Privacy policy

GPN – Global Private Network Telecommunication GmbH
Richard-Strauss-Straße 43, 1230 Vienna

Table of contents

§ 1 Legal Nature of the Statement
§ 2 Applicable legal provisions
§ 3 Termination

Article 1 – Transparency of data processing
§ 4 Informationspflicht
§ 5 Inhalt und Gestaltung der Information
§ 6 Verfügbarkeit von Informationen
§ 7 Einwilligung

Article 2 – Earmarking
§ 8 Principle
§ 9 Prohibition of tying

Article 3 – Special data processing cases
§ Section 10 Direct marketing
§ Section 11 Automated individual decisions
§ 12 Special types of personal data

Article 4 – Data quality, data economy and data avoidance
§ 13 Data quality
§ 14 Data economy, data avoidance, anonymisation and pseudonymisation
§ 15 Profiling, statistical analysis
§ 16 Data archiving

Article 5 – Restriction of disclosure
§ 17 Disclosure of data to third parties
§ 18 Responsibility
§ 19 Data processing on behalf

Article 6 – Data Protection Organisation and Data Security
§ 20 Data protection officers
§ 21 Reviews of the level of data protection
§ 22 Technical, organisational and staff-related measures

Article 7 – Rights of data subjects
§ 23 Question and right of appeal
§ 24 Right of access
§ 25 Right to object/right to erasure/blocking
§ 26 Right to rectification
§ 27 Right to clarification and comment
§ 28 Exercise of the rights of the data subject

Article 8 – Process Management/Data Protection Responsibilities
§ 29 Responsibility for Data Processing
§ 30 Coordination by the Chief Officer Corporate Data Protection
§ 31 Duty to monitor and advise
§ 32 Employee Training and Obligations
§ 33 Cooperation with supervisory authorities

Article 9 – Cookies, tracking and external services
§ 34 Google reCAPTCHA
§ 35 Google Maps
§ 36 Google Analytics
§ 37 Google Ads Conversion Tracking

Article 10 – Terms and definitions
Data protection and data security for customers and users have a high priority for GPN – Global Private Network Telecommunication GmbH (hereinafter referred to as “GPN Telecom”) worldwide. Therefore, the protection of personal data during all business processes is also very important to us. You can find more information about our data protection principles in the Privacy Statement of GPN Telecom GmbH (*.pdf).

This data protection statement explains what information we collect at GPN Telecom GmbH – during your visit to our websites – and how this information is used. However, it does not apply to websites of companies that do not belong to the GPN Telecom GmbH company, even if these external websites have a link to this or another GPN Telecom GmbH website. If you would like information about the collection and processing of personal data by specific companies in the GPN Telecom GmbH group, please contact GPN Telecom GmbH directly using their contact details.

Collection and processing of personal data

When you visit our websites, our web server temporarily records the domain name or IP address of the requesting computer as well as the access date, the client’s file request (file name and URL), the HTTP response code and the website from which you are visiting us as well as the number of bytes transferred during the connection for the purpose of system security. We may store some information in the form of so-called “cookies” on your PC so that we can optimise our website according to your preferences. Additional personal data such as name, address, telephone number or e-mail address is not collected unless you provide this information voluntarily, for example as part of an online order for a product or service, a survey, a competition or a request for information. Personal data collected during a visit to GPN Telecom GmbH websites is processed exclusively in accordance with the legal provisions of the country in which the company concerned is based.

Use and disclosure of personal data

We only use your personal data for the purpose of technical administration of the websites and to fulfil your wishes and requirements. Only if you have given us your prior consent will we also use this data for product-related surveys and marketing purposes – but only to the extent necessary for each specific case. We will only disclose data to government agencies if required by law. Our employees and our offices are obliged to maintain confidentiality.

Freedom of choice for the customer

We like to contact customers about offers and news on products and services. When you register on our websites or order services and products, we will ask you to indicate whether you would like to receive direct advertising communications. Of course, as a customer of GPN Telecom GmbH, you will continue to receive the necessary information about important changes in connection with existing service contracts (e.g. tariff changes) regardless of this consent.

Freedom of information

Upon written request, we will be happy to inform you which data we have stored about you (e.g. name, address).


