This privacy policy informs you about our handling of your data. In order to make the processing of your data comprehensible to you, we would like to provide you with an overview of this processing with the following information. To ensure fair processing, this privacy statement contains general information about our handling of your data as well as information about your rights under the European Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Privacy information
I. General information
II. Data processing on our website
III. Data processing on our social media pages
IV. Further data processing
Responsible for data processing is cimt ag (hereinafter referred to as “we” or “us”).
I. General information
1. Contact
If you have any questions or suggestions regarding this information, or if you would like to contact us about asserting your rights, please send your request to
cimt ag
Danske Hus
Meßberg 4
20095 Hamburg
Tel.: +49 40 53302-0
Fax: +49 40 53302-22
E-Mail: info@cimt-ag.de
2. Legal basis
The term “personal data” under data protection law refers to all information that relates to an identified or identifiable individual.
We process personal data in compliance with the relevant data protection regulations, particularly the DSGVO and the BDSG. Data processing by us only takes place on the basis of a legal permission. We process personal data
- only with your consent (Art. 6 Abs. 1 Buchst. a) DSGVO),
- in order to perform a contract to which you are a party or, at your request, in order to carry out pre-contractual measures (Art. 6 Abs. 1 letter. b) DSGVO),
- to fulfill a legal obligation (Art. 6 Abs.1 letter. c) DSGVO)
- or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data override (Art. 6 Abs. 1 letter. f) DSGVO).
3. Duration of storage
Unless otherwise stated in the following notes, we store data only as long as it is necessary to achieve the purpose of processing or to fulfill our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law regulations.
4. Categories of recipients of the data
We use order processors in the context of processing your data. Processing operations carried out by such processors include, for example, hosting, maintenance and support of IT systems, marketing measures or file and data carrier destruction. A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out data processing exclusively for the data controller and are contractually obligated to ensure appropriate technical and organizational measures for data protection.
In addition, we may transfer your personal data to bodies such as postal and delivery services, the company’s bank, tax advisors/auditors or the tax authorities.
If your data is transferred to other recipients, we will inform you under the respective processing procedure.
5. Processing when exercising your rights pursuant to Art. 15 to 22 DSGVO.
If you exercise your rights pursuant to Art. 15 to 22 DSGVO, we process the transmitted personal data for the purpose of implementing these rights by us and to be able to provide evidence thereof. We will only process data stored for the purpose of providing information and preparing it for this purpose and for data protection control purposes and otherwise restrict processing in accordance with Art. 18 DSGVO.
These processing operations are based on the legal basis of Art. 6 para. 1 lit. c) DSGVO in conjunction with. Art. 15 to 22 DSGVO and Section 34 (2) BDSG.
6. Your rights
As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:
- In accordance with Art. 15 DSGVO and Section 34 BDSG, you have the right to request information about whether and, if so, to what extent we are processing personal data relating to you or not.
- You have the right to demand that we correct your data in accordance with Art. 16 DSGVO.
- You have the right, in accordance with Art. 17 DSGVO and § 35 BDSG, to demand that we delete your personal data.
- You have the right to have the processing of your personal data restricted in accordance with Art. 18 DSGVO.
- You have the right, in accordance with Art. 20 DSGVO, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer this data to another controller.
- If you have given us separate consent to data processing, you may revoke this consent at any time in accordance with Article 7 (3) DSGVO. Such a revocation will not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
- If you believe that a processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
7. Right of objection
In accordance with Art. 21(1) DSGVO, you have the right to object to processing based on the legal basis of Art. 6(1)(e) or (f) DSGVO on grounds relating to your particular situation.
If personal data about you is processed by us for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 (2) and (3) DSGVO.
8. Data protection officer
You can reach our data protection officer at the following contact details:
II. Data processing on our website
When you use the website, we collect information provided by you. In addition, during your visit to the website, certain information about your use of the website is automatically collected by us. In data protection law, the IP address is also generally considered to be a personal data. An IP address is assigned to every device connected to the Internet by the Internet provider so that it can send and receive data.
