Data privacy statement

3. DATA PROCESSING OPERATIONS, PURPOSES OF PROCESSING AND LEGAL BASIS FOR PROCESSING

On our websites, data is processed for the following purposes, to the following extent, and on the following legal bases:

3.1 Web server logs

During your visit on our websites, the web server (meaning the server on which our websites are located) automatically collects certain data about your visit. These include, for example, your IP address, the date and time of your visit, the website you visited previously, the pages you viewed on our website and your activities performed there, the amount of data transmitted, the duration of data transmission, the operating system used by you, the browser used by you, details on your internet provider as well as details on cookies potentially set by our website.

On the one hand, this information is used to determine the originator of system abuse in cooperation with your internet provider and/or the relevant authorities.

In addition, the web server logs are used, with your consent, to analyze user behavior on our websites to optimize our Internet presence and analyze whether a user became aware of Computop via an advertising measure on the Internet or a previously defined search term.

Storage of the advertising server logs and other personal data of the user only takes place in cases where a legal basis or consent exists, which is necessary for the respective purpose. This applies in particular to the following cases: If a login is required on some of our websites, the user name of the user concerned is stored in this context together with the web server logs in order to be able to carry out or trace the login. Storage of the web server logs and other personal data may also be necessary in cases where our website provides for the submission of electronic declarations of consent. Furthermore, further personal data is stored together with the web server logs for technical control of payment transactions via Computop Paygate. Details of this are described in the section "Data processing in Computop Paygate".

Legal basis: Article 6 section 1 sentence 1 lit. a GDPR (web analyses), Article 6 section 1 sentence 1 lit. b GDPR (data processing in Computop Paygate) and Article 6 section 1 sentence 1 lit. f GDPR (other data processing). Legitimate interests of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR: Detection of possible system abuses, enabling and traceability of logins, documentation of possible electronic declarations of consent.

 

3.2 Cookies

Some of our websites use so-called cookies. Cookies are small text files stored on your terminal device in the directory of the browser used as soon as you visit the respective website. Cookies can store information that the web server from which the respective cookie originates can read. Due to this property, they can, for example, enable a login or the use of form fields on the website, save login or other settings for future visits or analyze the user behavior of website visitors.

In general, the following types of cookies can be distinguished from each other:

Technically necessary cookies: First of all, some of our websites set so-called technically necessary cookies. Technically necessary cookies serve the purpose of allowing a website to function and display smoothly. If you do not want technically necessary cookies to be installed, you can deactivate the acceptance of cookies in your browser. You will then still have access to the majority of our websites; however, you may not be able to use all the functions of our websites to their full extent.

Technically unnecessary cookies: In addition, some of our websites set so-called technically unnecessary cookies with your consent. These technically unnecessary cookies serve the following purposes in particular:

• Embedding content on our websites that is located on online platforms of other providers on which we maintain presences (in particular video and music streaming portals as well as social networks).
• Analysis of user behavior on our web pages to be able to optimize our Internet presence and analyze whether a user became aware of Computop via an advertising measure on the Internet or a previously defined search term.
• Storage of your data in the context of the use of comment functions so that you do not have to enter them again in the future.

Cookies can also generally be differentiated according to their storage duration, which in turn depends on the purpose of the respective cookie. These can either be so-called "session cookies", which are automatically deleted when you close the browser. Or they may also be long-lived cookies that are not deleted after you close the browser, but by means of which you can still be recognized as a visitor at a later time.

Cookies can either be set by Computop itself or by other providers whose services Computop has integrated on its websites.

The descriptions of the services used on this website also contain information on whether cookies are used.

Legal basis:
Technically necessary cookies: Article 6 section 1 sentence 1 lit. f GDPR (balance of interests). Legitimate interest of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR: Implementation of security services on our websites, smooth functioning, and display of our website, enabling the use of logins and other forms on our websites.
Technically unnecessary cookies: Article 6 section 1 sentence 1 lit. a GDPR (consent). If you do not give your consent, you may not be able to use the corresponding service or only to a limited extent. You can revoke your consent at any time with effect for the future. Please refer to the section "Management of consent on our website" for details on granting and revoking consent.
 

 

3.3 Management of consents on our website

Consents for cookies, plugins, and web analytics services:

Cookie banner:
On most of our websites, you will first be shown a banner asking you to either agree to cookies or reject them when you get there. If you decline, only technically necessary cookies will still be set, plugins and web analytics services will not be activated. Your decision regarding cookies is subsequently stored in a technically necessary cookie with the designation "tx_cookies_disabled" or with the designation "tx_cookies_accepted". Should you wish to change your decision regarding the setting of cookies (and thus also the activation of plugins and web analytics services) at a later point in time, we ask you to delete the aforementioned cookie in your browser directory and reload the website. Afterward, the cookie banner will be displayed again, with which you can specify your decision accordingly.

Shariff:
In addition, instead of regular "share" buttons and plugins from online platforms on which we maintain presences (such as social networks, video or music streaming portals), we use alternative buttons on most of our websites that use the privacy-friendly "Shariff" technology. Regular buttons from online platforms on which we maintain presences already connect to the servers of the respective platforms when a page is loaded on which the buttons are located, and cookies are usually also set. The "Shariff" buttons, on the other hand, behave like regular links and only establish direct contact between the online platform and the visitor when the visitor actively clicks on the corresponding button. Before this click, the online platforms cannot collect any data about visitors. More information about Shariff technology can be found here: www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html, www.heise.de/newsticker/meldung/Datenschutz-und-Social-Media-Der-c-t-Shariff-ist-im-Einsatz-2470103.html.

