House for Journalism and the Public Sphere

Data Privacy Statement

Publix Data Protection Information

Below, we inform you how Publix gGmbH (hereinafter "Publix" or "we") uses your personal data, what rights you have, and whom you can contact if you have questions about data protection.

In most cases, you can decide which personal data you wish to provide to us. However, if you choose not to provide certain data, we may not be able to offer you specific services. Mandatory information required for the provision of our services is marked accordingly.

These data protection notices are current as of July 2025. From time to time, we may need to make adjustments to reflect actual circumstances or legal and regulatory requirements; therefore, please check our data protection information on our website during your next visit to stay up to date.

Name and Contact Details of the Data Controller and Data Protection Officer

The data controller is Publix gGmbH

Industriestraße 2
79541 Lörrach, Germany.
Tel: +49 (0)30 62 72 45 59.
Email: hello@publix.de

The Data Protection Officer is Anna Cardillo,

MYLE-Partnerschaftsgesellschaft von Rechtsanwält:innen mbB
Potsdamer Str. 98
10785 Berlin, Germany
Email: anna.cardillo@myle-law.com

1. Data Processing on Our Website

We process your personal data when you visit our website and when you contact us.

1.1 Your Visit to Our Website

1.1.1 Provision of a Secure and Efficient Website

Each time you access our website, data that your browser automatically transmits to our server is stored. This includes IP address, type and version of the browser used, time, date, and website accesses. The processing is carried out for the purpose of the secure and efficient operation of our website.

Legal basis: The data processing is carried out to safeguard our legitimate interests pursuant to Art. 6(1)(f) GDPR in ensuring:

  • A smooth connection to the website;
  • Comfortable use of our website;
  • Evaluation of system security and stability; and
  • Other administrative purposes.

Storage duration: The aforementioned data is stored in a log file until it is automatically deleted after 15 days. The storage duration may be longer in individual cases, e.g., if required for legal prosecution.

Recipients: We use the services of the external hosting provider fortrabbit GmbH, Glogauer Str. 24, 10999 Berlin. The hosting provider provides us with infrastructure and platform services, computing capacity, storage space, and security services. It processes the personal data that is collected when visiting this website.

1.1.2 Website Analysis

To better understand user behaviour on our website and to continuously optimise our online offering, we conduct a website analysis. We collect aggregated and anonymised data to gain insights into the use of our website. No cookies are set, and no personal data such as IP addresses are stored in identifiable form. The IP address is truncated and cannot be assigned to individual visitors.

Legal basis: The data processing is based on Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in analysing the use of our website to continuously improve its content and user experience.

Storage duration: The stored analysis values are fully anonymised and do not allow any conclusions to be drawn about individual persons. Therefore, no specific storage duration is set. The statistical data is retained as long as it is needed for the analysis of website usage.

Recipients: We use the analysis tool "Fathom Analytics" (operator: Conva Ventures Inc., 26 Bastion Square, Third Floor Burnes House, Victoria, British Columbia, V8W 1H9 Canada) for the statistical evaluation of the use of our website. The processing takes place exclusively on servers within the EU. Fathom Analytics is a processor in this context pursuant to Art. 28 GDPR and thus a recipient of your data.

1.2 Your Contact

Should you contact us electronically, for example by sending us an email, using the contact form on our website, or calling us, we will process your email address, name, and other contact details, as well as the information provided in your enquiry. To respond to your written enquiry, we require at least your email address, making its processing essential.

We use an external contact form provided by the software solution HubSpot. Only the personal data entered into the contact form will be stored.

Legal Basis: We process your data based on Article 6(1)(f) of the GDPR, our legitimate interest in responding to your general enquiry. If you contact us to register for an event, book a room, or initiate another contract with us, the legal basis is Article 6(1)(b) of the GDPR. If we are legally obliged to store the data, the legal basis is Article 6(1)(c) of the GDPR in conjunction with the respective regulation.

Storage Duration: Your data will only be processed to respond to your enquiry and will be deleted immediately once your enquiry has been resolved, unless a contract has been concluded, there are legal retention obligations, or we have legitimate interests in further storage.

Recipient: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin. HubSpot acts as our data processor under Article 28 of the GDPR and is therefore the recipient of your data.

There is a possibility that some of the information collected by HubSpot may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met.

HubSpot's service provider is headquartered in the USA and is certified for Non-HR Data (DPF). To ensure a comprehensive level of protection, we have agreed on standard contractual clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe.

