Data Privacy Statement

Data protection is of particularly high importance to our company. Generally, our website can be used without providing any personal data. However, if a person wishes to use special services of our company online, the processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such a processing, we request the consent of the person concerned (the “data subject”) in general.

The processing of personal data, e.g. a data subject’s name, postal address, email address or telephone number, always takes place in accordance with the Federal Data Protection Act (BDSG), the EU General Data Protection Regulation (GDPR) becoming effective on 25 May 2018, and any laws applicable together with the aforesaid. With this Data Privacy Statement, our company intends to provide information about the type, scope and purpose of the personal data processed by us and inform the data subjects about their rights.

Our company has implemented numerous technical and organisational measures to ensure complete protection of the processed personal data as much as possible. However, internet-based data transmission may always involve security gaps so that absolute protection cannot be guaranteed.

1 Definitions

Our company’s Data Privacy Statement is based on the GDPR. Our Data Privacy Statement is intended to be easy to read and comprehensible. To ensure this, we will begin by explaining the terms used:

1.1 Personal data

“Personal data” means “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4.1 GDPR).

1.2 Data subject

“Data subject” means any identified or identifiable natural person of which personal data are processed by the person responsible for the processing (“controller”).

1.3 Processing

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4 Restriction of processing

“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

1.5 Profiling

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

1.6 Pseudonymisation

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

1.7 Controller

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.8 Processor

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

1.9 Recipient

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

1.10 Third party

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

1.11 Consent

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2 Name and address of the controller

The controller within the meaning of the GDPR is:

Caramba Chemie GmbH & Co. KG
Wanheimer Str. 334-336
47055 Duisburg, Germany

Email:  kontakt@caramba.eu
www.caramba.eu


3 Contact data of our external Data Protection Officer

Mr Michael Gruber
BSP-SECURITY
Franz-Mayer-Str. 1
93053 Regensburg, Germany

Tel. +49 (0) 941 46 29 09 29
info[at]bsp-security.de
www.bsp-security.de

Every data subject may contact our Data Protection Officer directly if he/she has any questions or suggestions concerning data protection.

4 Cookies

The website of our company uses cookies. Cookies are text files that are placed and stored on a computer system via a web browser.

Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is an unambiguous identifier of the cookie. It consists of a character strings by which websites and servers can be assigned to the specific web browser in which the cookie has been saved. This enables the visited websites and servers to distinguish the data subject’s individual browser from other web browsers which contain different cookies. A particular web browser can be recognised and identified by means of the unambiguous cookie ID. By using cookies, Muster GmbH can provide the users of this website with user-friendly services that would not be possible without cookies being placed.

By using a cookie, the information and offers on our website can be optimised for the benefit of the user. As mentioned above, cookies enable us to recognise returning users of our website. The purpose of that recognition is to make the use of our website easier for the users. For example, users of a website that uses cookies need not enter their access data again each time they visit the website because it is taken over by the website from the cookie that has been placed on the user’s computer system. Another example is the cookie of a shopping cart in an online shop. The online shop uses a cookie to remember the items that a customer has added to the virtual shopping cart.

The data subject can prevent the placing of cookies by our website at any time by making the appropriate setting in the web browser and thereby object to the placing of cookies permanently. Besides, cookies that have already been placed can be deleted using a web browser or other software program at any time. This is possible in all common web browsers. If the data subject deactivates the placing of cookies in the web browser used, it may not be possible to use all functions of our website completely.

5 Recording of general data and information

The web server of Muster GmbH records data and information of various kinds whenever the website is accessed by a data subject or an automated system. This general data and information is stored in the log files of the server. The data and information that may be recorded includes the browser types and versions used, the operating system used by the accessing system, the website from which an accessing system goes to our website, the subpages on our website that are accessed by an accessing system, the date and time of an access to our website, an internet protocol address (IP address), the internet service provider of the accessing system, and similar data and information used for averting danger in the event of an attack on our IT system.

