Privacy

Otto Lehmann GmbH ("Otto Lehmann") places great importance on protecting your privacy when processing personal data. This privacy policy provides comprehensive information on how Otto Lehmann handles your personal data and ensures data protection.

This privacy policy applies to the handling of your personal data when you visit the Otto Lehmann website at www.ottolehmann.com or our social media profiles on LinkedIn, Instagram, Facebook, or YouTube. This privacy policy also applies when you contact us via email, phone, or mail. Additionally, you can find information for applicants here.

The controller responsible for the data processing described in this privacy policy is:

Otto Lehmann GmbH
Berliner Straße 219
3073 Neutraubling
+49 (0)9401 786 0
Email: datenschutz@otto-lehmann-gmbh.de
‍

Data Protection Officer

For questions regarding data protection, you can also contact our data protection officer:

Mr. Thomas Wanjura
Projekt 29 GmbH & Co. KG
Ostengasse 14, 93047 Regensburg
Tel.: 0941 2986930
Fax: 0941 29869316
Email: anfragen@projekt29.de
Internet: www.projekt29.de

Should our data protection officer be unable to resolve your concern to your satisfaction, you always retain the right to lodge a complaint with the supervisory authority responsible for your federal state.

Otto Lehmann collects and processes various personal data from you, depending on the specific processing situation.

We process your personal data exclusively in accordance with the provisions of the General Data Protection Regulation (“GDPR”) and the Federal Data Protection Act (“BDSG”).

Below you will find a list of which personal data we process depending on the processing situation, what purposes these data processing operations serve, and on what legal basis we process the data.

In this section, we describe how your personal data is processed in connection with your visit to our website at: www.ottolehmann.com.  

Categories of Personal Data‍

Personal data refers to all information relating to an identified or identifiable natural person (e.g., name, address, email). Generally, disclosing your identity is not required to visit our website. When you access our website, we process the following personal data in particular:

• log data, i.e., data related to the use of the provided website (e.g., web browser and operating system used, referrer URL, date and time of access, amount of data transferred),
• IP address of the requesting computer, as well as
• further technical data comparable to the aforementioned.

In individual cases, we also require information, for example, to provide requested services, answer inquiries, or send informational material. In such cases, we will explicitly point this out.

Purposes:

The data processing serves to enable you to visit our website and to display it correctly. In addition, the processing serves statistical purposes and to improve the quality of our website, especially the stability and security of the connection. No personalized evaluation takes place.

Legal Basis:

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, whereby our legitimate interest arises from the stated purposes.

Storage Duration:

The data is only temporarily stored in so-called log files for the duration of the session and deleted after visiting the website, unless a longer legal retention period applies.

Recipients:

Our website is hosted by Webflow (Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA), which, as part of a (sub-) data processing agreement for the provision of hosting and support services, may need to access the data listed above. Webflow is a tool for creating and hosting websites.

As part of its hosting services, Webflow provides this website externally via the Content Delivery Networks (CDNs) of the US companies Cloudflare Inc. and Amazon Web Services Inc. (CDN: Amazon CloudFront). In addition, Webflow uses Elasticsearch, Inc., USA (function: search function within the website). For details, please refer to Webflow's privacy policy: https://webflow.com/legal/eu-privacy-policy and: https://webflow.com/legal/subprocessors

Insofar as data is transferred to the USA, this is based on the standard contractual clauses of the EU Commission. Details can be found here: https://webflow.com/legal/eu-privacy-policy.

We have concluded a Data Processing Agreement (DPA) with the aforementioned provider. This is a contract required by data protection law, which ensures that the provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

When you contact us (e.g., via contact form, AI chat, email, phone, or social media), we process the information provided by the inquiring person to the extent necessary to answer the inquiry and, if applicable, to carry out pre-contractual or contractual measures.

Categories of Personal Data

‍When you contact us, we process the following personal data in particular:

• First name and last name,
• Email address,
• Time of inquiry,
• Phone number (if applicable, when contacting via phone)
• Information you provide when contacting us.  

‍Data subjects:

‍Communication partners.