1.3 Our Use of Cookies and Similar Technologies

Information about the use of cookies and similar technologies (hereinafter collectively referred to as "cookies") on our website can be found in our cookie information, which is accessible via the footer of our website.

Cookies can store or retrieve information on end devices. In this context, we may process personal data (e.g. language settings, meta, communication, and procedural data such as IP addresses, timestamps, identification numbers).

Legal Basis: The processing of data using cookies is based on our legitimate interest in improving the usability of our website, in accordance with Article 6(1)(f) of the GDPR. If the use of cookies is necessary to fulfil our contractual obligations, the processing is carried out in accordance with Article 6(1)(b) of the GDPR. If we use cookies that are not technically necessary, this is done only with your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG. Further details can be found via the footer of our website.

Storage Duration: We delete stored data as soon as its storage is no longer necessary or you request its deletion; in the case of legal retention obligations, we restrict the processing of the stored data accordingly.

2. Data Processing on Our Social Media Channels

We maintain publicly accessible profiles on the social media platforms LinkedIn, Instagram, Mastodon, and YouTube.

If you use our profiles on social networks to interact with us (e.g., like or share a post, follow us, write a comment, or send us a direct message), we process the data you provide to us for the purpose of contacting you. If we like, share, or comment on your posts, the data you have freely published on the aforementioned social media will be made accessible to our followers. All information you provide in your profile is publicly visible, meaning members who log into the network and customers of the social media services can view it. This also applies to your activities within the service, such as:

  • Comments on posts or videos;
  • "Likes";
  • "Follow" function.

Group memberships are also publicly visible. When you share posts, they are set to public by default. In the options, you can restrict the visibility of these posts to your contacts.

Additionally, there is joint processing of personal data within the framework of so-called insights, through which the usage behaviour of visitors is evaluated.

LinkedIn processes data of visitors to our company profile to provide so-called Page Insights. This includes statistical information about page views, interactions (e.g., "Follow"), devices used (e.g., IP address, operating system, language settings), and professional characteristics such as function, industry, or company size. The insights are displayed to us exclusively in aggregated form – access to the clear data is not possible. For this processing, we are jointly responsible with LinkedIn. The basis for this is the Page Insights Joint Controller Addendum. Waiving this function is not possible, as LinkedIn only provides company profiles with Page Insights by default.

We use a business profile on Instagram, where Meta – the operator of Instagram – processes data about the use of our page to provide so-called Page Insights. This includes information about accessed content, interactions (e.g., "Follow"), devices used (e.g., IP address, operating system, language settings), and profile information of registered users. This data is provided exclusively in aggregated form – access to the clear data is not possible for us. For the processing within the framework of Page Insights, we are jointly responsible with Meta. Further information can be found in the Page Insights Controller Addendum. Waiving this function is not possible, as Meta only offers business profiles with the activated Insights function by default.

Legal Basis: The legal basis for this data processing is Article 6(1)(f) of the GDPR. Our legitimate interest lies in maintaining contact with our business partners and interested parties, informing them, as well as in contemporary public relations, market observation, and the needs-based design of our profile. If you contact us via social media because you are interested in our offer, the request also serves the purpose of pre-contractual measures at your request, and the legal basis is then Article 6(1)(b) of the GDPR.

Storage Duration: We store personal data that arises in the context of your interaction with our social media profiles only as long as it is necessary for the mentioned purposes. Comments or messages generally remain as long as they are published on the respective platform or are technically available, unless you exercise your right to deletion.

Recipient:

  • The social network Instagram is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; the provider is therefore the recipient of your data;
  • The social network LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; the provider is therefore the recipient of your data;
  • The video platform YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; the provider is therefore the recipient of your data;
  • The decentralised social network Mastodon is not operated by a central provider. Instead, it is based on a federated structure with many independent servers ("instances"). If you visit our presence on the instance mastodon.social, your data will be transmitted to the operator of this instance: Mastodon gGmbH, Mühlenstraße 8a, 14167 Berlin, Germany; the operator of the instance is therefore the recipient of your data.

Data Processing Outside the European Union (EU): There is a possibility that some of the information collected by Instagram, LinkedIn, and YouTube may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met.

The social media platforms described above that we use have their headquarters in the USA and are certified accordingly (DPF).

