Privacy Policy: ChromoTek

Content
1. Who is the controller and how can the controller be contacted?
2. What categories of personal data are being processed?
3. What is the purpose and legal basis of the data processing?
4. Who are potential recipients of personal data?
5. Is data being transferred to a third country?
6. Could services
7. Webinars/webcasts and web meetings
8. Newsletters and electronic notifications
9. Data protection information for applications
10. How long will personal data be stored?
11. What are my rights as a data subject?
12. Changes to our privacy statement

ChromoTek hereby brings the following explanations to the attention of its customers and third parties using our blogs, landingpages, Newsletters, Webinars, Social Media Accounts and Services for the purposes of fulfilling the information requirements under Art. 13 of the General Data Protection Regulation (“GDPR”).

 

1. Who is the controller and how can the controller be contacted?

Controller is ChromoTek GmbH, Am Klopferspitz 19, 82152 Planegg-Martinsried, Email: info@chromotek.com.
You can contact ChromoTek’s data protection officer any time by sending an e-mail to privacy@chromotek.com with regard to any questions and remarks you may have in connection with your personal data.

 

2. What categories of personal data are being processed?

ChromoTek processes the following categories of personal data:

 

a) Automatically generated website visitor information

ChromoTek collects information and data that is automatically transmitted or generated by the visitor’s browser each time ChromoTek’s website is accessed. Such information includes the IP address, the URLs of the site you visited before accessing the ChromoTek website (“referrer”), the browser used, the operating system used, the access device used, date and time of your access, the pages viewed on the ChromoTek website, potentially your user behavior (e.g. data entered, objects clicked, mouse cursor movements) and the time you spend on the website. This data is automatically transferred by the browser, regardless whether you are a registered user or not.

b) Google Analytics

ChromoTek’s blog uses the web analytics service Google Analytics that is provided by Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses “cookies”. Cookies are small text files that are placed on your computer which allow analyzing how you use the platform. The information generated by the cookie on your use of the platform will be transmitted to and stored by Google on servers in the United States. We have activated the so called “IP-anonymization” which means that your IP address will be truncated within the area of the European Union or the European Economic Area before being transferred to the United States. Only in exceptional cases the entire (i.e. non-truncated) IP address will be transferred to a Google server in the US and truncated there. Google will use this information on our behalf for the purpose of evaluating your use of the platform, compiling reports on platform activity and providing other services relating to platform and internet usage. Google does not provide us with data that we may link back particularly to you.

Your truncated IP address that is transferred to Google will not be associated with any other data held by Google. You may refuse accepting cookies by selecting the relevant settings of your browser. However, please note that if you do so you may not be able to use the full functionality of the platform. You can also opt out from being tracked via Google Analytics with effect for the future by downloading and installing Google Analytics Opt-out Browser Add-on under http://tools.google.com/dlpage/gaoptout?hl=de.
Clicking on this link set an opt-out cookie which prevents the future collection of your data via Google Analytics when visiting our website. Please note that you must opt-out again if you delete all cookies in your browser. Personal data associated with cookies, user identifiers (e.g., User-ID) and advertising identifiers (e.g., DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers) will be deleted automatically after 14 months.
This website utilizes Google Analytics with the extension “anonymizeIP()”. This ensures processing of truncated IP addresses, so that no direct personal identification via IP addresses is possible. You can find additional information on Google Analytics and Google’s privacy policy here: http://www.google.com/analytics/terms/de.html,
privacy information: http://www.google.com/intl/de/analytics/learn/privacy.html,
privacy policy: www.google.de/intl/de/policies/privacy.

c) Social Media

ChromoTek GmbH maintains online presences within social networks in order to communicate with users or to provide information about us.
We point out that user data may be processed outside the European Union. This can be associated with certain risks, because the enforcement of the users' rights could be more difficult than inside the EU. However, we would like to point out that US providers offer adequate guarantees for a secure level of data protection and are obliged to comply with the data protection standards of the EU.

