Data Privacy Policy for Customers
This data privacy policy applies to the processing of personal data relating to customers and potential customer of
Facelift brand building technologies GmbH
Gerhofstraße 19
20354 Hamburg,
hereinafter referred to as Facelift, who acts as controller to such processing activities.
Purposes, legal basis of processing
Personal data of (representatives of) customers and potential customers are processed to conduct business between Facelift and the (potential) customer. Conducting business includes, without limitations,
- identifying (potential) customers and their representatives,
- Keeping customers or their representatives informed about the business relations,
- Enabling communication with (potential) customers or their representatives,
- Billing Facelift’s services to customers, and
- Processing liability.
For these purposes the following categories of personal data relating to (representatives of) customers may be processed:
- Personal master data, incl. name, email address, and phone number; and
- Information necessary for conducting business.
All processing is based on Article 6(1) lit. b of the European Union General Data Protection Regulation (GDPR).
Note: the use of Facelift’s services and websites is not governed by this data privacy policy; specific policies apply to the various services and websites.
Recipients of Personal Data, Transfers to Third Countries
Personal data processed for the aforementioned purposes may be shared by Facelift with third parties where Facelift engages these third parties to make use of the third parties’ expertise. Where Facelift shares personal data with third parties located outside the European Union or European Economic Area, such transfers of personal data rely on adequacy decisions by the European Commission in accordance with Article 45 GDPR1, or are based on appropriate safeguards in the form of standard data protection clauses for the transfer of personal data to third countries as adopted by the European Commission.2
Facelift transfers personal date to the following third parties.
| Third Party | Third Country | Purpose / Processing Activity |
| SALESFORCE INC. | USA | Software tool used for customer relationship management |
| Hubspot, INC. | USA | Software tool used for customer relationship management |
| MICROSOFT CORPORATION | USA | Communication services |
Data Retention
Personal data is retained for varying timespans depending on the purposes of processing and is deleted afterward, unless legal requirements prevent Facelift from deleting the data, or the data subject has consented to the continuance of the processing of their data by Facelift. Facelift is legally required to retain some data, incl. personal data, relating to its business relations for 6 years or longer pursuant to tax and commerce legislation in accordance with Article 6(1) lit. c GDPR.
Data Subject Rights
Data subjects are granted the rights laid down in Chapter III GDPR.
Under Article 15 GDPR, the data subject is entitled to obtain from the controller confirmation as to whether personal data concerning them is being processed. If personal data concerning the data subject is being processed by the controller, the data subject also has the right to request from the controller information regarding the purposes of processing; the categories of personal data concerned; the (categories of) recipients of personal data concerning the data subject, in particular, recipients in third countries or international organizations; where possible, the retention periods of personal data, or if not possible, the criteria used to determine such retention periods; the right to request from the controller rectification or erasure or the restriction of processing or to object to processing; the right to lodge a complaint with a supervisory authority; the origin of personal data concerning the data subject where such data was not collected from the data subject; the existence of automatic decision-making, including profiling, and meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.
Under Article 16 GDPR, the data subject has the right to obtain from the controller that inaccurate personal data concerning the data subject be rectified without undue delay.
Under Article 17 GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, unless the processing of personal data concerning the data subject is necessary for the right of freedom of expression and information; for compliance with legal obligations; for reasons of public interest; or for the establishment, exercise, or defense of legal claims.
Under Article 18 GDPR, the data subject has the right to obtain from the controller the restriction of processing of personal data concerning the data subject provided that the accuracy of the personal data is contested; the processing is unlawful and the data subject opposes erasure and requests restriction instead; the controller does not need the personal data any longer but the data is required by the data subject for the establishment, exercise, or defense of legal claims; or the data subject has objected to processing of personal data concerning them, as long as it takes to verify that the controller’s legitimate interest override the data subject’s.
Under Article 20 GDPR, the data subject has the right to receive from the controller the personal data concerning them which they have provided to the controller in a structured, common, machine-readable format, provided that the processing is based on consent pursuant to Article 6(1) lit. a or Article 9(2) lit. b GDPR or is based on a contract pursuant to Article 6(1) lit. b GDPR. Per the data subject’s request, the data may also be transmitted to another controller.
Under Article 21 GDPR, the data subject has a right to object. In accordance with Article 21(4) GDPR, this right must be presented clearly and separately from any other information. Accordingly, the right is presented in the section entitled “Right to Object.”
In addition to the rights granted to the data subject under Chapter III GDPR, where the processing of personal data concerning the data subject is based on consent, the data subject has, under Article 7(3) GDPR, the right to revoke said consent at any time.
Under Article 77(1) GDPR, the data subject is also entitled to lodge a complaint with a supervisory authority, especially a supervisory authority at the data subject’s habitual place of residence, at the data subject’s place of work, or with the controller’s relevant supervisory authority.
Right to Object
Under Article 21 GDPR the data subject has the right to, at any time and on grounds relating to their particular situation, object to processing of personal data concerning them where the processing is based on Article 6(1) lit. e or f GDPR. After the right has been claimed by the data subject, the controller must cease the processing of personal data concerning the data subject unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject; or the processing is necessary for the establishment, exercise, or defense of legal claims.
The data subject always has the right to object to processing of personal data concerning them for direct marketing purposes.
Concerning processing activities for which Facelift is the controller, the right to object can be claimed via email to dataprivacy@facelift-bbt.com.
Consequences of Failure to Provide Personal Data, Automated Decision-Making, Profiling
Failure of the data subject to provide personal data may prevent or hinder Facelift from engaging or maintaining a business relation with the data subject or the (potential) customer they data subject represents.
Facelift does not subject the data subject to automatic decision-making, including profiling, as defined in Article 22 GDPR.
1 The full list of countries that provide adequate protection can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
2 The text of the standard data protection clauses can be obtained from the European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en