Data Privacy Information
This privacy statement informs you about how we treat your data. To make the processing of your data transparent, we would like to provide you with the following information to give you an overview of these processing operations. To keep things fair, we additionally want to inform you about your rights pursuant to the EU-General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
We will inform you in detail about
I. General Information
II. Data Processing on our Website
III. Data Processing Voya Services
IV. Data Processing on our Social Media
V. Further Data Processing
Voya GmbH is the controller of the data processing (hereinafter referred to as ‘we’ or ‘us’).
I. General Information
If you have any questions or feedback concerning this information or wish to contact us to exercise your rights, please send your enquiry to
Office: E/V Work Edition, Stadthausbrücke 5, 20355 Hamburg
Registered office: Chilehaus A, Fischertwiete 2, 20095 Hamburg
Tel. 040 / 2286837 – 30
2. Legal Basis
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
We process personal data in compliance with the data protection regulations, in particular the GDPR and the BDSG. We solely process data based on law. We process personal data
– solely with your consent (Art. 6 section 1 letter a) GDPR),
– to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 section 1 letter b) GDPR),
– to comply with a legal obligation (Art. 6 section 1 letter c) GDPR),
– where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 section 1 letter f) GDPR), or
– as a data processor (Art. 28 GDPR).
If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (section 26 para. 1 sentence 1 BDSG).
3. Period of Storage
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations. In particular, such statutory retention requirements may result from regulations under commercial or tax law.
4. Recipients of Data
For certain processing activities, we rely on service providers. These processing activities include, for example, hosting, maintenance and support for IT systems, customer and client management, order processing, accounting, marketing or destruction of paper files and data carriers. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.
Should your data be transferred to further recipients, you can find this information under the description of the respective processing activity.
5. Processing in the Exercise of your Rights pursuant to Art. 15 to 22 GDPR
If you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof. For the purpose of providing information and preparing such information, we will process the stored data only for this purpose as well as for purposes of data protection control and otherwise restrict processing in accordance with Art. 18 GDPR. These processing operations are based on Art. 6 section 1 letter c) GDPR in combination with Art. 15 to 22 GDPR and section 34 para. 2 BDSG.
If we process data as a processor (Art. 28 GDPR) the controller needs to be contacted to exercise these rights.
6. Your rights
As the data subject, you are entitled to exercise your rights against us. In particular, you have the following rights:
– Pursuant to Art. 15 GDPR and section 34 BDSG, you have the right of access to information confirming whether and, if so, to what extent we are processing personal data concerning you.
– Pursuant to Art. 16 GDPR, you have the right to rectification of your data.
– Pursuant to Art. 17 GDPR and section 35 BDSG, you have the right to erasure of your personal data.
– Pursuant to Art. 18 GDPR, you have the right to require us to restrict the processing of your personal data.
– Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer such data to another controller.
– Where you have granted us specific consent to a processing activity, you can withdraw such consent at any time pursuant to Art. 7 section 3 GDPR. Any such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal.
– If you are of the view that the processing of your personal data infringes GDPR provisions, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact:
DER HAMBURGISCHE BEAUFTRAGTE FÜR DATENSCHUTZ UND INFORMATIONSFREIHEIT
Ludwig-Erhard-Str 22, 7. OG, 20459 Hamburg
Tel.: 040 / 428 54 – 4040
7. Right to object
Pursuant to Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e) or letter f) GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 section 2 and section 3 GDPR.
8. Data protection officer
You can contact our data protection officer via the following address:
II. Data processing on our website
During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.
1. Processing of Server-Log-Files
When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. This processing serves the technical administration and security of the website. The data collected will be deleted after fourteen days unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason.
We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.
2. Data Transfer to the USA
Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries in which the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards exist pursuant to Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.
Unless otherwise stated below, we use the EU standard contractual clauses for the transfer of personal data to processors in third countries as appropriate safeguards.
3. Contact form and inquiries
Our website contains a contact form through which you can send us messages. The transfer of your data is encrypted (recognizable by the “https” in the address line of the browser). All data fields marked as mandatory fields are required to deal with your concern. Failure to provide them means that we will not be able to address your request. Further data is provided voluntarily. Alternatively, you can send us a message via the contact email. We process the data for the purpose of answering your request. If your request is directed at the conclusion or execution of a contract with us, Article 6 (1) letter b) GDPR becomes the legal basis for data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting requesting persons. The legal basis for data processing is then Article 6 (1) letter f) GDPR.
