I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection legislation of the member states as well as other data protection provisions is:
II. General use of the website
1. Scope of processing personal data
We only process the personal data of our users if this is necessary to provide a functional website as well as our content and services. The personal data of our users are processed regularly only once the user has given consent. An exception applies in cases in which it is not possible to obtain consent in advance for practical reasons and data processing is permitted by law.
We generally only collect personal information about users of our website in connection with enquiries about our services, e.g. via the ‘Contact’ page.
2. Legal basis for processing personal data
The legal basis for obtaining the consent of the data subject to process personal data is point (a) of Art. 6 (1) EU General Data Protection Regulation (GDPR). The legal basis for processing personal data required to fulfil a contract, with the data subject being one of the contracting parties, is point (b) of Art. 6 (1) GDPR. This also applies to processing operations that are required to perform pre-contractual measures.
The legal basis for processing personal data required to fulfil a legal obligation to which our company is subject is point (c) of Art. 6 (1) GDPR. The legal basis for vital interests of the data subject or another natural person making the processing of personal data necessary is point (d) Art. 6 (1) GDPR. The legal basis for data processing being required to maintain a legitimate interest of our company or a third party and this not being outweighed by the interests, basic rights and fundamental freedoms of the data subject is point (f) of Art. 6 (1) GDPR.
3. Data erasure and storage duration
Personal data of the data subject will be erased or blocked once the purpose of storage no longer applies. The data may be stored for longer if this is stipulated by European or national legislators in European regulations, laws and other provisions to which the controller is subject. The data are blocked or erased once a retention period prescribed by the stated regulations expires unless it is necessary to continue storing the data to enter into or fulfil a contract.
III. Providing the website and creating log files
1. Description and scope of data processing
Every time our website is accessed, our system automatically records data and information from the accessing computer system. When accessing our website www.classion.de, information is automatically sent to the server of our website by the browser used on your mobile device. This information is temporarily stored in a so-called log file. The following information will be recorded without any action on your part and stored until it is automatically erased:
• IP address of the requesting computer,
• Date and time of access,
• Name and URL of the retrieved file,
• Website from which our site is accessed (referrer URL),
• Browser used and possibly the operating system of your computer as well as the name of your access provider.
2. Legal basis for data processing
Legal basis for the temporary storage of data and the log files is point (f) of Art. 6 (1) GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to transmit the website to the user’s computer. The IP address of the user must stored for the duration of the session. These purposes are in line with our legitimate interest in data processing according to point (f) of Art. 6 (1) GDPR.
4. Duration of storage
The data will be erased once they are no longer required to achieve the purpose for which they were collected. This is the case when each session ends if data are collected to provide the website.
5. Option to object and appeal
It is necessary to collect data to provide the website and to store data in log files to operate the website. The user cannot object to this.
1. Description and scope of data processing
2. Legal basis for data processing
Legal basis for processing personal data using cookies is point (f) of Art. 6 (1) GDPR.
3. Purpose of data processing
These purposes are in line with our legitimate interest in processing personal data according to point (f) of Art. 6 (1) GDPR.
4. Duration of storage, option to object and appeal
1. Scope of processing personal data
We use the open source software tool Matomo (formally PIWIK) on our website to analyse the surfing habits of our users. The software places a cookie on the user’s computer (see above for information on cookies). If individual pages of our website are accessed, the following data are stored:
(1) Two bytes of the IP address of the accessing system of the user
(2) The accessed website
(3) The website from which the user is referred to the accessed website (referrer)
(4) The subpages that are accessed from the accessed website
(5) The length of time on the website
(6) The frequency of access of the website
The software runs exclusively on the servers of our website. The user’s personal data are only stored there. The data are not passed on to third parties.
2. Google Analytics
3. Legal basis for processing personal data
The legal basis for processing the user’s personal data is point (f) of Art. 6 (1) GDPR.
4. Purpose of data processing
The processing of the user’s personal data allows us to analyse the surfing behaviour of our users. By analysing data we obtain, we can compile information about the use of individual components of our website. This helps us to constantly improve our website and its user friendliness. These purposes are in line with our legitimate interest in data processing according to point (f) of Art. 6 (1) GDPR. Anonymising the IP address adequately takes the user’s interest in protecting their personal data into account.
5. Duration of storage
The data is erased once they are no longer required for our recording purposes.
6. Option to object and appeal
VI. Social plug-ins Facebook, Instagram & LinkedIn
On our website, we give you the option of using so-called ‘social plugins’ of the companies:
• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (Facebook und Instagram);
• „Recommended-Button“ von LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA;
The plug-ins on the website are only shown as a graphic that contains a link to the corresponding website of the plug-in provider. Clicking on the graphic forwards you to the services of the provider. Only then will your data be sent to the respective service provider. If you do not click on the graphics, no data will be exchanged between you and the social networks above.
VII. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights with regard to the controller:
1. Right to access
You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed. Where that is the case, you can request access to the following information from the controller:
(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of your personal data or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You shall have the right to be informed if your personal data are transferred to a third country or to an international organisation. In this context, you shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
2. Right to rectification
You shall have the right to have personal data rectified and/or completed by the controller if the personal data about you is incorrect or incomplete. The controller shall rectify the data without undue delay.
3. Right to restriction of processing
You shall have the right to obtain from the controller restriction of processing where one of the following applies:
(1) the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (4) you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If you have obtained restriction of processing pursuant to the requirements above, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Erasure obligation
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obli- gation to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data about you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Art. 9 (2), and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
(4) your personal data have been unlawfully processed;
(5) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
b) Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9 (2) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to information
If you have exercised your right to rectification, erasure or limitation of processing against the controller, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if you request it.
6. Right to data portability
You shall have the right to receive your personal data, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to point (a) of Art. 6 (1) GDPR or point (a) of Art. 9 (2) GDPR or on a contract pursuant to point (b) of Art. 6 (1) GDPR; and
(2) the processing is carried out by automated means.
In exercising this right to data portability, you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw the declaration of consent under data protection law
You shall have the right to withdraw you consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests;
(3) is based on your explicit consent.
These decisions shall not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless point (a) or (g) of Art. 9 (2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
Status as of: May 2020