Portamus GmbH prioritizes data protection. Website use requires no personal data, but special services may necessitate data processing. The company obtains consent when required and complies with GDPR and applicable data protection regulations. Personal data — including names, addresses, email addresses, and phone numbers — is processed according to GDPR and applicable national laws.

Portamus GmbH has implemented technical and organizational measures to protect personal data. However, internet-based transmissions may have security vulnerabilities, so absolute protection cannot be guaranteed.

1. Definitions

The policy uses terminology from the GDPR. Key terms are defined as follows:

a) Personal data: All information relating to an identified or identifiable natural person, including identifiers such as names, identification numbers, location data, online identifiers, or characteristics expressing physical, physiological, genetic, mental, economic, cultural, or social identity.

b) Data subject: Any identified or identifiable natural person whose personal data is processed.

c) Processing: Any operation performed on personal data with or without automated means, including collection, recording, organisation, storage, adaptation, retrieval, use, transmission, restriction, deletion, or destruction.

d) Restriction of processing: Marking stored personal data to limit future processing.

e) Profiling: Automated processing of personal data to evaluate particular aspects relating to work performance, financial situation, health, preferences, interests, reliability, behaviour, or location.

f) Pseudonymisation: Processing personal data in a manner that cannot be attributed to a specific data subject without additional information, kept separately under technical and organisational safeguards.

g) Controller: The natural or legal person, authority, or entity deciding the purposes and means of processing personal data.

h) Processor: A natural or legal person, authority, or entity processing personal data on the controller’s behalf.

i) Recipient: Any natural or legal person, authority, or entity to whom personal data is disclosed, excluding authorities receiving data for investigation purposes.

j) Third party: Any entity other than the data subject, controller, processor, or persons authorised to process personal data.

k) Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, expressed as a declaration or clear affirmative action, confirming agreement to the processing of personal data.

2. Controller

The controller within the meaning of the GDPR is:

Portamus GmbH
Inselstr. 27
46149 Oberhausen
Germany

Phone: +49 (0)208-30980891
Email: contact@portamus.com
Website: portamus.com

3. Cookies

Portamus GmbH uses cookies — text files stored via the internet browser on computer systems. Many websites use cookies containing unique cookie IDs, which allow servers to distinguish individual browsers and recognise returning visitors.

Cookies allow Portamus GmbH to provide user-friendly services that would otherwise not be possible, and to optimise website information and offers according to user preferences. Data subjects may prevent cookie setting at any time through browser settings, permanently opposing cookie placement. Previously set cookies may be deleted through browsers or software programmes. Deactivating cookies may prevent full website functionality.

4. Collection of General Data and Information

Portamus GmbH collects general data and information with each website visit by data subjects or automated systems, stored in server log files. This includes:

  1. Browser types and versions used
  2. The accessing system’s operating system
  3. The referrer website
  4. Accessed sub-pages
  5. Access date and time
  6. Internet Protocol (IP) address
  7. Internet Service Provider
  8. Other similar data serving threat prevention against attacks on IT systems

No conclusions about individual data subjects are drawn from this general data. The information is used to:

  1. Correctly deliver website content
  2. Optimise website content and advertising
  3. Ensure IT system and website functionality
  4. Provide law enforcement with information necessary following cyberattacks

Anonymously collected data are statistically evaluated to increase data protection and security. Server log file data are stored separately from personal data provided by data subjects.

5. Contact Possibilities via the Website

The Portamus GmbH website contains legally required contact information enabling rapid electronic contact and direct communication, including email addresses. When data subjects contact the controller via email or contact form, the transmitted personal data are automatically stored. Voluntarily provided personal data are retained for processing purposes or for contacting the data subject. No third-party disclosure occurs.

6. Routine Erasure and Blocking of Personal Data

The controller processes and stores personal data only for periods necessary for the storage purpose or as required by GDPR or applicable law. When storage purposes expire or legally prescribed retention periods conclude, personal data are routinely blocked or deleted according to legal requirements.

