Privacy Policy

This privacy policy informs you about how we handle your personal data and your rights under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The controller responsible for data processing (unless otherwise specified below) is Nomos Verlagsgesellschaft mbH & Co. KG (hereinafter referred to as "we" or "us").

Our privacy policy consists of two parts. In Part A, you will find general information about data protection at Nomos Verlagsgesellschaft mbH & Co. KG and learn, among other things, what rights you have and where you can claim them. Part B is dedicated to the various groups of data subjects and explains in detail what data we collect and process about you. In doing so, we address you in your role as:

  1. Visitors to our websites;
  2. Customers of the Nomos Shops;
  3. Customers of Inlibra;
  4. Participants in webinars and events;
  5. Newsletter subscribers;
  6. Social media visitors;
  7. Contact persons at service providers, suppliers, and business partners;
  8. Job applicants;
  9. Visitors in Switzerland.

A. General information

1. Contact details

If you have any questions or suggestions regarding this privacy policy or wish to exercise your rights, please send your request to

Nomos Verlagsgesellschaft mbH & Co. KG
Waldseestraße 3–5, 76530 Baden-Baden
E-Mail: datenschutzbeauftragter@nomos.de
Tel. +49 7221/2104-0

2. On what legal basis do we process your data?

The data protection term "personal data" refers to all information relating to an identified or identifiable person. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. We only process data where there is a legal basis for doing so. We process personal data only with your consent (Art. 6 para. 1 letter a GDPR), for the performance of a contract to which you are a party or at your request for the implementation of pre-contractual measures (Art. 6 para. 1 letter b GDPR), to fulfil a legal obligation (Art. 6 para. 1 letter c GDPR) or if processing is necessary to safeguard our legitimate interests or the legitimate interests of a third party, provided that your interests or fundamental rights and freedoms, which require the protection of personal data, do not prevail (Art. 6 para. 1 letter f GDPR).

If you apply for an open position in our company, we will also process your personal data for the purpose of deciding whether to establish an employment relationship (§ 26 para. 1 sentence 1 BDSG).

3. Your rights

You decide what happens to your data! As a data subject, you therefore have the right to assert your rights against us. You have the following rights under the data protection laws applicable to you:

  • In accordance with Art. 15 GDPR and § 34 BDSG, you have the right to request access to information about whether and, if so, to what extent we process personal data relating to you.
  • You have the right to request that we correct your data in accordance with Art. 16 GDPR.
  • You have the right to request the deletion of your personal data from us in accordance with Art. 17 GDPR and § 35 BDSG.
  • You have the right to have the processing of your personal data restricted in accordance with Art. 18 GDPR.
  • You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to another controller.
  • If you have given us separate consent to process your data, you can withdraw this consent at any time in accordance with Art. 7 para. 3 GDPR. Such withdrawal does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
  • If you believe that the processing of your personal data violates the provisions of the GDPR, you have the right to submit a complaint with a supervisory authority in accordance with Art. 77 GDPR.

In accordance with Art. 21 para. 1 GDPR, you have the right to object to processing based on Art. 6 para. 1 letter e or f GDPR for reasons arising from your particular situation. If we process personal data about you for direct marketing purposes, you may object to this processing in accordance with Art. 21 para. 2 and 3 GDPR.

If you exercise your rights in accordance with Articles 15 to 22 GDPR, we will process the personal data you transmit in order to implement these rights and to be able to provide evidence of this. Data stored for the purpose of providing information and preparing it will only be processed for this purpose and for data protection control purposes, and its processing will otherwise be restricted in accordance with Art. 18 GDPR.

This processing is based on the legal basis of Art. 6 para. 1 letter c GDPR in conjunction with Art. 15 to 22 GDPR and § 34 para. 2 BDSG.

4. Where do we process your data?

Generally, we process your data on European servers with the highest security standards. In providing our services, we are supported by external service providers to whom we transfer your data. Some data processing may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such transfers are permitted if the European Commission has determined that an adequate level of data protection is provided in such a third country. This applies to all transfers to countries on this list: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

If no such adequacy decision has been made by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.