To protect your personal data held by us from unauthorised access and misuse, we have taken extensive technical and operational security precautions. Our security procedures are regularly reviewed and adapted to technological progress.


If you wish to have data corrected or deleted, or if you have any other questions or suggestions regarding data protection, please use any of our contact options with GPN Telecom GmbH.

Privacy Statement (guideline) for the protection of personal rights in the handling of personal data at GPN Telecom GmbH


(1) Due to the increasing networking of information and communication systems, the protection of personal data of customers, sales partners, employees and interested parties is a significant concern of GPN Telecom GmbH worldwide.

(2) The essential objective of this guideline is therefore to create a globally uniform and high level of data protection within GPN Telecom GmbH. In particular, in the case of transnational data flows, it must be ensured that personal data are processed at the recipient in accordance with the data protection principles that apply to the transmitting agency.

(3) GPN Telecom GmbH is aware that the success of GPN Telecom GmbH as a whole depends not only on the global networking of information flows, but above all on the trustworthy and secure handling of personal data.

(4) In many areas, the GPN Telecom GmbH Group is perceived as a single unit from the perspective of its customers. It is therefore the common concern of the companies of GPN Telecom to make an important contribution to the joint entrepreneurial success by implementing this guideline and to support the claim of GPN Telecom GmbH as a provider of high-quality products and services.



§ 1 Legal nature of the statement

This statement is a policy that is binding for the entire GPN Telecom GmbH Group and comes into force upon adoption and publication by the company management. It applies to the handling of all personal data of natural persons, in particular data of customers, employees and other third parties as well as contractual or business partners.

§ 2 Applicable legal provisions

(1) The following principles are intended to ensure a uniformly high level of data protection throughout the GPN Telecom GmbH Sales Department Group. However, they do not replace the necessary, possibly legal legitimation that must underlie the respective handling of personal data. Existing obligations and regulations for individual companies regarding the processing and use of personal data that go beyond the following principles or contain additional restrictions for the processing and use of personal data remain unaffected by this Privacy Statement.

(2) For data collected in Europe, processing – even in the case of transmission abroad – shall be governed by the legal provisions of the state in which the data were collected.

(3) The collection of personal data and its transmission to government agencies shall be carried out – insofar as not within the scope of a normal customer contractual relationship – in accordance with the mandatory statutory regulations of a country.

(4) This Privacy Statement is otherwise governed by the laws of the Republic of Austria.

§3 Termination

Termination or cancellation of the Privacy Statement – regardless of the time, circumstances and reasons – does not release the companies from the obligations and/or regulations of this Privacy Statement concerning the processing of data already transferred.



Article 1 – Transparency of data processing

§ 4 Duty to inform

The data subjects must be informed about the handling of their personal data in an easily accessible manner, for example by posting the Privacy Policy and this statement on the Internet on the GPN Telecom GmbH website.

§ 5 Content and design of the information

(1) The persons concerned shall be adequately informed about the following:

a) the identity of the controller and its contact address.

b) the intended scope and purpose of the data collection, processing and/or use. The information should indicate which data are stored and/or processed/used, why and for how long.

c) if personal data is disclosed to third parties, to whom and to what extent and for what purpose this disclosure is made.

d) on the manner of data processing and/or use, in particular also if the processing or use is to take place abroad.

(2) Regardless of the medium chosen, this information should be given to data subjects in a clear and easily understandable manner.

§ 6 Availability of information

The information must be available to the data subjects when the data is first collected and thereafter whenever needed.

§ 7 Consent

(1) If the collection, processing or use of the data is not required for the purpose of initiating or fulfilling a contract or if there is no legal permission, the consent of the data subject shall be obtained at the latest at the beginning of the collection, processing or use of the data.

(2) In addition to the information obligations from the above points, the following must be observed when giving consent:

a) Content
Consent must be explicit, voluntary and based on an informed basis which informs the data subject in particular of the scope of the consent, but also of the consequences of non-consent. The wording of declarations of consent must be sufficiently specific and inform the data subject of his or her right to withdraw at any time.

b) Formal requirements
Consent must be obtained in a form appropriate to the circumstances (usually in writing or electronically). In exceptional cases, it may be given orally if the fact of consent and the special circumstances that make oral consent appropriate are adequately documented.

