Privacy

(Revised 05/16/2018)

in line with the GDPR (General Data Protection Regulation and the
BDSG (Federal Data Protection Act)

Controller:
Name/company: credativ GmbH
Street no.: Trompeterallee 108
Postcode, city, country: 41189 Mönchengladbach Germany

Commercial registry/no.: Registry Court AG Mönchengladbach HRB 12080
Sales tax ID DE 204566209

Management Board: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Telephone number: +49 2166 9901-0
Email address: info@credativ.de

Data protection officer:
Name: Benjamin Seym
Email address: datenschutz@credativ.de

Please direct all questions on our data protection as well as any requests to erase data or to object to the storage of data, as well as any complaints to our data protection officer.

Basic information on data processing and the legal basis

credativ GmbH thanks you for visiting our website and your interest in our company.

The topic of data protection is a top priority for credativ GmbH. We would therefore like to take this opportunity to tell you how we implement the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

Here you will find information on which of your personal data are processed by credativ GmbH

  • when visiting our website
  • when making a purchase and concluding a contract
  • at events and trade fairs,
  • as well as any other contact (e.g. an application process)
  • at in-house training sessions

how, to what extent, and for what purpose.

This privacy policy applies for all personal data, irrespective of the domains, systems, platforms, devices (e.g. desktop or cell phones) used, or data that are processed by credativ GmbH in any other written form.

The terms used, such as “personal data” or its “processing” comply with the definitions provided in Art. 4 of the General Data Protection Regulation (GDPR).

The term “user” used below includes all categories of persons affected by the data processing. This includes our business partners, customers, prospective customers, training participants, applicants, employees, visitors to the credativ GmbH premises, and other visitors to the credativ GmbH online offer. The terms used, such as “user” are gender neutral.

We collect the following personal data

General contact data:

  • First name and last name
  • Email address
  • Job title
  • Company address
  • Phone numbers

Application process:

  • First name and last name
  • Private address
  • Phone numbers
  • Application photo, where applicable
  • Employer references
  • CV
  • Professional history (education, previous employers, qualifications)

When using our online services:

  • The name of your internet provider
  • The website from which you are visiting us
  • Our website that you are visiting and the history of the visit
  • Browser and operating system used
  • Timestamp of the visit and duration
  • Your IP address in anonymized form

Comments and contributions to our online blog:

  • Anonymized IP addresses
  • Username
  • Website from which you accessed the blog
  • Date of entry

Data of our employees:

  • The data collected for employees are listed separately in a separate document and are made available to the employees for inspection.

When we process personal data

We only process the personal data of users in compliance with the statutory data protection provisions in particular consideration of the GDPR and the BDSG.

This means that user data are only processed in accordance with the statutory provisions. Particularly when:

  • the data processing is necessary or legally required to provide our contractual services (e.g. processing of orders),
  • as well as online services,
  • the user has provided their consent,
  • as well as when this is necessary based on our legitimate interests.

For example, in the event of an interest in the analysis, optimization, and efficient operation and security of our operations within the meaning of Art. 6(1) lit f. GDPR. This includes employee and customer acquisition processes, website analysis (reach measurement, creation of profiles for advertising and marketing purposes, as well as the collection of access data and the use of the services of third-party providers), participation in training and contract administration.

Please note that the legal basis of consent is Art. 6(1) lit. a) and Art. 7 GDPR, the legal basis for the processing to perform our services and implement contractual measures is Art. 6(1) lit. b GDPR, the legal basis for processing to meet our legal obligations is Art. 6(1) lit. c GDPR, and the legal basis for processing to safeguard our legitimate interests is Art. 6(1) lit. f GDPR.

Where we store personal data

Personal data, such as stored contact data of customers and prospective customers are exclusively stored on credativ GmbH’s internal technical system. All software components necessary for this purpose are hosted on credativ GmbH’s internal server systems. We employ technical and organizational measures to ensure that these data are protected from transmission to third parties or unauthorized access.

Information on these data can be provided if an authorized and verified interest exists.

Our security measures

We take organizational, contractual, and technical security measures in line with the relevant state-of-the-art to ensure that the provisions of the data protection legislation are complied with and to protect the data that we process from accidental or intentional manipulation, loss, destruction, and against access by unauthorized persons. The technical organizational measures (TOM) can be inspected if a verified legitimate interest exists.