7. Rights of the Data Subject

Under the GDPR and BDSG, data subjects have the following rights:

a) Right of confirmation: Data subjects may request confirmation of whether personal data concerning them is being processed.

b) Right of access: Data subjects are entitled to free information about personal data stored concerning them and a copy thereof, including: processing purposes, categories of data processed, recipients or recipient categories, planned storage duration, rights to correction or deletion, the right to lodge complaints with supervisory authorities, information about data origin, and information about any automated decision-making.

c) Right to rectification: Data subjects may request immediate correction of inaccurate personal data and completion of incomplete personal data.

d) Right to erasure (Right to be Forgotten): Data subjects may request deletion of personal data where: the data is no longer necessary for its original purpose; consent is withdrawn; the data subject objects and no overriding legitimate grounds exist; the data was unlawfully processed; deletion is required to fulfil a legal obligation; or the data was collected regarding information society services.

e) Right to restriction of processing: Data subjects may request restriction of processing where: the accuracy of the data is contested; processing is unlawful but erasure is opposed; the controller no longer needs the data but the data subject requires it for legal claims; or an objection is pending verification.

f) Right to data portability: Data subjects may receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance, where processing is consent- or contract-based and carried out by automated means.

g) Right to object: Data subjects may object at any time to processing based on legitimate interests or for direct marketing purposes, including profiling. Portamus GmbH will cease processing unless compelling legitimate grounds overriding the data subject’s interests can be demonstrated.

h) Automated decision-making and profiling: Data subjects have the right not to be subject to decisions based exclusively on automated processing — including profiling — that produce legal effects or similarly significantly affect them, unless the decision is necessary for contract performance, authorised by law, or based on explicit consent.

i) Right to withdraw consent: Data subjects may withdraw consent for personal data processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at contact@portamus.com. We will respond within one month as required by Article 12 GDPR.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Portamus GmbH is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44
40102 Düsseldorf, Germany
www.ldi.nrw.de

8. Data Protection for Applications

The controller collects and processes applicant personal data to manage application procedures, including electronic submissions via email or website forms. If an employment contract is concluded, transmitted data are retained according to legal requirements for employment management. If no contract is concluded, application materials are automatically deleted two months after rejection notification, unless other legitimate interests prevent deletion — such as proof obligations under the General Equal Treatment Act (AGG).

9. Matomo Web Analytics

Portamus GmbH has integrated Matomo, an open-source web analysis tool, to analyse visitor behaviour. Matomo collects data about visitor referrers, accessed sub-pages, visit frequency, and dwell duration, primarily for website optimisation. The software operates on the controller’s server; all log files are stored exclusively there and are not forwarded to third parties.

Matomo sets a cookie on data subject systems enabling website usage analysis. Each page visit causes the browser to transmit data — including the data subject’s IP address — to the server for analysis. Data subjects may prevent cookie setting through browser settings or delete existing Matomo cookies at any time. An opt-out cookie may also be set to prevent future data capture. Deleting the opt-out cookie requires it to be reset. Website functionality may be limited following opt-out.

Further information is available at matomo.org/privacy.

Processing activities at Portamus GmbH are based on the following legal grounds:

  • Article 6(1)(a) GDPR — processing with the data subject’s consent
  • Article 6(1)(b) GDPR — processing necessary for the performance of a contract or pre-contractual measures
  • Article 6(1)(c) GDPR — processing required to fulfil a legal obligation (e.g. statutory retention requirements)
  • Article 6(1)(d) GDPR — processing necessary to protect the vital interests of the data subject or another person
  • Article 6(1)(f) GDPR — processing necessary for the legitimate interests of the controller or a third party, provided that the data subject’s fundamental rights and freedoms do not override those interests

11. Legitimate Interests in Processing

Where processing is based on Article 6(1)(f) GDPR, the legitimate interest of Portamus GmbH is the conduct of its business operations for the well-being of all employees and shareholders.

12. Storage Duration

Personal data storage duration follows applicable statutory retention requirements. Data is routinely deleted after the applicable retention period expires, unless continued retention is necessary for contract fulfilment or pre-contractual purposes:

  • Contact form data — retained for up to 2 years from the date of first contact, unless an ongoing client relationship exists
  • Contractual and engagement data — retained for 10 years in accordance with statutory retention obligations under German commercial law (HGB § 257)
  • Marketing contact data — retained until you unsubscribe or request deletion

After the applicable retention period, data is securely deleted or anonymised.

13. Legal or Contractual Requirements for Data Provision

Personal data provision is partly legally required (e.g. tax regulations) or arises from contractual arrangements. Sometimes contract conclusion requires the data subject to provide personal data for processing. Non-provision may prevent contract conclusion. Before providing personal data, data subjects should contact company employees, who will explain on a case-by-case basis whether provision is legally or contractually required, whether obligations to provide data exist, and the consequences of non-provision.

14. Automated Decision-Making

As a responsible company, Portamus GmbH refrains from automatic decision-making or profiling in its business operations.