in line with the GDPR (General Data Protection Regulation and the
BDSG (Federal Data Protection Act)
Name/company: credativ GmbH
Street no.: Trompeterallee 108
Postcode, city, country: 41189 Mönchengladbach Germany
Commercial registry/no.: Registry Court AG Mönchengladbach HRB 12080
Sales tax ID DE 204566209
Management Board: Dr. Michael Meskes, Sascha Heuer, Geoff Richardson, Peter Lilley
Telephone number: +49 2166 9901-0
Email address: firstname.lastname@example.org
Data protection officer:
Name: Benjamin Seym
Email address: email@example.com
Please direct all questions on our data protection as well as any requests to erase data or to object to the storage of data, as well as any complaints to our data protection officer.
Basic information on data processing and the legal basis
credativ GmbH thanks you for visiting our website and your interest in our company.
The topic of data protection is a top priority for credativ GmbH. We would therefore like to take this opportunity to tell you how we implement the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
Here you will find information on which of your personal data are processed by credativ GmbH
- when visiting our website
- when making a purchase and concluding a contract
- at events and trade fairs,
- as well as any other contact (e.g. an application process)
- at in-house training sessions
how, to what extent, and for what purpose.
The terms used, such as “personal data” or its “processing” comply with the definitions provided in Art. 4 of the General Data Protection Regulation (GDPR).
The term “user” used below includes all categories of persons affected by the data processing. This includes our business partners, customers, prospective customers, training participants, applicants, employees, visitors to the credativ GmbH premises, and other visitors to the credativ GmbH online offer. The terms used, such as “user” are gender neutral.
We collect the following personal data
General contact data:
- First name and last name
- Email address
- Job title
- Company address
- Phone numbers
- First name and last name
- Private address
- Phone numbers
- Application photo, where applicable
- Employer references
- Professional history (education, previous employers, qualifications)
When using our online services:
- The name of your internet provider
- The website from which you are visiting us
- Our website that you are visiting and the history of the visit
- Browser and operating system used
- Timestamp of the visit and duration
- Your IP address in anonymized form
Comments and contributions to our online blog:
- Anonymized IP addresses
- Website from which you accessed the blog
- Date of entry
Data of our employees:
- The data collected for employees are listed separately in a separate document and are made available to the employees for inspection.
When we process personal data
We only process the personal data of users in compliance with the statutory data protection provisions in particular consideration of the GDPR and the BDSG.
This means that user data are only processed in accordance with the statutory provisions. Particularly when:
- the data processing is necessary or legally required to provide our contractual services (e.g. processing of orders),
- as well as online services,
- the user has provided their consent,
- as well as when this is necessary based on our legitimate interests.
For example, in the event of an interest in the analysis, optimization, and efficient operation and security of our operations within the meaning of Art. 6(1) lit f. GDPR. This includes employee and customer acquisition processes, website analysis (reach measurement, creation of profiles for advertising and marketing purposes, as well as the collection of access data and the use of the services of third-party providers), participation in training and contract administration.
Please note that the legal basis of consent is Art. 6(1) lit. a) and Art. 7 GDPR, the legal basis for the processing to perform our services and implement contractual measures is Art. 6(1) lit. b GDPR, the legal basis for processing to meet our legal obligations is Art. 6(1) lit. c GDPR, and the legal basis for processing to safeguard our legitimate interests is Art. 6(1) lit. f GDPR.
Where we store personal data
Personal data, such as stored contact data of customers and prospective customers are exclusively stored on credativ GmbH’s internal technical system. All software components necessary for this purpose are hosted on credativ GmbH’s internal server systems. We employ technical and organizational measures to ensure that these data are protected from transmission to third parties or unauthorized access.
Information on these data can be provided if an authorized and verified interest exists.
Our security measures
We take organizational, contractual, and technical security measures in line with the relevant state-of-the-art to ensure that the provisions of the data protection legislation are complied with and to protect the data that we process from accidental or intentional manipulation, loss, destruction, and against access by unauthorized persons. The technical organizational measures (TOM) can be inspected if a verified legitimate interest exists.
Access to the credativ GmbH online offer is available in both an encrypted and unencrypted form. When transmitting personal data, e.g. when using the contact form or making comments in the blog, we recommend transmitting data in encrypted form via HTTPS.
Transmission of data to third parties and third-party providers
Data is only transmitted to third parties within the scope of the statutory provisions. For example, we only forward user data to third parties if this is necessary for contractual purposes based on Art. 6(1) lit. b) GDPR or to ensure the efficient and effective operation of our business based on legitimate interests in line with Art. 6(1) lit. f GDPR.
