Introduction

This Privacy Notice explains how we collect, use and protect personal data in connection with:

• your visit to and use of our websites and
• our communication and business relationships with customers, potential customers and other business partners (including when you contact us using the contact details published on our websites).

“Personal data” means any information that directly or indirectly identifies an individual (for example, name, email address, IP address).

We process personal data in accordance with:

• the EU General Data Protection Regulation (GDPR),
• German data protection laws,
• where applicable, the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018,
• the Swiss Federal Act on Data Protection (FADP), and
• other relevant national data protection regulations.

CCTV at our UK office is additionally described in section 12. Information on data protection in the application process is provided in a separate notice (see section 8).

We do not use tracking or advertising cookies on our websites.
 

1. Sect. 1 Data Controller
2. Sect. 2 Data Protection Officer
3. Sect. 3 Your Rights
4. Sect. 4 Data Processing Principles
5. Sect. 5 Processing when you visit our website
6. Sect. 6 Processing when you contact us and when we provide Business Services
7. Sect. 7 Social Media
8. Sect. 8 Job Applications
9. Sect. 9 Recipients of Personal Data
10. Sect. 10 International Data Transfers
11. Sect. 11 Security
12. Sect. 12 CCTV at our UK Office
13. Sect. 13 Changes to this Notice

The controller responsible for the technical provision and operation of our websites is:

d-fine GmbH
An der Hauptwache 7
D-60313 Frankfurt am Main
Telephone: +49 69 90737-0
Email: info[at]d-fine.com

d-fine GmbH centrally hosts and operates the websites used by the d-fine group companies in Italy, the Netherlands, Austria, Switzerland, Sweden and the United Kingdom (“d-fine group companies”).

Depending on the specific processing activity (for example, if your enquiry relates to a particular country), d-fine GmbH and the relevant local d-fine group company may act as joint controllers for that processing. For data protection inquiries, please also see the contact details of our Data Protection Officer in Section 2.

For CCTV at our UK office in London, the controller is d-fine Ltd (see section 12).

Where we refer to the “GDPR” in this notice, this should be understood, where appropriate, as including both the EU GDPR and the UK GDPR, together with any applicable national data protection laws, such as the UK Data Protection Act 2018 and Swiss FADP. 

If you have any questions regarding this Privacy Notice or about how we handle personal data or wish to exercise your rights, please contact our Data Protection Officer:

Data Protection Officer
d-fine GmbH
An der Hauptwache 7
D-60313 Frankfurt
Email: dataprotectionofficer[at]d-fine.com

As a data subject, you have the rights granted by applicable data protection law. For visitors from the EU/EEA, these rights arise in particular from Articles 15-21 GDPR. For visitors from the United Kingdom, they arise from the UK GDPR and the UK Data Protection Act 2018. For visitors from Switzerland, the Swiss FADP applies.

Your rights include:

• Right of access: to obtain confirmation as to whether we process personal data about you and, if so, access to that data and certain additional information.
• Right to rectification: to request the correction of inaccurate personal data and the completion of incomplete data.
• Right to erasure: to request deletion of your personal data where the legal conditions are met (for example, where the data are no longer necessary for the purposes for which they were collected).
• Right to restriction of processing: to request that processing be restricted under certain conditions (for example, while the accuracy of data is being verified).
• Right to data portability: to receive the personal data you have provided to us in a structured, commonly used and machine readable format, and to transmit those data to another controller where legally required and technically feasible.
• Right to object:
  • You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
  • Where personal data are processed for direct marketing purposes, you may object at any time to such processing, including profiling related to direct marketing.
• Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The lawfulness of processing prior to withdrawal remains unaffected.
• Right to lodge a complaint: you may lodge a complaint with a competent data protection supervisory authority if you believe that processing of personal data relating to you infringes applicable data protection law. This may be the authority in your place of habitual residence, place of work or place of the alleged infringement. For the United Kingdom this is the Information Commissioner’s Office (ICO), and in Switzerland the Federal Data Protection and Information Commissioner (FDPIC).

