The protection of your privacy and your data is very important to us. In the following, we would therefore like to inform you about the type, purpose and legal basis of the data processing carried out by us in each case. With this Privacy Policy, we are fulfilling our duty to inform you according to Articles 13 and 14 of the General Data Protection Regulation (GDPR). We hope to be able to answer your most pressing questions on the subject of data protection. However, if you have any further questions or concerns about data protection, please do not hesitate to contact us at any time.

1. Name and contact information of controller and company data protection officer

COIA GmbH (“COIA”), Agnesstrasse 14, D-80798 Munich, Germany Email: Telephone: +49 (0) 89 /452 44 22 90 Fax: +49 (0) 89 /452 44 22 99 is the controller and responsible for the COIA website.
You can reach our company’s data protection officer at

2. Processing of personal data as well as nature and purpose of their use

a) When visiting the website

When accessing our website, the browser used on your terminal device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automatic deletion:

  • IP address of the querying computer,
  • Date and time of the query,
  • Name and URL of the retrieved file,
  • Website from which the access is made (referrer URL),
  • Browser used and
  • if applicable, operating system of your computer and name of your access provider.

This information is anonymised and is used to ensure a smooth connection and a comfortable use of the website, to evaluate the system security and stability and for other administrative purposes. The IP address is also temporarily stored for security reasons in order to protect the website against cyberattacks.

The legal basis for this data processing is our overriding legitimate interest according to Article 6 para. 1 lit. f GDPR. Our legitimate interest is based on the data collection purposes listed above. We do not use data collected this way for the purpose of drawing conclusions about your person in any case.

b) Social Media Presence

a) General information

We run publicly accessible profiles on various social networks. When you visit these profiles, a variety of data processing procedures are initiated. Below, we provide you with an overview of these data processing procedures, including your personal data collected, used and stored by us when you visit our profiles. We would like to point out that you use our social media platform profiles and their functions on your own responsibility. This applies, in particular, to the use of interactive functions (e.g. commenting, sharing, rating).

When you visit our profiles, your personal data will not only be collected, used and stored by us, but also by the providers of the respective social network. The individual data processing procedures and their scope differ depending on the provider of the respective social network and they are not necessarily traceable for us. For details regarding the collection and storage of your personal data and about the type, scope and purpose of their use by the provider of the respective social network, please refer to the privacy statements of the respective provider. The data collected concerning you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular to the USA (see section 11 in this Privacy Policy for data transfer to third countries). We do not know how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long such data is stored and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or visit the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device can be used to track how you have moved around the web. Buttons embedded in websites enable the platforms to record your visits to these websites and assign them to your respective profile. Based on this data, content or advertising tailored to you can be offered. If you wish to avoid this, you should log out or deactivate the “stay logged in” function, delete the cookies on your device and restart your browser.

b) Our Social Media Profiles

In the following, we inform you about the data processing in the context of the use of our


We operate a profile on the social platform Facebook, a service of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. As the operator of a Facebook profile, we can view the information stored in your public Facebook profile, insofar as you have such a profile and are logged into it while accessing our Facebook profile. In addition, Facebook provides us with anonymous statistics on the usage of our profile that we use to improve the user experience when visiting our Facebook profile. We do not have access to the data that Facebook collects to compile these statistics. This data processing serves our legitimate interest in improving the user experience when visiting our Facebook profile in line with the target group. The legal basis for the data processing is therefore Article 6 (1) f GDPR.

In addition, Facebook uses cookies that are stored on your device when you visit our Facebook profile, even if you do not have your own Facebook profile or are not logged into it during your visit to our profile. These cookies, which also collect your IP address, allow Facebook to create user profiles based on your preferences and interests and to show you advertising (both within and outside of Facebook) tailored to these preferences and interests. Cookies remain on your terminal device until you delete them. Details on this can be found in Facebook’s privacy policy: We have no influence on the latter data processing by Facebook, have no insight into the results of the data processing and have no interest in this.

3. Links

COIA’s website can refer to third-party websites through links. If you click these links, you will leave the COIA website. COIA has no influence over what data these websites process.