1. Processing of server log files
During the purely informative use of our website, general information that your browser transmits to our server is stored automatically at first (i.e. not via registration). This includes by default: browser type/version, operating system used, page accessed, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code. The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) f) DSGVO. This processing is for technical administration, website security and internal analysis purposes. The stored data is deleted after seven days unless there is a justified suspicion of unlawful use based on concrete indications and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject on the basis of the stored information. Articles 15 to 22 of the GDPR therefore do not apply pursuant to Article 11(2) of the GDPR, unless you provide additional information that enables us to identify you in order to exercise your rights set out in these articles.
2. Newsletter
a. Subscription and unsubscription
We offer the possibility to subscribe to our newsletter. After registration, we will inform you regularly about the latest news on our offers. A valid e-mail address is required to register for the newsletter. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address and name based on the consent you have given. The processing is based on the legal basis of Art. 6 (1) a) DSGVO. You can revoke the consent given at any time with effect for the future, for example via the “unsubscribe” link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation. When registering for the newsletter, we also store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 lit. c) in conjunction with. Art. 7 para. 1 DSGVO)..
b. Newsletter analysis
We also analyze the reading behavior and opening rates of our newsletter. For this purpose, pseudonymized usage data is collected and processed by us, which we do not merge with your email address or your IP address. The legal basis for the analysis of our newsletter is Art. 6 (1) f) DSGVO and the processing serves our legitimate interest in optimizing our newsletter. You can object to this at any time by contacting one of the contact channels mentioned above.
c. Service provider
For the management of subscribers, the dispatch of the newsletter and the analysis, we use the MailChimp service of The Rocket Science Group LLC d/b/a MailChimp (USA). Your e-mail address is therefore transmitted by us to MailChimp.
On the basis of the email address, MailChimp performs a geolocation and thereby determines information about the IP address (geolocation data and any existing location information) with the help of a “geolocation service provider”. Geolocation is also used to determine time zones. This, in turn, is possibly used for the simultaneous sending out of newsletters at certain times.
Geolocation is performed both when subscribing to the newsletter and when opening newsletter emails. You can view more information here. We have no influence on the performance of geolocation. This function cannot currently be deactivated in MailChimp.
If MailChimp can determine the set language from the browser used when subscribing to the newsletter or when calling up links, this will be saved in your profile. This function can be used in particular to form segments of subscribers by language. For example, it allows us to send newsletter emails in English to subscribers who have set English as their default language in their browser. This function cannot be disabled by us.
The processing is carried out on our behalf and is based on the legal basis of Art. 6 lit. f) DSGVO and serves our legitimate interest in optimizing and economically sending our newsletter. If you do not want your data to be processed by MailChimp, you should not subscribe to or unsubscribe from the newsletter.
The adequacy of the level of data protection is ensured via EU-standard contractual clauses
3. Whitepaper
a. Whitepaper Download
We offer a whitepaper on our website that you will receive from us if you allow us to contact you for marketing purposes from now on. To receive the whitepaper, you must provide a valid email address. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). We process your e-mail address for promotional purposes on the basis of the consent you have given. The processing is based on the legal basis of Art. 6 (1) a) DSGVO. You can revoke your consent at any time with effect for the future, for example via the link provided for this purpose at the end of every message from us or by contacting us in any other way. The legality of the data processing operations already carried out remains unaffected by the revocation.
b. Service provider
We use the service Hubspot from Massachusetts (USA) to send the whitepaper. Your e-mail address as a mandatory field and optionally name, position, company, telephone number are therefore transmitted by us to Hubspot.
The processing is carried out on our behalf and is based on the legal basis of Art. 6 lit. f) DSGVO and serves our legitimate interest in customer acquisition as well as customer retention. If you do not want your data to be processed by Hubspot, you should not request a whitepaper or unsubscribe.
The adequacy of the data protection level is ensured via EU-standard contractual clauses.
