If a data subject wants to use special services of our company via our CrystalBridge website, this might require the processing of personal data. If there is no statutory basis for the processing of personal data, we generally obtain the consent of the data subject. Your data is processed in accordance with the requirements of the General Data Protection Regulation (GDPR) and exclusively for the fulfillment of contractual purposes, based on consents given or on a statutory basis. In addition, we inform the data subjects of their vested rights. We therefore ask you to take note of the following information regarding how your data is handled.
As the controller responsible for data protection, we have implemented numerous technical and organizational measures to ensure that personal data processed via this website is provided the most complete protection possible. Nevertheless, Internet-based data transmissions can have security gaps, which means that absolute protection cannot be guaranteed.
I. The controller is: SNP Schneider-Neureither & Partner SE, Dossenheimer Landstraße 100, 69121 Heidelberg, E-Mail: firstname.lastname@example.org
The data protection officer of the controller is Michael Bätzler, who can be reached at the postal address of the controller, for the attention of "The Data Protection Officer", or by e-mail at email@example.com
II. Subject of the Data Protection
Personal data is the subject of the data protection.
According to the Federal Data Protection Act (BDSG), personal data is all individual information about personal or material circumstances of a specific or identifiable natural person. The GDPR also defines "personal data" as all information relating to an identified or identifiable natural person; an identifiable person is a person who can be identified directly or indirectly, in particular by assigning them to an identifier such as a name, an identification number, location data or an online identifier.
A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible.
Processing is any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1. Data Collection
CrystalBridge automatically collects and stores information in its server log files; your browser transmits this information to us. Data such as:
• Browser type/version
• Operating system used
• Subpages of our website that are accessed by an accessing system
• Host name of the accessing computer (IP address)
• Date and time of the server request, etc.
• Other similar data and information used for security purposes in the event of attacks on our information technology systems.
The data collected is only used for statistical analyses and to improve the website. This data cannot be assigned to specific persons. This data is not combined with other data sources; the data is erased after a statistical analysis.
a) Registering with a Customer Account
You must register in order to use CrystalBridge. If you register as a user, we set up password-protected direct access for you. As part of the registration, we will collect and store your first name, last name and e-mail address. The data in the mandatory fields, which are marked with "*", is necessary to fulfil our contractual obligations.
Furthermore, you may provide additional personal data such as academic title, mobile number, telephone number, fax number and profile picture on an entirely optional basis. You can manage and view your personal data in your user account (first name, last name, e-mail address and further optional personal data).
We will use the data you provide during the registration to check your access authorization. We will save the data, logon and logoff times, the time of testing, and the test result so that we can maintain the activation permanently and perform reviews if necessary. The operator assumes no liability for password misuse, unless this misuse is caused by CrystalBridge itself.
The only personal data identified in the result of the SNP System Scan analysis is the name of the person who runs the SNP System Scan on your SAP® system. Beyond that, only aggregated and non-personal data will be identified, provided that master data and transaction data are held separately, as defined in the SAP® standard. If your organisation (e.g. sales or purchasing organizations) is structured on an individual-related basis, personal data may be included in the result of the analysis. The collection of this data can be excluded through the parameter settings of the analysis.
b) Logging on
When you log on, your logon details are compared with the access data stored in our database. We only save this to your user account in the case of failed logons in order to block the account after 3 failed logons in succession. This prevents unauthorized access attempts and protects you and us from attempted fraud (section 28(1) sentence 1 no. 1, 2 BDSG old version; Art. 6(1)(a), (b) and (f) GDPR).
We require your personal data so that we can respond to you personally. The software collects data for the purpose of providing cloud services; setting up and managing user accounts; protecting against fraud, claims, and other obligations as well as detecting and preventing them; and compliance with applicable law and our directives.
3. Legal Basis
We process personal data exclusively on the basis of an appropriate authorization. If the processing is based on consent, the legal basis is Art. 6(1)(a) GDPR. If the processing of personal data is necessary for the fulfillment of a contract in which the Party is the data subject, e.g. if a service is performed, the processing is performed in accordance with Art. 6(1)(b) GDPR. If the processing is necessary in order to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and fundamental freedoms of the person concerned do not prevail, then personal data of a data subject can be processed in accordance with Art. 6(1)(f) GDPR.
4. Duration for Which the Personal Data Is Stored
The criterion for the duration of the storage of personal data is the respective statutory retention period. After this period expires, the corresponding data will be routinely erased, provided that it is no longer necessary for the fulfillment or initiation of a contract.
