Privacy Notice

1. Introduction

We would like to use the information below to provide you “data subject” with an overview of our processing of your personal data and your rights under data protection law. It is generally possible to use our website without entering personal data. However, if you wish to make use of special services offered by our company through our website, it may be necessary to process personal data. If it is necessary to process personal data and there is no legal basis for such processing, we will generally obtain your consent.

Personal data, such as your name, address or email address, is always processed in accordance with the EU General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to the “Max ASP GmbH”. The aim of this Privacy Notice is to inform you about the scope and purpose of the personal data we collect, use and process.

As the data controller, we have implemented numerous technical and organisational measures to ensure the most complete possible protection of the personal data processed via this website. Nevertheless, Internet-based data transmissions can in principle have security gaps so that absolute protection cannot be guaranteed. For this reason, you are free to submit personal data on alternative ways, such as by phone or by post to us.

2. Data controller

The data controller, as defined by the GDPR, is:

Max ASP GmbH
Kässbohrerstraße 16, 89077 Ulm, Germany
Phone: +49 731 15927 0

Data controller’s representative: Benjamin Tänzer

3. Data protection officer

You can reach the data protection officer as follows:

Wolfgang Branz
Phone: +49 7525 9469859

You may contact our data protection officer directly at any time if you have any questions or suggestions regarding data protection.

4. Disclosure of data to third parties

Your personal data will not be conveyed to third parties for purposes other than those listed below.

We will only share/convey your personal data with third parties if:

  1. you have given us your express consent to do so in accordance with Art. 6 (1) lit. a GDPR,
  2. the disclosure is permissible in accordance with Art. 6 (1) lit. f GDPR to protect our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  3. in the event that a legal obligation exists for the disclosure pursuant to Art. 6 (1) lit. c GDPR, as well as

In the context of the processing operations described in this privacy statement, personal data may be transferred to the USA. Companies in the USA only have an adequate level of data protection if they have certified themselves under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies. We have explicitly mentioned this in the privacy policy for the service providers concerned. In order to protect your data in all other cases, we have concluded commissioned processing agreements based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent can serve as the legal basis for the transfer to third countries in accordance with Article 49 (1) a) of the GDPR. This sometimes does not apply in the case of a data transfer to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 of the GDPR.

5. Technology

5.1 SSL/TLS-encryption

This site uses SSL or TLS encryption to guarantee the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact enquiries that you send to us as the operator. You can recognise an encrypted connection by the fact that the address bar of the browser contains a “https://” instead of a “http://” and by the lock symbol in your browser bar.

We use this technology to protect your transmitted data.

5.2 Data collection when visiting the website

If you only use our website for informational purposes, i.e. if you do not register or otherwise provide us with information, we only collect the data your browser sends our server (in what is known as “server log files”). Our website collects a range of general data and information each time you access a website or an automated system. This general data and information is stored in the server’s log files. It may be collected.

  1. the browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system accesses our website (so-called referrer),
  4. the sub-pages accessed via an accessing system on our website,
  5. the date and time of access to the website,
  6. an internet Protocol (IP) address, and
  7. the internet service provider of the accessing system.

When using this general data and information, we do not draw any conclusions about your person. Rather, this information is required to

  1. deliver the contents of our website correctly,
  2. optimise the contents of our website as well as to advertise it,
  3. to ensure the permanent operability of our IT systems and the technology of our website, and
  4. to provide law enforcement authorities with the information necessary to prosecute in the event of a cyber-attack.

Therefore, the data and information collected will be used by us for statistical purposes only and for the purpose of increasing the data protection and data security of our enterprise to ensure an optimal level of protection for the personal data we process. The data of the server log files is stored separately from any personal data provided by a data subject.

The legal basis for data processing is Art. 6 (1) lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above.

6. Contents of our website

6.1 Contact support / Contact form

Personal data is collected when contacting us (e.g. via contact form or e-mail). Which data is collected in the case of the use of a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. The legal basis for processing the data is our legitimate interest in responding to your request in accordance with Art. 6 (1) lit. f GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) lit. b GDPR. Your data will be deleted after final processing of your request; this is the case if it can be inferred from the circumstances that the matter concerned has been conclusively clarified and the deletion does not conflict with any legal obligations to retain data.