Consent Management WordPress:
On the part of our websites based on the WordPress software (this concerns, in particular, our blog "PAYMENT INSIGHTS by Computop"), we use the WordPress plugin "GDPR ALL IN ONE FOR WORDPRESS" for the management of consents related to cookies, plugins and web analytics services. When you arrive at our blog, you will first see a cookie banner that allows you to accept cookies or personalize the settings. If you choose "Personalize", you can decide individually for all services used. You also have the option to change your setting at any time (i.e., for example, to revoke related consents) by clicking on the "Privacy settings" field at the bottom left of the web page.

Other Consents:
For other types of consent that may be given through our websites (e.g., subscribing to newsletters or storing your data in form fields for future use), please refer to the description of the individual data processing operations within this Privacy Policy.

 

3.4 Security measures on our website and fast delivery of our web pages

We use various services of the provider Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA on our websites. Essentially, these are services that make our website faster and more secure. The services are provided directly by Cloudflare only on our general websites. For all websites concerning the payment area, corresponding solutions are installed on our own servers.

Specifically, Cloudflare provides the following services:

SSL encryption of our websites:
We use Cloudflare to provide you with secure data transmission on our website using SSL encryption. SSL encryption ensures that third parties cannot read data that you transmit to us via our websites. You can recognize that an encrypted connection exists because the link in the address line of the browser changes from "http://" to "https://". A lock symbol also appears in the address line of the browser.

Speed up the loading time of our website:
Cloudflare provides a so-called Content Delivery Network (CDN), also called Content Distribution Network. Due to the use of this CDN, the average loading time of our website is significantly reduced. Cloudflare places copies of our web pages on a network of Cloudflare servers. A system of load balancing ensures that our web pages are delivered optimally, even during large load peaks. They are always loaded from the server that can deliver them the fastest or where the loading time is the shortest.

Security services:
Cloudflare also provides various security services, such as in particular a reverse proxy server, a web application firewall, and protection against DDoS attacks. Cloudflare blocks attacks (e.g., by abusive bots, crawlers, or spam) that, for example, waste server resources, slow down the load time of our websites, or attempt to attack our systems in other ways.

In order to provide the aforementioned services, the entire data transfer between your browser and our websites flows via the infrastructure of Cloudflare. This concerns our websites' content and all data processing on our websites described in this privacy policy, such as web server log data or other data that you as a visitor may enter on our websites. Cloudflare delivers the content of our websites on the one hand and analyzes the data traffic to prevent attacks.

Cloudflare sets a cookie called "cfduid" to protect our website from attacks and distinguish legitimate traffic from attacks. The cookie is used to identify and distinguish individual visitors within shared IP addresses. This, in turn, serves the purpose of being able to evaluate whether an end-device within a shared IP address is trustworthy or not and accordingly apply security settings to each individual visitor. The setting of this cookie is necessary to enable you to access our websites.

Cloudflare processes personal data both in countries within and outside the EU or the EEA. Cloudflare has submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection within the meaning of the GDPR.

Legal basis: Article 6 section 1 sentence 1 lit. f GDPR. Legitimate interests of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR: It is in the legitimate interest of Computop to make the web presence faster using a content delivery system and more secure with SSL encryption and various security services. It is also in the legitimate interest of Computop to set a cookie in this context, by which legitimate data traffic can be distinguished from attacks. Cloudflare is active for Computop within the scope of order processing. Therefore, we have concluded an agreement with Cloudflare that complies with the requirements of Article 28 of the GDPR. Since Cloudflare processes personal data both in states within and outside the EU or EEA, the agreement also contains the EU standard contractual clauses. Cloudflare has also submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection within the meaning of the GDPR.

 

3.5 Presence on well-known online platforms and integration of content via plugins

We maintain presences on various well-known online platforms where we present our company with different types of content, such as, in particular, texts, images, video, and audio content. The content can be marked, commented on, or shared through interactive buttons with predefined icons (such as "like"). Additionally, it is possible to follow us on the online platforms, subscribe to our content, and add video and audio content playlists.

Furthermore, we include content located on these online platforms as plugins or widgets on our websites or integrate other interactive buttons or elements of these online platforms on our websites. You can recognize these by the logo of the respective platform. Plugins or widgets are, so to speak, small web pages of the respective online platform within our websites. If you agree to use one of these services on our websites, a direct connection is established between your browser and the servers of the respective online platform. This allows the respective service to process personal data about you and set cookies on your terminal device.
The personal data about you processed by the online platforms may be web server log data, information about your visit to our website, and data about your use of the services offered by the online platforms or interactions with these services on our website (such as calling up certain content or pressing interactive buttons). If you have a user account with the respective online platform and are logged in there, the online platform may link this data with other data stored in your user account. If you do not wish to do this, you must log out of the respective online platform before visiting this website.

Insofar as we use plugins, we integrate them in a data protection-compliant manner either by using the data protection-friendly "Shariff" buttons or by obtaining your express consent before activating plugins and any associated data transmission and any setting of cookies by the online platforms. Details on "Shariff" as well as on the management of consent declarations in connection with plugins are described in the section "Management of consent on our website".

In some cases, individual online platforms offer additional opt-out options. In addition, you have the option to deactivate the acceptance of cookies in your browser generally. However, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent.

The Services also process personal data in some cases in countries outside the EU or the EEA.

For further details on the processing of your personal data by the respective online platforms, please refer to the privacy statements of the respective providers, which we link to below in connection with the description of the individual services.

We also point out that some of the services may perform their own web analytics if you agree to their use (e.g., using Google services). Therefore, it may happen that providers of the online platforms, even if you have rejected web analytics on this website, perform their own web analytics independent of Computop, over which Computop has no influence.

Specifically, the services are as follows:

Spotify: Music streaming portal on which we present our company via a podcast with audio content.

• Provider: Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden („Spotify“).
• Cookies: Yes, the provider sets cookies.
• Data processing outside EU/EEA: Yes. The provider is a company based within the EU/EEA and therefore legally obliged to comply with the requirements of the GDPR. For details, please refer to the provider's privacy policy.
• Privacy policy: https://www.spotify.com/us/legal/privacy-policy/
• More information and overview of Spotify plugins and widgets: https://developer.spotify.com

Vimeo: Video portal where we present our company via videos.

