Privacy Policy of collaboration Factory AG
Date: August 2023
1. Introduction
In this Privacy Policy you will learn,
- how we process your personal data in the context of your use of our websites and Internet services.
2. Controller
This Privacy Policy applies to data processing by us as Controller pursuant to Article 4 (7) of the General Data Protection Regulation (GDPR). Our contact details are:
collaboration Factory AG
Arnulfstraße 34
D-80335 Munich
Represented by: Dr. Rupert Stuffer (CEO) and Hartmut Schaper (Co-CEO)
Registry Court and -number: Munich, HRB 262367
Contact:
E-Mail: [email protected]
Tel: +49 (0)89 809133 230
Fax: +49 (0)89 809133 239
3. Data Protection Officer
External Data Protection Officer
Dr. Jochen Notholt
comp/lex – Lösungen & Dienste
Lindwurmstr. 10
80337 Munich
Germany
E-Mail: [email protected]
Tel: +49 (0)89 41614295 0
4. Definition of Terms
Unless this Privacy Policy contains or implies a different definition, reference is made to the definitions in Art. 4 GDPR with regard to the terms used.
5. Processing of Your Personal Data
5.1. When accessing our websites
When you access our websites, i.e. if you do not transfer information to us in any other way, we or the host provider acting on our behalf only collect the personal data that your browser transfers to our server. If you wish to view our websites, we collect the following data:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access status/HTTP status code
- Amount of data transferred in each case
- website, from which the request comes
- Operating system
- Language and version of the browser software
This data is technically necessary for us to display and provide you with our websites. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR. This data is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until the final clarification of the respective incident. The hosting service provider we use processes personal data for us on assignment and within the scope of our instructions as a so-called Processor pursuant to Art. 28 GDPR.
5.2. Cookie usage
Our websites use cookies. Cookies are usually small text files that are stored in the browser directory or program data subdirectories of your computer. They are created when you use your browser to visit a website that uses cookies.
Cookies are stored in the browser directory of your computer or in subfolders during your visit to our websites either for the duration of your visit or in case you visit our websites again at a later time. They enable our websites to retrieve or store information about you, your settings or your device from your browser. They are mainly used to ensure the expected functionality of the websites. As a rule, cookies do not contain information that could directly identify you. However, they allow us to provide you with a more personalized web experience.
We distinguish the following categories of cookies and related data processing:
1. Strictly necessary
2. Experience enhancement
3. Measurement
4. Targeting & Advertising
| Tool | Cookie name | Category |
|---|---|---|
|  | _ga | Measurement |
|  | NID | Targeting & Advertising |
| DoubleClick (Google) | DSID | Targeting & Advertising |
| iubenda | _iub_cs-252372 | Strictly necessary |
| Hubspot | __hstc | Measurement |
| LinkedIn Ads | GAID | Targeting & Advertising |
|  | AnalyticsSyncHistory | Measurement |
| Google Ads | AID | Targeting & Advertising |
5.3. Analytics through Google Analytics 4
Our websites optionally use Google Analytics 4 so that we can further improve future websites. You can consent to the use of Google Analytics 4 when accessing the websites. You can revoke your consent to the use of Google Analytics 4 at any time. If you give us your consent, we evaluate the use of the websites. However, we do not make an allocation at the individual level. For this purpose, we process the following personal data from you
- IP address (anonymized)
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access status/HTTP status code
- Amount of data transferred in each case
- website, from which the request comes
- browser
- Information about your end device
- Operating system and its interface
- Language and version of the browser software
- screen and window resolution
- Your approximate location
- Information about the time you spend on the site
- Information about actions you perform on the websites
As already mentioned, we process this data exclusively with your consent. The legal basis for this is Art. 6 para. 1 lit. a GDPR.
In the context of the use of the Google Analytics 4 services, there are also data transfers from Google to affiliated companies and/or subcontracted processors. In this context, the above-mentioned data may be transferred to the USA and stored there. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can also request these documents from us using the contact details provided in section 2.
5.4. Use of Google Ads Remarketing
In rare cases, we use the remarketing function within the Google Ads service. The remarketing function allows us to present users of our websites with advertisements based on their interests on other websites within the Google advertising network (in Google Search or on YouTube, so-called “Google Ads” or on other websites). You may consent to the use of Google Ads Remarketing when you access the websites. You can revoke your consent to the use of Google Ads Remarketing at any time. If you give us your consent, we evaluate the use of the websites in order to play you interest-based advertising on other websites. However, we do not make an allocation at the individual level. For this purpose, we process the following personal data from you
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete terms)
- Access status/HTTP status code
- Amount of data transferred in each case
- website, from which the request comes
- browser
- Information about your terminal device
- Operating system and its interface
- Language and version of the browser software
- screen and window resolution
- Your approximate location
- Information about the time you spend on the site
- Information about actions you perform on the websites
As already mentioned, we process this data exclusively with your consent. The legal basis for this is Art. 6 para. 1 lit. a GDPR.
