Privacy Policy
1. Introduction
With the following information, we aim to provide you as a "data subject" with an overview of how we process your personal data and your rights under data protection laws. Using our website is generally possible without providing personal data. However, if you want to use specific services of our company via our website, the processing of personal data may become necessary. If such processing of personal data is required and there is no legal basis for such processing, we generally obtain your consent.
The processing of personal data, such as your name, address, or email address, is always conducted in compliance with the General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to “Cronbach GmbH.” Through this privacy policy, we inform you about the scope and purpose of the personal data we collect, use, and process.
We have implemented numerous technical and organizational measures as the data controller to ensure the most complete protection of personal data processed through this website. However, internet-based data transmissions may generally have security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, you are free to transfer personal data to us via alternative means, such as by telephone or mail.
You can also take simple and easy-to-implement measures to protect yourself against unauthorized access by third parties to your data. Therefore, we would like to provide you with some tips on how to securely handle your data:
- Protect your account (login, user, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with secure passwords.
- Only you should have access to your passwords.
- Ensure that you only use your passwords for one account (login, user, or customer account).
- Do not use the same password for multiple websites, applications, or online services.
- Especially when using publicly accessible or shared IT systems, always log out of a website, application, or online service after using it.
- Passwords should consist of at least 12 characters and should not be easy to guess. Avoid using common everyday words, your name, or the names of relatives; instead, use uppercase and lowercase letters, numbers, and special characters.
2. Controller
The controller as defined by the GDPR is:
Cronbach GmbH
Spitalerstr. 16, 20095 Hamburg, Germany
Email: hello@cronbach.co
Representatives of the controller: Stefan Sindram & Prof. Dr. Joost van Treeck
3. Data Protection Officer
You can reach our Data Protection Officer at:
Dr. Frank Eickmeier
Phone: +49.40.414000-34
Fax: +49.40.414000-41
Email: eickmeier@unverzagtvonhave.com
For all questions and suggestions regarding data protection, feel free to contact our Data Protection Officer directly.
4. Definitions
This privacy policy is based on the terminology used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy should be both easy to read and understand for the public, as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.
We use the following terms in this privacy policy:
- Personal Data
Personal data refers to any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller.
- Processing
Processing is any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
- Restriction of Processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
- Profiling
Profiling refers to any automated processing of personal data aimed at evaluating personal aspects related to a natural person, particularly to analyze or predict aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Pseudonymization
Pseudonymization involves processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures ensuring that the personal data cannot be attributed to an identified or identifiable natural person.
- Processor
A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
- Recipient
A recipient is a natural or legal person, public authority, agency, or another body to which personal data is disclosed, whether a third party or not. Authorities that may receive personal data in the context of a particular inquiry in accordance with Union or Member State law are not considered recipients.
- Third Party
A third party is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process personal data under the direct authority of the controller or processor.
- Consent
Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
5. Legal Basis for Processing
Article 6(1)(a) GDPR (in conjunction with Section 25(1) TTDSG) serves as the legal basis for processing operations in our company where we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which you are a party, such as processing operations required for the delivery of goods or the provision of another service or consideration, the processing is based on Article 6(1)(b) GDPR. The same applies to processing operations necessary for carrying out pre-contractual measures, for example, in cases of inquiries about our products or services.
If our company is subject to a legal obligation that necessitates the processing of personal data, such as compliance with tax obligations, the processing is based on Article 6(1)(c) GDPR.
In rare cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural person. This would be the case, for instance, if a visitor were injured on our premises and their name, age, health insurance details, or other vital information needed to be shared with a doctor, hospital, or other third parties. In this case, processing would be based on Article 6(1)(d) GDPR.
Finally, processing operations may be based on Article 6(1)(f) GDPR. This legal basis applies to processing operations not covered by any of the aforementioned legal bases if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override this interest. Such processing operations are particularly permitted because they have been specifically recognized by the European legislator. The legislator considered that a legitimate interest might be assumed if you are a customer of our company (Recital 47, Sentence 2 GDPR).
6. Data Sharing with Third Parties
Your personal data is only shared with third parties for the following purposes:
- If you have given explicit consent according to Article 6(1)(a) GDPR.
- If the disclosure is necessary to assert, exercise, or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data, as per Article 6(1)(f) GDPR.
- If there is a legal obligation for the disclosure according to Article 6(1)(c) GDPR.
- If it is legally permissible and required for the execution of contractual relationships with you under Article 6(1)(b) GDPR.
To protect your data during its potential transfer to third countries (outside the EU/EEA), we have concluded data processing agreements based on the European Commission’s standard contractual clauses. Where these are insufficient to ensure an adequate security level, your consent under Article 49(1)(a) GDPR may serve as the legal basis for data transfer.