Access to the credativ GmbH online offer is available in both an encrypted and unencrypted form. When transmitting personal data, e.g. when using the contact form or making comments in the blog, we recommend transmitting data in encrypted form via HTTPS.

Transmission of data to third parties and third-party providers

Data is only transmitted to third parties within the scope of the statutory provisions. For example, we only forward user data to third parties if this is necessary for contractual purposes based on Art. 6(1) lit. b) GDPR or to ensure the efficient and effective operation of our business based on legitimate interests in line with Art. 6(1) lit. f GDPR.

Subcontractors, which also include subsidiaries from the credativ Group, are generally not used to provide services. However, if this is the case, the client needs to provide their express consent in advance. If we commission subcontractors to provide our services, the subcontractors are obliged to meet all the GDPR and BDSG provisions and ensure the relevant technical and organizational measures to protect personal data in accordance with the GDPR and the BDSG.

If contents, tools, or other means are used by other providers (“third-party providers”) as part of the processing of personal data and their registered office is located in a third country, it must be assumed that the data is transferred to the third-party providers’ countries of domicile. Third countries are countries in which the GDPR is not directly applicable, i.e. effectively countries outside the EU and the European Economic Area. Data is only transmitted to third countries if an adequate level of data protection, user consent, or other legal permission exists.

Provision of contractual services (customer registration)

We process master data, contractual data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in line with Art. 6(1) lit. b GDPR and the relevant provisions from the BDSG. Storage takes place based on our legitimate interests as well as the interests of users in protection against misuse and other unauthorized use. These data are generally not transmitted to third parties, unless this is necessary to pursue our claims or an associated legal obligation exists pursuant to Art. 6(1) lit. c GDPR or BDSG.

Establishing contact

When establishing contact with us (via contact form or email), the user’s information is processed to respond to and implement the contact request in accordance with Art. 6(1) lit. b GDPR, and is stored on our systems for further processing. Storage takes place based on our legitimate interests as well as to ensure protection against misuse and other unauthorized use. These data are generally not transmitted to third parties, unless this is necessary to pursue our claims or an associated legal obligation exists pursuant to Art. 6(1) lit. c GDPR or BDSG.

Comments and contributions

When users leave comments or other contributions on our blog, their anonymized IP addresses (last 2 octets are replaced with zeros) and the username are stored based on our legitimate interests within the meaning of Art. 6(1) lit. f GDPR.

Collection of access data and log files

We collect data on every access to our servers (server log files) based on our legitimate interests within the meaning of Art. 6(1) lit. f GDPR.

The access data include:

  • Name of the accessed website
  • Date, time, and duration of access
  • Browser type and version
  • The user’s operating system
  • Referrer URL (previously visited website)
  • IP address in anonymized form and
  • The requesting provider

All credativ GmbH’s technical systems log access. These access attempts (log file information/log file data) are subject to rolling storage for security reasons (e.g. to investigate misuse or fraud) and are then automatically overwritten. Data whose continued storage is required for evidentiary purposes are excluded from this erasure until the final resolution of the specific incident.

Cookies and reach measurement

Cookies are information that is transmitted from our web server or the web servers of third parties to the user’s web browser where it is stored for future access. Cookies may be small files or other types of information storage.

Users are informed of the use of cookies when visiting our website as part of the reach measurement and their consent is requested.

If users do not want cookies to be stored on their computer, they are asked to disable the relevant option in their browser’s system settings. Stored cookies and the information they contain (e.g. session IDs) can be erased in the browser’s system settings. The exclusion of cookies may impair the function of our website.

We use two types of cookies:

Session cookies

which are only stored for the duration of the current visit to our online presence and are deleted after closing the browser. This type of cookie (has_js) checks whether Java Script is enabled in your browser to ensure the optimized display of the web contents.

Persistent cookies

These cookies (“_pk_id.2.fafa” and “_pk_ses.2.fafa”) generate a random, unique identification number that is stored in your browser’s memory. This makes it possible for us to recognize your browser during your next visit so that you are not included in the list of first-time website visitors once again. This information is stored based on our legitimate interests within the meaning of Art. 6(1) lit. f GDPR. A cookie also contains information on its origin and the storage period. These cookies cannot store any other data.