In the context of the use of the Google Ads Remarketing services, there are also data transfers from Google to affiliated companies and/or subcontracted processors. In this context, the above-mentioned data may be transferred to the USA and stored there. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can also request these documents from us using the contact details provided in section 2.
In addition to the possibility of revoking consent to this data processing, you can additionally prevent participation in this tracking procedure in various ways:
- by adjusting your browser software settings accordingly; in particular, suppressing third-party cookies will prevent you from receiving third-party ads;
- by installing the plug-in provided by Google at the following link: https://www.google.com/settings/ads/plugin;
- by disabling the interest-based ads of the providers that are part of the “About Ads” self-regulatory campaign at the link http://www.aboutads.info/choices, with this setting being deleted when you delete your cookies;
- by permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome at the link http://www.google.com/settings/ads/plugin,
- by means of the corresponding cookie setting. We would like to point out that in this case you may not be able to use all functions of this offer to their full extent.
5.5. Use of the Google Tag Manager
We use the Google Tag Manager on our websites. The Google Tag Manager is a service of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Through Google Tag Manager, we can include various codes and services on our websites in an orderly and simplified manner. This allows us to manage website tags via one interface. When a tag is triggered, Google may process information (including personal data). In particular, the following personal data is processed by Google Tag Manager:
- Online identifiers (including cookie identifiers)
- IP address
We use the Google Tag Manager in our interest to be able to make a simplified and clear integration of various services. In addition, the integration of the Google Tag Manager optimizes the loading times of the various services. The legal basis for this is Art. 6 para. 1 lit. f GDPR.
Google processes the data on our behalf as a so-called Processor pursuant to Art. 28 GDPR. In the context of using the services of the Google Tag Manager, there are also data transfers from Google to affiliated companies and/or subcontractors. In this context, the above-mentioned data may be transferred to the USA and stored there. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can also request these documents from us using the contact details provided in section 2.
5.6. Analytics through LinkedIn Insight Tags
Our websites optionally use the LinkedIn Insight Tag, a service of LinkedIn Ireland Ltd, Wilton Plaza, Wilton Place, Dublin 2, Ireland. The LinkedIn Insight Tag stores and processes information about your user behavior on our websites. For this purpose, the LinkedIn Insight Tag uses, among other things, pixels, i.e. small image files that are stored locally in the cache of your web browser on your end device and that enable an analysis of your use of our websites. We process your data to evaluate campaigns and collect information about website visitors who may have reached us through our campaigns on LinkedIn. You can consent to the use of the LinkedIn Insight Tag when accessing the websites. You can revoke your consent to the use of the LinkedIn Insight Tag at any time. If you give us your consent, we evaluate the use of the websites. For this purpose, we process the following personal data from you:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete terms)
- Access status/HTTP status code
- Amount of data transferred in each case
- website from which the request comes
- browser
- Information about your terminal device
- Operating system and its interface
- Language and version of the browser software
- screen and window resolution
- Your approximate location
- Information about the time you spend on the site
- Information about actions you perform on the websites
- demographic information if you are an active LinkedIn member.
As already mentioned, we process this data exclusively with your consent. The legal basis for this is Art. 6 para. 1 lit. a GDPR.
In the context of the use of LinkedIn Analytics services, there are also data transfers from the LinkedIn Insight Tag to affiliated companies and/or subcontracted processors. In this context, the above-mentioned data may be transferred to the USA and stored there. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can also request these documents from us using the contact details provided in section 2.
5.7. Handling Support Requests using Efecte
We use Efecte to handle incoming support requests. Efecte is a service provided by Efecte Germany GmbH, Fürstenrieder Straße 279a, 81377 München. Efecte is used to integrate contact forms and forward your requests to us. In particular, the following personal data is processed by Efecte when you submit a support request to us:
- E-mail address
- Name
- Your address
- Information about your request (including text entries, photographs, videos)
We use Efecte in our interest to integrate a convenient and simple solution for handling support requests and to be able to guarantee you fast and uncomplicated processing of your requests in this way. The legal basis for this is Art. 6 para. 1 lit. f GDPR. The use of Efecte is optional. If you do not agree to us processing your data using Efecte, we offer you alternative contact options for submitting support requests by phone or mail.
