1. Personal data
Personal data is all information about a specific or identifiable natural person. An identifiable natural person is a person that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
2. Affected person
An affected person is any identified or identifiable natural person whose personal data is processed by the controller.
Processing is any operation or set of operations performed on personal data or sets of personal data, whether or not automated, such as recording, organizing, structuring, storing, adapting or changing, accessing, consulting, using, transmitting, disseminating or otherwise making available, aligning or combining, restricting, deleting or destroying.
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects of a natural person, in particular to analyze or predict aspects of work performance, economic situation, health, personal preferences, interests, the reliability, the behavior, the location or the movements of this natural person.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be assigned to a specific person without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data is not assigned to a specific or identifiable natural person.
Responsible for processing is the natural or legal person, public authority, agency or other body which, alone or in concert with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the Union or Member State law, the controller or the specific criteria for their designation may be determined by the Union or Member State law.
The processor is a natural or legal person, public authority, government agency or other body that processes personal data on behalf of the controller.
8. Recipients
A recipient is a natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether or not it is a third party. However, authorities that may receive personal data in the context of a specific investigation under Union or Member State law are not considered recipients; the processing of this data by these authorities is carried out in accordance with the applicable data protection rules according to the purposes of the processing.
The consent of the data subject is any free, specific, informed and unambiguous presentation of the data subject’s wishes, by which they declare their consent to the processing of the personal data concerning them by means of a declaration or a clear affirmation.
I. Name of the person responsible
The person responsible within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is the
Email: firstname.lastname@example.org | Website: www.usercentrics.com
II. Data Protection Officer
You can contact our data protection officer as follows:
IITR Datenschutz GmbH
Dr. Sebastian Kraska
External data protection officer
III. General information about the collection and processing of your data
1. Scope of processing
In principle, we process personal data of our website visitors and users only insofar as this is necessary to provide a functioning website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent can not be obtained for reasons of fact and the processing of the data is permitted by law.
2. Legal basis
Insofar as we obtain the consent of the data subject for processing of personal data, art. 6 §1 GDPR serves as a legal basis.
In the processing of personal data necessary for the performance of a contract to which the data subject is a party, art. 6 § 1 lit. b GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual actions.
Insofar as processing of personal data is required to fulfill a legal obligation to which our company is subject, art. 6 § 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, art. 6 § 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, art. 6 § 1 lit. f GDPR serves as the legal basis for processing.
3. Storage and deletion of your data
We delete or block the personal data of the data subject as soon as the purpose of the storage is eliminated. It may also be stored if provided for by the European or national legislator in EU regulations, laws or regulations to which our company is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for conclusion of a contract or fulfillment of the contract.
4. Please note
Your consent data will be processed for the use of this website and the use of the implemented Consent Management Platform. We use the Google Cloud Platform of Google Ireland Limited. The servers are located in Frankfurt and Belgium. Due to the judgment of the Court of Justice of July 16th, 2020 (Case C311/18), the transfer of personal data to the US on the basis of the Privacy Shield was declared invalid. We would like to inform you that we cannot exclude the fact that data may be transferred to the US and may be subject to access by the US security authorities in accordance with 50 U.S.C. §1881(b)(4), 50 U.S.C. §1881a (= FISA 702).
This applies to the use of the Usercentrics website as well as to all websites that have implemented the Usercentrics Consent Management Platform as a service into their website.
IV. Provision of the website and creation of log files
1. Scope of processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. This is e.g. information like
– Information about the type and version of your internet browser,
– The operating system of your computer or smartphone,
– Your internet service provider,
– Your IP address,
– Date and time of your access,
– Websites from which you came to us,
– Websites that you visit from our site.
The legal basis for the temporary storage is art. 6 § 1 lit. f GDPR.
We collect such technical information in so-called “log files”, so that our website can be displayed correctly for you and we can identify the causes of any technical problems, for the technical optimization of our websites and for the purpose of the security of our computer systems and networks. These purposes constitute our legitimate interest in the processing of data according to art. 6 § 1 lit. f GDPR.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Typically, this technical information will be erased or rendered unrecognizable at the latest after seven days.
The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. Consequently, the user has no option to object.
V. Contact requests for product information, a demo or other concerns
1. Description and scope of data processing
On our website you can contact us via various options: e.g. contact form, book a demo, request a quote, request product information, request guides. If you make use of one of these options, the data entered in the input mask will be transmitted to us and saved. In addition to the data entered in the input mask, the IP address and the date and time of the request are collected and stored. For the processing of the data, you give your consent in the context of the sending process.
