We, LUY GmbH, are certain that you should have absolute control over your data. We therefore take the protection of your personal data very seriously and adhere strictly to all data protection laws. The following data protection declaration gives an overview of how we ensure this protection, what kind of data we collect (and for what purpose) and what your rights are regarding your personal data.

Should you have any questions regarding data protection, feel free to contact us at any time.

Any changes that we make in future to the “Data Protection Declaration of LUY GmbH” will be posted on this page.

This data protection declaration came into force on 16.11.2023.

Responsible entity

Company:
LUY GmbH

Street, building no.:
St.-Martin-Str. 114

Postcode, city:
81669 München

Commercial register number:
HRB 287 093

Directors:
Manuel Deil, Alexander Youssef

Telephone number:
+49 89 27372633 - 0

E-mail address:
contact@luy.eu

Data protection officer

You can contact our data protection officer via the e-mail address privacy@luy.eu.

1. Essential information on data processing and its legal basis

1.1. This data protection declaration explains the nature, scope and purpose of the processing of personal data within the scope of our web pages, functions and contents (hereinafter jointly referred to as the “website”). This data protection declaration applies irrespective of the domains, systems, platforms and devices (e.g., desktop or mobile) on which the online offer is executed.

1.2. The terms used, such as “personal data” or their “processing”, refer to the definitions contained in Art. 4 General Data Protection Regulation (GDPR).

1.3. The personal data of users processed within the framework of the online offer includes usage data (browser type and version, operating system used, the URL of the previously visited site, the IP address of the accessing computer and the time of the enquiry), as well as the content details (e.g., entries made on the application form).

1.4. The term “user” covers all categories of the data subjects. These include our business partners, customers, interested parties and other browsers of our online offer. The terms used, such as “user”, should be understood as being gender neutral.

1.5. We process users' personal data exclusively in compliance with the relevant data protection regulations. This means that user data will be processed only if legal permission has been granted, in particular if data processing is required by law, if user consent has been obtained, and also on the basis of our legitimate interests (i.e. an interest in the analysis, optimization and efficient operation and security of our online service as defined in Art. 6(1)(f) GDPR, in particular, when measuring reach, creating profiles for advertising and marketing purposes, and when collecting access data and using the services of third parties).

1.6. We would like to point out that a legal basis is established either by consent, by the need for processing in order to render our services and implement our contractual measures, by the need for processing in order to fulfill our legal obligations, or by the need for processing in order to protect our legitimate interests (Art. 6(1)(a) and Art. 7 GDPR).

1.7. Which sources and data do we use? We process the personal data of customers, suppliers, interested parties, applicants and employees. We process this data in the context of business relations, application procedures or employment relationships. We also use data from publicly accessible sources, the processing of which is permissible. The legal basis is the fulfilment of (pre-)contractual obligations, a legitimate interest, a legal provision or an existing consent as provided by the person concerned.

2. Security measures

2.1. We take organizational, contractual, and technical security measures in line with state-of-the-art technological standards, in order to ensure that the regulations set out under data protection laws are observed and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons.

2.2. The security measures include, in particular, the encrypted transmission of data between your browser and our server.

You've discovered a gap in our security? Please write to us at security@luy.eu. We will contact you as soon as possible. For encrypted contact, you can also use our certificate.

2.3. As the security team at LUY, we take care of your online security. If you have any complaints about the misuse of our (or your) network access, or if you receive spam from one of our addresses, please get in touch by e-mail via abuse@luy.eu.

3. Transfer of data to third parties and third-party providers

3.1. Data will be passed on to third parties only within the scope of statutory requirements. We will pass on user data to third parties only if this is deemed necessary for contractual purposes, e.g., on the basis of Art. 6(1)(b) GDPR or on the basis of a justified interest in accordance with Art. 6 (1)(f) GDPR, and the efficient and effective operation of our business operations.

3.2. If we use subcontractors to render our services, we take appropriate legal precautions, as well as appropriate technical and organizational measures, to ensure that personal data are protected in accordance with the relevant statutory provisions.

3.3. If contents, tools or other resources from other providers (hereinafter referred to jointly as “third-party providers”) are used within the scope of this data protection declaration, these are transferred only to countries with an appropriate level of data protection and to countries that fall within the scope of the GDPR.

4. Online application

4.1. Applicant management: for our online application form and applicant management, we use the platform from the service provider Talention (TFI GmbH, Delphiplatz 1, 42119 Wuppertal, Germany) to ensure fast and secure processing when recruiting new employees. For this purpose, we have concluded a contract processing agreement with the provider in which the provider undertakes to comply with all data protection regulations and to process the data only in accordance with our instructions and only for the corresponding purpose.

4.2. With regard to applicant data that we receive (by post, e-mail or online), our technical and organisational measures ensure that your personal data is treated confidentially and in line with statutory requirements. Following the completion of the application procedure, your data will be deleted, unless you agree to its storage over a longer period of time. Deletion takes place after four months (due to compliance with deadlines for possible legal action as per the General Equal Treatment Act [AGG]).

4.3. init(U) – Application entry via app for recruiting events

The app can be used to collect data from interested parties, in order to initiate an application process. This includes a person’s name, e-mail address, gender, photo, a self-assessment of technical skills and, if appropriate, application documents.

This data is

(a) stored on an internal system and remains accessible only to authorised persons.

b) transferred to the Applicant Management System of our service provider, Talention.

