conreri digital development
DEEN
Legal

Privacy Notice

Controller

The controller within the meaning of Art. 4(7) GDPR and other data protection regulations is

conreri digital development GmbH
Von-Kurtzrock-Ring 16
22391 Hamburg, Germany
Phone: +49 (0) 40-22 86 64 26

Email: info@conreri.de
Website: www.conreri.de

Data Protection Officer

For questions and suggestions regarding data protection and the enforcement of your rights, you are also welcome to contact our Data Protection Officer:

conreri digital development GmbH
Von-Kurtzrock-Ring 16
22391 Hamburg, Germany
Phone: 0151 61728308
Email: support@conreri.de

Table of contents

  1. General information
  2. Data collected automatically when using our website
  3. Your (data subject) rights
  4. Overview of data processing procedures
  5. Presence on social media

I. General information

We collect various types of data on our websites. Some data is collected automatically when you use our services, for example through the use of so-called cookies. This automatically collected data is mostly of a general nature and primarily includes information about the duration and location of access.

In addition, with your consent, we collect personal data and data that you voluntarily provide when you wish to use certain services. It is possible to use our websites without providing personal data, but the scope of use may in some cases be considerably limited.

You decide on consent to the use of various purposes and service providers when you first access our website. Apart from the processing strictly necessary for the operation of the website, it is up to you which data processing you allow.

Due to many regulatory changes, an extensive set of data protection rules has emerged in recent years, intended on the one hand to ensure data security and strengthen the rights of users, but on the other hand has produced a flood of relevant terms. To make the following more detailed explanations of collected data, legal provisions and rights more accessible, we have briefly summarised the most important of these terms below.

Definitions of terms

In our privacy notice we use terms that are used and defined in the GDPR. So that you know what these mean, we would like to explain the most important terms.

Processor

A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller and bound by its instructions.

Consent banner

As a user, you have the option of granting your consent to processing that requires consent and of revoking it for the future. You make this decision via the so-called consent banner, which is automatically displayed on your first visit to our websites and provides you with the most important information about data processing.

Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on users' devices. A cookie primarily serves to store information about a user during or after their visit within an online offering. The stored information may include, for example, language settings on a website, login status, a shopping cart or video interactions. The term cookies also includes other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also referred to as "user IDs"). Cookies are used to make websites more user-friendly. Since cookies are stored on the user's computer, you have control over them. You can make changes in your browser settings regarding the use and storage of cookies. However, deactivating cookies will in most cases lead to limited usability of our offering.

Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

Consent is an expression of self-determination in data protection law. It is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. Consent given can be revoked at any time for the future.

Recipient

The recipient is a natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation under Union or Member State law are not regarded as recipients.

Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). A natural person is regarded as identifiable who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address or cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Telecommunications Digital Services Data Protection Act (TDDDG)

The TDDDG is a law intended to protect the integrity of the end device and thus the privacy of users. The legal basis for storing and accessing information in the end user's terminal equipment is consent pursuant to Section 25(1) sentence 1 TTDSG. This consent is requested when the website is accessed.

Pursuant to Section 25(2) no. 2 TDDDG, consent is not required if the storage of information in the end user's terminal equipment or access to information already stored in the end user's terminal equipment is strictly necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user. You can see from the cookie settings which cookies are to be classified as strictly necessary (often also referred to as "technically necessary cookies"), therefore fall under the exemption of Section 25(2) TDDDG and thus do not require consent.

Please note that the legal basis for the subsequent processing of personal data results from the GDPR. The relevant legal bases for the processing of personal data on this website are provided further on in this privacy notice.

Processing

Processing is any operation or set of operations performed on personal data, whether or not by automated means. This basically includes any handling of personal data such as the collection, storage, modification, use, transmission, dissemination, deletion or destruction of personal data.

Controller

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller must ensure the lawfulness of data processing through the use of regularly reviewed technical and organisational measures.

Data transfer outside the EU

The GDPR guarantees an equally high level of data protection within the European Union. When selecting our service providers, we therefore rely as far as possible on European partners when your personal data is to be processed. Only in exceptional cases will we have data processed outside the European Union in the context of using third-party services.

We only permit processing of your data in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that the processing of your data may then only take place on the basis of special guarantees, such as the officially recognised determination by the EU Commission of a level of data protection equivalent to that of the EU or compliance with officially recognised special contractual obligations, the so-called "standard data protection clauses".

II. Data collected automatically when using our website

When using the website purely for informational purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. This data is not merged with other data sources without your consent.