Furthermore, data of users of social networks are usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and user interests. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to these).
For a detailed presentation of the respective forms of processing and the possibilities of objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

Also, in the case of requests for information and the assertion of data subject rights, we would like to point out that these can most effectively be enforced with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly. Should you nevertheless require assistance, please contact us.

  • Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

  • Affected persons: Users (e.g. website visitors, users of online services).

  • Purposes of processing: contact requests and communication, tracking (e.g. interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).

  • Legal basis: legitimate interests (Art. 6 (1) GDPR), consent by the user (Art. 6 (1) sentence 1 lit. a GDPR), fulfilment of contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b. GDPR)

Used services and service providers:

Privacy policy: https://privacy.xing.com/en/privacy-policy

d) Order and transaction data

If you place an order we will collect and process the respective order and transaction data, including

  • your contact information and delivery address

  • your order

  • delivery and shipment status

  • payment data and payment status

The processing of the aforementioned data is required to fulfil an order.

 

e) User accounts and communication

When you create a user account, we collect the following data:

  • name, surname, username, password, email address, home and delivery address, TR ID no., demographic data, bank data

  • Administrative data, e.g. the date of your registration and your last visit

If you contact us (e.g. place an inquiry with our customer service), we also store and process your communication with us (e.g. e-mails).

 

f) Newsletter and marketing information

If you provide us with your contact information (e-mail) via placing an order or creating a user account and have given us your consent by agreeing to receive marketing information, we will regularly send you marketing information and our newsletter about our own products and services. We may also send you invitations to electronic surveys.
You can withdraw your consent and opt-out at any time by clicking on the opt-out link provided in all marketing mailings without incurring any costs (other than the usual transmission costs at the basic rates).

Provider: Inxmail GmbH, Wentzingerstraße 17, 79106 Freiburg, Deutschland: sending of newsletters

 

3. What is the purpose and legal basis of the data processing?

We process personal data in accordance with the requirements of the GDPR:

 

a) To perform a contract with the customer (Art. 6 (1)(b) GDPR)

We process personal data to perform our contract with our customers, including to:

  • manage registered users’ accounts and personalize the website

  • facilitate purchases and sales, including

    •  confirming the credentials of the party directly/indirectly shopping through the website,

    •  saving contact and other necessary information for communication purposes,

    •  contacting our customers for the purposes of providing information on the terms, current status of the distant sales agreement and other agreements executed in accordance with the relevant provisions under the Law on the Protection of Consumers and updates regarding thereto,

    •  taking orders, providing goods and services,

    •  realizing payment transactions,

    •  preparing all records and documents constituting the basis of the transaction either electronically (internet/mobile, etc.) or as hardcopies,

    •  fulfilling the obligations assumed under the distant sales agreement and any other agreement executed in accordance with the relevant provisions under the Law on the Protection of Consumers,

  • ensure the performance of technical, logistical and other similar functions by third parties on behalf of the seller.

 

b) For the purposes of the legitimate interests pursued by ChromoTek (Art. 6 (1)(f) GDPR)

We process personal data for the purpose of our legitimate interests, including:

  • Service improvements, for example

    • providing a better shopping experience to our customers and visitors

    • improving goods and services, resolving systemic problems

    • continue to improve the websites and services technically and adapt them to the needs of our users and visitors

    • evaluating customer complaints and suggestions concerning our services

  • Analysis of aggregated, pseudonymous data e.g.

    • analyzing customer environments

    • analyzing website visitor behavior to compile statistical reports on website activity

    • create aggregated statistics on access channels and the transition to our partner’s websites

  • Marketing, e.g.