Subcontractors, which also include subsidiaries from the credativ Group, are generally not used to provide services. However, if this is the case, the client needs to provide their express consent in advance. If we commission subcontractors to provide our services, the subcontractors are obliged to meet all the GDPR and BDSG provisions and ensure the relevant technical and organizational measures to protect personal data in accordance with the GDPR and the BDSG.
If contents, tools, or other means are used by other providers (“third-party providers”) as part of the processing of personal data and their registered office is located in a third country, it must be assumed that the data is transferred to the third-party providers’ countries of domicile. Third countries are countries in which the GDPR is not directly applicable, i.e. effectively countries outside the EU and the European Economic Area. Data is only transmitted to third countries if an adequate level of data protection, user consent, or other legal permission exists.
Provision of contractual services (customer registration)
We process master data, contractual data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in line with Art. 6(1) lit. b GDPR and the relevant provisions from the BDSG. Storage takes place based on our legitimate interests as well as the interests of users in protection against misuse and other unauthorized use. These data are generally not transmitted to third parties, unless this is necessary to pursue our claims or an associated legal obligation exists pursuant to Art. 6(1) lit. c GDPR or BDSG.
When establishing contact with us (via contact form or email), the user’s information is processed to respond to and implement the contact request in accordance with Art. 6(1) lit. b GDPR, and is stored on our systems for further processing. Storage takes place based on our legitimate interests as well as to ensure protection against misuse and other unauthorized use. These data are generally not transmitted to third parties, unless this is necessary to pursue our claims or an associated legal obligation exists pursuant to Art. 6(1) lit. c GDPR or BDSG.
Comments and contributions
When users leave comments or other contributions on our blog, their anonymized IP addresses (last 2 octets are replaced with zeros) and the username are stored based on our legitimate interests within the meaning of Art. 6(1) lit. f GDPR.
Collection of access data and log files
We collect data on every access to our servers (server log files) based on our legitimate interests within the meaning of Art. 6(1) lit. f GDPR.
The access data include:
- Name of the accessed website
- Date, time, and duration of access
- Browser type and version
- The user’s operating system
- Referrer URL (previously visited website)
- IP address in anonymized form and
- The requesting provider
All credativ GmbH’s technical systems log access. These access attempts (log file information/log file data) are subject to rolling storage for security reasons (e.g. to investigate misuse or fraud) and are then automatically overwritten. Data whose continued storage is required for evidentiary purposes are excluded from this erasure until the final resolution of the specific incident.
Cookies and reach measurement
Cookies are information that is transmitted from our web server or the web servers of third parties to the user’s web browser where it is stored for future access. Cookies may be small files or other types of information storage.
If users do not want cookies to be stored on their computer, they are asked to disable the relevant option in their browser’s system settings. Stored cookies and the information they contain (e.g. session IDs) can be erased in the browser’s system settings. The exclusion of cookies may impair the function of our website.
We use two types of cookies:
which are only stored for the duration of the current visit to our online presence and are deleted after closing the browser. This type of cookie (has_js) checks whether Java Script is enabled in your browser to ensure the optimized display of the web contents.
These cookies (“_pk_id.2.fafa” and “_pk_ses.2.fafa”) generate a random, unique identification number that is stored in your browser’s memory. This makes it possible for us to recognize your browser during your next visit so that you are not included in the list of first-time website visitors once again. This information is stored based on our legitimate interests within the meaning of Art. 6(1) lit. f GDPR. A cookie also contains information on its origin and the storage period. These cookies cannot store any other data.
Reach analysis with Matomo (formerly PIWIK)
The information on your use of this online offer generated by the cookie is stored on our server and is not forwarded to third parties.
Reach analysis with Google Analytics
Google re/marketing services
We use the marketing and remarketing services (“Google Marketing Services”) provided by
1600 Amphitheatre Parkway
Mountain View, CA 94043, USA, (“Google”) based on our legitimate interests (i.e. interest in the analysis, optimization, and efficient operation of our online offer within the meaning of Art. 6(1) lit f. GDPR)
Google is certified under the Privacy Shield agreement and therefore guarantees compliance with European data protection law
Google Marketing Services allow us to improve the targeting of our advertisements for and on our website in order to only display advertisements to potentially interested users. For example, if a user is displayed advertisements for products in which they were interested on other websites, this is referred to as “remarketing”. For these purposes, Google runs a code when accessing our website and other websites on which Google Marketing Services are active and (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are integrated into the website. They are used to store an individual cookie, i.e. a small file (similar technologies may be used instead of cookies) on the user’s device. The cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file notes which websites the user visited, the content they were interested in, and the offers on which they clicked, as well as additional technical information on the browser and operating system, referring websites, duration of the visit, and other information on the use of the online offer. The user’s IP address is also recorded, in which case, as part of our use of Google Analytics, the IP address is shortened within member states of the European Union or in other contracting parties to the Agreement on the European Economic Area, and is only transmitted to a Google server in the USA in full, where it is then shortened, in exceptional cases. The IP address is not merged with the user’s data within other Google offers. Google may also combine the aforementioned information with this type of information from other sources. If the user subsequently visits other websites, advertisements may be displayed to the user in accordance with their interests.
