Data privacy statement

1. IDENTITY AND CONTACT DETAILS OF THE CONTROLLER AND THE CONTROLLER'S REPRESENTATIVE

Computop Paygate GmbH
Schwarzenbergstraße 4
D-96050 Bamberg

Phone +49 (0)951.98009-0
info(at)computop.com

Represented by the managing directors:
Ralf Gladis, Stephan Kück, Thomas Egglseder, Kenneth M. Overgaard-Nielsen

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

Computop has appointed an data protection officer. You may contact the data protection officer at: dataprotection(at)computop.com

3. DATA PROCESSING OPERATIONS, PURPOSES OF THE PROCESSING AND LEGAL BASIS OF THE PROCESSING

On our websites, data is processed for the following purposes, to the following extent and on the following legal bases:

3.1 Web server logs

During your visit our websites, the web server (meaning the server on which our websites are located) automatically collects certain data about your visit on our websites. These include, for example, your IP address, date and time of your visit, the website you previously visited, the pages on our website you looked at and your activities performed there, the amount of data transmitted, the duration of data transmission, the operating system you are using, the browser you are using, details on your internet provider as well as details on any cookies potentially set by our website.

This information will, on one hand, be used in cases of a system misuse in order to investigate, in cooperation with the competent authorities and, if necessary, other parties, such as your internet provider, who is the author of this misuse.

Web server logs will only be stored together with other personal data of the user in cases where there is a legal basis or consent and where this is necessary for the respective purpose. This applies in particular to the following cases: Provided that some of our websites require a log-in, in this context the user name of the respective user will be stored together with the web server logs in order to be able to facilitate and trace the log-in. Moreover, storage of web server logs together with other personal data may be necessary in cases in which our websites require the submission of electronic consents. Furthermore, storage of other personal data together with web server logs takes place for the purpose of technical steering of payment transactions via the Computop Paygate. Details are described in the section „Data processing in the Computop Paygate”.

Legal basis: Article 6 Section 1 Sentence 1 lit. b GDPR (data processing in the Computop Paygate) and Article 6 Section 1 Sentence 1 lit. f GDPR (other data processing). Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Investigation of potential system misuses, facilitation and traceability of log-ins, documentation of potentially given electronic consents.

3.2 Cookies

Some of our websites are using so-called cookies. Cookies are small text files which are stored on your device in the directory of the browser being used as soon as you visit the respective website. Cookies may store information which can be read by the web server from which the respective cookie originates. Due to this feature, they can, for example, enable a login or the use of form fields on the website, save a login or other settings for future visits, or analyze the user behavior of website visitors.

In general, there are the following types of cookies:

Technically necessary cookies: First of all, some of our websites are placing so-called technically necessary cookies. Technically necessary cookies are being used for the purpose of making a website display and function smoothly. In case you should not want to allow the placement of technically necessary cookies, you have the option to deactivate the acceptance of cookies in your browser. In this case, you will still have access to the largest part of our websites; however, it may happen that you will not be able to use all functions of our websites to their full extent.
Technically non-necessary cookies: In addition, with your consent, some of our websites are placing so-called technically non-necessary cookies. You may grant your consent via our consent banner (see section "Management of consents on our website"). Details regarding the technically non-necessary cookies are described in this privacy policy at the respective services and can also be looked up on our consent platform. To do this, you can either click on "Adjust" in the consent banner or on the blue fingerprint and then use the "Services" tab to access detailed information about each individual service.
Session Cookies / Persistent Cookies: Cookies can, in general, also be distinguished by their period of storage, which again depends on the purpose of the respective cookie. These can either be so-called "session cookies" which are automatically being deleted as soon as you close the browser. Or it might possibly also be persistent cookies which are not being deleted after you have closed your browser, but which may help to recognize you as a visitor at a later time.
Computop-Cookies / Third Party Cookies: Cookies can either be placed by Computop itself or by other providers whose services Computop has integrated into its websites. The descriptions of the services used on this website are each also containing information on whether cookies are being used.

Legal bases:

Technically necessary cookies: § 25 Section 2 no. 2 TDDDG (if the cookies are necessary in order to be able to provide the services you have requested) as well as Article 6 Section 1 Sentence 1 lit. f GDPR (weighing up of interests). Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Implementation of security services on our websites, smooth functioning and display of our website, enabling the use of logins and other forms on our websites.

