Privacy

Be Privacy

Global Privacy Notice
Last modified on March 8, 2024

Welcome to Roland Berger's Global Privacy Notice ("Privacy Notice") Protecting your Personal Data and complying with the General Data Protection Regulation (GDPR) and other relevant data protection legislation are matters that we take very seriously. This Privacy Notice is intended to give you an overview of how we ensure this protection and compliance, what kinds of data we collect and why, and how we deal with it.

We refer to GDPR, when describing the processing of personal data, but because we operate globally, other relevant data protection legislation can apply. When reading the Privacy Notice, please note that the reference to the GDPR only applies when it is applicable.

By "Personal Data" we mean, in accordance with the GDPR, any information relating to an identified or identifiable individual. This is broader than just information of a personal or private nature and also includes information such as your name, date of birth, and email address.

1. Who is responsible and how to contact us?

In this notice “Roland Berger”, “we”, “us” or “our” refers to one or more of the Roland Berger Group Companies, most of which are a separate legal entity. The Roland Berger entity with which you have concluded a contract or are in the process of negotiating a contract and/or whose premises you visit and/or who is in contact with you in the context of public relations work is the data controller under the GDPR (if applicable), as this company uses your personal data in the context of the respective relationship with you. The address and name of this Roland Berger entity can be found here .

We welcome your feedback. If you have any comments, complaints or questions regarding this Privacy Notice or our processing of your Personal Data, or would like to exercise any of your rights, you can contact us at:

Roland Berger Holding GmbH & Co. KGaA
Sederanger 1
80538 Munich
Germany
Phone: +49-89-9230-0
Fax: +49-89-9230-8202
Email: [email protected]

The contact details of our data protection officer are:
Roland Berger Holding GmbH & Co. KGaA
z.Hd. Datenschutzbeauftragter
Sederanger 1
80538 Munich
Germany
Email: [email protected]

There are some points on our websites where we collect data for information and marketing purposes with your consent. This is generally done for all Roland Berger entities as joint controllers (Art. 26 GDPR).

2. Why and how do we collect, process and use your personal data?

This Privacy Notice explains how we collect, store, use, disclose and transfer (hereinafter “process”) your personal data. The personal data that we collect about you depends on the context of your interactions with us, the products, services and features that you use, your location, and applicable law. We process your data for the reasons described below and only for the purpose intended in each case.

Our services are neither aimed at nor intended for children.

It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be aware of. Please use the contact details above or keep your contact person at Roland Berger informed.

2.1. Legal basis for data processing

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing is subject to an explicit permission. We process your data under the following circumstances:

  • "Consent": If you have voluntarily, in an informed and unambiguous manner, by means of a statement or other unambiguous affirmative act, indicated that you consent to the processing of personal data concerning you for one or more specific purposes (Art. 6 para. 1 sentence 1 lit. a GDPR)
  • "Performance of a contract": If we conclude a contract with you and the processing is necessary for the performance of this contract to which you are a party or for the implementation of pre-contractual measures taken at your request (Art. 6 para. 1 sentence 1 lit. b GDPR);
  • "Legal or regulatory obligation": If the processing is necessary to fulfill a legal obligation to which we are subject, e.g. a legal obligation to retain data (Art. 6 para. 1 sentence 1 lit. c GDPR);
  • "Legitimate interests": Where processing is necessary for the purposes of our legitimate interests (in particular legal or economic interests) or those of a third party, except where such interests are overridden by your interests or rights to the contrary (in particular where the data subject is a minor) (Art. 6 para. 1 sentence 1 lit. f GDPR);

The storage of information in your terminal device or access to information that is already stored in the terminal device is only permitted if it is covered by one of the following legal grounds:

  • § 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG): If you have given your consent on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
  • § 25 para. 2 no. 2 TTDSG: If the storage or access is absolutely necessary so that we, as provider of a telemedia service, can offer a telemedia service expressly requested by you.

2.2 Visitors to our website

Server logs
When you visit our websites, we record the following information:

  • your IP address;
  • the data you requested from the website;
  • how much data you downloaded;
  • the website from which your accessing system came to our website;
  • the server reply code on the request from your browser;
  • information about the browser you used;
  • the date and time you visited, and for how long; and
  • other similar data and information that serves to avert the risk of an attack on our information technology systems.

Roland Berger generally cannot attribute this data to any specific person.

This information is required in order to:

  • properly deliver the contents of our websites;
  • continually optimize our websites;
  • ensure the continued functioning of our information technology systems and the technology of our websites; and
  • provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack.

The legal basis for the processing of the data is Art. 6 para. 1 lit. a) GDPR (to optimize our websites), Art. 6 para. 1 lit. f) GDPR (to properly deliver the contents of our websites and to ensure the continued functioning of our information technology systems and the technology of our websites) and Art. 6 para. 1 lit. c) GDPR (to provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack).