3. Data Processing When Using the Booking System

3.1 Booking via the Publix Website

The Publix website offers the possibility to book various types of rooms for different occasions. Filling out a booking request is necessary.

The following personal data is generally processed to check the request, check availability, and, if necessary, make a booking:

  • First and last name;
  • Company name and organisation (profit/non-profit);
  • Email address;
  • Telephone number (if provided);
  • Interest in Publix offer;
  • Date and time of planned use;
  • Number of people;
  • Information about the event (if provided);
  • Offer and billing address;
  • Information on how you became aware of us (if provided).

We use external contact forms provided by the software solution HubSpot. Only the personal data entered into the contact form will be stored.

Legal Basis: The necessary information such as name, email address, and desired time period is required to process your request and, if necessary, to initiate or perform a contract. The processing of this data is based on Article 6(1)(b) of the GDPR (processing for the performance of a contract or for pre-contractual measures).

The voluntary information helps us to respond to your request more specifically and to evaluate our marketing measures. The processing of this voluntary information is based on our legitimate interest in accordance with Article 6(1)(f) of the GDPR. Our legitimate interest lies in efficient communication, better customer care, and the optimisation of our offer and advertising strategies.

Storage Duration: The data will be stored as long as it is necessary to process the request and, if necessary, for a resulting booking. If no booking is made, the data will generally be deleted no later than 36 months after the end of the communication, unless there are legal retention obligations.

Recipient: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin. HubSpot is our data processor in this context in accordance with Article 28 of the GDPR and is therefore the recipient of your data.

There is a possibility that some of the information collected by HubSpot may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met.

The service provider HubSpot has its headquarters in the USA and is certified for Non-HR Data (DPF). To ensure a comprehensive level of protection, we have agreed on standard contractual clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe.

3.2 Use of the Publix App

With our Publix app, we offer you the possibility to book rooms directly via the app as part of our digital building services, which also enables access to booked rooms and a chat function.

For the mobile Publix app, available via the Google Play Store and the Apple App Store, the following separate notices apply:

For the booking system in the app, we use Thing-it, a cloud-based IoT platform that allows us to manage bookings digitally. The Thing-it platform is operated by Thing Technologies GmbH, Friedrichstraße 68, 10117 Berlin, Germany. Thing-it is our data processor in this context in accordance with Article 28 of the GDPR and is therefore the recipient of your data.

3.2.1 Data Processing When Downloading the Publix App

When downloading this app, certain necessary data about you will be transmitted to the respective app store (e.g., Apple App Store or Google Play).

In particular, when downloading, the email address, username, customer number of the downloading account, individual device identifier, payment information, and the time of download will be transmitted to the app store.

We have no influence on the collection and processing of this data; it is carried out exclusively by the app store you have selected. Accordingly, we are not responsible for this collection and processing; the responsibility lies solely with the app store.

3.2.2 Data Processing When Using the App

The processing of personal data is carried out to provide and manage the booking system, in particular to carry out bookings, control access, manage building use, organise operations, provide technical and organisational support to users, enable communication within the network between users, communicate with the landlord in case of problems, and document and track support processes (e.g., for troubleshooting).

When registering, the following data is processed:

  • Email address;
  • First and last name;
  • (if provided) Photo;
  • Telephone number.

Legal Basis: Article 6(1)(f) of the GDPR (legitimate interest in a secure and efficient building operation).

Storage Duration: The data will be stored as long as it is necessary for building use (e.g., rental or usage period). If there are legal retention periods (e.g., according to the German Commercial Code or the Fiscal Code), the data will be stored until the end of these periods and then deleted.

3.2.3 Room or Apartment Booking

Processed Data Categories: Booking data (email address; first and last name; booking times).

Legal Basis: Article 6(1)(f) of the GDPR (legitimate interest in the efficient organisation of room use and building operation). Additionally, Article 6(1)(b) of the GDPR (performance of a contract, e.g., for external parties/tenants).

Storage Duration: We retain personal data for up to 2 years after the respective booking. If there are legal retention periods (e.g., according to the German Commercial Code or the Fiscal Code), the data will be stored until the end of these periods and then deleted.

3.2.4 Localisation Function

We use a mobile device-based access system, where the building's app (Thing-it) recognises via the smartphone's operating system when a user is within a defined perimeter around the building (geofencing). Once this area is entered, the smartphone is temporarily activated as a digital access token to automatically or manually open the door. There is no permanent location tracking or storage of location data.