4. Webinars
We organise online webinars for our customers and interested parties. Registration requires the processing of personal data (name, e-mail address and, if applicable, employer), which you provide to us via the input mask. The processing of the data provided is for the purpose of providing the service and is based on the legal basis of Art. 6 para. 1 letter b DSGVO.
To conduct the webinar, we use Teams, a service of Microsoft Corp. (USA). Before entering the webinar room, you will be asked to enter your name. Please note that this name may be noted by the other webinar participants. If you do not wish to do this, you may enter your initials only instead. By using Teams, a transfer of your data to the USA cannot be excluded. To ensure an adequate level of protection, we have concluded EU standard contractual clauses. You have the possibility to obtain a copy of these EU standard data protection clauses or to inspect them. To do so, please contact us at the address given under Contact.
By registering for the webinar, you agree to be contacted by our sales team afterwards. We offer you participation in our webinar in return for your contact details and consent to receive further information about our services. This processing is carried out on the legal basis of Art. 6 para. 1 letter a DSGVO. You have the option to revoke your consent at any time by clicking on the unsubscribe link in the email or by contacting us at the above-mentioned contact address.
To manage your data, we use salesforce, a service of salesforce.com, inc. (USA). We use Salesforce’s Processor Binding Corporate Rules for the Processing of Personal Data as appropriate safeguards for transfers to third countries: https://c1.sfdcstatic.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
5. Cookies
We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit a website. This identifies the browser used and can be recognized by our web server. We use so-called “session cookies”, which are deleted when the browser session is closed. Other cookies (“persistent cookies”) are automatically deleted after a specified period of time, which may vary depending on the cookie.
The use of cookies is partly technically necessary for the operation of our website. We also use cookies and comparable technologies to measure analytics about the reach of our website and to analyze the use of our website. We additionally use cookies and comparable technologies to track user behavior across websites and devices.
Cookies are stored on the user’s computer. Therefore, you as a user also have full control over the use of cookies. You can delete cookies at any time in the security settings of your browser. You can object to the use of cookies through your browser settings in principle or for specific cases. Further information on this is provided by the Federal Office for Information Security at https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html.
Information on how cookies and comparable technologies are used by us can be found below in each case under the description of the specific processing activity. Further information on the cookies used on our website can also be found on our consent banner.
You can also change your cookie settings here:
6. Consent management via borlabs
This website uses Borlabs. The Borlabs consent banner allows users of our website to give consent to certain data processing operations or to withdraw consent they have given. In addition, Borlabs helps us to be able to provide proof of the declaration of consent. For this purpose, Borlabs processes information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data.
The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 lit. c) in conjunction with. Art. 7 para. 1 DSGVO).
7. Google Analytics
We use the Google Analytics service of Google Ireland Limited (Ireland/EU) to evaluate our website visits. Google uses cookies that enable an analysis of your use of our website. Personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website are processed in the process. The information generated by the cookie about the use of our website by users is usually transferred to a Google server in the USA and stored there. Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with IP anonymization activated. This means that the IP address of users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user’s browser is not merged with other data from Google.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Art. 6 (1) a) DSGVO. You can prevent the storage of cookies by Google Analytics via an appropriate setting of your browser software or our Consent Banner. You can also prevent the collection of information generated by the cookie by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout.
If you visit our website via a mobile device, you can deactivate Google Analytics by one click.
Please also note that we document any consent you have given in order to comply with our obligation to provide evidence under Article 7 (1) DSGVO. As we are obliged to do so, this storage is based on the legal basis of Art. 6 para. 1 lit. c) DSGVO)
When using Google Analytics, a transmission of the processed data to the US-based Google LLC by us cannot be excluded.
The adequacy of the level of data protection is ensured via EU-standard contractual clauses.
8. Cloudflare
We use the Cloudflare service of Cloudflare Inc (USA) on our website to display content. For such integration, processing of your IP address is technically necessary so that the content can be sent to your browser.
The processing of your data is based on Art. 6 para. 1 lit. f DSGVO and is based on our legitimate interest in the optimisation and economic operation of our website.