Personal Data obtained from you directly
We record and process information you enter on our websites or send us otherwise. This includes data you enter in forms or contact fields (e.g. for the subscription of Newsletters) or select from lists or menus.

There are some points on our websites where you can send us information by uploading documents via those websites to our servers. That is what happens when you apply online, for example (refer to the supplementary Recruitment Privacy Policy ).

On our websites, you also have the possibility to contact Roland Berger using the contact forms, email addresses, telephone and fax numbers provided there. When you contact us through the above channels, we will store and process the resulting personal data for the purposes of dealing with your request. Your information can be stored in our Customer Relationship Management (CRM) system. All data are used exclusively for the processing of your request.

The legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR (general requests). Where the data are processed in order to take steps prior to entering into a contract at your request, the legal basis shall be Art. 6 para. 1 lit. b) GDPR. We process the personal data we collect solely for the purposes of effectively handling the requests addressed to us.

Profile and login information for access-protected areas
There are some access-restricted areas of the websites for which you need to register before you can use them, like the recruiting/applicant and alumni areas in particular. When registering, there are some details you have to enter that the registration form itself requires, particularly your email address, a password, and some information about yourself. Any other details you enter are voluntary. We process and save this data in accordance with the supplementary Privacy Policies for applicants and alumni .

In some areas of our websites, like our alumni network in particular, some of your registration data or contributions you make can be seen by other users once they log in. It is up to you to decide whether you want other registered users of this site to see your information and, if so, what. You can change these settings at any time. During the registration process, we will ask you to give your consent for processing and saving that data. The legal basis for processing that data is Art. 6 para 1 lit. a) GDPR.

2.1.2 Integration of third-party services and content

Within our website, we use content or service offers from third parties in order to integrate their content and services. In case of technically necessary cookies we do this on the legal basis of our legitimate interests according to Art. 6 para. 1 lit. f) GDPR, in case of technically non-necessary cookies on the legal basis of your consent according to Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TTDSG.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website.

During some visits we may use software tools such as JavaScript to measure and collect session information, including page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse overs), and methods used to browse away from the page. We may use this information to measure website activity, to develop ideas for improving our websites and for any other purpose to the extent permitted by applicable law.

The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visiting times and other details about the use of our online offering, and may also be linked to such information from other sources.

We use and engage certain providers to use cookies, web beacons, and similar tracking technologies (collectively, "cookies") on our website. In the following you will find an overview of third-party providers and their content as well as links to their privacy policies, which contain further information on the processing of data and if applicable further options to object (known as opting out). You can, of course, change or withdraw any consent you may have given for cookies that are not absolutely technically necessary in this Privacy Policy under Cookie Declaration.

Google Analytics
If you have given your consent, this website uses Google Analytics (GA4), a web analytics service provided by Google LLC. The responsible party for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Scope of processing
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected by means of the cookies about your use of this website is generally transferred to a Google server in the USA and stored there.
We use the User ID function. User ID allows us to assign a unique, persistent ID to one or more sessions (and the activities within those sessions) and to analyze user behavior across devices.
We use Google Signals. This allows Google Analytics to collect additional information about users who have personalized ads enabled (interests and demographics) and ads can be delivered to these users in cross-device remarketing campaigns.
Google Analytics 4 has IP address anonymization enabled by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

During your website visit, your user behavior is recorded in the form of "events". Events can be:

  • Page views
  • First visit to the website
  • Start of session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • clicks on external links
  • internal search queries
  • interaction with videos
  • file downloads
  • seen / clicked ads
  • language settings

Also recorded:

  • Your approximate location (region)
  • your IP address (in shortened form)
  • technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
  • your internet service provider
  • the referrer URL (via which website/advertising medium you came to this website)

Purposes of processing
On our behalf, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.

Recipients
Recipients of the data are/may be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 DSGVO).
  • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that US authorities may access the data stored by Google.

Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

Duration of storage
The data sent by us and linked to cookies are automatically deleted after 14 months. The deletion of data whose retention period has been reached occurs automatically once a month.

Legal basis
The legal basis for this data processing is your consent pursuant to Art.6 para.1 p.1 lit. a GDPR.

Revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in a restriction of functionalities on this and other websites. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google, by

a. not giving your consent to the setting of the cookie or

b. downloading and installing the browser add-on to disable Google Analytics HERE .

For more information on Google Analytics' terms of use and Google's privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/us/ and at https://policies.google.com/?hl=en .

Google Tag Manager
This website uses Google Tag Manager. Google Tag Manager is a solution that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not register Personal Data. The tool causes other tags to be activated that may, for their part, register data under certain circumstances. Google Tag Manager does not access this information. If recording has been deactivated at the domain or cookie level, this setting will remain in place for all tracking tags implemented with Google Tag Manager.