4. Applications for jobs

Applicants have the option of applying to us in various ways. These also include an electronic application via email. In this, as well as in all other cases, we store the following data as far as such accrue:

  • First and last name
  • Sender address
  • Date and time of access
  • IP address
  • If applicable, their routes
  • Subject
  • Message content (cover letter, references, CV, targeted starting date, salary expectations, special features, e.g. work samples)
  • Additional attachments, if applicable

You can also apply to us by post or using other means of communication. Applying via email without encryption does not guarantee completely secure data transmission.

The legal basis for the processing of data collected in this respect is Article 6 lit. b, Article 88 para. 1 GDPR in conjunction with Sec. 26 para. 1 sentence 1 BDSG [German Federal Data Protection Act]. Your data is required for the preparation, conclusion or implementation of the intended employment and is used exclusively for these purposes.

Your data will only be stored for as long as it is necessary to carry out the stated purposes. We delete data of rejected applicants no later than one year after the rejection, unless the applicant expressly requests longer storage or earlier deletion. For this purpose, please contact us via

Your data will not be passed on to third parties in connection with your application. The data will be used exclusively for processing within the application process.

Please note that under the General Data Protection Regulation, certain data might be considered as particularly sensitive and in need of special protection. This includes e.g. data concerning health, origin or religion. We kindly ask you to not provide us with such data as a matter of principle. Should you nevertheless decide to provide such data in your application, please note that you are at the same time giving your explicit consent to the processing of your data according to Article 9 para 2 lit. a GDPR.

5. Data transfer to third parties

We do not transfer your personal data to third parties for purposes other than those listed in this Privacy Policy. We will only transfer your personal data to third parties if:

  • you have given your consent to this according to Article 6 para 1 lit. a GDPR,
  • the transfer is necessary according to Article 6 para 1 lit. f GDPR for the assertion, exercise or defence of legal claims or another legitimate interest mentioned in this Privacy Policy and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer according to Article 6 para 1 lit. c GDPR,
  • as well as if a transfer is necessary in the context of contractual relationships with you according to Article 6 para 1 lit. b.

6. Your rights

The GDPR grants you certain rights vis-à-vis the controller (here: COIA) for the protection of your personal data. We would like to inform you about these rights in the following.

You have the right:

  • according to Article 15 GDPR to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data processed, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details;
  • according to Article 16 GDPR to demand the immediate correction of incorrect personal data or the completion of your personal data stored by us;
  • according to Article 17 GDPR to request the deletion of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims. If deletion is not possible for these reasons, your data will be blocked to the extent that it can only be used for the purpose that precludes deletion;
  • to demand the restriction of the processing of your personal data according to Article 18 GDPR, insofar as the correctness of the data is disputed by you, the processing is unlawful, but you object to its deletion and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing according to Article 21 GDPR;
  • according to Article 20 GDPR to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller;
  • to revoke your consent at any time according to Article 7 para 3 GDPR. Such a revocation has the consequence that we will no longer continue the data processing, which was based on this consent, for the future, insofar as no other legal basis exists.
  • to complain to a supervisory authority according to Article 77 GDPR. As a rule, you can contact the supervisory authority of your place of residence or workplace or our registered office;
  • if your personal data is processed on the basis of our overriding legitimate interests according to Article 6 para 1 lit. f to object to the processing of your personal data according to Article 21 GDPR, provided that there are grounds for doing so which arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right of objection, which is implemented by us in any case.

In addition to contacting us via email, you may also contact us by any other means using the contact details provided under the heading “Controller” (e.g. by telephone, fax or letter) in order to exercise all of your listed rights.

7. Data security

COIA also uses appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. The security measures are continuously reviewed and improved in line with technological developments.

