Privacy policy

Privacy Policy of CEVEYGROUP Status 11/22

(as PDF)
We take the protection of your personal data very seriously!
The statement below will give you an overview about what we do to ensure your data is protected and what types of data are collected for what purposes.
Your consent, or permission provided by law, form the fundamental aspects governing the storage and use of your data. This will depend on what we actually do with your data.
First of all, you will find a few items of general information on the subject of data protection.
Detailed arrangements for users of various services can be found in chapters I to VI. below for the following areas:

I. For all users of this website
II. For users of our testing systems via the CSYSGATE platform
III. For participants in online trainings with Zoom
IV. For applicants
V. For business contacts and seminar participants
VI. For recipients of our newslette

General information:

“GDPR” is used here as an abbreviation for the EU General Data Protection Regulation.
In accordance with Article 13 (and/or Article 14) of the GDPR, the information below serves to fulfil the information obligations in areas in which CEVEYCONSULTING GmbH and CEVEYSYSTEMS GmbH as responsible entities, collect, process or make use of personal data.

Entities responsible for data protection:

CEVEYCONSULTING GmbH – CEVEYSYSTEMS GmbH
Managing Director CEVEYCONSULTING GmbH:
Dr. Bernhard Cevey-Trendelenburg, Pierre Martin

Managing Director CEVEYSYSTEMS GmbH:
Dr. Bernhard Cevey-Trendelenburg

Address of the responsible entities:

CEVEYCONSULTING GmbH / CEVEYSYSTEMS GmbH
Pfalzhaldenweg 6
72070 Tübingen

Contact details of the data protection officer:

datenschutz(at)ceveygroup.com

Rights of the data subject:

In order to ensure that all matters are handled fairly and transparently, we wish to point out that the rights of the data subject include the following:

• The right to information
• The right to rectification or to erasure or the right to restriction of processing
• The right to withdraw consent
• The right to data portability

The legal basis for this can be found in Articles 15 to 22 of the GDPR.
In order to exercise any of these rights, please send a message to: datenschutz(at)ceveygroup.com.
In addition, there exists a right to lodge a complaint with a supervisory authority.

Supervisory authority:

The competent supervisory body for CEVEYCONSULTING GmbH and CEVEYSYSTEMS GmbH in the sense of Article 4(21) of the GDPR and Section 40 German Federal Data Protection Act (new) is:
Regional Representative for Data Protection and the Freedom of Information
Königstrasse 10 a
70173 Stuttgart
Telephone: +49 (0)711/61 55 41 – 0
E-mail: poststelle@lfdi.bw.de

Other information:

  • Automated decision-making including profiling does not exist at the present time.
  • In the event that CEVEYCONSULTING GmbH or CEVEYSYSTEMS GmbH intends to process personal data for any other purpose than the one for which the personal data were collected, it will make information regarding that other purpose and all other material information available to the data subject, before the data undergoes further processing for the other purpose. In so far as the other purpose is compatible with the purposes to which consent had been given, or in the event that the justifiable interests of the CEVEYGROUP should prevail, providing separate information will not be necessary.

Your trust is important to us. That is why we are always ready to discuss and explain to you how we process your personal data. If you have any questions and the answers cannot be found in this Data Protection Statement, or if you would like to receive more detailed information regarding any specific point, please contact us at any time by sending an e-mail to our Data Protection Officer at datenschutz(at)ceveygroup.com.

 

I. For all users of our website

Use of cookies

If you would like to know more about the cookies we use, please refer to our Cookie Policy. You can find it at the following link: https://ceveygroup.com/cookie-richtlinie-eu/

Provision of the website

Type and scope of processing
When you call up and use our website, we collect the personal data that your browser automatically transmits to our server. The following information is stored temporarily in a so-called log file:
– IP address of the requesting computer
– Date and time of access
– Name and URL of the accessed file
– Website from which the access is made (referrer URL)
– Browser used and, if applicable, the operating system of your computer, as well as the name of your access provider

Hosting of the website
Our website is hosted by the following service provider.
– Hetzner Online GmbH
– Industriestr. 25
– 91710 Gunzenhausen
– Germany

Purpose and legal basis
The processing is carried out to protect our overriding legitimate interest in displaying our website and ensuring security and stability on the basis of Art. 6 para. lit. f DSGVO. The collection of data and storage in log files is mandatory for the operation of the website. There is no right to object to the processing due to the exception under Art. 21 (1) DSGVO. Insofar as the further storage of log files is required by law, the processing is based on Art. 6 para. 1 lit. c DSGVO. There is no legal or contractual obligation to provide the data, however, calling up our website is not technically possible without providing the data.

