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In connection with the use of services of the information society - regardless of Directive 2002/58/EC - you have the option of exercising your right of objection by means of automated procedures that use technical specifications.

8. Right to withdraw the declaration of consent under data protection laws

You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of withdrawal.

9. Right to lodge a complaint with a supervisory authority - Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of your personal data violates the General Data Protection Regulation.

The supervisory authority to which you lodge a complaint will inform you, as the complainant, of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.

These data protection notices are updated at regular intervals.