Privacy policy for our social media channels (September 2025)

We use our social media profiles to get in touch with interested parties, customers and applicants, to respond to enquiries and to provide information about our services and current topics relating to our company. The associated data processing is carried out on the basis of Art. 6(1)(f) GDPR, as we have a legitimate interest in responding to enquiries and effectively presenting our company to the outside world.

Information about the collection of personal data

Below, we provide information about the collection of personal data when using our social media sites.

The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is

EXCO GmbH 
Adam-Opel-Straße 9-11
67227 Frankenthal
Germany
Email: info@exco-group.com
Website: www.exco-solutions.com

Contact details of the data protection officer EXCO GmbH

c/o Data Protection Officer
EXCO GmbH
Adam-Opel-Straße 9-11
67227 Frankenthal
Germany

Email: datenschutz@exco-group.com

This privacy policy applies to the following social media sites of EXCO GmbH:
https://www.linkedin.com/company/exco-gmbh/posts/?feedView=all

https://www.facebook.com/EXCO.TheQualityCompany

https://www.instagram.com/excogmbh/

https://www.kununu.com/de/exco

https://www.youtube.com/@excogroup2086

https://www.xing.com/pages/excogmbh

Your rights

You can exercise the following rights at any time using the contact details provided:

Information about what personal data we have stored about you and how we process it (Art. 15 GDPR),
Correction of incorrect or incomplete personal data (Art. 16 GDPR),
Deletion of your personal data stored by us (Art. 17 GDPR),
Restriction of processing if we are not yet permitted to delete your data due to legal obligations (Art. 18 GDPR),
Objection to the processing of your data (Art. 21 GDPR) and
Data portability, provided that the processing is based on your consent or a contract (Art. 20 GDPR).

If you have given us your consent, you can revoke it at any time with effect for the future. Please note that consent for social media appearances is given to the respective operator of the social network and must also be revoked there.

In addition, you have the right to lodge a complaint with a supervisory authority – for example, the data protection authority in your place of residence or the supervisory authority responsible for us.

An overview of the competent supervisory authorities (for the non-public sector) can be found here: www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

Data processing by social networks

Social networks such as LinkedIn, Facebook, etc. can usually analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media sites triggers numerous data processing operations that are relevant to data protection. Specifically:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you both within and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed on all devices on which you are or were logged in.

Bitte beachten Sie außerdem, dass wir nicht alle Verarbeitungsprozesse auf den Social-Media-Portalen nachvollziehen können. Je nach Anbieter können daher ggf. weitere Please also note that we cannot track all processing operations on social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.

Lotteries and promotions on social media

If you participate in one of our lotteries on social media, we process your personal data (e.g. name, email address or social media profile) in order to conduct the lottery, determine the winner(s) and notify them. The processing is based on your consent in accordance with Art. 6 (1) (a) GDPR. Your data will only be stored for as long as is necessary to run the competition and will then be deleted, provided there is no legal obligation to retain it. Further information can be found in the respective terms and conditions of the lottery.

Legal basis

Our social media presence is intended to ensure the most comprehensive presence possible on the internet. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR. The analysis processes initiated by social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6(1)(a) GDPR).

Responsible party and assertion of rights

When you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that, despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage perios

The data collected directly by us via our social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them yourself. Mandatory legal provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of social networks for their own purposes after you have given your consent. Further information on data processing and storage periods can be found in the privacy policies of the respective platforms – the corresponding links can be found below for the individual social media platforms.

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Responsibility

As the operator of our LinkedIn company profile, we are jointly responsible with LinkedIn for the processing of the personal data of profile visitors (in accordance with Art. 26 GDPR). For this purpose, we have entered into a joint responsibility agreement with LinkedIn, which clearly defines the respective data protection responsibilities. More details can be found here: https://legal.linkedin.com/pages-joint-controller-addendum

Legal basis

Your personal data is processed in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest. This interest lies exclusively in marketing purposes, in particular in better reaching our target groups, increasing our visibility, maintaining our image and providing information about our company. When you use LinkedIn, it processes personal data, including your IP address, account data and information about the devices you use. Cookies are also used – these are small data files that are stored on your device. For details on how they handle your personal data, please refer to LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy

How exactly LinkedIn uses the data for its own purposes, how long it is stored, whether it is personally assigned to individual users or whether the data is passed on to third parties – none of this is transparently comprehensible to us as site operators.