All data will be deleted after four months, unless the interested party explicitly consents to its storage for a longer time for the purpose of establishing contact at a later date. In this 

5. Google Analytics

5.1. We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

5.2. Google uses cookies. The information generated by the cookie about users' use of the online service is transmitted to Google's servers and processed there. This can also include transmissions to Google LLC based in the USA.

Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports on the activities within this online service, and to provide us with further services associated with the use of this online service and the internet. Pseudonymous user profiles can be created from the processed data.

5.3. We use Google Analytics 3 with activated IP anonymization. This means that the IP address of the users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

5.4. The IP address transmitted by the user's browser is not merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly. Additionally, users can prevent the collection of data generated by the cookie and related to their use of the online offer to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

5.5. You can prevent the collection of your data by Google Analytics by revoking your consent to the use of cookies here: /de/cookies/

5.6. You can find further information on the use of data by Google, as well as the settings and objection options available, on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use websites or apps of our partners”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Manage information that Google uses to serve ads to you”).

5.7. We use Google Tag Manager. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not collect personal information. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has occurred at domain- or cookie level, it will persist for all tracking tags implemented with Google Tag Manager. https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/

5.8. In addition, we use the data collected by Google Analytics as part of Google Optimize. Among other things, so-called A/B tests are used to analyze the use of different variants of our websites in Google Optimize. This allows us to better understand the behavior of our users and make the websites more user-friendly.

6. Cookiebot (Cookie Consent Tool)

Our website uses the Cookie Consent Tool “Cookiebot” to obtain your consent to the storage of certain cookies in your browser and to document these in accordance with data protection regulations. Cookiebot is operated by Cybot A/S, 1058 Copenhagen, Denmark.

When you enter our website, a Cookiebot cookie is stored in your browser, in which the consents you have issued (or your revocation thereof) are stored.

The Cookiebot-Consent-Technology is used to obtain the legally required consent for the use of cookies. Data processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in providing a cookie consent management service for website visitors.

For more information on the handling of the transferred data, please refer to the data protection declaration from cookiebot.com: https://www.cookiebot.com/de/privacy-policy/

7. Matomo 

7.1. Description and scope of data processing

Our website uses the web analysis service software Matomo (www.matomo.org) to collect and store data for marketing and optimization purposes. This data is used to create user profiles under a pseudonym; cookies are used for this purpose. Cookies are small text files that are stored locally in the cache of the website visitor's Internet browser. Cookies make it possible to recognize the Internet browser. The data collected using Matomo technology (including your anonymized IP address) is transferred to our server and stored for usage analysis purposes, which helps us to optimize our website. The information generated by the cookie in the pseudonymous user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym. You can prevent the use of cookies and thus participation in tracking by setting your browser software accordingly, but in this case you may not be able to use all the functions of this website to their full extent.

7.2. Legal basis

The legal basis for the processing of users' personal data is Art. 6 (1) f) GDPR.

7.3. Purpose of data processing

The processing of users' personal data enables us to analyze the surfing behavior of our users. By analyzing the data obtained, we are able to compile information about the use of the individual components of the website. This helps us to constantly improve the website and its user-friendliness. These purposes also constitute the legitimate interest in processing the data in accordance with Art. 6 para. 1 f) GDPR. By anonymizing the IP address, the interest of users in the protection of their personal data is adequately taken into account.

7.4. Duration of storage 

The data is deleted as soon as it is no longer required for recording purposes.

7.5. Possibility of objection and removal 

Cookies are stored on the user's computer and transmitted by it to our website. You therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent. 

You can find more information on the privacy settings of the Matomo software at the following link: https://matomo.org/docs/privacy/.

8. Social Media

Our online presence does not use embedded social media functions. We simply link to offers of external providers. When calling up a linked page, their data protection provisions apply accordingly.

9. Cookies

You will find further information on, among other things, how cookies work, the purpose, scope and legal basis of data processing and the possibility of revocation here.

10. User rights

10.1. Right to the disclosure of information: Users have the right to request the disclosure, free of charge, of information on the personal data we have stored on them.

10.2. Right of rectification: In addition, users have the right to correct inaccurate data, to restrict the processing and deletion of their personal data and, where applicable, to exercise their rights to data portability.

10.3. Right of revocation: Users may also revoke their consent, in principle with effect for the future. This revocation must be sent to the data protection officer.

10.4. Right of appeal: In the event of a violation of the GDPR, those affected have a right of appeal vis-a-vis the competent supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies.

11. Deletion of data

The data stored with us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory storage obligations. To the extent that user data is not deleted because it is required for other (and legally permissible) purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax-related reasons.

12. Right of objection

Users can object at any time, in accordance with statutory requirements, to the future processing of their personal data. This objection may be made, in particular, against processing for direct marketing purposes. Any objection should be directed to the responsible data controller.

13. Changes to the data protection declaration

We reserve the right to amend this data protection declaration to align with changes in legislation or should there be any changes to our service and the associated data processing. However, this applies only with regard to declarations on data processing. To the extent that user consent is required, or if components of the data protection declaration contain provisions of a contractual relationship with the users, changes will be made only with the consent of users.

Users are asked to update their understanding regarding the content of this data protection regulation at regular intervals.

Munich, 16.11.2023
Executive Management