Technically non-necessary cookies: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). In case you should not give your consent, you may possibly not be able to use the respective service or to use it only to a limited extent. You have the right to withdraw your consent at any time with effect for the future. Details on the granting and withdrawal of consents can be found in section "Management of consents on our website".

3.3 Management Of Consents On Our Website

Consent banner: When you visit our websites, you will at first be shown a consent banner. In this context, we are using the consent management platform of Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany. Usercentrics works for us as a data processor according to Article 28 GDPR. Via the consent banner, you will be asked to consent to or reject cookies and connections to third-party providers. In case you should reject, only technically necessary cookies will be placed. Your decision will then be stored in a technically necessary cookie. In case you should want to change your decision at a later time, you may change your settings at any time via using the blue fingerprint.
Legal basis: The legal basis for Computop to employ a data processor for providing a consent management platform is Article 28 GDPR.
Other consents: For other types of consents that can be given via our websites (e.g. subscribing to newsletters or storing data in form fields for future use), please refer to the description of the respective data processing operations in this data privacy statement.

3.4 Security measures on our website and fast delivery of our websites

We are using various services of the provider Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA on our websites. Essentially, these are services that make our website faster and more secure. Only on our general websites, the services are provided directly by Cloudflare. For all websites that concern the payment division, corresponding solutions are installed on our own servers. In particular, Cloudflare provides the following services:

SSL encryption of our websites: We use Cloudflare in order to offer you secure data transmission on our website using SSL encryption. SSL encryption means that data that you transmit to us via our websites cannot be read by third parties. The fact that there is an encrypted connection can be recognized by the link in the address bar of the browser changing from "http://" to "https://". In addition, a lock symbol appears in the address bar of the browser.
Acceleration of the loading time of our website: Cloudflare provides a so-called Content Delivery Network (CDN), also called Content Distribution Network. Due to the use of this CDN, the average loading time of our website is significantly reduced. In this context, Cloudflare stores copies of our websites on a network of Cloudflare servers. A load balancing system ensures that our websites are delivered optimally even during peak loads. They are always loaded from the server that can deliver them the fastest or where the loading time is the shortest.
Security services: Cloudflare also provides various security services, such as a reverse proxy server, a web application firewall and protection against DDoS attacks. Cloudflare blocks attacks (e.g. by abusive bots, crawlers or spam) that, for example, are wasting server resources and thus slow down the loading time of our websites, or that try to attack our systems in other ways.

In order to provide the aforementioned services, the entire data transfer between your browser and our websites flows via Cloudflare's infrastructure. This applies not only to the content of our websites, but also to all data processing on our website described in this privacy policy, such as web server log data or other data that you as a visitor may enter on our websites.

Cloudflare places cookies in order to protect our website from attacks and to distinguish legitimate traffic from attacks. The cookies are used, among other things, to identify and distinguish individual visitors within shared IP addresses. This again serves the purpose to be able to evaluate whether or not a device is trustworthy within a shared IP address and, accordingly, to be able to apply security settings for each individual visitor. The placement of this cookie is necessary to enable you to access our websites.

Cloudflare processes personal data both in countries inside and outside the EU/EEA. Computop has therefore concluded the so-called EU Standard Contractual Clauses with Cloudflare by which an appropriate level of data protection within the meaning of the GDPR is established. As a supplementary measure, Computop has also activated the so-called Geo Key Manager at Cloudflare and configured it in such a way that private keys for TLS encryption are stored and managed exclusively in data centers within the EU.

Legal basis: Article 6 Section 1 Sentence 1 lit. f GDPR. Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: It lies in Computop's legitimate interest to make the website faster by means of a content delivery system and more secure with an SSL encryption and various security services. In addition, it lies in Computop's legitimate interest to place cookies in this context which can be used to distinguish legitimate data traffic from attacks. Cloudflare is employed by Computop as a data processor. We have therefore concluded an agreement with Cloudflare that meets the requirements of Article 28 GDPR and also contains the EU Standard Contractual Causes.

