Privacy policy

I. Foreword

CEOTRONICS AG (hereinafter also referred to as “CEOTRONICS”, “CT” or “we” or “us”) is pleased that you are visiting our website / web presence. We respect your privacy. Data protection and data security are therefore very important to us. With this privacy policy, we inform you about the extent to which personal data (hereinafter also referred to as “data”) is collected when you use our website and the purposes for which we use / process this data. We also inform you here about your rights.

II Responsible person

CEOTRONICS AG
Adam-Opel-Straße 6
63322 Rödermark
Germany
Phone: 06074 / 8751-0
E-mail: datenschutz@ceotronics.com
Register court: Offenbach am Main
Register number: HRB 34104

III External data protection officer

External Data Protection Officer
wavesun-technologies
Patrick Bäcker (Owner wavesun-technologies)
Am Lerchenberg 13
63322 Rödermark
Germany
Phone: 06074 / 3709395
E-Mail: info@wavesun-technologies.de

IV Status, changes and updates to the privacy policy
In order to enable the implementation of new technologies and measures and to ensure that our privacy policy always complies with legal requirements, we occasionally adapt it. We therefore ask you to inform yourself regularly about the content of our privacy policy. We will inform you as soon as the changes require an act of co-operation on your part (e.g. consent) or other individual notification.

Status: 08 December 2024 | Ver.: 01.06 | Classification: 01 – PUBLIC

V. Basic definitions of terms

“Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
“Personal data”: Refers to all information (hereinafter also referred to as “data”) that relates to an identified or identifiable natural person (hereinafter also referred to as “data subject”) (e.g. surname, first name, email address, IP address, etc.).
“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

VI Legal bases for the processing

We process the aforementioned personal data in compliance with the applicable statutory data protection requirements, in particular in accordance with the following legal bases of the General Data Protection Regulation (“GDPR”):

a. On the basis of your consent (Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, insofar as special categories of personal data are processed in accordance with Art. 9 para. 1 GDPR)
If you give us your consent, we will process your personal data for certain previously defined purposes. Your voluntarily granted consent can be withdrawn from us at any time – even partially – with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

b. For the fulfilment of contractual obligations or for the implementation of pre-contractual measures (Art. 6. para. 1 lit. b GDPR)
We process your personal data so that we can fulfil our contractual obligations to provide services or to carry out pre-contractual measures that are carried out on request.

c. Due to legal obligations (Art. 6 para. 1 lit. c GDPR)
We are subject to various legal obligations, which means legal requirements (e.g. retention periods under commercial and tax law in accordance with the German Fiscal Code and the German Commercial Code) according to which we must process your personal data.

d. In the context of the legitimate interest/balancing of interests (Art. 6 para. 1 lit. f GDPR)
We process your personal data to protect our legitimate interests or, if necessary, those of a third party, unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail.

e. National data protection regulations (BDSG and TDDDG)
In addition to the provisions of the GDPR, national regulations apply in Germany, including in particular the Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG). These contain special data protection regulations at national level according to which we process your data.

VII Safety measures (TOMs)

The security of your personal data is our top priority. In accordance with legal requirements and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we take appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk to your personal data.

The measures we take (in accordance with Art. 32 GDPR) include, in particular, ensuring the confidentiality, integrity and availability of data. We ensure this through regular checks on physical and electronic access to data, access, input, transfer and securing the availability and separation of and access to data. We have also set up procedures to ensure that data subjects’ rights are exercised, data is deleted and we respond to data threats. We already take the protection of your personal data into account when selecting hardware, software and the introduction of new processes that affect personal data, through technology design and through data protection-friendly default settings (in accordance with Art. 25 GDPR).

Our security measures include in particular the encrypted transmission of data between your browser and our server via SSL / TLS encryption (HTTPS). You can recognise the encrypted connection by the prefix https:// and the lock in the address bar of your browser.
Further information on security measures can also be found in the privacy policy here.

