Privacy Statement

Thank you for your interest in our company and for visiting our website. In the following privacy statement, esatus AG (hereinafter referred to as “we”, “us” or “esatus AG”) would like to inform you about the type, scope and purpose of the personal data collected, used, and processed, in order to comply with the obligation of transparency, in particular by providing information about the rights of data subjects.

Personal data is information that relates to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified directly or indirectly (e.g., by means of associating him/her with an online identifier). This includes, without being limited to, information such as the name, address, telephone number and e-mail address or other physical characteristics by which a natural person can be identified. For the purposes of this privacy statement, we will refer to you as “you”, “user”, or “data subject”.

This privacy statement applies to the websites and operated by us, the online presences in the social media maintained by us, as well as all points under section 2.2. esatus Schweiz AG is a 100% subsidiary of esatus AG in Switzerland. The EU has certified that Switzerland has an adequate level of data protection in accordance with Art. 45 GDPR. The data processing is carried out under joint responsibility in accordance with Art. 26 GDPR. The provisions of the privacy statement of esatus Schweiz AG must also be observed if Swiss data protection law is affected.

1. Contact details of the Controller and the Data Protection Officer

“Controller” refers to the natural or legal person, public authority, agency, or other body which, on his/her own or jointly with others, determines the purposes and types of personal data processing.
Controller for data processing:

esatus AG
Rheinstraße 5
63225 Langen

Tel.: +49 6103 9029-0

Data Protection Officer:

Tel.: +49 6103 9029-0

2. General information on data processing

2.1. Information on data processing in the context of visiting the website

When the websites ( or are called up, esatus AG processes various personal data, depending on the type of processing. The different types of data processing are explained in the following section.

2.1.1. Operation of the website

This website is hosted by esatus AG. No data is being transferred to a third country. For the secure operation of this website, data is automatically recorded in so-called log files each time the website is called up. The data is automatically transferred to the esatus AG server by the browser you are using. The following data is transmitted:

  • Browser type and version
  • Operating system used
  • Referrer URL (the website previously visited)
  • IP address of the accessing computer
  • Time and date of the server request

The legal basis for this type of processing is Art. 6 (1) sentence 1 lit. f) GDPR (legitimate interest). The provision and operation of the website as well as browser optimization and maintenance of the security of this website represent the legitimate interest of esatus AG. An evaluation of the log files takes place exclusively for the purpose of the security of this website as well as for statistical evaluations. This data is not merged with other data and data sources. To ensure security, esatus AG uses intrusion detection. Article 6 (1) sentence 1 lit. f) GDPR (legitimate interest) constitutes the legal basis for the processing of system logs for intrusion detection.

Intrusion detection involves active monitoring of computer systems and/or networks with the aim of detecting attacks and misuse. Intrusion detection works by filtering out those incidents that indicate potential attacks, attempted misuse or security breaches from all incidents occurring in the monitored area, in order to subsequently investigate them in greater depth. This will allow rapid detection and reporting of harmful incidents. Corresponding log files are created for intrusion detection. If an anomaly is identified by means of intrusion detection, the IP address concerned is traced accordingly.

Apart from esatus AG, no other companies receive the data described above. This data is stored for a period of 7 days. After this period, the IP address will be anonymized (“IP-masking”). An exception to this is the identification of anomalies by intrusion detection. If, as a result of such incidents (e.g. attacks, attempts of misuse or security breaches), data must be retained to serve as evidence, this data is exempt from deletion until the respective incident has been finally clarified. After expiration of this storage period or final clarification of the incident, all corresponding data is deleted, or the IP address is anonymized.

2.1.2. Contacting us via the website

You can send us an inquiry at any time using our contact form on our website. The following information will be requested:

  • Salutation
  • First name and surname
  • E-mail address
  • Free text field (e.g. subject), which you fill in yourself

All other data that you send us via the free text field is voluntary. In addition, your IP address, time and date are automatically transmitted to us. In addition to our contact form, you can contact us via the e-mail addresses communicated on the website. The data contained in your message (e-mail) will be processed depending on the purpose of the message. The data is processed exclusively for the purpose of responding to your inquiry and the associated communication. Please note that, depending on your provider, e-mails are generally transmitted unencrypted. We can therefore accept no responsibility for the transmission path. If you contact us by telephone, we will process your telephone number and any data you communicate voluntarily during the conversation.