3.5 Security measures for integrated form fields

Computop uses on its websites the privacy-friendly bot protection service Friendly Captcha by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. Friendly Captcha is a system to make a misuse of form fields on websites by so-called “bots” more difficult. A bot (the word "bot" is an abbreviation for "robot") is a computer program that performs repetitive tasks largely automatically without relying on interaction with a human user. For protection against bots, Friendly Captcha provides a program code (widget) which is integrated into the websites that are to be protected. When the protected website is accessed, the widget establishes a direct connection to the Friendly Captcha servers. As soon as you click on a form field to fill it in, Friendly Captcha sends a calculation request to your device, which your device automatically solves in the background. Our web server then receives the result of the calculation task from Friendly Captcha and can thus determine whether the form field is used by a human or a bot. Friendly Captcha, in particular, processes the following types of data: HTTP request header data, in particular user agent, origin and referrer, date/time of the request, hash value (one-way encryption) of the incoming IP address (the IP address is discarded, only the hash value is stored), number of requests from the (hashed) IP address per period and response to the arithmetic problem solved by the visitor's computer. As the IP address is hashed, the processing is anonymized. Friendly Captcha also does not place any cookies.

Legal basis: Article 6 Section 1 Sentence 1 lit. f GDPR. Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: It lies in Computop's legitimate interest to protect forms on its websites against misuse by bots. Friendly Captcha GmbH is employed as a data processor on behalf of Computop. We have therefore concluded an agreement with Friendly Captcha that meets the requirements of Article 28 GDPR.

3.6 Presence on well-known online platforms and integration of content via plugins

We are maintaining profiles on various well-known online platforms (Spotify, Vimeo, YouTube, LinkedIn, XING, Twitter), on which we are presenting our company with various types of content, such as, in particular, texts, images, video and audio content. The content can be marked, commented on or shared by using interactive buttons with predefined icons (such as "like"). In addition, it is possible to follow us on those online platforms, subscribe to our content or add video and audio content to playlists.

In some cases, we integrate content located on those online platforms as plugins on our websites, in some cases, however, we use pure links or buttons (social media buttons) that are pure links to the respective platform. You can recognize the plugins or links by the logo of the respective platform.

3.6.1 Plugins:

Plugins are, so to speak, small websites of the respective online platform within our websites, which establish a direct connection between your browser and the servers of the respective online platform. This allows the respective service to process personal data about you and place cookies on your device. However, to protect your personal data, the plugins will not be active (i.e. no data will be transmitted and no cookies will be placed) until you have given your express consent to this via the consent banner. For details, please refer to the section "Management Of Consents On Our Website". In addition, you have the option to generally deactivate the acceptance of cookies in your browser. However, we would like to point out that in this case you might not be able to use all functions of this website to their full extent.

The personal data the online platforms are processing about you might include web server log data, information about your visit on our websites and data about your use of the services offered by the online platforms or interactions with these services on our websites (such as accessing certain content or pressing interactive buttons). In case you maintain a user account with the respective online platform and are logged in there, the online platform might be able to link this data with other data stored in your user account. If you should not want this, please log out of the respective online platform before visiting this website.

The aforementioned services are, in some cases, also processing personal data in countries outside the EU or the EEA.

For further details on the processing of your personal data by the respective online platforms, please refer to the data privacy statements of the respective providers which we are linking below in the context of the description of the different services. We would also like to point out that some of the services, in case you consent to their use, might carry out their own web analytics (e.g. using Google services), on which Computop has no influence.

Specifically, these are the following services:

Spotify: Music streaming portal on which we present our company via a podcast with audio content.
- Provider: Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden („Spotify“).
- Cookies: Yes, the providers places cookies.
- Data processing outside EU/EEA: Yes. The provider is a company based within the EU/EEA and is therefore legally obliged to comply with the requirements of the GDPR. For details, please refer to the provider's data privacy statement.
- Data privacy statement:
www.spotify.com/de/legal/privacy-policy/
- More information and overview over Spotify plugins and widgets: developer.spotify.com
Vimeo: Video portal on which we present our company via video content.
- Provider: Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA (“Vimeo”).
- Cookies: Yes, the providers places cookies.
- Data processing outside EU/EEA: Yes.
- Data privacy statement: vimeo.com/privacy
YouTube: Video portal on which we present our company via video content.
- Provider: YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA („YouTube“), a subsidiary of Google LLC and represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“).
- Cookies: Yes, the providers places cookies.
- Data processing outside EU/EEA: Yes.
- Data privacy statement:
www.youtube.com/t/privacy_at_youtube

Legal basis: The legal basis for the processing of your personal data by online platforms, the use of plugins of these online platforms on our websites and the placement of cookies by the online platforms is your consent (Article 6 Section 1 Sentence 1 lit. a GDPR. Details on obtaining declarations of consent and your options to withdraw your consent at any time with effect for the future can be found in the section " Management of consents on our website ".

