
Privacy policy of Choice AG
Introduction
The protection of your personal data is very important to us. This privacy policy explains how Choice AG collects, uses and protects your personal data. We inform you about the type, scope and purpose of data processing. Our aim is to offer you transparency about the data processing procedures we carry out.
Important information at a glance
- Responsible for data processing: Choice AG, Thomas-Mann-Straße 16 – 20, 90471 Nuremberg, Germany.
- Purpose of processing: contract fulfillment, communication, marketing.
- Your rights: You have the right to information, correction, deletion, objection and data portability.
- Contact data protection officer: datenschutzbeauftragter@datenschutzexperte.de
1. Responsible person and data protection officer
Responsible for data processing:
Choice AG
Thomas-Mann-Strasse 16 – 20
90471 Nuremberg
Nuremberg, Germany
Contact:
Phone: +49 911 480499-0
E-Mail: info@choice.de
Website: www.choice.de
Board of Directors authorized to represent the company: Antonio Pardo (Chairman), Bego Jasenac, Hannes Beyer
Commercial register:
Nuremberg Local Court, HRB 41407
External data protection officer:
Mr. Dominik Fünkner
Proliance GmbH
Leopoldstrasse 21
80802 Munich
Germany
Contact: datenschutzbeauftragter@datenschutzexperte.de
You can contact our data protection officer directly at any time with questions about data protection or to exercise your rights.
2. Scope of this privacy policy
This privacy policy informs you about how Choice AG (hereinafter “we” or “Choice”) processes personal data. It applies to:
- Visitors to our website www.choice.de
- Business partners and customers (companies and their employees)
- Users of our platforms (Fleetshop, Choice Connect)
- Interested parties (e.g. for marketing communication)
- Applicants for open positions
- Visitors to our office locations
- Newsletter recipients
- Social media users (followers, interaction partners)
The privacy policy explains what data we collect, the purposes for which we process it, the legal basis for this and what rights you have.
3. Legal bases of data processing
Your personal data is processed on the following legal bases under the General Data Protection Regulation (GDPR) and the Telecommunications Digital Services Data Protection Act (TDDDG):
- Consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG): If you have given us your express consent, for example for the receipt of newsletters, the storage of your data in the talent pool or the use of cookies for analysis or marketing purposes.
- Fulfillment of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR): If the processing is necessary to fulfill a contract with you or to carry out pre-contractual measures, for example when processing inquiries via the contact form, in the context of application procedures or the provision of services.
- Legal obligation (Art. 6 para. 1 lit. c GDPR): If we are legally obliged to process your data, for example to fulfill tax retention obligations or to fulfill security requirements at our office locations (e.g. ArbSchG: to ensure the safety of employees and visitors; StGB: to support law enforcement measures in the event of security-related incidents; BGB: to defend against or assert legal claims).
- Legitimate interest (Art. 6 para. 1 lit. f GDPR): If the processing is necessary to safeguard our legitimate interests, for example: to improve our services by analyzing and optimizing processes, to ensure IT security and abuse prevention (e.g. protection against cyber attacks and detection of attempted fraud), to assert legal claims (e.g. enforcement of claims or defense against unjustified claims) or for access documentation in our office locations to protect employees and visitors and to ensure building security.
- Purposes of the employment relationship (Art. 88 GDPR in conjunction with Section 26 BDSG): If the processing is necessary to establish, implement or terminate an employment relationship, for example in the context of application procedures.
- Technically necessary services (Section 25 (2) TDDDG): If the processing is necessary to provide technically necessary services, for example for session management, content management or IT security.
4. General information on data transfer to third countries
As part of our business activities and to provide our services, we sometimes use service providers based outside the European Union (EU) or the European Economic Area (EEA). This applies in particular to service providers in the USA.
Legal bases for third country transfers:
We only transfer personal data to third countries if this is legally permissible and an appropriate level of data protection is guaranteed. We rely on the following guarantees:
4.1 Adequacy decision of the EU Commission (Art. 45 GDPR)
For certain countries, the EU Commission has determined that an adequate level of data protection exists there. In this case, no further authorization is required.
Examples:
- USA: EU-U.S. Data Privacy Framework (DPF) – applies to certified U.S. companies
- United Kingdom (UK): Adequacy decision since 2021
- Switzerland, Canada, Japan, Israel et al.
Important: We only transfer data on the basis of an adequacy decision (DPF, if certified) or suitable guarantees (SCC incl. additional measures if necessary).
We only work with US companies that are certified. A list of companies certified under the EU-U.S. Data Privacy Framework is available at: https://www.dataprivacyframework.gov
4.2 Standard contractual clauses (Art. 46 para. 2 lit. c GDPR)
If there is no adequacy decision or additional security is required, we conclude the standard contractual clauses (SCC) approved by the EU Commission with our service providers. These oblige the recipient to guarantee a level of data protection that complies with the GDPR.
4.3 Data processing agreements (Art. 28 GDPR)
We have concluded data processing agreements (AVV) with all service providers who process personal data on our behalf. These regulate:
- The type and scope of data processing
- Technical and organizational measures for data protection
- The duty of confidentiality
- The rights and obligations of both parties
- The deletion of data after completion of the order
Examples of third country transfers:
| Service provider | Country | Guarantee |
| --- | --- | --- |
| OpenAI | USA | Standard contractual clauses |
| Google (Gemini) | USA | EU-U.S. Data Privacy Framework + Standard Contractual Clauses |
| Anthropic (Claude) | USA | Standard contractual clauses |
| Microsoft (Power Automate, Copilot) | USA | EU-U.S. Data Privacy Framework + Standard Contractual Clauses |
| Superpowered Labs (VAPI AI) | USA | Standard contractual clauses |
Whistleblower system
We would like to be informed about unlawful conduct in our company so that we can clarify and stop such behavior. We therefore encourage everyone – whether (former) employees, business partners or third parties – to inform us of any legal violations. We guarantee that all whistleblowers will be treated confidentially. Therefore, anyone (m/f/d) can also contact the Chief Compliance Officer, Dr. Götz Gerlach, directly or use our whistleblower portal. This can be used to send information without giving a name. However, we ask that you at least set up a mailbox under a different name that does not allow any conclusions to be drawn about your real identity so that we can ask questions. We ask for your understanding that the whistleblower portal is to be used only to report violations of laws, guidelines or our Code of Conduct.