To exercise your rights, please contact our Data Protection Officer (see section 2). We will handle your request in accordance with legal requirements.

We process personal data in line with the data protection principles set out in the GDPR and applicable national laws. In particular, this means that we:

• process personal data lawfully, fairly and in a transparent manner,
• collect personal data only for specified, explicit and legitimate purposes and do not process it in a manner that is incompatible with those purposes,
• limit the processing of personal data to what is necessary in relation to the purposes (“data minimisation”),
• keep personal data accurate and, where necessary, up to date, and take reasonable steps to ensure that inaccurate data is rectified or deleted,
• retain personal data only for as long as necessary for the purposes described in this Notice and applicable legal retention periods (“storage limitation”),
• process personal data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
   

We do not use your personal data for automated individual decision‑making, including profiling, within the meaning of Article 22 GDPR.

When you visit our websites, certain data are processed automatically in order to display the website, ensure its security and operate the underlying IT infrastructure.

5.1 Data processed

Automatically collected when you visit our websites:

• IP address and other online identifiers
• Date and time of access
• Pages and files accessed, referrer URL
• Browser type and version, operating system, device information
• Cookie-related information (for technically necessary cookies, for example to maintain your session and to remember that the cookie notice has already been displayed)
• Server log file information for security and stability

Purpose
Provide and display the website, ensure stability and security (for example log files, hosting).

Legal basis
Legitimate interests (Art. 6(1)(f) GDPR) in operating a secure and functional website.

5.2 Cookies

Cookies are small text files or similar technologies that store information on your device. On our websites we only use cookies that are technically necessary. These cookies are required to operate the website and to provide basic functions.

Types of cookies used

• Session cookies
  • Purpose: maintain your session across multiple page views and enable technical provision of the website.
  • Storage period: deleted when you close your browser.
• Cookie notice cookie  
  • Purpose: ensure that the cookie notice is not displayed again on future visits after it has been shown once.
  • Storage period: automatically deleted after eight hours
• Language selected cookie
  • Purpose: Enable your browser to open the d-fine website in your preferred language, i.e. the language version you last selected.
  • Storage period: One year

We do not use cookies for reach measurement, statistics, profiling, advertising or tracking.

Legal basis

• Storage and access: section 25(2) Telecommunications Digital Services Data Protection Act (TDDDG) for Germany, the Privacy and Electronic Communications Regulations (PECR) in the United Kingdom and comparable e‑privacy rules in other relevant jurisdictions for technically necessary cookies.
• Associated personal data processing: legitimate interests (Art. 6(1)(f) GDPR) in providing a functional, secure and user‑friendly website, or performance of contract/pre‑contractual measures (Art. 6(1)(b) GDPR) where applicable.

Managing cookies

You can configure your browser to inform you about the setting of cookies, to allow cookies only in individual cases, to exclude the acceptance of cookies, or to delete cookies automatically when closing the browser. If you deactivate technically necessary cookies, some website functions may not work properly.

5.3 Server log files

Access to our websites is recorded in server log files, which may include:

• Address and name of the websites and files accessed
• Date and time of access
• Data volume transferred
• Report on successful retrieval
• Browser type and version, operating system
• Referrer URL
• IP address and requesting provider

Log files are used for security purposes (for example, to prevent server overloads and attacks such as DDoS) and to maintain server stability.

Legal basis 

Legitimate interests (Art. 6(1)(f) GDPR)

Retention

Log files are stored for a maximum of 30 days, then deleted or anonymised, unless longer storage is required as evidence in a specific case (for example, in connection with a security incident).

5.4 Hosting provider

Our websites are hosted by:

Mittwald CM Service GmbH & Co. KG  
Königsberger Straße 4–6  
32339 Espelkamp  
Germany  
Website: www.mittwald.de
Privacy notice: www.mittwald.de/datenschutz

6.1 Contacts and enquiries (email, phone, post, in person)

When you contact us using the contact details provided on the website or in connection with the website, we process the information you provide to us and any information required to handle your request.