‍Purposes:

The data is processed solely for the purpose of handling your inquiry.  

‍Legal bases:

Art. 6(1)(b) GDPR (Contract/Pre-contractual measures).

Storage duration:

The data will be deleted once your inquiry has been satisfactorily answered, unless a longer statutory retention period applies.

Information regarding the processing of your personal data in connection with the snow load calculation can be found here.

You can subscribe to our newsletter on our website.

Categories of Personal Data‍

If you subscribe to our newsletter, we process the following data from you:

• Email address,
• First name and last name,
• Referrer URL, date and time of registration and access, web browser,
• IP address, as well as
• Information for the purpose of proving newsletter registration.

Purposes and Legal Basis of Data Processing:

The data processing serves solely to send you information about our services, projects, and our company, and to keep you updated on new developments from Otto Lehmann.

The legal basis is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Consent is always voluntary. Refusing or withdrawing consent will have no negative impact on you.

‍Registration / Double Opt-In:

For subscribing to our newsletter, we use the so-called double opt-in procedure. This means that after your registration, we send an email to the provided email address, asking you to confirm that you wish to receive the newsletter. The purpose of this procedure is to verify your registration and, if necessary, to clarify any potential misuse of your personal data. If you do not confirm your registration, your information will be blocked and automatically deleted after one month.  

You can revoke your consent to receive the newsletter and unsubscribe at any time. You can do this by clicking the link provided in every newsletter email, by sending an email to mail@ottolehmann.com, or by sending a message to the contact details provided in the imprint.

Storage Duration:

The data will be deleted after unsubscribing from the newsletter, unless a longer statutory retention period applies.

Recipients:

We use the mailing service "CleverReach" (CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany) for sending newsletters. CleverReach organizes and carries out the dispatch of newsletters, among other things. CleverReach uses the data you provide for the purpose of sending newsletters on our behalf and based on a data processing agreement concluded with us, solely for the purpose of sending newsletters. For this purpose, the data is stored on CleverReach's servers in Europe. Data is not transferred to third countries. Further details can be found in CleverReach's data security information at:  https://www.cleverreach.com/de-de/datensicherheit/.

Measurement of open and click rates using tracking pixels:

We would like to inform you that we evaluate your click behavior when sending newsletters. CleverReach can measure openings and clicks within the newsletters to optimize content. For this evaluation, the emails sent contain so-called tracking pixels, which are single-pixel image files "hidden" in our newsletters, and their download is counted. When the newsletter is opened, this pixel is automatically loaded from the CleverReach server. This process technically necessitates the transmission of data relevant to data protection, such as:

• recipient's IP address
• time of opening
• email program / operating system used

The data is collected exclusively in pseudonymized form, meaning direct personal identification is excluded.

‍Legal Basis:  

Since the placement of tracking pixels in newsletters requires the storage of information on your terminal device or access to information already stored on the terminal device, Section 25 (1), (2) TDDDG serves as the legal basis for this.

‍Data Processing:

A data processing agreement exists with CleverReach in accordance with Art. 28 GDPR.

General:

This website uses Fathom Analytics, a web analytics service provided by Conva Ventures Inc., 53 Forest Road, Victoria, British Columbia, Canada ("Fathom Analytics"). The service is used to collect and evaluate statistical information about the use of this website (e.g., page views, visitor numbers, dwell time, visitor origin, browsers used, and device types).

Categories of personal data:

When a page on this website is accessed, a JavaScript script from Fathom Analytics is loaded, which sends a page view request to Fathom's servers. The IP address and user agent (information about the browser and device type used) are transmitted. Fathom Analytics does not use cookies or similar tracking technologies. Instead, a privacy-friendly hashing method is used: an SHA-256 hash is generated from the IP address, user agent, website hostname, and a daily, site-specific salt, which enables anonymous identification of sessions and page views without permanently storing personal data. No raw personal data (IP address or user agent) is stored in the database. Only anonymized or pseudonymized aggregate data is stored, including:

• page visited (hostname/pathname), referring source (referrer),
• whether it is a new visit or a new session,
• time spent on the page, and
• statistical metrics on browser types, device types, and countries of origin.