• Provider: Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA (“Vimeo”).
• Cookies: Yes, the provider sets cookies.
• Data processing outside EU/EEA: Yes. Vimeo has submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection within the meaning of the GDPR.
• Privacy policy: https://vimeo.com/privacy

YouTube: Video portal where we present our company via videos.

• Provider: YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA („YouTube“), a subsidiary of Google LLC and represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“).
• Cookies: Yes, the provider sets cookies.
• Data processing outside EU/EEA: Yes. YouTube's parent company Google LLC has submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection within the meaning of the GDPR.
• Privacy policy: http://www.youtube.com/t/privacy_at_youtube

LinkedIn: Social network on which we present our company with different types of content, such as in particular, texts, images, video, and audio content.

• Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Ave, Sunnyvale, California 94085, USA (“LinkedIn”).
• Cookies: Yes, the provider sets cookies.
• Data processing outside EU/EEA: Yes. The provider is a company based within the EU/EEA and therefore legally obliged to comply with the requirements of the GDPR. For details, please refer to the provider's privacy policy. LinkedIn's parent company LinkedIn Corporation, 1000 W. Maude Ave, Sunnyvale, California 94085, has submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection within the meaning of the GDPR.
• Privacy policy: https://www.linkedin.com/legal/privacy-policy.
• Additional objection option / opt-out (in addition to the settings options on our website): www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

XING: Social network on which we present our company with different types of content, such as in particular, texts, images, video, and audio content.

• Provider: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany („XING“).
• Cookies: Yes, the provider sets cookies.
• Data processing outside EU/EEA: Yes. The provider is a company based within the EU/EEA and therefore legally obliged to comply with the requirements of the GDPR. For details, please refer to the provider's privacy policy.
• Privacy policy: https://privacy.xing.com/en

Twitter: Social network on which we present our company with different types of content, such as in particular, texts, images, video, and audio content.

• Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, a subsidiary of Twitter, Inc., 1355 Market Street #900, San Francisco, California 94103, USA („Twitter“).
• Cookies: Yes, the provider sets cookies.
• Data processing outside EU/EEA: Yes. The provider is a company based within the EU/EEA and therefore legally obliged to comply with the requirements of the GDPR. For details, please refer to the provider's privacy policy. Twitter's parent company Twitter, Inc., has submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection in terms of the GDPR.
• Privacy policy: https://twitter.com/en/privacy

Legal basis: The legal basis for the processing of your personal data by online platforms, the use of plugins and widgets of these online platforms on our websites, and the setting of cookies by the online platforms is your consent (Article 6 section 1 sentence 1 lit. a GDPR). Details on obtaining consent declarations and your options to revoke them at any time with effect for the future can be found in the section "Management of consents on our website".

 

3.6 Web analytics services

On some of our websites, we use various web analysis services of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The purpose of the aforementioned services is the statistical evaluation of visitors' user behavior to our websites to be able to optimize our Internet presence and measure the success of advertising measures.

Google Analytics:
We use the "Google Analytics" service on some of our websites. The purpose of the processing is the statistical evaluation of visitors' user behavior to our websites to be able to optimize our Internet presence.

If you visit our websites and have consented to the use of Google Analytics, Google Analytics will store so-called cookies on your terminal device, which enable an analysis of your use of the website. The information generated by the cookies about your use of this website (including your IP address) is usually transmitted to a Google server in the USA and stored there. We have activated IP anonymization in the context of our use of Google Analytics, i.e., your IP address will be truncated beforehand by Google within member states of the EU or EEA. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. Google may also transfer this information to third parties required to do so by law or where such third parties process the information on Google's behalf. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

Google Tag Manager:
We use the "Google Tag Manager" service on some of our websites. The purpose of the processing is the statistical evaluation of visitors' user behavior to our websites to be able to optimize our Internet presence.

The Google Tag Manager makes it possible to control various Google services in an individualized way. Computop uses the Google Tag Manager to control Google Analytics. Google Tag Manager works with so-called tags, triggers, and variables. Tags are short sections of code integrated into the source code of those web pages that are to be analyzed. Tags are responsible for sending tracking data to a system like Google Analytics. Triggers are the rules that determine whether a tag is triggered or not (i.e., whether the tracking data is sent to the connected system or not). They check whether certain events occur, such as clicks, form submissions, or page loads. Variables are placeholders for values that can change; they can contain values that are used in a trigger to check a condition. Overall, Google Tag Manager thus enables individualized tracking that deviates from the standard Google Analytics settings according to Computop's requirements. The purpose is the statistical evaluation of the user behavior of visitors to our websites in order to be able to optimize our Internet presence.

The Google Tag Manager does not set any cookies and does not collect any personal data itself. It merely ensures the individualized control of other Google services but does not access this data itself.

Google Ads:
We also use the "Google Ads" service to attract new website visitors via Google advertising measures. For this purpose, we have defined several search terms in Google Ads that are tailored to our corporate offering. If you enter one of these search terms in Google, a sponsored search result or other advertising measures from Computop may appear in a Google search. If you reach our website via such a Google advertising measure or a sponsored search result and have consented to the use of Google Analytics on our websites, we can analyze the success of our advertising measures via Google Analytics.

Google processes personal data in the USA and, where applicable, also in countries outside the EU or the EEA. According to its own information in its privacy policy, Google complies with the regulations of the GDPR and has also submitted to the EU-US Privacy Shield, which creates an appropriate level of data protection in the sense of the GDPR.

For further details on the processing of your personal data by Google, please refer to the provider's privacy policy: policies.google.com/privacy.

