Data Protection Declaration
Policy version: May 2018
Controller’s name and address
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection regulations is the entity indicated in the site notice.
Data Protection Officer’s contact details
Basic information on the processing of personal data
We only collect and process our users’ personal data if this is necessary to provide a functional website as well as our company’s services. Processing will only take place with your consent or if a legal regulation requires or allows us to undertake such processing.
In this connection, your personal data’s security has a high priority for us. We therefore protect your data through technical and organisational measures to prevent misuse. We regularly review the measures taken and adapt these to current technical conditions. We also ensure all our staff are bound to observe confidentiality in accordance with Article 28 GDPR.
Purposes of and legal basis for the processing, transfer to third parties and abroad
We process your data for the following purposes:
- Fulfilment of new or existing contractual relationships or for the implementation of pre-contractual measures, e.g. the preparation of offers;
- Dispatch of marketing information;
- Processing of inquiries, e.g. as part of our core activity or for applications;
- Provision of telemedia, e.g. our website or e-mail;
In this connection, we process the data on the legal basis of Article 6(1) GDPR:
- Article 6(1)(a) GDPR: Processing operations based on your consent
- Article 6(1)(b) GDPR: Processing procedures for the performance of a contract or the implementation of pre-contractual measures, e.g. a purchase or service contract or the solicitation of an offer
- Article 6(1)(c) GDPR: Processing operations which we are legally obliged to undertake, e.g. storage for tax reasons
- Article 6(1)(f) GDPR: Processing operations we undertake on the basis of our legitimate interests, e.g. the transfer of your data to postal service providers for the purpose of sending mail or to a tax consultant. This also includes storing information about website usage for the purpose of optimizing our website.
The transfer of your data to third parties is also based on the legal bases listed above, and your data will only be transferred within the scope of a processing agreement or if other confidentiality obligations exist. This includes persons subject to a duty of professional secrecy or shipping carriers. If data is transferred to third countries outside the European Economic Area, there shall be a corresponding adequacy decision pursuant to Article 45 GDPR for the respective third country (e.g. for Switzerland), or the recipient shall have put in place the corresponding safeguards pursuant to Article 46 GDPR, e.g. certification under the Privacy Shield for companies in the USA.
Duration of storage, erasure of personal data
Personal data will only be processed and stored for the period necessary to fulfil the processing purposes. Following the purpose’s fulfilment, we will erase or block your data, provided that we are no longer subject to any legal storage obligation.
Data transfer to third parties
MC² Europe GmbH can transfer personal data to the following third parties:
- Public authorities in the event of overriding legal provisions;
- Other companies within the MCH Group;
- MCH Group agencies abroad;
- internally for purposes of internal communication, support, administration and billing;
- MC² Europe GmbH’s data processor;
- Service partners for accompanying services, if the data subject requests corresponding services from MC² Europe GmbH.
Collection of access data and log files
We collect access data (log files) about each server access on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. This includes the name of the accessed website, date and time of access, transferred file and data volume, notification of successful or unsuccessful access, browser type and version, the operating system, referrer URL (the previously visited page) and your IP address.
Log files are collected for security reasons (e.g. to investigate criminal offences), are stored for a period of 7 days and subsequently deleted. If data are still required for evidence purposes, they will be excluded from erasure until the respective incident has been finally cleared up.
To guarantee a fast and stable connection, we have outsourced hosting to an external service provider. This provider will process the above-mentioned log data according to our specifications. Data is transferred on the basis of our legitimate interest pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR.
Cookies are text files that are stored by the internet browser on the user's computer system. Cookies will be stored in the data subject’s browser memory when this website is accessed.
You can prevent the storage of cookies in the browser, but the site may then only function to a limited extent. Instead, it makes more sense to set the browser to delete all cookies after the end of the respective browser session, which works on our site without restriction and prevents recognition at the next visit with all positive and negative consequences for you.
We use technical cookies because this is technically necessary for the operation of the service offered in accordance with Article 6(1)(f) GDPR, i.e. to protect our legitimate interest.
Technical cookies are used to recognize a user when the website is called up again and thus, for example, to save language settings made, a shopping basket or suchlike beyond a browsing session.
In addition, we use tracking cookies to compile statistical information about how our website is used. The legal basis for this is also for the purposes of our legitimate interests in accordance with Article 6(1)(f) GDPR. Tracking cookies also include
Google is certified in accordance with the Privacy Shield agreement and therefore guarantees compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). We have concluded the required data protection agreement with Google in writing: see also www.google.com/analytics/terms/us.html
In order to track site visitors and website conversions, our website uses Facebook pixels from Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook").
