Privacy policy of CCV Deutschland GmbH

For German version click here.

The confidentiality and integrity of your personal data is of particular concern to us and forms the basis for a trusting business relationship. We will therefore process and use your data carefully, for the intended purpose or according to your consent and in accordance with the legal provisions on data protection.

With the following information, we inform you about the processing of your data in accordance with Art. 13 of the Basic Data Protection Regulation (GDPR).

Definitions according to Art. 4 GDPR

Personal data: information relating to a living person who can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data or an on-line identifier.

Processing: an operation relating to personal data, such as collection, recording, organisation, filing, storage, adaptation or alteration, disclosure or any other use.

Data subject: any identified or identifiable natural person whose personal data are processed by the controller.

Consent: Consent means any freely given and informed unequivocal expression of the data subject's will in a specific case, in the form of a declaration or other unequivocal affirmative act by which the data subject signifies his or her consent to the processing of personal data relating to him or her.

  1. Who is responsible for the data processing?

This privacy policy applies to data processing by

CCV Deutschland GmbH

Gewerbering 1

84072 Au in der Hallertau

Germany

(we, us and ours) is responsible for and provides websites, online offers and job advertisements. It also applies to free content and services (such as newsletters, online portals and platforms, download and transmission of text, audio, video and image material, even if and to the extent that access to these is provided by mobile devices such as mobile phones or other data storage and/or retrieval devices - hereinafter referred to as "Services" in their entirety or individually).

This privacy policy is also intended to inform you about the way and why we collect your personal data.

For websites of other providers to which reference is made, e.g. via links, the data protection information and declarations there apply. We are not responsible for the content and data processing on the corresponding third-party websites.

Responsibilities of business customers

If a customer, prospective customer or other user of CCV's services has access to personal information (e.g. if a CCV customer provides CCV with personal data about his or her employees), the customer is considered to be the data controller responsible for the processing and use of this information. This statement does not apply to the processing and use of personal data by customers, interested parties or other users.

  1. Hosting

The web server for the operation of our website is technically operated by our parent company:

CCV Group BV

Westervoortsedijk 55

6827AT, Arnheim

Netherlands

  1. Summary of our processing activities

In the following summary, the processing activities on our website are briefly described. You will find more detailed information in the sections below.

  • If you visit our website for informational purposes, we collect only limited personal data (see point 6.)
  • Should you wish to contact us, further personal data will be processed in this context (see point 7.)
  • When visiting our business profiles in the social networks, cookies may be used (see point 8. and the Cookie Policy)
  • If you register for one of our services and benefits such as webshop, newsletter subscription, marketplace, etc., further personal data will be collected (see point 9.)
  • We will inform you about personal data that we receive in the context of applications for a specific position or unsolicited applications under point 14.
  • Furthermore, your personal data is used for statistical analysis to improve our website. In addition, we enhance your user experience through third-party content (see under Cookie Policy)
  • Your personal information may be disclosed to third parties located outside your country of residence where different privacy standards may apply (see Cookie Policy)
  1. SSL or TLS encryption

We use various technical and organizational measures, according to the current state of the art, to protect and maintain the security, integrity and availability of your data.

For security reasons and to protect the transmission of confidential content that you send to the site operator, this website uses SSL or TLS encryption. This means that data that you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the "https://" address line of your browser and the lock symbol in the browser line.

  1. Approval (consent) to the collection, use and processing of personal data

Outside of legal obligations and personal data may only be collected, used or processed with (and within the scope of) your consent. In order to guarantee this, you can be asked at various points during the use of our Internet offer to agree to our data protection declaration or to the processing of your data for a specific purpose (e.g. contacting us via contact form)

  1. Use of the website for information purposes

If you visit our websites for information purposes, i.e. without registering for one of the services we offer or purchasing products, and without providing us with personal data in any other way, we may automatically collect additional information about you, which only contains personal data in limited cases and is automatically collected by our server. These are:

  • Browsertype and Browserversion
  • Used operating system
  • URL, which you have accessed
  • Host name of the accessing computer
  • Access date and time
  • IP address of the requesting computer

These data are recorded on the basis of Art. 6 para. 1 lit. f GDPR.

We use this information to ensure the provision, stability and security of the website. An evaluation of the data for marketing purposes does not take place in this context.