Legal basis: The legal basis for the processing of your personal data by Google is your consent (Article 6 section 1 sentence 1 lit. a GDPR). Since Google acts for Computop by way of commissioned processing, we have also concluded a commissioned processing agreement with Google in accordance with Article 28 of the GDPR. Google has also submitted to the EU-US Privacy Shield, which establishes an appropriate level of data protection within the meaning of the GDPR. For details, please refer to the provider's privacy policy: policies.google.com/privacy.

Details on obtaining consent declarations and revocation options in this context are explained in the section "Management of consent on our website".

In addition, you have the option to download and install an extension for web browsers offered by Google for this purpose (so-called browser add-on or browser plugin) under the link tools.google.com/dlpage/gaoptout, by which the data collection by Google Analytics and the processing of this data by Google can be prevented.

Furthermore, you have the option to deactivate the acceptance of cookies in your browser generally. However, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent.

Matomo:
Matomo is a privacy-friendly web analytics software that is used without cookies and recognizes returning users with the help of a so-called "digital fingerprint" that is stored anonymously and changed every 24 hours; with the "digital fingerprint", user movements within our online offering are recorded with the help of anonymized IP addresses in combination with user-side browser settings in such a way that it is not possible to draw conclusions about the identity of individual users; service provider: Self-hosted web analytics/reach measurement; Website: matomo.org.

Objection: Our Matomo installation is configured to read and follow the do-not-track header that your browser sends. Therefore, to object to our collection of statistical data via Matomo, you can enable the "Do not track" switch in your browser's security settings.

Legal basis: Article 6 section 1 sentence 1 lit. f GDPR. Legitimate interest of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR: More user-friendly and effective design of our web presence. General success and reach measurement of our website and campaigns.

 

3.7 Blog

We have integrated our blog "PAYMENT INSIGHTS by Computop" on our websites. The blog is based on software from WordPress, which is installed on our own servers. In order to be able to use WordPress in accordance with data protection, we have taken various measures:

Plugins, cookies, and web analytics:
On our blog, we integrate different content (e.g., audio or video content) located on other Internet platforms on which we maintain presences (YouTube, Vimeo, Spotify, LinkedIn, Xing, Twitter). The provision takes place via so-called plugins, and cookies can also be set. Furthermore, we use web analytics services that also set cookies. Details of all the aforementioned services are described in separate sections of this privacy policy. For protecting your personal data, the plugins and web analytics services will not be active, and no cookies will be set until you have given your express consent to do so. For details, please refer to the section "Consent management on our website".

Comment function:
We also provide a comment function on our blog. Filling in the fields name, email address, and/or website is optional. You can also leave these fields completely blank or enter a pseudonym instead of a name. If a comment is published, a possibly specified name or a pseudonym and information on the time of the comment entry will appear next to the comment. The specification of website and email address are not required from the point of view of Computop, but the corresponding fields can not be disabled in the software of WordPress. If you specify a website, it will be linked in your comment behind your name or pseudonym. Any email address you provide will only be displayed to Computop but will not be used for any purpose; it would only be relevant for the "Gravatar" service, but we have disabled it for privacy reasons (see below). We have chosen the settings in WordPress so that IP addresses are not recorded when using the comment function (the web server logs only contain information about the call of the respective page by the corresponding IP address, but not about the use of the comment function). You, therefore, have the option of using the comment function entirely anonymously.

If you want to enter your name, email address, and/or website and have them saved for future comments, you must agree to the storage by clicking on the field provided for this purpose in the comment function. If you do this, your data will be stored separately for each field in a corresponding cookie (the names of the cookies begin with "comment_author", "comment_author_email", and "comment_author_url" and each end with a unique identification number). If you do not want the storage for the future, we ask you to delete the corresponding cookies.

The comment function is moderated at Computop, i.e., comments are only published after approval by Computop. The reservation of publication serves to prevent comments with illegal content, hate speech, or comments by bots.

You have the option of having comments deleted after publication by contacting marketing(at)computop.com. Since it is also possible to use the comment function anonymously, you can request deletion in particular if your actual name has been used, if the comment can be traced back to you or relates to you in any other way, or if reasons are arising from your particular situation. We only influence the deletion of comments on our own websites, but not on the fact that comments may have been copied after publication and published on other websites. In addition, some search engines on the Internet may also be able to find historical websites.

No profile pictures:
We have disabled the feature included in WordPress that allows profile pictures from the Gravatar service of Automattic Inc, 60 29th Street #343, San Francisco, CA 94110, USA, to be displayed next to comments for privacy reasons.

Legal basis: The legal basis for processing your personal data using plugins, cookies, and web analytics, as well as when using the comment function, is your consent (Article 6 section 1 sentence 1 lit. a GDPR). Details on obtaining declarations of consent and your options to revoke them at any time with effect for the future can be found in this section as well as the section "Management of consents on our website".

 

3.8 Promotional address

We may contact you for advertising purposes (e.g., by email, telephone or mail) if you have either given us your consent to do so or a legal requirement allows us to contact you for advertising purposes.

In the context of sending email newsletters, we use the services of the provider CleverReach GmbH & Co. KG, Mühlenstr 43, 26180 Rastede, Germany ("CleverReach"). We integrate a form for registering for email newsletters on our websites via the service provider, obtain the consent required to send the newsletters using the double opt-in process, and send email newsletters via the CleverReach platform.

Personal data that we process connected with the subscription to email newsletters are your email address, the information about your registration or consent to the email newsletter, and web server log data. Furthermore, we collect salutation, first name, last name, and company with your consent when you register for the newsletter in order to be able to address you in a personalized manner.  The newsletter delivery system automatically logs whether, when, and which newsletters were opened (opening rate) and whether, when, and which links in newsletters were clicked (click rate). This enables Computop to recognize how engaging the newsletters and their specific contents are for the recipients of the newsletters. Computop uses these findings to make future newsletters even more enjoyable.