This allows the behaviour of site visitors after they have been redirected to the provider's website by clicking on a Facebook ad to be tracked. As a result, the effectiveness of Facebook advertisements can be evaluated for statistical and market research purposes and future advertising measures optimised.
The data collected are anonymous to us, the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data are stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, according to Facebook's Data Policy: https://www.facebook.com/about/privacy. As a result, Facebook can enable ads to be displayed on and outside of Facebook. We, the site operator, have no influence over this use of the data.
The use of Facebook pixels is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in effective advertising including social media.
You can also disable the remarketing Custom Audiences feature in the ad settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. In order to do so, you have to be logged into Facebook.
If you do not have a Facebook account, you can opt out of Facebook-based advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.
When contact is made (e.g. via the contact form, e-mail, telephone or social networks), the user's personal data will be processed to handle the contact request in accordance with Art. 6(1)(b) GDPR, i.e. to fulfil a contract or implement pre-contractual measures. Your data may be transferred to a customer management program (CRM system) for this purpose. Please note that we are required to archive e-mails in accordance with the German GoBD [Principles for the Proper Maintenance and Keeping of Books, Records and Documents in Electronic Form and for Data Access], and e-mails sent to us can therefore not be completely deleted (from our archive system).
No automated decision-making
MC² Europe GmbH shall refrain from automatic decision-making within the meaning of Article 22 GDPR.
Notice on the rights of data subjects
If we process your personal data, you are the data subject within the meaning of the GDPR, and you have the following rights with respect to the controller:
Right to information and data portability
You have the right to request information about your stored personal data.
You have the right to receive the requested data in a commonly used and machine readable format.
Right to rectification
You have the right to obtain immediate rectification of any inaccurate personal data concerning you from the controller. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.
Right to restriction of processing
You can request the restriction of the processing of personal data concerning you where one of the following conditions applies:
1) The data subject has contested the personal data’s accuracy for a period enabling the controller to verify the personal data’s accuracy;
2) The processing is unlawful, and the data subject opposes the personal data’s erasure and requests the restriction of the personal data’s use instead;
3) The controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the establishment, exercise or defence of legal claims, or if
4) the data subject has lodged an objection to the processing, as long as it has not been established whether the controller's justified grounds outweigh those of the data subject.
If processing has been restricted, such personal data shall only be processed - apart from being stored - with the data subject’s consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural person or legal entity or on grounds of an important public interest of the Union or a Member State. We will notify you before the restriction is lifted.
Right to erasure
You can request the erasure of personal data concerning you where one of the following conditions applies:
1) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2) The data subject withdraws their consent and there is no other legal ground for the processing;
3) The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
4) The personal data was processed illegally;
5) The personal data erasure is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject;
6) The personal data was collected in relation to the use of web services.
Right to withdraw a declaration of consent
You have the right to withdraw consent to the processing of personal data at any time. In the event of withdrawal, the lawfulness of the processing carried out on the basis of the consent until the withdrawal shall not be affected.
Right to information
If you have exercised your right to rectification, erasure or restriction of processing, we shall also notify all recipients to whom this data has been transferred of this fact, unless this involves a disproportionate effort or is impossible.
Right to object
You also have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you. This also applies to a profiling based on these provisions. In the event of an objection, the controller shall no longer process personal data unless it can prove compelling reasons worthy of protection for the processing that override the data subject’s interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising. This also applies to profiling, if it is associated with such direct marketing.
Automated decisions in individual cases including profiling
You have the right not to be subject to a decision based exclusively on automated processing - including profiling - which produces legal effects concerning you or similarly affects you significantly. This does not apply if the decision:
1) is necessary for the conclusion or performance of a contract between you and the data controller;
2) is permitted by Union law or the law of the Member States to which the data controller is subject and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests; or
3) is made with your express consent.
Decisions under paragraph 2 may not be based on special categories of personal data pursuant to Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies, and appropriate measures have been taken to protect the data subject’s rights, freedoms and legitimate interests.
With respect to the cases described in (1) and (3), the controller shall implement suitable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the controller’s part, to express your point of view and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Collection of personal data
If you do not provide us with the personal data we require for contractual purposes, this failure to provide data shall not generally mean that the contract cannot be concluded. In individual cases we can advise you whether the provision of personal data is legally obligatory or contractually prescribed, and what consequences the failure to provide personal data would have in individual cases.