Data protection

Privacy Statement

We, at Commeo GmbH, are delighted that you visited our website. Protecting your personal data and making sure they remain confidential is a matter we take very seriously. By making this statement, we would like to inform you as to what information we capture during your visit and how it is used.

This Privacy Statement will provide you with an explanation as to the nature, scope and purpose of the processing of personal data (hereinafter referred to as “the data”) that takes place within our online offering and its associated websites. It also provides information about functionalities and content and about our presence on third-party online services, such as our social media profile (hereinafter jointly referred to as our “online offerings”). With regard to the terminology used, such as “processing” or “controller”, we hereby refer you to the definitions provided in Article 4 of the General Data Protection Regulation (GDPR).

Controller

Commeo GmbH
Otto-Lilienthal-Strasse 8
49134 Wallenhorst, Germany

Tel. +49 5407 81381-0
info(at)commeo.com

Contact details of Data Protection Officer:

Data Protection Officer
Otto-Lilienthal-Strasse 8
49134 Wallenhorst, Germany

Tel. +49 5407 81381-0
data.protection(at)commeo.com

Types of data processed:

  • Personal data (e.g. names, addresses).
  • Contact details (e.g. e-mail address, telephone numbers).
  • Content data (e.g. text entries, photographs, videos).
  • Usage data (e.g. web pages visited, interest in contents, times when accessed).
  • Metadata and communication data (e.g. device information, IP addresses).

Categories of persons involved

Visitors and users of the online offering (from this point onwards, the persons involved will be referred to collectively as the “users”).

Purpose of processing

  • To provide the online offering, its functionalities and content
  • To answer contact requests and communicate with users
  • Security measures
  • Measuring reach/marketing

Terminology employed

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any procedure carried out with or without the aid of automated processes or any such sequence of procedures employed in association with personal data. As a concept, this is very broad and encompasses practically any action carried out involving data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant bases in law

According to Article 13 of the GDPR, we must inform you of the legal bases that relate to our processing of data. In so far as the legal basis is not stated in the Privacy Statement, the following shall apply: the legal basis for the obtaining of consent shall be Article 6, paragraph 1, item a and Article 7 of the GDPR; the legal basis for the fulfilment of our services, the implementation of contractual measures and the answering of questions shall be Article 6, paragraph 1, item b of the GDPR; the legal basis for the processing required in order to fulfil our legal obligations shall be Article 6, paragraph 1, item c of the GDPR; and the legal basis for the processing required in order to preserve our legitimate interests shall be Article 6, paragraph 1, item f of the GDPR. In the event that vital interests of the data subject or of another natural person make it necessary to process personal data, Article 6, paragraph 1, item d of the GDPR shall form the legal basis.

Security measures

In accordance with Article 32 of the GDPR and taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons posed by the processing, we implement appropriate technical and organisational measures in order to afford a level of protection that is in keeping with the risk.

Those measures especially include ensuring the confidentiality, integrity and availability of data by checking the physical means of accessing the data, as well as the relevant access obtained, the inputting and disclosure of the data, and the measures to ensure their availability and separation. In addition, we have set up procedures to ensure that the rights of data subjects are upheld and that data is deleted, and to guarantee a response in the event that the data is compromised. Furthermore, we already take the need to protect personal data into account while developing and/or selecting hardware, software and processes, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).

Collaboration with processors and third parties

In so far as, in the course of our processing, we disclose data to other persons or companies (processors or third parties), transmit data to them or otherwise grant them access to the data, this shall solely take place if permitted by law (for example, if transmitting the data to third parties, such as payment providers, is required in accordance with Article 6, paragraph 1, item b of the GDPR for the performance of a contract), if you have consented to this, if a statutory obligation requires this or if it is necessary in order to uphold our legitimate interests (such as the use of agents, web hosting companies, etc.).

In so far as we commission third parties to process data on the basis of a processing contract, this will be governed by the provisions of Article 28 of the GDPR.

