Privacy policy

Privacy Policy of CEVEYGROUP Status 08/20

(as PDF)
We take the protection of your personal data very seriously!

The following statement gives you an overview of how we ensure this protection and what kind of data is collected for what purpose.

In principle, the basis for the storage and use of your data is your consent. Or legal permission. What we do with your data depends on this.

A note in advance: For better readability, we refrain from using masculine and feminine forms of language – all references to persons apply equally to both types of person.

Gender.

You will first find some general information on the subject of data protection here.

For detailed regulations for users of various services, please refer to chapters I. to VI. below for the following areas:

I. For all users of this website
II. For inquiries to our companies
III. For users of our test systems via the CSYSGATE platform
IV. For participants in online training with Zoom
V. For applicants
VI. For business contacts and seminar participants

General information:

“GDPR” is used here as shorthand for the EU General Data Protection Regulation.
The following information is provided in accordance with Art. 13 (or Art. 14) DSGVO to fulfill the information obligations in areas where CEVEYCONSULTING GmbH and CEVEYSYSTEMS GmbH collect, process or use personal data as data controllers.

Person responsible for data protection:

CEVEYCONSULTING GmbH – CEVEYSYSTEMS GmbH
Managing Director CEVEYCONSULTING GmbH:
Dr. Bernhard Cevey-Trendelenburg
Managing Director CEVEYSYSTEMS GmbH:
Dr. Bernhard Cevey-Trendelenburg

Address of the responsible bodies:

CEVEYCONSULTING GmbH / CEVEYSYSTEMS GmbH
Pfalzhaldenweg 6
72070 Tübingen

Contact details of the data protection officer:

privacy(at)ceveygroup.com

Rights of the person concerned:

In order to ensure fair and transparent processing, we point out that the following rights, among others, exist for the data subject:

– The right to information
– The right to rectification or erasure or to restriction of processing
– The right to withdraw consent
– The right to data portability

As a legal basis, reference is made here to Articles 15-22 of the GDPR.

For purposes of exercising these rights, please contact: privacy(at)ceveygroup.com.

Furthermore, there is the right to complain to a supervisory authority.

Supervisory authority:

The supervisory authority responsible for CEVEYCONSULTING GmbH and CEVEYSYSTEMS GmbH in the sense of Art. 4 No. 21 DSGVO, § 40 BDSG new reads:
State Commissioner for Data Protection and Freedom of Information
Dr. Stefan Brink
Königstrasse 10 a
70173 Stuttgart
Phone: 0711/61 55 41 – 0
E-mail: poststelle@lfdi.bw.de

Other information:

– There is currently no automated decision-making including profiling.
– If CEVEYCONSULTING GmbH or CEVEYSYSTEMS GmbH intends to further process the personal data for a purpose other than that for which the personal data was collected, it shall provide the data subject with information about such other purpose and any other relevant information prior to such further processing. Provided that the other purpose is compatible with the previous purposes for which admissibility was given or legitimate interests of the CEVEYGROUP prevail, separate information is not necessary.
Your trust is important to us. Therefore, we are always available to answer your questions regarding the processing of your personal data. If you have any questions that cannot be answered by this privacy statement or if you would like more detailed information on any point, please contact the data protection officer at any time at datenschutz(at)ceveygroup.com.

I. For all users of our website

When using our Internet pages, the following data is stored for organizational and technical reasons: the names of the pages accessed, the browser and operating system used, the date and time of access, names of downloaded files and their shortened IP address. This evaluation serves exclusively to optimize our Internet presence and does not allow any conclusions to be drawn about an individual person.

Cookies use
We use cookies to make our site more user-friendly. Cookies are small text files that are stored on your terminal device. They help you navigate the website comfortably and without delay. Only anonymous data is used for this – it is not possible for us to identify you as the person behind it. Cookies do not harm your computer and do not contain viruses. Most of the cookies we use are so-called “session cookies”. They are automatically deleted after the end of your visit. Other cookies remain on your terminal device and enable us to recognize your browser on your next visit (persistent cookies).
You can set your browser so that you are informed about the setting of cookies and decide individually about their acceptance or exclude the acceptance of cookies for certain cases or in general. You can block or delete individual cookies. However, for technical reasons, this may result in some functions of our website being impaired and no longer functioning fully.

II. For inquiries to our companies

Do you have a specific request? You can find our contact details on the website under “Contact”. We are looking forward to your inquiry by mail, post or telephone. You decide yourself and voluntarily which data you pass on to us.
We use your data for the purpose of providing the service you requested, in order to send you suitable and tailored information on the topics you requested in the event of interest or queries on your part.

