Privacy policy

This is how we handle data

PRIVACYNOTICE

Thank you for your interest in our services. We would like to inform you below about how we handle your personal data. Personal data is any information relating to an identified or identifiable natural person.

The protection of your privacy is important to us.

I. Who is responsible for data processing and whom can you contact?

Responsible for data processing (the data controller) is

ck.solution GmbH
represented by Managing Director Mr. Chris Kroos
Gutenbergstr. 6
49479 Ibbenbüren, Germany

Telephone: +49 (0)54519549-0
E-mail: mail@cksolution.de

The data protection officer is

Chris Kroos
Gutenbergstr. 6
49479 Ibbenbüren, Germany

Telephone: +49 (0)5451 95493-0
E-mail: accounting@cksolution.de

II. General information on data processing

1. Scope of data processing

Personal data is processed by us exclusively for the purpose of fulfilling the requested services and for the protection of our own justified business interests.

2. Legal basis for data processing

Legal bases for the processing may include:

  • Art. 6 (1) a) GDPR (your consent)
  • Art. 6 (1) b) GDPR, if the data processing serves to establish or perform a contract;
  • Art. 6 (1) c) GDPR, if we are legally obliged to collect data;
  • Art. 6 (1) f) GDPR, if we have a legitimate interest in the data processing and our interests override your rights and freedoms.

3. Duration of storage / deletion of data

We normally delete or block personal data as soon as the purpose for storing it no longer applies. If we are required by law to retain data, it will be blocked or deleted only after the statutory retention period has expired, unless it is necessary to continue to store the data in order to conclude or fulfil a contract. Storage and documentation obligations may arise from the German Civil Code (BGB), the German Commercial Code (HGB), the German tax code (AO) or others. The time limits for storage and documentation specified in these codes are two to a maximum of ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, are generally three years under sections 195 et seq. BGB.

4. Recipients of the collected data

The recipients of the data collected via our services are primarily ourselves. In addition, processors (e.g. web hosts) have access to the collected data. Compliance with the legal regulations is ensured in this respect, however, through order processing contracts that we conclude with our processors based in the EU. Data is only transferred to third countries to the extent that we inform you of this within the scope of this privacy notice.

In addition, your data will only be transferred to third parties within the scope of our services if the transfer of your data is absolutely necessary and is permitted by law.

5. Profiling / automated decision-making

We do not carry out profiling / automated decision-making within the meaning of GDPR.

6. Obligation to provide data

When you visit our website, there is no legal or contractual obligation to provide personal data. Within the framework of the contractual use of our services, the provision of personal data is mandatory. If this data is not provided, no contractual relationship can be established with us.

 

III. Data processing when visiting our public website

1. General

1.1 Scope of data processing

When you use our website for information purposes only, i.e. if you do not register or otherwise transmit information to us, we only collect the data that your browser transmits to our server (known as server log files). When you visit our website, we collect the following data, which is technically necessary for us to display the website to you:

(1) Information on the type of browser and version used (if transmitted by the user)
(2) The user’s operating system
(3) The user’s IP address (in anonymised form where necessary)<
(4) The time spent on the website and number of visits
(5) Date and time of access
(6) The website from which the user accesses our website (if indicated by the user)
(7) Any website that is called up by the user’s system via our website

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

1.2. Legal basis for data processing

The legal basis for the temporary storage of the data is Art. 6 (1) f) GDPR.

1.3. Purpose of data processing

The temporary storage of the IP address by the system is necessary so that the website can be sent to the requesting computer. The processing is based on our legitimate interest in improving the stability and functionality of the website.

These purposes also include our legitimate interest in data processing pursuant to Art. 6 (1) f) GDPR, which outweighs your rights, because you are free to visit our website and we provide transparent information about the data processing.

1.4. Duration of storage

The collected data is deleted as soon as it is no longer required to achieve the purpose for which it was collected (for providing the website). The IP address stored in the log files is deleted seven days after the session.

1.5. Possibility of objection and erasure

The collection of data for the provision of the website is vitally necessary in order for the website to function. Unfortunately, it is therefore not possible for you to object to the processing of data for this purpose.

 

2. Cookies

Cookies may be used when you visit our web pages. Cookies are text files that are stored in the web browser or by the browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified if the website is called up again.