Purposes and legal basis:

The purpose of processing is to analyze user behavior to improve the website offering and to optimize the content and technical infrastructure of the website. Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interests). Our legitimate interest arises from the stated purposes.

Data processing:

Fathom Analytics processes website visitor data on our behalf. A data processing agreement exists with Fathom Analytics in accordance with Art. 28 GDPR.

Server locations and third-country transfers:

Fathom Analytics is a Canadian company and has introduced what is known as "EU Isolation". This feature is enabled by default for all customers. With EU Isolation, data traffic from website visitors from the EU is routed exclusively via EU infrastructure. The IP address of EU visitors is anonymized within the EU and never reaches third-country servers.

Storage duration:

Pseudonymized data (hash values) are retained for approximately 48 hours. After this period, the hash salts are removed from the system, making it practically impossible to trace back to individual persons. Hashes used for unique visitor identification are automatically deleted daily. Aggregated, fully anonymized statistical data (page views, visits, time spent, etc.) are stored for the duration of the contract with Fathom Analytics. After the contract ends, the data is deleted.

Opt-out options:

Since Fathom Analytics does not set cookies, an opt-out via browser cookie settings is not technically applicable. Website visitors have the following options to minimize or prevent data collection:

• Do-Not-Track (DNT): Fathom Analytics respects the browser's Do-Not-Track header. If DNT is enabled in your browser settings, Fathom Analytics will not perform any tracking.
• Disabling JavaScript: Completely disabling JavaScript in your browser prevents the Fathom script from running and thus prevents any data collection by the service.

Further information:

Detailed information on data processing by Fathom Analytics can be found at: https://usefathom.com/data and https://usefathom.com/legal/compliance.

‍

This website currently does not use cookies.

‍Neither technically necessary nor optional (functional, statistical, or marketing) cookies are used. A cookie consent banner is therefore not required.

This section provides information on the processing of personal data within the scope of applicant management (applications submitted via email, post, or online form through the online job portal).

Our website's "Career" section allows you to learn about our application process and current job openings at Otto Lehmann, and to submit online applications. Clicking the "Career" button will redirect you to our online application portal, which is technically operated by the external service provider...

How is your data processed during the application process?

Visiting the Job Portal

(a) Categories of Personal Data

You can generally visit our job portal without disclosing your identity. However, when you access it, we process the following personal data in particular:

• Log data, i.e., data related to the use of the provided website (e.g., web browser and operating system used, referrer URL, date and time of access, amount of data transferred),
• IP address of the requesting computer, as well as
• other technical data comparable to the aforementioned.

(b) Purposes and Legal Basis of Data Processing

Data processing enables you to visit our job portal and ensures our career page is displayed correctly. Furthermore, this processing serves statistical purposes and helps improve the quality of our website, particularly connection stability and security.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, with our legitimate interest arising from the purposes mentioned above.

(c) Retention Period

The data is only temporarily stored in log files for the duration of your session and deleted after you leave the website, unless a longer statutory retention period applies.

Application Process

If you apply for an advertised position (online) or submit an unsolicited application, and provide us with your personal data by submitting your application documents, through an online application, personal interviews and correspondence, or via a recruitment agency, we will collect and process this data to the extent necessary for deciding on your application and establishing an employment relationship.

(a) Categories of Personal Data

As a rule, we require the following data as part of the application process:

• First and last name,
• Address,
• Email address,
• Phone number (optional),
• Photo (optional),
• Information about your school, vocational, or university education, including certificates,
• Your professional background, including references from previous employers, further professional qualifications and activities, and references,
• Language skills and, if applicable, relevant privately acquired knowledge and skills or private engagement, insofar as this is relevant for the position you are applying for.
• ‍IT/metadata during electronic transmission (e.g., time, technical logs)

If you voluntarily provide us with any further personal data, we will also store it.

(b) Purposes and Legal Basis of Data Processing

We use your contact details exclusively to get in touch with you and inform you about the status of your application and our selection decision. Other personal data contained in the application documents is used to review your qualifications and professional achievements and to assess your suitability for the position to be filled. Furthermore, your data may also be processed for legal prosecution purposes, particularly insofar as this is necessary for asserting, exercising, or defending mutual legal claims arising from the application process.