III. For users of our test systems via the CSYSGATE platform

Purpose for the data collection, processing or use
Answering the questions of the corresponding potential evaluation by the user, preparation of the results report, evaluation and discussion of the results with the user

Legal basis for the processing (Art. 6 DSGVO)
The data subject voluntarily consents to the use. This is the case by corresponding declaration of intent. This privacy policy is deposited on the portal CSYSGATE.
As a matter of principle, the CEVEYGROUP observes the principles of data avoidance and data economy with regard to the intended purposes of the processing, taking into account the interests of the data subjects that are worthy of protection.

Description of the groups of persons concerned and the related data or data categories
Affected group of persons: applicants of CEVEYCONSULTING GmbH, CEVEYSYSTEMS GmbH and SMARTinSALES GmbH, employees of customers and cooperation partners who use the test systems. Usual and necessary data of contacts (name, first name, company affiliation, e-mail address).

Recipients or categories of recipients to whom the data may be disclosed
All employees (including employees of sister companies, if applicable) who are authorized in-house to perform the tasks defined for the purpose.
If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is required for the performance of the contract pursuant to Art. 6 (1) lit. b DSGVO), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is done on the basis of Art. 28 DSGVO.

Upon request, further information can be obtained by contacting data protection(at)ceveygroup.com.

Data transfer to third countries
Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. This means, for example, that processing takes place on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Storage period or standard periods for the deletion of data
The legislator has enacted a wide range of retention obligations and periods. After expiry of these periods, the corresponding data is routinely deleted if it is no longer required for the fulfillment of the contract. For example, the commercial or financial data of a completed fiscal year is deleted in accordance with legal requirements after a further ten years, unless longer retention periods are prescribed or required for justified reasons. Shorter deletion periods are used in special areas (e.g. in the personnel administration area such as rejected applications or warnings). If data is not affected by this, it is deleted when the purposes for which it was stored cease to apply.

IV. For participants in online training with Zoom

Purpose for the data collection, processing or use
ZOOM is used as a tool to conduct video conferences and meetings, interactive online training, online meetings and online coaching. Data processing for purposes other than those mentioned above does not take place.

Legal basis for the processing (Art. 6 DSGVO)
The processing of personal data in the context of the use of ZOOM is based on the following legal grounds:
– Art. 6 par. 1 lit. a DSGVO, consent to the voluntary use of Zoom
– Art. 6 par. 1 lit. b DSGVO, insofar as the meetings are conducted in the context of contractual relationships.
– Art. 6 par. 1 lit. e, para. 2, 3 DSGVO for the performance of official duties
– Art. 6 par. 1 lit. f GDPR. Our interest is in the effective delivery of online training.

Description of the groups of persons concerned and the related data or data categories

Affected group of people:
Participants of online offerings where Zoom is used as a tool

Zoom collects User Data that is necessary for the provision of Zoom’s services. Data collected based on the use of Zoom services (e.g. meetings) will not be used by Zoom for advertising purposes. Zoom uses data that it receives when you visit marketing websites such as zoom.us and zoom.com. Website visitors have control over their own cookie settings when they visit the marketing websites.

Data categories when using Zoom in online meetings:
– User details:
First name, last name (as entered by the user himself when entering the meeting room),
E-mail address, password (only for users who have their own account, not for participants without their own account),
Profile picture (optional, if deposited by the user)
– Meeting metadata: Topic, attendee IP addresses, device/hardware information.
– When dialing in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
– Text, audio, and video data: Users may have the ability to use chat, question or polling features in an “online meeting”. In this respect, the text entries made by the user are processed in order to display them in the “Online Meeting”. To enable the display of video and the playback of audio, the data from the microphone of the terminal device as well as from any video camera of the terminal device are processed accordingly during the duration of the meeting. The camera or microphone can be switched off or muted at any time even via the “Zoom” applications.

We would like to point out that each user is responsible for what (possibly confidential) information he or she shares in an online meeting.

Recipients or categories of recipients to whom the data may be disclosed
Personal data processed in connection with the use of ZOOM will not be disclosed to third parties as a matter of principle, unless it is specifically intended for disclosure. The provider of ZOOM as well as any subcontractors necessarily receive knowledge of the processed data, insofar as this is required or provided for in the context of the order processing contract or any contractual relationships with subcontractors.

Data transfer to third countries
Zoom is a remote conferencing provider headquartered in San Jose, California/USA.
In this respect, the data processing takes place in a third country.
Only the EU and the USA (as the company’s headquarters) are selected as data centers for use by CEVEYGROUP; no processing takes place in other countries.

There is a “Global Data Processing Addendum” order processing agreement with Zoom, which can be found at https://zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf and which complies with the requirements of Art. 28 DSGVO.

On the other hand, an adequate level of data protection is guaranteed by the conclusion of so-called EU standard data protection clauses, which Zoom has concluded with the subcontractors (cf. Art. 46 DSGVO).

Zoom’s privacy policy can be found at https://zoom.us/de-de/privacy.html. The measures Zoom has taken to comply with the GDPR can be found at https://zoom.us/de-de/gdpr.html.