If no adequacy decision has been made and unless otherwise specified below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data from the scope of the GDPR to third countries. You have the option of receiving a copy of these EU standard contractual clauses. To do so, please contact us at the address provided under Contact details.

If you consent to the transfer of personal data to third countries, the transfer will be carried out on the legal basis of Art. 49 para. 1 letter a GDPR.

5. To whom and why do we pass on your personal data?

In order to provide our services and operate as a business, we use various external companies to which we transfer personal data in some cases. If further specific recipients receive personal data relating to certain groups of data subjects, we will inform you of this in Part B.

  • Hosting providers: We commission certified service providers who meet the highest security standards to host our data.
  • IT service providers and SaaS providers: We use the services of various service providers who support us as processors and simplify and optimise our processes. This also includes providers for conducting our webinars.
  • Advertising and marketing providers: With the help of various advertising and marketing providers, we aim to increase brand awareness, promote demand for our products and increase customer loyalty. To this end, campaigns are planned, implemented and their success measured and analysed. These providers are also generally processors.
  • Payment providers: In order to process payments in our online shop and Inlibra, we pass on your data to payment providers and banks, who process your data as controllers and/or processors.
  • Trading partners and shipping service providers: We may transfer your personal data to fulfilment service providers, postal and delivery services, and trading partners in order to offer and deliver our goods to you.
  • Affiliated companies: We are a group of companies, which means that data transfers between companies cannot be ruled out.
  • Administration and authorities: Further transfers may take place in order to comply with legal regulations or to respond to court orders or other similar official requests. This also includes transfers to the tax authorities and to tax advisory/auditing companies.

6. How long do we store your data?

Unless otherwise specified below, we only store data for as long as is necessary to achieve the purpose of processing or to fulfil our contractual or legal obligations. Such legal storage obligations may arise in particular from commercial or tax law provisions. From the end of the calendar year in which the data was collected, we will store such personal data contained in our accounting data for eight years and personal data contained in commercial letters and contracts for six years. In all other cases, we will retain data relating to verifiable consent and complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to processing for this purpose.

7. How do we use cookies and other tracking technologies?

We use cookies and similar technologies on our websites. We have compiled more information about how we use these technologies in our cookie banners. The banner can be accessed via the footer of our websites. There you will also find a list of other companies that place cookies on our websites and process data based on your consent in accordance with Art. 6 para. 1 letter a GDPR, a list of cookies that we place, and an explanation of how you can reject certain types of cookies.

8. How can you contact our data protection officer?

You can contact our data protection officer at the following contact details: datenschutzbeauftragter@nomos.de

B. How and why we process your data

a. Visitors to our websites

The following information refers to data processing on the following websites:

1) We process pseudonymous information about the device and browser you use, server log files, your network connection and your IP address for the following purposes:

  • To ensure the security, operability and stability of our websites, including the prevention of attacks;
  • Integration of third-party content.

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR in the proper functionality and stability of the website.

2) We process information about how you interact with the website. This includes your IP address and user IDs, some of which are assigned by third-party providers, and is done for the following purposes:

  • Measuring reach and analysing visitor interaction to optimise our websites, increase customer satisfaction and analyse errors;
  • (Conversion) tracking for reach measurement and commission determination for our affiliate partners and influencers;
  • Remarketing to acquire new customers through personalised advertising;

Legal basis: Consent pursuant to Art. 6 para. 1 letter a GDPR, which we obtain via the cookie banner on our website and which you can withdraw or adjust at any time via the footer of the website.

3) We process the data you provide us with via our contact forms. This is done in order to respond to your enquiry.

Legal basis: Art. 6 para. 1 letter b GDPR or our legitimate interest pursuant to Art. 6 para. 1 letter f GDPR to promote customer loyalty.

b. Customers of the Nomos shops

1) We process the data you provide about yourself when placing an order in our online shop and which we collect in connection with the order, such as your name, address, email address, payment information and information about purchased goods, including purchase history. The processing is carried out for the following purposes:

  • Fulfilment of our services: This includes processing your order, shipping the goods, processing the payment and managing returns.
  • Customer account: Creation of a password-protected customer account where you can view your personal data and purchase history;
  • (Internal) customer management;
  • Customer care: This includes answering questions about your order or our products and handling complaints.

