Data protection policy
In this data protection policy we inform you about the personal data that we process when you visit our website, and the rights you have. We therefore request that you read the following in-formation carefully.
Personal data are all information related to an identified or identifiable natural person. They include your name, your address and communications data or your email address.
Process means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alter-ation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making availa-ble, alignment or combination, restriction, erasure or destruction.
Data subject is every identified or identifiable natural person whose personal data are processed by the controller.
Controller means the natural or legal person, public authority, agency or other body which, alone or joint-ly with others, determines the purposes and means of the processing of personal data.
User means all categories of persons affected by the data processing. They include our business part-ners and other visitors to our website.
For the terms used we also refer to the definitions in Art. 4 of the General Data Protection Reg-ulation (GDPR). Terms such as “user” are gender-neutral.
1. Name and address of the controller
Representatives of the controller are the managing directors Mark Freese, Jens Mahlke and Lu-ca Zanotti.
2. Data protection officer
You can contact our data protection officer by email at firstname.lastname@example.org or by writing to our postal address for the attention of “The Data Protection Officer”.
3. Processing of personal data
3.1. Visiting our website
3.1.1. Scope of data processing
When you visit our website, your browser sends certain data to our webserver for technical rea-sons. This concerns the following data (known as server logfiles):
- Date and time of server request
- Time zone difference to Greenwich Mean Time (GMT)
- Subject of request (specific page)
- Operating system and access status / HTTP status code
- Data volume transmitted
- Website from which the request comes (“Referrer URL”)
- Browser, language and version of browser software
3.1.2. Purpose of data processing
These data must be stored in log files to guarantee the website’s functionality. In addition, we use the data to optimize our website and to ensure the security of our information technology systems.
3.1.3. Legal basis for processing
We collect these data on the basis of our legitimate interest within the meaning of Art. 6 (1)f GDPR in order to display our website and ensure its security.
3.1.4. Duration of storage
Information in the logfiles is stored for security reasons (e.g. to investigate misuse or fraudu-lent activity) for a maximum of seven days and is then deleted. Data that must be retained as evidence is not deleted until the incident has been definitively clarified.
3.1.5. Objection and removal right
For technical reasons the collection of data is absolutely necessary for the provision of the website and their storage in logfiles is absolutely necessary for its operation. There is therefore no option for users to object.
3.2. Contact Forms
3.2.1. Scope of data processing
Contact forms are available on our website, which you are welcome to use to communicate electronically with us. When you make use of this opportunity, the data entered in the input mask are sent to us and processed. They consist of your title, first name, surname, business partner number, telephone number, email address, preferred means of contact and message text.
3.2.2. Purpose of data processing
We use the personal data from the input mask to process the contact request. The data are used to process the conversation, to respond to the request and to provide the required infor-mation.
Other data processed during the transfer process (e.g. date, time, IP-address) serve to prevent misuse of the contact form and ensure the security of our IT systems.
3.2.3. Legal basis for processing
When the contact form is used, the sender’s data are used to process the contact request in accordance with Art 6 (1)b GDPR.
3.2.4. Recipients of processing
When you contact us, your personal data are processed by the internal company functions re-sponsible for the respective request. We use a logistics provider to process the order as part of data processing by a processor in accordance with Art. 28 GDPR.
3.2.5. Duration of storage
When the contact request is an enquiry, the data are deleted as soon as they are no longer re-quired for the purpose for which they were collected. For the personal data from the input mask in the contact form and those sent by email, this is the case when the conversation with the user comes to an end. The conversation comes to an end when the circumstances suggest that the matter has been definitively clarified.
If you contact us as part of a contractual relationship or in the course of pre-contractual activities (e.g. to request an offer), the data are processed to execute the contract. The data stored by us are deleted as soon as they are no longer necessary for the purpose for which they were collected and there are no statutory record-keeping obligations that require them to be retained. Record-keeping obligations do exist under commercial and tax law, however. Data (e.g. accounting documents) are retained for 6 years in accordance with Section 257 para. 1 German Commer-cial Code (HGB) and for 10 years in accordance with Section 147 para. 1 Tax Code (AO) (e.g. accounting documents, commercial correspondence, tax-relevant documents).
