Privacy policy

We are delighted that you are interested in our company. The management of Promata GmbH takes data privacy very seriously. It is possible to use the web pages of Promata GmbH in principle without providing any personal data. If you want to make use of a particular service provided by our company through our website, personal data may need to be processed, however. If personal data needs to be processed and if there is no legal basis for this processing, we will generally obtain the consent of the data subject in question.

Personal data, such as the name, address, e-mail address or telephone number of the data subject in question for example, is always processed in accordance with the General Data Protection Regulation and in compliance with the applicable country-specific data protection regulations.

For this reason, you may not use our online services without providing appropriate confirmation that we can collect your data, as we are required by the relevant provisions (e.g. the European General Data Protection Regulation and other regulations governing data privacy) to fulfil the transparency obligations that they contain. In this data policy, our company seeks to inform the public about the nature, scope and purpose of the personal data that we collect, use and process. Moreover, data subjects are informed in this privacy policy of the rights to which they are entitled.

As the controller responsible for processing data, Promata GmbH has implemented numerous technical and organisational measures to ensure that the personal data processed through this website is protected as comprehensively as possible. Nevertheless, transmissions of data over the Internet can be exposed in principle to security flaws, which means that absolute security cannot be guaranteed. For this reason, every data subject is free to provide us with personal data using alternative channels, for example by telephone.

1. Definitions
The privacy policy of Promata GmbH is based on the terminology that has been used by the European legislator and regulator when issuing the General Data Protection Regulation (GDPR) and in the “Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680” (DSAnpUG-EU — German Act on the adaptation of data protection laws to Regulation (EU) 2016/679 and on the implementation of Directive (EU) 2016/680). In order to guarantee this, we would first like to explain the terms that are used.

• Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

• Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

• Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

• Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

• Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

• Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

• Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

• Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

• Consent

Consent means any specific, informed and unambiguous indication of the data subject’s wishes freely given by the data subject by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

2. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other provisions of a data protection character is:
the company Promata GmbH, represented by the directors Daniel Böttcher, Ralf Eschweiler and Michael Wolf.

3. Contact details of the data protection officer
EU-CON BeraterForum GmbH
Waldfeuchter Str. 266
52525 Heinsberg
info@promata.de

Any data subject can contact our data protection officer directly at any time if they have any questions or suggestions concerning data privacy.

4. Contact details of the competent data protection supervisory authority:
North Rhine-Westphalia | Tel.: +49 211 384 240
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for the Protection of Data and Freedom of Information) of North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf, Germany
https://www.ldi.nrw.de

5. Cookies
The web pages of Promata GmbH use cookies. Cookies are small text files that are stored and saved on a computer system by a web browser.
A large number of websites and servers use cookies. A lot of cookies include a cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters which enables web pages and servers to be assigned to the specific web browser in which the cookie has been stored. This enables the websites and servers that are visited to distinguish the data subject’s individual browser from other web browsers that contain other cookies. A specific web browser can be recognised and identified using the unique cookie ID.
By using cookies, Promata GmbH can provide the users of this website with more user-friendly services that would not be possible if the cookie were not set in the browser.
By using a cookie, the information and offers provided on our website can be optimised for the user. Cookies allow us to recognise the users of our website. The purpose of recognising users is to make it easier for them to use our website. The user of a website that employs cookies does not, for example, have to input their access data again each time they visit the website, because this is done by the website and by the cookie stored on the user’s computer system. Another example is the cookie used for a shopping basket in an online shop. The online shop remembers the items that a customer has placed in their virtual shopping basket by means of a cookie.
Data subjects can stop cookies being placed on their system by our website at any time by adjusting the relevant setting in the web browser they are using and, by doing so, permanently object to having cookies placed on their computer. Moreover, cookies that have already been installed can be deleted at any time via the web browser or by using other software programs. All popular web browsers allow this. If the data subject disables the use of cookies in their web browser, they may not be able to use all of our website’s functions to the full extent.

6. Collection of general data and information
The website of Promata GmbH collects a range of general data and information each time that it is visited by a data subject or retrieved by an automated system. This general data and information is stored in the server’s log files.

The following information may be recorded:
(1) browser types and versions used;
(2) the operating system used by the accessing system;
(3) the website from which an accessing system accesses our website (known as referrers);
(4) the sub-pages that are visited by an accessing system on our website;
(5) the date and time the website was accessed;
(6) an Internet protocol address (IP address);
(7) The Internet service provider used by the accessing system; and
(8) other similar data and information that may be used to avert a danger if our information technology systems are attacked.
We do not draw any conclusions about the data subject when using this general data and information.