The legal basis for contacting us via our website depends on the content of your request. In principle, the legal basis for contacting us via the website is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). The legitimate interest here consists in providing the contact functionality and responding to your inquiries sent via the website. The IP address and the time stamp, which are automatically transmitted with your message, are used to prevent and trace misuse of our contact form. The processing of all data that you voluntarily transmit to us in the free text field is carried out in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). The data transmitted by you will generally be deleted after final processing of your request and fulfillment of the purpose.

Information on the process of transmitting data as part of an application can be found in section 2.2.2.

2.1.3. Cookies

Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that allows your browser to be uniquely identified when you return to the website. Our website only uses session ID cookies. Session IDs allow us to identify you while you are visiting our site, for example, to permanently display your preferred language. Session IDs are usually automatically accepted by the browser. You can deactivate this function, but this may impair your use of the website. Session IDs do not contain any information that can be read in plain text. Session IDs are required to make the use of our website more comfortable. The legal basis for this is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). The session IDs are temporarily stored on your computer and deleted after you quit the browser session and subsequently close the browser.

2.1.4. Analysis in the context of website use

We use the third-party tool Matomo to analyze the use of our website. We respect the rights of visitors to our website and use the tool with the best possible data protection settings. We therefore only collect the absolute minimum of data and also anonymize some of it. No cookies are set and the tool runs in a local environment without any data transfer.

We do not pass on any personal data to third parties.

The following data is collected:

  • User IP address (anonymized)
  • Date and time of the request
  • Page Title
  • Page URL
  • Referrer URL (anonymized)
  • Screen resolution being used
  • Time in local user’s timezone
  • Files that were clicked and downloaded
  • Links to an outside domain that were clicked
  • Page generation time
  • Location of the user
  • Main Language of the browser
  • User Agent of the browser

The legal basis for processing is our legitimate interest in accordance with Art. 6 S.1 lit. f) GDPR. Our legitimate interest is the analysis of our website to improve our online presence. A balancing of interests with the interests of the data subject has been carried out.

The data is stored by us as long as the purpose of the processing (see above) continues to exist.

For further information, please also refer to the Matomo documentation and privacy policy.

2.2. Information on data processing independent of website visits

Irrespective of the visit to this website, esatus AG processes personal data, in part under joint responsibility with esatus Schweiz AG, only:

  • for arranging events (e.g. workshops)
  • for meeting data collection obligations of the Corona Contact and Operating Restriction Ordinance of the Federal State of Hessen
  • for initiating employment relationships
  • for initiating contracts or fulfilling contractual or legal obligations related to the use of the “SOWL” product
  • for providing the esatus Wallet App
  • for carrying out electronic communication (sending e-mails)
  • for external presentation and advertising purposes in social media
  • for documenting customer and order history
  • for using event photographs for advertising purposes
  • for other purposes explicitly stated on declarations of consent.

In addition, this data protection declaration also applies to joint presences on social media (LinkedIn, X (formerly Twitter) and XING) of esatus AG and esatus Schweiz AG.

2.2.1. Event implementation

In the context of arranging and implementing events, esatus AG processes various personal data depending on the type of event, for example:

  • First and last name
  • Contact details (address, telephone number, e-mail address)
  • Job title and job description
  • Employer or educational institution

All data processed in the context of an event serve to initiate and implement the corresponding event. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. a) and b) GDPR (consent and fulfilment of a contract). Your data will be deleted after the event has taken place. As a matter of principle, no data is transferred to third parties. Information on data communicated or transmitted to esatus AG in the context of events for the purpose of a job application can be found in section 2.2.2.
We use Eventbrite Inc ("Eventbrite") to register for events. If you click on the relevant link to register for an event, you will automatically be redirected to the Eventbrite website. 

The Eventbrite event platform is provided by Eventbrite Inc. 155 5th Street, Floor 7, San Francisco, CA 94103, USA. The responsible company for consumers in Europe who use a paid service is Eventbrite Operations (IE) Ltd, an Irish limited liability company with its registered office at Unit 3100, Citywest Business Campus Dublin 24, Citywest, Dublin, D24AK82, Ireland. Eventbrite maintains a branch office in Berlin: Eventbrite DE GmbH, Oranienstraße 25, 10999 Berlin, Germany.