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. In the case of the collection of data for the provision of the website, this is the case when the respective session is ended.

The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. There is therefore no possibility of objection on the part of the user.

  1. Contact and customer support

You have the possibility to get in contact with us in several ways. By e-mail, by telephone, by chat, by contact form or by post. If you contact us or get in touch with our customer support, we will use the personal data that you voluntarily provide us with in this context solely for the purpose of meeting your request for contact and processing your enquiry.

The legal basis for this data processing is Article 6(1)(a), Article 6(1)(b), Article 6(1)(c) GDPR and Article 6(1)(f) GDPR.

Should you contact us via the contact form, the form with your personal data will be stored in our website backend for 1 year from the time of collection and then automatically deleted. Depending on the content of the message, further (contractual and/or legal) storage obligations may arise after forwarding to the appropriate departments.

  1. Social media presence

We maintain online presences within social networks in order to communicate with the users active there or to offer information about us there. Furthermore, you will find links (buttons) to our corresponding business profiles on our website.

If you visit our business profile in the social media, please note that (personal) data of you as a user may be processed outside the area of the European Union/European Economic Area. This may result in risks for you, because it could make it more difficult for you to enforce your rights, for example. With regard to US providers that are certified under the Privacy Shield or offer comparable guarantees of a secure level of data protection, we would like to point out that these same platform providers undertake to comply with the data protection standards of the EU.

Under certain circumstances, your (personal) data may be processed within social networks for market research and advertising purposes. For example, usage profiles can be created based on usage behaviour and the resulting interests. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that are presumably in line with your interests. For these purposes, cookies are usually stored on your computer where the usage pattern and your interests are saved. Furthermore, data can also be stored in the user profiles independently of the devices you use (especially if you are a member of the respective social network and logged in to it - please also see our Cookie Policy).

For a detailed presentation of the respective forms of processing and the possibilities of objection (opt-out), we refer to the data protection declarations and information of the operators of the respective social networks.

Also in the case of requests for information and the assertion of rights of affected persons, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly. Should you nevertheless require assistance, you can contact us (for contact details see point 17.).

When visiting our business profile in the social networks, we may collect the following data:

  • Inventory data (e.g. names, addresses)
  • Contact details (e.g. e-mail, telephone numbers)
  • Content data (e.g. text entries, photographs, videos)
  • Usage data (e.g. websites visited, interest in content, access times)
  • Meta/communication data (e.g. device information, IP addresses)

This processing is based on Article 6 paragraph 1 sentence 1 lit. f GDPR.

Services used and service providers:

Facebook: Social network; service provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Statement: https://www.facebook.com/about/privacy; Privacy Shield (ensuring privacy level for processing of data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Opt-Out: Settings for advertisements: https://www.facebook.com/settings?tab=ads; Additional Privacy Notice: Agreement on joint processing of personal data on Facebook Pages: https://www.facebook.com/legal/terms/page_controller_addendum, Privacy Notice for Facebook Pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.

LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; Privacy Shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

YouTube: Social network; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Opt-out: https://adssettings.google.com/authenticated.

Xing: Social network; service provider: XING SE, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

  1. Registration for our services

Our websites offer, among other things, a webshop, a marketplace, systems that we use for contract initiation as well as some services (e.g. TOM Login, Vapos Login), which can only be used if a contractual relationship between you and us already exists. However, other services offered by us can also be used without a previous customer relationship between you and CCV. These would be:

9.1. Marketing actions

9.1.1 General marketing actions

With your e-mail address you can register for various actions and campaigns. This registration can be done on our website and through ads (paid & organic) on our profiles in social networks. When you register for these marketing actions, we will ask for your consent.

  • Valid eMail
  • Telephone or mobile number
  • Full first name and surname

The legal basis for this processing is Article 6(1), first sentence, lit. a GDPR.

Your personal data that you provide in the course of our campaigns on Facebook, LinkedIn and Google are automatically deleted by the platforms 90 days (30 days for Google) after collection. The personal data that you make available to us via our own website https://www.ccv.eu/de/ (e.g. through participation in campaigns) is automatically deleted after 1 year after collection.