Alternatively, a contact via e-mail address is possible. In this case, the user’s personal data transmitted by e-mail will be stored.
In this context, there will be no disclosure of the data to third parties, unless this is necessary for the processing of the query (for example, demo booking tool). In any case, the data will be used exclusively for processing the conversation.
2. Legal basis for processing
Where the user has given consent, the legal basis for the processing of the data is art. 6 § 1 lit. a GDPR.
The legal basis for the processing of the data transmitted in the course of sending an e-mail is article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a contract, then additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
3. Purpose of the data processing
The processing of personal data from the input mask is solely for the processing of your request. In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Duration of storage
If you have booked a demo, requested product information or an offer, we reserve the right to store the data for two years to measure the profitability of our sales and marketing. Otherwise, we will delete the data as soon as it is no longer necessary to achieve the purpose of its collection. For the personal data from the input form of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.
The additional personal data collected during the sending process will be deleted at the latest after a period of seven days.
5. Opposition and removal possibility
The user has the possibility at any time to revoke his consent to the processing of the personal data. If the user contacts us by e-mail, he may object to the storage of his personal data at any time. In such a case, the conversation can not continue.
All personal data stored in the course of contacting will be deleted in this case.
VI. You become a customer or partner of Usercentrics
1. Description and scope of data processing
We offer the possibility of becoming a customer or partner by providing personal data. The data is collected and stored in the contract process. A transfer of data to third parties does not take place. The following data is collected during the registration process:
– Your email address,
– First name and last name,
– if necessary company affiliation,
– Payment information (possibly the company),
– other data that we request from you and
– possibly data that we receive in the course of the business relationship.
2. Legal basis for processing
Where the user has given consent, the legal basis for the processing of the data is art. 6 § 1 lit. a GDPR, and also art. 6 § 1 lit. b GDPR, since the registration serves the fulfillment of a contract or the implementation of pre-contractual measures.
3. Purpose of the data processing
Registration is required to fulfill the customer or partner contract or to carry out pre-contractual measures.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. This is the case during the registration process for the performance of a contract or for the performance of pre-contractual measures if the data are no longer necessary for the performance of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contracting party in order to comply with contractual or legal obligations. In particular, our company has to observe the storage obligations of § 257 Commercial Code in this connection.
5. Opposition and removal possibility
As a user you always have the option to cancel your account. You can change the data stored about you at any time. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not preclude deletion.
VII. Cookies and Tracking Technologies
1. What are Cookies?
A web browser cookie is a small text file sent from a website to your computer or mobile device where it is stored by your web browser. Web browser cookies may store information such as your IP address or other identifier, your browser type, and information about the content you display and interact with on the digital services. By storing such information, web browser cookies can store your preferences and settings for online services and analyze how you use online services.
Tracking Technologies: Web Beacons / Gifs, Pixels, Page Tags, Script
Emails and mobile applications can contain small, transparent image files or lines of code to record how you interact with them. This information is used to help website and app publishers better analyze and improve their services.
2. Use, legal basis and purpose
Before consent is given 2 functional cookies are set. The “PHPSESSID” cookie is used to recognize the browser language and thus display the language of the website accordingly. After closing the browser this cookie will be deleted. The “wBounce” cookie only contains the value “true”. This value is used to determine if the user has already seen a pop-up or not. If the user has already interacted with one, we do not want to show it to him or her again for a certain period of time.
In addition, we set the two IAB cookies “euconsent” and “eupubconsent”. These cookies are stored when a user does not want to be tracked. The same applies to the storage of data in the local storage. This only serves the purpose to remind us that a user has not given his or her consent. Otherwise, we would have to ask about it every time the same user visits the site.
The legal basis for the processing of personal data using technically necessary cookies is Article 6 (1) lit. f GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes is the consent of the user Art. 6 para. 1 lit. a GDPR.
The use of the analysis cookies is for the purpose of improving the quality of our website and its contents. Through the analysis cookies, we learn how the website is used and so we can constantly optimize our offer.
3. Duration of storage, objection and disposal options
VIII. Implemented Technologies
Our services are not aimed at children under 13 years. We do not knowingly collect information from children under the age of 13. If you have not reached the age limit, do not use the services and do not provide us with your personal information. If you are a parent of a child below the age limit and you learn that your child has provided Usercentrics personal information, please contact us at email@example.com and insist on exercising your rights of access, correction, cancellation and / or opposition. If you are resident in California and are under 18 years of age and wish to erase publicly available content, please contact us at firstname.lastname@example.org.
