Data Protection Declaration


I. Name and Address of the Controller

Name and address of the Controller as defined by the General Data Protection Regulation and other legal regulations of the individual member states trades:

Creditreform Rating AG
Europadamm 2-6
41460 Neuss
Germany
Phone: +49 (0) 21 31 / 109-626
email: info@creditreform-rating.de
Website: www.creditreform-rating.de

II. Address and Contact Details of the Data Protection Officer

The Data Protection Officer of the Controller can be contacted under:

Creditreform Rating AG
Europadamm 2-6
41460 Neuss
Germany
Phone: +49 (0) 21 31 / 109-602
email: datenschutz@creditreform-rating.de
Website: www.creditreform-rating.de

III. General Remarks

1. Description and scope of the Controller’s personal data processing activities

It is generally possible to access and use our website without any disclosure of personal data. Any submission of personal data that we may request on our website (including name, address or email address) will, insofar as this is possible, occur on a voluntary basis. Exceptions are made in cases where factual or practical reasons prevent us from procuring a prior permission and where legal regulations permit the processing of data under the circumstances given. Beyond this, personal data of customers are not disclosed to third parties. We are, however, permitted to provide government authorities with individual personal data inasmuch as the authorities in question request these data within their statutory powers (e.g.: for the purposes of law enforcement and criminal prosecution).
We would like to draw your attention to the fact that no Internet data transmission (for example communication via email) can ever be fully secure. It is not possible to guarantee total protection of data from third-party access. We hereby expressly object to any third-party use of the contact data that we publish under our duty to disclose the identities of the individuals who are accountable for our editorial content pursuant to German law for the purpose of sending non-requested advertising and information material. The individuals concerned reserve the right of taking legal action against entities which are sending them non-requested advertising including spam mails.

2. Legal foundations for the processing of personal data

Inasmuch as we are procuring permissions from the data subjects for the processing of their personal data, Art. 6 (1) lit. a of the EU-General Data Protection Regulation (GDPR) shall serve as the legal foundation for any such processing of personal data.
Art. 6 (1) lit. b of the GDPR shall provide the legal foundation for any processing of personal data that is required to fulfil the obligations of a contract in which the data subject is one of the parties. This also applies to data processing activities that are performed to take steps at the request of the data subject prior to entering in to the contract.
Inasmuch as a processing of personal data is required to fulfil a legal obligation of our company, Art. 6 (1) lit. c of the GDPR shall serve as the legal foundation for any such processing of personal data.

If vital interests of the data subject or another natural person require a processing of personal data, Art. 6 (1) lit. d of the GDPR shall serve as the legal foundation for any such processing of personal data.

If the data processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and if these legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1) lit. f of the GDPR shall serve as the legal foundation for any such processing of personal data.

3. Deletion and storage periods

All personal data of the data subject shall be deleted or made unavailable for users when the legitimate purpose for storing the data in question has ceased to exist. Data may also be retained if such a data storage is required by European or national laws, regulations or other statutory provisions to which the Controller is subject. Data will also be deleted or made unavailable to users if a storage period specified in any of the aforementioned laws, regulations, legal provisions or standards has expired, unless the data in question must otherwise be retained for the purposes of agreeing a contract or of complying with the terms of a contract.

IV. Provision of the Website and Compilation of Log Files

1. Scope and description of the data processing activities

The provider of the pages automatically collects and stores the following information, using so-called server log files, which is automatically transmitted to us by your browser:

  • Type and version of the browser
  • Operating system in use
  • Pseudonymized IP address of the computer accessing the network (e.g.: 123.123.123.XXX)
  • Date and exact time of the server request

The log files contain pseudonymized IP addresses or other data on the basis of which an individual user might, in theory, be identified. Any such data are never retained together with the personal data of users. We reserve the right of examining these data retrospectively in the event that we have been provided with concrete evidence for unlawful use.

2. Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR serves as the legal foundation for the temporary storage of data and log files.

3. Purposes of the data processing activities

The temporary storage of IP addresses within the system is necessary to allow the delivery of the website to the user’s computer. For this purpose, the user’s IP address must be kept in storage for the duration of the session.

The log file storage serves to maintain the website’s functionality. We also use the relevant data to optimize the site and to protect the security of our information technology systems. No data from this stage of the operation are used for marketing purposes.

4. Storage period

Data will be deleted as soon as they are no longer required to fulfil the purposes for which we originally collected them. In the case of data storage for the purpose of transmitting content from the website to the user, this means that any such data will be deleted at the end of the respective session.

Data will be deleted from log files after a maximum period of seven days, but may be retained for longer periods. In any such case, the IP addresses of the users will be deleted or modified in such a way that it is no longer possible to connect the addresses to the individual user who accessed the files in question.

5. Right to object and to demand removal

The temporary storage of data as described in the above and the storage of data in log files are necessary for the operation of the website. The user therefore has no right to object.

