

Privacy Policy
PIA FLOAK
The requirements of the EU General Data Protection Regulation (hereinafter GDPR) apply throughout Europe. We would like to inform you about the processing of personal data carried out by our company in accordance with this regulation (cf. Articles 13 and 14 GDPR). Should you have any questions or comments regarding this privacy policy, you can send them at any time to the email address provided under section 1.2 or 1.3.
1. Overview
In this section of the privacy policy you will find information about the scope, the controller responsible for the data processing and its data protection officer.
1.1 Scope
On this page we inform you about the nature, scope and purpose of the personal data collected by PIA FLOAK GmbH, which is processed both when visiting this website and in other processing operations under our responsibility that are not connected with this website.
1.2 Controller
The controller responsible for the data processing – i.e. the entity that decides on the purposes and means of the processing of personal data – in connection with the processing operations is:
PIA FLOAK GmbH
Gorch-Fock-Wall 1a
20354 Hamburg
Phone: +49 (0)40 1888 112 0
Email: contact@piafloak.com
1.3 Data Protection Officer
You can contact our data protection officer as follows:
Contact form:
ePrivacy GmbH
Burchardstr.14
D-20095 Hamburg
2. The Data Processing Operations in Detail
In this section of the privacy policy we inform you in detail about the processing of personal data. For better clarity, we structure this information according to specific functionalities.
2.1 General Information on the Data Processing
The following applies to all of the processing operations described below, unless otherwise stated:
2.1.1 No Obligation to Provide Data
There is neither a contractual nor a statutory obligation to provide the personal data. You are not obliged to provide any data.
2.1.2 Consequences of Not Providing Data
In the case of required data (data marked as mandatory at the point of entry), not providing it means that the relevant service cannot be performed. Otherwise, not providing data may result in our services not being able to be provided in the same form and quality.
2.1.3 Transmission to Government Authorities
We transmit personal data to government authorities (including law enforcement authorities) only when this is necessary to fulfil a legal obligation to which we are subject (legal basis: Art. 6(1)(c) GDPR) or when it is necessary for the establishment, exercise or defence of legal claims (legal basis: Art. 6(1)(f) GDPR).
2.1.4 Storage Period
We do not store your data longer than we need it for the respective processing purposes. If the data is no longer required, it is regularly deleted, unless its temporary retention is still necessary. Reasons for this may include the following:
- Compliance with commercial and tax-law retention obligations
- Preserving evidence for legal disputes within the framework of the statutory limitation periods
2.1.5 Categories of Recipients
In addition to the categories of recipients explicitly listed below, personal data is also transmitted to the following categories of recipients: IT service providers, telephone and fax providers.
2.1.6 Data Categories
- Account data: login/user ID and password
- Master personal data: title, form of address/gender, first name, last name, date of birth
- Address data: street, house number, any address additions, postal code, city, country
- Contact data: telephone number(s), fax number(s), email address(es)
- Registration data: information about the service you registered for; times and technical information regarding registration, confirmation and unsubscription; data provided by you during registration
- Order data: ordered products, prices, payment and delivery information
- Payment data: account data, credit card data, data for other payment services such as PayPal
- Access data: date and time of the visit to our service; the page from which the accessing system reached our site; pages accessed during use; data for session identification (session ID); as well as the following information about the accessing computer system: Internet Protocol address used (IP address), browser type and version, device type, operating system and similar technical information.
- Application data: CV, references, certificates, work samples, qualifications, images, videos
- Data under Art. 9 GDPR: data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the unique identification of a natural person, health data or data concerning the sex life or sexual orientation of a natural person.
2.2 Accessing the Website
This describes how we process your personal data when you access the website.