Transfer to third countries

In so far as we process data in a third country (i.e. a country that does not form part of the European Union (EU) or the European Economic Area (EEA)) or in so far as this data is processed when taking up the services of third parties or when disclosing or transmitting data to third parties, this shall solely take place in order to fulfil our (pre-)contractual obligations, if consented to by you, based on a statutory obligation or based upon our legitimate interests. Notwithstanding any statutory or contractual permissions, we will only process or outsource the processing of data if the special requirements laid down in Article 44 et seq. of the GDPR have been met. This means that processing will take place in accordance with specific safeguards, such as the officially recognised identification of a level of data protection equivalent to that of the EU (such as the “Privacy Shield” in place in the USA) or the observance of special contractual obligations (known as “standard contractual clauses”).

The rights of data subjects

You have the right to obtain confirmation as to whether or not personal data are being processed and to be informed of that data and any additional information and to receive a copy of the data concerned in accordance with Article 15 of the GDPR.

In accordance with Article 16 of the GDPR, you have the right to have incomplete personal data relating to you completed or to seek rectification of inaccurate personal data that concerns you.

In accordance with Article 17 of the GDPR, you have the right to require relevant data be erased and/or to demand that the processing of the data be restricted in accordance with Article 18 of the GDPR.

In accordance with Article 20 of the GDPR, you have the right to receive the personal data you have provided to us and to demand that they be transmitted to another controller.

Furthermore and in accordance with Article 77 of the GDPR, you have the right to lodge a complaint with the competent supervisory authority. A list of data protection officers and their contact details can be accessed via the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

The right to withdraw consent

Under the terms of Article 7, paragraph 3 of the GDPR, you have the right to withdraw any consent you have given, with effect for the future.

The right to object

In accordance with Article 21 of the GDPR, you are entitled at any time to object to the processing of data relating to you in the future. Objections of this type may especially be made against the processing of data for direct marketing purposes.

Cookies and the right to object to direct marketing

The term “cookies” is understood to refer to small files that are stored on computers belonging to users. Various items of information can be stored inside a cookie. The primary purpose of a cookie is to store details of a user (and/or the device on which the cookie has been saved), either during or after his/her visit within an online offering. The terms “session cookies” or “transient cookies” are understood to refer to cookies that are deleted once a user leaves the online offering and closes his/her browser. The items saved in a cookie of that type may be the contents of a shopping basket in an online shop or a login status. The terms “permanent cookie” or “persistent cookie” refer to cookies that are not deleted when the browser is closed. These cookies make it possible for a user’s login status to be saved if he/she revisits the site after a few days. In the same way, this type of cookie also makes it possible to save details of users’ interests, which may be used for marketing purposes or in order to measure the reach of a website. The term “third-party cookie” refers to a cookie offered by providers other than the controller operating the online offering (if the cookies are offered by the controller itself, however, they are referred to under the term “first-party cookies”).

We can make use of temporary and permanent cookies and will provide clarification about this within our Privacy Statement.

In the event that users do not wish any cookies to be saved on their computer, they are requested to deactivate the relevant option in their browser’s system settings. Saved cookies can be deleted by accessing the browser’s system settings. Rejecting all cookies may restrict some of the functionalities of this online offering.

It is possible to express your wish not to receive any cookies used for online marketing purposes, especially tracking cookies, by visiting the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. In addition, users can also prevent cookies from being saved by deactivating the relevant setting in their browser settings. Please note that doing so may mean it is not possible to make use of all of the functionalities of this online offering.

Erasure of data

The data processed by us will be erased, or the purposes for which they are processed restricted, in accordance with Articles 17 and 18 of the GDPR. Unless expressly indicated within this Privacy Statement, data saved by us will be erased once it is no longer required for its intended purpose and if that data does not need to be retained as a result of any statutory retention requirements. If such data is not erased, as it is needed for other legitimate purposes, the purposes for which it is processed will be restricted. This means that the data will be blocked and will not be used for other purposes. The types of data involved here include data that needs to be retained for commercial or tax-related purposes.