An effective contract for commissioned processing (AVV) has been concluded with the service provider in accordance with Art. 28 DSGVO.

Storage period
The aforementioned data is stored for the duration of the display of the website and for technical reasons beyond that for a maximum of 7 days.

Google Maps

We use the map service Google Maps to create directions. Google Maps is a service of Google Ireland Limited, which displays a map on our website.
When you access this content on our website, you establish a connection to servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, whereby your IP address and, if applicable, browser data such as your user agent are transmitted. This data is processed exclusively for the abovementioned purposes and to maintain the security and functionality of Google Maps.

Purpose and legal basis
The use of Google Maps is based on your consent pursuant to Art. 6 para. 1 lit. a. DSGVO and § 25 para. 1 TTDSG.

Storage period
The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google Maps: https://policies.google.com/privacy.

Contact form

On our website we offer you to contact us via a provided form. The information collected via mandatory fields is required to process the request. Furthermore, you can voluntarily provide additional information that you consider necessary for processing the contact request.
When using the contact form, your personal data will not be passed on to third parties.

Purpose and legal basis
The processing of your data by using our contact form is carried out for the purpose of communication and processing of your request on the basis of your consent pursuant to Art. 6 para. 1 lit. a DSGVO.  Insofar as your inquiry relates to an existing contractual relationship with us, the processing is carried out for the purpose of fulfilling the contract on the basis of Art. 6 (1) lit. b DSGVO. There is no legal or contractual obligation to provide your data, but the processing of your request is not possible without providing the information of the mandatory fields. If you do not wish to provide this data, please contact us by other means.

Storage period
Insofar as you use the contact form on the basis of your consent, we store the collected data of each inquiry for a period of three years, starting with the completion of your inquiry or until you revoke your consent.
If you use the contact form in the context of a contractual relationship, we store the collected data of each request for a period of three years from the end of the contractual relationship.

Google reCAPTCHA

We have integrated components of Google reCAPTCHA on our website (contact form). Google reCAPTCHA is a service of Google Ireland Limited and enables us to distinguish whether a contact request originates from a natural person or is automated by means of a program. When you access this content, you establish a connection to servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, whereby your IP address and possibly browser data such as your user agent are transmitted. Furthermore, Google reCAPTCHA records the user’s browsing time and mouse movements in order to distinguish automated requests from human ones. This data is processed solely for the above purposes and to maintain the security and functionality of Google reCAPTCHA.

Purpose and legal basis
The use of Google reCAPTCHA is based on your consent pursuant to Art. 6 para. 1 lit. a. DSGVO and § 25 para. 1 TTDSG.

Storage period
The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google reCAPTCHA: https://policies.google.com/privacy?hl=en-US

 

II. For users of our testing systems via the CSYSGATE platform

Purpose underlying the collection, processing or use of data
To answer questions regarding the relevant potential evaluation by the user, to draw up the appraisal of results and to evaluate and discuss the results with the user

Legal basis for the processing of data (Article 6 of the GDPR)
The data subject must voluntarily agree to the use of his/her data. This can be achieved by means of a corresponding declaration of intent. This Data Protection Statement is stored on the CSYSGATE portal.
The CEVEYGROUP will fundamentally adhere to the precepts of data avoidance and data minimisation with regard to the intended purposes for which data is processed, so as to take account of the interests of the parties concerned that are worthy of protection.

Description of the groups of persons affected and of the relevant data or categories of data

Group of persons involved: Persons submitting applications to CEVEYCONSULTING GmbH or CEVEYSYSTEMS GmbH, clients’ employees and cooperation partners making use of test systems.
The customary and essential details of contacts (surname, forename, company affiliation, e-mail address).

