Data protection

The following notes provide a simple overview of what happens to your personal data when you use the CONCIDE® web app. We take the protection of your personal data very seriously when collecting and processing it through the CONCIDE® web app, and we inform you which data we collect, when we collect it and how we use it. We have taken both technical and organizational measures to ensure that data protection regulations are observed by both us and any service providers.

This privacy statement clarifies the type, scope and purpose of processing personal data (hereinafter referred to as 'data') within the CONCIDE® web app (hereinafter referred to as 'web app') and the websites, functions and content associated with it.

Controller

The controller for the collection, processing and use of your personal data within the meaning of GDPR Art. 4 Point 7 is:

NEWWORKABLES GmbH
Business address & postal address: Ludwigstraße 79, 95632 Wunsiedel
Headquarters: Hildenbach 30, 95632 Wunsiedel
Email: mail@newworkables.de
Telephone: +49(0)170 - 3504 997 (Angelika Nürnberger)

Types of processed data

  • Personal data (e.g. your name)
  • Contact data (e.g. your email address)
  • User content (e.g. your comments on our page, photos and videos you upload)
  • Usage data (e.g. your previously visited concisions, access pages)
  • Meta-/communication data (e.g. device information, IP addresses)

Categories of data subjects

Visitors and users of the web app (hereinafter: "User").

Processing purpose

  • Providing the web app and its functions and content
  • Answering contact enquiries and communicating with users
  • Security measures
  • Audience measurement / marketing

Terms used

"Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Art. 4 Point 1).

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Art. 4 Point 2).

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (GDPR Art. 4 Point 4).

"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (GDPR Art. 4 Point 5).

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (GDPR Art. 4 Point 7).

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (GDPR Art. 4 Point 8).

Relevant legal basis

Art. 13 GDPR stipulates that we inform you of the legal basis for our data processing. Unless the legal basis is explicitly mentioned in the following data protection declaration, the following applies:

  • For obtaining consent, the legal basis is Art. 6 para. 1 lit. a and Art. 7 GDPR.
  • For the processing for the performance of our services and implementation of contractual measures as well as answering inquiries, the legal basis is Art. 6 para. 1 lit. b GDPR.
  • For the processing for the fulfillment of our legal obligations, the legal basis is Art. 6 para. 1 lit. c GDPR.
  • For the processing in order to protect our legitimate interests, the legal basis is Art. 6 para. 1 lit. f GDPR.
  • In the event that vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6 para. 1 lit. d GDPR.

Security measures

To secure your data, we maintain technical and organizational security measures in accordance with Art. 32 GDPR, which we constantly adapt to state-of-the-art technology.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data, by controlling the physical access to the data.

We have set up procedures to guarantee that data subjects’ rights can be exercised, that data is deleted and that we respond to threats to data.

We also observe the protection of personal data through technology design (privacy by design) and through privacy-friendly default settings (privacy by default), in accordance with Art. 25 GDPR.

Your personal data is transmitted in encrypted form. This applies to all communication via our website. We use SSL (Secure Socket Layer) encryption. You can recognize an encrypted connection when the address line of the browser changes from "http://" to "https://" and by the lock symbol in the address bar of your browser. If SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.

However, we would like to point out that data transmission on the Internet, e.g. when communicating by email, can have security gaps.

Cooperation with contract processors and third parties

If, in the course of our processing, we disclose data to contract processors or third parties, transfer it to them or otherwise grant them access to the data, this is done exclusively on the basis of a legal authorisation, e.g. if you have given your consent (Art. 6 para. 1 lit. a GDPR), if the transfer to third parties is necessary to fulfil the contract (Art. 6 para. 1 lit. b GDPR), if a legal obligation provides for this (Art. 6 para. 1 lit. c GDPR), or on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR).

In the case of contract processors, the transfer is made on the basis of a contract processing agreement in accordance with Art. 28 GDPR.

Transfers to third countries

The data collected with the web app is stored with an external, German service provider (host). Data is not transferred to other European countries or to a third country.