Efecte processes the data on our behalf as a so-called Processor pursuant to Art. 28 GDPR. The data processing takes place exclusively in a country of the European Union or the European Economic Area.
5.8. In the context of contacting us by e-mail
We process e-mails that you transfer to us and we transfer to you using the services of our e-mail provider. In the context of e-mail communication, our e-mail provider processes your personal data (i.e. your e-mail address and the information you provide in the e-mail) on our assignment to enable us to communicate with you by e-mail or, if you are our customer, to process the contract. The processing of your personal data occurs on the basis of Art. 6 para. 1 lit. f or Art. 6 para. 1 lit. b GDPR. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.
5.9. Within the framework of the subscription to our newsletter
With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. In addition, our newsletters contain information about our products, promotions and our company.
For the registration to our newsletter we use the so-called double opt-in procedure. This means that after your registration, we will send you an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the newsletter. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.
Mandatory information for sending the newsletter are your e-mail address and name. After your confirmation, we store your e-mail address for the purpose of sending the newsletter and your name for the purpose of personal address in the mailings. The legal basis is Art. 6 para. 1 lit. a GDPR. We store your e-mail address for this purpose until you revoke your consent.
For mailing our newsletter, we use the services of service providers who process personal data on our behalf and within the scope of our instructions as so-called Processors in accordance with Art. 28 GDPR. This also includes service providers based in the USA. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can request these documents from us using the contact details provided in section 2.
5.10. In the context of contact by telephone
If you contact us by phone, we need your personal data (e.g. name, contact details, etc.) to process your inquiry or request. This data processing is necessary to enable us to communicate with you or, if you are our customer, to process the contract. The processing of your personal data is based on Art. 6 para. 1 lit. f or Art. 6 para. 1 lit. b GDPR. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.
5.11. Within the scope of contacting us via contact form
If you contact us via contact form, we need your personal data (especially your first name, last name, salutation, company and e-mail address) to process your inquiry or request. This data processing is necessary to enable us to communicate with you or, if you are our customer, to process the contract. The processing of your personal data is based on Art. 6 para. 1 lit. f or Art. 6 para. 1 lit. b GDPR. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.
5.12. In the context of surveys with Microsoft Forms
To conduct surveys, we use Microsoft Forms from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”). Microsoft Forms enables us to design and evaluate surveys and online forms.
Participation in surveys is voluntary. On the basis of the survey results, we make anonymous evaluations that have no reference to the person surveyed. Nevertheless, Microsoft may collect and store metadata, such as your IP address, when you call up the web application.
The provision of personal data, such as e-mail address, is voluntary. The processing of this data is based on Art. 6 para. 1 lit. a GDPR. We delete the data if it is no longer required and there are no legal obligations to the contrary.
We have concluded an order processing agreement with Microsoft for the use of Microsoft Forms, which obliges Microsoft to protect the data of our site visitors and not to pass it on to third parties. Processing regularly takes place within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. However, data transfers to the USA cannot be ruled out.
The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can also request these documents from us using the contact details provided in section 2.
Further information on Microsoft Forms can be found here: https://support.office.com/de-de/forms.
Further information on Microsoft’s data protection policy can be found at: https://privacy.microsoft.com/de-de/privacystatement.
5.13. In the context of your participation in our annual conference
The digital part of our annual PPM conference cplace Day/DIGI CON takes place on the event platform HyperCon. HyperCon, the service provider used and contractually bound by us, processes personal data on our behalf and within the scope of our instructions as a so-called order processor in accordance with GDPR, Art. 28. When you access this event website, we, respectively, the provider of hosting services contracted by us, will exclusively collect the personally identifiable data your browser transmits to our server. Specifically, these include:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of request (specific page)
- Access status/HTTP status code
- Volume of data transmitted
- Website initiating the request
- Browser
- Operating system and its user interface
- Browser software language and version
- Information about your device
We need these data for technical purposes to provide you with access to the event platform. The legal basis for this processing of your data is GDPR, Art. 6(1)(f) – your consent in the context of registration for the event and GDPR, Art. 6 (1) (b) for our contract fulfillment. These data are stored for the duration of no more than 14 days for security reasons (e.g. to support investigations of misuse or fraudulent activities), and will be deleted thereafter. Data which must be stored as evidence beyond that period are exempt from erasure pending final resolution of the case in question. Hypercon’s privacy policy can be found at: https://www.iubenda.com/privacy-policy/36889631/legal?ifr=true&height=80….