According to the statutory requirements in Germany, such data is specifically retained for 10 years by virtue of Article 147, paragraph 1 of the German Tax Code (AO), Article 257, paragraph 1, nos. 1 and 4, paragraph 4 of the German Commercial Code (HGB) (books, notes, management reports, accounting vouchers, trading books, any documents of relevance for tax purposes, etc.), and for 6 years in accordance with Article 257, paragraph 1, nos. 2 and 3, paragraph 4 of the German Commercial Code (commercial letters).

According to the statutory requirements in Austria, such data is specifically retained for 7 years by virtue of Article 132, paragraph 1 of the Austrian Federal Fiscal Code (BAO) (accounting vouchers, receipts/invoices, accounts, statements, business papers, itemised lists of income and expenditure, etc.), for 22 years in connection with plots of land and for 10 years in the case of documents relating to services provided electronically, telecommunications services, radio services and television services provided to non-business parties in EU Member States and for which use is made of the VAT Mini One Stop Shop (MOSS).

Contract services

We not only process data relating to our contractual partners and interested parties, but also data belonging to other contracting bodies, customers, clients or contractual partners (each of which is referred to as a “contractual partner”) in accordance with Article 6, paragraph 1, item b. of the GDPR, in order to provide them with our contractual or pre-contractual services. The data processed in the course of this and the nature, scope and purpose and necessity for the processing thereof, shall be determined in accordance with the underlying contractual relationship.

The data processed include the master data pertaining to our contractual partners (such as names and addresses), contact details (such as e-mail addresses and telephone numbers) and contract-related data (such as services taken up, the contents of the contract, communication in relation to the contract, the names of contact persons) and payment data (such as bank account details, payment history).

We generally do not process any special categories of personal data, except when these form part of the processing we have been asked to carry out or have agreed to carry out under the terms of a contract.

We process data that is required in order to justify and perform contractual services and make our contractual partners aware of why it is necessary to provide the data, if that is not already evident to them. We will only disclose such data to external parties or companies if this is necessary in the context of a contract. When processing data provided to us in the context of an assignment, we will act in accordance with the client’s instructions and in accordance with the statutory regulations.

Whenever a user makes use of our online services, we are able to store his/her IP address and the time at which the user undertook the action concerned. This is saved in line with our legitimate interests and also in line with the user’s interests in being protected from abuse or any other unauthorised use. Such data are generally not disclosed to third parties, unless this occurs in pursuit of our entitlements in accordance with Article 6, paragraph 1, item f. of the GDPR or unless we are legally obliged to disclose such data by virtue of Article 6, paragraph 1, item c. of the GDPR.

The data will be erased once it is no longer required in order to fulfil the contractual or statutory duties of care or in order to perform any duties arising under a warranty or any comparable duties. In that regard, the necessity to retain the data will be examined every three years; the statutory retention obligations shall apply in all other cases.

Data protection notices within the application process

We process applicant data only for the purpose and in the context of the application procedure and in a manner in keeping with the statutory requirements. Applicant data is processed in order to fulfil our (pre-)contractual obligations in the context of the application procedure in the sense of Article 6, paragraph 1, item b. of the GDPR and Article 6, paragraph 1, item f. of the GDPR, in so far as we are required to process data for reasons such as legal proceedings (in Germany Article 26 of the German Federal Data Protection Act (BDSG) additionally applies).

The application procedure requires applicants to supply us with their details. In so far as we provide an online form for that purpose, the necessary applicant details are labelled as such, can be determined from the job descriptions and shall, in all cases, include details about the person, the position and the contact addresses, together with the documentation that forms part of the application, such as a letter of application, a CV and the applicant’s certificates. Applicants are also free to disclose additional information to us on a voluntary basis.