Legal basis: The legal basis for advertising may be either Article 6 section 1 sentence 1 a GDPR or Section 7 of the Unfair Competition Act (UWG). You can object to the use of your personal data for advertising purposes at any time with effect for the future or revoke your consent to advertising at any time with effect for the future by sending an email to marketing(at)computop.com or, in the case of an email newsletter, by clicking on the link provided there. The legal basis for Computop to commission a processor in connection with the sending of email newsletters is Article 28 of the GDPR. For this purpose, Computop has concluded the legally required contract for commissioned processing with CleverReach in accordance with Article 28 GDPR.

 

3.9 Computop Services

Contact by email or via a contact form

Our websites offer the possibility to contact us via email addresses stored on our website or various contact forms. The personal data that you provide to us in this context will be processed for correspondence with you and for the purpose for which you have provided us with the data.

Among other things, a form is integrated on our websites with which you can contact our helpdesk (the Merchant Services department) with support requests. We use a ticketing system of the provider Zendesk Inc., 1019 Market St, San Francisco, CA 94103, USA ("Zendesk"), whereby we have chosen the option that our data is hosted exclusively within the European Economic Area (EEA). Zendesk acts on our behalf by way of commissioned processing, and we have entered into a commissioned processing agreement with Zendesk that complies with Article 28 of the GDPR. This agreement also includes the EU standard contractual clauses, as Zendesk uses service providers in third countries for parts of its services despite hosting our data in the EU. Zendesk has committed its service providers to the same standards as those contractually agreed between Computop and Zendesk. Zendesk also holds numerous data protection-related certifications ISO 27001:2013, ISO 27018:2014, SOC 2 (System Organization Controls 2 Report), SOC 3 (System Organization Controls 3 Report), PCI-DSS (Payment Card Industry Data Security Standard), and TRUSTe® Privacy Certification, and has also submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection as defined by the GDPR. In addition, Zendesk has implemented Binding Corporate Rules within the Group, which the European data protection supervisory authorities have approved.

Legal basis: Various legal bases may come into consideration here depending on the request's content, particularly Article 6 section 1 sentence 1 lit. b, c, or f GDPR. Legitimate interest of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR: Enabling contact via email or contact form.

Placing orders, online store, and boarding forms

If you place an order with us or place an order in our online store, the personal data you provide in this context will be processed to establish and implement the contract with the company for which you are acting or, in exceptional cases, the contract with you personally and for communicating with you and the company for which you are acting. The same applies if you access our boarding form following an order in the online store or if you receive a link to our boarding form following the conclusion of a contract outside the online store and provide information there. Our boarding forms are used for the selection of individual services following an order or placing of an order or for the correction of individual ordered services (e.g., in the case of ordered bundles which must be subsequently adapted to the individual requirements of the customer) as well as for the configuration of the customer's connection to Computop Paygate in general. Information provided in these forms is also used to execute the contract with you or with the company for which you act.

Legal basis: Legal basis is if you act for a company, Article 6 section 1 sentence 1 lit. f GDPR. Legitimate interest of Computop in the context of Article 6 section 1 sentence 1 lit. f GDPR: Establishment and execution of the contract between Computop and the company for which you are acting. If exceptionally, a contract is concluded between Computop and you personally, the legal basis is Article 6 section 1 sentence 1 lit. b GDPR.

Data processing in Computop Paygate

Computop offers merchants and other entities (merchants and other entities are hereinafter referred to as "clients") as a central service the connection to Computop Paygate, a payment platform specially developed and operated by Computop, which enables the technical control of payment transactions from different channels, e.g., for payments on the Internet or online stores (e-commerce), for payments using mobile devices such as smartphones or tablets, via in-app payment (m-commerce) or for payments via POS terminals (point-of-sale terminals, e.g., in the checkout environment, using mobile terminals or at vending machines). Technically controlled are payments made by payers to our clients who are connected to Computop Paygate. Computop Paygate currently offers more than 335 national and international payment methods and acquirer connections, such as credit cards, debit cards, e-wallet systems (such as PayPal), direct debit, online bank transfer, prepayment, invoice and installment purchase, and much more. Computop Paygate also supports various fraud prevention methods. With the Computop Analytics and Computop Reporter modules, Computop's clients have access to the data relevant to them for the payments managed on their behalf, and they have tools at their disposal for analyzing payments of all channels and payment types and for optimizing sales (including using visualized status reports, retrospectives and comparisons). If a person (e.g., a customer) makes a payment to one of our clients (e.g., in an online store), then he may reach a payment form hosted by Computop (the so-called hosted payment page) as part of the purchase process. The Computop Paygate with its previously described modules Computop Reporter and Computop Analytics and the component Hosted Payment Page is hereinafter collectively referred to as "Computop Paygate".

Computop provides its clients with the connection to Computop Paygate within the scope of order processing according to Article 28 GDPR. If you are connected to Computop Paygate as a client, you have the option of requesting the legally required agreement on commissioned processing pursuant to Article 28 GDPR including a description of the technical and organizational measures taken by Computop pursuant to Article 32 GDPR from us. Please contact dataprotection(at)computop.com in this regard.

Computop has taken technical and organizational measures at a very high security level for data processing in Computop Paygate. Computop is certified according to the Data Security Standard of the Payment Card Industry (PCI-DSS) and, in this context, regularly undergoes strict external audits of the technical and organizational measures. For details, please refer to the very extensive catalog of test criteria of the PCI Data Security Standard, the latest version of which is available on the website of the PCI Security Standards Council (https://www.pcisecuritystandards.org). This catalog of test criteria clarifies how comprehensively the technical and organizational measures are regularly certified at Computop.