2.2.1 Information on the Processing
| Data category | Purpose | Legal basis | Legitimate interest (if applicable) | Storage period |
|---|---|---|---|---|
| Access data | Establishing a connection, displaying the content of the service, detecting attacks on our site based on unusual activity, error diagnosis | Protection of legitimate interests (Art. 6(1)(f) GDPR) | Proper functioning of the services, security of data and business processes, prevention of misuse, prevention of damage through interference with information systems | 7 days |
| User consent data | User consent management and in particular the storage and management of the choices made by the visitor regarding the use or non-use of tools when visiting this website | Compliance with a legal obligation (Art. 6(1)(c) GDPR) | – | 3 years |
2.2.2 Recipients of the Personal Data
| Recipient category | Data concerned | Legal basis for the transmission | Legitimate interest (if applicable) |
|---|---|---|---|
| Hosting & content provider | Access data | Processing on behalf (Art. 28 GDPR) | – |
| User consent management platform | User consent data | Compliance with a legal obligation (Art. 6(1)(c) GDPR) | – |
| Tag management platform | Aggregated data for triggering tags | Consent (Art. 6(1)(a) GDPR) | – |
| Tracking & analytics platform | Access data | Consent (Art. 6(1)(a) GDPR) | – |
| Web fonts platform | Access data | Consent (Art. 6(1)(a) GDPR) | – |
| Translation platform | Access data | Consent (Art. 6(1)(a) GDPR) | – |
2.2.3 Content Providers That Transmit Data to Third Countries
| Recipient | How it works | Data categories | Adequacy decision, if applicable (Art. 45 GDPR) | Appropriate safeguards, if applicable (Art. 46 GDPR) |
|---|---|---|---|---|
| none | – | – | – | – |
2.2.4 Tracking for the Analysis and Optimisation of Our Services and Their Use
Below we describe how your personal data is processed using tracking technologies for the analysis and optimisation of our services.
The description of the tracking procedures also includes information on how you can prevent or object to the data processing. Please note that the so-called “opt-out”, i.e. the rejection of the processing, is usually stored via cookies. If you use our services on a new device or in a different browser, or if you have deleted the cookies set by your browser, you will need to declare the rejection again.
The tracking procedures presented process personal data only in pseudonymous form. There is no connection to a specific, identified natural person, i.e. no merging of the data with information about the bearer of the pseudonym.
Purposes of the processing: Analysing user behaviour by means of tracking helps us to check the effectiveness of our services, to optimise them and adapt them to users’ needs, and to fix errors.
Legal basis of the processing: consent pursuant to Art. 6(1)(a) GDPR
The tracking procedures used are described in the consent management tool.
2.3 Newsletter
What happens to your personal data in connection with a subscription to our newsletter is described here:
2.3.1 Information on the Processing
| Data category | Purpose | Legal basis | Legitimate interest (if applicable) | Storage period |
|---|---|---|---|---|
| Email address | Verification of the registration (double opt-in procedure), sending of the newsletter | Consent (Art. 6(1)(a) GDPR) | – | Duration of the newsletter subscription |
| Master personal data | Personalisation of the newsletter | Consent (Art. 6(1)(a) GDPR) | – | Duration of the newsletter subscription |
| Subscription/unsubscription data | Traceability of completed newsletter registration/confirmation/unsubscription | Protection of legitimate interests (Art. 6(1)(f) GDPR) | Proof of completed newsletter registration/confirmation/unsubscription | Duration of the newsletter subscription (unsubscription data kept indefinitely to fulfil accountability obligations) |
| Newsletter usage profile data / tracking | Interest-based design of the newsletter | Consent (Art. 6(1)(a) GDPR) | – | Duration of the newsletter subscription |
2.3.2 Recipients of the Personal Data
| Recipient category | Data concerned | Legal basis for the transmission | Legitimate interest (if applicable) |
|---|---|---|---|
| Newsletter provider | all data mentioned under 2.3.1 | Processing on behalf (Art. 28 GDPR) | – |
2.3.3 Transmission of Personal Data to Third Countries
| Recipient | How it works | Data categories | Adequacy decision, if applicable (Art. 45 GDPR) | Appropriate safeguards, if applicable (Art. 46 GDPR) |
|---|---|---|---|---|
| none | – | – | – | – |
2.4 Job Applications
There are diverse career opportunities within our group of companies. During an ongoing application process, we process your personal data in the following way:
We store your application documents with all the information you have provided in them in the applicant pool of the PIA group of companies (https://pia.me). The PIA companies use the applicant pool to find suitable candidates for positions to be filled. Your data will be deleted 6 months after being added to the applicant pool or, if considered in a selection process, 6 months after the conclusion of the selection process. Your application documents are passed on exclusively within the PIA group of companies; they are not passed on to third parties.