8. Use of external fonts

On our website we use a font from Google Fonts (“Open Sans”) by Google, a service of the provider Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). Due to the licensing terms of Google, Open Sans transfers the user’s IP address to the Google servers in the USA (for data transfer to third countries, see point 10 of this Privacy Policy). Google thereby analyses the use of its fonts for its own statistical purposes and provides information about this on its websites. We have no influence on this processing. As far as we benefit from these statistical outcomes, such as the general improvement of Open Sans for the use on websites, the legal basis for this data processing is our overriding legitimate interest in a functioning website according to Article 6 para 1 lit. f GDPR. You can find more detailed information on data protection at Google here:

9. Use of Zoom

We use the online tool “Zoom”, a service of Zoom Video Communications Inc, 55 Almaden Boulevard, 6th Floor San Jose CA 95113 / USA for video calls, webinars and other digital face-to-face communication. The following privacy notice applies in the event that we send you a Zoom link to participate in an online meeting or make it available on our website. In this case, Zoom is a processor within the meaning of Article 28 GDPR, and we have concluded a processor agreement with Zoom for this purpose.

After clicking on a Zoom link sent or provided by us, Zoom needs and requires your first and last name and, if applicable, the entry of the password sent by us for your admission to a meeting. We need your email address to send you the Zoom link. This will also be sent to Zoom. In addition to that, your IP address (which may also be used to determine your location) and device information will be transmitted to us and Zoom when the meeting begins. The same applies to the topic of the meeting and the description stored, if applicable. Further data, such as your job title or calendar integration is only transmitted if you enter it.

When you dial in via your phone / smartphone, Zoom receives your phone number, information about your location and the start and end time of the call. We also receive this information when you dial in from your phone.
As a matter of principle, we do not record meetings. If we do make a recording, we will inform you separately about the data collected in the process and obtain your consent.

Depending on which Zoom features you use during the meeting, data from your camera, microphone, location and text messages you leave (e.g. as part of the chat features), information about Zoom’s product and website usage (e.g. number of times you attend meetings) may be collected and transmitted to us and/or Zoom.

Some of your data, especially your name and possibly your phone number, may be visible to other meeting participants, depending on the Zoom setting.
If you have a Zoom account, the data collection may be more extensive than described above.

You can find more detailed information on data protection at Zoom at:

The legal basis for data processing through Zoom is our overriding legitimate interest in the functioning of online meetings according to Article 6 para 1 lit. f GDPR. If the meetings are held in connection with a contractual relation, such as a parties’ agreement with COIA, the legal basis for the data processing is the necessity for the execution of the contract according to Article 6 para. 1 lit. b GDPR.

We are not responsible for further data processing by Zoom, on which we have no influence.

To ensure the protection of your data and in awareness of the fact that Zoom is a US provider, we have agreed to EU Standard Contractual Clauses with Zoom that ensure an adequate level of protection. We have also configured Zoom settings to store data only on European servers or servers in a secure third country (e.g. Canada or Japan). For general information on data transfer to third countries, please refer to section 11 of this Privacy Policy.

10. Data transfer to third countries

The use of external services may result in the transfer of data to third countries outside the European Union. Insofar as a lower level of data protection exists in these countries than in the European Union and insofar as no adequacy decision issued by the Commission of the European Union exists for these countries according to Article 45 GDPR, we act with internal agreements and regulations to ensure an adequate level of protection for your data. To achieve this goal, we also make use of Standard Contractual Clauses of the European Union. To the extent that these measures are not possible or sufficient, we would like to point out that the transfer of your data to third countries is based on your consent according to Article 49 of the GDPR and may also be necessary for the performance of a contract according to Article 49 GDPR. However, we would like to point out at the same time that in these cases (transfer of data to third countries) there is a possibility that the protection of your data is not guaranteed to the same extent as within the European Union. In the USA in particular, security authorities have easier access to personal data. In such cases, you will not be able to assert your above-mentioned data subject rights with the same effectiveness as within the European Union.

11. Storage period

In principle, we only store your data for as long as it is required to fulfil the underlying purpose in each case. In addition, we store data within the legally permitted and required periods, which generally end three years after the end of the year in which you entered into contractual contact with us. In certain cases, however, statutory storage periods of 10 or 30 years may also apply.

12. Changes

This Privacy Policy is currently valid and was last modified in June 2022.

Due to the further development of our website or due to changed legal or official requirements, it may become necessary to change this Privacy Policy. The current Privacy Policy can be accessed and printed out by you at any time on the website at