Recipients or categories of recipients to whom data can be divulged
All employees (including employees of affiliated companies, if applicable) who are tasked with fulfilling tasks of a specific purpose inside the company.
In so far as we disclose data to other individuals or entities (contract processors or third parties) during processing, transfer data to them or grant them access to the data in any other manner, we will do this only if there exists a legal basis to do so (e.g. if it is necessary, in fulfilment of contractual requirements, to transfer data to third parties, such as a supplier of payment services, in accordance with Article 6(1)(b) of the GDPR), if you have given consent, if we are legally obliged to do so or in order to uphold our justified interests (e.g. when deploying vicarious agents, web hosting providers, etc.). In so far as we instruct third parties to process data on the basis of a “contract processing agreement”, we will do so in accordance with Article 28 of the GDPR.
Further information can be obtained upon request by sending a message to datenschutz(at)ceveygroup.com.

Transfer of data to third countries
Subject to the terms set out by law or under a contract, we will only process data or arrange for it to be processed in third countries if the special requirements laid down under Article 44 et seq. of the GDPR have been fulfilled. Amongst other things, this means that processing will take place on the basis of special guarantees, such as the official adoption of a level of data protection corresponding to the one that applies in the EU (such as the “Privacy Shield” in the case of the USA) or compliance with officially recognised contractual obligations (standard contractual clauses).

Duration of storage and/or regulatory deadlines for the deletion of data
The legislator has imposed a variety of requirements and deadlines governing data retention. Once those deadlines have expired, the relevant data must be routinely deleted if no longer required to fulfil the terms of an agreement. As a rule, test data is deleted after the expiry of 2 years or when the purposes for which it was stored cease to apply.

 

III. For participants in Online-Trainings with Zoom

Purpose underlying the collection, processing or use of data
Zoom is used as a tool to conduct video conferences/meetings, interactive online training, online meetings, and online coaching. No data processing is carried out for purposes other than those mentioned above.

Legal basis for the processing of data (Article 6 of the GDPR)
The processing of personal data in the context of the use of Zoom is based on the following legal principles:
• Art. 6 para. 1 lit. a DSGVO, consent to the voluntary use of Zoom
• Art. 6 para. 1 lit. b DSGVO, insofar as the meetings are held within the framework of contractual relations.
• Art. 6 para. 1 lit. e, para. 2, 3 DSGVO for the performance of official duties
• Art. 6 para. 1 lit. f DSGVO. We are interested in the effective implementation of online training courses.

Description of the groups of persons affected and of the relevant data or categories of data
Group of persons affected:
Participants of online offers, where zoom is used as an aid

Zoom collects the user data that is necessary for the provision of Zoom services. The data which is collected based on the use of Zoom services (e.g. meetings) is not used by Zoom for advertising purposes. Zoom uses data that the company obtains when you visit marketing websites such as zoom.us and zoom.com. Visitors to the website have control over their own cookie settings when they visit the marketing websites.

Categories of data when using Zoom in online meetings:
• Information about the user:
First Name, Last Name (as entered by the user when entering the meeting room), E-mail address, password (only for users who have their own account, not for participants without their own account), Profile picture (optional, if stored by the user)
• Meeting metadata: Subject, participant IP addresses, device/hardware information
• When dialling in by telephone: information on incoming and outgoing telephone number, country name, start and end time. If necessary, further connection data such as the IP address
of the device can be saved.
• Text, audio and video data: Users may be able to use the chat, question or survey functions in an “online meeting”. In this respect, the text entries made by the user are processed in order to display them in the “online meeting”. In order to enable the display of video and the playback
of audio, the data from the microphone of the terminal device and from any video camera of the terminal device are processed for the duration of the meeting. The camera or microphone can be switched off or muted at any time even via the “Zoom” applications.

We would like to point out that each user is responsible for any and all information he or she shares during the online meeting, confidential or otherwise.