4. Sign up for a live Webinar
Our website contains a contact form through which you can register for our live webinar. The transfer of your data is encrypted (recognizable by the “https” in the address line of the browser). All data fields marked as mandatory fields are required to register for the webinar. Failure to provide them means that we will not be able to process your application. Further data is provided voluntarily. Alternatively, you can send us a message via the contact email. We process the data for the purpose of registering. The data provided is processed for the purpose of providing services. The processing is based on the legal basis of Article 6 (1) letter b) GDPR.
For the distribution of our newsletter we process the email address and the name of our customers. A valid e-mail address is required to subscribe to the newsletter. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (Double Opt-In). If you subscribe to the newsletter in our App, we process personal data such as your e-mail address and your name based on the consent you have given us. The legal basis for this process is Art. 6 sec. 1 letter a) GDPR. You can withdraw the consent you have given at any time with effect for the future.
Furthermore, we analyze how often our customers open the newsletter and how they read it. For this purpose, we collect and process pseudonymized usage data, which is not combined with your name or email. The legal basis for this process is art. 6 sec. 1 letter f) GDPR. The processing serves our legitimate interest to improve our newsletter. You can always object to receiving the newsletter without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates. Send your objection to email@example.com.
We use Mailchimp (The Rocket Science Group LLC d/b/a Mailchimp, USA) to manage our newsletter. For this reason, your e-mail is processed by Mailchimp. The processing is carried out on our behalf and is based on the legal basis of article 6 letter f) GDPR and serves our legitimate interest in the optimization and economic dispatch of our newsletter. If you do not want your data to be processed by Mailchimp, you should not subscribe to the newsletter or unsubscribe from it.
Mailchimp offers statistical evaluation possibilities of usage data. This includes information whether an e-mail has reached the recipient or if it has been rejected by the server.
7. Website analysis
We use Google Analytics only with IP anonymization enabled. This means that Google will truncate the IP address of users within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing is Article 6 (a) GDPR. You can revoke the storage of cookies in our Consent Management.
8. Integrated services and third-party content
We use services and content (collectively, “Content”) provided on our Website by third parties. Such integration requires the processing of your IP address so that the content can be sent to your browser. Your IP address will therefore be transmitted to the respective third-party providers. This data processing is carried out in order to safeguard our legitimate interests in the optimisation and economic operation of our website and finds its legal basis in Art. 6 Sec. 1 letter f) GDPR. You can object to this data processing at any time by changing the settings of your browser or by using certain browser extensions. Please note that this may result in functional restrictions on the website.
“Google Web Fonts” of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; “Google”) for displaying fonts.
III. Data Processing Voya Services
Within our travel management software, we process personal information as a service provider for our customers. In this case our client is the controller according to Art. 4 (7) GDPR and Voya acts as a Processor according to Art. 28 GDPR.
1. Registration User Account as an employee
In order to use our service, a personal registration is necessary. All basic information (name, email) is provided by your employer, especially in case of bulk registrations. The rest of the information is completed by the user. All mandatory fields are required for the operation of our service. This includes Gender, Birth Date and preferred language.
As a user, you have the possibility to store further information in your account. This includes information about your passport and identity card, address, payment options, travel preferences and loyalty programs.
Personal credit cards are also provided by the user. The credit card data is tokenized so real credit card data never touches our system. Sensitive data is requested from the user but not stored after authentication.
2. Voya Service
Our team processes additional personal data when making travel bookings and during customer service. We may collect and process data when:
– facilitating chat and attachments like boarding passes – the data is provided by the traveller and/or the travel manager when booking on behalf of the traveller.
– finding and booking travel options, including booking confirmations and calendar invites (when we receive a booking request, the data is processed)
– updating traveler profiles including passport information
– managing travel policies and approval processes (when the booking is not within the company guidelines, the request is then forwarded to an approver.)
– travel itineraries to organise your trip in an orderly manner
– travel expenses dashboard – users, depending on access rights configured by the company administrator, have visibility on travel expenses of a group or a company. As a user you have visibility of your own expenses.
– expense management – users, depending on the enabled features, can process their travel expenses. This includes the processing of receipts, travel details required to calculate expenses and per diems which will be provided by the users, and storage of expense data for accounting purposes.
3. Update from Voya
As a user you can receive our Voya Newsletter to get the latest news about product and business updates.
To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (Double Opt-In). If you subscribe to the newsletter, we process personal data such as your e-mail address and your name based on the consent you have given us. The legal basis for this process is Art. 6 sec. 1 letter a) GDPR. You can withdraw the consent you have given at any time with effect for the future.
If your user account is deleted, you will be automatically unsubscribed from our newsletter.
IV. Data processing on our Social Media
We operate company pages on multiple social media platforms via which we offer further opportunities to obtain information about our company and for exchange. We operate company pages on the following social media platforms:
Visiting a company page on social media can result in your personal data being processed. The information in your social media account constitutes personal data. This also encompasses messages and statements made with the account. Additionally, certain information about your visit to a company page is often collected automatically during your visit.