When using that general data and information, Muster GmbH will not draw any conclusions as regards the data subject. That information is actually needed in order to deliver the content of our website correctly, to optimise the content of our website and the advertising of it, to guarantee the permanent functionality of our information technology systems and the technology of our website, and to provide prosecuting authorities with the information necessary for prosecution in the event of a cyberattack. That data and information collected anonymously is analysed by Muster GmbH for statistical purposes and, besides, for the purpose of improving data protection and data security at our company to ultimately ensure an optimum level of protection of the personal data processed by us. The anonymous data of the server log files is stored separately from all personal data entered by any data subject.

6 Possibility to contact us via our website

As required by law, our company’s website contains information enabling people to contact our company quickly and to communicate with us directly, which also includes a general electronic mail (email) address. If a data subject contacts the controller by email or via a contact form, the personal data submitted by the data subject will be stored automatically. Such personal data transmitted to the controller freely by the data subject will be stored for processing and for contacting the data subject. Such personal data will not be disclosed to third parties.

7 Routine erasure and blocking of personal data

The controller will process and store personal data of the data subject only for the period which is necessary for achieving the purpose of the processing or to the extent that this is required by the legislature in laws or regulations applicable to the controller. If the purpose of the storage ceases to exist or any storage period required by the legislature expires, the personal data will be blocked or deleted routinely and in accordance with the provisions of the law.

8 Rights of the data subject

8.1 Right to confirmation

Every data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to make use of this right to confirmation, he or she may contact our Data Protection Officer or another employee of the controller at any time.

8.2 Right to information

Every data subject has the right to require the controller to give information about the personal data stored about his or her person, as well as a copy of that information together with the following information, free of charge:

  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from the data subject, any available information as to their source
  • the existence of automated decision-making, including profiling, referred to in Article 22.1 and 22.4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Furthermore, the data subject has the right to obtain information on whether personal data have been transmitted to a third country or an international organisation. If this is the case, the data subject will also have the right to obtain information on the adequate guarantees in connection with such transmission.

If a data subject wishes to make use of this right to information, he or she may contact our Data Protection Officer at any time.

8.3 Right to rectification

Every data subject has the right to require the immediate rectification of incorrect personal data concerning him or her. Furthermore, the data subject has the right to require the completion of incomplete personal data – also by means of an additional declaration – taking into account the purpose of the processing.

If a data subject wishes to make use of this right to rectification, he or she may contact our Data Protection Officer at any time.

8.4 Right to erasure (right to be forgotten)

Every data subject has the right to require the controller to immediately erase the personal data concerning him or her if one of the following reasons exists and to the extent that the processing is not necessary:

  • The personal data were collected or otherwise processed fur purposes for which they are no longer necessary.
  • The data subject withdraws consent on which the processing is based according to Art. 6.1 a GDPR or Art. 9.2 a GDPR, and there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Art. 21.1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21.2 GDPR.
  • The personal data have been unlawfully processed.
  • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  • The personal data have been collected in relation to the offer of information society services referred to in Art. 8.1 GDPR.

If one of the above reasons exists and a data subject wishes to request the erasure of personal data that are stored at our company, he or she may contact our Data Protection Officer at any time. Our Data Protection Officer will cause the request for erasure to be fulfilled immediately.

Where the personal data has been made public by our company and our company, as the controller, is obliged pursuant to Art. 17.1 GDPR to erase the personal data, our company, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, to the extent that the processing is not necessary. The Data Protection Officer will cause the necessary steps to be taken in the individual case.

8.5 Right to restriction of processing

Under EU directives and regulations, every data subject has the right to obtain from the controller restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  • The data subject has objected to processing pursuant to Article 21.1 GDPR and it has not been determined whether the legitimate grounds of the controller override those of the data subject.

If one of the above prerequisites is fulfilled and a data subject wishes to request the restriction of the processing of personal data that are stored at our company, he or she may contact our Data Protection Officer at any time. The Data Protection Officer will cause the processing to be restricted.

8.6 Right to data portability

Every data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. Such person also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Art. 6.1 a GDPR or Art. 9.2 a GDPR or on a contract pursuant to 6.1 b GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Art. 20.1 GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, provided that this is technically feasible and rights or freedoms of other persons are not affected by this.