Recipients or categories of recipients to whom data can be divulged
Personal data that is processed in connection with the use of Zoom is generally not passed on to third parties, unless it is specifically intended to be passed on. The provider of Zoom as well as possible subcontractors receive knowledge of the processed data, as far as it is necessary or intended in the context of the contract processing agreement or possible contractual relationships with subcontractors

Transfer of data to third countries
Zoom is a remote conferencing provider with headquarters in San Jose, California/USA.
The data processing is therefore carried out in a third country.
When used by CEVEYGROUP, only the EU and the USA (as the company headquarters) are selected as data centres; processing in other countries does not take place.
With Zoom there is a contract processing agreement “Global Data Processing Addendum”, which can be found at https://zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf and which complies with the requirements of Art. 28 DSGVO.
Zoom also fulfils the data protection guarantees according to Art. 44ff DSGVO, as it is certified under the EU-US Privacy Shield.
On the other hand, an appropriate level of data protection is guaranteed by the conclusion of so-called EU standard data protection clauses which Zoom has concluded with the subcontractors (cf. Art. 46 DSGVO).
The data protection guidelines of Zoom can be found at https://zoom.us/de-de/privacy.html. The measures taken by Zoom to comply with the DSGVO can be found at https://zoom.us/de-de/gdpr.html.

Duration of storage and/or regulatory deadlines for the deletion of data
By means of data protection-friendly default settings, the services are pre-set so that no communication content is stored. All other personal data will be stored by Zoom as a commissioned processor in the sense of Art. 28 DSGVO for as long as this is necessary to provide the technical
service and its billing.

Data protection-friendly pre-sets made by CEVEYGROUP according to Art. 5 DSGVO
Participation in meetings:
• Each meeting has its own ID, which is only used once.
• Users do not need their own account at Zoom to participate in a meeting. A dial-in via browser is possible, an installation on the PC is not required.
• Waiting room: It is not possible to join a meeting before the moderator, the moderator grants access to the meeting only to the invited people.
• Dialling into a meeting (also by telephone) is only possible for all participants by entering a password; this is not automatically embedded in the link that is sent to the participants.

In the meeting:
• The automatic saving and saving of chat messages by participants is blocked.
• All participants hear a sound when a new participant joins the meeting.
• Remote control is disabled: Participants cannot control content shared by other users.
• Camera remote control by other users is disabled.

Feedback to Zoom:
• Feedback to Zoom is disabled.
• The option to report participants to Zoom in case of misconduct is disabled.
• The option to contact Zoom support via chat is deactivated.
• Attention tracking has been removed by Zoom.

Recordings:
• All recording capabilities and live streaming of meetings are disabled

 

IV. For applicants

Purpose underlying the collection, processing or use of data
To carry out a job application process and to reach a decision whether a contract of employment should be concluded.

Legal basis for the processing of data (Article 6 of the GDPR)
Article 6(1)(b) of the GDPR: In order to take steps at the request of the data subject prior to entering into a contract.
The data subject submits his/her application voluntarily.
The CEVEYGROUP will fundamentally adhere to the precepts of data avoidance and data minimisation with regard to the intended purposes for which data is processed, so as to take account of the interests
of the parties concerned that are worthy of protection.

Description of the groups of persons affected and of the relevant data or categories of data
Group of persons involved: Persons submitting applications to CEVEYCONSULTING GmbH or CEVEYSYSTEMS GmbH.
The customary and essential details relating to applicants, which form part of a job application process.

Recipients or categories of recipients to whom data can be divulged
The Personnel department, the line managers of the post for which you have applied and company management. No data will be transferred to third parties, with the exception of our service providers carrying out data processing on a contractual basis.

Transfer of data to third countries
There is no intention to transfer personal data to any third country or to any international organisation. Subject to the terms set out by law or under a contract, we will only process data or arrange for it to be processed in third countries if the special requirements laid down under Article 44 et seq. of the GDPR have been fulfilled. Amongst other things, this means that processing will take place on the basis of special guarantees, such as the official adoption of a level of data protection corresponding to the one that applies in the EU (such as the “Privacy Shield” in the case of the USA) or compliance with officially recognised contractual obligations (standard contractual clauses).

Duration of storage and/or regulatory deadlines for the deletion of data
The data will be deleted six months after the application process has been completed. If an employment contract is concluded, we will inform you by separate means as to the way in which your data will be used in connection with your status as an employee.

 

V. For business contacts and seminar participants

Purpose underlying the collection, processing or use of data
Maintaining contacts. So that we are able to contact you for business purposes.
In the case of seminar participants: In order to document your participation in our events on behalf of our clients, in order to send you the minutes of the event you attended and in order to draw up certificates of participation.

