Architecture
matters

Data Privacy

PRIVACY NOTICE

CSMM GmbH is responsible for the processing of personal data. For certain data processing operations that only concern specific groups, the information requirements are fulfilled separately. For any queries regarding data protection, please write to: datenschutz@cs-mm.com.

Where the term "data" is used in the text, this always refers to personal data as defined in the General Data Protection Regulation (GDPR).

1. General

The rights listed below may be restricted by trade secrecy in accordance with Section 29 of the German Federal Data Protection Act 2017 (BDSG-2017) in conjunction with Art. 23 GDPR. Insofar as there is no conflict with trade secrecy, data subjects have the following rights:

1.1 You have the right to obtain information at any time about all personal data that we process concerning you.

1.2 If your personal data is incorrect or incomplete, you have the right to the rectification or completion of the data.

1.3 You may obtain the deletion of your personal data at any time, as long as we are not legally obligated or entitled to continue processing your data.

1.4 Where the statutory requirements are met, you may obtain the restriction of the processing of your personal data.

1.5 If the processing takes place based on a weighing of interests, you may object to the processing, specifying the reasons relating to your particular situation.

1.6 If the data processing takes place on the basis of your consent or in the context of a contract, you have the right to the transfer of the data you provided, provided that this does not adversely affect the rights and freedoms of others.

1.7 If we process your data on the basis of a declaration of consent, you have the right to withdraw this consent with future effect at any time. The processing carried out prior to this withdrawal of consent remains unaffected by said withdrawal.

1.8 You also have the right to lodge a complaint with a supervisory authority responsible for data protection at any time if you consider that data processing has taken place in violation of the applicable law.

2. Website visitors

2.1 This website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the site operator. You can recognise encrypted connections by the fact that the address line in the browser changes from "http://" to "https://" and the padlock symbol appears in your browser address line. When SSL encryption is enabled, the data that you send to us cannot be read by third parties.  You have the right to obtain information about your stored personal data, its origin, recipients and the purpose of the data processing free of charge, as well as the right to the rectification, blocking or deletion of this data, at any time. To exercise these rights, and if you have any other questions concerning personal data, you can contact us at any time at datenschutz@cs-mm.com or via the contact details provided in the imprint.

2.2 Server log data. For every query, our web server processes a range of data that your browser automatically sends to our web server. This data includes the IP address currently assigned to your device, the date and time of the query, the time zone, the specific page or file called up, the http status code and the data volume transferred; additionally, the website that your query comes from, the browser used, the operating system of your end device and the language set. The web server uses this data to display the content of this website on your device in the optimum manner.

2.3 Analysis of usage behaviour.

On this website, data is gathered and stored using the web analysis service software Matomo (www.matomo.org), a service provided by InnoCraft Ltd.,150 Willis St, 6011 Wellington, New Zealand (“Matomo”) on the basis of our legitimate interest in the statistical analysis of user behaviour for the purposes of optimisation and marketing pursuant to Art. 6 (1)(f) GDPR. For the same purpose, this data can be used to create and evaluate pseudonymised usage profiles. Cookies can be used for this purpose. Cookies are small text files stored locally in the cache of the site visitor's internet browser. Amongst other things, the cookies allow the internet browser to be recognised. The data gathered with the Matomo technology (including your pseudonymised IP address) is processed on our servers.

The information generated by the cookie in the pseudonymised user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym.

If you do not agree with the storage and evaluation of this data from your visit, then you can object to its storage and usage at any time at the click of your mouse. In this case, an opt-out cookie will be stored on your browser, which means that Matomo does not hold any session data. Please note that fully deleting your cookies means that the opt-out cookie will also be deleted and you may need to reactivate it.

2.4 The purpose of data processing is to present CSMM and its offers online and to interact with communication partners. The purpose of analysing user behaviour on the website is to ensure that the website is designed in accordance with requirements. There are no plans to change these purposes.

2.5 The legal basis for the processing is Art. 6(1)(f) GDPR.

2.6 Log and communication data is not passed on to third parties except in special circumstances. In the event of a suspected criminal offence or during preliminary investigations, data may be passed on to the police and the public prosecutor's office. We also use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.

2.7 IP addresses are anonymised within 24 hours at the latest. Pseudonymous usage data is deleted after six months in each case. Queries and communications are automatically deleted after ten calendar years.

2.8 It is also possible to use the website if you have objected to the pseudonymous usage analysis. It is not possible to communicate via the website without entering data.

2.9 Our website uses plugins from the video platform Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA.  The Vimeo privacy policy is available here: https://vimeo.com/privacy. Our website also uses plugins from YouTube, a Google-operated site. The operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. The privacy policy is available here: https://policies.google.com/privacy?hl=en. When you visit one of our pages featuring a YouTube plugin, a connection is established with the YouTube server. Via this connection, the YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you allow YouTube to link your surfing behaviour directly to your personal profile. You can prevent this from happening by logging out of your YouTube account. Further information on the handling of user data can be found in the YouTube privacy policy at: https://policies.google.com/privacy?hl=en. If you do not want YouTube to be able to link the visit to our website to your YouTube user account, please log out of your YouTube user account.

3. Clients and their employees

3.1 We process your data for the purposes of establishing and executing the business relationship and in order to fulfil legal requirements. We also process your data in order to inform you about any current legal developments, company news and events. There are no plans to change these purposes.

3.2 The legal basis for the processing in the case of business relationships with natural persons is Art. 6(1)(b) GDPR (preparation and performance of the contract), in the case of contracts with legal persons is Art. 6(1)(f) GDPR (legitimate interest, specifically communication with business-related contacts) and, in all cases, is Art. 6(1)(c) GDPR (legal obligations, in particular regulations under tax and commercial law). When assessing, asserting or rejecting claims, the legal basis is Art. 6(1)(f) GDPR (legitimate interest, specifically asserting claims or defending against claims). The legal basis for the processing of data for the purposes of providing information and invitations via email is Art. 6(1)(f) GDPR (legitimate interest, specifically providing information about topical issues and invitations to events).