A transfer of data to a third country will only take place if it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, a legal obligation or on the basis of our legitimate interests according to the aforementioned legal grounds. Subject to other legal or contractual permissions, we will only process or transfer the data to a third country if the special requirements of Art. 44 ff. GDPR are met (e.g. on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the EU (e.g. for the USA through the 'Privacy Shield'), or compliance with officially recognised special contractual obligations (so-called 'standard contractual clauses')).

Rights of data subjects

  • Right to confirmation and information: In accordance with Art. 15 GDPR, you have the right to receive confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to request from us, free of charge, information about the personal data stored about you, together with a copy of this data.
  • Right of rectification: According to Art. 16 GDPR, you have the right to request that we correct any incorrect personal data relating to you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.
  • Right to deletion: Under Art. 17 GDPR, you have the right to request that personal data concerning you be deleted immediately.
  • Right to restrict processing: Under the conditions of Art. 18 GDPR, you have the right to request that the processing of personal data be restricted.
  • Right to data portability: In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to request that it be transferred to other persons responsible, if technically feasible.
  • Right to object: According to Art. 7 para. 3 GDPR, you have the right to revoke your consent to the processing of personal data at any time with future effect.
  • Right to object: In accordance with Art. 21 GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data, which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data is processed by us for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising, including profiling related to such direct marketing.

You can assert the aforementioned rights at any time against the above-mentioned responsible person.

  • Right to lodge a complaint with a supervisory authority: According to Art. 77 GDPR, you have the right to lodge a complaint with the responsible supervisory authority. The supervisory authority responsible here is:

Bavarian State Office for Data Protection Supervision

Promenade 18
91522 Ansbach
Postal address: Postfach 606
91511 Ansbach
Telephone: 0981/180093-0
Telefax: 0981/180093-99
Email: poststelle@lda.bayern.de
Homepage: http://www.lda.bayern.de

A list of data protection officers and their contact details can be found under the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Deletion of data

Unless otherwise explicitly stated, the data stored by us is deleted according to Art. 17 GDPR, as soon as it is no longer required for its intended purpose and the deletion does not conflict with any legal storage requirements. After 5 years of inactivity, your personal data will be deleted. In addition, as of the ‘Basic’ version, you can also delete your data record at any time using the delete function or inform your admin about the deletion request.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted in accordance with Art. 18 GDPR, i.e. the data will be blocked and not processed for other purposes. For example, this applies to data that must be kept for commercial or tax law reasons. According to legal requirements in Germany, data can be stored for up to 10 years in accordance with §§ 147 Paragraph 1 No. 1, 4 and 4a, Paragraph 3 AO, 257 Paragraph 1 No. 1 and 4, Paragraph 4 HGB (books, records, management reports, receipts, trading books, documents relevant for taxation, etc.) and 6 years according to §§ 147 para. 1 no. 2, 3 and 5, para. 3 AO, 257 para. 1 no. 2 and 3, para 4 HGB (commercial letters).

Contact request

When you contact us (e.g. via email, telephone or social media), the information provided by the user is used to process and handle the contact request in accordance with Art. 6 para. 1 lit. b GDPR, in order to fulfill our contractual obligations or to answer (pre-)contractual inquiries, and is otherwise processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in answering the inquiries.

We delete the requests if they are no longer needed. We check the necessity every two years; the statutory archiving obligations also apply.

Operating and accessing the web app

This web app is hosted by an external, German service provider (hoster). Personal data recorded in this web app are stored on the server of the hoster. This includes IP addresses, contact data, email addresses, website access files and other data generated via the app.

Our hoster provides us with the following services, which we use for the purpose of operating the web app: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. f GDPR) and in the interest of a safe, fast and efficient provision of our web app by a professional provider (Art. 6 para. 1 lit. GDPR).

