Name/Company: ZST Security Service Consulting and Technology GmbH
Street, No.: Bahnhofstrasse 62
Post code, place, country: 24582 Bordesholm, Germany
Commercial Register/No.: Kiel Local Court HRB 7218 KI
Managing Directors: Etsuko Zander, Thorsten Steubesand
Telephone: +49 (0) 4322 / 44 898-0
E-mail address: info(at)zst-security.com
Data Protection Officer:
Dachauer Str. 65
DE 80335 Munich
Telephone: +49 (0) 89 997 408640
E-mail address: info(at)dataco-germany.com
Version as at: 18 May 2018
1. Basic information on data processing and legal framework
1.1. This Data Privacy Statement clarifies the nature, scope and purpose of the processing of personal data within our online offering and related websites, features and content (hereinafter collectively referred to as "Online Offering" or "Website"). The Data Privacy Statement applies regardless of the domain, system, platform and device (such as desktop or mobile) on which the Online Offering is being run.
1.2. The terms used, such as "personal data" or "processing", are based on the definitions in Article 4 of the EU General Data Protection Regulation (GDPR).
1.3. The personal data of users processed in the context of this Online Offering include usage data (such as the pages visited on our Website, interest in our products) and content data (such as entries using the contact form).
1.4. The term "User" covers all categories of data subjects affected by data processing. These include our business partners, customers, interested parties and other visitors to our Online Offering.
1.5. We process the personal data of users only in compliance with the relevant data protection regulations. This means that users' data will only be processed if there is legal permission to do so. That is, especially if the data processing is required for the provision of our contractual services (i.e. the processing of orders) or Online Services, or is required by law, a consent of the user exists or if processing is necessary for the purposes of our legitimate interests within the meaning of Article 6(1)(f) GDPR (i.e. interest in the analysis, optimisation and economic operation and security of our Online Offering), in particular related to the measurement of reach, the creation of profiles for advertising and marketing purposes as well as collection of access data and use of third-party services.
1.6. Please note that the legal basis for your consent is Article 6(1)(a) and Article 7 GDPR, the legal basis for the processing for the performance of our services and the performance of contractual measures is Article 6(1)(b) GDPR, the legal basis for processing in order to comply with our legal obligations is Article 6(1)(c) GDPR, and the legal basis for processing in order to safeguard our legitimate interests is Article 6(1)(f) GDPR.
2. Security measures
2.1. We take state-of-the-art organisational, contractual and technical security measures to ensure that the provisions of data protection laws are adhered to and in order to protect the data we process from accidental or intentional manipulation, loss, destruction or access by unauthorised persons.
2.2. One of these security measures is the encrypted transfer of data between your browser and our server.
3. Transfer of data to third parties and third-party providers
3.1. All transfer of data to third parties takes place only within the scope of legal requirements. We will transfer user data to third parties only, for example, if it is required for contractual purposes on the basis of Article 6(1)(b) GDPR or based on legitimate interests for the economical and effective conduct of our business operations in accordance with Article 6(1)(f) GDPR.
3.2. If we use subcontractors to provide our services, we will take appropriate legal precautions and appropriate technical and organisational measures to protect personal data in accordance with applicable law.
3.3. If, within the framework of this Data Privacy Statement, any content, tools or other means provided by other providers (collectively referred to as "third-party providers") are used, and the registered office stated is located in a third country, it must be assumed that data will be transferred to the country where the third-party provider has its registered office. Third countries are countries in which the GDPR is not directly applicable law, essentially any country outside the European Union or the European Economic Area. The transfer of data to third countries takes place when there is an adequate level of data protection, user consent or other legal authorisation.
4. Provision of contractual services
4.1. We process inventory data (names and addresses as well as the contact information of users) and contract data (e.g. services used, names of contacts, billing information) for the purpose of fulfilling our contractual obligations and services in accordance with Article 6(1)(b) GDPR.
4.2. The IP address and the time of the relevant intervention by the user are stored in the course of registration and renewed registration and during the use of our online services. Storage is based on our legitimate interests as well as those of the users in protecting the data against misuse and other unauthorised use. This data shall not be transferred to third parties except if it is necessary for the purpose of pursuing our claims or there is a statutory obligation to do so pursuant to Art. 6(1)(c) GDPR.