Reach analysis with Matomo (formerly PIWIK)

We use Matomo, open-source software for the statistical evaluation of user access, based on our legitimate interests (i.e. interest in the analysis, optimization, and efficient operation of our online offer within the meaning of Art. 6(1) lit f. GDPR). The user’s IP address is shortened before it is stored. But Matomo uses cookies that are stored on the user’s computer and enable an analysis of the use of this online offer by the user. This allows pseudonymous user profiles of the users to be created from the processed data.

The information on your use of this online offer generated by the cookie is stored on our server and is not forwarded to third parties.

Reach analysis with Google Analytics

We use Google Analytics, software for the statistical evaluation of user access, based on our legitimate interests (i.e. interest in the analysis, optimization, and efficient operation of our online offer within the meaning of Art. 6(1) lit f. GDPR). The user’s IP address is shortened before it is stored. But Google Analytics uses cookies that are stored on the user’s computer and enable an analysis of the use of this online offer by the user. This allows pseudonymous user profiles of the users to be created from the processed data.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Privacy Shield (guarantees the privacy level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Opt-out: Opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated.

Google re/marketing services

We use the marketing and remarketing services (“Google Marketing Services”) provided by

Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043, USA, (“Google”) based on our legitimate interests (i.e. interest in the analysis, optimization, and efficient operation of our online offer within the meaning of Art. 6(1) lit f. GDPR)

Google is certified under the Privacy Shield agreement and therefore guarantees compliance with European data protection law

(https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google Marketing Services allow us to improve the targeting of our advertisements for and on our website in order to only display advertisements to potentially interested users. For example, if a user is displayed advertisements for products in which they were interested on other websites, this is referred to as “remarketing”. For these purposes, Google runs a code when accessing our website and other websites on which Google Marketing Services are active and (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are integrated into the website. They are used to store an individual cookie, i.e. a small file (similar technologies may be used instead of cookies) on the user’s device. The cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file notes which websites the user visited, the content they were interested in, and the offers on which they clicked, as well as additional technical information on the browser and operating system, referring websites, duration of the visit, and other information on the use of the online offer. The user’s IP address is also recorded, in which case, as part of our use of Google Analytics, the IP address is shortened within member states of the European Union or in other contracting parties to the Agreement on the European Economic Area, and is only transmitted to a Google server in the USA in full, where it is then shortened, in exceptional cases. The IP address is not merged with the user’s data within other Google offers. Google may also combine the aforementioned information with this type of information from other sources. If the user subsequently visits other websites, advertisements may be displayed to the user in accordance with their interests.

User data are only processed under a pseudonym as part of the Google Marketing Services. That is, Google does not store and process, e.g. the user’s name or email address, rather it processes the relevant data in relation to the cookie within pseudonymous user profiles. That is, from Google’s perspective, the advertisements are not administered and displayed for a specifically identifiable person, but rather for the cookie owner, irrespective of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected about the users by Google Marketing Services are transmitted to Google and stored on Google’s servers in the USA.

We also use the “Google AdWords” online marketing program as part of the Google Marketing Services. In the case of Google Adwords, every AdWords customer receives a different “conversion cookie”. Cookies can therefore not be tracked via the websites of AdWords customers. The information collected with the cookie is used to create conversion statistics for AdWords customers who have decided to use conversion tracking. The AdWords customers are informed of the total number of users that have clicked on their advertisement and were forwarded to a website with an integrated conversion tracking tag. However, they do not receive any information that they could use to personally identify users.

We may integrate advertisements of third parties based on the “DoubleClick” Google Marketing Service. DoubleClick uses cookies which enable Google and its partner websites to display advertisements based on user visits to this website or other websites on the internet.

We may integrate advertisements of third parties based on the “AdSense” Google Marketing Service. AdSense uses cookies which enable Google and its partner websites to display advertisements based on user visits to this website or other websites on the internet.

We may also use the “Google Optimizer” service. Google Optimizer allows us to track the impact of various changes to a website (e.g. changes to the input fields, the design, etc.) as part of “A/B testing”. Cookies are stored on the user devices for these test purposes. Only pseudonymous user data are processed in this respect.