Your consent is the legal basis for this data processing, Art. 6 para.1 lit.a) GDPR.

Cookiebot
Our website uses the cookie consent technology of Cookiebot to obtain your consent to store certain cookies in your browser and to document these in accordance with data protection regulations. Cookiebot is a self-service cloud service of the company Cybot ( https://www.cookiebot.com/de/about/ ).

When you enter our website, a Cookiebot cookie in which the consents you have given or the withdrawal of these consents are stored is stored in your browser. This data is not passed on to the provider of Cookiebot.

The data collected will be stored until you ask us to delete it or until you delete the cookie yourself or until the purpose for data storage no longer applies. Mandatory legal retention periods remain unaffected. For details on data processing by Cookiebot, please visit https://www.cookiebot.com/de/privacy-policy/ .

The Cookiebot consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this data processing is Art. 6 para. 1 lit. c) GDPR.

Hubspot
We use the CRM, registration and marketing automation system "HubSpot", operated by our service provider HubSpot Germany GmbH (Unter den Linden 26, 10117 Berlin, Germany), and its subprocessors Hubspot Inc. (25 First Street, 2nd Floor, Cambridge, MA 02141, USA) and Hubspot Ireland ltd. (One Dockland Central, Dublin 1, Ireland). For this purpose, we have concluded a data processing agreement with Hubspot Germany, and additionally so-called standard contractual clauses, in which HubSpot Inc. undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection. Learn more about HubSpot's data privacy policy here .

The legal basis for the processing is our legitimate interests Art. 6 para. 1 lit. f) GDPR for necessary cookies (to distinguish between humans and bots) and your consent Art. 6 para. 1 lit. a) GDPR for non-necessary cookies (efficient and quick processing of user requests, applications and optimization of our online offering).

LinkedIn Insight Tag

This website uses LinkedIn Conversion Tracking provided by LinkedIn (LinkedIn Inc.). LinkedIn Conversion Tracking is an analytics tool powered by the LinkedIn Insight-Tag. LinkedIn Conversion Tracking offers aggregated and anonymized reports on LinkedIn ad campaigns run by Roland Berger and aggregated and anonymized information on user behavior on the Roland Berger website. We use LinkedIn Conversion Tracking to track ad conversions and show website visitors more relevant ads on LinkedIn. You can prevent the collection of data generated by the cookie and its processing by LinkedIn by following the instructions on this site: www.linkedin.com/psettings/guest-controls/retargeting-opt-out .The LinkedIn Insight Tag enables the collection of data regarding members' visits to our website, including the URL, referrer, IP address, device and browser characteristics, timestamp, and page views. This data is encrypted, then de-identified within seven days, and the de-identified data is deleted within 90 days. LinkedIn does not share the personal data with the website owner, it only provides aggregated reports about the website audience and ad performance. LinkedIn also provides retargeting for website visitors, enabling the website owner to show personalized ads from its website by using this data, but without identifying the member.

LinkedIn
Our website uses features of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

Each time you access one of our pages that contains LinkedIn features, a connection to LinkedIn servers is established. LinkedIn will be notified that you have visited our sites using your IP address. If you click on LinkedIn's "Recommend" button and are logged into your LinkedIn account, LinkedIn is able to track your visit to our site to you and your account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by LinkedIn.

For more information, please refer to the LinkedIn privacy policy at: https://www.linkedin.com/legal/privacy-policy .

Awesome-Table.com
We use Awesome Table provided by Google Inc. ("Google") to display data in maps and tables on our website. For more information please see Google's privacy policy ( https://sites.google.com/site/scriptsexamples/available-web-apps/privacy-policy )

MyNewsDesk
We use the Services of MyNewsdesk AB ("MyNewsDesk") to publish press releases and photos on our website. Additionally, MyNewsDesk is used to display a Feed of the Roland Berger Social Media Channels of Facebook, Instagram, Twitter and YouTube on our website.

For Information on how MyNewsDesk uses Cookies, please see MyNewsDesk's privacy policy ( https://www.mynewsdesk.com/dk/about/terms-and-conditions/privacy_policy ), cookie policy ( https://www.mynewsdesk.com/us/about/terms-and-conditions/cookies ) and their list of cookies used ( https://www.mynewsdesk.com/us/about/terms-and-conditions/cookies/cookie-list ).

OpenStreetMap
We use the open source mapping tool OpenStreetMap to display geodata. The OpenStreetMap Foundation is based in the UK and operates its servers in Europe. For more details, please see the OpenStreetMap Foundation's privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy#Log_files_and_Information_submitted_to_OSMF_Services .