9.1.2 Newsletter marketing

With your e-mail address you can subscribe to our newsletter. This registration can be done on our website and via a link in the e-mail signatures of our employees. When you register for these services, we will ask for your consent. With the help of the so-called "Double-Opt-In" procedure we check whether you are the owner of the given e-mail address. You will receive an e-mail with a link that you can use to confirm that you have registered yourself for the newsletter.

The legal basis of this processing is Article 6 paragraph 1 sentence 1 lit. a GDPR.

The email addresses of pending confirmations are stored for 60 days. The confirmation link also expires after 60 days.

We store your e-mail address as long as you subscribe to our newsletter. You can unsubscribe from the newsletter by clicking on the link contained in each newsletter.

9.2 4eyeTool

As partner, integrator or network operator you can activate our OPP terminals. For this purpose, the PCI regulations applicable to electronic payment transactions stipulate that the following personal data must be collected and stored when calculating activation codes for the commissioning of vending machine terminals according to the dual control principle:

  • Company name
  • First and last name
  • Telephone number
  • eMail address

This data is used exclusively for the purpose of calculating activation codes. A combination with other data or a passing on to third parties does not occur.

The legal basis for the processing is your consent according to Art. 6 (1) lit. a GDPR.

The data will be deleted at the earliest after the destruction of all components involved in the activation process (terminal and card reader) or until you have expressly commissioned the deletion yourself.

9.3 Online Shop „MyCCV“

In order to place orders via "MyCCV", you must create a user account. Your personal data will be stored in your customer account for future purchases. You can delete your personal data and your user account in your account settings. When you place orders via our website, we may collect the following data:

  • IP address
  • Salutation, first name, last name
  • A valid eMail address
  • Address

This processing is based on Art. 6 (1) lit. b GDPR.

We are required by law to retain transaction-related financial information (including address, payment and order information) for ten years. After 2 years, however, we will limit the processing of your personal data in order to comply with the legal requirements and will then stop processing the personal data. The storage of your personal data in this regard is based on Art. 6 Paragraph 1 Sentence 1 lit. c GDPR.

9.4 OAM Receipt server https://receipt.ccv-deutschland.de:8007/

As a consumer, you have the option of having a QR code displayed at various retailers (CCV customers) via the card terminal after your purchase. As soon as you scan the QR code with your mobile phone, you will be linked to our website. There you have the option of having your proof of purchase sent to your e-mail address or to download it directly. We collect the following data:

  • A valid email address
  • IP address

The legal basis for the processing is your consent according to Art. 6 (1) lit. a GDPR.

The document server deletes personal data within one day. However, the CCV Mailgateway, which is used to send documents, stores metadata (including the destination address) for six months.

  1. Transfer of personal data to third parties

Your personal data may be disclosed to the following contractors who assist us in providing our services:

Lionware GmbH, Im Kaisemer 13A, 70191 Stuttgart, Germany (Hosting of the portal for the PostIdent procedure)

Personio GmbH, Buttermelcherstraße 16, 80469 Munich, Germany (Hosting application portal, see point 14.)

Inspyde, MutzerHeide 3, 51467 Bergisch Gladbach, Germany

Biedmeer B. V. (CCVShop), Diamantstraat 3, 7554 TA Hengelo (Ov), Netherlands

CCV Group B. V., Westervoortsedijk 55, 6827 AT Arnhem, Netherlands (Hosting of the website, see point 2. – use and evaluation of cookies, see Cookie Policy; hosting & maintenance „MyCCV“, see point 9.3)

The Rocket Science Group LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA (Newsletter dispatch, see point 9.1.)

Samhammer AG, Zur Kesselschmiede 3, 92637 Weiden, Germany (Support Hotline, see point 7.)

There is an agreement between the CCV and all the listed contractors on contract processing in accordance with Art. 28 GDPR. The legal basis for this transfer of your personal data is therefore Art. 6 Paragraph 1 Sentence 1 lit. b GDPR.

  1. Transfer of personal data to third countries

Within the scope of the above-mentioned scope, it is possible that we may transfer your personal data to legal entities named in this data protection declaration. This is done exclusively on the basis of a contractual agreement on order processing between us and the corresponding third party provider. These third parties may be located in other countries (including countries outside the EEA) where data protection standards may differ from those in your country of residence. Please note that data processed in other countries may be subject to foreign laws and may be accessible to the governments, courts, law enforcement and regulatory authorities of those countries.