In the course of using and visiting the Eventbrite website, Eventbrite automatically collects further personal data for which Eventbrite, as the operator of the website, is responsible. This concerns your IP address, browser identification, terminal device information, characteristics of your access device and/or browser, statistical data about your activities on the services, information about how you access the services.
Eventbrite is the sole controller of this automated processing and we have no control over these processing operations. This applies equally to all data collected during registration and login to the website. Please refer to the Eventbrite privacy policy.

In the course of booking an event, Eventbrite collects personal data on behalf of esatus AG:

  • Surname and first name
  • Employer
  • E-mail address
  • Information on the events booked and attended

The purpose of the data collection is the proper implementation of events, the proper identification and authentication of you as a participant in the event and the fulfilment of the service offer before and during the implementation of the event.

The legal basis for the processing is your consent in accordance with Art. 6 Para. 1 lit. a) GDPR. You give this consent during registration by entering and confirming your personal data. Alternatively, the processing is based on our legitimate interest according to Art. 6 para. 1 lit. f) GDPR. The legitimate interest is the proper implementation of the event and identification of the participants in order to enable an optimal range of services. A balancing of interests has taken place.

Eventbrite acts as a processor for esatus AG. As part of the reference within the terms of use, a corresponding order processing agreement has been concluded.

It cannot be ruled out that Eventbrite also processes the data for its own purposes. In this regard, reference should also be made to the linked document as well as to Eventbrite's privacy policy.

Eventbrite processes the personal data in the USA. The transfer of personal data takes place in accordance with Art. 46 para. 2 lit. c) GDPR on the basis of the applicable standard contractual clauses of the EU. Eventbrite has signed a corresponding contract and makes it available online.

In addition, Eventbrite is certified under the new Data Privacy Framework between the US and the EU.

Similarly, it should be noted that you do not have the same effective remedies available to you as within the EU. For further information, please refer to Eventbrite's privacy policy.

The data collected will not be passed on to third parties by esatus AG. esatus AG has no influence on the passing on of data by Eventbrite. In this regard, please refer to the Eventbrite data protection declaration.

The deletion of the data collected by esatus AG takes place after the completion of the respective event. esatus AG has no influence on the deletion of data processed at and by Eventbrite.

2.2.2. Initiation of employment relationships

In the context of initiating employment relationships, esatus AG generally processes all personal data that are voluntarily communicated to us by you in electronic form or by post during the application process. These data include, for example, personal data and qualification documents. Depending on the procedure used, the data may be transmitted by the data subject in unencrypted form.

A corresponding application can be made both via electronic contact (e.g. unsolicited application by e-mail) and in the context of a job fair. We would like to point out that if an application is made via LinkedIn, for example, the personal data transmitted by the applicant will be processed at this point by a third-party provider. The legal basis for this is the applicant's consent pursuant to Art. 6 (1) p. 1 lit. a) GDPR. Processing on the part of esatus AG is carried out in accordance with this section. We have no influence on the processing by LinkedIn. In this respect, please refer to section 2.2.3.
In the context of providing the application documents that are submitted to us via a dedicated form on our website, the following personal data are processed:

  • Salutation
  • First and last name
  • E-mail address
  • All personal and non-personal data transmitted to us in the free text field
  • All personal and non-personal data provided as part of the document upload. This concerns, for example, the CV and/or qualification papers and the data contained therein.

This processing is done for the purpose of performing the application process, including communication via the various channels. The legal basis for this is Art. 6 para. 1 p. 1 lit. a) and b) GDPR (consent and implementation of pre-contractual measures), Art. 88 para. 1 GDPR (data processing in the employment context) and Section 26 para. 1 BDSG (data processing for purposes of the employment relationship). 

Your data will be deleted after completion of the application process and after expiry of the statutory retention period, unless an employment relationship is established.

See section 2.2.9 for further information on this topic.

2.2.3. External presentation as well as advertising purposes in social media

esatus AG maintains the following presences in social media for the purpose of external presentation and advertising:

In the context of the use of social media, esatus AG as well as esatus Schweiz AG publish, in addition to product and technical topics, posts about employees in a professional context (e.g. participation in business events). The naming of employees is usually done by linking to the respective profile of the employee. The following types of data are processed in this context:

  • Contact data (e.g. e-mail address)
  • Content data (e.g. data in a free text field)

Such presences are maintained to communicate with the users of the respective social platform, and to communicate about the services of esatus AG and esatus Schweiz AG. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). Under certain circumstances, you may have given consent to one of the platform operators listed above to process your personal data pursuant to Art. 6 para. 1 p. 1 lit. a) GDPR.