2.4.1 Information on the Processing
| Data category | Purpose | Legal basis | Legitimate interest (if applicable) | Storage period |
|---|---|---|---|---|
| Address data, contact data | Identification, contact, communication to initiate a contract | Contract (Art. 6(1)(b) GDPR) | – | 6 months |
| Master personal data | Identification, contact, age verification | Contract (Art. 6(1)(b) GDPR) | – | 6 months |
| Application data | Assessment and evaluation for the advertised position | Contract (Art. 6(1)(b) GDPR) | – | 6 months or until termination of the contract |
2.4.2 Recipients of the Personal Data
| Recipient category | Data concerned | Legal basis for the transmission | Legitimate interest (if applicable) |
|---|---|---|---|
| Applicant management & data storage provider | all data mentioned under 2.4.1 (unless partially objected to) | Processing on behalf (Art. 28 GDPR) | – |
| PIA group of companies | all data mentioned under 2.4.1 (unless partially objected to) | Joint controller (Art. 26 GDPR) | – |
2.4.3 Transmission of Personal Data to Third Countries
| Recipient | How it works | Data categories | Adequacy decision, if applicable (Art. 45 GDPR) | Appropriate safeguards, if applicable (Art. 46 GDPR) |
|---|---|---|---|---|
| none | – | – | – | – |
2.5 Customer Support
You can find out how we process your personal data when you contact our customer support here:
2.5.1 Information on the Processing
| Data category | Purpose | Legal basis | Legitimate interest (if applicable) | Storage period |
|---|---|---|---|---|
| Master personal data, contact data, content of inquiries/complaints | Processing of customer inquiries and user complaints | Contract (Art. 6(1)(b) GDPR), protection of legitimate interests (Art. 6(1)(f) GDPR) | Customer retention, improvement of our service | Processing of the inquiry |
2.5.2 Recipients of the Personal Data
| Recipient category | Data concerned | Legal basis for the transmission | Legitimate interest (if applicable) |
|---|---|---|---|
| Customer management | all data mentioned under 2.5.1 (unless partially objected to) | Processing on behalf (Art. 28 GDPR) | – |
| Affiliated companies | all data mentioned under 2.5.1 (unless partially objected to) | Processing on behalf (Art. 28 GDPR) | – |
2.5.3 Transmission of Personal Data to Third Countries
| Recipient | How it works | Data categories | Adequacy decision, if applicable (Art. 45 GDPR) | Appropriate safeguards, if applicable (Art. 46 GDPR) |
|---|---|---|---|---|
| none | – | – | – | – |
2.6 Social Media
You can find out how we process your personal data when you follow us on social media here:
2.6.1 Information on the Processing
| Data category | Purpose | Legal basis | Legitimate interest (if applicable) | Storage period |
|---|---|---|---|---|
| Online identifier | External representation, advertising approach | Protection of legitimate interests (Art. 6(1)(f) GDPR) | Acquisition of new customers, care of existing customers, and recruitment and retention of employees | Analogous to the contract term |
2.6.2 Recipients of the Personal Data
| Recipient category | Data concerned | Legal basis for the transmission | Legitimate interest (if applicable) |
|---|---|---|---|
| Social media platform operators | all data mentioned under 2.6.1 (unless partially objected to) | Protection of legitimate interests (Art. 6(1)(f) GDPR) | Acquisition of new customers, care of existing customers, and recruitment and retention of employees |
2.6.3 Transmission of Personal Data to Third Countries
| Recipient | How it works | Data categories | Adequacy decision, if applicable (Art. 45 GDPR) | Appropriate safeguards, if applicable (Art. 46 GDPR) |
|---|---|---|---|---|
| Xing, LinkedIn, Twitter, Facebook, Instagram, Kununu | External representation, advertising approach | Online identifier | – | EU standard contract or joint controller with additional safeguards |
3. Data Subject Rights
3.1 Right to Object
You have the right, on grounds relating to your particular situation, to object at any time with effect for the future to the processing of personal data concerning you that is carried out pursuant to Art. 6(1)(e) or (f) GDPR. You can exercise the right to object free of charge.
3.2 Right of Access
You have the right to know whether personal data concerning you is being processed by us, what personal data this may be, as well as further information pursuant to Art. 15 GDPR.
3.3 Right to Rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you (Art. 16 GDPR). Taking into account the purposes of the processing, you have the right to have incomplete personal data completed – including by means of a supplementary statement.
3.4 Right to Erasure (“Right to be Forgotten”)
You have the right to demand that we erase personal data concerning you without undue delay, provided that one of the grounds set out in Art. 17(1) GDPR applies and the processing is not necessary for one of the purposes regulated in Art. 17(3) GDPR.
3.5 Right to Restriction of Processing
You are entitled to request a restriction of the processing of your personal data if one of the conditions regulated in Art. 18(1)(a) to (d) GDPR is met.
3.6 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, or to have us transmit it directly, where technically feasible. This shall always apply where the basis of the data processing is consent or a contract and the data is processed by automated means. It does therefore not apply to data held only in paper form.
3.7 Right to Withdraw Consent
Insofar as the processing is based on your consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent up until the withdrawal.
3.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority.
Last updated: 30 April 2026
Version: 1.0