3.6.2 Links (LinkedIn, Twitter, XING, WhatsApp, Telegramm)

For some of the social networks on which we are presenting our company with various types of content, such as, in particular, texts, images, video and audio content (LinkedIn, Twitter and XING), we have inserted buttons on our website that are pure links (not plugins). These links either lead to our profile with the content stored there or you can use them to share content from our website on these social networks. Furthermore, our website also offers the possibility to share content via the messengers WhatsApp and Telegram via a button with a link behind it. Since the aforementioned buttons are pure links, no automatic connection to the social networks is established. Data transfer only takes place when you click on one of the buttons.

Legal basis: Not required, as these are pure links (not plugins) and data transfer only takes place in case one of the links is deliberately clicked. After clicking on the respective link, the data privacy statement of the website of the respective social network applies where you can find out more about the processing of personal data by the respective network.

3.7 Web analytics

Matomo: On some of our websites, we are using the privacy-friendly web analytics software Matomo. Matomo is installed on our own servers and used without cookies. The recognition of returning website visitors is carried out with the help of a so-called "digital fingerprint" which is stored anonymously and changed every 30 days. "Digital fingerprint" means that movements of visitors on our websites are captured with the help of anonymized IP addresses ("anonymize IP" is activated) in combination with user device information in such a way that it is not possible to draw conclusions about the identity of individual users. In order to ensure the data protection of users, we have also configured Matomo in such a way that user browser settings are not included in the creation of the digital fingerprint.

You have the option to object against the collection of anonymized statistical data via Matomo by activating the "do not track" function in the security settings of your browser. Our Matomo installation is configured in such a way that it reads and applies the do-not-track header that your browser sends.

Legal basis: Not required, as web analytics are carried out anonymously.

Google Ads: Our website uses the Google Ads service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads enables us to display advertisements in Google search results and across the Google advertising network. Cookies are used to analyze user behavior and measure the effectiveness of our advertising campaigns.

Please note: Google Ads is implemented exclusively on the following pages of our website:
computop.com/de/checkout
computop.com/de/omnichannel-payment

and only if you arrived at one of these pages via a paid Google advertisement (click-through). In this case, a conversion tracking process is initiated to assess the success of our campaign.

The use of Google Ads is based solely on your explicit consent, pursuant to Art. 6 para. 1 lit. a GDPR. Consent is obtained via our cookie consent tool when you access one of the pages mentioned. You may withdraw your consent at any time with effect for the future.

For more information on how Google processes personal data, please refer to:
https://policies.google.com/privacy?hl=en

Legal basis: The legal basis for the processing of your personal data by Google Ads is your consent (Art. 6 para. 1 lit. a GDPR). Details on obtaining declarations of consent and your options to withdraw your consent at any time with effect for the future can be found in the section " Management of consents on our website ".

Microsoft Advertising: Our website uses Microsoft Advertising, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Microsoft Advertising allows us to run paid ads within the Microsoft advertising network and measure their effectiveness.

Please note: This service is used exclusively on the following pages:
computop.com/de/checkout
computop.com/de/omnichannel-payment

and only if you accessed these pages via a paid Microsoft ad (click-through). In this case, a conversion tracking process is initiated to assess the success of our campaign.

The use of Microsoft Advertising is also based solely on your explicit consent, pursuant to Art. 6 para. 1 lit. a GDPR. Consent is collected via our cookie consent tool when you access the relevant landing pages. You may withdraw your consent at any time with effect for the future.

Further information on Microsoft’s data processing practices can be found here: https://privacy.microsoft.com/en-us/privacystatement

Legal basis: The legal basis for the processing of your personal data by Microsoft Advertising is your consent (Art. 6 para. 1 lit. a GDPR). Details on obtaining declarations of consent and your options to withdraw your consent at any time with effect for the future can be found in the section " Management of consents on our website ".

3.8 Fundraising campaign

On our blog "PAYMENT INSIGHTS" in one of the posts (https://computop.com/payment-insights/en/social-responsibility/education-electricity-and-climate-protection/), we have embedded a donation form as a so-called widget. Directly when entering the page, the widget establishes a connection to the donation platform betterplace.org of the provider gut.org gemeinnützige Aktiengesellschaft, Schlesische Straße 26, 10997 Berlin, Germany (privacy policy: www.betterplace.org/c/rules/privacy-policy). The donation platform betterplace.org works together with the payment platform of the provider Stripe Payments Europe Ltd, Block 4, Harcourt Center, Harcourt Road, Dublin 2, Ireland and Stripe Payments UK, Ltd, 7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, United Kingdom, to which a direct connection is also established (privacy policy: stripe.com/de/privacy). Both services are placing technically necessary cookies. The betterplace.org cookie is technically necessary because it sets the tracking preferences of betterplace.org's websites to "no".