User data are only processed under a pseudonym as part of the Google Marketing Services. That is, Google does not store and process, e.g. the user’s name or email address, rather it processes the relevant data in relation to the cookie within pseudonymous user profiles. That is, from Google’s perspective, the advertisements are not administered and displayed for a specifically identifiable person, but rather for the cookie owner, irrespective of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected about the users by Google Marketing Services are transmitted to Google and stored on Google’s servers in the USA.
We also use the “Google AdWords” online marketing program as part of the Google Marketing Services. In the case of Google Adwords, every AdWords customer receives a different “conversion cookie”. Cookies can therefore not be tracked via the websites of AdWords customers. The information collected with the cookie is used to create conversion statistics for AdWords customers who have decided to use conversion tracking. The AdWords customers are informed of the total number of users that have clicked on their advertisement and were forwarded to a website with an integrated conversion tracking tag. However, they do not receive any information that they could use to personally identify users.
We may also use the “Google Optimizer” service. Google Optimizer allows us to track the impact of various changes to a website (e.g. changes to the input fields, the design, etc.) as part of “A/B testing”. Cookies are stored on the user devices for these test purposes. Only pseudonymous user data are processed in this respect.
In addition, we may use the “Google Tag Manager” to integrate and manage the Google Analysis and Marketing Services in our website.
If you would like to object to interest-based advertising by Google Marketing Services, you can use the settings and opt-out options provided by Google: http://www.google.com/ads/preferences.
Integration of third-party services and content
We use third-party content or service offers within our online offer based on our legitimate interests (i.e. interest in the analysis, optimization, and efficient operation of our online offer within the meaning of Art. 6(1) lit f. GDPR) in order to integrate their contents and services, such as videos or fonts (“content”). This always requires the third-party providers of this content to record the user IP address as, without the IP address, they would not be able to send the content to their browser. The IP address is therefore required to display this content. We endeavor to only use the content of providers that use the IP address exclusively to deliver the content. Third-party providers may also use Pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” allow information, such as visitor traffic to the pages on this website, to be evaluated. The pseudonymous information can also be stored in cookies on the user’s device and contain technical information on the browser and operating system, referrer websites, duration of visit, as well as other information on the use of our online offer, and may also be combined with this type of information from other sources.
The following list provides an overview of third-party providers as well as their content, and links to their privacy policies, which provide additional information on data processing and objection options (opt-outs), which have already been mentioned above in some cases:
External fonts of Google Inc., https://www.google.com/fonts (“Google Fonts”)
Google Fonts are integrated by accessing a Google server (generally in the USA).
Maps of the “Openstreetmap” service of the third-party provider Openstreetmap Foundation
132 Maney Hill Road, Sutton Coldfiled, West Midlands, B721JU
Videos of the “YouTube” platform from the third-party provider Google Inc.
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Rights of users
Users have the right to receive free information on their personal data that we have stored upon request.
Users also have the right to rectify incorrect data, restrict processing, and erase their personal data where applicable. They are entitled to assert their right to data portability and, in case of suspected unlawful data processing, they have the right to submit a complaint with the competent supervisory authority.
Users may also revoke consents with effect for the future.
Erasure of data
The data that we store are erased as soon as they are no longer required for their intended purpose and the erasure does not breach any statutory storage obligations. If the user data are not erased because they are required for other legally permissible purposes, their processing is restricted. That is, the data are blocked and not processed for other purposes. For example, this applies for user data that needs to be stored for commercial or tax purposes.
Under the statutory provisions, storage takes place for 6 years pursuant to Section 257(1) HGB (German Commercial Code) (trading books, inventories, opening balance sheets, annual financial statements, commercial correspondence, accounting records, etc.) as well as for 10 years pursuant to Section 147(1) AO (German Tax Code) (accounts, records, management reports, accounting documents, commercial and business correspondence, tax-related documents, etc.).
Right to object
Users may object to the future processing of their personal data at any time in line with the statutory provisions. An objection may particularly be submitted against processing for the purposes of direct marketing. Please contact our data protection officer in this respect.
Right to lodge a complaint with a supervisory authority
If you have the impression that we are collecting your data unlawfully or are not processing collected data in compliance with the applicable laws, you have the right to lodge a complaint with the competent data protection supervisory authority as regulated in the GDPR.
For credativ GmbH this is the “Landesbeauftragte für den Datenschutz Nordrhein-Westfalen” (State Data Protection Officer for North Rhine-Westphalia) (https://www.ldi.nrw.de/)