The following data categories are processed:

  • Geofencing data of the end device (i.e., the device reports: "I am in the defined area");
  • Device identifier or user ID;
  • Time of geofence triggering.

Legal Basis: The processing of your personal data is based on your consent. You can deactivate the geofencing function at any time in the settings of your device or the app.

Storage Duration: We store the data until the consent is revoked or the processing purpose ceases to exist, unless there are legal retention periods.

3.2.5 Chat Function

As part of our booking system, there is a chat function that serves to establish communication between the user and the landlord in case of problems with the use of the building.

Processed Data Categories:

  • Content of sent messages;
  • Sender data/user identity;
  • Support case-related data (created support tickets).

Legal Basis: Article 6(1)(f) of the GDPR (legitimate interest in efficient communication and support) and, if necessary, Article 6(1)(b) of the GDPR (performance of a contract).

Storage Duration: The data will be stored as long as it is necessary for the use of the building, the processing of support requests, or the fulfilment of contractual obligations, at the latest until the end of the rental or usage relationship. If there are legal retention periods (e.g., according to the German Commercial Code or the Fiscal Code), the data will be stored until the end of these periods and then deleted.

4. Data Processing When Concluding Other Contractual Relationships

We process personal data within the framework of supplier relationships, (cooperation) contracts, and other business relationships.

If Publix commissions you or your employer, for example, as a supplier or business partner, or if such a contractual relationship is initiated, or for the purpose of contacting you, we process the following information:

  • Master data (e.g., salutation, first name, last name, gender, your position in the company);
  • (publicly accessible) data about your company/your employer;
  • Communication data (e.g., business telephone number, email address, business postal address).

The processing of this data is carried out to:

  • Identify you or your company/your employer as our supplier, service provider, or partner;
  • Fulfil legal obligations;
  • Initiate, conclude, and fulfil a contractual relationship with you/your company/your employer;
  • Correspond with you, provided this serves the initiation or fulfilment of the contract;
  • Design operational processes efficiently;
  • For accounting purposes, if a remunerative contractual relationship is established;
  • Safeguard legitimate interests.

Legal Basis: The data processing is necessary for the purposes mentioned above in accordance with Article 6(1)(b) of the GDPR (if you are personally the contracting party or are to become one) or Article 6(1)(f) of the GDPR (if your employer is the contracting party or is to become one).

In the case of a legal obligation to process data, the legal basis arises from national or Union law in conjunction with Article 6(1)(c) of the GDPR.

In certain circumstances, we may need to process your personal data to assert or defend claims; the legal basis is our legitimate interest in accordance with Article 6(1)(f) of the GDPR in efficient legal defence and claim enforcement.

Storage Duration: The personal data we collect will be stored until the aforementioned purposes cease to apply and then deleted, unless we are obliged to store it for a longer period in accordance with Article 6(1)(c) of the GDPR due to legal retention and documentation obligations (e.g., from commercial, criminal, or tax law) or you have consented to storage beyond this in accordance with Article 6(1)(a) of the GDPR.

The provision of your personal data is required if you wish to enter into a contractual relationship with us. If you do not provide your personal data, it will not be possible to establish and execute the contractual relationship.

5. Data Processing When Using Microsoft

5.1 Video Conferences and Webinars Using Microsoft Teams

The following information is provided regarding the personal data processed when you participate in our Teams meetings and webinars.

Note: If you access the Microsoft Teams website, the provider of Microsoft Teams, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland ("Microsoft Ireland") is responsible for data processing. Accessing the website is only necessary to download the software. If you do not want to or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. The service is then provided via the Microsoft Teams website.

Microsoft Teams allows users to chat (chat, channel) and participate in Microsoft Teams meetings. For Teams meetings, you will receive an invitation via your email address; you can join the meeting via a link provided.

When using Microsoft Teams, various types of data are processed. The extent of the data depends on the information you provide before and during the meeting. The following personal data is regularly processed:

  • Information about participants: first name, last name, telephone number (optional), email address, password, profile picture (optional), department (optional);
  • When dialling in by phone: information about the incoming and outgoing phone number, country code;
  • Connection data: start and end time of the meeting, possibly other connection data such as the IP address of the device;
  • Audio and video data: To display video and play audio, data from the microphone of your device and any video camera of the device are processed during the Teams meeting. If this is not desired, you can turn off the camera or mute the microphone at any time via the Teams settings. We use the Teams meetings mode in Microsoft Teams. Audio and video recordings are prevented by our settings. There is generally no recording of the event;
  • Text data: When using the chat, question, or survey functions, the text entries you make are processed to display them in the Teams meeting and, if necessary, to log them.