Rather, this information is needed to
(1) deliver the content of our website correctly,
(2) optimise the content of our website as well as the advertising for it,
(3) guarantee that our information technology systems and our website technology can function at all times, and
(4) provide law enforcement authorities with the information necessary to prosecute offences in the event of a cyber attack.
This data and information is collected anonymously and analysed by our company both statistically and with the aim of increasing data protection and data security in our company in order ultimately to ensure an optimal level of protection for the personal data that we process. The anonymous data of the server log files is stored separately from all personal data provided by a data subject.

7. Contact options on the website
As a result of statutory regulations, the website of Promata GmbH contains information that enables users to get in contact quickly with our company electronically and to communicate directly with us; this also includes a general address for electronic mail (e-mail address). If a data subject contacts the controller by e-mail or using a contact form, the personal data transmitted by the data subject is stored automatically. Personal data of this kind that is transmitted voluntarily by a data subject to the controller is stored for processing purposes or for the purpose of contacting the data subject. This personal data is not disclosed to third parties.

8. Routine erasure and blocking of personal data
The controller processes and stores personal data of the data subject only for the period that is necessary for the purpose of the storage to be achieved or for the period that may have been stipulated by the European legislator or regulator issuing directives and regulations or by another legislator in laws or regulations to which the controller is subject.
If the purpose of storing the data ceases to apply or if a period of storage stipulated by the European legislator or regulator issuing directives and regulations or by another legislator elapses, the personal data is blocked or erased as a matter of routine and in accordance with the statutory regulations.

9. Rights of the data subject

• Right to obtain confirmation

Data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed.

• Right to obtain information

Data subjects whose personal data is processed have the right to obtain information free of charge and at any time from the controller about the personal data concerning them that is stored and to receive a copy of this information. Furthermore, the European legislator and regulator have granted data subjects the right to obtain the following information:

• • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Moreover, the data subject has a right to obtain information as to whether personal data has been transferred to a third country or an international organisation. If this is the case, the data subject furthermore has the right to obtain information about the appropriate safeguards in relation to the transfer.

• Right to rectification

Data subjects whose personal data is processed have the right to demand that inaccurate personal data concerning him or her be rectified without undue delay. Moreover, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

• Right to erasure (right to be forgotten)

Data subjects whose personal data is processed have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and if the processing is not necessary (any longer):

• • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
  • the personal data has been unlawfully processed;
  • the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Where one of the above-mentioned grounds applies and a data subject would like to have their personal data erased, they can contact our data protection officer or another employee of the controller to this end at any time.

The data protection officer or another employee will arrange for this request to have the data erased to be complied with.

Where the personal data has been made public by Promata GmbH and our company as the controller is obliged pursuant to Article 17(1) GDPR to erase the personal data, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by these other controllers of any links to, or copies or replications of, this personal data if the processing is no longer necessary. The data protection officer or another employee will make the necessary arrangement for this in the specific case.

• Right to restriction of processing

Data subjects whose personal data is processed have the right to obtain from the controller restriction of processing where one of the following applies:

• • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where one of the above-mentioned requirements is met and a data subject wishes to obtain restriction of the processing of personal data that is stored at Promata GmbH, they can contact our data protection officer or another employee of the controller to this end at any time. The data protection officer or another employee will arrange for processing to be restricted.

• Right to data portability

Data subjects whose personal data is processed have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. They furthermore have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Moreover, in exercising his or her right to data portability pursuant to Article 20(1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where this is technically feasible and where this does not adversely affect the rights and freedoms of others.
The data subject can contact the appointed data protection officer or another employee at any time to assert this right to data portability.

• Right to object

Data subjects whose personal data is processed have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on these provisions.
If it receives an objection, Promata GmbH shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where Promata GmbH processes personal data for the purposes of direct marketing, the data subject has the right to object to the processing (with effect for the future) of the personal data for the purposes of this kind of marketing at any time. This also includes profiling where it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, Promata GmbH shall no longer process the personal data for these purposes.

Moreover, where personal data is processed at Promata GmbH for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The data subject can contact the data protection officer or another employee directly in order to exercise their right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject is furthermore free to exercise his or her right to object by automated means using technical specifications.

