General Information

Our information on data protection explains the handling of personal data that (may) result from visiting this website. At the same time, we also use this information to provide general information about the processing of personal data in our company. Please note that this general data protection information cannot, of course, cover every individual case in practice. If other, additional data processing takes place in such situations, we will provide you with additional information in the specific individual case. Your rights explained here will of course still apply without restriction.

The topic of data protection has now reached a certain level of complexity and can no longer be explained in a few words. We have therefore structured our site as follows:

  • Name and address of the person responsible
  • Your rights
  • Types of processing / legal basis
  • Recipients of your data
  • Visiting our website
  • Handling of data of our customers, interested parties, suppliers, authorities and associations
  • Applicants for employment
  • Changes to our data protection information

Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the EU member states as well as other data protection regulations is

Infranaut IT-Services GmbH
Berliner Allee 65
DE 64295 Darmstadt

+49 6151 460 90 17

represented by its managing director
Frank Turgetto (

We have appointed an (external) Data Protection Officer

esquilin GmbH
Joerg Weiß
Max-Beckmann-Weg 65
65428 Rüsselsheim am Main

You can reach our data protection officer via our contact details of Infranaut IT-Services GmbH mentioned above or by e-mail:

Your Rights

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure ("right to be forgotten") under Art. 17 GDPR, the right to restriction of processing (blocking) under Art. 18 GDPR, the right to object under Art. 21 GDPR and the right to data portability under Art. 20 GDPR if you have consented to data processing or have concluded a contract with us. The restrictions under Sections 34 and 35 BDSG (German Federal Data Protection Act) apply to the right to information and the right to erasure. Finally, you have the right to file a complaint with the supervisory authority in accordance with Art. 77 GDPR in conjunction with Section 19 BDSG.

If you have given us your consent to specific processing of your personal data, you can withdraw this consent at any time for the future. Whenever we process your data on the basis of a legitimate interest or a balancing of interests, you can object to such processing at any time for the future.

Difference between Withdrawal and Objection

The revocation is to be stated if processing is based on consent. This is always the case if you were expressly asked to give your consent before the data was collected (in particular by signing or clicking in the checkbox).

An objection is indicated if data processing is carried out on the basis of a balancing of interests. In this case, you do not have to sign anything and usually do not have to give your consent. However, the GDPR obliges every 'data processor' to inform the data subjects about the processing and to state the legal basis; this should enable you to know whether you can formally object to the data processing. We also use this data protection notice in particular to inform you about the processing activities that we carry out on the basis of a balancing of interests.

Do I really need to know the difference between revocation and objection? No.

If you are not comfortable with any data processing, please simply contact us at the above addresses. We will then explain to you whether the processing can be stopped or at least restricted - you do not need to mention the word revocation or objection.

If it is not possible to stop the processing because otherwise, for example, tax laws would be violated or a concluded contract can no longer be fulfilled, the controller will explain this to you. If the processing is based on a legitimate interest, the controller will ask you for a reason why the processing should be stopped. The controller will then carefully weigh your interests against his own and inform you of the result.

If we contact you for marketing reasons and you do not wish us to do so, a simple and clear indication is sufficient for a stop; no justification is then required.

If, despite all explanations or due to our behavior, you have the impression that you are being denied your rights, then a complaint to a data protection supervisory authority is a logical next step. The GDPR gives you the right to contact these authorities at any time.

Applicable supervisory authority

The responsible supervisory authority for us is

The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
P.O. Box 3163
DE 65021 Wiesbaden
Phone: +49-611-1408-0

Types of Processing / Legal Basis

According to the requirements of the GDPR, all processing activities must be assigned to a legal basis from the catalog in Art. 6 (1) GDPR. We will cite the exact legal basis here once if you wish to read it in detail. Otherwise, we only refer to the common term 'legal basis' in italics and underlined in our data protection information without always mentioning the exact reference in the law.

The GDPR offers a total of six variants or legal bases, of which only four are relevant to us:

  • Processing of data on the basis of consent; Art. 6 (1) a.
  • Necessary processing for the preparation or performance of a contract; Art. 6 (1) b.
  • Processing necessary to comply with a mandatory law or regulation; Art. 6 (1) c.
  • Processing necessary for the purposes of the legitimate interests pursued; Art. 6 (1) f; also referred to as balancing of interests.