3.3 Recipients of data may include banks for the purposes of processing payments. Authorities and administrative bodies may be recipients within the scope of their duties to the extent that we are obligated or entitled to transmit data. This applies to courts in particular. We also use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.

3.4 All contract and booking-related data is stored in accordance with the applicable retention periods under tax and commercial law for a period of ten calendar years following the end of the business concerned. Legal titles are stored for 30 years, unless the enforceable claim is settled earlier. Queries and other communications are automatically deleted after ten calendar years.

3.5 The provision of data is legally and contractually obligatory for business partners and employees of business partners. If data is not provided, the business relationship cannot be established and executed. The provision of data is required for interested parties and communication partners. If data is not provided, no communication is possible.

4. Involved parties and their employees

4.1 In the context of business relationships and for the purposes of executing the business relationship and performing our clients' contracts in accordance with the contract, we also process the data of involved parties and their employees (e.g. contractual partners, subcontractors, third-party providers, authorities, administrative bodies, authorised experts etc.).

4.2 The legal basis for the processing of the data of involved parties and their employees is Art. 6(1)(f) GDPR (legitimate interest, specifically our client's interest in the contractual performance of its contract) and/or Art. 6(1)(c) GDPR (legal obligation).

4.3 Recipients of data may include any parties involved in the specific business relationship, in particular contractual partners, subcontractors, third-party providers, authorities, administrative bodies, authorised experts and other involved parties. We use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.

4.4 All business relationship-related data is deleted ten calendar years following the end of the business relationship.

4.5 The provision of data is required for involved parties and their employees. If data is not provided, it is not possible to process the business relationships or represent the client.

5. Business partners and their employees

5.1 We process your data for the purposes of establishing and executing the contractual relationship and in order to fulfil legal requirements. There are no plans to change these purposes.
5.2 The legal basis for the processing in the case of contracts with natural persons is Art. 6(1)(b) GDPR (preparation and performance of the contract), in the case of contracts with legal persons is Art. 6(1)(f) GDPR (legitimate interest, specifically communication with contract-related contacts) and, in all cases, is Art. 6(1)(c) GDPR (legal obligations, in particular regulations under tax and commercial law). When assessing, asserting or rejecting claims, the legal basis is Art. 6(1)(f) GDPR (legitimate interest, specifically asserting claims or defending against claims).
5.3 Recipients of data may include banks for the purposes of processing payments. Authorities and administrative bodies may be recipients within the scope of their duties to the extent that we are obligated or entitled to transmit data. Furthermore, data may be transmitted to debt collection service providers, lawyers and courts in individual cases. We also use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.
5.4 All contract and booking-related data is stored in accordance with the applicable retention periods under tax and commercial law for a period of ten calendar years following the end of the contract. Queries and communications are automatically deleted after ten calendar years.
5.5 The provision of data is legally and contractually obligatory for business partners and employees of business partners. If data is not provided, the business relationship cannot be established and executed. The provision of data is required for interested parties and communication partners. If data is not provided, no communication is possible.

6. Newsletter recipients, invitees and participants at events

6.1 We process your data for the purposes of sending the newsletter, inviting you to events and holding the event. There are no plans to change these purposes.

6.2 The legal basis for the processing of data for newsletters and invitations is Art. 6(1)(f) GDPR (legitimate interest, specifically communication with clients) if you are a client or the contact person of a client; otherwise, the legal basis is your consent (Art. 6(1)(a) GDPR). If you have signed up to an event, the legal basis is Art. 6(1)(b) GDPR (contract for the execution of the event) and Art. 6(1)(c) GDPR (legal obligations, in particular regulations under tax and commercial law).

6.3 We use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.

6.4 All contract and booking-related data is stored in accordance with the applicable retention periods under tax and commercial law for a period of ten calendar years following the end of the contract. Data for newsletters is deleted upon unsubscription from the newsletter.

6.5 The provision of data is contractually obligatory in order to receive newsletters and invitations and for participation in events. If data is not provided, newsletters and invitations cannot be sent and it is not possible to participate in events.

7. Interested parties and communication partners

7.1 We process the data of interested parties and communication partners outside of business relationships for the purpose of communicating with the data subjects. There are no plans to change these purposes.

7.2 The legal basis for the processing of data of interested parties and other communication partners is Art. 6(1)(f) GDPR (legitimate interest, specifically communication with interested parties and communication partners).

7.3 We use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.

7.4 Queries and communications are automatically deleted after ten calendar years.

7.5 The provision of data is required for interested parties and communication partners. If data is not provided, no communication is possible.

8. Applicants for employment

8.1 The purpose of data processing is to select applicants for employment. There are no plans to change this purpose.

8.2 The legal basis is Section 26 BDSG (2017) in conjunction with Art. 6(1)(b) (initiating the employment contract) and Art. 88 GDPR. We process data provided voluntarily in the context of your application on the basis of Section 26(2) BDSG (2017) in conjunction with Art. 6(1)(a) (consent) and Art. 88 GDPR.

8.3 Applicant data is forwarded internally to the partners and employees that are responsible and that make the relevant decisions. We use service providers by means of commissioned processing for the provision of services, in particular for the provision and maintenance of IT systems.

8.4 Applicant data is deleted six months following the end of the specific application process. If interest has been expressed in other positions, the data is retained for up to 12 months following the last job opening or the last specific expression of interest.

8.5 The provision of data is required for applicants. If data is not provided, it is not possible to submit an application.

As at: 25 May 2018