During data processing in Computop Paygate, separate web server protocols are written, which are kept separate from the general web server protocols. All databases of the payment area and the associated web server logs are located in a separate, highly encrypted area of our servers according to PCI-DSS requirements. Storage of the web server logs from Computop Paygate and other personal data of the user only takes place in cases in which this is necessary for the respective purpose. This applies in particular to the following cases: If a login is required for data processing (in particular in Computop Analytics and Computop Reporter), the user name of the user concerned is stored in this context together with the web server logs in order to be able to carry out or trace the login. Furthermore, the Computop Paygate web server logs contain the name of the specific service used. Storage of the web server logs and other personal data is also necessary for technical control of payment transactions via Computop Paygate. The data from the web server logs are stored together with the other data for a payment in the individual transactions in order to be able to technically control the payments on behalf of the respective customer or to ensure traceability afterward. Furthermore, this enables follow-up actions such as chargebacks or credit notes. Depending on the specific order placed with Computop by the client, some of the data from the web server logs may also be used to the legally permissible extent for fraud prevention.

Session cookies are set in the Computop Analytics and Computop Reporter modules belonging to Computop Paygate, which enable clients to access the payment transactions processed on their behalf. The functionality of session cookies and your objection options in this context are described under the point "Cookies".

On the payment form (the hosted payment page), on the other hand, no cookies are set by default. Computop's clients, however, have the option to adapt the payment form to their needs or to use their own payment form. In doing so, it is also possible that the customized payment page could set cookies. Customized payment pages are always the client's responsibility to whom the payment was made, and reference is made in this regard to the privacy policy of the respective client. In general, the data protection declaration of our respective customer applies as long as the payer is still on the customer's website before the payment is initiated (e.g., in an online store or the shopping basket there) or, if applicable, also on a customer's own payment form. The data protection declaration of Computop only applies at the time when the payer actually changes from the website of the customer to the website of Computop (to the payment form located there, the hosted payment page) and the payer has received a notice from the customer of Computop in accordance with § 13 paragraph 5 TMG on the forwarding from a service provider in the sense of the TMG to another service provider in the sense of the TMG. In summary, this means that either the data protection declaration of the client or the data protection declaration of Computop can apply to the payment form depending on the design.

Analyses of user behavior are not carried out in Computop Paygate, its modules Computop Analytics and Computop Reporter, or on the payment form (hosted payment page).

Legal basis: For the technical control of payment transactions on behalf of clients, the legal basis is Article 6 section 1 sentence 1 lit. b GDPR in conjunction with Article 28 GDPR; otherwise, e.g., for the use of cookies, the legal basis is Article 6 section 1 sentence 1 lit. f GDPR. Legitimate interest of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR (related to cookies): More user-friendly and effective design of our website.

Merchant notification service

We use the service Statuspage.io to enable clients (such as merchants) to subscribe to general notifications with crucial technical information via email, SMS, RSS feed, or Atom feed. In particular, this is information about maintenance work or malfunctions.

Provider of the Service is: Dogwood Labs, Inc, 1098 Harrison Street, San Francisco, CA 94103, USA ("Dogwood Labs"), a subsidiary of Atlassian, Inc, 341 George Street, Sydney, NSW 2000, Australia / 350 Bush Street, San Francisco, CA 94104, USA ("Atlassian").

The type of personal data processed in connection with the subscription to notifications depends on the type of subscription. In the case of email notifications, the subscriber's email address is processed, and in the case of notifications via SMS, the cell phone number. Statuspage.io also sets cookies; for details, please refer to the provider's privacy policy: www.atlassian.com/legal/privacy-policy.

Statuspage.io also processes personal data in countries outside the EU or the EEA. Dogwood Labs, Inc., as well as its parent company Atlassian, Inc., have submitted to the EU-US Privacy Shield, which establishes an adequate level of data protection within the meaning of the GDPR.

Legal basis: The legal basis for the processing of your personal data to send notifications with technical information is your consent (Article 6 section 1 sentence 1 lit. a GDPR), which you give when you subscribe to notifications. You can revoke your consent at any time with effect for the future by terminating your subscription to the relevant notifications.
The legal basis for Computop to commission a processor for this data processing is Article 28 GDPR. For this purpose, Computop has concluded the legally required contract for commissioned processing according to Article 28 GDPR with Dogwood Labs, Inc., which also contains the EU standard contractual clauses.

 

3.10 Applicant Portal

You have the opportunity to apply to us via our applicant portal.

Our applicant portal is operated and hosted by the provider softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin ("Softgarden"). For this purpose, we have concluded the legally required data processing Agreement according to Article 28 GDPR with Softgarden.

Account:
As part of the application process, after setting a user name and password, you can create and manage an account in the applicant portal. Legal basis for the creation of an account in the applicant portal: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). You have the option to revoke this consent at any time with effect for the future.

Cookies:
In the application portal, the technically necessary session cookie "JSESSIONID" is being placed. This cookie stores a so-called session-ID, with which various requests from your browser can be assigned to the joint session. This allows your computer to be recognized when you return to our website. The session cookie is deleted when you log out or close the browser. Legal basis for the setting of technically necessary cookies: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interest of Computop within the scope of Article 6 Section 1 Sentence 1 lit. f GDPR: User-friendly design of our applicant portal.