Pathmotion
We have implemented the career inspiration platform of PathMotion S.A.S ("PathMotion") to connect people who are in interested in our company directly with Roland Berger employees to provide a look behind the scenes. For Information on how PathMotion uses Cookies, please see PathMotion's end user agreement ( https://www.pathmotion.co/end-user-agreement ).

YouTube
We have embedded videos from YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA) in our website. This has been done using the "double click" procedure. This means that, initially, only a thumbnail is displayed on our website without a connection to YouTube being established. Only when you click on the respective thumbnail is a connection to YouTube established and your IP address forwarded to the YouTube servers. YouTube is thus informed that our website was visited with your IP address. We do not obtain any information about the data collected in this way or how it is used.

If you are signed in to your YouTube or Google account, Google may add the processed information to your account and treat it as personal data, depending on your account settings, see in particular https://www.google.de/policies/privacy/partners/ .

We integrate YouTube so that you can watch videos directly on our website. By including external videos, we reduce the load on our servers and can thus use these resources elsewhere, which can increase the stability of our servers. Further information on data processing by Google is available at https://policies.google.com/privacy .

Your consent is the legal basis for this data processing, Art. 6 para.1 lit.a) GDPR.

Vimeo
We have embedded Vimeo videos in our website. These videos are stored on www.vimeo.com and are directly playable from our website. The video platform is operated by Vimeo, Inc. By visiting a website with embedded Vimeo videos, a direct connection is established between your browser and a server of Vimeo in the US. Vimeo stores information about your visit to our website including your IP address. If you have a Vimeo account and do not wish Vimeo to collect information about you through this website and associate this information with your member data on Vimeo, you must log out before visiting this website. Further information on the purpose and scope of data collection and processing by the third-party provider, as well as on your rights and options for protecting your privacy, can be found at vimeo.com/cookie_policy or vimeo.com/privacy .

New Relic
We use the NewRelic software on our website. This enables analysis of your website usage. The information stored by the cookie about your use of this website (including your IP address) is transferred to a NewRelic server in the US. We process this data due to our predominant interest in the optimal marketing of our online offering according to Art. 6 para. 1 lit. f) GDPR.

New Relic will use the stored information to evaluate your use of the website, compile reports on website activities for the website operators and provide further services related to website and internet use. We have concluded so-called standard contractual clauses with New Relic, Inc.

Further information on data protection can be found at https://newrelic.com/termsandconditions/privacy .

Soundcloud
The embed functionality of Soundcloud allows us to integrate music tracks from Soundcloud into our pages. The privacy policy of Soundcloud is available at https://soundcloud.com/pages/privacy .

Typeform
Typeform is used to set cookies that, for example, enable the user to switch to different pages or prevent a form from being sent multiple times. Typeform thus receives your IP address and can deduce that our website was called up with this IP address. According to its own information, Typeform does not store any data by which users can be personally identified (see Typeform: https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data ).

MyFonts Web fonts
Our website design relies on, among other things, fonts for display purposes of MyFonts (Monotype). The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR. Therefore our website uses a visitor counter from MyFonts to record the number of visitors to our website. We are contractually obliged to use this visitor counter. Please also refer to the MyFonts privacy policy: https://www.monotype.com/legal/privacy-policy/web-font-tracking-privacy-policy

Meta Pixel
Within the Join section of our Roland Berger website, the so-called "Meta Pixel" (formerly Facebook Pixel) of the social network Meta, which is operated by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"), is used.

With the help of the Meta pixel, it is possible for Meta, on the one hand, to determine you as a visitor to our online offer as a target group for the display of advertisements (so-called "social media ads"). Accordingly, insofar as you have declared your consent, we use the meta pixel to display the social media ads placed by us only to those meta users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics determined on the basis of the websites visited), which we transmit to Meta (so-called "Custom Audiences"). With the help of the Meta pixel, we also want to ensure that our social media ads correspond to the potential interest of the users and do not have a harassing effect. With the help of the Meta Pixel, we can further track the effectiveness of the Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called "conversion").

Meta Pixel uses, among other things, cookies, which are small text files that are stored locally in the cache of your web browser on your terminal device. If you are logged in to Meta (formerly Facebook) with your user account, your visit to our online presence will be noted in your user account. The data collected about you is anonymous for us, so it does not allow us to draw any conclusions about the identity of the user. However, Meta may link this data to your user account there. If you have a user account with Meta and are registered, Meta can assign your visit to your user account.

Basis
The Meta Pixel is used on the basis of Art. 6 para. 1 lit. a) GDPR for marketing and optimization purposes, in particular in order to place relevant and interesting ads for you on Meta and thus improve our services, make them more interesting for you as a user and avoid annoying ads.