We use the following technically necessary cookies:

Designation: CONCRETE5
Function: Necessary for use of the content management system. Stores information on access permissions to pages and content and language selection.
Duration of storage: Session

In addition, we use the following functional cookies:

Designations: *_fontSize
Functions: Saves the desired font size in the user manual
Duration of storage: 365 days

Designations: *_headerState
Functions: Saves the visitor’s setting as to whether the page title in the user guide should be displayed
Duration of storage: Session

Designations: *_hmDevice
Functions: Saves the type of browser being used (desktop, tablet or smartphone browser) so that the relevant CSS files and other resources can be used without further checks.
Duration of storage: 365 days

Designations: *_hmSearchHidden
Functions: Stores the width of the Table of Contents area set by the user.
Duration of storage: Session

2.2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) f) GDPR, our legitimate interest.

2.3. Purpose of data processing

The purpose of using technically necessary cookies is to make the use of websites easier for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised again even after a page change.

The user data collected through technically necessary or functionally necessary cookies is not used to create user profiles.

2.4. Duration of storage, options of objection and erasure

Cookies are stored on the user’s computer and transmitted from there to our site. The various storage durations can be found under point 2.1 above. As the user, you have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the sending of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

If cookies for our website are deactivated, it may no longer be possible to use all the functions of the website to their full extent.

 

3. E-mail contact / Contact forms /Partner contact

3.1. Scope of data processing

It is possible to contact us on our website via the e-mail address provided or our contact forms (for general contact or specifically to become an integration partner) and also to contact an SAP partner company. In this case, the personal data of the user transmitted by the e-mail or the respective contact form will be stored by us. Mandatory information is marked with an asterisk on the respective contact form. Further information can be given voluntarily. The data we collect via an e-mail enquiry or contact form is generally processed only by ourselves. If you use a contact form, in addition to the data you provide, we also collect the time and date of sending and the IP address. This data will only be used for processing the conversation or enquiry. To protect against misuse, we use a ‘captcha’ before sending a request; this enables computers to be distinguished from humans. For this purpose we use the solution provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany, with whom we have concluded a processing agreement.  The following log data is collected here: Request Headers User-Agent, Origin and Referrer; the puzzle itself that contains information about the account and website key to which the puzzle relates; the version of the widget, a timestamp.

Friendly Captcha stores an anonymised counter for each IP address to dynamically scale puzzle difficulty on the edge network to detect malicious users and minimise the blocking of legitimate users. This data is stored separately from the rest of the data and cannot be associated with specific websites. Friendly Captcha anonymises the IP addresses via one-way hashing so that the user cannot be personally identified. More information on the captcha can also be found at: https://friendlycaptcha.com/de/legal/privacy-end-users/

3.2. Legal basis for data processing

The legal basis for the processing of data collected in the course of sending an e-mail or using a contact form with captcha is Art. 6 (1) f) GDPR. If the contact is intended for the purpose of concluding a contract, an additional legal basis for the processing is Art. 6 (1) b) GDPR.

3.3. Purpose of data processing

The processing of the personal data we obtain when you make contact with us is used solely for the processing of the contact and its subject matter. When the contact form for SAP partner companies is used, the sole purpose of data processing is to refer you to the partner you have selected. This is also in our legitimate interests. Since the contact is initiated by you, since you are free to do so and since we inform you in advance how we handle the transmitted data, our legitimate interest outweighs your personal right. When the contact form is used, we store the IP address to protect our systems from misuse. The use of the captcha also serves to protect against misuse of our systems, i.e. to ensure that the enquiry is placed by a natural person.

3.4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case when the particular conversation with the user has ended. The conversation is ended when it is clear from the circumstances that the matter in question has been conclusively clarified. We delete the additional data collected when using the contact form after 7 days at the latest.

3.5. Recipients / forwarding of the data

Essentially, only we as the provider process the data from the contact forms. However, in the case of the contact form for SAP partner companies, we forward the contact data to the SAP partner company selected by the interested party so that they can contact the interested party directly. The SAP partner also stores this data. The selected partner company is responsible for informing you about how it then processes the data.In this respect, it is the sole controller within the meaning of GDPR.

3.6. Data processing outside the European Union

Please note that if you select an SAP partner company based outside the EU / EEA, data will be transferred to a third country and compliance with the European level of data protection is not guaranteed there by the GDPR. It can therefore not be ruled out that, for example, law enforcement or security authorities (e.g. NSA in the USA) have access to your data.

3.7. Possibility of objection and erasure

The user has the option of objecting to the storage of his personal data at any time. In such a case, the conversation cannot be continued. The objection can be made either by e-mail or by post via our contact details provided in the Legal Information section (imprint).