3.2.6. Objection and removal right
You have the option of revoking your consent to the processing of your personal data. In this case the conversation cannot be continued. Please send your revocation of consent to email@example.com. In this case, all the personal data stored when you contacted us will be deleted, to the extent that no record-keeping obligations prevent us from doing so. Data pro-cessed in connection with an order or request for an offer are subject to record-keeping obliga-tions under commercial and tax law. There is therefore no option for users to object.
3.3. Portal for advertising material
3.3.1. Scope of data processing
You can order supplies and consumables (e.g. acceptance stickers for your business or im-printer payment slips) from our advertising material portal. If you are a new customer you must register before using the portal for the first time. This means we process the following data: ti-tle, business partner number*, first name*, surname*, email address*, password*. The fields marked * are obligatory.
3.3.2. Purpose of data processing
We process these data in order to provide you with supplies and consumables as part of our contract.
3.3.3. Legal basis for processing
The data are processed to provide contractual services. The legal basis for this processing is Art. 6(1)(b) GDPR.
3.3.4. Recipients of processing
The data are processed by our responsible internal function. This is the Customer Service de-partment.
3.3.5. Duration of storage
The data are processed to execute a contract. The data stored by us are deleted as soon as they are no longer necessary for the purpose for which they were collected and there are no statuto-ry record-keeping obligations that require them to be retained. Record-keeping obligations do exist under commercial and tax law, however. Data (e.g. accounting documents) are retained for 6 years in accordance with Section 257 para. 1 German Commercial Code (HGB) and for 10 years in accordance with Section 147 para. 1 Tax Code (AO) (e.g. accounting documents, commercial correspondence, tax-relevant documents).
3.3.6. Objection and removal right
Data processed in connection with an order for advertising material are subject to record-keeping obligations under commercial and tax law. There is therefore no option for users to ob-ject.
3.4.1. Scope of data processing
You can subscribe to a Paymentletter on our website. If you decide to do so, we process the following data: title, business partner number, first name, surname, email address, sector. For registration it is sufficient for you to tell us your name and email address.
We only send payment letters with the consent of recipients. This entails the use of a double opt-in procedure. After subscribing for the payment letter you receive an email in which you have to confirm your subscription. We use this procedure so that no one can subscribe using someone else’s email address. We log subscriptions to the payment letter to document the subscription process in line with the statutory requirements. The data include the date, time and IP address at the time of subscription.
The Paymentletter contain a “web beacon”, i.e. a pixel-sized file that is retrieved by the server of our mailing service provider when the Paymentletter is opened. When it is retrieved, tech-nical information about the browser and the IT system used are collected, as are the IP-address and the time of retrieval. This information is used to improve services using technical data or target groups and their reading patterns by means of retrieval locations (which can be deter-mined with the help of the IP-address) or access times. The analytical data gathered also in-cludes whether the Paymentletter is opened, when it is opened and which links are clicked. For technical reasons we are able to attribute this information to individual subscribers. Neither we nor our service providers intend to observe individual recipients of the payment letter, however. The analysis rather helps us to identify the reading patterns of our subscribers and adapt our contents to them or to send different contents depending on their interests.
3.4.2. Purpose of data processing
We send payment letters for advertising purposes, in order to inform our subscribers about products, offers and promotions from our company.
3.4.3. Recipients of data processing
Your data are processed by our Marketing department when you subscribe for the Paymentletter.
The payment letter is distributed by an external provider, Campaign Monitor, which is operated by Campaign Monitor Pty Ltd, 404/3-5 Stapleton Ave, Sutherland NSW 2232, Sydney, Australia.