When using the service, a transmission of your data to the USA cannot be excluded. Please note the information in the section “Data transfer to third countries”. For further information on data protection at Cloudflare, please refer to Cloudflare’s data protection information at https://www.cloudflare.com/privacypolicy/.
9. Integrated services and contents of third parties
On our website we use services and content (hereinafter collectively referred to as “content”) provided by third-party providers. When integrating them, we use a two-click solution. When using the two-click solution, no connection is established to the third-party provider, but a placeholder is loaded from our own server. This can be a preview image of the embedded maps or videos. A contact to the “third-party server” is only established after another click on the respective placeholder. The transmission of the IP address thus only takes place when you confirm this with your click.
The data processing is carried out with your consent and is based on Art. 6 (1) a) DSGVO.
We have integrated content from the following services provided by third-party providers into our website:
- „YouTube“ provided by YouTube LLC (USA) for the display of videos.
When using Google services, a transmission of processed data to the US-based Google LLC (USA) by us cannot be excluded.
The adequacy of the level of data protection is ensured via EU-standard contractual clauses.
10. Pardot Marketing Automation System
We use the Pardot Marketing Automation System (“Pardot MAS”) of salesforce.com, Inc. (USA) on our website. Pardot MAS is a special software for recording and evaluating the use of a website by website visitors. When you visit our website, Pardot MAS records your click path and uses it to create an individual usage profile using a pseudonym. As far as Pardot MAS processes personal data, the processing is carried out exclusively on our behalf and according to our instructions.
The processing of your data is based on your consent according to Art. 6 para. 1 lit. a) DSGVO.
Cookies are set on your terminal device to integrate the service. The setting of cookies as well as access to information stored in the terminal device you are using is done with your consent pursuant to Section 25 (1) TTDSG. which you can revoke at any time with future effect via our Consent Management Tool. When using the service, a transfer of your data to the USA cannot be excluded. We use Salesforce’s Processor Binding Corporate Rules for the Processing of Personal Data as appropriate safeguards for transfers to third countries: https://c1.sfdcstatic.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf. For more information about Salesforce’s privacy practices, please see Salesforce’s privacy notice at https://www.salesforce.com/company/privacy/.
III. Data processing on our social media pages
We are represented on several social media platforms with a company page. Through this, we would like to offer further opportunities for information about our company and for exchange. Our company has company pages on the following social media platforms:
When you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with a social media profile used also regularly constitutes personal data. This also covers messages and statements made while using the profile. In addition, during your visit to a social media profile, certain information is often automatically collected about it, which may also constitute personal data.
1. Visit of a social media page
a. Facebook and Instagram page
When you visit our Facebook or Instagram page, through which we present our company or individual products from our range, certain information about you is processed. The sole controller of this processing of personal data is Meta Platforms Ireland Limited. For more information about the processing of personal data by Meta, please visit https://www.facebook.com/privacy/explanation. Meta offers the possibility to object to certain data processing; related information and opt-out options can be found at https://www.facebook.com/settings?tab=ads.
Meta provides us with statistics and insights in an anonymized form for our Facebook and Instagram page, which we use to gain insights into the types of actions that people take on our page (so-called “page insights”). These page insights are created based on certain information about individuals who have visited our page. This processing of personal data is carried out by Meta and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our site and improving our site based on these insights. The legal basis for this processing is Art. 6 (1) (f) DSGVO. We cannot associate the information obtained via Page Insights with individual Facebook profiles that interact with our Facebook page. We have entered into a joint controller agreement with Meta, which specifies the distribution of data protection obligations between us and Meta. For details about the processing of personal data to create Page Insights and the agreement entered into between us and Meta, please visit https://www.facebook.com/legal/terms/information_about_page_insights_data. Regarding these data processing operations, you have the option of asserting your data subject rights (see “Your rights” in this regard) against Meta as well. Further information on this can be found in Meta’s privacy policy at https://www.facebook.com/privacy/explanation.