By sending their application to us, applicants declare their agreement to the processing of their data for the purposes of the application procedure, in accordance with the nature and scope laid down in this Privacy Statement.

In so far as applicants voluntarily provide special categories of personal data in the sense of Article 9, paragraph 1 of the GDPR, these shall additionally be processed in accordance with Article 9, paragraph 2, item b. of the GDPR (such as health data, e.g. the applicant’s status as a severely disabled person or his/her ethnic background). In so far as applicants are asked to provide special categories of personal data in the sense of Article 9, paragraph 1 of the GDPR, these shall additionally be processed in accordance with Article 9, paragraph 2, item a. of the GDPR (such as health data, if these are necessary in order to carry out the role concerned).

If we provide an online form, applicants can submit their application using the online form on our website. The data will undergo state-of-the-art encryption before being sent to us.
Applicants can also submit their applications to us by e-mail. If doing so, applicants must take note that e-mails are generally not encrypted, which means that applicants themselves are responsible for encryption. This means that we cannot undertake any liability for the application while it is being conveyed from the sender and until it is received on our server. We therefore recommend making use of an online form or sending the application to us by post. After all, applications do not need to be submitted by means of the online form or by e-mail. It is still possible for applicants to submit their applications by post.

If an application turns out to be successful, the data provided by applicants can be used for employment purposes and will undergo further processing by us. In other cases, once an application submitted in response to a job advertisement is unsuccessful, the data relating to the applicants will be deleted. The data relating to the applicants will also be deleted if an application is withdrawn. Applicants are entitled to withdraw their application at any time.

Unless applicants submit a legitimate objection, erasure will take place once a period of six months has elapsed, so that we are able to respond to any subsequent questions regarding the application and are able to fulfil our obligation to provide evidence under the German Equal Treatment Act. Receipts relating to any travel costs reimbursed will be archived in accordance with the requirements laid down under tax law.

Making contact

Whenever anyone makes contact with us (such as by means of the contact form, by e-mail, telephone or social media), details of the user will be processed in order to administer and respond to the contact request in accordance with Article 6, paragraph 1, item b. (in connection with contractual or pre-contractual relationships), and Article 6, paragraph 1, item f. (other enquiries) of the GDPR. Details regarding the user may be saved in a Customer Relationship Management system (“CRM system”) or a comparable system used to manage enquiries.

We will delete the enquiries once they are no longer necessary. We verify their necessity every two years; statutory archiving requirements shall also apply.

Hosting and the sending of e-mails

Hosting services taken up by us shall be used in order to provide the following services: infrastructural and platform services, computing capacity, storage space and database services, the sending of e-mails, security services and technical maintenance services that we deploy for the purpose of operating this online offering.

To that end, we, or our hosting provider, process personal data, contact details, content data, contractual data, usage data, metadata and communication data relating to our clients, interested parties and visitors to this online offering, based on our legitimate interests in ensuring that this online offering is provided in an efficient and secure manner in accordance with Article 6, paragraph 1, item f. of the GDPR in conjunction with Article 28 of the GDPR (concluding a processing contract).

Storage of access data and log files

Based upon our legitimate interest in the sense of Article 6, paragraph 1, item f. of the GDPR, we, or our hosting provider, save data each time a user accesses the server on which our service is located (known as server log files). The access data will include the name of the website accessed, the file, date and time these were retrieved, the quantity of data transferred, notifications that retrieval was successful, the type and version of browser used, the user’s operating system, the referrer URL (the previous website visited), the IP address and the requesting provider.

For security reasons (such as the need to trace any actions constituting misuse or deception), log file information is only saved for a maximum of 7 days and is then erased. Data that need to be retained for evidentiary purposes are exempt from deletion until the case involved is ultimately resolved.