Application process:
Your personal data that you provide to us as part of the application process (such as name, address and contact details, cover letter, curriculum vitae, application photos, certificates, profiles in social networks (e.g. XING, LinkedIn), and any other data and documents) will be processed to carry out the application process and, in case of a potential employment, to carry out the employment relationship. In case of a successful application, your application documents will become part of the personnel records, in the event of a rejection of an application for a specific job offer, your application documents will be deleted 6 months after receipt of the rejection (however, regardless of the application for a specific job offer, you have the opportunity to register in our talent pool for an undefined period of time, details are explained below). Legal basis for the processing of your personal data in the context of the application process and for the initiation of an employment relationship is Article 6 Section 1 Sentence 1 lit. b GDPR or Article 88 GDPR in connection with § 26 Section 1 Sentence 1 German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

Automated CV analysis:
In our applicant portal, documents uploaded by you are automatically being analyzed in order to extract CV data and convert it into a structured form. For this purpose, Softgarden uses the ISO 27001-certified sub-processor Textkernel B.V., Nieuwendammerkade 26 A 5, (1022AB) Amsterdam, The Netherlands, with whom Softgarden has concluded a data processing agreement according to Article 28 GDPR. Data processing takes place within the EU on servers in the Netherlands and Germany. Legal basis for processing your data via an automated CV analysis: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interest of Computop in the context of Article 6 Section 1 Sentence 1 lit. f GDPR: Efficient design of the application process.

Talent pool:
Regardless of an application for a specific position, or after an unsuccessful application, you have the option to voluntarily register in our talent pool on the basis of a consent. This is can be done via the "Get in touch" button or by using an opt-in link that has been provided to you in this context. Should a suitable position be open, we have then the opportunity to contact you in this regard. Legal basis for registration in the talent pool: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). You can revoke this consent at any time with effect for the future. We will also contact you at regular intervals and ask if you would like to continue to be registered in the talent pool.

Recommendation of potential applicants:
Our applicant portal also offers the opportunity to recommend potential applicants. Should you apply to us on the basis of such a recommendation, the person who has recommended you will receive the information that you have applied to us, together with your profile photo, your name and information about the position for which you have applied. Should you not wish that the referring person receives this information, you have the option to choose, before completing the application, that the referring person will only see this information without a direct personal reference, which means the person who recommended you will then only receive the information that someone has applied on the basis of their recommendation but does not see which person this is. Legal basis for the processing of personal data when recommending potential applicants: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interest of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Our legitimate interest is to give our employees the opportunity to recommend persons known to them for vacancies. This gives us the opportunity to make our applicant selection process more efficient.

Subscription to job advertisements:
On the Careers Board, you have the option of being automatically informed about new vacancies via e-mail newsletter or RSS feed. Legal basis for subscribing to job advertisements by e-mail newsletter: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). You can revoke this consent at any time with effect for the future by clicking on the unsubscribe link in the newsletter. Legal basis for subscribing to job advertisements via RSS feed: Not required, as personal data is not processed.

Social media buttons (links) for sharing job advertisements:
Our applicant portal offers the possibility to share our job advertisements on various social networks (Facebook, Twitter, LinkedIn, XING). The buttons to these social networks on our applicant portal are pure links (not plugins). This means that no automatic connection to the social networks is established. A data transfer only takes place when you click on one of the buttons. Legal basis: Not required, as these are pure links (not plugins) and data transmission only takes place if one of the links is deliberately clicked. After clicking on the respective link, the data protection declaration of the website of the respective social network applies, there you can inform yourself about the processing of personal data by the respective network.

Feedback survey to improve the applicant portal:
At the end of the application process via our applicant portal, you may be shown a link to an anonymous survey that is carried out and evaluated by and in the own interest of Softgarden, the provider of the applicant portal, in order to improve and further develop their products and services as well as the overall application experience, and to carry out studies on recruiting trends. For this purpose, Softgarden uses the platform of the service provider easyfeedback GmbH in Koblenz. Participation in such a survey is voluntary and, according to Softgarden, takes place anonymously and via a connection secured by the SSL encryption method SHA256 (SSL 3.0 fallback deactivated). The survey system cannot establish a connection between you and the results. The cookie tracking and IP blocking options to prevent multiple participations are not activated. You also have the option of cancelling the survey at any time by closing the browser window – the answers given up to this point will be transmitted to Softgarden. Legal basis for conducting feedback surveys: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests, legitimate interest of a third party). Legitimate interest of Softgarden (provider of Computop's applicant portal) accordung to Article 6 Section 1 Sentence 1 lit. f GDPR: Improvement and further development of products and services as well as the overall application experience, conducting studies on recruiting trends.

 

4. RECIPIENTS OF PERSONAL DATA

For the hosting of our websites and some functions integrated on our websites, we use the services of third parties. Excluded from this are all websites that belong to Computop's payment area. These websites run on Computop's own servers. Insofar as we use services of third parties on our websites, we observe the strict legal requirements and structure the contractual relationships with the respective providers following the applicable legal regulations on data protection.  Details are explained in each case with an indication of the corresponding providers in this section as well as in section 3 of this data protection declaration in the description of individual services.

 

4.1 Hosting of the Computop website

General web presence:
The general web presence of Computop, including the online store, is hosted externally by Amazon Web Services EMEA SARL, 5 Rue Plaetis, 2338 Luxembourg, Luxembourg, and exclusively on servers in Frankfurt am Main. Computop has concluded the legally required contract with Amazon Web Services for order processing according to Article 28 GDPR.

Web forms:
Furthermore, individual web forms on Computop's website are hosted externally by the provider JotForm.com. Computop has selected the so-called "EU Safe Mode" of the provider for these hosting services, where the data is located in Europe, specifically in two data centers in Germany (Frankfurt am Main and Nuremberg). Although the direct contractual partner is JotForm Inc., 111 Pine St. Suite 1815, San Francisco, CA 94111, USA, JotForm assures that no data transfers to the USA and other non-European countries as well as no accesses from the USA and other non-European countries take place. Computop has concluded a Data Processing Agreement with JotForm, which both complies with the requirements of Article 28 GDPR and contains the EU standard contractual clauses (although there is ultimately no scope of application for the EU standard contractual clauses due to the data processing taking place exclusively within Europe). The web forms currently hosted by the provider are our boarding forms for boarding clients following orders in the online store or following contract conclusions outside the online store. Our boarding forms are used for the selection of individual services following an order or placing of an order or for the correction of individual ordered services (e.g., in the case of ordered bundles which still have to be subsequently adapted to the individual requirements of the customer) as well as for the configuration of the connection of the customer to Computop Paygate in general. Information provided in these forms only concerns the general contractual relationship with clients of Computop. However, data processing in Computop Paygate itself is not affected. The latter takes place exclusively on Computop's own servers.