No usage data (e.g. access to websites and content) or metadata (e.g. IP address) are processed by esatus AG. These data are only processed by the respective provider of the social network. We have no influence on the way your personal data are processed within the scope of these websites; in this respect we are not the responsible party within the meaning of Art. 4 No. 7 GDPR. The respective data protection declarations of the operators of the above-mentioned platforms shall apply.

2.2.4. Use of event photographs for advertising purposes

In the context of events, photographs are usually taken by esatus AG, esatus Schweiz AG or by a service provider commissioned by us. These images are published in accordance with the declaration of consent voluntarily signed by the event participants. esatus AG and esatus Schweiz AG use event photographs for advertising purposes on various channels, such as the website and social media. esatus AG and esatus Schweiz AG would therefore like to draw attention to the fact that, in the event of publication on the internet, personal data (including photos) can be accessed and stored worldwide. The data can thus also be found via search engines, for example. It cannot be ruled out that other persons or companies may link the data with other personal data available on the internet and thus create a personality profile, modify the data or use it for other purposes.

The legal basis for this processing operation is Article 6 (1) sentence 1 a) GDPR (consent). The data subject can revoke his consent at any time. For this purpose, we ask the data subject to send an e-mail to the following address: All data will be deleted as soon as the consent to use the photographs is revoked. esatus AG will delete the relevant photographs on all its channels accordingly.
esatus AG as well as esatus Schweiz AG have no influence on the deletion of the corresponding recordings stored by third parties.

2.2.5. Contract initiation procedures and contractual or legal obligations relating to the use of the product “SOWL”

SOWL is a so-called cloud agent, an identity management system for digital identities (credentials). As part of the use of SOWL, personal data is processed by the respective company that uses SOWL. In this context, the data processing may include both the process of issuing identities and credentials, and the identity verification via a corresponding credential.
SOWL can be operated either in-house (hosted by the customer) or by esatus AG (SaaS). esatus AG has no access to the SOWL instances that are hosted in the respective customer’s own environment. A daily license sync is performed for SOWL. The daily license sync sends relevant metadata for the respective system to esatus AG. These metadata comprise the following data (no personal reference):

  • Number of proofs
  • Number of credentials issued
  • Number of revocations
  • Number of identities
  • Number of errors
  • Number of warnings
  • License ID

For customers where SOWL is hosted by esatus AG, esatus AG can access the respective SOWL instance within the scope of support purposes after appropriate consent by the customer. All productive SOWL instances are hosted on Amazon Web Services (AWS). The AWS services used by esatus AG are provided exclusively within Germany. This involves server capacities that are operated in eu-central-1 (Frankfurt). The deletion of corresponding personal data is the responsibility of the respective customer who uses the SOWL instance.

If you use a product demo of esatus AG (e.g., a SOWL demo access), esatus AG does not process any further personal data from you, apart from technical data to ensure the functionality of SOWL. The data used to demonstrate the functionalities is test data that is in no way related to the identity of the user. All customers of esatus AG are explicitly requested not to use any real data with personal reference in the demo area. The SOWL demo environment is operated at Microsoft Azure, with server capacities being maintained at Microsoft Azure in the Germany West Central region.

2.2.6. Provision of the esatus Wallet App

The purpose of the esatus Wallet app is to enable quick authentication or release of personal, verified data that users store and manage independently on their end device.