Recipients of your Data

Third Parties

If we pass on your data to third parties, we will explain this in the context of the respective processing or in the following here in the data protection information in each case and tell you the reason / purpose, the recipient and the legal basis for the transfer. If data is transferred to third parties, these third parties are then responsible as the data controller for the processing that takes place there.


Processors are service providers who assist us with data processing on our behalf. Such processors may not process the data for their own purposes, i.e. only and exclusively in accordance with our instructions. Processors may not evaluate the data on their own authority or even transfer it to third parties without our instructions. Processors are closely bound to us by contracts, are carefully selected and monitored by us accordingly. As we retain sovereignty over your data in the case of processors, we remain the controller in accordance with the rules of the GDPR and therefore also your point of contact. For this reason, we do not publish a complete list of processors here.

Visiting our website

General remarks

When you access our website, some technical data is always automatically collected and processed - otherwise our web server would not be able to present you with a page on your smartphone or PC. This information includes, for example, the type of web browser, the operating system used, the domain name of your internet service provider and your IP address (your personal address on the internet, so to speak). This means that all this information is personally identifiable (related to you). However, this data processing is necessary because without the IP address, the web server would not know where to deliver the requested website.

In addition to the actual page load, the data from the page request is also processed for the following purposes and is needed for this:

  • Ensuring a smooth connection setup of the website,
  • Ensuring the trouble-free use of our website,
  • evaluation of system security and stability, and
  • to optimize our website.

Important: We do not use your data from the page view to draw conclusions about your person. We do not have a cookie banner because we do not use cookies.
All of the processing activities mentioned above are based on our legitimate interest in operating the website securely and efficiently.

The IP addresses and thus the personal reference of the above data are anonymized or deleted after seven days at the latest, unless they are the subject of the investigation of misuse.

Access to administrative Accounts, Protection against Misuse

Unauthorized attempts to log in to our administrative accesses are not logged anonymously. We store and process data from such and other fraudulent attempts in order to prevent a possible attack, for example by blocking access, or to assist law enforcement authorities in investigating the matter, as hacking websites is illegal (even attempts to do so).
We generally store such log files for at least four months, as cyber-attacks are often long-term in nature. We base the maximum storage period on the requirements that the BDSG (national Federal Data Protection Act) prescribes for operators of state-run web servers in Germany (the BDSG and the GDPR do not provide any specific requirements for private web servers). Section 76 (4) BDSG: "The log data shall be deleted at the end of the year following its generation."

All of the aforementioned processing activities are carried out on the basis of a balancing of interests, i.e. the legitimate interest in operating a secure website and in the legal prosecution of persons who wish to harm our customers or us.

Contact form

We occasionally activate a contact form on our website. If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be forwarded to our employees by e-mail and stored for the purpose of answering / processing. In addition, the data is created as with every visit to a website, as we have already explained above.
In principle, sending e-mails always involves the risk of third parties gaining knowledge of the communication (confidentiality), the message being falsified (integrity) or the message being delivered with a delay or lost completely (availability) due to faults in an integrated technical component. The contact form is therefore not suitable or recommended for time-critical, binding and/or confidential messages. For such matters, we recommend direct contact or a phone call.
The presentation of the legal basis for data processing and explanation of the storage periods required by the GDPR is somewhat complicated with a contact form. To keep it brief: We want to make it as easy as possible for interested parties to contact us and are certainly pursuing a legitimate interest for both sides. The form of processing described is necessary for this. If the communication via the contact form leads to the conclusion of a contract with you as a person, we must refer to the legal basis of contract - a small but important distinction, as this results in fundamentally different storage and deletion rules.

The details on processing the data of interested parties and contractual partners apply regardless of the form of communication; we therefore present this in detail in a separate section below.

Handling Data of our Customers, Interested Parties, Suppliers, Authorities and Associations

An Overview in Brief

We process data because we have to or because we want to. A compulsion arises if contracts or laws cannot be fulfilled without the processing. In all other cases, processing takes place because it is necessary to fulfill legitimate interests. As a rule, Infranaut IT-Services GmbH does not process data on the basis of consent. Should we deviate from this principle, we will explain this in the specific individual case.