This applies to contact: by email, by telephone, by post and in person (for example, meetings arranged after contacting us via the website).

Data processed

• Contact data (e.g. name, email address, telephone number, postal address)
• Content of the enquiry or communication (including any attachments)
• Notes of telephone conversations or meetings where appropriate
• Technical/meta data where applicable (e.g. date, time, channel, internal reference)

Purposes

• Receiving, processing and responding to your enquiry
• Maintaining a record of communications
• Taking steps at your request prior to entering into a contract
• Managing communication within existing business relationships

Legal basis

• Performance of a contract or pre contractual measures (Art. 6(1)(b) GDPR) where the enquiry relates to a contractual relationship with you or to entering into such a relationship
• Legitimate interests (Art. 6(1)(f) GDPR) in handling general enquiries and maintaining business communication

Retention

We store enquiry data for as long as necessary to process your request and to follow up where appropriate. Where enquiries relate to a contractual relationship or may be relevant for legal purposes, they may be stored for the duration of the relationship and for the applicable limitation and retention periods.

6.2 Business services and business relationships

When website visitors become or are customers or other contractual partners, we process their personal data in the context of our business services.

Data processed

• Master data (e.g. names, addresses, company details, position in the company)
• Contact details (e.g. business email address, phone number)
• Contract related data (e.g. subject of contract, duration, customer category)
• Billing and payment data where applicable (e.g. invoice details, payment status)
• Communication data relating to the business relationship (e.g. correspondence, meeting notes, information relating to participation in telephone or online meetings such as date, time and duration of meetings and participants
• Technical usage data in connection with online meetings and collaboration tools where necessary for the provision and security of the service (e.g. IP address, device and system information)

Purposes

We process data from customers, potential customers and other contractual partners (collectively “contractual partners”) to:

• respond to requests for information about our services
• assess and enter into contracts
• perform and manage contracts (including project communication and support)
• handle any warranties, service issues or breaches of contract
• manage invoicing and payments
• maintain and develop the business relationship

We also process data in this context to:

• comply with legal obligations (for example tax and commercial law retention),
• protect our rights and IT systems, prevent misuse and enforce or defend legal claims.

In connection with online meetings and collaboration tools, we use service providers acting on our behalf. Depending on the provider and configuration, this may involve processing in the EU/EEA, the United Kingdom and, in individual cases, other countries subject to appropriate safeguards (see section 10).

Legal basis

• Performance of a contract and pre contractual measures (Art. 6(1)(b) GDPR)
• Legal obligations (Art. 6(1)(c) GDPR), for example tax and commercial retention duties
• Legitimate interests (Art. 6(1)(f) GDPR) in efficient business administration and in protecting our rights and operations

Retention

We store personal data relating to business services for the duration of the business relationship and thereafter for as long as necessary for the applicable statutory limitation and retention periods (in particular under commercial and tax law), typically between three and ten years after the end of the calendar year in which the last relevant transaction or communication took place.

We maintain profiles on various social networks and platforms to provide information about our organisation and to communicate with interested parties.

When you visit or interact with our profiles (for example by viewing our content, following our pages, commenting or sending messages), the respective platform provider processes your personal data under its own responsibility and in accordance with its own privacy notice. The platform may, in particular, use your data for market research and advertising purposes and to create usage profiles.

We also process personal data when you communicate with us via these platforms (for example, if you send us a direct message or comment on our posts), in order to handle your enquiry and manage our presence there. The legal basis for this is our legitimate interests (Art. 6(1)(f) GDPR) in external presentation and communication with users and business contacts.

Depending on the provider and your account settings, these platforms may also process personal data in countries outside the EU/EEA, the United Kingdom or Switzerland (in particular the United States). Further details can be found in the privacy notices of the respective providers. The most effective way to exercise your data protection rights in relation to data processed by a social network is usually to contact the platform provider directly, as it has full access to the relevant data. If you need assistance in doing so, you can also contact us.