Article 2 – Earmarking

§ 8 Principle

Personal data may only be used for the purposes for which it was originally collected.

§ 9 Prohibition of tying

The use of services or the receipt of products and/or services may not be made dependent on the data subject consenting to the use of his or her data for purposes other than those of establishing and fulfilling the contract. This shall only apply if the data subject is unable to use comparable services or products or is unable to do so in a reasonable manner.

Article 3 – Special data processing cases

§ 10 Direct marketing

(1) Data subjects shall be informed that they may object at any time to the use of their personal data for direct marketing purposes. They shall also be informed of the nature, content and period of time during which their data may be used for direct marketing purposes.

(2) Data subjects shall be informed of their right to object whenever they receive direct marketing promotional materials. Furthermore, data subjects shall be provided with adequate possibilities to exercise their right to object with regard to such advertising materials, in particular, they shall be provided with information on the body to which the objection should be addressed.

(3) Special statutory provisions pursuant to § 2 para. 1 sentence 2 of this Privacy Statement, which make the use of personal data dependent on the consent of the data subject, shall have priority.

§ 11 Automated individual decisions

(1) Decisions which evaluate individual aspects of a person and which are likely to result in legal effects for the data subjects or significantly affect them shall not be based solely on automated processing. This includes, in particular, decisions for which data on the creditworthiness, professional performance or state of health of the data subject are relevant.

(2) If there is an objective need to make automated decisions in an individual case, the data subject shall be informed without delay of the result of the automated decision and shall be given the opportunity to comment within a reasonable period of time. His or her opinion shall be duly taken into account before a final decision is taken.

§ 12 Special types of personal data

(1).The processing of special categories of personal data shall be permitted only where there is explicit legal authorisation or the prior consent of the data subject. It may also be carried out where the processing is necessary in order to comply with the rights and obligations of the controller in the field of employment law, provided that this is permitted by national law which provides for adequate safeguards.

(2) Prior to the commencement of any such collection, processing or use, the data protection department of the company concerned shall be duly consulted in writing, where necessary. In particular, the nature, scope, purpose, necessity and legal basis of the use of the data should be considered.

Article 4 – Data quality, data minimisation and data avoidance

§ 13 Data quality

(1) Personal data must be correct at all times and, if necessary, kept up to date (data quality).

(2) Reasonable steps shall be taken to ensure that inaccurate or incomplete data are erased or, where appropriate, rectified, having regard to the purposes for which the data were collected, processed or used.

§ 14 Data economy, data avoidance, anonymisation and pseudonymisation

(1) Personal data must be adequate and relevant, taking into account the purpose of their use, and must not exceed the necessary scope (data economy). Data may only be processed within the scope of a specific application if this is necessary (data avoidance).

(2) Where possible and economically reasonable, procedures shall be used to delete the identification features of the data subjects (anonymisation) or to replace the identification features with other identifiers (pseudonymisation). Anonymisation and pseudonymisation shall be carried out in such a way that the actual identity of the data subject cannot be re-established or can only be re-established with disproportionate effort.

§ 15 Profiling, statistical evaluations

(1) Organisational and technical measures that correspond to the current state of applied concepts and technology shall ensure that profiling (e.g. movement profiles, user profiles, consumption profiles) is excluded unless it is expressly permitted by law or the data subject has consented.

(2) Purely statistical evaluations or investigations on the basis of anonymised or pseudonymised data shall remain unaffected.

§ 16 Data archiving

When creating data archiving concepts, the principles of data processing, in particular data economy and data avoidance, must be taken into account. Personal data must not be archived without the express consent of the data subject unless it is operationally necessary or required by law.

Article 5 – Restriction of disclosure

§ 17 Disclosure of data to third parties

(1) The disclosure of personal data to a third party requires a legal basis. This can also result from the fulfilment of a contractual obligation towards the data subject or from his/her consent.

(2) Paragraph 1 shall not apply insofar as national provisions exist, in particular for reasons of State security, national defence, public security and the prevention, investigation, detection and prosecution of criminal offences, which expressly provide for the disclosure of personal data for these purposes.