• Automated individual decision-making, including profiling

Data subjects whose personal data is processed have the right granted by the European legislator and regulator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(3) is based on the data subject’s explicit consent.
If the decision:
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller, or
(2) is based on the data subject’s explicit consent,
Promata GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If a data subject wishes to assert rights in relation to automated decision-making, they can contact the data protection officer or another employee of the controller to this end at any time.

• Right to withdraw consent given under data protection law

Data subjects whose personal data is processed have the right granted by the European legislator and regulator to withdraw their consent to the processing of personal data at any time. If a data subject wishes to assert their right to withdraw their consent, they can contact the our data protection officer or another employee of the controller to this end at any time.

10. Data privacy in applications and in the application process
The controller collects and processes the personal data of applicants for the purpose of executing the application process. The processing can also be carried out by electronic means. This is the case in particular where an applicant sends relevant application documents to the controller by electronic means, for example by e-mail or using a web form installed on the website. If the controller enters into an employment contract with an applicant, the data that has been sent is stored in compliance with the statutory regulations for the purpose of processing the employment relationship. If an employment contract is not entered into by the controller with the applicant, the application documents received by Promata GmbH are erased automatically after the applicant has been notified of the decision not to hire them, unless erasure conflicts with other legitimate interests of the controller. Other legitimate interests within this meaning include for example a burden of proof in proceedings pursuant to the Allgemeines Gleichbehandlungsgesetz (AGG — General act on equal treatment).

11. Data privacy provisions on the application and use of Google AdWords
The controller has integrated Google AdWords on this website. Google AdWords is an online advertising service that allows advertisers to display advertisements both in the Google search engine results and in the Google ad network. Google AdWords enables an advertiser to define specific key words in advance, by means of which an advertisement will be exclusively displayed in the Google search engine results when the user clicks a search result relevant to the key word using the search engine. In the Google ad network, the advertisements are distributed on websites relevant to the subject by means of an automatic algorithm and in consideration of the previously defined key words.
The company that operates the services of Google AdWords is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of Google AdWords is to promote our website by displaying advertisement relevant to the interests in question on the website of third-party companies and the search engine results of the Google search engine and displaying third-party advertising on our website. When a data subject visits our website from a Google ad, a conversion cookie is placed by Google on the data subject’s information technology system. Please see the earlier explanation of what cookies are. A conversion cookie expires after 30 days and is not used to identify the data subject. As long as it has not expired, the conversion cookie is used to track whether certain sub-pages, the shopping basket of an online shopping system for example, have been visited on our site. Using the conversion cookie, both Promata and Google can ascertain whether a data subject who has been directed to our website from an AdWords advertisement has generated a sale, i.e. has completed or cancelled a purchase.
The data and information collected by the application of the conversion cookie is used by Google to generate visitor statistics for our website. We use these visitor statistics in turn to find out the total number of users who have been directed to us from AdWords advertisements, i.e. to measure the success or failure of the relevant AdWords advertisement and to optimise our AdWords advertisements for the future. Neither our company nor other advertising customers of Google AdWords receive information from Google that could be used to identify the data subject.

The conversion cookie is used to store personal information, for example the websites that the data subject has visited. Each time a data subject visits our website, personal data, including the IP address of the Internet connection that they have used, is accordingly transferred to Google in the US. This personal data is stored by Google in the US. Google may in certain circumstances disclose the personal data collected in this technical process to third parties.

As we have described above, data subjects can stop cookies being placed on their system by our website at any time by adjusting the relevant setting in the web browser they are using and, by doing so, permanently object to having cookies placed on their computer. This setting in the web browser that is used would also prevent Google from placing a conversion cookie on the data subject’s information technology system. Moreover, a cookie that has already been installed by Google AdWords can be deleted at any time via the web browser or by using other software programs.

Furthermore, the data subject has the possibility of opting out of to interest-based advertising by Google. To do this, the data subject has to go to www.google.de/settings/ads using the link in every web browser that they use and change their preferences in the settings there. Please go to www.google.de/intl/de/policies/privacy/ for more information and Google’s applicable data privacy provisions.