5. Disclosure of Data
All personal data is treated confidentially and is only accessible to authorized personnel who have been previously bound to data secrecy and the regulations of the applicable data protection laws. This data is also not disclosed to third parties without the express consent of the client, unless we are obliged to do so by law or by a court decision.
If we use partner companies (subcontractors) to process a contract, your data might also be disclosed to these partner companies. In this case, our partner companies work for us in the context of order data processing. We shall only entrust subcontractors with the processing of a client's personal data if the subcontractors have previously committed themselves in writing in the same way that we have in order to comply with the statutory data protection provisions.
If partner companies (subcontractors) that have their registered office outside the EU/EEA area are used for the purpose of contract processing, data is only disclosed on the basis of the EU standard contractual clauses. On this basis, non-European partner companies (subcontractors) also undertake to comply with European data protection standards.
III. Routine Erasure and Blocking of Personal Data
If no explicit storage period is specified during the collection (e.g. in the context of a declaration of consent), personal data will be erased insofar as this data is no longer necessary to fulfill the purpose of the storage, unless statutory storage obligations (e.g. commercial and tax storage obligations) prevent erasure. If the storage purpose no longer applies or if a storage period prescribed by the competent legislator expires, we will erase or block the personal data in accordance with the statutory regulations.
IV. Rights of the Data Subject
You can assert your rights against the controller at any time. To do so, you can contact the controller specified in clause I or the data protection officer.
1. Right to Confirmation
All data subjects have the right to request confirmation from the controller as to whether the controller processes their personal data.
Data subjects can request information at any time without giving reasons by addressing themselves to the controller.
2. Right to Information
All data subjects affected by the processing of personal data have the right to obtain information from the controller about the personal data stored that concerns them (processing purpose; categories of processed data; disclosure to third party recipients; duration of storage; vested rights to blocking, correction and erasure; complaints to supervisory authorities; information on automated decision-making; profiling; transmissions to third countries or international organizations). Information is provided free of charge.
3. Right to Correction
Data subjects have the right to have inaccurate data concerning them corrected immediately or, in the event of incompleteness, to have the data supplemented while taking into account the processing purposes.
4. Right to Erasure
All data subjects have the right to have the controller erase personal data immediately if the personal data is no longer necessary to achieve the purpose; consent is revoked and the processing does not take place on any other legal basis; an objection is lodged against the processing without there being overriding legitimate interests in the processing; the data processing is unlawful; the erasure of personal data is required by law to fulfill a legal obligation; or the personal data has been stored with respect to information society services offered in accordance with Art. 8(1) GDPR.
5. Right to Restrict the Processing
All data subjects affected by the processing of personal data have the right to demand that the controller restrict the processing of their personal data if the data subjects dispute the accuracy of the personal data or if they have lodged an objection. The duration of the restriction must be sufficient for the controller to check the accuracy of the personal data or, in the event of an objection, to check the legitimate reasons. If the processing is unlawful and the data subject's request to erase the personal data is refused, the data subject may instead request that the use of the personal data be restricted.
6. Right to Data Portability
All data subjects affected by the processing of personal data have the right to obtain personal data concerning themselves from the controller. The data is then made available in a structured, common and machine-readable format. In the case of processing on the basis of a contract or consent, and if the processing is performed using automated processes, the right to transmit the data to third parties can be asserted insofar as this is technically feasible and provided that the rights and freedoms of other persons are not affected by this.
7. Right to Object
All data subjects affected by the processing of personal data have the right, if reasons arise as a result of their particular situation, to object to the processing of personal data concerning themselves that results from Art. 6(1)(e) or (f) GDPR.
8. Right to Revoke the Declaration of Consent
You can revoke your consent to the collection and use of data given to us at any time with effect for the future and without giving reasons; this does not affect the legality of the processing performed on the basis of your consent until such revocation.
9. Right to Be Informed
If you have exercised your right to correct, erase or restrict the processing, we will inform all recipients to whom the personal data concerning you has been disclosed of this correction, erasure or restriction, unless this involves disproportionately high effort or is not possible. You have the right to be informed of these recipients.
V. Data Protection Officer, Complaints
We take data protection within our company very seriously. Our employees are contractually bound to secrecy, to compliance with IT/security provisions and to the applicable data protection provisions.
We protect your personal information from unauthorized access, loss, use or disclosure and ensure that your personal information is stored in a legally required, controlled, secure environment that prevents unauthorized access, loss or disclosure.
Our company has taken technical and organizational measures to ensure that we comply with the statutory requirements of the BDSG and the GDPR and to protect your data against damage, destruction, falsification, manipulation and unauthorized access.
To avoid unnecessary amounts of data, we only collect, process and use your personal data insofar as this is necessary within the scope of our range of services.