§ 18 Responsibility

(1) When transferring data to third parties that are not public bodies, the company that originally collected the personal data shall ensure that it is processed or used lawfully. Accordingly, appropriate data protection and data security measures must already be discussed and agreed with the recipient prior to the transfer of data. Insofar as agreements are concluded with entities in countries without an adequate level of data protection, sufficient guarantees must be ensured with regard to the protection of the right to privacy and the exercise of related rights.

(2) On the basis of generally accepted standards, appropriate technical and organisational measures shall be taken to ensure the integrity and security of the data during their transmission to a third party.

§ 19 Data processing on behalf

(1) If a subcontractor acts on behalf of an undertaking, in addition to the services to be provided, the contract shall also refer to the obligations of the subcontractor as a data processor. These obligations shall regulate the instructions of the enterprise (the data controller) regarding the manner of processing the personal data, the purpose of the processing and the necessary technical and organisational measures to protect the data. § Section 18 (1) sentence 3 of this Privacy Statement shall apply accordingly.

(2) The contractor may not use the personal data for its own or third party purposes without the prior consent of the controller. In the latter case, the above regulations must also be agreed with the subcontractor(s).

(3) Subcontractors shall be selected on the basis of their ability to meet the above requirements.

Article 6 – Data protection organisation and data security

§ 20 Data Protection Officer

(1) An independent data protection officer shall be appointed in the companies whose task it is to ensure that the various organisational units are advised on the legal and/or internal company requirements or the principles of data protection.

(2) The Data Protection Officer shall be involved at an early stage in the development of new products and services to ensure that they comply with the principles set out in this Privacy Statement.

§ 21 Reviews of the level of data protection

Reviews of the level of data protection (e.g. through data protection audits) should be carried out at regular intervals in order to check the effectiveness and success of the technical and organisational measures introduced to protect data. Data protection audits can be carried out internally by the Data Protection Officer or other organisational units with an audit mandate, or – in consultation with the Data Protection Officer – by an independent, external third party. The basis for determining the level of data protection are the legal and corporate policy requirements applicable to the respective organisational unit as well as the requirements from this guideline.

§ 22 Technical, organisational and employee-related measures

Appropriate confidentiality obligations must be agreed in writing with each employee when they start working for the company. In addition, appropriate technical and organisational measures must be taken for company processes and IT systems when handling personal data.

These measures include:

a) deny unauthorised persons access to data processing equipment with which personal data are processed or used (access control),

b) prevent data processing systems from being used by unauthorised persons (access control),

c) ensure that persons authorised to use a data processing system have access only to the data to which they are authorised to have access and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage (access control),

d) ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during transport or storage on data media, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment (control of disclosure),

e) ensure that it is possible to verify and establish ex post whether and by whom personal data have been input into, modified or removed from data processing systems (input control),

f) ensure that personal data processed under contract can only be processed in accordance with the instructions of the principal (control of the contractor),

g) ensure that personal data are protected against accidental destruction or loss (availability control),

h) ensure that data collected for different purposes can be processed separately (separation requirement).

Article 7 – Rights of data subjects

§ 23 Right of question and appeal

Every data subject has the right to contact the data protection department of the relevant company at any time with questions and complaints regarding the application of this Privacy Statement.

Unless otherwise specified below, all companies with which the data subject has a contractual relationship or where his/her personal data are processed are competent for the purposes of these regulations. The company to which the data subject has turned shall ensure the implementation of the data subject’s rights with the other competent companies.

§ 24 Right to information

(1) Any data subject may at any time request information from the responsible company on:

a) the personal data stored about him/her, including its origin and recipients;

b) the purpose of the processing or use;

c) the persons and bodies to whom his or her data are regularly transmitted, in particular insofar as transmission abroad is concerned,

d) the provisions of this Statement

(2) The information shall be provided to the data subject in an understandable form within a reasonable period of time. As a rule, it shall be provided in writing or electronically.

(3) The undertakings may charge a fee for the provision of information if and to the extent that this is permissible under the respective Land law.

§ 25 Right of objection/right of deletion/blocking

(1) The data subject may object to the competent company to the use of his/her data if he/she has a right to object.