In the event of an objection, all personal data stored in the course of contacting you will be deleted by us. If the objection concerns our SAP partner company, we will forward your objection to them.

Insofar as data is collected within the framework of a contractual relationship, there is no possibility of objection, as this is absolutely necessary for the performance of the contract.

 

4. Update registration / Newsletters

4.1. Scope of data processing

We use rapidmail for sending newsletters. The provider is rapidmail GmbH, Wentzingerstrasse, 21, 79106 Freiburg, Germany, with whom we have concluded a processing agreement. One of the functions of rapidmail is to organise and analyse the dispatch of newsletters. The data entered by you for the purpose of receiving the newsletter will be stored on the servers of rapidmail in Germany. If you do not want analysis by rapidmail, you must unsubscribe from the newsletter. We provide a link for this in every newsletter. You can also unsubscribe from the newsletter directly on the website. For the purpose of analysis, emails sent by rapidmail contain a so-called tracking pixel that connects to the servers of rapidmail when the email is opened. In this way it can be determined whether a newsletter message has been opened. Furthermore, rapidmail enables us to determine whether and which links are clicked on in the newsletter message. All links in the email are ‘tracking links’ and can be used to count your clicks.

For further information please refer to rapidmail’s data security information at: https://www.rapidmail.de/datensicherheit.

For more information on the analysis functions of rapidmail, please visit: https://www.rapidmail.de/wissen-und-hilfe

4.2. Legal basis

The legal basis for data processing is Art. 6 (1) a) GDPR, your consent.

4.3. Purpose of data processing

We use rapidmail for sending newsletters.

4.4. Duration of storage

The data stored by us within the scope of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers and from the servers of rapidmail after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the login area) remain unaffected by this.

4.5. Revocation option

You have the option to revoke your consent to data processing with effect for the future at any time. The lawfulness of the data processing operations already carried out remains unaffected by the revocation.

 

5. Social media buttons

We have some social media buttons on our website (e.g. Facebook, Twitter, Instagram, etc.). For this purpose we use the ‘c’t Shariff’ solution developed by Heise Medien GmbH & Co. KG, which provides social media buttons compliant with data protection regulations.

Buttons provided directly by operators of social media networks inadmissibly transmit personal data such as the IP address or entire cookies right from the moment of loading a website on which they are integrated and so pass on precise information about your surfing behaviour to the social media services without this being requested. You do not have to be logged in or a member of the respective network for this to occur. In contrast, a Shariff button establishes direct contact between the social network and the visitor only when the latter actively clicks the Share button. Shariff thus prevents you leaving a digital trail on every page you visit and improves data protection. By using Shariff, we can protect your personal data yet still integrate social media sharing buttons. Further information can be found here:

https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html

If you go onto a social media platform, you leave our website. Information on subsequent data processing can then be found from the provider of the service concerned. Links to the social media privacy notices can be found here:

https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

https://de.linkedin.com/legal/privacy-policy

 

6. Job applications

You will find job vacancies on our website. If you apply for one of these by e-mail or using our designated form, we will handle your application and your personal data as follows:

6.1. Scope of data processing

We process the data that you send us in connection with your application or that we request via our form (name, e-mail address). You can also send your CV via our form. We then process all the relevant data on the CV. Your applicant data will be viewed by the HR department once your application is received. Suitable applications are then forwarded internally to the department heads for the position concerned. Then the further procedure is coordinated. In the company, only those persons have access to your data who need it for the proper course of our application procedure.

6.2. Legal basis for data processing

The legal basis is Section 26 Federal Data Protection Act (BDSG) in the version applicable since 25.05.2018. Under this, the processing of data required for the decision on establishing an employment relationship is permissible. A further legal basis is your consent pursuant to Art. 6 (1) a) GDPR.

Should the data be required for legal prosecution after completion of the application process, data processing may be carried out on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests pursuant to Art. 6 (1) f) GDPR. Our interest then consists in asserting or defending claims.

6.3. Purpose of data processing

The purpose of the data processing is to check your suitability for the position (or other open positions in our company, if applicable) and to carry out the application procedure. Insofar as legal claims are asserted following an application procedure, the purpose is to assert or defend claims.

6.4. Duration of storage

In the event of rejection, data of applicants will be deleted after 6 months.

If you have consented to further storage of your personal data, we will transfer your data to our applicant pool. There, the data is deleted after two years.