To claim the right to data portability, the data subject may contact our Data Protection Officer at any time.

8.7 Right to object

Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6.1 e or f GDPR. This also applies to profiling based on those provisions.

Our company will no longer process the personal data in the case of an objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing occurs for the establishment, exercise or defence of legal claims.

Where our company processes personal data for direct marketing purposes, the data subject will have the right to object at any time to the processing of the personal data for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject submits an objection to the processing for direct marketing purposes to us, we will no longer process the personal data for such purposes.

In addition, where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89.1 GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the data subject may contact the Data Protection Officer directly.

8.8 Automated individual decision-making, including profiling

Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for entering into, or performance of, a contract between the data subject and the controller or is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests or is based on the data subject’s explicit consent.

If the decision is necessary for entering into, or performance of, a contract between the data subject and the controller or is based on the data subject’s explicit consent, our company will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

If the data subject wishes to claim rights related to automated decision-making, he or she may contact our Data Protection Officer at any time.

8.9 Right to revoke a consent under data protection law

Every data subject has the right to revoke a consent to the processing of personal data at any time. If the data subject wishes to claim his or her right to revoke a consent, he or she may contact our Data Protection Officer at any time.

9 Data protection in connection with job applications and application processes

The controller collects and processes the personal data of applicants for the purpose of executing the application process. The processing may also be performed by electronic means. In particular, this is the case if an applicant transmits appropriate application documents to our company by electronic means, e.g. by email or via a web form that is provided on our website. If our company concludes a contract of employment with an applicant, the transmitted data will be stored in accordance with the provisions of the law for the purpose of handling the employment relationship. If our company does not conclude a contract of employment with the applicant, the application documents will be erased automatically 6 months after the decision to reject the applicant is communicated, provided that the erasure is not excluded by other legitimate interests of the controller. A legitimate interest in this sense may exist, for example, in the case of burden of proof in proceedings under the German General Act on Equal Treatment (AGG).

10 Data protection regulations; tracking tools

10.1 Data protection regulations concerning the use of Google Analytics

The controller has integrated the Google Analytics component (with an anonymisation function) into this website. Google Analytics is a web analysis service. Web analysis is the collection and analysis of data concerning the behaviour of visitors to websites. The data collected by a web analysis service includes (without limitation) data on the website from which a data subject has accessed a website (so-called referrer), the subpages of the website that have been visited and the time for which the visitor has remained on a subpage. Web analysis is used mainly for optimising a website and for cost-benefit analyses of internet advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

For the web analysis via Google Analytics, the controller uses the extension “_gat._anonymizeIp”. Using this extension, the IP address of the data subject’s internet connection is shortened and anonymised by Google if our website is accessed from a member state of the European Union or another contracting member state of the Treaty on the European Economic Area.

The purpose of the Google Analytics component is to analyse the streams of visitors on our website. Google, among other things, uses the obtained data and information to analyse the use of our website in order to compile online reports for us which show the activities on our website and to provide other services which are related to the use of our website.

Google Analytics places a cookie on the information technology system of the data subject. For an explanation of what cookies are, see above. The placing of a cookie enables Google to analyse the use of our website. With each access to an individual page of this website which is operated by the controller and into which the Google Analytics component has been integrated, the Google Analytics component causes the web browser on the information technology system of the data subject to transmit data to Google for the purpose of performing an online analysis. In connection with this technical process, Google is provided personal data such as the IP address of the data subject, which Google uses, among other things, to track the origin of the visitors and clicks and thereby enable commission calculations.

By means of the cookie, personal information such as the access time, the location from which an access was made and the frequency of visits to our website by the data subject is stored. With every visit to our website, those personal data, including the IP address of the internet connection used by the data subject, are sent to Google in the USA. Those personal data will be stored by Google in the USA. Google may disclose those personal data obtained by means of the technical process to third parties.