Legal basis: Contract fulfilment in accordance with Art. 6 para. 1 letter b GDPR. Without the provision of data, contract fulfilment is not possible.

2) We also process the aforementioned data for the following purposes:

  • Non-promotional communication on technical, contractual and security-related topics (e.g. order and shipping confirmations, password reminder messages, customer account confirmation);
  • Internal analysis of purchasing behaviour and segmentation by interest groups in preparation for marketing measures.

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR for the promotion of customer loyalty.

3) We also process the aforementioned data for the following purposes:

  • To comply with legal requirements and retention obligations.

Legal basis: Compliance with legal obligations pursuant to Art. 6 para. 1 letter c GDPR.

c. Customers of Inlibra

1) We process the data you provide when registering a customer account and which we collect in connection with the registration, such as your name, address, postcode and payment information and information about purchased products (such as eBooks or magazines), including purchase history. The processing is carried out for the following purposes:

  • Fulfilment of our services: This includes processing your order, providing access to the products and processing the payment.
  • Customer account: Creation of a password-protected customer account through which your personal data and purchase history can be viewed;
  • (Internal) customer management;
  • Creation of a wish list;
  • Customer care: This includes answering questions about your order or our products and processing complaints.

Legal basis: Contract fulfilment in accordance with Art. 6 para. 1 letter b GDPR.

2) If you register with us via Shibboleth and OpenAthens (single sign-on), we also process your authorisation and personal status at the institution through which access is provided.

Legal basis: Contract fulfilment in accordance with Art. 6 para. 1 letter b GDPR.

3) We also process the aforementioned data for the following purposes:

  • Non-promotional communication on technical, contractual and security-related topics (e.g. order and shipping confirmations, password reminder messages, customer account confirmation);
  • Internal analysis of purchasing behaviour and segmentation by interest groups in preparation for marketing measures.

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR for the promotion of customer loyalty.

4) We also process the aforementioned data for the following purposes:

  • to comply with legal regulations and retention obligations.

Legal basis: Compliance with legal obligations pursuant to Art. 6 para. 1 letter c GDPR.

5) We process your IP address or other information, such as access via a VPN connection, information about your access location and access times for the following purposes:

  • Authentication, in the case of access via institutions, to ensure that only authorised users have access;
  • To ensure security/prevent unauthorised access to customer accounts.

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR to ensure that only authorised persons have access to customer accounts.

d. Participants in webinars and events

1) We process the data you provide when registering for an event or webinar on our websites and which we collect in connection with the registration, such as your name, email address, postal address, company and payment information. The processing is carried out for the following purposes:

  • Registration for events and webinars;
  • Processing payment and invoicing.

Legal basis: Fulfilment of a contract pursuant to Art. 6 para. 1 letter b GDPR.

2) We process your data collected in the course of a webinar, such as video recordings, audio transmissions, your name and, if provided by you, chat messages. The processing is carried out for the following purposes:

  • Conducting the webinar.

Legal basis: Fulfilment of a contract pursuant to Art. 6 para. 1 letter b GDPR.

3) We may use the email address you provided when booking to inform you about similar products and services we offer.

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR in conjunction with § 7 para. 3 German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG). You can object to this at any time without incurring any costs other than the transmission costs according to the basic tariffs. To do so, you can unsubscribe by clicking on the unsubscribe link contained in every mailing.

e. Newsletter subscribers

We process the name and contact details you provide when you subscribe to our newsletter for the following purposes:

  • Sending personalised advertising emails with information and updates about our products, promotions and events for the purpose of sales promotion and acquisition of new customers;
  • Verification of your email address via double opt-in.

We process pseudonymous information about your use of our newsletter (click behaviour, opening rate and time, length of stay) for the following purposes:

  • Measuring success in order to optimise our content and improve our products.