If you are awarded a position during the application process, the data from the applicant data system will be transferred to our personnel information system.

 

7. Online test environment

7.1. Scope of data processing

If interested parties wish to test our services and functionalities, we offer them an online test environment. Within the framework of the provision of the test environment, we initially only store the e-mail address and the time of request of each interested party. We will then send a confirmation link to the e-mail address given. If the interested party clicks the confirmation link, he will be technically enabled to access the test environment of our demo server and to test all available functions. We also store all times of the actions performed (registration, clicking the confirmation link, starting the test environment). It is not necessary to enter a name to use the test environment.

Within the test environment, we anonymously track usage behaviour (e.g. when the test ended, which functions were executed, etc.). In this context, however, we do not set any cookies, pixels, etc. in the user’s browser.

7.2. Legal basis

The legal basis is our legitimate interest pursuant to Art. 6 (1) f) GDPR and Art. 6 (1) b) GDPR (pre-contractual measures).

7.3. Purpose of data processing

The purpose of the data processing is to provide a test environment in order to demonstrate the functions of our software as realistically as possible to interested parties. We track user behaviour in order to make our test environment more user-friendly and to optimise the test environment. This is also in our legitimate interests, which outweigh the rights of users, because they are free to use our test environment and we also provide transparent information about data processing.

7.4. Duration of storage / options for objection

We delete the data we collect concerning the use of the test environment as soon as the purpose ceases to apply, i.e. when, depending on the individual case, it is foreseeable for us that a contractual relationship will not come about. If the test results in a contractual relationship, the storage period will depend on that contractual relationship. In such cases we collect further data (e.g. name, address, billing data etc.) as described below.

 

8. Login area / Registration my.cks

8.1. Scope of data processing

We provide customers with a login area on our website. In order to use the customer and partner portal via our website, registration is first required. The e-mail address you provide will be stored and processed for this purpose. You can provide additional data on a voluntary basis while using the portal, e.g.:

  • E-mail address
  • Company name and address
  • Industry
  • First name, last name, telephone number
  • Function / position in the stated company
  • Language
  • Date of birth
  • Other data that you save in the application.

For security reasons, your IP address (non-anonymised) is stored in the system during log-in.

8.2. Legal basis

The processing is carried out on the basis of Art. 6 (1) f) GDPR due to our overriding legitimate interest in ensuring the trouble-free operation of our website and, if applicable, Art. 6 (1) b) GDPR, where contractual or pre-contractual services are involved.

8.3. Purpose of data processing

The purpose of the data processing is the provision of our offered services, in which we also have a legitimate interest. The additional technical data serves as proof of your registration and as protection against misuse of our systems.

8.4. Duration of storage / options for objection

We delete your personal data after the aforementioned purposes cease to apply, unless we are legally obliged to retain it (e.g. due to tax law requirements). You can delete your account with us at any time. To do so, please use the contact options provided by us on the website.

If the data is required for the performance of a contract or for the implementation of pre-contractual measures, data can only be deleted early where contractual or legal obligations do not prevent deletion.

With regard to your further objection options, please read the section ‘Your rights as a data subject’.

 

9. Appointment bookings /registrations for training courses and other events

9.1. Scope of data processing

Customers, partners or interested parties wishing to make an appointment for a demonstration, training or other event can use our booking tool. The provider of the appointment booking tool is cituro GmbH, Peter-Dörfler-Strasse 30, 86199 Augsburg, Germany, with whom we have concluded a processing agreement.

The following data (mandatory data) is collected and stored when using the tool:

  • First and last name
  • E-mail address
  • Company name

Further information (e.g. telephone number) can be provided voluntarily. Where this is provided, we store and process all data provided by the user.

More information can be found at:

https://www.cituro.com/datenschutz

9.2. Legal basis for data processing

The legal basis for processing the data collected in the course of booking an appointment is Art. 6 (1) f) GDPR, our legitimate interest in processing the booking. If the contact is intended for the purpose of concluding a contract, an additional legal basis for the processing is Art. 6 (1) b) GDPR.

9.3. Purpose of data processing

The purpose of collecting the data is to identify and address the customer, to process the customer’s request, to contact the customer quickly in the event of appointment cancellations, to send confirmation messages or appointment reminders, to check availability, to reserve the selected appointment and for IT security. As the user is free to use the tool, our legitimate interest in the data provided prevails, unless this data is absolutely necessary for the reservation of an appointment as a pre-contractual or contractual measure in itself.

9.4. Duration of storage / options for objection

The data is deleted as soon as it is no longer required for achieving its purpose. This depends, among other things, on when the appointment takes place. The user can cancel appointments and object to data processing at any time. In such cases we will delete the data collected via the appointment booking.

 

10. Online meetings via TeamViewer

10.1. Scope of data processing

We use the TeamViewer tool to conduct video conferences, online meetings and training sessions (hereinafter ‘online meetings’). This is a service provided by TeamViewer Germany GmbH, a company based in Germany, with whom we have concluded a processing agreement.

As the provider of the meeting, the party responsible for data processing directly related to provision of the online meeting is ourselves.

If you use TeamViewer through the TeamViewer website, TeamViewer is responsible for data processing. It is however only necessary to access the website in order to download the software (application) for use.

If you are unwilling or unable to use the TeamViewer application, the basic functions can also be used via a browser version, which you can also find on the TeamViewer website. You can find the data protection notice for TeamViewer here:

https://www.teamviewer.com/de/datenschutzinformation/

The following personal data are processed:

User details: Username, display name, e-mail address, profile image (optional), preferred language

Meeting metadata: Meeting ID, participant IP addresses, telephone numbers, location

Text, audio and video data: You may have the option of using the chat function in an online meeting. If you use this facility, the text entries you make are processed in order to display them in the online meeting. To enable the display of video and the playback of audio, data from your terminal’s microphone and any terminal video camera will be processed as necessary for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the applications.

10.2. Legal basis

To the extent that personal data is processed by our employees, section 26 BDSG is the legal basis for data processing. Where personal data associated with the use of TeamViewer is not required for the establishment, performance or termination of the employment relationship, but is nevertheless an elementary component of the use of TeamViewer, the legal basis for the data processing is Art. 6 (1) f) GDPR. Our interest in these cases is in the effective conduct of online meetings.

Furthermore, the legal basis for data processing when conducting online meetings is Art. 6 (1) b) GDPR, insofar as the meetings are conducted prior to or within the framework of contractual relationships.

If there is no contractual relationship, the legal basis is Art. 6 (1) f) GDPR. Again, our interest is in the effective conduct of ‘online meetings’.

10.3. Purpose of data processing

We use TeamViewer to conduct online meetings. If we want to record online meetings, we will tell you transparently before the online meeting takes place and – where necessary – ask for consent.

If it is necessary for the purposes of logging the outcomes of an online meeting, we will log the chat content. However, this will usually not be the case.

Automated decision-making within the meaning of Art. 22 GDPR is not used.

10.4. Recipients / forwarding of data

Personal data processed in connection with participation in online meetings will not be disclosed to third parties except where it is specifically intended to be disclosed. Please note that content from online meetings, as also with face-to-face meetings, is often intended precisely to communicate information to customers, interested parties or third parties and is therefore intended to be shared.

Other recipients: The provider of TeamViewer necessarily gains knowledge of the above-mentioned data to the extent that this is envisaged within our processing agreement with TeamViewer.

10.5. Data processing outside the European Union

No data processing takes place outside the European Union (EU). However, we cannot exclude the possibility that data is routed via internet servers that are located outside the EU. This may be the case in particular if participants in online meetings are in a third country.

However, the data is encrypted during transfer via the Internet and is thus protected from unauthorised access by third parties.

10.6. Duration of data processing / options for objection

We generally delete personal data when there is no need for further storage. Such a need may exist in particular if the data is still required in order to fulfil contractual services, for checking and granting or ward off warranty and if applicable guarantee claims. Where statutory retention obligations apply, deletion can only come into consideration once the applicable obligations have expired.

 

11. Your rights as a data subject

When your personal data is processed, you are a data subject within the meaning of GDPR and are entitled to the following rights:

  • Right to information
  • Right of rectification
  • Right to restriction of processing
  • Right to erasure
  • Right to information
  • Right to data portability
  • Right to object
  • Right to revoke consent previously given
  • Right to complain to a supervisory authority.

A list of all supervisory authorities can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information at

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

 

11. IT security

To protect the security of your data during transmission we use the TLS encryption method (256 bit key), which you can recognise by the green lock symbol in the address line of the URL of our website. In addition, we secure our IT systems with firewalls, virus protection and other technical and organisational measures in accordance with the GDPR and the BDSG.

 

12. Right of modification

We reserve the right to modify this data protection notice to ensure that it complies with current legal requirements. The updated data protection declaration will then apply for subsequent visits to our website.

 

Dated: March 2023