Data Processing Agreement
For the processing of data for which Meta acts as a processor, we have concluded a data processing agreement with Meta, in which we oblige Meta to protect our customers' data. This applies to the processing of data relating to contact information for matching (2.a.i. of the Meta Business Tools Terms) and event data for measurement and analytics services (2.a.ii. of the Meta Business Tools Terms).

Joint Controller
We have entered into a Joint Controller Agreement with Meta for the processing of the Data for which we act as Joint Controller with Meta. This applies with respect to Event Data for ads targeting (2.a.iii. of the Meta Business Tools Terms) and Event Data to improve ad delivery, personalize features and content, and to improve and secure Meta products (2.a.v. of the Meta Business Tools Terms).

Required information pursuant to Art. 13 para. 1 lit. a) and lit. b) GDPR can be found in Meta's Data Policy at https://www.facebook.com/about/privacy .

Deletion
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Data will be deleted after 180 days at the latest.

Third country
Since a transfer of personal data to the USA takes place, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, Meta concludes standard data protection clauses with its subcontractors in accordance with Art. 46 para. 2 lit. c) GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe.

Objection
You can object to the collection by the meta pixel and use of your data to display meta ads. To set which types of ads are displayed to you within Meta, after you log in to Meta (formerly Facebook), you can go to the page set up by Meta and follow the instructions there on the settings for usage-based advertising. The settings are done in a platform-independent manner, which means that they are applied to all devices, such as desktop computers or mobile devices. You can further object to the use of cookies that are used for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative and additionally the US website aboutads.info or the European website youronlinechoices.com.

You can find another opt-out option in our Cookie-Deklaration.

We would like to point out that this setting will also be deleted when you delete your cookies.

Matomo
The web analysis tool "Matomo" is used for the purpose of demand-oriented design of our website. Matomo creates usage profiles on the basis of pseudonyms.

Scope of processing
Matomo uses so-called cookies, which are text files that are saved on the end-user’s device and allow an analysis of the website. This enables us to collect statistics about the user's visits to the website and to identify the referring website from which the visitor has come. It also tracks the visitor's page views during the session. In this way, we are able to recognise and count returning visitors.

Heatmaps from Matomo
We also use Matomo's heatmaps service on our website. Heatmaps summarizes the end user’s behavior to simplify data analysis and combine quantitative and qualitative data. They provide an overview of how our website visitors interact with an individual website or service page - what they click on, what content they browse and what they ignore. This helps us to identify trends and optimize our service.

The use of heatmaps sets an additional cookie. More information at: What are the cookies created by Matomo JavaScript Tracking client? FAQ - Analytics Platform - Matomo .

Legal basis
The legal basis for data processing is your consent in accordance with § 25 para. 1 TTDSG, Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by calling up the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

Data processing agreement
For the processing of data for which Matomo acts as an data processor, we have concluded a data processing agreement with Matomo, in which we oblige Matomo to protect the data of our users.

Storage location
Your personal data and backups are stored securely in Europe.

Registered office
InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand. New Zealand is one of the few countries that the EU considers to have an adequate level of data protection.

Matomo's privacy policy can be found here: Matomo Cloud Privacy Policy - Matomo Analytics

2.2 Participants on Events, Webinars, Surveys, Interviews, Competitions and Newsletter Subscriber

We offer the possibility to subscribe to Newsletters and studies, participate in surveys or in interviews, receive similar information and marketing materials (“Newsletter”), or register for events. If you would like to use these services, we will need a working email address from you and details to enable us to verify that this email address is really yours and whether you agree to receive the Newsletters. For legal reasons, an email will be sent to the email address you provided asking for confirmation in a double-opt-in procedure after signing up for our Newsletter. The legal basis for sending Newsletters Newsletteris Art. 6 para. 1 lit. a) GDPR.

When you register, we record the following data:

  • Title (required)
  • First name (required)
  • Last name (required)
  • Email (required)
  • Company (required)
  • Job title (required)
  • Country (optional)

The Personal Data collected when ordering information and marketing material will be used exclusively for the following purposes:

  • Sending the Newsletter
  • Consulting, marketing and advertising
  • Composing the topics of the Newsletter according to your interests

Our Newsletters and other automatically sent emails with information and marketing material as well as emails in connection with events contain so-called web beacons for statistical analysis. We use these to optimize the content of the Newsletters and adapt them better to user interests. By integrating these web beacons, we can identify when an email was opened by a person concerned and which links in the email were opened. This will only be done with your consent when requesting such emails.

If you register for one of our events, we also use your Personal Data for the following purposes: to identify you as a registered participant of the event, to grant you access to the event, to send reminders and to inform you if there are any changes to the event (e.g. a change of date and time), to contact you after the event to ask for your feedback in accordance with Art. 6 para. 1 lit. b) GDPR.