Legal Basis: The processing is carried out on the basis of Article 6(1)(b) of the GDPR to fulfil a contract. Data that is not necessary for the fulfilment of a contract, of which the respective data subject is a party, is processed on the basis of Article 6(1)(f) of the GDPR, our legitimate interests in the effective conduct of meetings within the framework of our business relationships and online information events on technical topics and about us, as well as in enabling chat messages between participants.

Storage Duration: We store chat content for a period of one year. In 1-to-1 chats, the participants of the chat can start meetings, which users can encrypt end-to-end; we recommend making use of this option. Users can read the chat history afterwards, even without having participated in a meeting, provided the meeting invitation was issued from a team and they are a member of that team. The chat history of meetings can therefore generally be read afterwards.

Recipient: We generally do not pass on personal data that we process in connection with the use of Teams to third parties, unless it is intended for disclosure.

Microsoft Ireland necessarily becomes aware of the above data to the extent provided for in our data processing agreement with Microsoft Teams. Microsoft Ireland reserves the right to process customer data for its own legitimate business purposes. We have no influence on these data processing activities. According to Microsoft Ireland, this includes, for example, IP address, operating system, microphone drivers, jitter value, and all data required for stable and secure operation. According to Microsoft Ireland, personal data within Microsoft Teams is permanently deleted systemically after 90 days. To the extent that Microsoft Teams processes personal data in connection with legitimate business purposes, Microsoft is an independent controller for these data processing activities and is responsible for compliance with all applicable data protection regulations. If you need information about processing by Microsoft Ireland, please refer to the relevant statement from Microsoft.

Data Processing Outside the European Union (EU): Data processing outside the EU generally does not take place, as we have restricted our storage location to data centres in the EU. However, we cannot exclude the possibility that data routing takes place via internet servers located outside the EU. This may be the case, for example, if participants in an online meeting are located in a third country.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met. The service provider has its headquarters in the USA and is certified in accordance with the DPF.

5.2 Use of Microsoft Copilot

As part of our Microsoft 365 Business Standard licence, we use the AI-powered assistant "Microsoft 365 Copilot" ("Microsoft Copilot") to increase the efficiency and productivity of our employees. Copilot assists in the creation, editing, and analysis of content in Microsoft applications such as Word, Excel, Outlook, and PowerPoint.

When using Microsoft Copilot, personal data may be processed, especially if it is contained in documents, emails, or calendar data. The processing is carried out exclusively within the framework of the existing permissions of the respective users and based on the content that can be accessed via Microsoft Graph.

Microsoft states that Microsoft Copilot complies with the General Data Protection Regulation and that the data used via Microsoft Copilot is not used to train the underlying language models (LLMs).

Legal Basis: The processing is carried out on the basis of Article 6(1)(f) of the GDPR (legitimate interest). Our legitimate interest lies in efficient work organisation, supporting employees through automated functions, and optimising internal work processes. If consent is required (e.g., for particularly sensitive data or outside of contractual obligations), the processing is carried out on the basis of Article 6(1)(a) of the GDPR.

Storage Duration: Copilot activities (e.g., inputs and responses generated by Microsoft Copilot) are temporarily stored to provide the functions and improve the user experience. We delete Copilot content after a period of 6 months.

Recipient: The recipient is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland ("Microsoft Ireland").

There is a possibility that some of the information collected by Microsoft Ireland may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met. The service provider has its headquarters in the USA and is certified in accordance with the DPF.

6. Newsletter

We process your personal data when you subscribe to our newsletter. To receive the newsletter, providing an email address is necessary and sufficient. The processing of personal data within the scope of the newsletter is for the purpose of sending information about offers, events, news, or services.

Legal Basis: The processing of the email address and, if provided, the first and last name is based on your consent in accordance with Article 6(1)(a) of the GDPR.

After you submit your subscription, you will first receive an email asking you to confirm your email address by clicking on a link (so-called double opt-in procedure). The double opt-in procedure is a technical measure to ensure that the newsletter subscription is made by the actual owner of the email address. The legal basis for verifying the email address is Article 6(1)(f) of the GDPR, with our legitimate interest being to send email messages only to the actual owner of the email address. Only after this process is completed will we send you our newsletter.