We, i.e. our hoster, process access data. This includes:

  • Name and URL of the retrieved file
  • Date and time of access
  • Amount of data transferred
  • Notification of successful access (HTTP response code)
  • Browser type and version
  • Operating system
  • Referer URL (i.e. previously visited webpage)
  • Websites accessed by the user's system via our website
  • User's internet provider
  • IP address and the requesting provider

Without associating it to you personally or to other profiles created, we use this log data for statistical evaluations of operations and security, and for the optimization of our online offer and the web app. Log data is also used for the anonymous recording of the number of visitors to our website, as well as the scope and type of use of our web app. Based on this information, we can analyze the data traffic, find and fix errors and improve our services.

Herein lies our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

We reserve the right to check the logged data if there are legitimate reasons to suspect illegal use. If necessary, we store IP addresses in the log files for a limited period of time, for security purposes, provision of services or the billing of a service, e.g. if you use one of our offers.

Collection of personal data while using the web app and platform

Your email address is required to operate the app. This is provided by the participating company and entered manually into the system. Double opt-in method: as soon as the email address is entered, we immediately send a confirmation email to that address, explaining the reason for contacting you. You confirm your registration by clicking on a linked web address found within the confirmation email. In accordance with legal requirements, your confirmation will be logged in order to prove your consent. This includes the storage of the confirmation time as well as the IP address.

At the same time, you will be asked to enter a password. In addition, we ask you to provide your first and last name, which we use for a customized, personalized address.

The data you enter in the web app (texts on decisions (concisions), solution proposals, comments and oppositions) is saved to the database. Your data will be sent encrypted to the backend and saved until further notice (notice in writing to mail@newworkables.de, activation of the delete function or following 5 years of inactivity).

This data is processed according to Art. 6 para. 1 lit. b GDPR, and with your consent, where needed, according to Art. 6 para. 1 lit. b GDPR.

Solutions, comments, opposition points

While using the web app, you can enter solutions, comments, opposition points and other things. In addition to a suggestion, comment or opposition point, information about the time of creation, your email address and the name you selected are saved and displayed.

The comments and the associated data (e.g. IP address) are saved and remain in this app until the commented content is deleted, or for legal reasons the comments are deleted by an administrator (e.g. offensive comments). If you no longer wish to display your own comments, you can delete them until the start of the opposition measurement phase.

This data is processed according to Art. 6 para. 1 lit. b GDPR.

Decisions made (Concisions)

Concisions created by users (decisions generated using the web app) are not automatically deleted, as long as the subscription, within the scope of licenses booked, remains active. When a concision is completed, the decision-making process is saved, including its associated comments and personal data, unless the concision is carried out anonymously; in this case, the opposition points are pseudonymized. This helps the decision to be understood at a later point in time.

At this point, this data is also processed according to Art. 6 para. 1 lit. b GDPR.

Evaluation

Anonymous statistics are generated from completed concisions and are visible for the participating organizations and for the operators of CONCIDE®. Under no circumstances will personal references be made.

At this point, this data is also processed according to Art. 6 para. 1 lit. f GDPR.

Cookies

In addition to the aforementioned data, when using our web app, cookies are stored on your device according to GDPR Art. 6, paragraph 1. Cookies are small text files stored within your digital device’s memory and within the application you use. Cookies are used to make the platform more user-friendly or usable and to recognize users.

In the following, we explain how our web app uses cookies (scope, functionality):

An internal access token will be set. This is a platform ID that is used to assign the user to a specific request. This allows your digital device to be recognized when you use our application again. This cookie is used to enable the functionality of the web app. The access token is deleted when you clear your browser's cache. Profiles are not created using this cookie. Therefore, the data processing associated with this cookie, which is necessary to enable the use of the web app, is in accordance with Article 6 (1) (b) GDPR.

If you do not want cookies stored on your computer, you are asked to deactivate them using the options in the system settings of your browser. Stored cookies can be deleted in the system settings of the browser. However, the exclusion of cookies can lead to functional restrictions of the web app.

Latest update of privacy policy: December 2019