Campaign Monitor offers extensive analytical options relating to how the payment letter is opened and used. These analyses are group-based and are not used by us to analyse individ-ual recipients of the payment letter. Further information about Campaign Monitor and data pro-tection at the provider Campaign Monitor can be found at https://www.campaignmonitor.com/policies/.
By its own account, Campaign Monitor can use these data in pseudonymised form, i.e. without attribution to a user, in order to optimise or improve its own services, e.g. for the technical op-timisation of mailing and layout of the payment letter or for statistical purposes, to determine which countries the recipients come from. The mailing service provider does not used the data of our subscribers to write to them itself, however, or to pass them on to third parties.
3.4.4. Legal basis for processing
We send payment letters with the consent of recipients. The legal basis for this is Art. 6(1)(a) GDPR.
The use of the mailing service provider Campaign Monitor, the statistical data gathering and analysis and the logging of the subscription process take place on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR, which consist of operating a user-friendly, cost-effective and secure payment letter system.
3.4.5. Duration of storage
We store the personal data given when you subscribe to the payment letter until you revoke your consent.
3.4.6. Objection and removal right
If you no longer want to receive our payment letter you can cancel the subscription at any time and so revoke your consent. At the end of the payment letter you will find a cancellation link. Alternatively you can send an email to Paymentletter@concardis.com. When you cancel your subscription to the newsletter, your personal data will be deleted.
3.5.1. Scope of data processing
a) Transient cookies are deleted automatically when you close the browser. They particularly include the session cookies. These store a session ID, with which various requests by your browser can be attributed to a joint session. When you return to our website, your computer can be recognised. The session cookies are deleted when you log out or close the browser.
b) Persistent cookies are deleted automatically after a defined period, which can vary from one cookie to another. You can delete the cookies at any time in the security settings of your browser.
3.5.2. Purpose of data processing
3.5.3. Legal basis for data processing
The legal basis for the processing of personal data using the technically necessary cookies is Art. 6(1)(f) GDPR.
3.5.4. Duration of storage
Session cookies are deleted as soon as the browser is closed.
Persistent cookies are deleted automatically after a defined period.
3.5.5. Objection and removal right
You should be aware, however, that in this case you may not be able to use all the functions of our website.
3.6. Google Analytics
3.6.1. Scope of data processing
On our website we use Google Analytics, a web analytics service from Google Inc., 1600 Am-phitheatre Parkway, Mountain View, CA 94043, United States (“Google”).
The information collected by Google about your use of our website (e.g. the pages you visit) are sent to a Google server in the USA, stored there, analysed and the results sent to us in anonymised form.
On our website we use the IP-anonymisation offered by Google. This means that Google will abbreviate the IP address prior to sending within the member states of the European Union or other signatories of the treaty creating the European Economic Area. Only in exceptional cas-es will the full IP address be sent to a Google server in the USA and be abbreviated there.
Google is certified in the EU-US Privacy Shield, which guarantees a reasonable level of data protection for data stored with Google in the USA.
3.6.2. Purpose of data processing
Google uses this information on our behalf to analyse the use of our website and to compile reports on activities within our website. This enables us to improve your online experience and make our website more user-friendly.
3.6.3. Legal basis for processing
Our legitimate interest in data processing by Google Analytics lies in the purposes described above. The legal basis for this processing is Art. 6(1)(f) GDPR.
3.6.4. Duration of storage
Sessions and campaigns are deleted at the end of a defined period. The default setting is for sessions to be ended after 30 minutes without activity and campaigns after six months. The time limit for campaign storage may be up to 26 months.
3.6.5. Objection and removal right
The IP address communicated by your browser will not be merged with other data from Google. You can prevent cookies being stored by setting your browser software accordingly, as described in the chapter “Cookies” above. Besides taking this step, you can prevent the da-ta generated by the cookie related to your use of this website (including your IP address) from being sent to and processed by Google by downloading and installing the browser plug-in available here: https://tools.google.com/dlpage/gaoptout?hl=de.
