Status: April 28, 2025 | Version: 1.2

Controller & Contact
Data Categories, Purposes & Legal Bases
Retention Period
Technical & Organizational Measures (TOM)
Cookies & Tracking
Third-Party Sharing
Social Media & External Links
Automated Decisions & Profiling
Data Subject Rights
Updates, Versioning & Changes
Legal Review & Record of Processing Activities

1. Controller & Contact

This section provides information on who is responsible for data processing at Zimara GmbH and how to contact us for privacy questions.

Controller:
Zimara GmbH
Lange Lage 5
37154 Northeim, Germany

Contact:
Email: info@zimara-gmbh.de
Phone: +49 5551 98200
Fax: +49 5551 982020

Data Protection Officer:
Appointed as required by Art. 37(1) GDPR when legal conditions are met.

Privacy Contact (until DPO appointment):
Email: datenschutz@zimara-gmbh.de
Phone: +49 5551 98200

2. Data Categories, Purposes & Legal Bases

This section explains which personal data we collect, for what purposes, and on what legal basis.

Data	Purpose	Legal Basis
Title, First/Last Name, Address	Contract fulfillment (e.g., offers, invoicing) Sending documents (contracts, info material)	Art. 6(1)(b) GDPR (Contract)
Email Address	Responding to inquiries Sending important information Newsletter (with consent)	Art. 6(1)(b)&(a) GDPR (Communication & Consent)
Phone (Landline/Mobile)	Appointment scheduling Urgent queries	Art. 6(1)(b) GDPR (Contract)
IP Address, Date/Time, Log Data	IT security Error analysis Attack detection/prevention	Art. 6(1)(f) GDPR (Legitimate interest)
Contact form messages	Processing your requests Documentation	Art. 6(1)(f) GDPR (Legitimate interest)
Voluntary info (Company, Subject)	Faster processing	Art. 6(1)(f) GDPR (Legitimate interest)
Applicant data	Selection process, job offers	Art. 6(1)(b) GDPR, §26 BDSG

Special Categories of Personal Data (Art. 9 GDPR): None currently processed. If required, they will be documented separately with Art. 9(2) GDPR basis and additional safeguards.

Details:
• Contract performance: Data needed to provide services and handle contracts.
• Consent: Newsletters only after explicit opt-in; withdrawal any time (Art. 7(3) GDPR).
• Legitimate interest: Security and system stability to protect infrastructure and data.
• Newsletter: Sent only after double opt-in. Withdrawal via newsletter-widerruf@zimara-gmbh.de; data deleted within 30 days.

3. Retention Period

We explain how long we keep your data and when it is deleted:

Contract & invoice data: Up to 10 years (legal retention per §257 HGB, §§147 ff. AO).
Contact requests & logs: At least 30 days, then permanently deleted; exceptions apply.
Newsletter subscription: Deleted within 30 days after withdrawal or contract termination, unless legal retention requires otherwise.

Annual audits ensure compliance.
Legal basis: Art. 6(1)(c) GDPR (legal retention) & (f) GDPR (legitimate interest).

4. Technical & Organizational Measures (TOM)

Per Art. 32 GDPR, we protect your data with:

Access control: Authorized personnel only; roles matrix; biannual reviews.
Permissions & roles: Need-to-know; documented changes.
Encryption: SSL/TLS (min. TLS 1.2, HSTS); database encryption.
Backup & monitoring: Daily offsite backups (30-day retention); disaster recovery drills.
Spam/malware filters: Form and email scanning; quarantine of threats.
Incident management: Report within 4 hours; notify authorities & data subjects within 72 hours; DSFA for high-risk; biannual penetration tests.

Full TOM record available upon request.

5. Cookies & Tracking

Our cookie usage and management:

Essential session cookies: Required for site functionality (Art. 6(1)(f) GDPR).

Category	Purpose	Duration	Provider	Legal Basis
session_id	Session management	Browser session	zimara-gmbh.de	Art. 6(1)(f) GDPR
cookie_consent	Store consent settings	12 months	Consent tool	Art. 6(1)(c) GDPR
csrf_token	Prevent CSRF attacks	Browser session	zimara-gmbh.de	Art. 6(1)(f) GDPR

No analytics or marketing cookies; browser settings allow control.

Processors (§28 GDPR): Hosting, payment, tax advisor, logistics (data processing agreements).
Standard contractual clauses (2021): For third-country transfers.
Transfers outside EU: EU Commission SCCs + TOM per Art. 46(2)(c) GDPR.
Law enforcement: Only if legally required; no voluntary disclosures.

Data flows when using our social media or external links:

Platforms: LinkedIn, YouTube, Vimeo per their policies.

YouTube Privacy-Enhanced Mode: Loads after explicit click.
Referrer header: Suppress with rel="noreferrer".

Platform	Data Shared	Legal Basis
LinkedIn	Referrer URL, IP, timestamp	Art. 6(1)(f) GDPR
YouTube	Referrer URL, IP, timestamp	Art. 6(1)(f) GDPR
Vimeo	Referrer URL, IP, timestamp	Art. 6(1)(f) GDPR

8. Automated Decisions & Profiling

No automated decision-making or profiling (Art. 22 GDPR); all analyses manual.

9. Data Subject Rights

Right	Description	Deadline
Access (Art.15)	Info on processed data	1 month (max 3 months)
Rectification (Art.16)	Correct inaccurate data	Without undue delay
Erasure (Art.17)	Delete if no legal basis	Without undue delay
Restriction (Art.18)	Limit processing	Without undue delay
Data portability (Art.20)	Receive data in machine-readable format	Without undue delay
Withdraw consent (Art.7)	Withdraw consent anytime	Immediate
Object (Art.21)	Object to processing	Immediate
Complaint (Art.77)	File complaint with supervisory authority Lower Saxony	Any time

Process: Send request via email/post; identity verification; response within one month.

10. Updates, Versioning & Changes

Version: 1.2 (April 28, 2025)
Annual review on May 1; next review: May 1, 2026.
Change log:
- 1.0 – April 18, 2018: Initial publication
- 1.1 – October 15, 2022: Added social media & cookie consent
- 1.2 – April 28, 2025: Expanded TOM, profiling notice, data subject rights

11. Legal Review & Record of Processing Activities

Reviewed by Legal and Compliance per Art. 30 GDPR and BDSG.

Record of Processing Activities: “2025-04-28_ProcessingActivities_Zimara” – available on request.