Legal and Contractual Necessity

The services of Infranaut IT-Services GmbH are aimed exclusively at commercial customers. Business correspondence is subject to a retention obligation due to tax and commercial law regulations. This retention obligation is based in particular on § 257 HGB, § 147 AO and § 14b UstG and is set at six or ten years. It begins at the end of the year in which the transaction was completed or a contract was fulfilled, the content of which was shaped by the message (i.e. the message was effectively part of the contract). Deletion takes place at the end of the retention period. The storage of data during the statutory retention period and the necessary disclosure to authorities (e.g. tax office auditors) is therefore carried out in order to comply with the law.
Without listing any other laws that apply to us here, we will always transfer data to third parties (in particular government agencies) if compliance with mandatory laws is not otherwise possible.

In addition to the fulfillment of legal requirements, we will also transfer data in our care to third parties if this is necessary for the fulfillment / execution of contracts. If, in this case, the personal data of a contractual partner is directly affected, the transfer takes place to fulfill contractual obligations. If you contact us as a representative of a company, we will process your personal data to the extent necessary to fulfill the contract with your company. Under data protection law, however, this processing of your data is not based on the contract, as this would require a contract directly with you as the data subject. This may sound confusing, but it is not something that you as the data subject need to worry about; it is a data protection nuance that we will explain for the purpose of good order. The legal basis for such processing of contact persons' data, which is common in the B2B context, is the legitimate interest in working smoothly with other companies - as we explain further in the following paragraph.

Legitimate Interests


We want to fulfill contracts as good / efficient as possible. We therefore make a note of the names of contact persons, for example, or take notes of conversations during the initiation or execution of a contract. This data processing is in the (legitimate / justified) interest of all parties involved; surely no one wants to start from the beginning again and again when continuing conversations, even if the contact person changes internally.
This means that we are already processing personal data beyond the legal basis of contract fulfillment or legal requirements. This differentiation is important because it results in different storage rules and data subject rights.

We must process the name of a contractual partner and store it within the scope of the retention obligation. We may store the names and circumstances of our contact persons if this is necessary for legitimate purposes and does not outweigh the rights of the data subjects that require protection. The processing (collection, use, storage) is then formally carried out on the basis of legitimate interest. As explained above, you can object to this processing.

Other specific Processing Purposes

In addition to the more efficient conduct of discussions and negotiations or contract execution, the processing of data on contact persons also takes place in order to proactively approach interested companies, suppliers or existing and former customers for a new or extended partnership. In the case of existing customers, we also process data on our contacts as part of the collection and handling of feedback and criticism as part of quality management. In the case of our suppliers, the purpose for processing personal data is also the efficient control (audits) from our information security management.

In the event of legal disputes, we also use the data to assert, exercise or defend legal claims. Irrespective of this, in individual cases we involve experts for legal and tax issues in the assessment or processing of contracts, invoices, etc. If you wish to contact our (external) data protection officer, we will also pass on your data to him or her. These third parties are regularly bound to confidentiality due to their professional position and/or by specific contracts. In addition, they do not receive data processed on behalf of our customers, but only the (necessary) information that results directly from the specific process, contracts and invoices etc. (in particular contact details of contact persons named there and information about the process).

All of the above processing activities are carried out in the legitimate or justified interest of fulfilling a contract. We therefore pursue legitimate interests on our part, but in many cases also in the interests of our customers and their employees.

The processing of personal data from contacts with authorities and associations is also based on a balancing of interests. Here, too, we record contact persons and the content of discussions in order to make the processing of transactions or technical contacts (e.g. with regulatory authorities) more efficient.

Data origin

Information on individuals at interested parties, customers, suppliers, authorities or associations regularly comes from direct contact or related documents (general correspondence, tender or contract documents; advertising letters from potential suppliers). Data from interested parties also comes from our contact form on our website (if active) or from e-mails or letters sent to us. If we take the initial sales initiative ourselves, we also take the contact data from publicly accessible sources (e.g. websites) or simply ask directly in the company for a suitable contact person for us.