If you want to prevent your data from being collected in future by Google Analytics when you visit our website via various devices (especially mobile devices such as smartphones or tab-lets), you must opt out on all the systems you use. This opt-out cookie will be set when you click on the link below:
Deactivate Google Analytics
3.7. Google AdWords
3.7.1. Scope of data processing
We use Google AdWords to attract attention to our products and services on external websites by means of advertising. These adverts are supplied by Google using “ad servers”. They entail the use of ad server cookies, which measure certain parameters, such the number of times the adverts are displayed and clicked by users. When you come to our website via a Google ad-vert, Google AdWords stores a cookie on your computer. We have described above what cookies are and how they can be deleted. These cookies enable Google to recognise your in-ternet browser. If a user visits certain pages on the website of an AdWords customer and the cookie stored on their computer has not yet expired, Google and the customer can see that the user has clicked on the advert and was referred to this page. A different cookie is assigned to each AdWords customer. Cookies can therefore not be tracked across the websites of Ad-Words customers. We do not collect or process any personal data in the advertising activities mentioned. We only receive statistical analyses from Google. We can use these analyses to identify which of our advertising activities are particularly effective. We do not receive any fur-ther data from the use of advertising material; in particular we cannot identify users on the ba-sis of this information.
Your browser uses the marketing tools that we deploy to establish a direct connection to the Google servers. We have no control over the scope and further use of the data that Google collects by means of this tool and so inform you to the best of our knowledge: By the use of AdWords conversion, Google is informed that you have retrieved the corresponding section of our website or have clicked on one of our adverts. Insofar as you are registered with a Google service, Google can attribute the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider finds out and stores your IP-address.
3.7.2. Purpose of data processing
We can determine how successful the individual advertising activities are in relation to the data from advertising campaigns. Our interest is to show you advertising that interests you, to make our website more interesting for you and to enable the fair calculation of advertising costs.
3.7.3. Legal basis for processing
The data processing serves our legitimate interest in targeting our adverts. The legal basis for this processing is Art. 6(1)(f) GDPR.
3.7.4. Duration of storage
These cookies generally expire after 30 days and are not intended to identify you personally. The metrics stored with this cookie are generally the unique cookie ID, the frequency of ad im-pressions, the last impression (relevant for post-view conversations) and opt-out information.
3.7.5. Objection and removal right
There are various ways for you to avoid taking part in this tracking method: a) by setting your browser software accordingly; denying third-party cookies means that you do not receive any adverts from third-party advertisers; b) by deactivating cookies for conversion tracking by setting your browser so that cookies from the domain “www.googleadservices.com” are blocked, https://www.google.de/settings/ads, whereby this setting is deleted when you delete your cookies; c) by deactivating the interest-based adverts from those advertisers who are part of the self-regulation campaign “About Ads” www.aboutads.info/choices, whereby this setting is deleted when you delete your cookies; d) by permanently deactivating it in your Firefox, Internet Explorer or Google Chrome browser under the link http://www.google.com/settings/ads/plugin.
3.8. Google Remarketing
3.8.1. Scope of data processing
In addition to Adwords Conversion we use the application Google Remarketing (“Google-Marketing-Services”) from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
This is a procedure with which we can address you again. This application enables our adverts to be shown to you after you have visited our website, in the course of your further internet use. This takes place by means of cookies stored in your browser, which track and analyse your usage patterns when you visit various websites. What cookies are and how they can be deleted is described above. With the help of these cookies we can analyse user behaviour dur-ing visits to our website and then use it for targeted product recommendations and interest-based advertising.
So Google can determine your last visit to our website. By Google’s own account, the data gathered in the course of remarketing is not merged with your personal data which may be stored by Google. In particular, Google uses pseudonymisation for its remarketing.