Data Processing during the Visit of a Social Media Page
Certain information about you is processed relating to your visit to our Facebook page on which we present our company or individual products. Meta Platforms Ireland Ltd. is the sole controller of this processing. Further information about the processing of personal data by Facebook is available via https://www.facebook.com/privacy/explanation.
Facebook provides the opportunity to object to certain processing activities; corresponding information and opt-out-methods are available via https://www.facebook.com/settings?tab=ads.
Facebook provides us with anonymised statistics and insights for our Facebook page, which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). These insights are created based on certain information about persons who have visited our page. Facebook and we are joint controllers of this processing. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f) GDPR. It is impossible to match the information obtained via insights to individual accounts which interact with our Facebook page. We have concluded an agreement with Facebook on joint controllership in which the data protection duties are allocated between Facebook and us. Details of the processing of personal data for the creation of insights and of the agreement we concluded with Facebook are available via https://www.facebook.com/legal/terms/information_about_page_insights_data. Regarding these processing activities, you may also exercise your rights (see above ‘Your Rights’) against Facebook directly. Further information is available in Facebook’s privacy statement via https://www.facebook.com/privacy/explanation.
LinkedIn Company Page
Generally, the LinkedIn Ireland Unlimited Company (Ireland/EU – ‘LinkedIn’) is the sole controller of the processing of your personal data relating to a visit to our LinkedIn page. Further information on the processing of personal data by LinkedIn is available via https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). For this purpose, LinkedIn processes, in particular, such data that you already shared with LinkedIn by adding it to your profile like, for example, position, country, field of work, seniority, company size and employment status. Further, LinkedIn collects information on how you interact with our LinkedIn company page, for example whether you follow our LinkedIn company page. LinkedIn does not share personal data with us by providing us with the insights. We only have access to a summarized version of the insights. Also, we are unable to make conclusions about individual members from the information in the insights. LinkedIn and we are joint controllers of the processing regarding the page insights. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f) GDPR. We have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via https://legal.linkedin.com/pages-joint-controller-addendum. The agreement stipulates the following:
– LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details in the data protection guidelines. You can contact the Data Protection Officer of LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.
– LinkedIn and we have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see dataprotection.ie) or any other supervisory authority.
Generally, Twitter Inc. (USA) is the sole controller of the processing of your personal data relating to your visit to our Twitter account. Further information on the processing of personal data by Twitter Inc. is available via https://twitter.com/en/privacy.
Xing and Kununu
Generally, the New Work SE (Germany/EU) is the sole controller of the processing of your personal data relating to your visit to our Xing profile. Further information on the processing of personal data by New Work SE is available via https://privacy.xing.com/en/privacy-policy.
Processing of Data you Share with us via our Company Pages
Additionally, we process information which you provide us with via the respective social media platform. Such information can include the username, contact details or a message to us. Generally, we only process this personal data if we have expressly requested you to share this data with us like, for example, in connection with a survey. We are the sole controller of such processing activities.
We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
Additionally, we might process such data shared with us for purposes of evaluation or marketing. Such processing is based on Art. 6 section 1 letter f) GDPR and serves our legitimate interest to develop our product range and inform you about our product range. Further data processing can take place if you have consented (Art. 6 section 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c) GDPR).
V. Further data processing
1. Contact via Email
If you send us a message via our contact email address, we will process the transferred data in order to process the request. We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
2. Contractual relationship
In order to establish and execute the contractual relationship with our customers, suppliers and business partners it is regularly necessary to process the master, contract and payment data provided to us. If we process personal data of our contact persons at commercial customers, suppliers and business partners in the course of this, this happens in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. In addition, we process customer and potential customer data for evaluation and marketing purposes. This processing takes place on the legal basis of Art. 6 section 1 letter f) GDPR and serves our interest in further developing our product range and informing you specifically about products by Voya. Further data processing can take place if you have consented (Art. 6 section 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c) GDPR).
When you apply for a position at our company, we process your application data exclusively for purposes related to your interest in current or future employment with us. Your application will only be processed and acknowledged by the responsible contact person. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you a position, we will retain the data you provide for up to three months for the purpose of potentially answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of presenting evidence or if you have expressly consented to longer storage. Legal basis for the data processing is section 26 para. 1 BDSG. If we keep your applicant data for a period of six months and you have expressly consented to this, we would like to point out that this consent can be freely withdrawn at any time in accordance with Art. 7 section 3 GDPR. Such a withdrawal of consent does not affect the lawfulness of the processing, which has taken place prior to the withdrawal.