5.1. When contacting us (via contact form or e-mail), the information provided by the user is processed in order to deal with the contact request and its handling in accordance with Art. 6(1)(b) GDPR.
5.2. Users' information can be stored in our customer relationship management system ("CRM System") or similar systems to organise enquiries.
5.3. We use the CRM System "Helpdesk" (provided by Help Scout Inc., 131 Tremont St, Boston, MA 02111-1338, USA) based on our legitimate interests (efficient and rapid processing of user enquiries). We have therefore signed a contract containing so-called standard contract clauses in which Help Scout undertakes to process user data only in accordance with our instructions and in compliance with the EU data protection level. Help Scout is also certified under the Privacy Shield Framework, thereby providing an additional warranty of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000KzX1AAK&status=Active).
6. Collection of access data and log files
6.1. Based on our legitimate interests within the meaning of Art. 6(1)(f) GDPR, we collect data on every access to the server on which this service is located (so-called server log files). These access data include the name of the retrieved web page, the file, the date and time of retrieval, amount of data transferred, the message about successful retrieval, browser type and version, the user's operating system, the referrer URL (the previously visited page), IP address and the requesting provider.
6.2. Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of seven days and then deleted. Data whose further retention is required for evidential purposes shall be exempted from this deletion until final clarification of the incident.
7. Cookies and reach measurement
7.1. The term “cookies” refers to information transmitted from our web server or third-party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other forms of information storage.
7.2. We use "session cookies" that are only stored for the duration of the current visit to our online presence (for example, to enable the storage of your login status or the shopping cart function and thus the use of our online offer at all). A session cookie stores a randomly generated unique identification number, a so-called session ID. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies will be deleted if you have finished using our Online Offer and you log out or close the browser.
7.4. If users do not want cookies stored on their computer, they are asked to disable the option in their browser's system settings. Stored cookies can be deleted from the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this Online Offer.
8. Google Analytics
8.2. Google is certified under the Privacy Shield Framework and consequently warrants that it complies with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
8.3. Google shall use this information on our behalf in order to analyse the use of our Online Offering by users, compile reports on the activities within this Online Offering and provide us with further services associated with use of this Online Offering and the Internet. As part of this procedure, pseudonymised profiles of users may be created from the data that is processed.
8.4. We use Google Analytics so that the ads placed in advertising services of Google and its partners are shown only to users who have also displayed an interest in our online content or who have the specified characteristics (e.g. interests in specific topics or products which are determined using the websites visited) which we transmit to Google (known as "remarketing audiences", or "Google Analytics audiences"). By using the remarketing audiences we also wish to ensure that our ads align with the potential interest of the users and do not annoy them.
8.5. We use Google Analytics only with activated IP anonymisation. This means that users' IP addresses will be truncated by Google within Member States of the European Union or in other states which are signatories to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there.
8.6. The IP address transmitted from the user's browser is not combined with other data held by Google. Users can prevent the cookies from being stored by making a corresponding adjustment to the setting of their browser software; users can also stop Google from collecting the data which is generated by the cookie and is related to the users' use of the Online Offering and can stop Google from processing that data by downloading and installing the browser plugin which is available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
9.1. Based on our legitimate interests (i.e. our interest in the analysis, optimisation and economically viable operation of our Online offering within the meaning of Art. 6(1)(f) GDPR) we use the marketing and remarketing services (hereafter: "Google Marketing Services") of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").
