Data Privacy Statement of the SMARTCRM GmbH

1.  Generalities

1.1 Personal Data (Article 4(1) GDPR)

The subject matter of the data protection is the personal data (hereinafter also referred as data). Personal data mean all information relating to an identified or identifiable natural person. These concern in particular data such as last name, address, occupation, e-mail address, state of health, income, marital status, genetic characteristics, phone number and possibly user data such as IP address.

1.2 Controller (Article 4(7) GDPR)

The controller responsible for the processing of your personal data in connection with the use of the website www.smartcrm.gmbh (hereinafter referred as website) is SMARTCRM GmbH (hereinafter referred as operator or controller). The contact details are:

SMARTCRM GmbH
Georg-Todt-Str. 1
76870 Kandel
Germany

Managing director: Ralph Rastert

Phone: +49 7275 98866-0
Fax: +49 7275 98864
E-mail: info@smartcrm.gmbh

1.3 Data Protection Officer

The controller has appointed Jan Morgenstern as data protection officer. He can be reached under the e-mail address datenschutz@m-consecom.de.

1.4 Right to Object

If you wish to object to the processing of your data by the operator in accordance with this data privacy statement as a whole or for individual measures, you can do so under the contact details specified in the imprint or as part of your browser settings. Please note that in case of such an objection the use of the website and the retrieval of the offered services may be limited or not possible at all.

2. Scope and purpose of data processing and provision of data 

 

2.1 Access and use of the website

Each time you access the website and its subpages, usage data are transmitted by the respective internet browser and stored in log files (server log files). In this case, the records stored contain the following data:

  • Date and time of access
  • Name of the accessed web page
  • IP address
  • Referrer URL (origin URL from which you came to the website)
  • Transmitted data volumee
  • Product and version information of the browser used

The provision of the data is neither legally nor contractually prescribed. However, it is required to access the website of the operator. The non-provisioning implies that the website cannot be accessed.

2.2 Contact form and e-mail with one click

If you wish to contact the operator, you can use the contact form. In the framework of this form, you are required to provide the following data:

  • Salutation
  • Last name
  • E-mail address

In addition, you may provide additional information:

  • First name
  • Street
  • ZIP code and city
  • Phone number

In some sections on the website, you also have the option of opening an e-mail directed to the operator in a single click. In doing so the e-mail address linked to your e-mail program is automatically used as the sender. If you do not want your e-mail address to be retrieved this way, you can change this in the settings of your e-mail program.

The provision of the data is neither legally nor contractually prescribed. However, it is required since otherwise the user cannot send the operator any message.

2.3 Advertising

If you have consented to or a legal provision allows this, the operator uses your data for advertising purposes.

As customer of the operator, you regularly receive product recommendations per e-mail which are based on the products you have already ordered. This way, the operator wishes to keep you informed on its services that might be of interest for you given your last order or booking.

If you no longer want to receive any recommendations nor advertising news, you may object at any time. A textual message to the operator suffices. In addition, there is an unsubscribe link in every e-mail.

The provision of the data is neither legally nor contractually prescribed. The non-provisioning has the consequence that you cannot be addressed promotionally.

2.4 Use of cookies

The operator uses so-called cookies. They are small data packages consisting of letters and numbers that are usually stored in a browser when you visit certain websites. Cookies allow the website to remember your browser, to track your browser activities through different sections of the website and to identify you when you return to the website. Cookies do not contain any data that may identify you personally. However, the data stored about you by the operator may be assigned to the data retrieved and stored by the cookies.

Information that the operator receives from you through the help of cookies can be used for the following purposes:

  • Recognizing the user’s computer when visiting the website
  • Tracking the user‘s browsing activities on the site
  • Improving the user-friendliness of the site
  • Evaluating the use of the website
  • Operation of the website
  • Preventing fraud and improving the safety of the website
  • Individual design of the website taking into account the needs of the user

Cookies do not cause any damage to the browser. They do not contain any viruses and do not enable the operator to spy on you. Two types of cookies are used here:

  • Temporary cookies are automatically deleted when closing your browser (session cookies).
  • Persistent cookies have in contrast a maximal lifespan of up to 20 days. This type of cookies enables the website to remember your information and settings the next time you visit it.