Should the application process lead to an employment relationship with you, the data will be transferred to the personnel file and stored for the purposes of establishing and carrying out the employment relationship. You will be separately informed about this upon hiring.

The legal basis for processing your personal data to the described extent is Section 26 (1) sentence 1 of the BDSG. If, during the application process, you provide us with special categories of personal data, such as information about health, religious beliefs, or ethnic origin, the legal basis is Art. 9 (2) lit. b and lit. h GDPR, as the processing of such data may be necessary due to our legal obligations as an employer and for the associated protection of your fundamental rights, as well as to assess the employability of potential employees and, if necessary, take required occupational health and preventive healthcare measures.

(c) Storage Period

Should the application process lead to an employment relationship, apprenticeship, or internship, the data will initially continue to be stored and transferred to the personnel file.

In the event of a rejection, we generally store your application documents and the personal data contained therein for a period of six months after the rejection has been issued. After this period, we destroy your application documents and data submitted in paper form, unless you have explicitly informed us that you wish for them to be returned in original. Electronic data is deleted after six months. Longer storage only occurs if it is necessary for the defense of legal claims, if legal provisions exceptionally prevent deletion, or if you have expressly consented to longer storage.

Recipients: Within our company, the HR department, relevant departments, management, and, if applicable, the works council/representative body for severely disabled persons receive access, as far as necessary. Outside the company, we only transmit data as far as legally required or necessary for processing, e.g., to social security institutions, health insurance companies, pension insurance, the Federal Employment Agency, professional associations, tax authorities, courts, banks, insurance companies. If we use service providers as processors (e.g., IT/hosting), this is done on the basis of Art. 28 GDPR.

Within the application process, we work with the following service provider, who may receive access to your personal data to perform their services:

Third-Country Transfer:

No transfer to third countries takes place. Should a transfer become necessary in exceptional cases, it will only occur in compliance with Articles 44 et seq. GDPR (e.g., Standard Contractual Clauses) and with prior notification.

Origin of Data:

Your data related to the application is primarily collected directly from you. Additionally, where permissible, data may originate from public sources (e.g., professional networks) or from third parties (e.g., recruitment agencies). Legally mandated inquiries (e.g., to the tax office/health insurance fund after hiring) may also be added.

Obligation to Provide:

The provision of certain personal data is necessary for the decision on hiring and the execution of the employment relationship. Without this data, it is not possible to process the application or establish the employment relationship.

‍

Personal data is collected exclusively directly from you, for example, when you visit our website.

Otto Lehmann only shares your personal data if this is permissible under European data protection law, for example, because the data transfer is necessary for the fulfillment of a contract or because you have given us your consent to the disclosure of the data. We work with several service providers, such as technical service providers (e.g., hosting services, website maintenance).

Disclosure due to Legal Obligations or for Safeguarding Legitimate Interests

Insofar as we are legally obliged to do so, by court order or due to an enforceable administrative order, we must transmit your personal data to authorized bodies (e.g., supervisory or financial authorities). The legal basis for such disclosure is then Article 6(1)(c) GDPR.

Processing by Processors and Other Recipients

For individual services, we may use commissioned service providers ("processors"). These processors act solely on our instructions and are contractually obliged, in accordance with Article 28 GDPR, to comply with data protection regulations. This does not apply if these service providers act as controllers themselves (e.g., legal and tax advisors). Processors are also contractually obliged, for example, to either delete or return personal data upon completion of the contract.

The following categories of recipients, who are typically processors, may receive access to your personal data:

• IT and web service providers or companies commissioned for the maintenance of our website or platform and internal IT infrastructure (software, hardware).

The legal basis for sharing data with entities that are not processors is Article 6(1)(b) or (f) GDPR. Furthermore, we only share your personal data with third parties if you have given your explicit consent in accordance with Article 6(1)(a) GDPR.

In the course of our business relationships, your personal data may be transferred or disclosed to third-party companies. These may also be located outside the European Union ("EU") or the European Economic Area ("EEA"), in so-called third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and for maintaining your business relationship with us.

