I – Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is: CROMATICS GmbH, Werner-Hartmann-Straße 3, 01099 Dresden, +49 351 799 050 00, info@cromatics.de.
II – Name and address of the data protection officer
The data protection officer of the controller is: IfDDS GmbH - Institut für Datenschutz und Datensicherheit, Dresdner Straße 58a, 01156 Dresden, +49 351 27 57 90 57, cromatics@ifdds.eu
III – General information on data processing
Scope
We collect and use personal data of our users only insofar as necessary to provide a functional website and our content and services. Collection and use of personal data generally takes place only with the user's consent. An exception applies where prior consent cannot be obtained for practical reasons and processing is permitted by law.
Legal basis
Where we obtain the user's consent, Art. 6(1)(a) GDPR is the legal basis for processing personal data. Where personal data is processed necessary for performance of a contract with the user, Art. 6(1)(b) GDPR applies. Where processing is necessary to protect a legitimate interest of our company or a third party and the user's interests do not override, Art. 6(1)(f) GDPR applies.
Storage period and deletion
The user's personal data is deleted once the purpose for which it was collected no longer applies. If the controller is legally obliged to retain data beyond that point, the data is blocked from the time the purpose is fulfilled until deletion.
IV – Access data
Each time our website is accessed, our system automatically collects data from the calling computer's system. The following data is collected: information about browser type and version, the user's operating system, the user's internet service provider, the user's IP address, date and time of access, websites from which the user's system reached our website, and websites accessed via our website. The data is also stored in our system's log files; it is not stored together with other personal data of the user. The legal basis for temporary storage of data and log files is Art. 6(1)(f) GDPR. Temporary storage of the IP address is necessary to deliver the website to the user's computer; the IP address must remain stored for the duration of the session. Log files are stored to ensure website functionality and to optimise the website and secure our IT systems. Data is not evaluated for marketing purposes in this context. These purposes also constitute our legitimate interest under Art. 6(1)(f) GDPR. Data is deleted when no longer necessary for the purpose of collection. For data collected to provide the website, this is when the respective session ends. For log files, this is after at most seven days. Longer storage is possible; in that case user IP addresses are deleted or anonymised so the calling client can no longer be identified. Collection of data to provide the website and storage in log files is strictly necessary for operation of the website. Users therefore have no right to object in this respect.
V – Technically necessary cookies
Our website uses technically necessary cookies. Cookies are text files stored in or by the internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system containing a characteristic string that allows the browser to be identified on return visits. We use cookies to make our website more user-friendly. Some elements require the browser to remain identifiable after a page change. The legal basis is Art. 6(1)(f) GDPR. The purpose is to simplify use of websites for users. Some functions cannot be offered without cookies; the browser must be recognised again after a page change. User data collected through technically necessary cookies is not used to create user profiles. Cookies are stored on the user's computer and transmitted to our site; users have full control via browser settings to deactivate or restrict cookies or delete stored cookies (including automatically). If cookies are deactivated, not all website functions may be fully usable.
VI – Contact form
Our website includes a contact form for electronic contact. If a user uses this option, data entered in the input mask is transmitted to us and stored: name, address, and your message. At the time the message is sent, the user's IP address and time of contact are also stored. Consent is obtained during submission and reference is made to this privacy policy. Data is not passed to third parties and is used solely to process the enquiry. The legal basis, where consent is given, is Art. 6(1)(a) GDPR. Processing serves solely to handle the contact request; other data processed during submission serves to prevent misuse of the contact form and secure our IT systems. Data is deleted when no longer necessary. For contact form data, this is when the respective conversation with the user has ended—when the matter can be regarded as finally resolved. Additional data collected during submission is deleted after at most seven days. Users may withdraw consent at any time; in that case the conversation cannot continue. Withdrawal is by email to info@cromatics.de; all personal data stored in connection with the contact will then be deleted.
VII – Email contact
Contact via the email address provided on our website is possible. Personal data transmitted with the email is stored, not passed to third parties, and used solely to process the conversation. The legal basis is Art. 6(1)(f) GDPR. Processing serves solely to handle the contact request, including our legitimate interest therein. Data is deleted when no longer necessary—when the conversation has ended and the matter is finally resolved. Users may object to storage of their personal data at any time; in that case the conversation cannot continue and stored personal data will be deleted.