Cookies allow the operator to track your browsing activities for the aforementioned purposes and to the appropriate extent. They are used to provide an optimized browsing experience on the operator’s website. The operator also collects these data in anonymous form.

Needless to say, you can visit the website without using cookies. If, however, you do not want the operator to recognize your computer, you can prevent cookies from being stored by selecting the option “Do not accept cookies” in your browser settings. Please refer to the browser manual for detailed instructions. To delete cookies that have already been stored in your browser, please consult the browser manual.

The provision of the data is required in order to correctly use the website of the operator.

Please note that if you choose not to accept cookies or to delete cookies that have already been stored, this may limit the functions offered by the website.

2.5 Newsletter

In order to receive additional information concerning the services of the operator, you can also subscribe to an e-mail newsletter. For the sending of the newsletter, the so-called double opt-in process is used, which means that you will receive the newsletter per e-mail only if you have expressly confirmed that the newsletter service should be activated. After having activated the service, you will receive a notification per e-mail containing an activation link. Only by clicking on this link, you will receive the newsletter. You can unsubscribe at any time. To this end, contact the operator or use the unsubscribe link inserted in all newsletter.

For the newsletter dispatch, you have the possibility to use also the variant of the newsletter with tracking. This involves the use of web beacons or so-called tracking pixel. These are attached to the newsletter and can record personal data of the user (such as IP address, time of retrieval, details of the e-mail program). Thereby, the e-mail contains a picture file that is downloaded by the e-mail program of the recipient. The name of the picture file is individualized and provided with an ID, so that the e-mail recipients who have opened the newsletter can be determined. Concerning the newsletter tracking, the service of the provider Inxmail Gmbh, Wentzingerstr. 17, 79106 Freiburg, Germany, is used and the data is transmitted to it for this purpose.

The provision of the data is neither legally nor contractually prescribed. However, it is required to receive the newsletter.

2.6 Registration to training

On the website, you have the opportunity to sign up for training. The following data are then required:

  • Salutation
  • Last name
  • Company
  • E-mail address
  • Phone number
  • Persons to be registered (first name and last name)

In addition, you can make the following voluntary disclosures:

  • First name
  • Whether you have any question

The operator uses your data in order to make the registrations for the training.

The provision of the data is contractually prescribed. The non-provisioning has the consequence that no registration can be made.

2.7 Appointment for an online demo

On the website, you have the opportunity to make an appointment for an online demo. This requires the entry of the following data:

  • Salutation
  • Last name
  • Company
  • E-mail address

Additionally, you can give the following voluntary information.

  • First name
  • Phone number

The operator uses your data in order to make an appointment with you for an online demo.

The provision of the data is neither legally nor contractually prescribed. The non-provisioning has the consequence that you cannot make any appointment.

2.8 Google Maps

The operator uses the map service Google Maps. This is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By using it, information about the use of the website (such as date and time of the access, IP address, etc.) are transmitted to Google server in the USA and stored. The data will be used by Google for the purposes of advertising market research and / or tailor-made design of its own website. This can also be linked to your user account provided that you are logged in. If this is not what you want, you have to log out before using this service. Google’s terms of use and privacy policies apply here. If you disable or block Java script in your browser settings, you can prevent Google Maps from running.

The provision of the data is neither legally prescribed nor contractually required. The non-provisioning has the consequence that you cannot use the function.

 

3. Legal basis

 

3.1 Access and use of the website

The admissibility of this processing is governed by Article 6(1)(b) GDPR. According to this, processing is lawful if it is necessary for the performance of a contract of which the data subject is a party or if pre-contractual measures are taken at the request of the data subject.

3.2 Contact form and e-mail with one click (Article 6(1)(b) GDPR)

The operator shall process the data you provide to respond to your request and to communicate with you. The data are mandatory for these processes. The admissibility of this processing is governed by Article 6(1) GDPR only if and to the extent that the processing is necessary for the performance of a contract to which the data subject is party or if pre-contractual measures are taken at the request of the data subject.

The contact request is a pre-contractual action that is taken by the data subject. The data collected by the operator are required for the implementation of the pre-contractual actions since without them the request cannot be replied to.