Storage period and deletion

As mentioned above, the storage and erasure period depends largely on the legal basis of the processing. If the data is stored because this is required by commercial or tax laws, for example, we have no room for maneuver and consistently follow the legal requirements: In the case of tax-relevant data, this is ten years starting from the end of the year in which the transaction was completed. This period may be extended due to ongoing tax audits or requirements by the authorities.

In the case of data that we process on the basis of legitimate interest, the law does not give us any fixed requirements. Here we have to define a pragmatic solution that is appropriate to the given circumstances ourselves. At this point, 'appropriate' means that we again include the legitimate interests of the data subjects in the consideration. For us, 'pragmatic' here means that we want to delete with easy-to-handle, flat-rate deadlines wherever possible. If we were to carry out time-consuming (case-by-case) checks before our deletion runs, this would mean having to deal with the personal data again - and that would be the opposite of the data-saving processing required by the GDPR.

We are therefore generally guided by the general legal limitation period. After this three-year period has expired, the processing purpose "storage and use of data for the establishment, exercise or defense of legal claims" is no longer applicable. This period therefore also applies to data from sales activities that have not resulted in a contract. Such inactive contacts are deleted or blocked after three years. We consider a contact to be inactive if there has been no further communication between the two parties during the three-year period. A block is indicated if we are not yet allowed to delete the data due to other retention obligations, but no longer wish to use it for sales purposes.

Specific example: A contract has been fulfilled and terminated. There has been no follow-up contract to date. In any case, the tax-relevant data must be stored for the 10 years described (1st purpose). However, we take the liberty of contacting former customers in the follow-up period (max. three years) for possible follow-up business. For this purpose, we use the contact information from the previous business relationship (2nd purpose). If we are successful, deletion is not necessary (processing required for follow-up business). If the follow-up business is not successful, the use of this data for the second purpose will stop after three years at the latest; the data will then no longer be accessible for sales and will only be used for the first purpose (guaranteeing the tax retention obligation). If this purpose also ends, the data will be deleted/destroyed.

Bewerber für eine Mitarbeit

Applicants for a Job

When sending application documents, we offer to set a password to encrypt the documents.

The application documents are stored in an area to which only the employees dealing with applications have access, in addition to technical administrators who are under a special obligation to maintain confidentiality.

Storage Period

During the Application Process

An application can only be processed in a fair and structured manner if the decision-makers have access to the necessary information. The information is ultimately stored with the aim of concluding an employment contract.

An Employment Relationship is Established

The documents provided become part of the personnel file; we provide information on the scope, purpose and legal basis of further processing as well as on the possible transfer of data to third parties in connection with the conclusion of the employment contract.

No Employment Relationship is Established

As we occasionally receive inquiries following applications as to why a rejection was made, the information is not deleted immediately after the application process has been completed; otherwise we would not be able to respond to the inquiries. Furthermore, it is not possible to make factual statements against the background of the General Equal Treatment Act (AGG) without retaining the documents from the application process. By being able to provide information, we are pursuing our own legitimate interests and, where applicable, the interests of the person concerned (applicant).

As there is no time limit for responding to inquiries, we delete the application as soon as the legal deadlines justify this: six months after completion of the application process.

Which data is affected?

All data that is the subject of the application and arises from the communication and is necessary (in particular interview content, emails) is affected by the storage.

We encourage all applicants to only provide us with information in the course of the application that is necessary for an objective selection. These are professionally relevant qualifications and experience. Information on ideological beliefs or religious affiliation may play a role in the course of payroll accounting (church tax), but is not relevant to the application. Information on political positions or the (non-)existence of a trade union affiliation may also not be the subject of a recruitment decision - and should therefore not be included in an application.

Convince us with a professional application in which only the personal information that is or may be relevant for a hiring decision is disclosed.

No Disclosure of Data to Third Parties

As a normal rule, information from application procedures is not passed on to third parties. If, in the course of an application, the expected individual net remuneration of the applicant is to be calculated, we pass on the relevant / necessary data to a specialized service (e.g. tax consultant). This is done in the (legitimate) interest of being able to provide the most accurate information possible.

Changes to our Privacy Information

We reserve the right to amend this privacy policy so that it complies with any changing legal requirements or to implement changes to our services in the privacy notice, e.g. when introducing new services. You can find the current privacy notices here on our website.

As of: 2023-06-13