The recipients of personal data based in the USA are certified under the EU-US Privacy Shield Agreement and the data transfer is based on so-called standard contractual clauses of the EU Commission. You can find further information on this under https://www.privacyshield.gov.

  1. Automated decision making

We do not process your personal data for automated decision making processes that have legal effect on you or significantly affect you in a similar way.

  1. What rights do you have as a data subject?

We take the greatest possible care and security when handling your personal data. The GDPR gives rise to the following rights with regard to your personal data:

Right to information

You have the right to be informed about those of our operations that involve the handling and processing of your personal and payment data.

Right of access

You have the right to inspect your personal data stored with us. If you wish to exercise this right, we must first verify your identity before retrieving your data. You will then receive all data we have stored about you. We will also inform you of the details of our processing methods, including information on the purpose of processing, the retention period, the recipients of the data and the method of data collection. We aim to provide you with an overview of this data after one month at the latest. If we expect a longer processing time, we will inform you of this.

Right of rectification, limitation and erasure

You have the right to correct or supplement your personal data stored with us. You can also arrange for the partial deletion of your data in order to limit the amount of data we may use in the future. Furthermore, you have the "right to be forgotten", i.e. you can request that your data stored with us be completely deleted. However, we are legally obliged to retain certain data, which cannot be deleted in this case.

Right to data portability

You may request CCV to transfer the data stored about you to another legal entity by digital means. If you exercise this right, we will provide you with your data in a structured and common file format. We can only do this for personal data that you have transmitted to us yourself or that you have expressly agreed to process or that we have received in fulfilment of our contractual obligations. We have set ourselves the goal that the requested information should be ready for data transfer within one month at the latest. If we assume a longer processing time, we will inform you of this.

Right of appeal

If you believe that we are processing certain personal data about you unlawfully, we would ask you to inform us of this. If your objection is justified, we will stop processing your personal data to the appropriate extent.

Right of appeal

You also have the opportunity to lodge an official complaint if you feel that your data is not being handled with the necessary care. In the event of a complaint, we will examine our procedures in detail and make every effort to rectify any shortcomings found. If no agreement can be reached, you have the possibility to contact the German data protection authority with your complaint.

  1. Handling of application documents which we receive by post, e-mail or fax

Your data will be processed by CCV Deutschland GmbH exclusively within the framework of the application procedure and will be deleted at the latest six months after the application procedure has ended. Your data will not be passed on to third parties.

We store your unsolicited application solely for the purpose of contacting you if we have an interesting and suitable position to fill. In this context, the application documents can only be viewed by the responsible managers, the personnel department and the management. Beyond this circle, no information is passed on to third parties. Your data will be deleted after 12 months. Within this period you can request the early deletion of your data at any time.

The legal basis for the processing of your data in this context is your implied consent (in accordance with Art. 6 (1) a GDPR) by sending the applicant data. This consent can be revoked at any time with effect for the future. As a consequence of the revocation, your application can no longer be processed and therefore cannot be considered.

If you use our applicant management system, Personio, you will be shown a separate data protection statement at that point.

  1. Which supervisory authority do we report to?

At CCV we respect your rights with the utmost care. However, if you feel that we have not sufficiently respected your rights, you have the right to complain to a data protection authority, as mentioned in point 6.

The Supervisory Authority responsible for CCV Germany can be reached as follows:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Postfach 1349

91504 Ansbach

Germany

  1. How can you contact us or make use of your above mentioned rights?

If you have any questions, concerns or comments about this privacy policy or inquiries about your personal data, please send an e-mail to our data protection officer:

Phone: +49 (0)8752 8640

E-Mail: datenschutz@de.ccv.eu

You can also use our contact form for this purpose.

The information that you provide when you contact us (for example, first name, last name and e-mail address) will only be processed in order to handle your request. It will be deleted immediately thereafter. Alternatively, we will restrict the processing of your personal data in accordance with the statutory regulations on retention obligations.

Note

We reserve the right to change this data protection declaration according to the updating of our website. The need for action in this regard may also arise, for example, as a result of changes in the law. Please visit this website regularly and check the current data protection statement. This data protection declaration was last updated on 13.12.2019.