Downloading the esatus Wallet app from the Apple App Store or the Google Play Store

When personal data is processed upon downloading the app from the Apple App Store or the Google Play Store to your mobile device, we cannot influence the way this data is processed. On the part of esatus AG, no data is processed in this context. For information on the processing of your personal data in the context of store downloads, please refer to the privacy policy of the respective provider.
The Apple App Store and the Google Play Store provide esatus AG with information on the downloads made via the customer area. This is anonymized data that is provided exclusively for statistical purposes. The information provided comprises the following data:

  • Manufacturer
  • Operating system version
  • App version
  • Device name
  • Country

The legal basis for data processing in the context of technical provision is Art. 6 (1) p. 1 lit. f) GDPR. We have no influence on the collection and processing of this data, which is carried out by the app store selected by you. In this respect, we are not the responsible party within the meaning of Art. 4 No. 7 GDPR. 
Privacy policy Google Play Store:
Privacy policy Apple App Store:

Using the esatus Wallet App

When using the esatus Wallet App, neither esatus AG nor third parties have access to personal data that users manage via the App. The exception is the explicit release of specific data by the user of the esatus Wallet App. In this case, the user can see which of his data is requested by a third party and must actively agree to this transfer.

In order for a data sharing request to be sent to you, the first step is to scan the corresponding QR code on the website with the esatus Wallet App on your device. After scanning this QR code, you will receive a connection request. In order to be able to continue using the service, it is necessary to accept the connection request. For establishing the connection, unique decentralized identifiers (DIDs), which were generated explicitly for this connection, are exchanged between you and the service provider. Once the connection has been successfully established, you start the actual proof process by scanning another QR code. During this process, you are presented with a request, similar to the connection setup. This request is sent to you via the encrypted connection which has previously been established. Only when you click “share” on the request will the data be transferred. When transferring your data, secure transport encryption (https) as well as asymmetric encryption is used, by applying the DIDComm protocol. For further information, please refer to the W3C documentation.

During this process, the respective third party (service provider) becomes the processor of the data and receives it directly at the specified service endpoint. All data that the user wants to manage via the app will be stored on his/her cell phone and will not be sent unless the user explicitly agrees. In addition, there is the option to give a permanent consent to send data to an existing and known connection. This function is deactivated after installation of the app and the user must actively select it. The legal basis for both processing procedures in this case is Art. 6 (1) p. 1 lit. a) GDPR (consent). This consent can be revoked at any time.
Furthermore, the Wallet App offers the functionality to automatically download credential images. This function is deactivated by default, but you can activate it at your discretion. The legal basis here is Art. 6 (1) sentence 1 lit. a) GDPR (consent). If this function is activated, information such as the IP and credential definition is transmitted to esatus AG.
In the case of processing or transmission of personal data relating to you by a so-called proof (proof request) from third parties, please refer to the relevant data protection statements of the third party for information on the processing of the data relating to you. esatus AG has no access to the incoming and outgoing connections of third parties and cannot view any data in this context.

Ensuring functionality of the esatus Wallet App

To maintain the functionality of the esatus Wallet App and to ensure that personal, verified data arrives at the appropriate recipient, we process technical information such as:

  • IP addresses,
  • your device ID with your push service operator (Google or Apple), or
  • your operating system used.

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). Our interest here is to be able to inform the user about activities even when the app is closed and to provide fast response times in the process flow.

Push service for message broadcasting when the app is closed

The push service is an operating system function that sends notifications to your mobile device even if you are not currently using our app. You can turn these push notifications on and off at any time in the app settings of your mobile device (Apple device). If you activate push notifications or allow the sending of push notifications when starting the app for the first time, a unique identification number of your mobile device (device ID) is communicated to the service that provides the push functionality at your operating system provider (for Android: “Firebase Messaging Cloud”, for iOS: “Apple Push Notification Service”). The consent for sending push notifications can vary depending on the provider; the process described above for consent when opening the app for the first time corresponds to Apple’s procedure. The push service returns a so-called identifier (“Push Notification Identifier”), which no longer allows any conclusions to be drawn about the device ID and thus about you as the user. Afterwards, communication with the push server always takes place via this identifier. The sole purpose of processing the identifier is to provide the Push Service. For information on the Push Service, please refer to the privacy policy of your respective operating system provider, as this is an internal operating system process.

When processing data in this context, recipients of relevant data are Microsoft Azure for hosting the Notification Hub and Google for the Push Notification Services under Android devices as well as Apple for Push Notification Services under iOS devices.

Mediation Agent

The incoming transmission required for the transport via the server provided by esatus AG (Mediation Agent) always takes place via secure transport encryption (https), as well as via asymmetric encryption using the DIDComm protocol. It can only be decrypted by recipient and sender. For more information on the DIDComm protocol, please refer to the W3C documentation. For further information on the processing of personal data by the sender of requests (third parties), please refer to the relevant privacy statements of the individual data recipient, who may be processing your personal data and is to be classified as a controller within the meaning of Art. 4 No. 7 GDPR. The Mediation Agent is operated on servers of AWS. These server capacities are maintained in the eu-central-1 (Frankfurt) region of AWS.