5.13.1 Analytics through Google Analytics 4
Our event websites use Google Analytics 4. See point 5.3.
5.13.2 Use of Vimeo for the event recordings
The conference content, e.g. speaker presentations, will be recorded. The video recordings will be uploaded to the COLLABORATION FACTORY channel on Vimeo after the event and then embedded on our event website. Vimeo (Vimeo LLC, 555 West 18th Street New York, NY 10011 USA) is responsible for complying with applicable privacy protection laws in connection with the use of the Vimeo platform. To read Vimeo’s privacy policy please go to https://vimeo.com/privacy.
For the purposes specified above, Vimeo will, to the best of our knowledge, process the following personally identifiable data from you:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of request (specific page)
- Access status/HTTP status code
- Volume of data transmitted
- Website initiating the request
- Browser
- Operating system and its user interface
- Browser software language and version
- Information about interaction with the Vimeo plug-in
- Device identifier of your equipment if applicable
- Version of the Vimeo software used by us
- Information about playbacks of the video to date
- Information about the way the video has been played back (e.g. full screen)
The legal basis for the processing of personally identifiable data in connection with the use of Vimeo videos, and for the associated transmission of personally identifiable data to Vimeo Inc. is Art. 6(1)(1)(b). We will process and transmit your data to perform our contractual obligation to carry out cplace Digi Con 2021 as agreed with you.
Vimeo will inevitably receive the data specified above. Vimeo is a service rendered by a provider from the USA. Furthermore, we cannot exclude that data may additionally be routed by Internet servers located outside the EU. In particular, this may be the case when you as a participant are located in a third country. This means that your personally identifiable data will likewise be processed in a third country. Agreement of the so-called EU standard contractual terms and conditions ensures an adequate level of privacy protection. The legal basis for this transmission of data is GDPR, Art. 46(2)(c). Furthermore, transmission of your data to the USA is necessary for us to meet our contractual obligation to carry out cplace Digi Con 2021 as agreed with you. The legal basis for this is GDPR, Art. 49(1)(1)(b).
There is no obligation to access any videos.
5.14. In the context of playing embedded videos via YouTube, and the use of Google Fonts
Google Fonts is a typeface visualization service provided by Google Ireland Limited that allows websites to incorporate content of this kind on their pages. In this context and to our knowledge, Google processes usage data and tracking data.
You can find more information on Google Fonts here: https://policies.google.com/privacy
For our websites, Google Fonts are hosted by ourselves, thus no personal data is transferred to Google.
However, if you want to play embedded videos on our websites, Google Fonts are used, which are provided by Google Ireland Ltd. Therefore, we ask you beforehand for your consent according to Art. 6 para. 1 lit. a and Art. 49 para. 1 lit. a GDPR. When playing the videos, the following personal data will be processed from you:
- Tracker
- UUID
5.15. In the context of playing embedded videos via Vimeo
Some embedded videos on our websites are provided via Vimeo. Vimeo (Vimeo LLC, 555 West 18th Street New York, NY 10011 USA) is responsible under data protection law for the operation of the Vimeo platform. You can find Vimeo’s data protection notice at: https://vimeo.com/privacy
To our knowledge, Vimeo processes the following personal data about you in this context:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of request (specific page)
- Access status/HTTP status code
- Volume of data transmitted
- Website initiating the request
- Browser
- Operating system and its user interface
- Browser software language and version
- Information about interaction with the Vimeo plug-in
- Device identifier of your equipment if applicable
- Version of the Vimeo software used by us
- Information about playbacks of the video to date
- Information about the way the video has been played back (e.g. full screen)
Before playing a video, we ask for your consent according to Art. 6 para. 1 lit. a and Art. 49 para. 1 lit. a GDPR.
Vimeo will inevitably receive the data specified above. Vimeo is a service rendered by a provider from the USA. Furthermore, we cannot exclude that data may additionally be routed by Internet servers located outside the EU. In particular, this may be the case when you as a participant are located in a third country. This means that your personally identifiable data will likewise be processed in a third country. Agreement of the so-called EU standard contractual terms and conditions ensures an adequate level of privacy protection. The legal basis for this transmission of data is Art. 46 para. 2 lit. c GDPR.
5.16. As part of the recruiting process
We process the following personal data from you for this purpose:
- Contact data (esp. name, address, date of birth, telephone number, e-mail).