(2) The right to object shall also apply in the event that the data subject had previously given his/her consent to the use of his/her data.

(3) Justified requests for deletion/blocking of data shall be complied with immediately. Such a request shall be justified in particular if the legal basis for the use of the data has ceased to exist.

If there is a right to delete the data, but deletion is not possible or unreasonable, the data shall be blocked for non-permissible uses. Statutory retention periods must be observed.

§ 26 Right of rectification

The data subject may at any time request the responsible company to correct the data stored about him or her if it is incomplete and/or incorrect.

§ 27 Right to clarification and opinion

(1) If a data subject claims that his or her rights have been violated by unauthorised data processing, in particular in the form of a breach of this Privacy Statement, the competent companies shall investigate the facts without undue delay. They shall cooperate closely and grant each other access to all information necessary to establish the facts.

(2) The competent data protection department of the company with the greatest proximity to the subject shall coordinate all relevant correspondence with the data subject.

§ 28 Exercise of the rights of the data subject

Data subjects must not be disadvantaged because of the use of the rights described here. The manner of communication with the data subject – e.g. by telephone, electronically or in writing – should, as far as appropriate, be in accordance with the data subject’s wishes.

Article 8 – Process management/data protection responsibilities

§ 29 Responsibility for data processing

(1) In their capacity as data controllers, the companies are obliged, in particular vis-à-vis the data subjects, to ensure compliance with the data protection provisions and this Privacy Statement.

(2) The data protection officer of the respective company shall be informed immediately of any violations (including suspected violations) of data protection provisions and this Privacy Statement. In the event of incidents with relevance for more than one company, the Corporate Data Protection Department shall also be informed. The Data Protection Officers shall also inform the Corporate Data Protection Department if the laws applicable to a company change in a materially adverse way.

(3) The data protection departments of the individual companies shall coordinate their activities with each other within the framework of the data protection policy. Accordingly, they shall provide each other with mutual support and use synergies.

§ 30 Coordination by the Group Data Protection Officer

(1) The Corporate Data Protection Officer coordinates the cooperation and coordination on all important data protection issues. The Group Data Protection Coordination Committee shall serve as a coordination body.

(2) It is the responsibility of the Corporate Data Protection Officer to develop and update the company’s data protection policy. The data protection departments of the companies shall also coordinate with each other in this regard.

§ 31 Duty to monitor and advise

(1) Monitoring compliance with national and international data protection regulations and this Privacy Statement is the responsibility of the data protection officers of the respective companies. In this regard, all divisions of the respective companies are obliged to inform the responsible data protection officer about corresponding developments and future plans.

(2) Unless restricted by law, the competent data protection officers shall have the power to carry out on-site inspections of all processing operations involving personal data.

(3) If necessary, the data protection departments of the companies shall use similar procedures throughout the group within the scope of their auditing task, e.g. in the form of joint data protection audits.

§ 32 Employee training and commitment

(1) The employees of the companies shall be adequately trained with regard to the data protection regulations and the application of this Privacy Statement.

(2) The companies shall prepare appropriate training documents with the participation of the competent data protection departments.

§ 33 Cooperation with supervisory authorities

(1) Undertakings agree to respond to and comply with the recommendation of the supervisory authority responsible for them or, where applicable, for the undertaking exporting the data, within a reasonable time and to a reasonable extent.

(2) In the event of a change in the laws applicable to an undertaking which may have a material adverse effect on the representations made herein, the undertaking shall notify the relevant supervisory authority of the change as required.

Article 9 – Cookies, tracking and external services

§ 34 Google reCAPTCHA

We use the reCAPTCHA function of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) on our website, which is primarily used to distinguish whether an entry is made by a natural person or improperly by machine and automated processing. As part of this function, the IP address and other data required by Google for the reCAPTCHA service are sent to Google, which means that when you use Google reCAPTCHA, personal data may also be transmitted to the servers of Google LLC. in the USA. If you do not want any data about you to be transmitted to Google by the reCAPTCHA function, you must log out of Google (your account) completely and delete all Google cookies in the browser you are using before you visit our website. If you therefore visit our website and you have not made any settings to deactivate the reCAPTCHA function in your sphere of influence (browser, Google account), you declare that you agree that any personal data may be automatically transmitted to servers of Google LLC. may be transmitted.