For the implementation of the online event (e.g webinar) we use Teams or Zoom. For this specific purpose separate data protection notice apply (refer to the supplementary Privacy Policy for Telephone Conferences and Webinars via "Microsoft Team" and Privacy Policy for Telephone Conferences and Webinars via "Zoom" ).

In addition, photographs and/or video recordings can be taken at the event. If you do not wish to be photographed or filmed, please let the photographer or camerapeople know on the spot. We process the photographs and/or video recordings for the purposes of documentation of the event, for printed and for online publicity on our publicly available websites or/and on social media (a.o. Instagram, Facebook, LinkedIn). For controllers in the EU the legal basis for taking and publishing of photographs and/or video recordings is our legitimate interests in reporting on the event pursuant to Art. 6 para. 1 lit. f) GDPR. We ask for your separate consent pursuant to Art. 6 para. 1 lit. a) GDPR for the publication of photos, if the content and composition of the photos or the intended use requires this.

In case Roland Berger organizes a competition on a social media channel of Facebook or Instagram following personal data will be process:

  • participant´s account name on social media channel;
  • winners last name, first name, birthday, address.

A processing of the data is carried out exclusively for the implementation of the competition (for the purpose of the implementation of the participation contract and in particular for the notification of the prize). The legal basis for this data processing is Art. 6 para. 1 lit. b) GDPR and Art. 6 para. 1 lit. f) GDPR.

2.3 Clients / Suppliers

If you have had contact with us for the purpose of concluding a contract (e.g. consulting agreement) between us, for example through emailing or meeting our representative, we collect, use and store limited amounts of personal information relating to you, such as your name, job title, employer organization, contact details and other information necessary for the contract (e.g. for advising to the Client).

We collect, process and store this personal information for the following purposes:

  • Identification of shareholders and employees or contact persons of Client or Supplier
  • Provision of advisory support to Client and for the performance of the contract
  • For corresponding with the Client or Supplier or the contact persons of the Client or Supplier
  • For invoicing
  • In relation to managing disputes or any other legal complaints
  • Contacting the shareholders or the contact persons of Client or Supplier in the event of future business transactions of interest to the shareholders and/or Client or Supplier
  • To invite Client or Supplier to take part in marketing or other promotional events, or seminars or similar events, and to inform Client or Supplier about other topics which might interest them
  • To carry out sanction list / compliance screenings (see more details below)
  • To ask you for feedback (for instance, in a survey about our client services and to manage, review and act on feedback we are getting)
  • To send you our Newsletter in case you have given us your business card for the purpose of sending you information and making further business contact

The legal basis for processing the data is Art. 6 para 1 lit. b) GDPR as it is necessary for the entering into a contract, for the establishment, execution and termination of the contract and for the mutual fulfilment of obligations arising from the contract, further Art. 6 para 1 lit. c) GDPR as it is legal obligation in case of managing disputes or any other legal complaints, further your consent according to Art. 6 para 1 lit. a) GDPR in case you have given us your business card, and Art. 6 para 1 lit. f) GDPR as it is necessary for the legitimate interests of Roland Berger.

We may carry out sanction list / compliance screenings with regard to the business relationship with you and in compliance with legal compliance obligations. Any such use of your Personal Data is based on the permission to process Personal Data in order to comply with statutory obligations (Art. 6 para. 1 lit. c) GDPR) and our legitimate interests (Art. 6 para. 1 lit. f) GDPR) or under the equivalent provisions under applicable law.

In some cases, we search and use Personal Data from public sources (such as LinkedIn, Xing and other publicly available sources on the internet) to complete or correct your data (first name, company, country, etc.). We store this data in our CRM system. The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR.

Your personal data, such as names, email addresses, organisational details, may also be processed by us in connection with the use of our Microsoft 365 Services. For this specific purpose separate data protection notice apply (refer to the supplementary Privacy Policy for Microsoft365 Cloud Services ).

2.4 Visitors to our offices

When you visit our offices, we can collect the following personal information about you for the following purposes:

  • contact information by completion of the security list of visitors in line with our legitimate interests (security of the building);
  • video images of you in the entry and exit areas from CCTV footage in line with our legitimate interests (security of the building);
  • your name and time of entry to our offices through a security access system in line with our legitimate interests (maintaining security of our offices);
  • names and dietary preferences for catering purposes in meetings in line with our legitimate interests (respecting visitors’ needs);
  • health data to assist in the control of infectious diseases (such as the virus Covid-19) in line with our health and safety legal obligations;
  • if applicable, health information by completion of the first aid accident book in order to comply with our health and safety legal obligations; and
  • guests’ name and if applicable other information for the purpose of organising events (for example conferences, charity events or student/alumni events) and providing name badges, attendee lists, team lists and table plans.