Recipients of the data

The recipient of the data collected within the framework of the platform is LinkedIn. It cannot be ruled out that when you visit our profile, data may also be processed on servers in third countries, e.g. in the USA.

Data transfer to third countries

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that aims to ensure compliance with European data protection standards when data is processed in the US. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5448

According to LinkedIn's privacy policy, personal data may be transferred to the United States or other third countries. LinkedIn states that it only transfers data to countries for which an adequacy decision has been made by the EU in accordance with Art. 45 GDPR or in which appropriate safeguards exist in accordance with Art. 46 GDPR.

Storage period

LinkedIn generally stores your personal data for as long as you maintain an active account. According to LinkedIn, certain information, such as employer reviews, may also be stored in anonymised form beyond this period.

Data provision

The provision of your personal data is not required by law or contract. However, without this information, interaction with our LinkedIn profile (e.g. through comments, likes or messages) is not possible.

Facebook

We have a profile on Facebook. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta).

Please note that you use our Facebook page and its functions at your own risk. This applies in particular to interactive functions such as commenting, sharing or liking content.

Legal basis

Your data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in external representation and public relations, in particular in increasing our visibility, addressing target groups, image cultivation, user information and employer branding. When you use Facebook, it processes personal data, including your IP address, account data, and information about the devices you use. Cookies are also used – these are small data files that are stored on your device. Further information on data processing by Facebook and your rights as a data subject can be found here: https://www.facebook.com/privacy/policy/

How exactly Facebook uses the data for its own purposes, how long it is stored, whether it is personally assigned to individual users or whether the data is passed on to third parties – none of this is transparently traceable for us as the website operator.

Recipient of the data

Empfänger der Daten ist Meta Platforms Ireland Limited, die für den europäischen Raum zuständig ist. Da die Konzernmutter Meta Platforms Inc. in den USA ansässig ist, kann es zu einer Datenübertragung in die USA kommen.

Data transfer to third countries

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452

Storage period

Facebook does not disclose in full how long and to what extent it stores your data, whether data is passed on to third parties or to what extent personal data is assigned. According to Facebook, your IP address is anonymised after 90 days.

Obligation to provide data

The provision of personal data is neither required by law nor contractually stipulated. However, without this data, it is not possible to interact with our content on Facebook.

Instagram

We have a profile on Instagram. This service is provided by Meta Platforms Ireland Limited (4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland).

Legal basis

When you visit our Instagram company page, Instagram processes, among other things, your IP address and information stored on your device via cookies. Among other things, this data is used to provide us, as the page operator, with statistical evaluations of the use of our Instagram page. Instagram explains what specific information it collects and how it is used in its general data policy: https://privacycenter.instagram.com/policy/

How exactly Instagram uses the data for its own purposes, how long it is stored, whether it is personally assigned to individual users or whether the data is passed on to third parties – none of this is transparently traceable for us as the site operator.

Recipient of the data

The recipient of the data is Meta Platforms Ireland Limited, which is responsible for the European region. As the parent company Meta Platforms Inc. is based in the USA, data may be transferred to the USA.

Data transfer to third countries

Storage period

When you visit our Instagram page, your IP address is transmitted to Instagram. According to Instagram, this is anonymised and deleted after 90 days.

Obligation to provide data

The provision of personal data is neither required by law nor contractually stipulated. However, without this data, it is not possible to interact with our content on Instagram.

Kununu

We operate a company profile on Kununu. This platform is provided by Kununu, a service of New Work SE, based at Am Strandkai 1, 20354 Hamburg, Germany.