The legal basis for data processing in connection with our newsletter is your consent in accordance with Art. 6 para. 1 letter a GDPR, which can be withdrawn at any time by contacting us at the above contact details or by using the unsubscribe link.

f. Contact persons at service providers/suppliers/business partners

We process data that you provide about yourself and the company you work for, such as your name, email address and telephone number, for the following purposes:

  • Fulfilment of the contract with the company you work for (this includes contract management, documentation of ongoing cooperation, billing and communication).

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR in the fulfilment of the contract between the company you work for and us.

g. Job applicants

We process data that you provide in the course of your application or that a recruitment agency transmits to us about you, including information about your CV, your previous career and other data, for the following purposes:

  • Determining whether you are suitable for the job role;
  • Initiating an employment relationship.

Legal basis: Contract negotiation in accordance with Art. 6 para. 1 letter b GDPR and § 26 para. 1 sentence 1 BDSG.

  • Fulfilment of statutory retention obligations or defence against legal claims.

Legal basis: Compliance with legal obligations pursuant to Art. 6 para. 1 letter c GDPR.

  • You will be added to our talent pool and contacted again at a later date if no employment opportunity arises for the time being.

Legal basis: Consent pursuant to Art. 6 para. 1 letter a GDPR, which can be withdrawn at any time by contacting us at the above contact details.

If we are unable to offer you employment, we will retain the application documents you have submitted for up to six months after any rejection for the purpose of answering questions relating to your application and rejection. This does not apply if statutory provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.

h. Social media visitors

1) Responsibility of social media providers
When you visit our social media pages (Bluesky, Facebook, Instagram, LinkedIn, Mastodon, XING, X, YouTube) where we present our company, certain information about you as a visitor is processed.

Further information:

2) Joint responsibility of social media providers and Nomos Verlagsgesellschaft mbH & Co. KG (joint controllers)
Social media providers collect and process event data and send us anonymised statistics and data for our pages, which help us gain insights into the various activities that visitors carry out on our site (known as "Page Insights"). These page insights are created based on certain information about individuals who have visited our page(s). We have entered into a joint controller agreement with some of the social media providers regarding this data processing.

Further information:

Facebook and Instagram:

  • Joint Controller Agreement
  • Data subject rights can also be asserted against Meta.

LinkedIn:

  • Joint Controller Agreement
  • Data subject rights can be asserted via this contact form at LinkedIn. You can contact LinkedIn's data protection officer via this link.
  • LinkedIn and Nomos Verlagsgesellschaft mbH & Co. KG have agreed that the Irish Data Protection Commission is the competent supervisory authority that monitors the processing of Page Insights. You can lodge your complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or with another supervisory authority.

XING:

  • Joint Controller Agreement
  • Information on how to exercise your rights as a data subject at New Work SE can be found here.

3) Under the responsibility of Nomos Verlagsgesellschaft mbH & Co. KG
We process information that you have provided to us via our social media channels on the respective social media platform. This information may include the name you use, contact information or a message to us.

Legal basis: Legitimate interest pursuant to Art. 6 para. 1 letter f GDPR in communicating with interested parties and followers.

i. Visitors in Switzerland

If you are a data subject within the scope of the Swiss Federal Act on Data Protection (DSG), the following information applies.

The legal references made in this privacy policy are intended for data subjects in Switzerland in accordance with the comparable provisions of the DSG. This applies in particular to the applicable rights of data subjects under Articles 25-29, 32 DSG.

Data processing also takes place in the following countries outside Switzerland:

  • EU/EEA,
  • United States of America.

We guarantee an appropriate level of data protection. This is ensured by:

  • a proven adequate level of data protection in accordance with Art. 16 para. 1 DSG for the recipient country;
  • standard data protection clauses that have been previously approved, issued or recognised by the EDÖB, in particular the standard contractual clauses of the European Commission;
  • certification in accordance with the principles of the Data Privacy Framework between Switzerland and the USA, if the data processing is carried out by an organisation in the USA that is certified in accordance with this framework;
  • an international treaty regulating an adequate level of data protection.