VIII Use of Wordfence to secure the website

a. Nature and purpose of the processing
The “Wordfence” plugin from Defiant, Inc, 800 5th Ave, Suite 4100, Seattle, WA 98104, USA, is used to protect our website from unauthorised access, hacker attacks, malware and other threats. For this purpose, various data is collected, processed and analysed in order to detect and block potential attacks. The processing includes, among other things

• Recording and analysing IP addresses to identify potential threats.
• Checking login attempts for brute force attacks.
• Creation of blacklists and firewalls to defend against harmful activities.
• Real-time monitoring of website activity, including suspicious access.

b. Legal basis for data processing
Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in ensuring the security of our website and protection against cyber attacks, data loss and unauthorised access. In individual cases, e.g. in the case of legal requirements, Art. 6 para. 1 lit. c GDPR (legal obligation) may also be relevant.

c. Data categories
When Wordfence is used, the following categories of personal data are processed:

• IP addresses: To identify and block potential threats.
• Log data: Details of access attempts, such as date, time, URL and browser used.
• User data: Information about logged-in users, e.g. user name (in case of suspicious activities or login attempts).
• Device and connection information: Operating system, browser type and version.
• Location data: Derived from IP addresses to identify attacks from specific regions.

d. Recipient

• Wordfence and its provider (Defiant, Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA): Certain security-relevant data (e.g. IP addresses, log data) is transferred to the servers of the provider Defiant, Inc. in the USA in order to analyse threats and improve global security mechanisms (e.g. blacklists).
• Internal recipients and service providers: Marketing and IT department and, if applicable, authorised service providers / processors who receive access to our website for monitoring, analysis and evaluation of security reports and logs.
• Authorities: In the event of an incident (e.g. hacking or legal requirements), relevant data may be passed on to the competent authorities. Lawyers, for example, may also receive data in order to pursue our claims.

e. Storage periods

Personal data will only be stored for as long as is necessary to fulfil the above-mentioned purposes:

• IP addresses and log data: These are generally stored for 30 days, provided there are no security-relevant events. Backup copies are excluded.
• Blacklists: Data on blocked IPs or malicious activities can be stored for longer to prevent repeated attacks.
• Data that is required for legal purposes is stored in accordance with the statutory retention obligations.

Should the aforementioned security-relevant events occur, we reserve the right to retain this data for longer for the above-mentioned purposes within the scope of our legitimate interest. If the stated purpose is achieved, the data will be deleted after a reasonable period of time.

f. Requirement to provide your personal data

The provision of personal data, in particular the IP address, is necessary to provide the security functions of Wordfence. Without this data, it would not be possible to protect our website from threats. When you visit our website, the processing takes place automatically.

g. Third country transfers

When using Wordfence, data may be transmitted to servers in the USA, as the provider Defiant, Inc. is based there. This transfer takes place on the basis of standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR to ensure an adequate level of data protection. Further information on this can also be found in Wordfence’s privacy policy: https://www.wordfence.com/privacy-policy/.

h. Objection

You have the right to object to the processing of your personal data if there are grounds relating to your particular situation. Please note, however, that we may continue to process your data if there are compelling legitimate grounds that outweigh your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims.

i. Automated decision-making and profiling

There is no automated decision-making within the meaning of Art. 22 GDPR. Profiling is only carried out to the extent necessary to analyse and defend against security-related threats. This includes the identification of potential threats based on behavioural patterns (e.g. repeated failed login attempts).

IX. Technical provision

a. Nature and purpose of the processing
To ensure the secure and efficient provision of our website, we use our own dedicated servers hosted by external service providers. We also use service providers in the areas of IT security, marketing services and programming to design our website on a case-by-case basis, who are obliged to maintain confidentiality and/or with whom corresponding contracts, such as order processing contracts (“AV contract”) in accordance with Art. 28 Para. 3 GDPR or standard contractual clauses in accordance with Art. 46 Para. 2 lit. c GDPR (in the case of any third country transfers) are concluded. Corresponding service providers are regularly checked by us to verify the protection of the data.

When visiting our website, data is processed from all visitors as part of the provision of the above-mentioned hosting, which is generated during communication with our servers, as well as when contacting us directly and when downloading files and playing videos. This includes, in particular, your IP address, which is technically necessary for establishing a connection. Further data is collected by us (or the commissioned (hosting) service providers) as so-called server log files (access log data of our servers – see also “Data categories”). They are processed in particular for the following purposes:

• Ensuring a smooth connection to the website,
• Ensuring the smooth use of our website,
• Evaluation of system security (e.g. for defence against DDoS attacks, “cyber attacks”) and system stability, and
• for further administrative purposes.

b. Legal basis for data processing
The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in ensuring the security and functionality as well as improving the stability of our website.

c. Data categories
Technically relevant: IP address used (for the functionality of the connection to the website), date and time at the time of access, subpage visited, amount of data sent in bytes, browser used, operating system used and its interface, operating system used and its interface as well as data processed within the framework of our CMS “WordPress” and the plugins used – for further information, see also the data protection declaration here.

d. Recipient
Recipients of the data are in particular internal employees of the marketing department as well as externally commissioned marketing agencies, programmers and IT security service providers. Our website is hosted on dedicated servers at STRATO AG, Pascalstraße 10, 10587 Berlin and at Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen. The external hosting service providers have no direct access to the personal data processed via the website, except in individual cases following instructions and authorisation.

e. Storage periods
The data will be deleted as soon as it is no longer required for the purpose for which it was collected.
The server log files are deleted regularly (usually after 14 days; other log files are deleted for longer depending on the purpose). Should the above-mentioned security-relevant events occur, we reserve the right to retain this data for longer for the above-mentioned purposes within the scope of our legitimate interest. If the stated purpose is achieved, the data will be deleted after a reasonable period of time.

f. Requirement to provide your personal data
The provision of the aforementioned personal data is neither legally nor contractually required. However, without the transmission of your IP address, the service and functionality of our website or access to it cannot be guaranteed. In addition, individual services may not be available or may be restricted.

g. Third country transfers
The processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

X. Use of cookies and similar technologies

a. Nature and purpose of the processing
Like many other websites, we also use so-called “cookies”.
Cookies are simple files that store information about our website and your use of it. These small files are optionally created automatically by your browser when you use our website and stored locally on your end device. This does not mean that we have direct knowledge of your identity. The use of cookies serves to make the use of our website more pleasant for you.
We therefore distinguish between technically necessary and non-essential cookies:
Technically necessary cookies (“first party cookies”) are required for the operation of a website and are essential in order to navigate it and use its functions. These cookies are not stored permanently on your computer or device and are deleted when you close the browser. These are so-called “session cookies” or “session cookies”.

Information on the technically necessary cookies used can be found in the cookie consent tool.

Non-necessary cookies, on the other hand, are mostly functional cookies, analysis and performance cookies as well as marketing cookies, which make it possible, for example, to record and count the number of visitors and traffic sources in order to measure and improve the performance of the website. They are also used to find out whether problems or errors occur on certain pages, which pages are the most popular and how visitors navigate the website.

• Functional cookies
  Functional cookies are used to store information provided, such as the user name, and thus offer the website visitor improved and personalised functions based on this.
• Analysis and performance cookies
  Analysis and performance cookies are used to track visits and individual activities on websites. They are used to statistically record and analyse the use of websites.
• Marketing cookies
  Marketing cookies originate from external advertising companies, among others, and are used to collect information about the websites visited by the user, e.g. to create target group-oriented advertising for the user, but also to display external content such as videos, street maps or company profiles on social media platforms.

Information on cookies that are not technically necessary can be found in the cookie consent tool.

b. Legal basis for data processing
The use of technically necessary cookies (“first party cookies”) is possible without the consent of the website visitor and is subject to a legitimate interest in the economic operation and optimisation of our website and services within the meaning of Art. 6 para. 1 lit. f GDPR and § 25 para. 2 no. 2 TDDDG for the associated processing operations.

The use of non-essential cookies, such as functional cookies, analysis and performance cookies and marketing cookies, is subject to the consent of the website visitor in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG for the associated processing operations.
The cookie consent tool is used in accordance with Art. 6 para. 1 lit. c GDPR (legal obligation).

c. Data categories

• IP address
• Browser used
• Operating system used
• Session ID or value / content of the cookie
• For more information, see information in the cookie consent tool

d. Recipient
Mainly the marketing department and external service providers (further information is described in the cookie consent tool).
The cookie consent tool “Borlabs Cookie” is operated on our own servers.

e. Storage periods
The storage periods for the individual cookies and other technologies used can be found in the cookie consent tool.
The user can also set their web browser so that the storage of cookies on their end device is generally prevented or they are asked each time whether they agree to the setting of cookies. Once cookies have been set, the user can delete them at any time. How this works is described in the help function of the respective web browser.
A general deactivation of cookies may lead to functional limitations of this website.

f. Requirement to provide your personal data
The provision of your personal data in cookies is voluntary in the case of non-essential cookies, solely on the basis of your consent (so-called opt-in cookies). You can also prevent the use of pre-set, technically necessary cookies (so-called opt-out cookies) via your browser settings. Without your consent, however, the service and functionality of our website cannot be guaranteed. In addition, individual services may not be available or may be restricted.

g. Third country transfers
The transfer and processing of your personal data may also take place in third countries for certain cookie categories (see information in the cookie consent tool and in this privacy policy). By consenting to these certain cookie categories, you consent to the processing of the data stored on your device or terminal equipment, such as personal identifiers or IP addresses, for these processing purposes in accordance with Section 25 (1) TDDDG and Art. 6 (1) lit. a GDPR. In addition, in accordance with Art. 49 para. 1 lit. a GDPR, you consent to providers in the (mainly in the USA) also processing your data. Transfers to third countries may also take place within the scope of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR and § 25 para. 2 no. 2 TDDDG. In these cases, it is possible that the transferred data will be processed by local authorities.

h. Revocation of consent
You can change/revoke your consent at any time with effect for the future by clicking on the cookie consent tool button at the bottom left of the website or on “Cookie settings” under “Legal information”. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

i. Automated decision-making and profiling
As a responsible company, we do not use cookies for automated decision-making or profiling.

XI. Use of Matomo for reach measurement

a. Nature and purpose of the processing
We use the “Matomo” tool/service on our website, an open source web analysis tool for the statistical evaluation of visitor access. So-called “device fingerprinting” (digital fingerprinting) is used for this purpose. This is a technology (usually unrecognisable to the user) that reads and collates information specific to end devices (such as device type, device performance, screen resolution, operating system, etc.). This creates a unique “device fingerprint”, which potentially changes on a regular basis. The “device fingerprint” is not stored on the end device and no cookies are set, which means that the creation of directly personally identifiable user profiles (in addition to the anonymisation of IP addresses) is not possible. Matomo is hosted on our own servers, so no data is transferred/disclosed to third parties. Cross-site device recognition is not possible due to local hosting and cookie-free use. Only we and authorised service providers have access to the analyses. The protection of your data is important to us, which is why we have also configured Matomo so that your IP address is only recorded in abbreviated form. We therefore process your usage data in anonymised form. It is not possible for us to identify you personally. Further information on the terms of use and data protection regulations of Matomo can be found at: https://matomo.org/privacy/.
We use the data for statistical analysis (reach measurement) of user behaviour on our website for the purpose of optimising the functionality and stability of the website and to improve the presentation of our products and services.

b. Legal basis for data processing
The legal basis for data processing is your consent, which can be revoked at any time with effect for the future, in accordance with Art. 6 para. 1 lit. a GDPR for the above-mentioned purposes and in accordance with § 25 para. 1 TDDDG. The data will never be used to personally identify the user of the website and will not be merged with other data.

c. Data categories
Device type, device performance, screen resolution, operating system, anonymised IP address, approximate location, etc.

d. Recipient
Recipients of the data are in particular employees of the marketing department as well as external service providers/processors, e.g. marketing agencies, hosters and programmers.

e. Storage periods
The data is deleted as soon as it is no longer required for our recording purposes. In our case, this is done automatically within matomo after the following period: 12 month(s). As all data collected is processed exclusively in anonymised form, cumulative key figures may be stored for internal statistics for a longer period of time.

f. Requirement to provide your personal data
The provision of your personal data takes place as described above on the basis of your consent for the stated purposes, which can be revoked at any time with effect for the future.

g. Third country transfers
Although Matomo is based in New Zealand, Matomo and all associated data is hosted locally on our own servers located within the EU/EEA. This means that there is no connection / data transfer to Matomo (except for support cases). The processing therefore does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Cancellation option
You can revoke your consent at any time with effect for the future via our cookie consent tool.

i. Automated decision-making and profiling
With the help of the Matomo analysis tool, we collect and process all data anonymously as described above. Therefore, no personal user profiles are or can be created.

XII Making contact

a. Nature and purpose of the processing
If you contact us with questions or concerns of any kind via contact form, e-mail, telephone, etc., your personal data will be collected and processed. If you use contact forms that are integrated on our website for various purposes (e.g. within the protected area), we require the data from you that are declared as mandatory fields. All other information is voluntary.
This data is stored and used exclusively to respond to your enquiry or to contact you and for the associated technical administration. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a contractual or legal obligation to do so or you have given us your consent.
If your contact is aimed at the conclusion of a contract, the data will be processed for the contractual initiation and conclusion of the contract. We also need this data for the legally required compliance check. We offer our products and services primarily to companies (B2B). If a contractual relationship already exists, the data will be processed to fulfil the contract.

b. Legal basis for data processing
The legal basis for the processing of the data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in responding to your request and carrying out the compliance check. If your contact is aimed at the conclusion of a contract or if a contract already exists, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR ((pre-)contractual measure). If we are subject to retention obligations (e.g. under tax and commercial law) in connection with responding to your enquiry or for the performance of a contract, the legal basis is Art. 6 para. 1 lit. c GDPR (legal obligation).

c. Data categories
Depending on the type of enquiry, e.g. first and last name, e-mail address, telephone number, address, company, function, text entries, attachments, etc..

d. Recipient
Recipients of the data are in particular authorised employees who are responsible for processing the enquiry and, if applicable, service providers/processors to support the response.

e. Storage periods
For enquiries from non CEOTRONICS customers / interested parties:
Your data that we have received in the course of contacting you will be deleted as soon as it is no longer required for the purpose for which it was collected, your request has been fully processed, no further communication with you is required or requested by you, there is no legal or contractual basis, no consent has been given and there are no retention obligations.

For CEOTRONICS customers:
Your data that we have received as part of the execution of the contract or related services will be deleted as soon as it is no longer required for the purpose for which it was collected, e.g. the contract has been cancelled, there is no legal or contractual basis, no consent has been given and there are no retention obligations.

f. Requirement to provide your personal data
For enquiries from non CEOTRONICS customers / interested parties:
If you contact us, we must be provided with at least a communication address and your request in order to respond to the enquiry.

For CEOTRONICS customers:
In the event of support enquiries or contractual questions (e.g. via e-mail messages), we require the data stored with us (e.g. customer number, etc.) as well as any additional data / information provided by you in order to be able to answer the corresponding enquiries. Enquiries via the contact form in the protected area are automatically assigned by the login data provided to you.

g. Third country transfers
The processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Objection
You can object to the processing of your personal data and its use for contacting you (if this is in the legitimate interest of CEOTRONICS) at any time with effect for the future by sending an e-mail to datenschutz@ceotronics.com.

i. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

XIII Use of the protected area

a. Nature and purpose of the processing
The protected area is reserved for individual interested parties and customers. You will receive the access data for your account separately from CEOTRONICS. The following data is regularly processed for your account: Title, surname, first name, authority, a valid e-mail address and password. The provision of further data is optional and voluntary.

As part of the use of our registration functions and the use of the account or the protected area, we store the IP address and the time of the respective user action. The collection and processing is based on our legitimate interest as well as that of the user in protection against misuse and other unauthorised use of our protected area. This data is not passed on to third parties unless it is necessary to pursue our claims or there is a contractual or legal obligation to do so.

You can be informed by e-mail about processes that are relevant to your user account, such as technical changes.

b. Legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR. The implementation of (pre-)contractual measures for the provision of an account as part of the included provision of services and services as well as for answering enquiries (e.g. via the contact form). Otherwise, we process your data in our legitimate interest (in accordance with Art. 6 para. 1 lit. f GDPR) to answer your enquiries (if these are not aimed at a contract), to send the above-mentioned technical information, for technical administration and the application of security measures to protect the accounts and the protected area and, if necessary, for compliance checks. If you use the “Stay logged in” function, you give us your consent to use the function in accordance with Art. 6 para. 1 lit. a GDPR, which can be revoked at any time with effect for the future.

c. Data categories
Master, contact and login data (e.g. title, surname, first name, authority, telephone number, email address and password), content data (e.g. text entries via the contact form), meta / communication data (e.g. IP address, device information).

d. Recipient
Recipients of the data are authorised employees and, if applicable, service providers/processors to support the answering of support requests and the provision of services.

e. Storage periods
If you no longer wish to use your account / have requested the deletion of the account or the contractual basis expires / you have terminated the contract, your data relating to the account will be deleted, subject to the statutory retention obligation. It is your responsibility to back up your data prior to the deletion request, expiry of the contractual basis or cancellation. We are authorised to irretrievably delete all data stored during the period of use, provided there are no retention obligations. To request the deletion of your account, please get in touch with your contact person at CEOTRONICS.

f. Requirement to provide your personal data
In the case of support enquiries or contractual questions (e.g. e-mail enquiries), we require the data stored with us (e.g. customer number, etc.) as well as any additional data / information provided by you in order to be able to answer the corresponding enquiries. Enquiries via the contact form in the protected area are automatically assigned by the login data provided to you.

g. Third country transfers
Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Objection
You can object to the storage of your personal data and data relating to your use of the protected area and for contacting you (if this is in the legitimate interest of CEOTRONICS) at any time with effect for the future by sending an e-mail to datenschutz@ceotronics.com.

i. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

XIV Newsletter and direct advertising

a. Nature and purpose of the processing
For persons who have consented to receive the newsletter:
If you have given us your express, voluntary consent, which can be revoked at any time with effect for the future, we will regularly send you our newsletter or comparable information on CEOTRONICS product news, trade fairs and/or events by e-mail to the e-mail address you have provided.
To receive the newsletter, you must provide your (company) e-mail address, title, first name and surname as well as the desired target group for the topic-specific sending of information. Further details, such as the company, are optional / voluntary. When subscribing to our newsletter, this data is used exclusively for this purpose. Newsletter subscribers may also be informed about circumstances that are relevant to the service or registration (such as changes to the newsletter offer or technical circumstances).
Your data will only be used to send you the newsletter you have subscribed to by e-mail. Your name is given so that we can address you personally in the newsletter and, if necessary, identify you if you wish to exercise your rights as a data subject. When you register to receive our newsletter, the data you provide will be used exclusively for this purpose.
We require a valid e-mail address for effective registration. We use the “double opt-in” procedure to check that a registration is actually made by the owner of an e-mail address. For this purpose, we log the subscription to the newsletter, the sending of a confirmation email and the receipt of the requested reply. No further data is collected. The data is used exclusively for sending the newsletter.

For existing customers:
If we receive your e-mail address in connection with the sale of a product or service and you have not objected to this, we reserve the right to regularly send you information by e-mail about new products, trade fairs and/or events organised by CEOTRONICS or about products/services similar to those you have already purchased. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in a promotional approach to our customers.

Notes on measuring success:
Our sent newsletters contain a so-called web beacon, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a dispatch service provider, from their server. As part of this retrieval, technical information such as information on the dispatch or delivery status, your browser and your system as well as your IP address and the time of retrieval are initially collected.
We use this technical information to improve our newsletter. This analysis includes determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is not our intention, nor that of the mailing service provider used, to analyse individual user information. The evaluations are used exclusively to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. No user-specific analyses or observations are explicitly carried out. In addition, only authorised employees have access to this information. As a central security measure, the newsletter is sent via software hosted by us, which means that only we and authorised service providers/processors have access to these analyses.
Subject to the express consent of the user, the newsletter is analysed and its success measured on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR for the purposes of using a user-friendly and secure newsletter system that serves our business interests and meets the expectations of users.
A separate cancellation of the performance measurement and the newsletter itself is unfortunately not possible, in this case the consent for the entire newsletter must be revoked or objected to.

b. Legal basis for data processing
For persons who have consented to receive the newsletter:
On the basis of your express consent in accordance with Art. 6 para. 1 lit. a GDPR, we will regularly send you our newsletter or comparable information by e-mail to the e-mail address you have provided.

For existing customers:
The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with. § Section 7 (3) UWG on the basis of our overriding legitimate interest in advertising to our customers.

c. Data categories
Company e-mail address, company, title, first and last name, target group, logging of registration/deregistration (date and time) or existing customer entry as well as dispatch data (meta and communication data such as the IP address).

d. Recipient
The recipients of the data are employees of the marketing and other authorised departments and, where applicable, service providers / processors to support the provision, design and administration of our newsletter and direct advertising services. Our newsletter software is hosted on our own servers.

e. Storage periods
The data will only be processed in this context as long as the corresponding consent has been given, you (if applicable as an existing customer) object to the sending of marketing emails or the purpose no longer applies. After revocation of consent or objection to direct marketing, you will be removed from the relevant mailing lists after a reasonable period of time.

f. Requirement to provide your personal data
The provision of your personal data is voluntary, solely on the basis of your consent or because you are registered with us as an existing customer.

g. Third country transfers
Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Revocation of consent / objection
You can revoke / object to the storage of your personal data and its use for the newsletter dispatch / direct advertising at any time with effect for the future by sending an e-mail to marketing@ceotronics.com and / or newsletter@ceotronics.com.
When sending newsletters, there is usually also the option of clicking on an unsubscribe link in the respective newsletter (usually at the bottom of the message).

i. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

XV Business relations

As part of the use of our website and communication (e.g. enquiries via contact forms or by email) with us, a contract may be initiated, for example. For this purpose, in addition to our privacy policy (which largely concerns our website and related services), we provide you with the information obligations pursuant to Art. 13 and 14 GDPR for interested parties, customers, service providers and suppliers under the following link:

XVI Applications

We have included information on current vacancies on our website (mainly at https://ceotronics.com/karriere).
The corresponding information obligations pursuant to Art. 13 and 14 GDPR can be viewed at https://ceotronics.com/informationspflichten-dsgvo.
Further information on data processing will be provided (if necessary) during the application process.

XVII Social media presences

We have online presences in social networks (“social media presences”) and process user data in these networks in order to provide information about us and to communicate with users. As a rule, we also use social media channels to display adverts and conduct market research.
Further information on CEOTRONICS’ online presence in social networks and the corresponding information obligations pursuant to Art. 13 and 14 GDPR can be found on our website at https://ceotronics.com/informationspflichten-dsgvo.

Further information on data processing will be provided (if necessary) by further data protection notices or references.
We have not currently integrated any online presences on our website in such a way that personal data is transmitted to the operators of the sites. We have only included links (e.g. images, icons or texts). If you click on these images, icons or texts, the external website of the social media provider opens (on which the data protection regulations of the respective provider apply – CEOTRONICS has no influence on these).

XVIII. Data retention obligations and deletion of data

Your personal data will only be stored for as long as it is required for the fulfilment of our contractual and legal obligations or as long as you revoke your consent(s). If your data is not deleted because it is required for other legal purposes, its processing will be restricted to these purposes, i.e. generally blocked.

Further information on the deletion of your personal data can also be found in the individual data protection notices of this privacy policy.
If the data is no longer required for the fulfilment of contractual or legal obligations, as mentioned above, it is regularly deleted. Unless temporary and limited further processing is required for the following purposes, among others:

• Fulfilment of retention periods under commercial and tax law: The German Commercial Code (HGB) and the German Fiscal Code (AO) should be mentioned. The retention periods stipulated there are generally up to 10 years.
• Preservation of evidence within the framework of the statutory limitation period. According to §§ 195 ff. of the German Civil Code (BGB), the regular limitation period is 3 years, in special circumstances up to 30 years.
• Compliance with storage obligations arising from other legal obligations.

XIX Right to revoke consents granted in accordance with Art. 7 para. 3 GDPR

You have the right to withdraw your consent(s) – even partially – at any time with effect for the future. The withdrawal of consent(s) shall not affect the lawfulness of processing based on consent(s) before its/their withdrawal. As a result, we may no longer continue the data processing that was based on this/these consent(s) in the future, provided that there are no legal obligations or contractual provisions to the contrary.

XX. Right to information pursuant to Art. 15 GDPR

Every data subject has a right of access to the personal data concerning them. The right of access extends to all data processed by us. The right can be exercised easily and at regular intervals so that all data subjects are always aware of the processing of their personal data and can check its lawfulness (see recital 63 GDPR). The right of access includes in particular the following information:

• The purpose of the processing
• The data categories
• The recipients / categories of recipients, in particular recipients from international organisations or third countries; if a third country is involved, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer.
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
• All available information about the origin of the data if the personal data is not collected from the data subject.
• All available information on the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR.
• The existence of a right to
  • Correction or
  • erasure of the personal data concerning them or
  • the restriction of processing by the controller or
  • a right to object to this processing and
  • the existence of a right to lodge a complaint with a supervisory authority

If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact us using the contact details provided at the beginning of this data protection notice.

XXI Right to rectification pursuant to Art. 16 GDPR

Every data subject has the right to obtain from our company without undue delay the rectification of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.

If a data subject wishes to exercise this right to rectification, they can contact us at any time using the contact details provided at the beginning of this privacy policy.

XXII Right to erasure (right to be forgotten) pursuant to Art. 17 GDPR

Every data subject has the right to erasure and to be forgotten and can demand that we erase the personal data concerning them without undue delay, provided that one of the following reasons applies and insofar as the processing is not necessary:

• The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
• The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.
• The personal data was processed unlawfully.
• The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data was collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.

If one of the aforementioned reasons applies and a data subject wishes to request the erasure of personal data, they can contact us at any time using the contact details provided at the beginning of this privacy policy. The controller will ensure that the request for erasure is complied with immediately.

XXIII Right to restriction of processing pursuant to Art. 18 GDPR

Every data subject has the right to obtain from the controller restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
• The data subject has objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by the controller, he or she may contact us at any time using the contact details provided at the beginning of this privacy policy. The controller will arrange for the restriction of processing.

XXIV Right to data portability pursuant to Art. 20 GDPR

Each data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR, or on a contract pursuant to point (b) of Article 6(1) GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his or her right to data portability pursuant to Art. 20 (1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others. To assert the right to data portability, the data subject can contact us at any time using the contact details provided at the beginning of this privacy policy.

XXV Right to object pursuant to Art. 21 GDPR

Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR. This also applies to profiling based on these provisions.

The controller shall no longer process the personal data in the event of an objection, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If the controller processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling insofar as it is associated with such direct advertising. If the data subject objects to the controller to the processing for direct marketing purposes, the controller will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the controller for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise the right to object, the data subject may contact us at any time using the contact details provided at the beginning of this privacy policy.

XXVI Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority responsible for us is
The Hessian Commissioner for Data Protection and Freedom of Information
Prof Dr Alexander Roßnagel
P.O. Box 31 63
65021 Wiesbaden
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Phone: 0611 / 1408-0
E-mail: poststelle@datenschutz.hessen.de
Homepage: http://www.datenschutz.hessen.de
Of course, you can also contact any other data protection supervisory authority as described above.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.