9.2. Google is certified under the Privacy Shield Framework and consequently warrants that it complies with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
9.3. Google Marketing Services allows us to show ads for and on our website in a more targeted way so that we can present users only with ads which potentially align with their interests. If a user, for example, is shown ads for products in which he has shown an interest on other websites, this is called "remarketing". In order to do this, when our websites or those of others on which Google Marketing Services are active are visited, Google immediately runs a Google code and so-called (re)marketing tags (invisible graphics or code, also known as "web beacons") are embedded in the website. They are used to store an individual cookie, i.e. a small file, on the user's device (similar technologies can also be used instead of cookies). The cookies may be placed by various domains including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The file notes the websites visited by the user, the content in which the user is interested, and the offers the user has clicked on, as well as technical information about the browser and operating system, referring websites, the time spent on the site and other information about use of the online offering. The user's IP address is also recorded, although we notify within the framework of Google Analytics that the IP address is truncated within Member States of the European Union or in other states which are signatories to the Agreement on the European Economic Area and is only in exceptional cases sent in its full form to a Google server in the USA and truncated there. The IP address will not be combined with data of the user within other Google offers. The aforementioned information may also be combined by Google with such information from other sources. If the user then visits other websites, ads which are targeted to the user according to their interests can be displayed.
9.4. The users' data is processed in pseudonymised form in Google Marketing Services. This means that Google stores and processes, for example, not the name or e-mail address of the users but processes the relevant data generated by the cookie within pseudonymous user profiles. Therefore, from Google’s perspective, the ads are not managed and shown for someone who is specifically identified but for the cookie owner, regardless of who that cookie owner is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. The information collected by Google Marketing Services about the users is transmitted to Google and stored on Google's servers in the USA.
9.5. The Google Marketing Services used by us include the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "Conversion Cookie". This prevents cookies from being tracked through the websites of AdWords customers. The information obtained by means of the cookie is used to prepare conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers learn the total number of users who have clicked on their ad and who have been taken to a page that has a conversion tracking tag. However, they receive no information through which users can be personally identified.
9.7. If you wish to object to interest-targeted advertising by Google Marketing Services you can use the setting and opt-out options provided by Google: http://www.google.com/ads/preferences.
10. Integration of services and content by third parties
10.1. Within our Online Offering, based on our legitimate interests within the meaning of Art. 6(1)(f) GDPR (that is, our interest in the analysis, optimisation and economical operation of our Online Offering), we use content or service offers from third party providers in order to integrate their content and services, such as videos or fonts (collectively referred to hereafter as "Content"). This always presupposes that the third-party providers of this Content perceive the IP address of the users, since they could not send the content to their browsers without the IP address. The IP address is therefore required for the presentation of this Content. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the Content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include, but is not limited to, technical information about the browser and operating system, referring web sites, the time of the visit, and other information regarding the use of our Online Offering.
10.2. The following presentation provides an overview of third-party providers as well as their Content, including links to their data privacy statements, which contain further information on the processing of data and the option of objecting to their use (so-called opt-out), as already mentioned here earlier in part:
11. Rights of users
11.1. Users have the right, upon request, to receive information free of charge about the personal data that we have stored about them.
11.2. Users additionally have the right to correct inaccurate data, limit the processing and request deletion of their personal data, if applicable, assert their rights to data portability and, in the event of unlawful processing, file a complaint with the appropriate regulatory authority.
11.3. Users may revoke consent, generally with effect for the future.
12. Deletion of data
12.1. The data stored with us are deleted as soon as they are no longer necessary for their purpose and the deletion does not conflict with any statutory storage requirements. If the users' data are not deleted because they are required for other and legally permitted purposes, their processing will be restricted. That is, the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be retained for reasons under trade or tax law.
12.2. According to legal requirements, data must be stored for 6 years in accordance with Section 257 (1) of the German Commercial Code (HGB) (trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents, etc.) and for 10 years pursuant to Section 147(1) of the German Fiscal Code (AO) (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).
13. Right of objection
13.1. Users may object to the processing of their personal data in accordance with legal requirements at any time. The objection may in particular be made against processing for direct marketing purposes.
14. Amendments to this Data Privacy Statement
14.1. We reserve the right to amend this Data Privacy Statement in order to adapt it to changed legal situations, or to changes in the services provided or data processing. However, this applies only to explanations concerning data processing. If user consent is required or elements of the Data Privacy Statement contain provisions concerning the contractual relationship with the users, these amendments will only be made with the consent of the users.
14.2. Users are asked to inform themselves regularly about the content of the Data Privacy Statement.