No external hosting in the payment area:
Generally excluded from external hosting is the entire data processing in Computop Paygate and all web-based parts of Computop Paygate. Although these are partially linked on the general Computop website, they are located on Computop's own servers. This means that clients of Computop who access a login page for their access to Computop Paygate via the Computop website are already on Computop's own servers on the login page itself, i.e., even before logging in.

Legal basis: The legal basis for the external hosting of the website is Article 6 section 1 sentence 1 lit. f GDPR in conjunction with Article 28 GDPR. Legitimate interest of Computop within the scope of Article 6 section 1 sentence 1 lit. f GDPR: Economic considerations of Computop.

 

5. DATA TRANSFERS TO COUNTRIES OUTSIDE THE EU/ EEA

In some cases where we use third-party services, personal data is also transferred to countries outside the EU or the EEA. We refer to this accordingly in the description of the individual services in sections 3 and 4 of this privacy policy, implement the existing strict legal regulations on data protection in this context, explain what kind of contractual arrangements we have made with the respective provider, if necessary, and indicate which of the providers have also submitted to the EU-US Privacy Shield, which establishes an appropriate level of data protection within the meaning of the GDPR.

 

6. DURATION OF STORAGE

The following criteria apply for determining the duration of the storage of personal data collected via our websites:

6.1 Discontinuation of the purpose

Personal data are stored as long as they are necessary to fulfill the purposes for which they were collected or processed. They are deleted as soon as these purposes cease to apply.

 

6.2 Legal retention periods (legally defined minimum retention periods)

Personal data may continue to be stored after the purposes for which it was collected or processed have ceased to apply if Computop must observe statutory retention periods. Legal retention periods are legally defined minimum retention periods. In these cases, the personal data will be deleted after the expiry of the statutory retention periods.

 

6.3 Statutory deletion periods (legally defined maximum retention periods)

Personal data is always deleted in time for the expiry of statutory deletion periods. Legal deletion periods are maximum retention periods set by law.

 

6.4 Longer retention in individual cases

In individual cases, personal data may be retained for a longer period within the framework of the applicable legal provisions (e.g., if this is necessary for the assertion, exercise, or defense of legal claims).

 

7. YOUR RIGHTS

To exercise your statutory rights of access, rectification, erasure, restriction of processing, data portability, objection, revocation, and the rights in connection with automated individual decisions including profiling, please contact:

dataprotection(at)computop.com.

You have the aforementioned rights if the legal requirements are met.

In particular, you have a right to

• information about whether personal data about you is being processed. If personal data about you is processed, you have the right to information about what personal data this is and other legally required information in this context. Details are regulated in Article 15 of the GDPR.
• correction of your personal data if they are incorrect. This also includes the right to have your personal data completed if they are incomplete. This right arises from Article 16 of the GDPR.
• the erasure of your personal data if one of the legal grounds arising from Article 17 GDPR applies (i.e., cessation of the purpose of processing, withdrawal of consent, objection to processing, unlawful processing without a legal basis, the existence of a legally regulated obligation to erase or process a child's data in relation to information society services) and if none of the exceptions also arising from Article 17 GDPR apply (e.g., the necessity of the processing for compliance with a legal obligation, such as compliance with legal retention obligations, or necessity for the establishment, exercise or defense of legal claims).
• restriction of the processing of your personal data, provided that one of the legal grounds arising from Article 18 GDPR applies (i.e., if you have disputed the accuracy of your data during the period of review, if you request the restriction of processing instead of erasure in the event of unlawful processing, if you still require the data for the assertion, exercise or defense of legal claims although the purpose of processing no longer applies, or if you have objected to the processing and it is not yet clear whose interests prevail),
• data portability, i.e., the right to receive your personal data (where data processing is based on a contract or consent) in a structured, commonly used, and machine-readable format in order to transfer it to another controller or, where technically feasible, the right to have your personal data transferred directly to another controller.
• object
  • if the permissibility of the data processing (including any profiling) is based on a weighing of interests and reasons against the data processing arise from your personal situation or
  • if it is a matter of data processing for direct advertising or profiling in connection with such direct advertising

Details are regulated in Article 21 of the GDPR.

In addition, you have a

• Right of withdrawal if data processing is based on consent,
• right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless this is necessary for the conclusion or performance of a contract with us, is permitted by law or you have given your consent. Details are regulated in Article 22 of the GDPR.
• right of appeal: You also have a right of appeal to a data protection supervisory authority. This right arises from Article 77 of the GDPR.

 

8. MISCELLANEOUS

If the provision of personal data is required in individual cases by law or for the performance of a contract with you, we will inform you of this as part of our communication with you, as well as whether you are obligated to provide the personal data or whether the information is voluntary, as well as the possible consequences of not providing it. It can happen, for example, that a failure to provide personal data has the consequence that inquiries cannot be answered or can only be answered incompletely (e.g., when asserting rights of the data subject) or the conclusion of a contract with Computop is not possible.

Computop will not process personal data collected or obtained via our websites for purposes other than those described in this data protection declaration unless this is permitted by law and Computop complies with the relevant information obligations in this context.

Information is provided within the framework of this data protection declaration insofar as you do not already have the necessary information yourself (e.g., because the data processing was transparent to you by entering data yourself in a contact form).

 

9. VALIDITY OF THIS PRIVACY STATEMENT

We reserve the right to change this privacy policy from time to time. When you visit our websites, the privacy policy currently available there will always apply.

Last update of this privacy policy: 30.06.2020