Legal basis for the embedding of a donation form: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Supporting charity project (school sponsorships in Tanzania) by user-friendly embedding of the donation form directly in one of our blog articles.

3.9 Promotional Approach

We might contact you for advertising purposes (e.g. by e-mail, telephone or postal mail), provided that you have either given us your consent to do so or there is a legal provision that allows to contact you for advertising purposes.

For the distribution of e-mail newsletters, we are using the services of the provider CleverReach GmbH & Co. KG, Mühlenstr 43, 26180 Rastede, Germany ("CleverReach"). Via this service provider, we are integrating a form for registering for e-mail newsletters on our websites, are obtaining the necessary consents for sending the newsletters by using the double opt-in procedure and are sending the e-mail newsletters via the CleverReach platform.

Personal data that we process in the context of the subscription to e-mail newsletters are your e-mail address, information about your registration and consent to the e-mail newsletter and web server log data. Furthermore, when you register for the newsletter, with your consent, we collect your title, first name, last name and company name in order to be able to address you in a personalized way. The newsletter dispatch system automatically logs whether, when and which newsletters were opened (opening rate) and whether, when and which links in newsletters were clicked on (click rate). This allows Computop to recognize how interesting the newsletters as such and their specific content are for the recipients of the newsletters. Computop uses these insights to make future newsletters even more interesting.

Legal basis: Legal basis for contacting you for advertising purposes may either be Article 6 Section 1 Sentence 1 lit. a GDPR or Section 7 of the Unfair Competition Act. You may object to the use of your personal data for advertising purposes at any time with effect for the future or revoke your consent to advertising with effect for the future by sending an e-mail to marketing(at)computop.com or, in case of an e-mail newsletter, by clicking on the link provided there. The legal basis for Computop to employ a data processor in the context of the dispatch of e-mail newsletters is Article 28 GDPR. For this purpose, Computop has concluded with CleverReach the legally required data processing agreement according to Article 28 GDPR.

3.10 Computop Services

3.10.1 Contacting us via e-mail or a contact form:

On our websites, you have the option to contact us via several e-mail addresses or contact forms. Personal data you are providing to us in this context will be processed for correspondence with you and for the purpose for which you have provided us with the data.

Among other things, on our websites a form is integrated via which you may contact our helpdesk (the Merchant Services department) for support requests. In this context, we are using a ticketing system provided by Zendesk Inc., 1019 Market St, San Francisco, CA 94103, USA ("Zendesk"); we have chosen the option that our data at Zendesk is exclusively hosted within the European Economic Area (EEA). Zendesk is working for us as a data processor and we have therefore concluded a data processing agreement compliant with the requirements of Article 28 GDPR with Zendesk. This agreement also contains the EU Standard Contractual Clauses, as Zendesk uses service providers in third countries for parts of its services despite hosting our data in the EU. Zendesk has committed its service providers to the same standards that were contractually agreed between Computop and Zendesk. Zendesk also holds a number of privacy-related certifications: ISO 27001:2013, ISO 27018:2014, SOC 2 (System Organisation Controls 2 Report), SOC 3 (System Organisation Controls 3 Report), PCI-DSS (Payment Card Industry Data Security Standard), and TRUSTe® Privacy Certification. In addition, Zendesk has implemented so-called Binding Corporate Rules within the group of companies, which have been approved accordingly by the European data protection supervisory authorities.

Legal basis: Depending on the content of the request, various legal bases may come into consideration, in particular Article 6 Section 1 Sentence 1 lit. b, c or f GDPR. Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Enabling communication via e-mail or contact form.