V. Use of Cookies

1. Description and scope of the Controller’s personal data processing activities

Internet pages may use so-called cookies. Cookies do not damage your computer and do not contain computer viruses. We are using cookies to make our websites more user-friendly, more effective and more secure. Cookies are small text files that are picked up by your browser and stored on the hard drive of your computer.

Most of the cookies that we use are so-called “session cookies“. They will be automatically deleted as soon as you leave our site. Other cookies are retained by your device until you delete them. These cookies allow us to recognize your browser during your next visit.

You can instruct your browser to notify you whenever a cookie is stored in your system, to delete cookies automatically every time you close the browser or to permit the storage of cookies either on a case-by-case basis, in exceptional cases only or not at all. If you deactivate cookies, you may not be able to use all the functions of our website.

2. Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR serves as the legal foundation for the processing of personal data through the use of cookies.

3. Purposes of the data processing activities

We are using the technically required cookies to make it easier for the users to access and navigate the website. Some of our website’s functions cannot be used without the use of cookies. To benefit fully from the offers that we provide, browser recognition must be enabled after a change of page.

We require cookies for the following applications:

  • Use of the web shop (login, shopping basket)
  • Changes of the language settings
  • Search term memory

Data that have been collected by technically required cookies will not be used to create user profiles.

4. Storage period, right to object and to demand removal

Cookies are stored on the user’s computer and transmitted to our website. This means that you have full control over the cookies‘ use. By changing the settings of your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. Deletions can also be performed automatically. If you deactivate cookies, you may not be able to use all the functions of our website.

VI. Web Shop Registration and Use

1. Description and scope of the Controller’s personal data processing activities

Our website provides users with an opportunity to register by submitting certain personal data. Users enter these data into an input mask and transmit them to us. We subsequently store these data.
The use of our web shop also requires a voluntary registration through the submission of certain personal data. We are applying the widest possible range of safeguards to protect your personal data from unauthorized third-party access. We do not provide any third party with your data or market these data. The submission of payment data and the payment process itself are handled by the payment service provider of your choice (such as PayPal).
We require the following data to complete the registration process:

  • First name and family name
  • Country
  • Company affiliation
  • Position at the company
  • Business phone number and email address
  • Personal password

The following data are also stored as part of the registration process:

  • User IP address
  • Date and exact time of the registration

During the registration process, we request your permission to process the data you submit and link to this Privacy Statement.

2. Legal foundations for the processing of data

Art. 6 (1) lit. a of the GDPR serves as the legal foundation for the processing of personal data with the user’s permission.
Additionally, if the registration is required to fulfil the obligations of a contract in which the data subject is one of the parties or to perform steps at the request of the data subject prior to entering in to the contract, Art. 6 (1) lit. b of the GDPR shall also serve as the legal foundation for the processing of the data in question.

3. Purposes of the data processing activities

The website requires user registrations for the provision of certain content and services.
Users must also complete the registration process to enable us to fulfil the obligations of any contract with the user or to perform steps prior to entering into any such contract. The information that you provide is necessary to complete payment and invoicing procedures.

4. Storage period

Data will be deleted as soon as they are no longer required to fulfil the purposes for which we originally collected them. Inasmuch as data are concerned which have been submitted as part of the registration process, this means that they shall be deleted when the registration of the user in question on our website is cancelled or modified.
Data that have been stored during the registration process in order to enable us to fulfil the obligations of any contract with the user or to perform steps prior to entering into any such contract shall also be deleted when the data are no longer required for the purposes of the contract in question. A necessity to retain the personal data of the contractual partner can survive the completion of the contract in order to enable us to comply with certain contractual and legal obligations.

5. Right to object and to demand removal

Users are free to cancel their registration at any time. You can also instruct us at any time to modify or to rectify any personal data that we may have stored about you. If you want to delete your account, please contact info@creditreform-rating.de or our Data Protection Officer (for contact details, please see II.). We shall promptly comply with any request to delete personal data.
If the data are required to fulfil the obligations of a contract or to perform steps prior to entering into a contract, a premature deletion of data can only be performed if no contractual or legal obligations prevent us from deleting the data in question.

VII. Contact Form and Contact Via Email

1. Description and scope of the Controller’s personal data processing activities

Our website features a contact form that users are free to use on a voluntary basis. If a user takes advantage of this opportunity to contact us, any data that are entered into the input mask and submitted will be transmitted to us. We subsequently store these data. These data include the following:

  • Title
  • First name and family name
  • Company affiliation
  • Position at the company
  • Address of the company (Post Code, Town or County)
  • Business phone number and email address
  • Product in which an interest has been expressed
  • User-defined text information

When the user submits the form, we also store the following data:

  • User IP address
  • Date and exact time of the submission

Alternatively, users can also contact us via email under an address that has been specified for this purpose. Any personal data that users submit in their emails will also be stored.
No data that have been stored in this way shall be provided to third parties. The data are exclusively used for the purpose of processing the conversation or to perform steps prior to entering into a contract.

2. Legal foundations for the processing of data

Art. 6 (1) lit. f of the GDPR serves as the legal foundation for the processing of the data. Additionally, if the contact is established with a view to agreeing a contract, Art. 6 (1) lit. b of the GDPR shall also serve as the legal foundation for the data processing activities.