In addition, we may use the “Google Tag Manager” to integrate and manage the Google Analysis and Marketing Services in our website.

Further information on Google’s use of data for marketing purposes is provided on the overview page: https://www.google.com/policies/technologies/ads, Google’s privacy policy can be found at https://www.google.com/policies/privacy .

If you would like to object to interest-based advertising by Google Marketing Services, you can use the settings and opt-out options provided by Google: http://www.google.com/ads/preferences.

Integration of third-party services and content

We use third-party content or service offers within our online offer based on our legitimate interests (i.e. interest in the analysis, optimization, and efficient operation of our online offer within the meaning of Art. 6(1) lit f. GDPR) in order to integrate their contents and services, such as videos or fonts (“content”). This always requires the third-party providers of this content to record the user IP address as, without the IP address, they would not be able to send the content to their browser. The IP address is therefore required to display this content. We endeavor to only use the content of providers that use the IP address exclusively to deliver the content. Third-party providers may also use Pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” allow information, such as visitor traffic to the pages on this website, to be evaluated. The pseudonymous information can also be stored in cookies on the user’s device and contain technical information on the browser and operating system, referrer websites, duration of visit, as well as other information on the use of our online offer, and may also be combined with this type of information from other sources.

The following list provides an overview of third-party providers as well as their content, and links to their privacy policies, which provide additional information on data processing and objection options (opt-outs), which have already been mentioned above in some cases:

External fonts of Google Inc., https://www.google.com/fonts (“Google Fonts”)
Google Fonts are integrated by accessing a Google server (generally in the USA).
Privacy policy: https://www.google.com/policies/privacy/
Opt-out: https://www.google.com/settings/ads/

Maps of the “Openstreetmap” service of the third-party provider Openstreetmap Foundation
132 Maney Hill Road, Sutton Coldfiled, West Midlands, B721JU
Privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy

Videos of the “YouTube” platform from the third-party provider Google Inc.
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Privacy policy: https://www.google.com/policies/privacy/
Opt-out: https://www.google.com/settings/ads/

Rights of users

Users have the right to receive free information on their personal data that we have stored upon request.

Users also have the right to rectify incorrect data, restrict processing, and erase their personal data where applicable. They are entitled to assert their right to data portability and, in case of suspected unlawful data processing, they have the right to submit a complaint with the competent supervisory authority.

Users may also revoke consents with effect for the future.

Erasure of data

The data that we store are erased as soon as they are no longer required for their intended purpose and the erasure does not breach any statutory storage obligations. If the user data are not erased because they are required for other legally permissible purposes, their processing is restricted. That is, the data are blocked and not processed for other purposes. For example, this applies for user data that needs to be stored for commercial or tax purposes.

Under the statutory provisions, storage takes place for 6 years pursuant to Section 257(1) HGB (German Commercial Code) (trading books, inventories, opening balance sheets, annual financial statements, commercial correspondence, accounting records, etc.) as well as for 10 years pursuant to Section 147(1) AO (German Tax Code) (accounts, records, management reports, accounting documents, commercial and business correspondence, tax-related documents, etc.).

Right to object

Users may object to the future processing of their personal data at any time in line with the statutory provisions. An objection may particularly be submitted against processing for the purposes of direct marketing. Please contact our data protection officer in this respect.

Amendments to the privacy policy

We reserve the right to amend the privacy policy in order to adapt it to changed legal situations or in case of changes to services and data processing. However, this only applies with regard to privacy policies. If user consents are required or parts of the privacy policy contain regulations on the contractual relationship with users, amendments only occur with the consent of the users.

Users are advised to regularly inform themselves of the content of the privacy policy.

Right to lodge a complaint with a supervisory authority

If you have the impression that we are collecting your data unlawfully or are not processing collected data in compliance with the applicable laws, you have the right to lodge a complaint with the competent data protection supervisory authority as regulated in the GDPR.

For credativ GmbH this is the “Landesbeauftragte für den Datenschutz Nordrhein-Westfalen” (State Data Protection Officer for North Rhine-Westphalia) (https://www.ldi.nrw.de/)