    • providing information to our customers with respect to products that may be of interest to them, based on the customer’s field of interest

    • providing information on campaigns

    • providing information about our products and services

    • various marketing and advertisement activities and in this regard, organizing electronic and/or physical surveys through contracted entities

    • if you have given us your consent, SMS/short messages, instant messages to purchasers, use autodial, computer, phone, e-mail/mail, fax, other electronic communication tools and carry out commercial electronic communications in accordance with the applicable legislation with respect to presentation, advertisement, communication, promotion, sales and marketing purposes concerning the goods and services

    • Providing marketing partners (e.g. retargeting / advertising providers) with pseudonymous data about website usage, in order to display “targeted” ads on third party websites (“retargeting”)

 

c) Pursuant to legal obligations (Art. 6(1) GDPR)

We will provide information to public officials in accordance with the applicable law and upon demand in cases concerning public safety. In addition, we will fulfil our legal obligations and exercise our rights arising from the applicable legislation.

 

d) Consent based (Art. 6(1)(a) GDPR)

To the extent you have granted us consent to process your personal data for certain purposes, such processing is based on your consent. You can withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

e) Automatic individual decisions and profiling

ChromoTek does not make decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you pursuant to Art. 22 GDPR.

 

4. Who are potential recipients of personal data?

Generally, we do not give your personal data away to third parties, unless you have given consent to such transfer or the transfer is legally permitted. In particular, we do not give your e-mail address or other contact information to third parties for advertising purposes or as part of address trading.

That being said, personal data may be transferred to third parties as follows:

To our external contractors and service providers, who act as data processors. These data processors receive personal data solely for the performance of their services for us. They are contractually obliged not to use personal data for other purposes. Data processors may include, without limitation, IT service and telecommunication providers (including e.g. hosting and cloud storage providers), logistics and shipping providers, accounting and business service providers, CRM, sales, advertising, survey and marketing service providers.

Website: https://www.google.com/?hl=de

    • Logmein USA, Inc., 320 Summer Street, Boston, MA 02210, USA: for hosting webinars

Website: www.gotomeeting.com/webinar

Privacy policy: www.logmeininc.com/de/legal/privacy

  • Banks and payment service provider, including the Interbank Card Centre, for the purpose for processing payments.

  • Fraud prevention agencies/providers.

  • Advertising and retargeting partners, as stated above, who may be permitted to set a cookie on your computer and receive your IP address and information about the visited webpages, for tracking and advertising purposes. No identification information (e.g. email address, username, name, address, ...) is being transmitted. See “Retargeting” above.

  • Courts and other public institutions due to legal requirements.

 

5. Is data being transferred to a third country?

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer the data in a third country if the special requirements of Art. 44 ff. GDPR. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g. BCR, adequacy decision) or compliance with officially recognized special contractual obligations (so-called "standard contract clauses").

 

6. Cloud services?

We use software services accessible via the Internet and running on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the following purposes: document storage and management, calendar management, e-mailing, spreadsheets and presentations, exchanging documents, content and information with specific recipients or publishing web pages, forms or other content and information, and participating in audio and video conferences.
In this context, personal data may be processed and stored on the servers of the providers, as far as they are part of communication processes with us or otherwise processed by us as described in this privacy policy. This data may include, in particular, master data and contact details of users, data on procedures, contracts, other processes and their contents. The providers of cloud services also process usage data and metadata that they use for security purposes and service optimization.
If we use the cloud services to provide other users or publicly accessible websites with forms or other documents and content, the providers may store cookies on the users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).
Notes on legal bases: If we ask for consent to use the cloud services, the legal basis for processing is consent. Furthermore, their use can be a component of our (pre)contractual services, provided that the use of the cloud services has been agreed in this context. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient and secure administration and collaboration processes).

  • Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

  • Data subjects: Customers, employees (e.g. employees, applicants, former employees), interested parties, communication partners.

  • Purposes of processing: office and organizational procedures.