7. Technology
7.1 SSL/TLS Encryption
Our site uses SSL or TLS encryption to protect the transmission of confidential content, such as orders, login details, or inquiries you send us as the site operator. You can identify an encrypted connection by the browser’s address bar showing "https://" and a lock icon.
This technology ensures that the data you transmit remains secure.
7.2 Data Collection on Website Visits
When you use our website for informational purposes only (i.e., without registering or transmitting information to us), we only collect data that your browser sends to our server ("server log files"). This includes:
- Browser types and versions used.
- Operating system of the accessing device.
- The referring website.
- Subpages visited on our website.
- Date and time of access.
- Anonymized IP address.
- Internet service provider of the accessing system.
These data are required for:
- Correct delivery of website content.
- Optimization of our content and advertising.
- Maintaining our IT systems’ functionality.
- Providing information to law enforcement authorities in the event of cyberattacks.
These server log files are processed based on Article 6(1)(f) GDPR, reflecting our legitimate interest in operating a secure and optimized website.
7.3 Hosting by Host Europe
Our website is hosted by Host Europe GmbH, Hansestr. 111, 51149 Cologne, Germany. Personal data (e.g., IP addresses in log files) is processed on their servers.
We use Host Europe under Article 6(1)(f) GDPR, based on our legitimate interest in secure and efficient website hosting. A data processing agreement under Article 28 GDPR is in place.
8. Cookies
8.1 General Information
Cookies are small files stored on your device when you visit our website. They store data specific to your device and interactions with our site. Cookies help enhance usability and optimize functionality.
We use:
- Session Cookies: Automatically deleted when you leave our site.
- Temporary Cookies: Store user preferences for future visits.
- Analytics Cookies: Gather data on site usage to improve our offerings.
8.2 Legal Basis for Cookies
Cookies necessary for the website’s functionality are processed under Article 6(1)(f) GDPR. Other cookies are processed based on your consent (Article 6(1)(a) GDPR), which can be managed through our cookie banner.
8.3 Managing Cookies
You can manage or delete cookies via your browser settings. Instructions for common browsers are available:
8.4 Complianz GDPR/CCPA
We use Complianz GDPR/CCPA for managing cookie consent. Complianz stores the following data:
- Browser details.
- Date and time of consent.
- Device information.
Details on Complianz can be found at Complianz.io.
9. Website Content
9.1 Contact Forms
When contacting us via form or email, your data is used solely to process your inquiry under Article 6(1)(f) GDPR. If it relates to a contract, processing is also based on Article 6(1)(b) GDPR.
9.2 Job Applications
Personal data submitted during applications are processed to handle recruitment procedures under Article 88 GDPR in conjunction with Section 26 BDSG. If no contract is established, data are deleted after two months unless legal claims (e.g., under AGG) necessitate retention.
10. Social Media Activities
We maintain profiles on social networks to communicate and inform users. Data processing occurs under Article 26 GDPR (joint controllership) and follows the respective platform’s privacy policies:
- LinkedIn: Privacy Policy.
11. Web Analytics
We use "WordPress Stats" by Jetpack to evaluate site usage. Data is processed on servers in the U.S., and IP addresses are anonymized. Consent is required (Article 6(1)(a) GDPR). Details: Jetpack Privacy Policy.
12. Plugins and Services
12.1 Google Maps
We use Google Maps for interactive maps. Data processing is based on your consent (Article 6(1)(a) GDPR). Privacy details: Google Privacy Policy.
12.2 Google WebFonts
We use Google WebFonts for consistent text display. Data is transmitted to Google servers with consent (Article 6(1)(a) GDPR).
12.3 YouTube Videos
Embedded YouTube videos are used with user consent (Article 6(1)(a) GDPR). Privacy policy: YouTube Privacy Policy.
13. Your Rights
13.1 Right to Access (Art. 15 GDPR)
13.2 Right to Rectification (Art. 16 GDPR)
13.3 Right to Erasure (Art. 17 GDPR)
13.4 Right to Restriction (Art. 18 GDPR)
13.5 Right to Data Portability (Art. 20 GDPR)
13.6 Right to Object (Art. 21 GDPR)
13.7 Right to Withdraw Consent
13.8 Right to Complain
14. Storage and Deletion
Personal data is stored only as long as necessary for its purpose or as required by law.
15. Duration of Storage
Retention depends on legal requirements. Data is deleted after fulfillment or expiration of the specified period.
16. Updates
This privacy policy is valid as of May 2023. Updates may be made as required by legal or operational changes.
Due to the further development of our websites and services or as a result of changes in legal or regulatory requirements, it may become necessary to update this Privacy Policy. The current version of the Privacy Policy can be accessed and printed at any time on our website at https://www.cronbach.co/datenschutzerklaerung.