Google Analytics

By virtue of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our online offering in the sense of Article 6, paragraph 1, item f. of the GDPR), we make use of Google Analytics, a web analysis service provided by Google LLC (hereinafter: “Google”). Google makes use of cookies. Generally speaking, Google transfers the information generated by the cookie regarding the use that is made of the online offering by the users to a server located in the USA, where it is saved.

Google is certified under the Privacy Shield Convention and therefore offers a guarantee that it will adhere to European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will make use of that information on our behalf, in order to evaluate the use being made of our online offering by the users, in order to compile reports about the activities carried out within our online offering and in order to deliver additional services associated with the use of this online offering and of the internet to us. Using the data that is processed, pseudonymous usage profiles may be compiled for the users.

We only make use of Google Analytics with IP anonymisation switched on. This means that in Member States of the European Union or in other states that are signatory to the EEA Agreement, Google shortens users’ IP addresses. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other data held by Google. Users can prevent cookies being saved by making use of the relevant setting in their browser software; users can also prevent Google from capturing the data generated by the cookie that relates to their use of the online offering and can prevent that data from being processed by Google, by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information about how Google makes use of data and about the different settings that can be used to object to such use can be found in Google’s Privacy Policy (https://policies.google.com/technologies/ads) and in the settings governing the insertion of advertising (https://adssettings.google.com/authenticated).

Users’ personal data are erased or anonymised after a period of 14 months has elapsed.

Online presences in social media

We maintain an online presence on social networks and social platforms, in order to communicate with our customers, interested parties and users and to inform them about our services there. Whenever a user visits each individual network or platform, the terms and conditions and data processing guidelines of the relevant operator will apply.

Unless indicated otherwise in our Privacy Statement, we process data relating to our users if they communicate with us via the social networks and platforms, such as by writing comments on our online presences or by sending messages to us.

Integration of third-party services and content

As part of our online offering and based upon our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our online offering in the sense of Article 6, paragraph 1, item f. of the GDPR), we make use of content or services from third-party providers, in order to integrate their services, such as videos or fonts (hereinafter collectively referred to as “Content”).

This does however require that the third-party supplier of such content is able to view users’ IP addresses, as they would not be able to send the content to the users’ browsers without access to the IP address. The IP address therefore forms a requirement for the presentation of such content. We endeavour only to make use of content supplied by providers who will solely make use of the IP address in order to deliver the content. Furthermore, third-party suppliers may also make use of pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Using these pixel tags enables information, such as visitor traffic to the pages of this website, to be evaluated. Anonymised information may furthermore be saved on users’ devices in cookies. That may include information about the browser and the operating system, referring websites, the amount of time spent on the site, together with other details regarding the use being made of our online offering. Such information may also be combined with information obtained from other sources.

Google Maps

We integrate the mapping functionality provided by the service known as “Google Maps” that is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data that is processed may especially include users’ IP addresses and location data; however, these will not be stored without their consent (which is generally obtained by means of the settings selected on their mobile devices). The data concerned may be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.

Xing

Our online offering may incorporate functionality and content from the Xing service offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. These may include content such as images, videos or texts and buttons, with which users are able to share content from this online offering within Xing itself. In so far as users are members of the Xing platform, Xing will be able to assign the fact that the content and functionalities referred to above were called up to the individual profiles of those users on the Xing system. Xing’s privacy policy can be accessed via the following link: https://www.xing.com/app/share?op=data_protection.

LinkedIn

Our online offering may incorporate functionality and content from the LinkedIn service, provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. These may include content such as images, videos or texts and buttons, with which users are able to share content from this online offering within LinkedIn itself. In so far as users are members of the LinkedIn platform, LinkedIn will be able to assign the fact that the content and functionalities referred to above were called up to the individual profiles of those users on the LinkedIn system. LinkedIn’s privacy policy can be accessed via the following link: https://www.linkedin.com/legal/privacy-policy. LinkedIn is certified under the Privacy Shield Convention and therefore offers a guarantee that it will adhere to European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Privacy Policy: https://www.linkedin.com/legal/privacy-policy, Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.