Our privacy policy in accordance with GDPR

 

I. Name and address of the data controller

The data controller pursuant to the General Data Protection Regulation (GDPR) and other applicable national data protection laws and regulations of the Member States and other statutory data protection provisions is:

Struktur Management Partner GmbH
Gereonstraße 18 – 32
50670 Cologne
Germany
Tel.: +49 221 91 27 30 - 0
E-Mail: info@struktur-management-partner.com
Website: www.struktur-management-partner.com

II. Name and address of the data protection officer

The data controller’s data protection officer is:

Hans-Peter Samberger
Cyberdyne IT GmbH
Am Wassermann 31
50829 Cologne
Germany
Tel.: +49 221 6502 400
E-Mail: samberger@cyberdyne.de
Website: www.cyberdyne.de


General information on data processing

1. Scope of processing of personal data

As a matter of principle, we only collect and use our users’ personal data to the extent that this is necessary to provide a functional website and our content and services. The personal data of our website users are generally only collected and used after their consent has been obtained. An exception is made in those cases where prior consent cannot be obtained for factual reasons and processing of the data is permitted by law.

2. Legal basis for the processing of personal data

The processing of personal data is lawful under Article 6(1) a) of the EU’s General Data Protection Regulation (GDPR) provided we obtain the consent of the data subject to processing activities involving personal data.

If it is necessary to process personal data for the purpose of executing a contract with the data subject, the legal basis is Article 6(1) b) GDPR. This also applies to processing which is necessary prior to entering into a contract.

The processing of personal data necessary for compliance with a legal obligation to which our company is subject is lawful under Article 6(1) c) GDPR.

The legal basis for processing which is necessary in order to protect the vital interests of the data subject or of another natural person is Article 6(1) d) GDPR.

Processing which is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, is lawful under Article 6(1) f) GDPR.

3. Data erasure and storage duration

The data subject’s personal data are erased or blocked when the purpose for which they are stored no longer applies. Personal data may be stored for a longer period if required by European or national laws, European Union regulations, laws or other legal provisions to which the data controller is subject. Data are also erased or their processing is restricted if a mandatory statutory retention period expires unless it is necessary to continue storing the data for the purpose of entering into or executing a contract.

III. Plug-ins and Tools

Crisp

We use Crisp (hereinafter referred to as “Crisp”) for the processing of user inquiries via our support channels or live chat systems. The provider is Crisp IM SAS, 2 BOULEVARD DE LAUNAY 44100, NANTES, PAYS DE LA LOIRE, France.

Messages you send to us, can be stored in the Crisp ticket system or our employees respond to them in the live chat system. If you communicate with us via Crisp, all data you have entered from the start of the chat (i.e., name or chat ID, address, and phone number) as well as your IP address, your country of origin, the utilized browser and device, the accessed website and the exchanges messages are consolidated in a profile and saved on Crisp’s servers.

Messages that are addressed to us remain in our possession until you ask us to delete them or the reason for the data storage is no longer effective (e. g. after your inquiry has been processed). This shall be without prejudice to any statutory provisions – especially statutory mandatory retention obligations.

The use of Crisp is based on Art. 6(1)(f) GDPR. We have a legitimate interest in marketing activities that are as effective as possible. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

For more information, please consult the data privacy declaration of Crisp: https://crisp.chat/en/privacy/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/6312.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

Each time you visit our website our system automatically collects data and information from the computer you use to access our website.

The following data are collected:

(1) Information about the type of browser and version used
(2) The user's operating system
(3) The user's IP address
(4) The date and time of access
(5)Referrer URLs (websites from which the user’s system accesses our website)

These data are stored in our system’s log files. They are not combined with other personal data concerning the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6(1) f) GDPR.

3. Purpose of data processing

The system’s temporary storage of the IP address is necessary to provide website content to the user’s PC. The user’s IP address has to be stored for the duration of the session for this purpose.

Storage of these data in log files enables us to provide a functional website. Furthermore, the data help us to optimise the website and to ensure the security of our information technology systems. No data are analysed for marketing purposes in this connection.