In connection with subscribing to our newsletter, we also process information such as your status (subscribed/blocked), membership in an email list, date and type of registration, IP address(es), information on delivery and so-called bounces or other delivery problems, and the history to manage your subscription and document the subscription process. The legal basis for processing your data in connection with documenting your consent is Article 6(1)(f) of the GDPR. Our legitimate interest is to be able to prove that and how the consent was given if this is disputed.

Storage Duration: We store your personal data in connection with the newsletter as long as you are subscribed to the newsletter. After unsubscribing from the newsletter, your data will be deleted. You can unsubscribe at any time, for example, via a link at the end of each newsletter. Alternatively, you can also declare your wish to unsubscribe by sending us a message (see the contact details in the section "Name and Contact Details of the Controller and the Data Protection Officer").

Recipient: The recipient is the newsletter service provider The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce De Leon Ave NE, Atlanta, Georgia 30308, USA. Rocket Science is our data processor in this context in accordance with Article 28 of the GDPR and is therefore the recipient of your data.

There is a possibility that some of the information collected by Rocket Science may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met.

The service provider Rocket Science has its headquarters in the USA and is not certified (DPF). To ensure a comprehensive level of protection, we have agreed on standard contractual clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe.

7. Video Recordings

We have installed cameras on our premises and in our rooms. We only process video data (no audio recordings). The cameras are fixed and not movable. Access to the video data is highly restricted. The cameras are operated only to the extent necessary to fulfil the purpose of exercising house rights and protecting individuals.

Legal Basis: The processing of image data is based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in exercising our house rights, preventing and investigating crimes, and protecting individuals and property. This is particularly important considering the people working in our building and their specific risk situation. The people working in our building deal daily with sensitive information, vulnerable individuals, and politically sensitive topics. This often leads to hostility and concrete risk situations.

Storage Duration: The video recordings are used exclusively for the purposes mentioned and are generally deleted after a maximum of 72 hours, unless they are needed for evidence or to assert legal claims.

Disclosure to third parties only occurs in individual cases, e.g., to law enforcement authorities within the framework of legal requirements.

Notices about the video recordings are visibly posted on-site.

8. Use of the (Guest) Wi-Fi Network

When you use the provided Wi-Fi network, connection and log data are processed for technical reasons to enable use and ensure the security of the network. This includes data such as MAC address, IP address, time of connection establishment and termination, data volumes transmitted, and, if applicable, logging of security-relevant events. These are processed to ensure the operation and security of the network, prevent misuse, and address disruptions.

Legal Basis: Article 6(1)(f) of the GDPR (legitimate interest in secure network operation).

Storage Duration: Log data is deleted after 7 days, unless security-relevant tracking is required.

9. Data Processing in the Context of Our Own Events

Publix regularly organises events. In the context of these events, personal data of the participants is processed. Specifically, this concerns the following areas:

9.1 Invitation Management

The processing of personal data in the context of invitation management serves the planning, organisation, and execution of events.

We invite people to Publix events in various ways, depending on the occasion and size of the event. There are some formats or events where information reaches the public through various communication channels. In such cases, registration is not required, and therefore no personal data is processed.

For other events, registration is necessary.

One method involves registration through a registration window. We use the software solution HubSpot, through which we provide a link to register for our events. If you register for one of our events on our website, via email, or through an invitation link we send you, we process your personal data to the extent necessary for the organisation, execution, and follow-up of the event. We collect the following data from you: email address, first name, and last name.

For some events, we use the software solution "pretix" from the event-specialised company rami.io GmbH. The service provider may have access to your data to analyse technical problems and respond to support requests. If you register for events managed through the pretix cloud solution, you enter the following personal data in the registration form:

  • Email address;
  • First name, last name;
  • Company/organisation;
  • Address;
  • For paid events, the billing address.

Legal Basis: For non-paid events, the legal basis is Article 6(1)(f) of the GDPR, our legitimate interests being the efficient management of participants, the smooth execution of the event, and access control to grant entry only to invited guests. For paid events, the legal basis is Article 6(1)(b) of the GDPR, the underlying contract.

The provision of your data is required for participation in the event, and you are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute the contract.

Storage Duration: We store your data for the duration of the organisation (including the corresponding preparation and follow-up) of the respective event. Any existing legal retention obligations remain unaffected. Within 3 months after the conclusion of the event, the participant data will be deleted.