Storage period or standard periods for the deletion of data

Data protection-friendly default settings mean that the services are preset so that no communication content is stored. All other personal data will be stored by ZOOM as a processor within the meaning of Art. 28 DS-GVO for as long as necessary for the provision of the technical service and its billing.

Data protection-friendly default settings made by CEVEYGROUP in accordance with Art. 5 DSGVO
Meeting Attendance:
– Each meeting has its own ID, which is used only once.
– Users do not need their own account with Zoom to join a meeting, dial-in via browser is possible, no installation on the PC is required.
– Waiting room: joining a meeting before the moderator is not possible, the moderator grants access to the meeting only to the invited persons.
– Dialing into a meeting (also by phone) is possible for all participants only by entering a password, this is not automatically embedded in the link sent to the participants.

In the meeting:
– Automatic saving and saving chat messages by participants are blocked.
– All participants hear a sound when a new participant joins the meeting.
– Remote control is disabled: Participants cannot control shared content from other users.
– Remote camera control by other users is disabled.

Feedback to Zoom:
– The feedback function on Zoom is disabled.
– The option to report participants to Zoom in case of misconduct is disabled.
– The ability to contact Zoom Support via chat is disabled.
– The attention tracking has been removed by Zoom itself.

Records:
– All recording options and live streaming of meetings are disabled.

V. For applicants

Purpose for the data collection, processing or use
Conducting the application process, deciding on the conclusion of an employment contract.

Legal basis for the processing (Art. 6 DSGVO)
Art. 6 par. 1 letter b DSGVO: Implementation of pre-contractual measures, which are carried out at the request of the data subject.
The data subject submits his/her application voluntarily.
As a matter of principle, the CEVEYGROUP observes the principles of data avoidance and data economy with regard to the intended purposes of the processing, taking into account the interests of the data subjects that are worthy of protection.

Description of the groups of persons concerned and the related data or data categories
Affected group of persons: applicants of CEVEYCONSULTING GmbH, CEVEYSYSTEMS GmbH and SMARTinSALES GmbH
Usual and necessary information provided by applicants for application procedures.

Recipients or categories of recipients to whom the data may be disclosed
Human Resources Department as well as supervisor of the position for which you have applied, management. There is no transmission to third parties, with the exception of our service providers within the framework of order processing.

Data transfer to third countries
There is no intention to transfer the personal data to a third country or an international organization.
Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. This means, for example, that processing takes place on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Storage period or standard periods for the deletion of data
The data will be deleted 6 months after completion of the application process. If an employment contract is concluded, we will inform you separately about the use of data in the employment relationship.

VI. For business contacts and seminar participants

Purpose for the data collection, processing or use
Outreach. So that we can contact you for the business purposes.
For seminar participants: Documentation of participation in our events on behalf of our customers, to send event minutes and to create attendance confirmations.

Legal basis for the processing (Art. 6 DSGVO)
Depending on the phase of our contact, different legal bases are conceivable:
– Carrying out (also) pre-contractual measures that take place at the request of the data subject.
– The person concerned consents voluntarily. This is the case by corresponding declaration of intent.
– The processing is necessary for the fulfillment of contractual obligations (such as for CEVEYGROUP services).
– If necessary, also the protection of the legitimate interests of the CEVEYGROUP.
As a matter of principle, the CEVEYGROUP observes the principles of data avoidance and data economy with regard to the intended purposes of the processing, taking into account the interests of the data subjects that are worthy of protection.

Description of the groups of persons concerned and the related data or data categories
Affected group of persons: business contacts of CEVEYCONSULTING GmbH, CEVEYSYSTEMS GmbH and SMARTinSALES GmbH; contact persons of customers, service providers, partners; seminar participants
Usual and necessary contact details (name, first name, title, company affiliation, department if applicable, telephone no., e-mail address). Transaction data such as history entries can be linked to these contacts, this for proof and information basis for e.g. meetings.

Recipients or categories of recipients to whom the data may be disclosed
All employees (including employees of sister companies, if applicable) who are authorized in-house to perform the tasks defined for the purpose.
If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is required for the performance of the contract pursuant to Art. 6 (1) lit. b DSGVO), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is done on the basis of Art. 28 DSGVO.
Upon request, further information can be obtained by contacting data protection(at)ceveygroup.com.

Data transfer to third countries
Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. This means, for example, that processing takes place on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Storage period or standard periods for the deletion of data
The legislator has enacted a wide range of retention obligations and periods. After expiry of these periods, the corresponding data is routinely deleted if it is no longer required for the fulfillment of the contract. For example, the commercial or financial data of a completed fiscal year is deleted in accordance with legal requirements after a further ten years, unless longer retention periods are prescribed or required for justified reasons. If data is not affected by this, it is deleted when the purposes for which it was stored cease to apply. Contacts of people who are known to have left their companies are set to inactive and thus no longer appear in usual searches.