- Application data (i.e. all data that you have submitted or provided to us as part of your application, e.g. details of professional qualifications and school education, details of further professional training, cover letters, certificates, references from employers, etc.)
We process this data for the following purposes:
- Establishing employment contracts
- Building a talent pool to manage applicants for future positions
The legal basis for the processing is:
- Art. 6 para. 1 lit. b GDPR
- Art. 6 para. 1 lit. f GDPR
- Art. 6 para. 1 lit. a GDPR (especially for our Talent Pool)
- § 26 BDSG
Justification of legitimate interest:
collaboration Factory is in a constant state of development and growth. The acquisition of new partners, customers and thus projects enables us to further penetrate the market. Our project successes and the further distribution of our product are based, among other things, on the cooperation with competent and motivated employees.
In order to cope with current and future tasks, we need to further increase our staffing levels. Recruiting new employees is a decisive criterion in this regard.
Furthermore, collaboration Factory wants to position and present itself in the market as a valuable and long-term employer.
Applicants visit so-called applicant or recruiting fairs with the intention of applying for jobs offered by the companies represented. From this point of view, the personal data used in this context are made available for processing of their own will and impulse. The data to be processed is to be regarded as rather uncritical and is also shared by the applicants on social networks, among other things.
The overall consideration and weighing of the above-mentioned points leads to the assessment that the risk of our applicants suffering damage as data subjects through a personal data breach according to Article 4 (12) of the GDPR is to be classified as very low to non-existent.
Recipients of this data are:
- Internally: supervisors or internal departments responsible for hiring the person, managing directors or persons authorized to represent the company.
- Externally: Order processors for personnel data processing
- Personio GmbH (Rundfunkplatz 4, 80335 Munich, Germany) has been commissioned as a processor. The service provider used by us and bound by contract processes personal data for us on behalf of and within the scope of our instructions as a so-called order processor pursuant to Art. 28 GDPR.
Deletion of data:
If no employment contract is concluded with the applicant, the application documents will be deleted no later than six months after notification of the rejection decision, provided that no other legitimate interests of the controller conflict with such deletion. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).
Data stored in the talent pool will be deleted after 5 years at the latest, unless consent is revoked by the applicant.
5.17. Usage of Hubspot
Our websites use the service HubSpot (HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, Phone: +353 1 5187500). Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. These include: Email marketing, social media publishing & reporting, reporting, campaign controlling, contact management (e.g. user segmentation & CRM), landing pages and contact forms.
Hubspot enables website visitors to take advantage of marketing offers, download marketing content, and get in touch with us. The contact information left by our visitors is stored on HubSpot servers and used by us solely for our marketing efforts. All information we collect is subject to our privacy policy.
As part of our marketing measures, the following data may be collected and processed via Hubspot:
- Geographical position
- Browser type
- Navigation information
- Referral URL
- Performance data
- Information about how often the application is used
- Mobile apps data
- HubSpot subscription service credentials
- Files that are displayed on site
- Domain names
- Pages viewed
- Aggregated usage
- Operating system version
- Internet service provider
- IP address
- Device identifier
- Duration of visit
- Where the application was downloaded from
- Operating system
- Events that occur within the application
- Access times
- Clickstream data
- Device model and version
In addition, we also use Hubspot to provide forms, e.g. our contact form. If you leave personal data (e.g. name, email address, etc.) in our forms, we use this data to process your inquiry or request. This data processing is necessary to enable us to communicate with you. The processing of your personal data is based on Art. 6 para. 1 lit. f or Art. 6 para. 1 lit. b GDPR. The personal data will be kept for as long as it is necessary to fulfill the purpose of processing. The data will be deleted as soon as they are no longer required to achieve the purpose.
Further information in this regard can be found in section 5.11 of this privacy policy.
In the context of the use of HubSpot’s services, the above-mentioned data may be transferred to the USA and stored there. The security of the transfer is secured by so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914…. Alternatively, you can also request these documents from us using the contact details provided in section 2.
More information on HubSpot’s privacy policy.
More information from HubSpot regarding EU data protection regulations.
More information about the cookies used by HubSpot can be found here & here.
5.18. Usage of Training bookings and execution
We offer the opportunity to book training courses from the cplace Academy (e-learning, classroom training) on our websites.