It is also in our legitimate interest to process these data for these purposes pursuant to Article 6(1) f) GDPR.

4. Duration of storage

The data will be erased as soon as they are no longer required for the purpose for which they were collected. Data collected for the purpose of displaying website content to the user are erased at the end of the session.

Data stored in log files are erased after nine weeks at the latest. The data may be stored for longer than this. The users’ IP addresses are anonymised after 7 days to prevent identification of the originating client.

5. Right to object and opt out

The collection of the data for the purpose of displaying website content to the user and the storage of the data in log files are necessary to operate the website. The user therefore has no right to object.

V. Use of cookies

a) Description and scope of data processing

We use cookies on our website. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a globally unique identifier (GUID), a randomly generated string of characters which allows us to identify your browser when you visit the website again.

We use cookies to enhance the user experience on our website. Some elements of our website need to be able to identify your browser when you go from one web page to another. Functional cookies support this by collecting information about form status. A time-limited link can also be requested to reinstate an assessment.
The data from these cookies are not merged with other data or analysed for profiling purposes.

The following data are stored and transferred in cookies:

Session data/form status

b) Legitimate basis for data processing

The legal basis for processing personal data while using cookies is Article 6(1) f) GDPR.

c) Purpose of data processing

The purpose of using technically necessary cookies is to simplify the user experience on our website. Some website functions cannot be provided without cookies. These are functions that need to recognise your browser when you move from one page to another.

We use cookies for the following applications:

Session data/form status

Data collected with technically necessary cookies are not used for profiling purposes.

It is also in our legitimate interest to process these data for these purposes pursuant to Article 6(1) f) GDPR.

d) Duration of storage, right to object and opt out

Cookies are stored on the user’s computer and thence transmitted to our site. This means that, as user, you have full control over the use of cookies. You can change your browser settings to disable the transmission of all or certain cookies. Cookies stored on your device can be erased at any time, either manually or automatically. If you disable cookies for our website you may not be able to use all the functions of the website to their full extent.

VI. Newsletter

1. Description and scope of data processing

If you consent to receive news your e-mail address may be used by us for the purpose of sending a newsletter to you. In that case the newsletter will only contain direct advertising for own similar products or services.

No data are transferred to third parties in connection with data processing for the distribution of newsletters. Your data are used solely for the purposes of sending you the newsletter.

2. Legal basis for data processing

The legal basis for sending out the newsletter in connection with the sale of goods or services is section 7, paragraph 3 of the German Act Against Unfair Competition. The legal basis for the electronic processing of the address is Article 6(1) a) GDPR.

3. Purpose of data processing

The user’s e-mail address is collected for the purpose of delivering the newsletter.

The purpose of collecting other personal data during the registration process is to prevent misuse of the services or the e-mail address used.

4. Duration of storage

The data will be erased as soon as they are no longer required for the purpose for which they were collected. The user’s e-mail address is therefore stored for as long as the newsletter subscription remains active.

5. Possibility of opposition and removal

The user can unsubscribe from the newsletter at any time. Every newsletter contains a link for this purpose.

VII. Contact form and e-mail contact

1. Description and scope of data processing

There is a contact form on our website which can be used to contact us electronically. When the contact form is used, the data entered into the input mask by the user will be transferred to us and stored. These data are:

(1) The IP address of the user
(2) Date and time of registration
(3) First and last name
(4) E-mail address
(5) Message content

Your consent to the processing of the data will be requested and reference will be made to this Privacy Policy during the transmission process.

Alternatively, you can contact us by writing to the e-mail address provided. In this case the user’s personal data which are transmitted with the e-mail are stored.

The data are not passed on to third parties in this context. The data are used solely for the purpose of corresponding with you.

2. Legal basis for data processing

Data are processed on the legal basis of the user’s consent in accordance with Article 6(1) a) GDPR.

The legal basis for processing the data transmitted in conjunction with sending an e-mail is Article 6(1) f) GDPR. If the purpose of the e-mail is to enter into a contract, an additional legal basis for the processing is Article 6(1) b) GDPR.

3. Purpose of data processing

We only process the personal data entered into the input mask for the purpose of corresponding with the sender. It is also in our legitimate interest to process the data when you contact us by e-mail.