3.3 Advertising (Article 6(1)(f) GDPR)

The operator may use your data on promotional purposes. The admissibility of this processing is governed by Article 6(1)(f) GDPR. According to this, processing is lawful if it is necessary to safeguard the legitimate interests of the controller or a third party and provided that the interests or fundamental rights and basic freedom of the data subject, who require the protection of personal data, do not prevail.

The use of data for advertising purposes constitutes a legitimate interest of the operator within the meaning of Article 6(1)(f) GDPR. The operator is required to actively present his services to new and existing customers.

The legal basis for direct advertising is governed under the § 7(3) UWG (German law against unfair competition), according to which an intolerable harassment in an advertisement using electronic mail in the cases mentioned there of direct mail is not to be accepted. You may object to the use at any time without incurring any costs other than the transmission costs according to the basic tariffs.

3.4 Use of cookies

The admissibility of this processing is governed under the Article 6(1)(f) GDPR. According to this, the processing is lawful if it is required for the protection of the legitimate interests of the controller or a third party and provided that the interests or fundamental rights and basic freedom of the data subject, who require the protection of personal data, do not prevail. The legitimate interest of the operator lies in the optimized representation of his website.

3.5 Newsletter

The admissibility of this processing is governed under the Article 6(1)(f) GDPR. According to this, the processing is lawful if the data subject has given his consent to the processing of his personal data for one or more specific purposes.

3.6 Registration to training

The admissibility of this processing is governed under the Article 6(1)(f) GDPR. According to this, the processing is lawful if it is required for the fulfillment of a contract whose contracting party is the data subject or for the execution of pre-contractual measures which take place at the request of the data subject. The registration of the data subject takes place as a pre-contractual measure for training.

3.7  Appointment for an online demo

The admissibility of this processing is governed under the Article 6(1)(f) GDPR. According to this, the processing is lawful if it is required for the fulfillment of a contract whose contracting party is the data subject or for the execution of pre-contractual measures which take place at the request of the data subject. The scheduling of an appointment is a pre-contractual measure that takes place at the request of the data subject.

3.8 Google Maps

The operator employs Google Maps to enable you to use the interactive maps for route determination. The admissibility of this processing is governed under the Article 6(1)(f) GDPR. According to this, the processing is lawful if it is required for the protection of the legitimate interests of the controller or a third party and provided that the interests or fundamental rights and basic freedom of the data subject, who require the protection of personal data, do not prevail. The use of data for the purposes of the providing maps for route determination constitutes a legitimate interest of the operator within the of Article 6(1)(f) GDPR. Hereby the access to the operator’s registered office is facilitated.

 

4. Ensuring fair and transparent processing of data

 

4.1 Retention period

 

(a) Access and use of the website

Your IP address will be deleted or made anonymous upon cessation of use. Anonymizing an IP address means changing it in a way that it can no longer be attributed to a specified or specifiable, respectively identified or identifiable natural person or then only with disproportionate investment of time, cost and efforts.

The server log files are evaluated by the operator in anonymous form in order to further improve the website, to make it more user-friendly, to find and fix errors more quickly and to manage server capacities. For instance, this can enable to track the time at which the use of the website is particularly strong, allowing the operator to provide appropriate data volume.

(b) Contact form

The personal data processed for communication purposes will be deleted after expiry of the relevant statutory retention periods, unless the controller has a legitimate interest in keeping the data for a longer period. In any event, only data required to achieve the specific purpose will be stored. Personal data are made anonymous to the possible extent.

(c) Advertising

The personal data processed for advertisement will be deleted unless the controller has a legitimate interest in keeping the data for a longer period. In any event, only data required to achieve the specific purpose will be stored.

(d) Newsletter

Your data will be deleted after the withdrawal of your consent, unless the controller has a legitimate interest in keeping the data for a longer period. This can be the case when the controller must record your data pursuant to a contract. In any event, only data required to achieve the specific purpose will be stored.

(e) Registration to training

The personal data processed for registration to training will be deleted after expiry of the relevant statutory retention periods unless the controller has a legitimate interest in keeping the data for a longer period. In any event, only data required to achieve the specific purpose will be stored. Personal data are made anonymous to the possible extent.