6.2 Services / Digital Goods

We only transmit personal data to third parties if this is necessary within the framework of the Data Protection Agreement, for example to the credit institution commissioned with the payment processing.

No further transmission of data will take place unless you have expressly consented to the transmission. Your data will not be disclosed to third parties without your express consent, for example for advertising purposes.

The basis for data processing is Art. 6 (1) lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.

6.3 Application Management / job exchange

We collect and process the personal data of applicants for the purpose of processing the application procedure. The processing may also take place electronically. This is particularly the case if an applicant submits the relevant application documents to us electronically, for example by e-mail or via a web form on the website. If we conclude an employment or service contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If we do not conclude a contract with the applicant, the application documents are automatically deleted two months after notification of the rejection decision, provided that no other legitimate interests on our part oppose deletion. Another legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the German Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz [AGG]).

The legal basis for processing your data is Art. 88 GDPR icw § 26 (1) German Federal Data Protection Act (Bundesdatenschutzgesetz [BDSG]).

6.4 Whistleblower Protection Act Reporting Portal

Details of the processing activity

The purpose of this processing activity is to introduce and operate an internal reporting office to fulfill legal obligations under the HinSchG and to exercise legality/supervisory duties.

This includes the implementation of a whistleblower system/reporting channel.

  • Designation of an impartial person or department responsible for following up on reports.
  • The reporting office will receive reports, send confirmations of receipt, and report back to the whistleblower.
  • Follow-up measures will be implemented and all reports and follow-up measures will be documented.

Additionally, data is analysed to assess previous compliance cases, with the aim of enhancing the compliance management system.

Legal basis of the processing activity

The processing is necessary to comply with a legal obligation pursuant to Art. 6 para. 1 lit. c DS-GVO (Section 16 para. 1 sentence 1 HinSchG, Art. Paragraph 8, sentence 1 of Directive 2019/1937, and possibly also Sections 76, 91 lit.2, and 93 lit.1 of the AktG).

Recipient Categories

Internal (within the department)

Data transfer to a third country

No data will be transferred to third countries.

Additional information obligations

Storage period of the personal data

The data will be deleted 3 years after completion of the procedure.

Obligation to provide personal data

The data subject is obliged to provide the personal data.

Data can also be provided anonymously.

Consequences of non-provision

Whistleblowers may be required to provide their personal data to submit or justify the report. However, there is no obligation to submit information.

6.5 Facebook Connect

On our website, you can log in to create a customer account or register using the social plugin “Facebook Connect” of the social network Facebook, which is operated by Meta Platforms Inc. (formerly Facebook Inc.), 1 Hacker Way, Menlo Park, CA 94025, USA (“Meta”), within the scope of the so-called single sign-on technology, if you have a Facebook profile. You can recognise the social plugins from “Facebook Connect” on our website by the blue button with the Facebook logo and the inscription “Log in with Facebook” or “Connect with Facebook”. “Connect with Facebook” or “Log in with Facebook” or “Sign in with Facebook”.

When you view a page of our website that contains such a plugin, your browser establishes a direct connection to Meta’s servers. The content of the plugin is transmitted by Facebook directly to your browser and integrated into the page. Through this integration, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook profile or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Meta server in the USA and stored there. These processing operations are only carried out if you have given your express consent in accordance with Art. 6 (1) lit. a GDPR.

By using this “Facebook Connect”-button on our website, you also have the option of logging in or registering on our website using your Facebook user data. Only if you give your express consent in accordance with Art. 6 (1) lit. a DS-GVO prior to the registration process on the basis of a corresponding notice about the exchange of data with Facebook, do we receive the general and publicly accessible information stored in your profile from Facebook when using the “Facebook Connect” button, depending on your personally made data protection settings at Facebook. This information includes the user ID, name, profile picture, age and gender.