For these purposes, Google directly executes a code when our website and other websites on which Google marketing services operate are retrieved and (re)marketing tabs (invisible graphics or code, also known as web beacons) are embedded in the website. They store an in-dividual cookie, i.e. a small file, on the user’s device. Similar technologies may also be used instead of cookies. This file records which websites the user visits, which contents they are in-terested in and which offers they click on, as well as technical information about the browser and operating system, referrer websites, visiting times and other information on the use of the online offering. The users’ IP-address is also tracked, whereby we notify users that Google An-alytics abbreviates the IP-address within the member states of the European Union or other signatories of the treaty creating the European Economic Area and only in exceptional cases sends them in full to a Google server in the USA, where they are then abbreviated. The IP-address is not merged with the user’s data within other Google products and services. Google may connect the preceding information with information from other sources. If you visit a web-site in the Google advertising network after visiting our website, you may be shown adverts with contents from our website.
3.8.2. Purpose of data processing
Google uses this information on our behalf in order to guide previous users of our website back to our website and to approach them with interest-based advertising.
3.8.3. Legal basis for processing
The basis for the processing of the data is the currency of the legitimate interests of Concardis (i.e., interest in the analysis, optimisation and economic operation of our online services within the meaning of Art. 6(1)(f) of the GDPR).
3.8.4. Duration of storage
Sessions and campaigns are deleted at the end of a defined period. The default setting is for sessions to be ended after 30 minutes without activity and campaigns after six months. The time limit for campaign storage may be up to 26 months.
3.8.5. Objection and removal right
If you do not want browser cookies to be used at all, you can adjust your browser settings so that cookies are not accepted. Please note that, in this case, you may not be able to use our website, or may only be able to use certain functions. How to deactivate cookies in your browser is described in the chapter Cookies.
4. Data security
We take technical, contractual and organisational measures to ensure the state-of-the-art securi-ty of data processing. We ensure that the provisions of data protection legislation, particularly the General Data Protection Regulation, are adhered to and that the data processed by us are protected against destruction, loss, alteration and unauthorised access. These security measures also include the encrypted transmission of data between your browser and our serv-ers. Please note that for transfers via the internet, the SSL encryption is only activated when the key symbol appears in the lower menu bar of your browser window and the address begins with . The SSL technology (Secure Sockets Layer) uses encryption to protect the data being transferred from illegal third-party access. If this option is not available you can decide not to send us certain data via the internet.
All the information you send us is stored and processed on our servers in the Federal Republic of Germany.
5. Collaboration with processors and third parties
Data are only transferred to third parties within the framework of statutory provisions. We only transfer user data to third parties when necessary, e.g. for contractual purposes pursuant to Art. 6(1)(b) or on the basis of our legitimate interest in the economical and effective operation of our business pursuant to Art. 6(1)(f) GDPR.
To provide our services we use processors as defined in Art. 28 GDPR, particularly for the op-eration, maintenance and hosting of the website and IT systems. We have taken the appropriate legal precautions and corresponding technical and organisational measures to ensure the pro-tection of personal data in accordance with applicable statutory provisions.
6. Transfers to third countries
When we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in connection with third-party services, it only takes place to perform our (pre-)contractual obligations, with your consent, on the basis of a legal obliga-tion or in our legitimate interests. In these cases we process the data subject to the conditions of Art. 44 et seq. GDPR, i.e. on the basis of special guarantees, such as the Privacy Shield or standard contractual clauses.
7. Social Media Plug-Ins
We embed external services and contents in our website. Via the plug-in we give you the op-portunity to interact with social networks and other users, so that we can improve our offering and make it more interesting for you as a user. The legal basis for the use of these plug-ins is Art. 6(1) sentence 1(f) GDPR.
When we use such services or display third-party contents, communication data such as data, time and IP-address are exchanged between you and the respective provider. This particularly entails your IP-address, which is required to display contents in your browser.