2.5 Job Applicants

We have the applicants' area of our different recruiting websites, where potential applicants can apply for jobs, internships and other positions. For this specific purpose a separate data protection notice applies (refer to the supplementary Recruitment Privacy Policy ).

2.6 Alumni / Pathfinder Job board

We have our alumni area, where people who used to work for Roland Berger can keep in touch with their former colleagues and the company itself. For this specific purpose separate data protection notice apply (refer to the supplementary Data Protection Notice for alumni ). In order to support our alumni and employees, we offer them our exclusive Pathfinder Job board, where Clients, alumni, and executive search companies can post jobs in this exclusive database. For this specific purpose a separate data protection notice applies (refer to the supplementary Data Protection Notice for Pathfinder ).

2.7.1 TikTok

When visiting our Page on TikTok (i.e. our User Profile), TikTok collects personal data of the users. Information about the data collection and further processing by TikTok can be found in TikTok's privacy policy .

Roland Berger has no influence on what user data TikTok collects. Roland Berger also has no access to the personalized collected data or your profile data. Roland Berger can only see the public information of your profile and you decide in your TikTok settings what exactly this data is. In addition, you have the option in your TikTok settings to actively hide your "Likes" or to no longer follow the Roland Berger TikTok Page. Then your profile will no longer appear in the list of followers of our TikTok Page.

Roland Berger receives anonymous statistics from TikTok regarding the use and usage of the TikTok Page. The following information is provided here, for example:

  • Followers: number of people who follow Roland Berger - including growth and development over a defined time frame.
  • Reach: number of people who see a specific post. Number of interactions on a post. This can be used, for example, to determine which content is better received by the community than others.
  • Ad performance: how many people saw an ad.
  • Demographics: average age of visitors, gender, location, language.

We use these statistics, from which we cannot draw any conclusions about individual followers, to constantly improve our online offering on TikTok and to better respond to the interests of our followers. We cannot link the statistical data with the profile data of our followers. You can decide via your TikTok settings in which form targeted advertising will be shown to you. Roland Berger will display ads for events, jobs and employer branding. TikTok's " Ads and Your Data " guide gives you an overview of how your personal data is processed in connection with Ads.

Roland Berger receives personal data through TikTok when you actively share it with us via a personal message or comment on our TikTok Page (User Profile).

For the use of various TikTok services, we have concluded several data protection agreements with TikTok Ireland and TikTok United Kingdom (Joint Controller Agreement and Data Processing Agreement).

2.7.2 WhatsApp Channel "Roland Berger Career"

On our WhatsApp Channel "Roland Berger Career" you will find tips and information about the application process at the Roland Berger Group.

We do not process your personal data. However, if you have stored your first and last name or a photo as a display image in your WhatsApp profile, this personal data can be viewed by us. We do not (further) process this data. We cannot access your telephone number.

You can object to the data processing within the WhatsApp channel at any time by selecting "No longer subscribe" in the channel info.

WhatsApp is operated by WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5 Ireland. Further Information on the handling of your personal data can be found in the following privacy notice: https://www.whatsapp.com/legal/channels-privacy-policy-eea?lang=de.

3. To whom we may disclose your Personal Data?

Where does data go once it reaches Roland Berger?
Once you send data, or it is collected on our websites, we transmit it within Roland Berger to the recipients who need to know it. Applications, for instance, go to our human resources department and the department for which the position is advertised (refer to the supplementary Recruitment Privacy Policy ).

External service providers
We may involve service providers who support us in the processing of Personal Data or otherwise and who may come into contact with your Personal Data. This will only happen after the prior conclusion of a Data Protection Agreement that obligates our service providers to process Personal Data only according to our instructions and to keep it confidential.

Intra-group sharing, Joint Controllers
Within the Roland Berger Group's organization, there is a need to exchange Personal Data on an intra-group basis as Controller to Controller or Joint Controllers.

For example in the course of our business relationship with you, we may share Business Partner contact information with affiliated group companies. We and these companies (see the list here ) are jointly responsible for the proper protection of your personal data (Art. 26 GDPR). To allow you to effectively exercise your data subject rights in the context of this joint controllership, we entered into an agreement with these companies granting you the right to centrally exercise your data subject rights under section 4 of this Privacy Notice against Roland Berger Holding GmbH & Co. KGaA, Sederanger 1, 80538 Munich, Germany.

Roland Berger entities might also be established outside the EU or the EEA. In such cases, we will ensure that there are adequate safeguards (i.e. EU standard contractual clauses) in place to protect your Personal Data. We at Roland Berger are responsible for informing you about your rights as a data subject under applicable data protection laws. You can address any requests or complaints you may have with regard to your Personal Data to Roland Berger ( How to contact us? ). The other Roland Berger entities within the Roland Berger Group's organization that might also keep your Personal Data will give us reasonable cooperation, assistance and information in order to comply with such requests or complaints.