VIII – Google Analytics
We have integrated Google Analytics with anonymisation on this website. Cookies (text files) stored on your computer allow analysis of your use of the website. Information collected by the cookie is generally transmitted to and stored on a Google server in the USA. To prevent this, we use IP anonymisation: the IP address is truncated within EU member states or other EEA contracting states before transmission. Exceptionally, the full IP address may be transmitted to a Google server in the USA and truncated there. Google uses the information on our behalf to evaluate website use, compile reports on website activity, and provide related services. The IP address transmitted by your browser is not merged with other Google data. You can prevent cookie storage via browser settings; we note that you may then not be able to use all website functions fully. You can also prevent collection of data generated by the cookie relating to your use of the website (including your IP address) and its processing by Google by downloading and installing the browser plugin at http://tools.google.com/dlpage/gaoptout?hl=de. The operator is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Tracking and data collection by Google Analytics can be prevented by clicking the following link, which sets an opt-out cookie preventing data collection when visiting www.cromatics.de:
Deactivate Google Analytics tracking
IX – Rights of the data subject
If your personal data is processed, you are a data subject under the GDPR and have the following rights against the controller.
Right of access
You may request confirmation of whether personal data concerning you is processed and, if so, information about:
(1) purposes of processing;
(2) categories of personal data;
(3) recipients or categories of recipients;
(4) planned storage duration or criteria for determining it;
(5) existence of rights to rectification, erasure, restriction, or objection;
(6) right to lodge a complaint with a supervisory authority;
(7) source of data if not collected from you;
(8) existence of automated decision-making including profiling under Art. 22(1) and (4) GDPR and meaningful information about the logic involved and intended effects.
You may request information on whether data is transferred to a third country or international organisation and on appropriate safeguards under Art. 46 GDPR.
Right to rectification
You have the right to rectification and/or completion if processed data concerning you is inaccurate or incomplete. The controller must rectify without undue delay.
Right to restriction of processing
You may request restriction where:
(1) you contest accuracy for a period enabling verification;
(2) processing is unlawful and you oppose erasure and request restriction instead;
(3) the controller no longer needs the data but you need it for legal claims; or
(4) you have objected under Art. 21(1) GDPR pending verification whether legitimate grounds override yours.
Where processing is restricted, data may apart from storage only be processed with your consent or for legal claims, protection of others' rights, or important public interest. You will be informed before restriction is lifted.
Right to erasure
a) Obligation to erase
You may request erasure without undue delay where:
(1) data is no longer necessary for the purposes collected or otherwise processed;
(2) you withdraw consent under Art. 6(1)(a) or Art. 9(2)(a) GDPR and no other legal basis applies;
(3) you object under Art.21(1) or (2) GDPR and no overriding grounds exist;
(4) data was unlawfully processed;
(5) erasure is required by EU or member state law; or
(6) data was collected in relation to information society services under Art. 8(1) GDPR.
b) Information to third parties
Where data has been made public and the controller must erase it, reasonable measures including technical measures will be taken to inform processors to erase links, copies, or replications.
c) Exceptions
The right does not apply where processing is necessary for:
(1) freedom of expression and information;
(2) legal obligation or public-interest task;
(3) public health under Art. 9(2)(h), (i), or (3);
(4) archiving, research, or statistics under Art. 89(1) GDPR where erasure would make objectives impossible or seriously impair them; or
(5) establishment, exercise, or defence of legal claims.
Right to notification
Where you have obtained rectification, erasure, or restriction, the controller must notify recipients unless impossible or disproportionate effort; you have the right to be informed of those recipients.
Right to data portability
You have the right to receive personal data you provided to the controller in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance where processing is based on consent under Art. 6(1)(a) or Art. 9(2)
(a) GDPR or a contract under Art. 6(1)
(b) GDPR and is carried out by automated means.
You also have the right to have data transmitted directly between controllers where technically feasible, without affecting others' rights. This does not apply to processing necessary for a task in the public interest or exercise of official authority.
Right to object
You may object at any time on grounds relating to your particular situation to processing based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. The controller will no longer process the data unless compelling legitimate grounds override your interests, rights, and freedoms, or processing is for legal claims. Where data is processed for direct marketing, you may object at any time, including profiling linked to such marketing; data will then no longer be processed for those purposes. You may exercise the right regarding information society services using automated procedures where technically specified.
Right to withdraw consent
You may withdraw consent at any time. Withdrawal does not affect lawfulness of processing based on consent before withdrawal.
Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing including profiling that produces legal or similarly significant effects, except where:
(1) necessary for contract with you;
(2) authorised by EU or member state law with suitable safeguards; or
(3) based on your explicit consent
provided decisions do not rely on special categories under Art. 9(1) GDPR unless Art. 9(2)(a) or (g) applies with suitable safeguards. In cases (1) and (3), suitable measures protect your rights including at least the right to human intervention, to state your point of view, and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to other remedies, you may lodge a complaint with a supervisory authority, in particular in your member state of residence, workplace, or place of the alleged infringement, if you believe processing of your personal data infringes the GDPR. The authority will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
This disclaimer is part of the internet offering from which reference was made to this page. If parts or individual formulations of this text do not, no longer, or not fully correspond to the applicable legal position, the remaining parts of the document remain valid in content and effect.