Using the product demo

If you use a product demo of esatus AG (e.g., the Covid Credential Demo on the website), esatus AG will not process any further personal data from you other than technical data to ensure the functionality of the app and the data already mentioned above (see 2.1 and 2.2.6). The data used to demonstrate the functionalities is test data that has nothing to do with the identity of the user. For more information on the processing of technical data to maintain security and the legal basis of this processing, please refer to the above.

2.2.7. Conducting demos of esatus SSI solutions at events

In the context of conducting demonstrations of esatus SSI solutions (SOWL and Wallet) at events, esatus AG processes personal data provided by the participants of the event via credential (proof from his Wallet). The legal basis for the processing of personal data is usually Art. 6 (1) a GDPR (consent). Data processing within SOWL and the esatus Wallet is explained in sections 2.2.5 and 2.2.6.

2.2.8. Documentation of customer and order history and related processing purposes

As part of the documentation of customer data and order history, esatus AG processes personal data that has been transmitted to us by our customers or future customers. These are, for example, without being limited to:

  • Full name
  • Salutation
  • Complete address
  • Bank data (e.g. IBAN)
  • Other information necessary for the performance of the contract.

The purpose of this processing is the proper maintaining of our business activities and traceability of business processes. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest) and Art. 6 para. 1 p. 1 lit. b) GDPR (implementation of pre-contractual measures and contract performance). For all data that you voluntarily transmit to us in this context, Art. 6 para. 1 p. 1 lit. a) GDPR (consent) is to be considered the relevant legal basis. All corresponding data will be stored by esatus AG for the duration of the fulfillment of the purpose. In addition, further processing may be necessary to meet legal obligations. When personal data are processed for the fulfillment of legal requirements (e.g. retention periods under commercial or tax law) in connection with the business activities of esatus AG, Art. 6 para. 1 sentence 1 lit. c) GDPR (legal obligation) forms the relevant legal basis. Processing is carried out until the legal obligations are fulfilled.

In addition, processing of personal data may be necessary for the assertion of legal claims. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest), our interest being the clarification and possible defense of claims. Processing will only take place within the scope of and until the conclusion of the assertion of any claims.

2.2.9. Conducting online meetings and communication

For the purpose of communicating and conducting online meetings/webinars with potential applicants and/or customers, we use Microsoft Teams.
The following personal data may be processed in doing so:

  • Full name
  • Display name
  • E-mail address
  • Phone number, if applicable
  • External appearance, if applicable
  • Meeting metadata, such as meeting ID, date, time, location
  • Audio and video data
  • Any data that you voluntarily submit to us during the meeting (e.g. submitted documents)

The user alone decides whether to activate his microphone and/or camera.

The legal basis for the processing is the user's consent pursuant to Art. 6 (1) sentence 1 lit. a) GDPR or our legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest is the implementation of the respective meeting. A consideration of interests was undertaken.
We will not pass on your data to third parties unless there is a processing procedure with a corresponding legal basis.

The processed data will be deleted after the purpose has been fulfilled, unless there is a legal obligation to retain data to the contrary.

There may be further data processing by Microsoft. We have no influence on this data processing. Please refer to Microsoft's privacy policy for more information: 
Microsoft is certified under the EU-US Data Privacy Framework:
A corresponding order processing contract exists. For further information, please refer to Microsoft's privacy policy:

3. Rights of the data subjects

All of the following rights of data subjects can be exercised informally at any time, e.g., by sending a request by e-mail to By addressing the request by e-mail or by contacting an employee, the request will be processed and carried out without delay. The rights mentioned below apply to all processing activities of esatus AG as well as esatus Schweiz AG. Insofar as Swiss data protection law is affected, additional reference is made to the corresponding section 3 of the privacy policy of the esatus Schweiz AG

3.1. Right of access by the data subject according to Art. 15 GDPR

Data subjects have the right to obtain confirmation as to whether personal data concerning them are being processed.
In addition, data subjects have the right to request, free of charge, information about the personal data concerning them and to obtain a copy thereof. In addition to the copy, the following information will be provided:

  • Purposes of processing
  • Categories of personal data
  • Recipients or categories of recipients in third countries or international organizations
  • If possible, the planned duration of the storage of the personal data and, if this is not possible, the criteria for determining the duration
  • The existence of other data subject rights, the existence of a right of appeal to a supervisory authority
  • The existence of automated decision-making, including profiling.
  • If the personal data has not been collected from the data subject, any available information about the origin of the data

In addition, if the data is transferred to a third country or an international organization, appropriate safeguards, such as the use of EU standard contractual clauses, will be communicated.