Sending data to third parties
As a fundamental rule, we do not disclose, transfer, sell or otherwise market Personal Data to third parties, such as other companies or organizations, without your express consent except as required to meet our contractual obligations between Roland Berger and you.

For example the following categories of recipients may receive your personal data:

  • authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal data by applicable law, regulation, legal process or enforceable governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;
  • auditors or external consultants such as lawyers, tax advisors, insurers or banks, and
  • another company in the event of a change of ownership, merger, acquisition or disposal of assets.

Transfer of data to countries outside the EU/EEA
Where there is a sufficient legal basis, your Personal Data may be transferred to and processed outside the EU/EEA in other countries where laws and provisions governing the processing of Personal Data may be less stringent. In such cases, we will ensure that the data transfer is based on an adequacy decision (e.g., the EU-US Data Privacy Framework for transfers to the U.S. for certified companies ) or conclusion of the EU standard contractual clauses, which can be viewed and downloaded here .

4. What are your rights?

Data subjects have rights with respect to Roland Berger in relation to their Personal Data in accordance with Art. 15-21 GDPR. In particular, you have the right to:

  • request a copy of the Personal Data we hold about you (right of access, Art. 15 GDPR);
  • ask that we update the Personal Data we hold about you, or correct any Personal Data that you think is incorrect or incomplete (right to rectification, Art. 16 GDPR);
  • ask that we delete Personal Data that we hold about you, or restrict the way in which we use your Personal Data (right to erasure, Art. 17 GDPR and right to restriction of processing, Art. 18 GDPR)
  • object to our processing of your Personal Data (right to object, Art. 21 and 22 GDPR)
  • request that your Personal Data be transferred to you or another data controller (right to data portability, Art. 20 GDPR).

If you are unhappy with the way we have handled your Personal Data or any data protection query or request that you have raised with us, you have a right to complain to the competent supervisory authority (Art. 77 GDPR). We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance.

We may need to request specific information from you to help us confirm your identity and ensure your right of access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Objection and withdrawal of consent
If you have given us your consent to process your Personal Data (Art. 6 para. 1 lit. a) GDPR), you can withdraw your consent at any time with future effect. If we process your Personal Data based on Art. 6 para. 1 lit. f) GDPR (legitimate interests), you can object at any time to the processing of your Personal Data for marketing reasons.

Please use either the link included in each Newsletter we send you or, alternatively, contact Roland Berger via mail, fax, email or using the contact details given above under How to contact us.

5. How long do we retain your Personal Data?

We store Personal Data in accordance with legal storage periods. We routinely delete this Personal Data or block it once these periods expire or the reasons for storage cease to apply, in accordance with data protection rules.

If you have agreed to a longer duration for storing, processing and using your data, we will delete or block your data after this duration expires or should you revoke your consent (refer to the supplementary Privacy Policy for applicants ).

We will retain the data you transfer to us in contact requests until you ask for their deletion, object to their storage, or the purpose for their storage no longer applies. The purpose for the storage of the data no longer applies when it becomes evident that the underlying issue has been conclusively settled.

6. Data protection principles

We comply with applicable data protection laws. This says that the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way;
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and to the extent appropriate, kept up to date;
  • kept only as long as necessary for the purposes we have told you about; and
  • kept securely.

7. Security

In accordance with legal requirements, Roland Berger has taken extensive technical and organizational measures to ensure a level of protection that is in line with, or in some cases exceeds, data privacy requirements. The measures taken protect not only Personal Data, but also other data processed on the same systems. Roland Berger operates an Information Security Management System (ISMS) which is certified according to ISO/IEC 27001:2013. The ISMS provides the framework for ensuring the information security goals confidentiality, integrity and availability.

The security of your data is important to us, so all the areas of our websites where you can actively input data use encrypted data transmission such as TLS (Transport Layer Security) to protect your data from being accessed by unauthorized third parties.

If you register to use access-protected areas of Roland Berger's websites, you should keep the login details you receive in a safe place and protected from access by third parties. If you log in on a computer that is used by more than one person, please do not forget to log off properly at the end of each session and close the browser window you were using.

With help of the extensive technical and organizational security precautions Roland Berger protects your Personal Data from being manipulated, either accidentally or deliberately, or being lost, destroyed or accessed by unauthorized third parties. We are constantly improving these precautions as technology develops.

8. Changes to this Privacy Notice

This Privacy Notice was last modified on March 8, 2024. We may occasionally modify or amend it from time to time. When we make changes to this Privacy Notice we will update the revision date at the top of this Privacy Notice. Where those changes are material, we will take steps to let you know. The new modified or amended Privacy Notice will apply as from that revision date. Please always verify whether you have consulted the latest version of the Privacy Notice.