As explained above, the data subject can prevent the placing of cookies by our website at any time by making the appropriate setting in the web browser and thereby object to the placing of cookies permanently. Such a setting in the web browser used would also prevent Google from placing a cookie on the information technology system of the data subject. Besides, any cookie of Google Analytics that has already been placed can be deleted using the web browser or another software program at any time.

Furthermore, the data subject has the possibility to object to any recording of the data which are generated by Google and are related to a use of this website as well as the processing of such data by Google and to prevent such recording and processing. To do so, the data subject must download and install a browser add-on available at the web address https://tools.google.com/dlpage/gaoptout. That browser add-on informs Google Analytics via JavaScript that no data and information on visits to websites may be transmitted to Google Analytics. Google will consider the installation of the browser add-on as an objection. If the information technology system of the data subject is deleted, formatted or reinstalled at a later date, the data subject will have to install the browser add-on again in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or by another person within the data subject’s sphere of influence, it will be possible to install the browser add-on again or reactivate it.

Further information as well as the current data protection regulations of Google can be found at https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. More detailed explanations on Google Analytics can be found at https://www.google.com/intl/de_de/analytics/ .

10.2 Data protection regulations concerning the use of Google AdWords

The controller has integrated Google AdWords into this website. Google AdWords is an internet advertising service that allows advertisers to place advertisements in the search results of the Google search engine and in the Google advertising network. Google AdWords enables advertisers to define certain key words in advance by means of which an advertisement is only shown in the Google search results if the user of the search engine requests a search result which is relevant to the key words. In the Google advertising network the advertisements are distributed over subject-related websites by means of an automatic algorithm and taking into account the key words defined in advance.

The operating company of the services of Google AdWords is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to advertise our website by showing interest-related advertisements on the websites of third-party companies and in the search results of the Google search engine and to show third-party advertisements on our website.

If a data subject accesses our website via a Google advertisement, Google places a so-called conversion cookie on the information technology system of the data subject. For an explanation of what cookies are, see above. A conversion cookie becomes invalid after thirty days and is not used for identifying the data subject. If a conversion cookie has not expired, it is used for determining whether certain subpages of our website, e.g. the shopping cart of an online shop system, have been accessed. The conversion cookie enables both us and Google to determine whether a data subject who has accessed our website via an AdWords advertisement has generated sales, i.e. performed or aborted a purchase transaction.

The data and information collected by using the conversion cookie are used by Google to create visitor statistics for our website. We, for our part, use the visitor statistics to determine the total number of users who have accessed our website via AdWords advertisements, i.e. to determine the success or failure of the AdWords advertisement concerned and to optimise our AdWords advertisements for the future. Neither our company nor other advertising customers of Google AdWords receive any information from Google which could be used for identifying the data subject.

By means of the conversion cookie, personal information such as the web pages visited by the data subject is stored. Thus, with every visit to our website, personal data, including the IP address of the internet connection used by the data subject, are sent to Google in the USA. Those personal data will be stored by Google in the USA. Google may disclose those personal data obtained by means of the technical process to third parties.

As explained above, the data subject can prevent the placing of cookies by our website at any time by making the appropriate setting in the web browser and thereby object to the placing of cookies permanently. Such a setting in the web browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. Besides, any cookie of Google AdWords that has already been placed can be deleted using the web browser or another software program at any time.

Furthermore, the data subject has the possibility to object to the interest-related advertising by Google. To do so, the data subject must visit the address www.google.de/settings/ads from each web browser that he or she uses and make the desired settings on that web page.

Further information as well as the current data protection regulations of Google can be found at https://www.google.de/intl/de/policies/privacy/ .

 

11 Competent data protection supervisory authority

The North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Düsseldorf, Germany

Tel.: +49 (0) 211 38424-0
Fax: +49 (0) 211 38424-10
Email: poststelle@ldi.nrw.de

12 Changes to the data protection regulations

We reserve the right to change our security and data protection regulations if this becomes necessary due to the development of technology. In those cases, we will also adjust our notes on data protection accordingly. Please always note the current version of our Data Privacy Statement.

(04/2018)