X. Your rights
If we process your personal data you have – after successful identification – the following rights towards us:
1. Right to information
You may request confirmation from our company as to whether we process personal information pertaining to you.
If such processing takes place, you can request information about a large number of circumstances in accordance with GDPR, such as
(1) the purposes for which your personal information is processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom your personal information has been disclosed or is still being disclosed;
(4) the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the retention period;
(5) the existence of a right to rectification or deletion of your personal data, a right of limitation of our processing or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) all available information about the source of your personal data, unless your personal information was collected from yourself;
(8) the existence of automated decision-making including profiling under article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.
You have the right to request information about whether your personal information is transferred to a third country or an international organization. In this connection, you can request the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
2. Right to rectification
You have the right to correct and / or complete your personal data if this information is incorrect or incomplete. We will make the correction without delay.
3. Right to restriction of processing
Under certain circumstances, you may request the restriction of the processing of your personal data.
(1) if you contest the accuracy of your personal information for a period of time that enables us to verify the accuracy of your personal information;
(2) if the processing is unlawful and you refuse the deletion of your personal data and instead request the restriction of the use of your personal data;
(3) If we no longer need your personal information for the purposes of processing, but you need it to assert, exercise or defend your rights, or
(4) if you object to the processing and it is not yet certain that the legitimate reasons of our group of companies and affiliates exceed your reasons.
If the processing of your personal data has been restricted, we may only process this data – with the exception of its storage – with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
If the processing has been restricted under the above-mentioned conditions, you will be informed by us before the restriction is lifted.
4. Right to cancellation
You may require us to have your personal information deleted immediately and we shall be obliged to erase that information immediately if one of the following is true:
(1) your personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(2) You revoke your consent on which the processing was based according to art. 6 § 1 lit. a or art. 9 § 2 lit. GDPR, and there is no other legal basis for processing.
(3) You object to the processing according to art. 21 § 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to art. 21 § 2 GDPR.
(4) Your personal data have been processed unlawfully.
(5) The deletion of personal data concerning you shall be required to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
If we have made your personal data public and are obliged to erase it according to Article 17 (1) of the GDPR, we will take appropriate measures, taking into account available technology and implementation costs, to inform other companies processing your personal data that you have requested the deletion of all links to your personal data and of all copies thereof (“right to be forgotten”). The right to erasure does not exist if the processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of official authority conferred on the controller;
(3) for reasons of public interest in the field of public health pursuant to art. 9 (2) lit. h and i as well as art. 9 (3) GDPR, or
(4) to assert, exercise or defend legal claims.
5. Right to information of third parties by our company
If you have asserted the right to rectification, deletion or restriction of processing against our company, we are obliged to notify all recipients to whom we have disclosed your personal data of this rectification or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort. You also have the right to be informed by us about these recipients.
6. Right to Data Portability
You have the right to receive personally identifiable information you provide us in a structured, common and machine-readable format. You also have the right to transfer this information to another person without hindrance by the controller to whom the personal data has been provided, provided that
(1) the processing is based on consent according to art. 6 § 1 lit. a GDPR or art. 9 § 2 lit. a GDPR or on a contract according to art. 6 § 1 lit. b GDPR, and
(2) the processing is done by automated means.
In exercising this right, you also have the right to obtain that your personal data relating to you are transmitted directly from one person to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.
7. Right to object
You have the right to object at any time, for reasons that arise from your particular situation, to the processing of your personal data that is carried out pursuant to art. 6 § 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
We will no longer process your personal information in this case unless there are compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims.
If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
8. Right to revoke the data protection consent declaration
You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
9. Automated decision on a case-by-case basis, including profiling
You have the right not to be subjected to a decision based solely on automated processing – including profiling – that will have legal effect on you or affect you in a similar manner.
This does not apply if the decision
(1) is required for the conclusion or performance of a contract between you and us,
(2) is permitted by Union or Member State legislation to which the controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or
(3) is made with your express consent.
With respect to the cases referred to in (1) and (3), the person responsible shall take reasonable steps to uphold your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person from our company, to express your own position and to challenge the decision.
10. Right to complain to the supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of the personal data concerning you is against GDPR. Names and contact information of the competent supervisory authorities in the European Union can be found at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
XI. Security and integrity of the data
Protecting the information you give us or that we receive about you is our priority. We take appropriate security measures to protect your information from loss, misuse, and unauthorized access, alteration, disclosure, or destruction. Usercentrics has taken measures to ensure the ongoing confidentiality, integrity, availability and resiliency of systems and services that process personal information, and will restore the availability and access to information in the event of a physical or technical incident in a timely manner.