Please note that according to Meta’s privacy policy, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 DSGVO or on the basis of appropriate safeguards in accordance with Art. 46 DSGVO.
b. LinkedIn
For the processing of personal data when visiting our LinkedIn page, LinkedIn Ireland Unlimited Company (Ireland/EU – “LinkedIn”) is basically the sole controller. For more information about the processing of personal data by LinkedIn, please visit https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
When you visit, follow or engage with our LinkedIn company page, LinkedIn processes personal data to provide us with anonymized statistics and insights. This provides us with insights into the types of actions that people take on our site (so-called page insights). For this purpose, LinkedIn processes in particular such data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page. With the page insights, LinkedIn does not provide us with any personal data about you. We only have access to the aggregated Page Insights. It is also not possible for us to draw conclusions about individual members via the information in the Page Insights. This processing of personal data in the context of the Page Insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our LinkedIn company page and to improve our company page based on these insights. The legal basis for this processing is Article 6(1)(f) DSGVO. We have entered into a joint controller agreement with LinkedIn, which sets out the distribution of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. Afterwards, the following applies:
- LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn to do so online via the following link (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or reach LinkedIn via the contact details in the Privacy Policy. You can contact the Data Protection Officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You may also contact us at our provided contact details about exercising your rights in connection with the processing of personal data in the context of the Page Insigts. Is this the case, we will forward your request to LinkedIn.
- LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see at www.dataprotection.ie) or any other supervisory authority.
Please note that according to the LinkedIn Privacy Policy, personal data is also processed by LinkedIn in the US or other third countries. LinkedIn transfers personal data only to countries for which an adequacy decision has been issued by the European Commission in accordance with Article 45 of the GDPR or on the basis of appropriate safeguards in accordance with Article 46 of the GDPR.
c. Twitter
For the processing of personal data when visiting our Twitter profile, Twitter Inc. (USA) is the sole responsible party. Further information about the processing of personal data by Twitter Inc. can be found at https://twitter.com/de/privacy.
d. XING
New Work SE (Germany/EU) is the sole responsible party for the processing of personal data when visiting our Xing profile. For more information about the processing of personal data by New Work SE, please visit https://privacy.xing.com/de/datenschutzerklaerung.
2. Comments and direct messages
We also process information that you have provided to us via our company page on the respective social media platform. Such information may be the username used, contact details or a message to us. These processing operations by us are carried out as the sole responsible party. We process this data on the basis of our legitimate interest in contacting inquiring persons. The legal basis for the data processing is Art. 6 para. 1 letter f DSGVO. Further data processing may take place if you have consented (Art. 6 para 1 letter a DSGVO) or if this is necessary for the fulfillment of a legal obligation (Art. 6 para 1 letter c DSGVO).
If you have provided us with the information because of participation in a sweepstake, we will only process it in order to be able to send you a prize, if applicable. After delivery of the prize or if you have not won, we will delete the data. The legal basis for the processing is Art. 6 para. 1 letter b DSGVO.
IV. Further data processing
1. Contact by e-mail
If you send us a message via the contact email provided, we will process the transmitted data for the purpose of responding to your inquiry.
We process this data based on our legitimate interest to get in touch with inquiring persons. The legal basis for the data processing is Art. 6 para. 1 letter f) DSGVO.
2. Contractual relationship
For the establishment or implementation of the contractual relationship with our customers, suppliers and business partners, the processing of personal data provided to us, such as the name and contact details of the respective contact person, is regularly required. The legal basis for this processing is Art. 6 (1) (f) DSGVO and we base this processing on our legitimate interest. Further data processing may take place if you have consented (Art. 6 para. 1 letter a) DSGVO) or if this serves the fulfillment of a legal obligation (Art. 6 para. 1 letter c) DSGVO).
3. Applications
If you apply to our company, we process your application data exclusively for purposes related to your interest in a current or future employment with us and the processing of your application. Your application will only be processed and noted by the relevant contacts at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you have provided for up to six months after any rejection for the purpose of answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence, or if you have expressly consented to longer storage. The legal basis for data processing is Section 26 (1) sentence 1 BDSG. If we store your applicant data for longer than six months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with Article 7 (3) DSGVO. Such revocation shall not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.