Legal basis for the processing of data (Article 6 of the GDPR)
Depending on the stage that our connection, as contacts, has reached, a variety of legal bases is conceivable:
• In order (and additionally) to take steps at the request of the data subject prior to entering into a contract.
• The data subject voluntarily gives consent to this. This can be achieved by means of a corresponding declaration of intent.
• Processing is required in order to fulfil contractually engaged obligations (such as for services provided by the CEVEYGROUP).
• In certain cases, processing may also be required in order to uphold the justified interests of the CEVEYGROUP.
The CEVEYGROUP will fundamentally adhere to the precepts of data avoidance and data minimisation with regard to the intended purposes for which data is processed, so as to take account of the interests of the parties concerned that are worthy of protection.

Description of the groups of persons affected and of the relevant data or categories of data
Group of persons involved: Business contacts of CEVEYCONSULTING GmbH and CEVEYSYSTEMS GmbH; contact persons representing clients, service providers or partners; seminar participants
The customary and essential details of contacts (surname, forename, mode of address, company affiliation and/or department, telephone number, e-mail address). It is possible that for evidential or information purposes, such as for meetings, transactional data may have been linked to these contacts, such as entries in a history, for example.

Recipients or categories of recipients to whom data can be divulged
All employees (including employees of affiliated companies, if applicable) who are tasked with fulfilling tasks of a specific purpose inside the company.
In so far as we disclose data to other individuals or entities (contract processors or third parties) during processing, transfer data to them or grant them access to the data in any other manner, we will do this only if there exists a legal basis to do so (e.g. if it is necessary, in fulfilment of contractual requirements, to transfer data to third parties, such as a supplier of payment services, in accordance with Article 6(1)(b) of the GDPR), if you have given consent, if we are legally obliged to do so or in order to uphold our justified interests (e.g. when deploying vicarious agents, web hosting providers, etc.). In so far as we instruct third parties to process data on the basis of a “contract processing agreement”, we will do so in accordance with Article 28 of the GDPR.
Further information can be obtained upon request by sending a message to datenschutz(at)ceveygroup.com.

Transfer of data to third countries
Subject to the terms set out by law or under a contract, we will only process data or arrange for it to be processed in third countries if the special requirements laid down under Article 44 et seq. of the GDPR have been fulfilled. Amongst other things, this means that processing will take place on the basis of special guarantees, such as the official adoption of a level of data protection corresponding to the one that applies in the EU (such as the “Privacy Shield” in the case of the USA) or compliance with officially recognised contractual obligations (standard contractual clauses).

Duration of storage and/or regulatory deadlines for the deletion of data
The legislator has imposed a variety of requirements and deadlines governing data retention. Once those deadlines have expired, the relevant data must be routinely deleted if no longer required to fulfil the terms of an agreement. The law there requires that commercial or financial data relating to concluded financial years must be deleted once ten more years have elapsed, assuming that there are no further stipulations that these be retained for a longer period or that the retention thereof is not required for any justifiable reasons. As long as the data do not relate to any such areas, they will be deleted once the purposes for which they were saved no longer apply. Contacts of persons, about whom it has become known that they have left their company, can be rendered inactive and will therefore no longer appear during ordinary searches.

 

VI. For recipients of our newsletter

If you subscribe to our company’s newsletter, the data in the respective input mask will be transmitted to the controller. The registration for our newsletter is carried out in a so-called double opt-in procedure. This means that you will receive an e-mail after registration in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with foreign e-mail addresses.

When registering for the newsletter, the user’s IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned.

The data is not passed on to third parties. An exception exists if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter.

The subscription to the newsletter can be cancelled by the data subject at any time. Likewise, consent to the storage of personal data can be revoked at any time. For this purpose, a corresponding link can be found in each newsletter.

The legal basis for the processing of the data after registration for the newsletter by the user is, if the user has given his consent, Art. 6 para. 1 lit. a) DSGVO. The legal basis for sending the newsletter as a result of the sale of services is Section 7 (3) UWG

 

 

 

This site is registered on wpml.org as a development site.