The following categories of personal data are processed:
- Master data (e.g. surname, first name, company affiliation)
- Contact data (e.g. e-mail address, billing address)
- User data (e.g. GitHub username, user name of the cplace training environments)
- Content data (in particular texts that you leave in the comment fields)
- Communication data (e.g. content in emails in the context of further, personal communication)
- Training status (e.g. status of participation, certificates of attendance)
- Online data (personal data that is transmitted when you visit our cplace training environments or websites, e.g. via your browser, see above)
We process this data for the following purposes:
- Providing an online system to carry out the booking process
- Establishment and conclusion of a contractual relationship for training services
- Preparation, implementation and follow-up activities of the booked training courses
The legal bases for the processing are:
- Art. 6 para. 1 lit. a GDPR
- Art. 6 para. 1 lit. b GDPR
- Art. 6 para. 1 lit. f GDPR
Justification of the legitimate interest:
Our legitimate interest lies in bringing our customers, partners, employees and interested parties closer to the use, possible applications and potentials associated with our product in a methodically and didactically prepared form and also to disseminate cplace knowledge in the community via this channel.
This directly serves the further penetration of our product into the market and thus represents a contribution to the business model of collaboration Factory AG.
The personal data to be processed is not considered critical. In particular, protective measures are also taken (e.g. double opt-in in the booking process), which make the misuse of personal data significantly more difficult. In this processing, no personal data of special categories pursuant to Art. 9 para. 1 GDPR are processed.
The risk for the person concerned of suffering damage in accordance with Art. 4 para. 12 GDPR (violation of the protection of personal data) is to be classified as very low. We therefore consider our legitimate interest to be legitimate and feasible in consideration of the aforementioned points.
The recipients of this data are:
- Internal: Employees of collaboration Factory AG
- External: Processors
The processing of personal data is also carried out by our hosting service providers as our subcontractors.
Our websites and cplace installation are operated on servers of hosting service providers located in Germany, the EU or the EEA.
We currently work with the following hosting service provider:
For the hosting of cplace installations
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen
Further information on data protection, security of processing and the status of the hosting service provider’s certifications can be found under the following links:
https://www.hetzner.com/de/legal/privacy-policy
https://www.hetzner.com/de/unternehmen/zertifizierung
https://www.hetzner.com/AV/TOM.pdf
For the operation of our websites:
Mittwald CM Service GmbH & Co. KG, Königsberger Str. 4 – 6, 32339 Espelkamp
The hosting service providers are contractually bound and function as Processors on our behalf in accordance with Art. 28 GDPR.
6. Deletion of Data
The data processed by us will be deleted in accordance with Art. 17 GDPR or its processing will be restricted in accordance with Art. 18 GDPR.
Unless otherwise regulated in this Privacy Policy, the data processed by us will be deleted as soon as it is no longer necessary for its intended purpose and the deletion does not conflict with any statutory retention obligations. We review the necessity every six months.
In accordance with legal requirements in Germany, the retention or storage of, in particular, books, records, inventories, annual financial statements, management reports, the opening balance sheet as well as the work instructions and other organizational documents required for their comprehension, the received and sent commercial or business letters, the accounting vouchers as well as other documents, insofar as they are of significance for taxation, is carried out for ten years in accordance with Section 147 (1) of the German Fiscal Code (Abgabenordnung – AO). This also applies to any personal data of data subjects contained in the aforementioned documents.
7. Rights of Data Subjects
You have the right:
- to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- in accordance with Art. 16 GDPR, to immediately request the correction of incorrect personal data or the completion of your personal data stored by us;
- in accordance with Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
- in accordance with Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
- in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another Controller;
- to complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.
8. Revocation of Given Consents
If we process your personal data on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR, you have the right to revoke any consent granted to us pursuant to Art. 7 (3) GDPR with effect for the future.
If you wish to exercise your right of withdrawal, you can do so by sending an e-mail to [email protected]. Alternatively, you can also use the contact details mentioned above under point 2.
9. Objection in Case of Processing Based on Legitimate Interest
If we process your personal data on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which is implemented by us without specifying a particular situation.
If you would like to exercise your right to object, you can notify us by e-mail at [email protected]. Alternatively, you can also use the contact details mentioned above under point 2.
10. Security Measures
We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. The security measures include in particular the encrypted transmission of data between your browser and our server.
11. Changes to this Privacy Policy
We reserve the right to change our Privacy Policy if this should be necessary due to new technologies or changes in our data processing procedures or in order to adapt it to changes in the legal situation applicable to us. However, this only applies to this Privacy Policy. If we process your personal data on the basis of your consent or if parts of the Privacy Policy contain provisions of the contractual relationship with you, any changes will only be made with your consent.
The current version of our Privacy Policy can be found at www.cplace.com/en/privacy.