3.2. Right to rectification according to Art. 16 GDPR

Data subjects have the right to request rectification of inaccurate personal data and to request completion of incomplete data, taking into account the purposes of the processing.

3.3. Right to erasure or right to be forgotten according to Art. 17 GDPR

Data subjects have the right to request erasure of personal data concerning them, which shall be erased immediately upon request, provided that one of the following reasons applies and the processing is not necessary:

  • The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
  • The data subject revokes his or her consent to the processing and there is no other legal basis for the processing.
  • The data subject objects to the processing and there are no overriding legitimate grounds for processing, or the data subject objects to direct marketing.
  • The personal data have been processed unlawfully.
  • The erasure of the data is necessary for compliance with a legal obligation.
  • The personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

If esatus AG or esatus Schweiz AG has made personal data of the data subject public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, esatus AG or esatus Schweiz AG shall take reasonable steps, taking into account the available technology and the cost of implementation, to inform other data controllers who process the published personal data, that the data subject has requested from those other data controllers to erase all links to or copies of the personal data, unless the processing is necessary.

3.4. Right to restriction of processing according to Art. 18 GDPR

Data subjects have the right to restrict processing if one of the following conditions is met:

  • The accuracy of the personal data is contested by the data subject (for a period of time that permits verification by the controller).
  • The processing is unlawful, but the data subject objects to erasure and requests restriction of use.
  • The controller no longer needs the data for the purposes of the processing operations, but the data subject needs them to assert or exercise or defend legal claims.
  • The data subject has objected to the processing, and it is not yet clear whether the legitimate grounds of the controller or the data subject’s interests worthy of protection prevail.

3.5. Right to data portability according to Art. 20 GDPR

Data subjects have the right to data portability. This right entitles data subjects to receive their respective personal data in a structured, common, and machine-readable format. The data subject thus has the right to transfer this data to another controller or to request the transfer from the old controller to the new controller.

3.6. Right of objection according to Art. 21 GDPR

The data subject may object to the data processing based on Art. 6 (1) p. 1 lit. f) GDPR (legitimate interest). As a result, further data processing will be prohibited unless esatus AG or esatus Schweiz AG can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedom of the data subject, or the processing serves the purpose of asserting, exercising, or defending legal claims. If esatus AG or esatus Schweiz AG processes personal data for direct marketing purposes, the user may object to such processing at any time.

For the notification of an objection, we ask the data subject to send an e-mail to the following address: or to contact us by post. The postal address can be found in the contact details of the person responsible and the data protection officer.

3.7. Automated decisions in individual cases including profiling according to Art. 22 GDPR

As a conscientious company, we do not use automatic decision-making or profiling.

3.8. Right to complain to the supervisory authority pursuant to Art. 77 GDPR

If you have the impression that the processing of your data violates data protection law or that your data protection rights have been violated in any way, you can complain to the Hessian Data Protection Commissioner:

3.9. Right of withdrawal

The data subject has the right to withdraw his or her consent (Art. 6 para. 1 p. 1 lit. a) GDPR) at any time, should the processing be carried out on the basis of previously given consent. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out since the consent was given until the withdrawal.

4. Duration of storage

The duration of the storage of personal data depends on the corresponding statutory retention period and the purpose of the processing. As soon as the legal retention period expires or the purpose of the processing ceases to exist, the personal data will be deleted unless it is required for the performance or initiation of a contract. Justified deviations may arise in the context of individual processing operations, to which we will refer separately.

Data security

We take appropriate technical and organizational measures, taking into account the state of the art and in accordance with legal requirements, to ensure an adequate level of protection.

Due to the ongoing development of our website as well as our other offers, or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy.

Editing status: 01.08.2023