The other personal data processed in the course of sending the message serve to prevent misuse of the contact form and ensure the security of our information technology systems.

4. Duration of storage

The data will be erased as soon as they are no longer required for the purpose for which they were collected. Personal data which are sent to us via the input mask of the contact form, or by e-mail, are erased when the correspondence with the user ends. The correspondence is deemed to have ended when circumstances indicate that the matter concerned has been conclusively clarified or resolved.

The personal data which are additionally collected during the transmission process are erased after seven days at the latest.

5. Right to object and opt out

Users can revoke their consent to the processing of personal data concerning them at any time. Users who contact us by e-mail can also object to the storage of their personal data at any time. In that case correspondence with the user is terminated.

Objections can be sent at any time in writing to the data controller or via e-mail to datenschutz@struktur-management-partner.com.

All personal data stored in connection with the contact will then be erased.

VIII. Registration

1. Description and scope of data processing

There is a registration form on our website that is necessary for users to participate in our offerings (e.g. digital publications, assessments, online events). When the registration form is used, the data entered into the input mask will be transferred to us and stored. These data are:

(1) The IP address of the user
(2) Date and time of registration
(3) Title, first and last name
(4) Company
(5) E-mail address
(6) Entries made in the assessment, where applicable

Optional additional information:
(7) Company
(8) Position
(9) Business phone number

Your consent to the processing of the data will be requested and reference will be made to this Privacy Policy during the registration process.

The registration is processed in our central CRM system (Microsoft Dynamics). The data are only used in connection with the product or service you have registered to use unless you have opted in to other processing purposes.

2. Legal basis for data processing

Data are processed on the legal basis of the user’s consent in accordance with Article 6(1) a) GDPR. A data processing contract pursuant to Article 28 GDPR has been concluded with Microsoft.

3. Purpose of data processing

We only process the personal data entered into the input mask for the purpose of processing the registration.

The other personal data processed in the registration process serve to prevent misuse of the registration form and ensure the security of our information technology systems.

4. Duration of storage

The data will be erased as soon as they are no longer required for the purpose for which they were collected. This is the case with data entered into the registration form input mask when the registration has been processed and the registration purpose has ended. Under some circumstances we will obtain separate consent for data storage, e.g. for future job vacancies or analyses.

The personal data which are additionally collected during the registration process are erased after seven days at the latest.

5. Right to object and opt out

Users can revoke their consent to the processing of personal data concerning them at any time. In that case the user can no longer participate.

Objections can be sent at any time in writing to the data controller or via e-mail to datenschutz@struktur-management-partner.com.

All personal data stored in connection with the registration will then be erased.

IX. Privacy notice on the use of YouTube

1. Description and scope of data processing

In some circumstances, after registration, you will receive an e-mail containing a link to a YouTube playlist that is not publicly available. The site is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you click on the link a connection to the YouTube servers will be established. Technical information about your browser, such as operating system, browser version and your PC’s IP address, will be shared with the YouTube server.

2. Legal basis for data processing

The legal basis for processing personal data while using cookies is Article 6(1) a) GDPR.

3. Purpose of data processing

We only process the personal data from the linked videos for the purpose of displaying the videos. This function cannot be provided in any other way.

Data collected with technically necessary cookies are not used for profiling purposes.

4. Duration of storage, right to object and opt out

Cookies are stored on the user’s computer and thence transmitted to our site. This means that, as user, you have full control over the use of cookies. You can change your browser settings to disable the transmission of all or certain cookies. Cookies stored on your device can be erased at any time, either manually or automatically. If you disable cookies for our website you may not be able to use all the functions of the website to their full extent.

X. Privacy notice on the use of Microsoft Teams video conferences

1. Description and scope of data processing

In some circumstances you will receive an e-mail containing a link to participate in an online conference. Some events are based on services provided by non-European cloud service providers such as Microsoft Teams. The operator is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. If you use the link a connection to the Microsoft 365 servers will be established. Technical information about your browser, such as operating system, browser version and your PC’s IP address, will be shared with the server.