3. Purposes of the data processing activities

Personal data from the input mask of the contact form shall be exclusively used for purposes of contacting potential customers and of performing steps prior to entering into a contract. If users contact us by email, we shall equally exercise our legitimate business interest in processing any data submitted to us in this way.
Other personal data that have been provided to us during the submission as described in the above shall be used to prevent the misuse of our contact form and to ensure the security of our information technology systems.

4. Storage period

Data will be deleted as soon as they are no longer required to fulfil the purposes for which we originally collected them. Inasmuch as the personal data are concerned that have been submitted through the input mask or per email, this means that they shall be deleted when the conversation with the user in question has been completed. Conversations shall be considered completed when the circumstances indicate that the underlying matter has been conclusively settled.
Other personal data that have been provided to us during the submission as described in the above shall be deleted after a maximum period of seven days.

5. Right to object and to demand removal

Users can at any time withdraw their consent to the processing of their personal data. Users who contact us per email shall be free to object to the storage of their personal data at any time. In such a case, we shall not be able to continue the conversation.
Withdrawals of consent and objections to data storage can be submitted by email to the address info@creditreform-rating.de or to our Data Protection Officer (for contact details, please see II.). On receiving such a request, we shall promptly delete all personal data that have been stored in connection with the user’s activity of contacting us.
If the data are required to fulfil the obligations of a contract or to perform steps prior to entering into a contract, a premature deletion of data can only be performed if no contractual or legal obligations prevent us from deleting the data in question.

VIII. Rights of Data Subjects

If any of your personal data are processed, you are a data subject as defined by the GDPR and have the right to exercise the following rights against the Controller:

1. Right of access to personal data

You have the right to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed.
Where that is the case, you can instruct the Controller to provide you with the following information:

(1) the purposes of the processing activities;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) any available information as to the source of the personal data where they have not been collected directly from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
(9) whether your personal data are transferred to a third country or to an international organisation and what appropriate safeguards are in place pursuant to Article 46 of the GDPR relating to any such transfer.

2. Right to rectification

You have a right to obtain from the Controller the rectification or completion of inaccurate or incomplete personal data concerning you. The Controller shall have to perform the rectification or completion without undue delay.

3. Right to restriction of processing

You have the right to obtain from the Controller restriction of processing where one of the following applies:

(1) you are contesting the accuracy of your personal data in reference to a period which enables the Controller to verify the accuracy of the personal data in question;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the Controller no longer requires the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, or
(4) you have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether the legitimate grounds of the Controller override your own reasons.
(5) Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(6) If a restriction of processing has been obtained in reference to any of the legal grounds outlined in the above, you shall be informed by the Controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase
You have the right to obtain from the Controller the erasure of your personal data without undue delay. The Controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies:
(1) Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw consent on which the processing is based according to point (a) of Article 6 (1) of the GDPR, or point (a) of Article 9 (2) of the GDPR, and there is no other legal ground for the processing.
(3) You object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) of the GDPR.
(4) Your personal data have been unlawfully processed.
(5) Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
(6) Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Third-party involvement
Where the Controller has made your personal data public and is obliged pursuant to Art. 17 (1) of the GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you (as the data subject concerned) have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions
No such right to erasure shall apply to the extent that processing is necessary:

(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right of information

Once you have exercised your right of rectification, erasure or restriction of processing against the Controller, the Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in compliance with his respective obligations to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You also have the right to instruct the Controller to identify those recipients to you.

6. Right to data portability

You have the right to receive your personal data that you have provided to the Controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been submitted, provided:

(1) the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) of the GDPR or on a contract pursuant to point (b) of Article 6 (1) of the GDPR; and
(2) the processing is carried out by automated means.
In exercising your right to data portability, you shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of this right shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to any processing of your personal data which is based on point (e) or (f) of Article 6 (1) of the GDPR, including profiling activities that may be based on those provisions.
The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you shall have the right to object at any time against any processing of your personal data for such marketing purposes, including profiling to the extent that it is related to such direct marketing activities.
Once you have objected to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
You may opt – in the context of the use of information society services and notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

8. Right to withdraw the Declaration of Consent under Data Protection Law

You have the right to withdraw your Declaration of Consent to the processing of data at any time. Any such withdrawal of your consent to the processing of personal data shall not affect the lawfulness of the processing activities that have been completed in the period between the provision of the Declaration of Consent and its eventual withdrawal.

9. Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or similarly affecting you in a significant way. This shall not apply when the relevant decision:

(1) is necessary for entering into, or performance of, a contract between you and the Controller,
(2) is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests, or
(3) is based on your explicit consent.
These decisions, however, shall not be based on special categories of personal data referred to in Article 9 (1) of the GDPR, unless point (a) or (g) of Article 9 (2) of the GDPR applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.
In cases for which the exemptions described in the above under points (1) and (3) apply, the Controller shall implement suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

11. Data processing for applications

You can apply via our website. You can see how the applicant data is processed here: