Data Privacy Policy
According to the General Data Protection Regulation (“GDPR”)
1. Introduction and scope
This Data Privacy Policy is intended to inform you about how we process your personal data during your use of our product or this cplace installation. This Data Privacy Policy applies to all personal data that we collect, process and use when you access and use the cplace installation. It does not apply to personal data concerning individuals that is contained in documents and files uploaded to the cplace environment or otherwise entered into the system by users (such as in text fields or wikis provided via widgets).
2. Controller
This Data Privacy Policy applies to data processing by us as the Controller according to Art. 4 (7) GDPR. Our contact information is:
collaboration Factory AG
Arnulfstraße 34
D-80335 München
Register court and number: Munich, HRB 262367
https://www.collaboration-factory.de/impressum
Contact:
Email: info@collaboration-factory.de
Tel: +49 (0)89 809133 230
Fax: +49 (0)89 809133 239
Website: https://www.collaboration-factory.de/kontakt
In this Data Privacy Policy, the Controller is also referred to as “we” and/or “us.”
3. Data Protection Officer
The Data Protection Officer of the Controller is:
Marco Niederhausen
collaboration Factory AG
Arnulfstraße 34
D-80335 München
E-Mail: datenschutz@collaboration-factory.de
E-Mail: privacy@collaboration-factory.de
4. Definitions
Unless this Data Privacy Policy contains or implies a different definition, please refer to the definitions in Art. 4 GDPR concerning the terms used.
5. Processing of personal data
Processing of personal data by our hosting service provider as our subcontractor.
Our cplace installation is operated or hosted on servers of our hosting service provider, which are located in Germany or in the EU or EEA.
We currently work with the following hosting service provider:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
(hereinafter: “hosting service provider”).
Further information about data protection, processing security and the hosting service provider’s certification status is available here:
https://www.hetzner.com/de/legal/privacy-policy
https://www.hetzner.com/de/unternehmen/zertifizierung
https://www.hetzner.com/AV/TOM.pdf
Our contractually bound hosting service provider processes personal data for us on our behalf and according to our instructions as a so-called “Processor” according to Art. 28 GDPR.
6. Use of this cplace installation
When our cplace installation is used, we or the hosting service provider acting on our behalf collect only personal data transmitted to our servers by your browser or processed in this cplace installation itself. This data may generally include:
User data
- IP address
- Name
- User name
- Operating system
- Language and version of the browser software
- Internet Service Provider
- Websites from which the user’s system accesses this cplace installation
- Websites that are accessed by the user’s system via this cplace installation
Time-related data
- Date and time of the request
- Date and time of login
- Time zone difference to Greenwich Mean Time (GMT)
Usage data
- Content of the request (specific page)
- Actions of the user (e.g. deleting a page, changing an attribute value)
- Access status/HTTP status code
- Data volume transferred in each case
- Web page from which the request comes
- Operating system
This data is technically required by us in order to display or provide you with the desired content and thus enable you to work in the system (purpose of processing). The legal bases for this processing are Art. 6 (1) (a), (b) and (f) GDPR.
Our legitimate interest lies in enabling our customers, partners, employees and interested parties to use the (possibly specifically developed) applications or to use cplace in the context of sales and marketing processes and, among other things, to conduct product training and demonstrations. These measures serve the (further) distribution of cplace in the market and thus represent a contribution to the collaboration Factory AG business model.
The personal data to be processed thereby is generally within a business context, such as a business email address, an IP address sent from a computer used for business purposes, etc. In addition, the categories of personal data processed are to be judged as non-critical; neither do we generally process any special categories of personal data according to Art. 9 (1) GDPR.
Any misuse or causing of other damage to the personal data we process requires (in part) technical tools and considerable professional IT knowledge.
Considering the points above as a whole leads collaboration Factory AG to the assessment that the risk to our users of suffering damage as data subjects according to Art. 4 (12) GDPR (personal data breach) is to be classified as very low. As a result, we hold our legitimate interest to be true and feasible in consideration of the points above.
The processing takes place at different points from a technical perspective.
cplace’s own logs
The cplace Request Log stores the time and URL of the requested pages as standard. The storage or retention period is generally 90 days.
Personal data stored in cplace itself, as well as usage data, may be listed in logs. This includes email addresses and names of registered users as well as their activities and login or action times. These logs are used for troubleshooting and are deleted every 90 days in turn.
Backups of the (request) logs are made regularly. These are deleted every 90 days or overwritten with new backups in turn.
The legal basis for this processing is also Art. 6 (1) (a), (b) and (f) GDPR. Our legitimate interests and their consideration are presented in the first sub-point in section 6.
7. Recipients or categories of recipients
Personal data is communicated to the following categories of recipients:
- Our employees or collaborators according to Art. 29 GDPR
- Employees of our partners depending on the (project/business) context
- Our Processors to the necessary extent, in particular our hosting service provider
- If applicable - depending on your choice - individual named service providers of integrated services
Beyond this, your personal data will not be passed on to third parties without your express consent, unless we are legally obliged to do so or transmitting the data is absolutely necessary for the performance of a contractual relationship.
8. Use of cookies
So-called cookies are used within the software in some cases. These are small text files or small data sets stored on the device you use to access this cplace installation. Cookies are used in particular to ensure security when visiting a website (“absolutely necessary”), to implement certain functionalities such as standard language settings (“functional”) or to improve the user experience or performance on the website (“performance”).