Recipient:

  • HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin;
  • The software company rami.io GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg, Germany, which developed the product pretix.

Both companies are our data processors in this context in accordance with Article 28 of the GDPR and are therefore the recipients of your data.

When you order a ticket, pretix uses cookies to improve the ordering process and remember which shopping cart belongs to you. We do not store IP addresses, browser information, or other unnecessary metadata beyond the duration of your request. If you pay for your ticket through a payment provider such as PayPal, Stripe, Mollie, or Sofortüberweisung, pretix only transmits the absolutely necessary data to the respective payment service provider.

Data Processing Outside the European Union (EU): There is a possibility that some of the information collected by HubSpot may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met.

The service provider HubSpot has its headquarters in the USA and is certified for Non-HR Data (DPF). To ensure a comprehensive level of protection, we have agreed on standard contractual clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe.

9.2 Access Control

The data entered into the ticket system (pretix) is initially incorporated into the guest list. Once the guest list is finalised, you will receive a ticket generated by pretix with your first and last name and a QR code, which you can use to legitimise yourself at the entrance to the event. To grant you access, we scan your QR code on the day of the event and ask you to identify yourself. You will be granted access once the system confirms that you are on the guest list and can identify yourself. The system records that and when you checked in. Billing is done directly through the online tool. In this process, the following personal data is processed:

  • Ticket code with ticket status (valid, invalid, already redeemed);
  • Event details (title, date, time);
  • Name of the booking person;
  • Time of the scan process (entry time).

The processing of this data serves to verify the validity of the ticket, control access to the event, and, if necessary, document attendance for organisational reasons.

Legal Basis: For non-paid events, the legal basis is Article 6(1)(f) of the GDPR, our legitimate interests being the efficient management of participants, the smooth execution of the event, and access control to grant entry only to invited guests (exercising our house rights). For paid events, the legal basis is Article 6(1)(b) of the GDPR, the underlying contract.

Storage Duration: We store your data for the duration of the organisation (including the corresponding preparation and follow-up) of the respective event. Any existing legal retention obligations remain unaffected. Within 3 months after the conclusion of the event, your data will be deleted from pretix.

Recipient: The software company rami.io GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg, Germany, which developed the product pretix. Rami.io is our data processor in this context in accordance with Article 28 of the GDPR and is therefore the recipient of your data.

9.3 Photo/Video Recordings at Events

On the occasion of events, we take photos and video recordings and publish them afterwards. The recordings serve public relations on the Publix website, in social media (Instagram, LinkedIn, Mastodon, YouTube), press releases, and the documentation of the event online and offline.

Legal Basis: The processing serves the legitimate interest of Publix in public relations, making Publix's activities visible, and documenting the event in accordance with Article 6(1)(f) of the GDPR.

Storage Duration: If the data subject objects to published photos and there are no overriding reasons on the part of Publix for further processing of the photos, they will be deleted immediately. Otherwise, the photos will be deleted as soon as they are no longer needed for the purposes for which they were created.

Recipient: A selection of the images is sometimes sent to sponsors, partners, and representatives of the press for journalistic and editorial purposes.

9.4 Presentation of Stage Guests at Events

In the context of preparing and conducting our events, we introduce stage guests as part of the event promotion. This includes the publication of information about the stage guests, such as name, function, title, and possibly photo or short biographical information, on our communication channels (e.g., website, social media channels, newsletter, event flyer).

Legal Basis: The processing is based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in promoting the event and informing the public about the content, participants, and schedule of the event. Additionally, the presentation of stage guests for promotional purposes can also be derived as a legitimate interest from the contract with the stage guests.

Storage Duration: The data is stored only as long as it is necessary for the planning, execution, and follow-up of the event, unless there are legal retention obligations.

Recipient: The personal data collected in connection with the organisation and execution of the events is stored by us in "ClickUp," a cloud-based organisation and project management tool. The provider, Mango Technologies, Inc. (doing business as ClickUp), 350 Tenth Avenue, Suite 500, San Diego, CA 92101, USA, acts as a data processor in accordance with Article 28 of the GDPR.

There is a possibility that some of the information collected by ClickUp may also be processed outside the European Union in the USA. The USA is considered a third country in terms of data protection.