12. Use of Google Analytics
This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on your computer and that enable your use of the website to be analysed. The information about your use of this website that is created by the cookie is generally transmitted to and stored on a Google server in the US. If IP anonymisation is enabled on this website, your IP address will, however, be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. The full IP address will be transmitted to a Google server in the US and shortened there only in exceptional circumstances. Google will use this information on behalf of the operator of this website in order to evaluate your use of the website, compile reports on the website activities and perform other services associated with the use of the website and Internet use for the website operator. The IP address transmitted from your browser within the framework of Google Analytics is not combined with other data by Google. You can prevent cookies from being stored by setting your browser software to do this; we draw your attention to the fact, however, that you may not be able to use all the functions of this website in their full extent in this case. You can furthermore prevent the data generated by the cookie and relating to your use of the website (including your IP address) from being collected and processed by Google by downloading and installing the browser plug-in from the following link (http://tools.google.com/dlpage/gaoptout?hl=de).

For more detailed information, please see http://tools.google.com/dlpage/gaoptout?hl=de and http://www.google.com/intl/de/analytics/privacyoverview.html (general information about Google Analytics and privacy policy). We draw your attention to the fact that the extension “gat._anonymizeIp();” has been added to Google Analytics on this website in order to guarantee anonymised collection of IP addresses (called IP masking).

13. Vimeo
We may embed videos from the “Vimeo” platform of the provider Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Privacy policy: https://vimeo.com/privacy. We draw your attention to the fact that Vimeo may use Google Analytics and refer in this connection to the privacy policy (https://www.google.com/policies/privacy) and opt-out settings for Google-Analytics (http://tools.google.com/dlpage/gaoptout?hl=de) and the Google settings for using data for marketing purposes (https://adssettings.google.com).

14. Legal basis for the processing
Point (a) of Article 6(1) GDPR provides the legal basis for our company for processing procedures in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case for example in processing procedures that are required in order to deliver goods or to perform another service or service in return, the processing is based on point (b) of Article 6(1) GDPR. The same applies for processing procedures that are necessary to take steps prior to entering into a contract, for example in cases involving enquiries about our products or services. If our company is subject to a legal obligation that requires personal data to be processed, for example in order to fulfil tax obligations, the processing is based on point (c) of Article 6(1) GDPR. In rare cases, the processing of personal data may be necessary in order to protect the vital interests of the data subject or of another natural person; This would be the case for example if a visitor were injured at our company and their name, age, health insurance data or other vital information had to be disclosed to a doctor, a hospital or another third party. The processing would then be based on point (d) of Article 6(1) GDPR. Finally, processing procedures might be based on point (f) of Article 6(1) GDPR. This provides the legal basis for processing procedures that are not covered by any of the legal bases described above where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to carry out processing of this kind in particular because they have been specifically mentioned by the European legislator. It has taken the view in this regard that a legitimate interest could be assumed where the data subject is a client of the controller (Recital 47, sentence 2, of the GDPR).

15. Legitimate interests in processing data that are pursued by the controller or a third party
If the processing of personal data is based on point (f) of Article 6(1), our legitimate interest is constituted by the conducting of our business activity in all of its forms.

16. period for which the personal data will be stored
The criterion for deciding how long personal data is stored is the relevant statutory retention period. The relevant data is erased as a matter of routine after the period has elapsed, provided it is no longer required to perform or initiate a contract.

17. Statutory or contractual regulations governing the provision of personal data; necessity for entering into a contract; obligation of the data subject to provide the personal data; possible consequences of a failure to provide personal data
We would like to take this opportunity to inform you that providing personal data is stipulated by law in some cases (e.g. tax regulations) or may also be required on account of contractual regulations (e.g. information on contracting partners). It may sometimes be necessary, in order to enter into a contract, for a data subject to provide us with personal data that we subsequently have to process. The data subject is required for example to provide personal data to us when our company enters into a contract with them. A failure to provide the personal data would have the consequence that the contract with the data subject could not be entered into.

The data subject can contact our data protection officer before providing their personal data. Our data protection officer will then clarify to the data subject in the specific case whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into the contract, as well as whether there is an obligation to provide the personal data and what consequences a failure to provide the personal data would have.

18. Automated decision-making
As a responsible company, we choose not to conduct automated decision-making or profiling.

19. Children
Protecting the privacy of children is an important issue. For this reason, we do not collect, process or use on our website any information from persons who we know are under the age of 13 if we have not previously obtained verifiable consent from a legal representative. Legal representatives can ask to inspect the information that their child has provided and request that it be erased.