When you access our website, we collect the following data that is technically necessary for us to display our website to you and to ensure stability and security:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page, name of the requested file)
  • Access status / HTTP status code (file transferred, file not found, etc.)
  • Amount of data transferred in each case
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software
  • Consent to the use of cookies

The temporary storage of the IP address by our system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

Temporary storage or processing of this so-called server log data is strictly necessary for reasons of ensuring functionality and technical security, in particular to ward off and defend against attack or damage attempts, and takes place on the basis of our corresponding legitimate interest pursuant to Art. 6(1)(f) GDPR. Where there are concrete indications, the log data may be analysed retrospectively.

The data stored by our hosting provider Hetzner is automatically deleted after 90 days.

III. Your (data subject) rights

Under the EU General Data Protection Regulation, you have various rights as a data subject, which you can assert at support@conreri.de. These are set out below:

Right of access

You can request confirmation from us as to whether personal data concerning you is being processed by us. If such processing takes place, you can request the following information from us:

  • the purposes for which the personal data is processed;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom your personal data has been or will be disclosed;
  • the planned duration of the storage of your personal data or, if specific information is not possible, criteria for determining the storage period;
  • the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to object to such processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • all available information about the origin of the data if the personal data is not collected from the data subject;
  • the existence of automated decision-making including profiling pursuant to Art. 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject.

You also have the right to request information as to whether your personal data is transferred to a third country or to an international organisation. In this context, you can request to be informed about the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.

You also have a right to rectification and completion vis-à-vis us if your personal data is incorrect or incomplete.

Right to lodge a complaint with the supervisory authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority responsible for us:

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str 22, 7th floor
20459 Hamburg, Germany
Phone: (040) 428 54 – 4040
Email: mailbox@datenschutz.hamburg.de
Website: https://datenschutz-hamburg.de

The supervisory authority with which the complaint was lodged will inform you of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Right to restriction of processing

Under the following conditions you can request the restriction of the processing of your personal data:

  • if you contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of its use;
  • we no longer need the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims; or
  • if you have objected to the processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether our legitimate grounds override yours.

If the processing of your personal data has been restricted, such data may – apart from being stored – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the processing has been restricted under the above conditions, you will be informed by us before the restriction is lifted.

Right to erasure

You can request that your personal data be erased without delay and we are obliged to erase this data without delay if one of the following reasons applies:

  • your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • you revoke your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR and there is no other legal basis for the processing;
  • you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
  • your personal data has been processed unlawfully;
  • the erasure of your personal data is necessary to fulfil a legal obligation under Union or Member State law to which the controller is subject;
  • your personal data was collected in relation to information society services offered pursuant to Art. 8(1) GDPR.

The right to erasure does not exist insofar as the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to under (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or for the establishment, exercise or defence of legal claims.

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis us, we are obliged to notify all recipients to whom your personal data has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.

Right to data portability

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that

  • the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR; and
  • the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from us to another controller, where this is technically feasible. The freedoms and rights of other persons may not be adversely affected by this. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

IV. Overview of data processing procedures

This chapter lists the data processing procedures on this website. It also transparently shows which services we use for this purpose.

Newsletter with Rapidmail

We use rapidmail to send newsletters to our clients. The provider is rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany. The data you enter for the purpose of subscribing to the newsletter is stored on rapidmail's servers in Germany. No transfer of data to third countries takes place.

The legal basis for the data processing is Art. 6(1)(b) GDPR. If you do not want analysis by rapidmail, you must unsubscribe from the newsletter. For this purpose we provide a corresponding link in every newsletter.

For the purpose of analysis, the emails sent with rapidmail contain a so-called tracking pixel that connects to rapidmail's servers when the email is opened. In this way it can be determined whether a newsletter message has been opened and which links in the newsletter are clicked.

For more details, please refer to rapidmail's data security information at: https://www.rapidmail.de/datensicherheit.

V. Presence on social media

We maintain presences on "social media". Insofar as we have control over the processing of your data, we ensure that the applicable data protection regulations are complied with. Below you will find the most important data protection information regarding our company presences.

In addition to us, the following are responsible for the company presences within the meaning of the EU General Data Protection Regulation (GDPR) and other data protection regulations:

  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  • Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany)

You use these platforms and their functions at your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). We point out that your personal data may be processed outside the area of the European Union.

We process your personal data on the basis of our legitimate interests in effective information and communication pursuant to Art. 6(1) sentence 1(f) GDPR.

Since we do not have full access to your personal data, you should contact the social media providers directly when asserting your data subject rights, as they each have access to the personal data of their users and can take appropriate measures and provide information.

Should you nevertheless need help, we will of course try to support you.