Please note that following changes to Facebook’s privacy policy and terms of use, consent may also result in the transfer of your profile pictures, friends’ user IDs and friends list if these have been marked as “public” in your privacy settings on Facebook. The data transmitted by Facebook will be stored and processed by us for the creation of a user account with the necessary data, if these have been released by you on Facebook for this purpose (title, first name, last name, address data, country, e-mail address, date of birth). Conversely, data (e.g. information on your surfing or purchasing behaviour) may be transferred from us to your Facebook profile on the basis of your consent.

The consent given can be revoked at any time by sending a message to the responsible person named at the beginning of this Privacy Policy.

For the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please refer to Facebook’s privacy policy:

This US company is certified under the EU-US Data Privacy Framework. There is hereby an adequacy decision pursuant to Art. 45 GDPR, so that a transfer of personal data may also take place without further guarantees or additional measures.

If you do not want Facebook to assign the data collected via our website directly to your Facebook profile, you must log out of Facebook before visiting our website. You can also completely prevent the loading of Facebook plugins with add-ons for your browser, e.g. with “Adblock Plus” (

7. Your rights as a data subject

7.1 Right to confirmation

You have the right to request confirmation from us as to whether personal data relating to you will be processed.

7.2 Right to information (Article 15 GDPR)

You have the right to obtain information about the personal data stored about you at any time, free of charge, as well as the right to access a copy of such data from us, in accordance with the statutory provisions.

7.3 Right to rectification (Article 16 GDPR)

You have the right to request the immediate rectification of incorrect personal data relating to yourself. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

7.4 Erasure (Article 17 GDPR)

You have the right to demand that we erase the personal data relating to you be deleted without delay, provided that one of the reasons provided by law applies and if processing or further storage is not required.

7.5 Restriction to processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your data if one of the legal requirements is met.

7.6 Data transferability (Article 20 GDPR)

You have the right obtain personal data relating to you that you provided us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance by us, to whom the personal data was provided, provided that the processing is based on the consent pursuant to Article 6 Paragraph 1(a) GDPR or Article 9 Paragraph 2(a) GDPR or on a contract pursuant to Article 6 Paragraph 1(b) GDPR, and the data are processed using automated procedures, unless processing is necessary to complete a task, is in the public interest or is carried out in the exercise of an official authority assigned to us.

Furthermore, when exercising your right to data transferability pursuant to Article 20 Paragraph 1 GDPR, you have the right to have personal data transferred directly from one controller to another, provided this is technically feasible and does not impede the rights and freedoms of other persons.

7.7 Objection (Article 21 GDPR)

You have the right to lodge an objection to the processing of personal data relating to you for reasons relating to your particular situation where this is done on the basis of Article 6 Paragraph 1(e) (data processing in the public interest) or (f) (data processing on the basis of the weighing of legitimate interests) GDPR.

This also applies to profiling based on these provisions pursuant to Article 4 Number 4 GDPR.

Should you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling and legitimate reasons for such processing that outweigh your interests, rights and freedoms, or where processing serves the assertion, exercise or defence of legal claims.

In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling where this is connected to this kind of direct marketing. Should you object to the processing of your data for direct marketing purposes, we will no longer process your personal data for this purpose.

In addition, you have the right to object to our processing of your personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89 Paragraph 1 GDPR for reasons arising from your particular situation, unless such processing is necessary for the performance of a task in the public interest.

You are free to exercise your right to lodge an objection in relation to the use of information society services, Directive 2002/58/EC notwithstanding, by means of automated procedures using technical specifications.

7.8 Revocation of consent regarding data protection

You have the right to revoke any consent to the processing of personal data at any time with future effect.

7.9 Lodging a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

8. Routine storage, erasure and blocking of personal data

We process and store your personal data only for the period of time necessary to meet the storage purpose or as required by the legal provisions to which our company is subject.

If the storage purpose no longer applies or if a required retention period expires, personal data will be routinely blocked or erased in accordance with the statutory provisions.

9. Duration of storage of personal data

The criterion for the duration of the retention of personal data is the respective legal retention period. Once this period expires, the data in question will be routinely erased, provided it is no longer required for the fulfilment or initiation of the contract.

10. Version and amendments to the Privacy Notice

This Privacy Policy is currently valid as of: December 2023

ue to the further development of our Internet pages and offers or due to changed legal or official requirements, it may become necessary to change this Privacy Policy.