If a decision by the European Commission on the existence of an adequate level of protection (cf. Article 45(3) of the GDPR) exists in a third country, no additional measures are required for data transfer. In the case of data transfer to recipients based in the USA, this is based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided the recipient is certified accordingly. A list of currently certified companies can be found here. In other cases, as well as for data transfers to other so-called non-secure third countries, data transfer only takes place if the requirements of Articles 46 et seq. of the GDPR are met.

ClickUp is not certified under the DPF. Therefore, we have agreed on standard contractual clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe.

10. Data Processing in the Application Process

The data you submit as part of your application for our job offers is transmitted via TLS encryption and stored in a database. We use the personnel management and applicant management software "Personio" from the provider Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany. We have integrated an application form on our website via Personio.

Personio is our data processor in this context in accordance with Article 28 of the GDPR and is therefore the recipient of your data.

We process the data you provide to us with your application for a position at Publix (e.g., with your cover letter, CV, and certificates). Mandatory information that we need to decide on your application is marked accordingly in the input mask. This usually includes name, first name, contact details, availability, and salary expectations, as well as cover letter and CV. Without this information, we cannot consider your application.

Legal Basis: The legal basis for processing your personal data is Article 6(1)(b) of the GDPR. The data processing is necessary for the decision on the establishment of an employment relationship. If special categories of personal data are processed (e.g., health data), we process them for reasons of labour law, social security law, or social protection in accordance with Article 6(1)(b) in conjunction with Article 9(2)(b) of the GDPR.

After the application process is completed, further data processing may either be based on your consent or may be necessary for legal prosecution, in which case the legal basis is Article 6(1)(f) of the GDPR, our legitimate interest in asserting or defending claims.

Storage Duration: The data we collect will be stored until the aforementioned purposes cease to apply and then deleted, unless we are obliged to store it for a longer period in accordance with Article 6(1)(c) of the GDPR due to legal retention and documentation obligations (e.g., from commercial, criminal, or tax law).

If you have consented to further storage, we will include your data in our applicant pool. The data will be deleted after two years.

In the case of an unsuccessful application, the data will generally be deleted six months after the conclusion of the process, unless there are longer retention obligations in individual cases (e.g., for any receipts for travel expense reimbursement) or storage beyond this is necessary to defend against legal claims.

11. Disclosure of Your Personal Data

We only disclose your data if we are legally permitted to do so. We may disclose your data as follows, unless already specifically mentioned above:

  • We use a software company as a data processor for our contract management. The data processor is DocuSign Germany GmbH, Mies-van-der-Rohe-Straße 6, 80807 Munich, Germany.
  • For our accounting, we use DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nuremberg, Germany, and visual4 GmbH, Schreiberstr. 27, 70199 Stuttgart, Germany, as data processors.
  • Public authorities, particularly tax authorities, may receive data if this is necessary to fulfil a legal obligation. The legal basis for the disclosure is Article 6(1)(c) of the GDPR in conjunction with the respective regulation.
  • In connection with the operation of our company, data may be disclosed to, e.g., auditors, banks, insurers, tax advisors, legal advisors, data protection officers, supervisory authorities, or other entities. The legal basis for the disclosure is Article 6(1)(b) or (f) of the GDPR.
  • We may transfer your data to document/data destruction companies.
  • We may transfer your address data to logistics companies for shipping purposes.
  • If there is suspicion of a criminal offence, we may disclose your data to law enforcement authorities (e.g., police, public prosecutor's office).

12. Your Rights

As a data subject, you have the following rights, provided the respective legal requirements are met:

  • Right of access (Article 15 of the GDPR)
  • Right to rectification (Article 16 of the GDPR)
  • Right to erasure (Article 17 of the GDPR)
  • Right to restriction of processing (Article 18 of the GDPR)
  • Right to data portability (Article 20 of the GDPR)

Additionally, under Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority of your choice regarding our data processing. Our headquarters are in Lörrach. The supervisory authority responsible for us is: The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart.

Furthermore, you have the right to object (Article 21 of the GDPR) if we process data based on Article 6(1)(f) of the GDPR. Please note that for data processing for purposes other than direct marketing, you must provide reasons arising from your particular situation. You can lodge your objection by sending us a message (see the contact details in the section "Name and Contact Details of the Controller and the Data Protection Officer").

If we process data concerning you based on your consent, you can withdraw your consent with effect for the future. You can declare your withdrawal by sending us a message (see the contact details in the section "Name and Contact Details of the Controller and the Data Protection Officer").