The software uses only absolutely necessary and functional cookies, in particular to identify the user and ensure security, as well as to implement certain default settings such as the filters in the employee list or calendar settings.
Herein lies our legitimate interest under Art. 6 (1) (f) GDPR, because without this technology the operation of cplace would generally be possible not at all or only to a very limited extent. As explained in detail above, users have a low risk of suffering damages as data subjects according to Art. 4 (12) GDPR, so that our legitimate interest prevails. Further legal bases include Art. 6 (1) (a) and (b).
You may choose yourself whether you want to allow or object to the use of cookies via your browser settings.
We distinguish between the following categories of cookies and related data processing:
- Technically necessary
- Functional
- Performance or improved user experience
Cookie-Name | Category | Function | Storage duration |
---|---|---|---|
JSESSIONID | Technically necessary | Usability of the cplace content | Session |
Permanent Cookie | Functional | Optional: automatic login on next visit | Across sessions (until the browser cache is cleared by the user) |
XSRF-TOKEN | Technically necessary | Protection from CSRF (Cross-Site-Request-Forgery) | Session |
You may exclude the “permanent cookie” by deactivating the “Keep me logged in” function on the login page (opt-out).
9. Use of data privacy-related plugins
No additional information from data privacy-related plugins.
10. Transmission to third countries
We process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) only if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. The same applies to processing by third parties on our behalf, the disclosure of personal data to third parties, and its transmission to third parties. Service providers who process personal data on our behalf in a third country are also only used if an “adequacy decision” by the European Commission (Art. 45 GDPR) exists for the third country, or if the recipient possesses “appropriate safeguards” (Art. 46 GDPR) or “binding corporate rules” (Art. 47 GDPR).
General information on adequacy decisions:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_de
General information on suitable guarantees:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_de
General information on binding corporate rules:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_de
Please contact us for further information.
11. Provision of personal data and profiling
You are not required by law to provide personal data concerning yourself. However, providing the data may be necessary to conclude a contract or for some functions of our service. If you do not provide the data, a contract or a function of our service may not be offered. There is no automatic decision-making, including profiling, beyond designated measures dependent on consent.
12. Erasure of data
The data we process will be deleted in accordance with Art. 17 GDPR or restricted in its processing in accordance with Art. 18 GDPR. Unless otherwise specified in this Data Privacy Policy, the data we process will be deleted as soon as it is no longer required for its intended purpose and the erasure is not subject to any legal obligations of retention. We review whether the data is required every six months.
13. Rights of data subjects
You have the right:
- under Art. 15 GDPR to request information about the personal data concerning you that we process. In particular, you may demand information about the purposes of processing; the category of the personal data; the categories of recipients to whom your data has been or will be disclosed; the planned storage period; the existence of your right to rectification, erasure, restriction of processing or objection; the existence of your right of complaint; the origin of your data if it was not collected by us; the existence of automated decision-making including profiling and, if applicable, meaningful information about it in detail;
- under Art. 16 GDPR to demand the rectification of inaccurate personal data or completion of incomplete personal data concerning you and stored by us without delay;
- under Art. 17 GDPR to demand the erasure of your personal data stored by us, unless its processing is necessary for exercising the right to freedom of expression and information, for complying with a legal obligation, for reasons of public interest, or for establishing, exercising or defending legal claims;
- under Art. 18 GDPR to demand the restriction of processing your personal data, insofar as you dispute the accuracy of the data; the processing is unlawful, but you oppose its erasure; we no longer require the data, but you require it for asserting, exercising or defending legal claims; or you have objected to the processing according to Art. 21 GDPR;
- under Art. 20 GDPR to receive your personal data that you have provided to us in a structured, common and machine-readable format, or to demand its transmission to another Controller;
- under Art. 77 GDPR to complain to a supervisory authority. As a rule, you may contact the supervisory authority of your usual place of residence or workplace or our company headquarters. The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach.
14. Revocation of consent
If we process your personal data on the basis of consent given by you according to Art. 6 (1) (a) GDPR, you have the right to revoke any consent given to us according to Art. 7 (3) GDPR with future effect.
If you wish to exercise your right of revocation, you may notify us by emailing datenschutz@collaboration-factory.de or privacy@collaboration-factory.de. Alternatively, you may use the contact information given above in section 2.
15. Objection in case of processing based on legitimate interest
If we process your personal data on the basis of our legitimate interests according to Art. 6 (1) (f) GDPR, you have the right to object to the processing of your personal data under Art. 21 GDPR, provided that reasons exist that arise from your particular situation or that the objection is against direct marketing. In the latter case, you have a general right of objection, which we will implement without a particular situation being specified.
If you wish to exercise your right of objection, you may notify us by emailing datenschutz@collaboration-factory.de or privacy@collaboration-factory.de. Alternatively, you may use the contact information given above in section 2.
16. Security measures
We take state-of-the-art organizational, contractual and technical security measures to ensure that the provisions of data protection law are complied with in order to protect the data we process against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons.
17. Changes to this Data Privacy Policy
We reserve the right to change our Data Privacy Policy should it be necessary due to new technologies, changes in our data processing procedures, or in order to adapt it to changes in the legal situation concerning us. However, this only applies to this Data Privacy Policy. If we process your personal data on the basis of your consent or if parts of the Data Privacy Policy contain provisions of the contractual relationship with you, any changes will be made only with your consent.