  • Legal basis: Consent (Art. 6 Paragraph 1 S. 1 lit. a GDPR), Fulfilment of contract and pre-contractual inquiries (Art. 6 Paragraph 1 S. 1 lit. b GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Services used and service providers:

Salesforce.com (CRM)

We also use the CRM system of the provider salesforce.com in order to process user inquiries faster and more efficiently. Salesforce uses user data only for the technical processing of the inquiries and does not pass them on to third parties. In order to use salesforce, at a minimum, you must provide a correct e-mail address. A pseudonymous use is possible. In the course of processing service requests, it may be necessary to collect additional data (name, address). The use of Zendesk is optional and serves to improve and accelerate our customer and user service.

  • Types of data processed: inventory data (e.g. names, addresses), contact data (e.g. e-mail, phone numbers), content data (e.g. text entries, photographs, videos), order and contract history

  • Persons concerned: Communication partners, business partners.

  • Purpose of processing: We use the cloud-based CRM system to manage contact requests and communication, administration of applications for sales, marketing, supplier and customer management. 

  • Legal basis: Fulfilment of contract and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).

Services used and service providers:

  • Salesforce: The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA

Web page: https://www.salesforce.com/de/  
Processor BCR: https://www.salesforce.com/company/privacy/ 
Privacy policy: https://www.salesforce.com/de/company/privacy/

HubSpot (CRM)
Parallel to Sales Force, we use HubSpot for our online marketing activities. This is an integrated software solution with which we cover various aspects of our online marketing. These include among others:

  • Content Management (website and blog)

  • E-mail marketing (newsletter as well as automated mailings, e.g. to provide downloads)

  • Social media publishing and reporting

  • Reporting (e.g. traffic sources, accesses)

  • Contact management (e.g. user segmentation and CRM)

  • Landing Pages and Contact Forms

Our service allows users to learn more about our company, download content and provide their contact information and other demographic information. This information, as well as the content of our website, is stored on servers of our software partner HubSpot. We may use this information to contact visitors to our Web site and to determine which services of our company are of interest to them. We use all collected information exclusively to optimize our marketing. 
Service Provider HubSpot, Inc. 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy 

 

7. Webinars/webcasts and web meetings

We offer webinars/webcasts or web meetings with different topics at regular intervals.
Participation in a webinar/webcast or web meeting requires registration. For webinars/webcasts and web meetings we use the products GoToWebinar and GoToMeeting .
LogMeIn Ireland Ltd. provides us with a registration link for registration.
During the registration process the following data is processed:

  • First name, last name

  • Company

  • Address

  • E-mail address

We need your data regularly for the creation of an invoice and your e-mail address for the transmission of the registration confirmation.
The legal basis for the data processing follows from Art. 6 para. 1 lit. b GDPR.
Your data will be deleted when they are no longer required for the purposes for which they were collected.
Service provider: LogMeIn Ireland Limited, Bloodstone Building Block C, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. Website: https://www.logmeininc.com , Privacy Policy:

 

8. Newsletter and electronic notifications

We send newsletters, e-mails and other electronic notifications (hereinafter referred to as "newsletters") only with the consent of the recipients or a legal permission. If, in the course of registering for the newsletter, its contents are specifically described, they are decisive for the consent of the users. Furthermore, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name for the purpose of personal contact in the newsletter, or other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: The registration for our newsletter is always carried out in a so-called Double-Opt-In-Procedure. This means that you will receive an e-mail after registration in which you are asked to confirm your registration. This confirmation is necessary so that nobody can register with foreign e-mail addresses. The newsletter registrations are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored by the shipping service provider are also logged.
Deletion and restriction of processing: We may store the deleted e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of a consent is confirmed at the same time. In case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a block list for this purpose alone.
The logging of the registration procedure is based on our legitimate interests for the purpose of proving that it has been carried out properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.
Information on legal bases: The dispatch of newsletters is based on the consent of the recipients or, if consent is not required, on our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g. in the case of advertising to existing customers. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The registration process will be recorded on the basis of our legitimate interests in order to prove that it was carried out in accordance with the law.
Content: Information about us, our services, campaigns, events, products and offers.
Analysis and performance measurement: The newsletters contain a so-called "web-beacon", i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened, or, if we use a mailing service provider, from their server. Within the scope of this retrieval, technical information such as information on the browser and your system, as well as your IP address and the time of retrieval, is initially collected.
This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined by means of the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if used, that of the mailing service provider to observe individual users. Rather, the evaluations serve to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The evaluation of the newsletter and the measurement of success are carried out, subject to the express consent of the users, on the basis of our legitimate interests for the purpose of using a user-friendly and secure newsletter system that serves our business interests and meets the expectations of the users.
A separate revocation of the performance measurement is unfortunately not possible, in this case the entire newsletter subscription must be cancelled or must be contradicted.

  • Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses, ID), usage data (e.g. websites visited, interest in content, access times).

  • Affected persons: Communication partners.

  • Purposes of processing: direct marketing (e.g. by e-mail or by post).

  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

  • Option to object (opt-out): You can cancel receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably e-mail.

Used services and service providers:

  • Inxmail: Email marketing platform; service provider: Inxmail GmbH, Wentzingerstr. 17, D-79106 Freiburg; Website: https://www.inxmail.de ; Website: https://www.inxmail.de/datenschutz  

  • Analysis tool Pardot from salesforce.com Inc.: The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA

You can object to the evaluation of your user behavior at any time by clicking on the unsubscribe link provided in each newsletter e-mail or by informing us by e-mail to datenschutz@chromotek.com  or via another contact channel. The information is stored as long as you have subscribed to the newsletter. After you unsubscribe, we store the data purely statistically and anonymously.

 

9. Data protection information for application

We process your applicant data exclusively for the purpose and within the scope of the application procedure in accordance with the legal requirements. Candidate data is processed to fulfill our (pre-)contractual obligations within the framework of the applicant selection procedure in accordance with Art. 6 Para. 1 lit. b GDPR as well as § 26 BDSG, if the data processing is necessary for us, e.g. within the framework of legal procedures.
The application procedure requires that applicants send us their application documents. The required applicant data is derived from the job offers. In principle, this includes personal details, address and contact data as well as the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.
Insofar as special categories of personal data within the meaning of Art. 9 Para. 1 GDPR are voluntarily disclosed as part of the application procedure, they are additionally processed in accordance with Art. 9 Para. 2 lit. b GDPR (e.g. health data, severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 Para. 1 GDPR are requested from applicants in the course of the application procedure, their processing is also carried out in accordance with Art. 9 Para. 2 letter a GDPR (e.g. health data if this is necessary for the exercise of the profession).
Applicants can send us their applications by e-mail or post. Please note, however, that e-mails are generally not sent in encrypted form and that the applicants themselves must ensure that they are encrypted. We can therefore not assume any responsibility for the transmission path of the application. 
In the event of a successful application, the data provided by the applicants may be processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. The applicants' data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time.
Subject to a justified revocation by the applicants, the data will be deleted after a period of six months after completion of the selection process in order to comply with our obligation to provide evidence under the Equal Treatment Act (AGG). Invoices for any travel expense reimbursement will be archived in accordance with tax law requirements.

 

10. How long will personal data be stored?

We process and store personal data if necessary for the purpose of processing, in particular for the performance of our contractual services or for the observance of legal obligations.
In particular:

  • Transaction / order data is stored for the term of statutory retention periods as prescribed by tax law, i.e. ten years.

  • User account data (except for transaction data) will be deleted one year after the deletion of a user account.

 

11. What are my rights as a data subject?

You have right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDRP) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR). In addition, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). 

 

12. Changes to our privacy statement

We keep our privacy statement under regular review, and we will place any updates on this web page, as required by changes in our data processing. We will inform you as soon as the changes require your cooperation (e.g. consent) or to receive other individual notification This privacy policy was last updated on August 19th, 2022.