2. Legal basis for data processing

The legal basis for processing personal data while using cookies is Article 6(1) a) GDPR. A data processing contract pursuant to Article 28 GDPR has been concluded with Microsoft.

3. Purpose of data processing

We only process the personal data from the linked video conference for the purpose of implementing the video conference. This function cannot be provided in any other way.

Data collected with technically necessary cookies are not used for profiling purposes.

4. Duration of storage, right to object and opt out

Cookies are stored on the user’s computer and thence transmitted to our site. This means that, as user, you have full control over the use of cookies. You can change your browser settings to disable the transmission of all or certain cookies. Cookies stored on your device can be erased at any time, either manually or automatically. If you disable cookies for our website you may not be able to use all the functions of the website to their full extent.

XI. Data subject rights

When personal data concerning you is processed you have the following rights as the data subject pursuant to GDPR.

1. Right of notification

You can request confirmation from the data controller of whether personal data concerning you are being processed by us.

If personal data concerning you are being processed, you can request the following information from the controller:

(1) The purposes for which the personal data are being processed.
(2) The categories of personal data being processed.
(3) The recipients or categories of recipients to whom the personal data have been or will be disclosed.
(4) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
(5) The existence of the right to obtain from the controller rectification or erasure of personal data concerning you, the right to restriction of processing by the controller or the right to object to processing.
(6) The right to lodge a complaint with a supervisory authority.
(7) All available information about the origin of the data if the personal data were not collected from the data subject
(8) The existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to obtain information about whether the personal data concerning you is transferred to a third country or an international organisation. In this connection you also have the right to obtain information as to whether appropriate safeguards pursuant to Article 46 GDPR are provided in connection with the transfer of personal data.

2. Right of rectification

You have the right to obtain the rectification of personal data concerning you and the supplementation of incomplete personal data from the data controller. The data controller will comply without undue delay.

3. The right to restrict processing

When one of the following applies you have the right to obtain from the controller restriction of processing:

(1) if you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data
(2) if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
(3) if the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims or
(4) if you have objected to processing pursuant to Article 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override your grounds.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If you have obtained restriction of processing pursuant to the above the data controller will inform you before the restriction of processing is lifted.

4. Right to erasure

a) Erasure obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

(1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing is based according to Article 6(1) a), or Article 9(2) a) GDPR, and where there is no other legal ground for the processing.
(3) You object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

b) Information to third parties

Where the controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, these personal data.

c) Exceptions

The right of cancellation does not exist insofar as the processing is necessary

(1) for exercising the right of freedom of expression and information
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(3) for reasons of public interest in the area of public health in accordance with Article 9(2) h) and i) as well as Article 9(3) GDPR
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing or
(5) for the establishment, exercise or defence of legal claims.

5. Notification obligation

If you have exercised your right of any rectification or erasure of personal data or restriction of processing vis-a-vis the controller, the controller is required to communicate any rectification, erasure or restriction of processing of your personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to obtain information from the controller about those recipients.

6. Right to data portability

You have the right to receive your personal data which you have provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit these data to another controller without hindrance from the controller to which the personal data had been provided, where
(1) the processing is based on consent pursuant to Article 6(1) a) GDPR or Article 9(2) a) GDPR or on a contract pursuant to Article 6(1) b) GDPR and
(2) the processing is carried out by automated means.

In exercising this right to data portability you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you on the basis of Article 6(1) e) or f) GDPR including profiling based on those provisions.

The controller will no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data for such marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to revoke consent to the processing of your personal data

You have the right to revoke your declaration of consent under data protection law at any time. This does not affect the lawfulness of processing up to the time of revocation.

9. Automated, individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for entering into, or performance of, a contract between you and the data controller
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or
(3) is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9(1) GDPR unless point a) or g) of Article 9(2) applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.

In the cases of (1) and (3) the data controller implements suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express an own point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority where the complaint is lodged informs the complainant about the status and outcome of the complaint process, including the right to an effective judicial remedy pursuant to Article 78 GDPR.

The competent supervisory authority is LDI NRW.

www.ldi.nrw.de