Further information on Google: Google’s privacy policy can be viewed here:

The use of reCAPTCHA on our website is based on our legitimate interest in a secure and bot-free website in accordance with Art. 6 para. 1 lit. a DSGVO.

As far as legally required, we have obtained your consent for the processing of your data as described above in accordance with Art. 6 para. 1 lit. a DSGVO.

§ 35 Google Maps

This site uses the map service Google Maps. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When using Google Maps, Google also processes and uses usage data of the Maps functions by the visitor of the website and, if applicable,
transmits it to servers of Google LLC. in the USA and stores it there. As the website operator, we have no influence on this data transmission. The use of Google Maps is in the interest of an appealing presentation and easy location of the places we indicate on the website, in particular our location, in accordance with Art. 6 para. 1 lit. a DSGVO.

§ 36 Google Analytics

Our website uses the web analytics service “Google Analytics” provided by Google Ireland Limited, with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. This stores cookies on your computer and thus enables the analysis of your use of the website. Furthermore, the cookie generates data about your use of our website (browser type/version, referrer internet address, operating system, IP address, time of request) which is usually transmitted to a Google server in the USA and stored there.
This data is used to carry out analyses and optimisations of internet and website use, market research and the provision of other services associated with internet use. This information may be transferred to third parties where permitted by law or where third parties process the data on our behalf. Your IP address will be anonymised and will never be merged with other Google data.
You can prevent the installation of cookies or, moreover, the collection/processing of the website usage data generated by the cookie (incl. your IP address) by Google through appropriate settings in your browser by downloading and installing a browser add-on
This sets an opt-out cookie that prevents the future collection of your data when you visit our website. This only applies to the browser used and to our website. This opt-out cookie is stored on your device and is only valid until you delete your cookies on your browser.
Further information on data protection in connection with Google Analytics can be found, for example, in the Google Analytics help 6004245?hl=en.
The legal basis for the processing is the legitimate interest in offering visitors to our website targeted and relevant advertising and follows Art. 6 para. 1 lit. f DSGVO.

§ 37 Google Ads Conversion Tracking

We use “Google Ads” from Google for our online presence and, as part of this, the conversion tracking offered. For this purpose, a cookie for conversion tracking is stored on your computer if you click on an ad placed by us in the Google search or advertising network. These cookies are not used for personal identification and lose their validity after 30 days. Within the validity of the cookie, both we and Google can recognise that you clicked on a Google ad and were redirected to our page or subsite.
The cookies originally issued by Google for each Ads customer cannot be tracked via our website. Conversion cookies generate information that is used to create conversion statistics for us with which our ad activities can be controlled. However, we do not receive information with which you can be personally identified as a user.
You can block the installation of cookies in general or set your browser to block cookies from the domain and thus deactivate cookies for conversion tracking by making the appropriate settings in your browser. You can find Google’s privacy policy for conversion tracking at

Article 10 – Terms and definitions

Automated individual decisions
are decisions which produce legal effects concerning the data subject or significantly affect him or her and which are based solely on automated processing of data intended to evaluate certain personal aspects relating to him or her, such as his or her performance at work, creditworthiness, reliability, conduct, etc. The data subject shall not be subject to automated individual decisions.

Data subject
Any natural person whose personal or personally identifiable data is handled in the GPN Telecom GmbH group.

The controller
is the company that determines the purposes and means of the processing of personal data.

GPN Telecom GmbH Group
GPN Telecom GmbH and all companies in which it directly or indirectly holds an interest of more than 50% or over which it has economic control.

A data processor
is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (data processing on behalf).

is a company that has agreed to be bound by this Privacy Statement.

Personal data
means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Handling of personal data
means any operation or set of operations which is performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction; this also includes the processing of personal data in structured, manually created files.

A recipient
is any natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether or not this is a third party.
However, authorities that may receive data in the context of an individual investigation request are not considered recipients.

Special types of personal data
are data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.

A third party
is any person or body outside the data controller. Third parties are not the data subject or persons and bodies who collect, process or use personal data on behalf of the data subject in Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area.

Status February 2022