The European Commission certifies that some third countries provide a level of data protection comparable to the EU standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).

However, in other third countries to which personal data may be transferred, there may not be a level of data protection comparable to that of the EU due to a lack of legal provisions. This may mean that your personal data is processed in a jurisdiction that offers a level of protection that, in certain cases, provides less protection for your personal data than the jurisdiction in which you are normally resident. Where this is the case, we ensure that data protection is adequately guaranteed and that appropriate safeguards are in place. This means, for example, that we conclude the standard contractual clauses of the European Commission for the protection of personal data.

Please contact us (see contact details under Section 2) if you would like more information on this.

Unless an explicit storage period is specified under Section 3, we generally store your personal data only for as long as we need the data for the purposes for which we collected it and for the fulfillment of legal requirements and obligations. Your data is generally stored only on our servers in Germany, subject to any transfer that may occur in accordance with the provisions in Section 3.  

However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings, or if storage is required by legal provisions to which we, as the controller, are subject (e.g., Section 257 HGB or Section 147 AO). When the retention period prescribed by legal provisions expires, the personal data will be blocked or erased, unless further storage by us is necessary and there is a legal basis for it.

We implement technical and organizational measures to protect your data against loss, destruction, manipulation, and unauthorized access. Employees and service providers are obliged to comply with data protection laws. Wherever we collect and process personal data, the transmission is encrypted (e.g., TLS/HTTPS). Our security measures are continuously improved, and the data protection notices are regularly updated.

Subject to legal requirements, you have the following rights: access, rectification, erasure, restriction of processing, data portability, and objection.

Right of access

You can request information on whether and to what extent we process data concerning you.

Right to rectification

You can request the rectification of inaccurate data and the completion of incomplete data.

Right to erasure

You can request the erasure of your data, provided there are no legal retention obligations preventing it or another legal basis requires the processing.

Right to restriction of processing

You can request the restriction of processing if

• You dispute its accuracy (for the duration of the review),
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead,
• we no longer need the data, but you require it for the establishment, exercise or defence of legal claims, or
• you have objected and it has not yet been determined whether our legitimate grounds override yours.

Right to Information about Recipients

Pursuant to Art. 19 GDPR, you have the right to request information about the recipients of data to whom a rectification, erasure of your personal data, or restriction of processing has been communicated.  

Right to Data Portability

You have the right to receive data you have provided to us in a structured, commonly used, machine-readable format and – where technically feasible – to request its transmission to another controller, provided that the processing is based on consent or a contract and is carried out by automated means.

Right to Withdraw Consent

If we process personal data based on your consent, you are also entitled to withdraw your consent at any time pursuant to Art. 7 Para. 3 GDPR. Your withdrawal means that we will no longer continue the data processing that was based on this consent for the future. The lawfulness of processing carried out based on your consent until withdrawal remains unaffected by your withdrawal.

Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection regulations, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. In Bavaria, this is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Tel. +49 (0) 981 180093-0, Fax: +49 (0) 981 180093-800.

RIGHT TO OBJECT: UNDER THE CONDITIONS OF ART. 21 GDPR, YOU ALSO HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA, INSOFAR AS THE PROCESSING IS BASED ON A LEGITIMATE INTEREST PURSUANT TO ART. 6 PARA. 1 S. 1 LIT. F GDPR OR ON ART. 6 PARA. 1 S. 1 LIT. E GDPR (THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS). WE WILL CEASE THE PROCESSING OF YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

SUBMITTING AN OBJECTION: THE OBJECTION CAN BE DECLARED INFORMALLY BY POST OR E-MAIL AND SHOULD BE ADDRESSED TO THE CONTACT DETAILS IN SECTION 2.

‍

We do not condition the conclusion of contracts on you providing us with personal data in advance. As a user, you are generally under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data.

We do not intend to use personal data collected from you for automated decision-making (including profiling).

We reserve the right to amend this privacy policy to reflect changes in legal requirements or technical developments. The current version is available on this website. We will provide separate notice here for any significant changes.