Further information about specific platforms:

Instagram - social network

Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
Website: www.instagram.com
Privacy notice: instagram.com/about/legal/privacy

LinkedIn - social network

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
Website: www.linkedin.com
Privacy notice: www.linkedin.com/legal/privacy-policy

We and LinkedIn Ireland Unlimited Company are joint controllers for the collection of data used to generate “Page Insights” (statistics) for our LinkedIn pages. The allocation of responsibilities between us and LinkedIn is set out in the “Page Insights Joint Controller Addendum”: legal.linkedin.com/pages-joint-controller-addendum. Further information about the data used for Page Insights can be found in LinkedIn’s privacy policy.

We may also use LinkedIn Lead Gen Forms for certain recruiting or marketing campaigns. If you submit such a form, the information pre filled from your LinkedIn profile (for example, role, organisation, location) and any additional details you provide will be transmitted to us.

Xing - social network

Provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany
Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
Website: www.xing.com    
Privacy notice: privacy.xing.com/de/datenschutzerklaerung

kununu - employer rating platform

Provider: XING AG, Dammtorstraße 29–32, 20354 Hamburg, Germany
Legal basis: legitimate interests (Art. 6(1)(f) GDPR)
Website: www.kununu.com/de
Privacy notice: privacy.xing.com/de/datenschutzerklaerung

If you apply for a position with us, additional data will be processed in the context of the application process. Detailed information on data protection for job applicants can be found here:

www.d-fine.com/en/service-navigation/information-on-data-protection-in-the-application-process/

That separate notice explains the purposes, legal bases, recipients and retention periods for application data.

We only disclose personal data to third parties where this is lawful and necessary for the purposes described in this notice or to comply with legal obligations.

Categories of recipients may include:

• IT and hosting service providers (e.g. webhosting, email, infrastructure)
• Professional advisers, such as lawyers, auditors and tax advisers
• Banks and payment service providers (for processing payments)
• Subcontractors and other business partners, where they support us in providing services
• Telecommunications and postal providers (for communication and deliveries)
• Public authorities, courts and regulatory bodies, where required by law or necessary to assert or defend legal claims

If we use third party platforms (for example, social networks) and you interact with us there, those providers also process your data under their own responsibility in accordance with their privacy notices.

For the operation of this website and the handling of related contacts and business services, we generally process personal data within the European Union, the European Economic Area (EEA), the United Kingdom and Switzerland. Our websites are hosted in Germany and the service providers named in this notice are, as a rule, located in the EU/EEA. We do not routinely transfer personal data collected via this website to countries outside the EU/EEA, the United Kingdom or Switzerland.

If, in exceptional cases, we use service providers in other countries or otherwise transfer personal data to such countries, we will ensure that an adequate level of data protection is in place, for example through an adequacy decision by the European Commission or the UK government or appropriate safeguards such as standard contractual clauses. 

We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include:

• access controls and role based authorisation,
• secure networks and systems (including firewalls and malware protection),
• encryption and pseudonymisation where appropriate,
• secure backup and archiving procedures,
• internal policies and training.

Our security measures are reviewed regularly and updated in line with technological developments and legal requirements.

Closed‑circuit television (CCTV) operates in certain areas of our UK office:

d‑fine Ltd
14 Aldermanbury Square
London EC2V 7HR
United Kingdom  

The CCTV system is used for security purposes, to help protect people, buildings and property and to prevent and investigate incidents. The legal basis is our legitimate interests in ensuring the security of our premises and operations (Art. 6(1)(f) UK GDPR). The full CCTV Policy for the UK office is available at reception or on request from d‑fine Ltd or our Data Protection Officer (see section 2).

We may update this Privacy Notice from time to time, for example to reflect changes in our processing activities or in legal requirements. The current version is available on this web page.

This Privacy Notice was last updated on 09 March 2026.