Legal basis

Your personal data is processed on the basis of Art. 6 (1) (f) GDPR – due to our legitimate interest. This consists exclusively of marketing purposes, such as improving accessibility to our target groups, increasing our visibility, establishing and maintaining our corporate image, informing users and in the area of employer branding (employer attractiveness).

As soon as you visit our Kununu profile or interact with content on the site, Kununu processes personal data. We have no influence on what data is collected or processed by Kununu and to what extent.

The use of the Kununu profile and its functions is at your own risk. This applies in particular to interactive functions such as following, rating or commenting. All content you voluntarily enter, as well as posts you view or share, may be evaluated by Kununu. Further details can be found here: https://privacy.xing.com/de/datenschutzerklaerung/druckversion

Responsibility

As the operator of our Kununu company profile, we are responsible, together with Kununu, for the processing of the personal data of profile visitors (in accordance with Art. 26 GDPR). Further details can be found here: https://www.xing.com/terms/employer-branding-profil

Recipient of the data

The recipient of the data is New Work SE, based at Am Strandkai 1, 20354 Hamburg.

Datenübermittlung in Drittstaaten

According to its own information, Kununu also transfers personal data to countries outside the EU (third countries). Kununu states that it only transfers data to countries for which an adequacy decision has been made by the EU in accordance with Art. 45 GDPR or in which appropriate safeguards exist in accordance with Art. 46 GDPR.

Storage period

Your personal data will be stored by Kununu for as long as your account is active. Certain data may continue to be stored even after you close your account, but only in anonymised form so that no conclusions can be drawn about your identity.

Provision of your personal data

The provision of your personal data is neither legally nor contractually mandatory. However, without providing the relevant information, active interaction with our Kununu profile is not possible, for example through reviews or comments.

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Legal Basis

Your personal data is processed on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. This lies in particular in improving our visibility on the internet, targeting users, increasing our level of awareness, exchanging information with interested parties and building our corporate image (employer branding and marketing).

When you visit YouTube, a connection to Google servers is established. Personal data such as your IP address may be transmitted in the process.

If you are logged into your Google/YouTube account, your usage behaviour can be directly assigned to you. Without logging in, less data is stored, but device-related data (e.g. via a unique identifier) is still stored.

For details on how they handle your personal data, please refer to YouTube's privacy policy: https://policies.google.com/privacy?hl=de.

Data transfer to third countries

As Google's headquarters are located in the United States, data processing outside the European Union is possible. To safeguard such transfers, Google uses the European Commission's standard contractual clauses in accordance with Art. 46 GDPR to ensure an adequate level of data protection.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that aims to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780

Storage period

YouTube generally stores your personal data for as long as your Google or YouTube account is active. Even after you delete your account, Google may continue to store certain information, but only in anonymised or aggregated form that does not allow any conclusions to be drawn about your identity.

Provision of your data

The provision of your personal data is neither legally nor contractually mandatory. Without the processing of certain data, active use of or interaction with our YouTube channel (e.g. commenting, liking or sharing) is not possible.

XING

We have a profile on XING. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

Legal basis

Your personal data is processed on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR. This interest lies in particular in improving our visibility on the internet, targeting users, increasing our profile, exchanging information with interested parties and building our corporate image (employer branding and marketing). For details on how they handle your personal data, please refer to XING's privacy policy: https://privacy.xing.com/de/datenschutzerklaerung/druckversion

Data transfer to third countries

According to its own information, XING also transfers personal data to countries outside the EU (third countries). XING states that it only transfers data to countries for which an adequacy decision has been made by the EU in accordance with Art. 45 GDPR or in which appropriate safeguards exist in accordance with Art. 46 GDPR.

Storage period

Your personal data will be stored by XING for as long as your account is active. After your account has been deleted, your data will be completely deleted, subject to statutory retention obligations.

Provision of your data

Fragen zum Datenschutz

If you have any questions about data protection, please send us an email at: info@exco-group.com