(f) Appointment for online demo

The personal data processed for appointment arrangement will be deleted after expiry of the relevant statutory retention periods unless the controller has a legitimate interest in keeping the data for a longer period. In any event, only data required to achieve the specific purpose will be stored. Personal data are made anonymous to the possible extent.

(g) Google Maps

The operator does not store personal data via the integration of Google Maps. The personal data collected by Google will be deleted unless Google has a legitimate interest in keeping the data for a longer period. In any event, only data required to achieve the specific purpose will be stored. Personal data are made anonymous to the possible extent. The data are stored by Google according to its own privacy policy. For more information, see the Google privacy policy and terms of use.

 

4.2 Right of access, right to erasure, right to restriction of processing and right to data portability

 

(a) Right of access

You shall have the right to obtain from the operator the confirmation as to whether or not your personal data are being processed. You are also entitled to receive the following information:

  • the personal data undergoing processing and the categories of the concerned personal data,
  • the available information regarding the origin of the data,
  • the purposes of the processing and their legal basis,
  • the recipients or categories of recipients to whom the personal data have been disclosed, in particular the recipient in third countries or international organizations,
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible the criteria used to determine that period,
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data,
  • the right to lodge a complaint with a supervisory authority, as well as
  • the contact details of the supervisory authority.

The operator strives toward replying to such requests for information as soon as possible.

(b) Right to erasure

You shall have the right to obtain from the operator the erasure of your personal data without undue delay and the operator shall have the obligation to erase personal data without undue delay where one of the following criteria applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • You withdraw your consent on which the processing is based according to Article 6(1)(a) GDRP or Article 9(2)(a) GDRP and where there is no other legal reason for the processing.
  • You object to the processing pursuant to Article 21(1) GDRP and there are no overriding legitimate reasons for the processing or you object to the processing pursuant to Article 21(2) GDRP.
  • The personal data have been unlawfully processed.
  • The personal data have to be erased for compliance with a legal obligation in the Union or Member State law to which the operator is subject.
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDRP.

The operator strives toward processing requests for deletion as soon as possible.

(c) Right to restriction of processing

You shall have the right to obtain from the operator restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by you and this for a period enabling the operator to verify the accuracy of your personal data,
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
  • the operator no longer needs the personal data for the purposes of the processing but they are required by you for the establishment, exercise or defense of legal claims, or
  • you have objected to processing pursuant to Article 21(1) GDRP, pending the verification whether the legitimate reasons of the operator override those of you as the data subject.

The operator strives toward processing request for restriction as soon as possible.

(d) Right to object

You shall have the right, on grounds relating to your particular situation, to object the processing of your personal data which is based on Article 6(1)(e) GDRP and Article 6(1)(f) GDRP; this includes profiling based on those provisions. The operator shall no longer process your personal data unless the operator demonstrates compelling legitimate reasons for the processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to the processing of your personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you shall have the right, on ground relating to your particular situation, to object the processing of your personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Please use the contact address given in the imprint to send your inquiry.

(e) Right to data portability

You shall have the right to receive your personal data which you have provided to the operator in a structured, commonly used and machine-readable format, and you shall have the right to transmit those data to another controller without hindrance from the operator to whom the personal data have been provided, where the processing is based on consent pursuant to Article 6(1)(a) GDPR or to Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and when the processing is carried out by automated means.

4.3 Revocation of your consent 

Where you have consented to the processing of your personal data and revoked this consent, the processing carried out until revocation of such consent shall remain unaffected.

4.4 Right to lodge a complaint with a supervisory authority

You shall have the right to lodge a complaint with a supervisory authority at any time.

5. Recipients

The data collected during the access and the use of the website and the data you provided from the first contact shall be transmitted to the server of the operator and stored there. Apart from that, your data may be disclosed to the following categories of recipients:

  • Computer centers
  • IT service providers
  • Providers of tracking tools

6. Links to third-party websites

When visiting the website, contents linked to third-party websites may be displayed. The operator shall have no access to the cookies or other features used by third-parties, nor be able to control them. Such third-party websites are not subject to the data protection regulations on the part of the operator.