It may be that the provider of the respective services or contents process your data for their own, additional purposes. Since we have no influence over the data collected by third parties and their processing by them, we cannot provide any binding information on the purpose and scope of their processing of your data. For further information about the purpose and scope of data collection and processing, you should therefore consult the data protection policies of the providers responsible under data protection law for the services and contents embedded by us. Here you will also find further references to data processing and opt-out options.
We use the following social media plug-ins: Facebook, Google +, Twitter, XING, LinkedIn and Youtube. You can identify the provider of the plug-in by means of the mark on the box over its first letter or its logo. We give you the opportunity to communicate directly with the provider of the plug-in via the button. When you click on the marked field and so activate it, the plug-in provider receives information that you have retrieved the corresponding webpage of our online offering.
We neither have control over the data collected and the data processing, nor do we know the full extent of data collection, the purposes of processing or the retention periods. We also have no information about deleting the data collected by the plug-in provider.
The plug-in provider stores the data collected about you as a user profile and uses this for the purposes of advertising, market research and/or for the design of its website. Such use takes place particularly (also for users who are not logged in) to present interest-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the compilation of this user profile, whereby you must address the respec-tive plug-in provider to exercise it.
Data are transferred regardless of whether you have an account with the plug-in provider or are logged in there. If you are logged in with the plug-in provider, the data gathered from our web-site is ascribed directly to your account with the plug-in provider. When you click the active but-ton and link the page for example, the plug-in provider stores this information in your user ac-count and shares it with your public contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, since this enables you to avoid the data being added to your profile with the plug-in provider.
Further information about the purpose and scope of data collection and processing by the plug-in provider can be found in the data protection policies of these providers, links to which are provided below. There you will also find further information about your rights and optional settings to protect your privacy.
Addresses of the respective plug-in providers and URL with data protection policies:
- Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php ; further information on data collection: http://www.facebook.com/help/186325668085084 , http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo .
Facebook complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework
- Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; further information about data protection: https://www.google.com/policies/privacy/partners/?hl=de .
Google complies with the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework .
- Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; further information about data protection: https://twitter.com/privacy . Twitter complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework .
- Videos on the platform “YouTube” from the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information on data protection: https://www.google.com/policies/privacy/ . You can opt out at https://www.google.com/settings/ads/.
YouTube complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework .
- LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA;
http://www.linkedin.com/legal/privacy-policy . LinkedIn complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework .
- Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany; http://www.xing.com/privacy.
- Facebook’s ‘Like’ button
Plug-ins from the social network Facebook are integrated in our pages (Facebook Ireland Limited, Hanover Reach, 5–7 Hanover Quay, Dublin 2, Ireland). The Facebook plug-ins can be recognised by the Facebook logo or the ‘Like’ button (‘Gefällt mir’) on our site. An over-view of Facebook plug-ins can be found here: http://developers.facebook.com/docs/plugins/ .
When you visit one of our pages that has this plug-in, your browser establishes a direct connection with the Facebook servers. The content of the plug-in is sent directly by Face-book to your browser, which embeds it in the website. This sends Facebook the information that you have visited that particular page of our website. If you are logged in to Facebook, it can assign your visit to your Facebook account. If you interact with the plug-ins – by click-ing on the ‘Like’ button or by posting a comment, for example – your browser will send this information directly to Facebook where it will be stored. As this communication takes place directly, we are not aware of the data that is sent. For information about the purpose and ex-tent of data collection, further processing and use of the data by Facebook as well as your rights and optional settings to protect your privacy, please refer to Facebook’s data protec-tion policy at http://de-de.facebook.com/privacy/explanation.php .
8. Your rights
When we process your personal data you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and have the following rights to your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
9. Changes to the data protection policy
We reserve the right to amend the data protection policy to adapt it to changes in the law or if services and data processing should change. This only applies to statements on data pro-cessing, however. To the extent that the consent of users is required or elements of the data protection policy include provisions from the contract with users, these changes will only take place with the agreement of the users.
Please consult the data protection policy on a regular basis.