3.10.2 Data Processing in the Computop Paygate:

Computop provides to merchants and other bodies (hereinafter referred to as "clients") as a central service the connection to the Computop Paygate, a payment platform developed and operated by Computop. Via the Computop Paygate, clients have the option of connecting to various payment methods worldwide as well as other services in order to be able to receive payments from end customers via various channels, e.g. payments in online shops (e-commerce), payments via mobile devices, such as in-app payment (m-commerce) or payments via POS terminals (point-of-sale terminals) in cash desk surroundings or at vending machines. Computop, in this context, facilitates the technical steering of data flows between payers and customers as well as the entities relevant to the use of the respective payment methods or services (e.g. banks, providers of payment methods or providers of other services used, such as fraud prevention services). Via the modules Computop Analytics and Computop Reporter, Computop's clients have access to the relevant data of the payments technically steered on their behalf, and they have tools at their disposal for analyzing payments of all channels and payment methods as well as for optimizing turnovers (e.g. by means of visualized status reports, reviews and comparisons). If an end customer makes a payment to one of our clients (e.g. in an online shop), he might be taken to a payment form hosted by Computop (the so-called Hosted Payment Page) as part of the purchase process. The Computop Paygate with its previously described modules Computop Reporter and Computop Analytics as well as the componet Hosted Payment Page are hereinafter collectively referred to as the "Computop Paygate".

Computop provides the connection to the Computop Paygate to its clients as a data processor according to Article 28 GDPR. In case you should be connected to the Computop Paygate as a client, you have the option to request the legally required data processing agreement according to Article 28 GDPR, including a description of the technical and organizational measures taken by Computop according to Article 32 GDPR. For this purpose, please contact dataprotection(at)computop.com.

For the data processing in the Computop Paygate, Computop has taken technical and organizational measures at a very high level of security. Computop is certified according to the Data Security Standard of the Payment Card Industry (PCI-DSS) as well as ISO 27001 and, in this context, regularly undergoes strict external audits of its technical and organizational measures.

For data processing in the Computop Paygate, independent web server logs are being written which are kept separate from the general web server logs. All data bases of the payment division and, therefore, also the corresponding web server logs are, in accordance with the requirements of the PCI-DSS, being located in a separate and highly encrypted area of our servers. Web server logs from the Computop Paygate will only be stored together with other personal data of the user in cases where this is necessary for the respective purpose. This applies, in particular, to the following cases: Provided that during the data processing a log-in is required (in particular for Computop Analytics and Computop Reporter), in this context the user name of the respective user will be stored together with the web server logs in order to be able to facilitate and trace the log-in. Furthermore, the web server logs of the Computop Paygate contain the name of the specific service which is being used. Moreover, storage of web server logs together with other personal data is also necessary for the purpose of technical steering of payment transactions via the Computop Paygate. The data from the web server logs are, in this context, stored in the single payment transactions together with the other data of a payment, in order to be able to technically steer the payments on behalf of the respective client and also to ensure the subsequent traceability. In addition, follow-up actions such as chargebacks or credits are made possible that way. Depending on what a client has specifically ordered at Computop, some data from the web server logs may also be used for the purpose of fraud prevention within the extent permitted by law.

In the Computop Paygate’s modules Computop Analytics and Computop Reporter which allow clients access to the payment transactions processed on their behalf, session cookies are being placed. The functioning of session cookies and your options to object in this context are being explained in the section „Cookies“.

On the payment form (Hosted Payment Page), on the other hand, as a standard no cookies are being placed. However, Computop’s clients have the possibility to adapt the payment form according to their needs or use their own payment form. Thus, it is possible that the adapted payment page may potentially place cookies. The responsibility for adapted payment pages always lies with the client to whom the payment was made; in this regard, we refer you to the data privacy statement of the respective client. In general, the following applies: The data privacy statement of our respective client applies as long as the payer is, before initiating a payment, still on the client’s websites (e.g. in an online shop or in the shopping basket there) or on a potentially used own payment form of the client. Computop’s data privacy statement will not apply until the point in time when the payer actually changes from the client’s website to Computop’s websites (to the payment form there, the Hosted Payment Page) and the payer has received from Computop′s client a notice according to Section 13 Subsection 5 of the German Telemedia Act (TMA) concerning the redirection from one service provider in the meaning of the TMA to another service provider in the meaning of the TMA. Summarized, this means that for the payment form, depending on the respective setup, either the client’s data privacy statement or Computop’s data privacy statement may apply.

Analyses of user behavior are not performed in the Computop Paygate, its modules Computop Analytics and Computop Reporter as well as on the payment form (Hosted Payment Page).

Legal basis: For the technical steering of payment transactions on behalf of clients, the legal basis is Article 6 Section 1 Sentence 1 lit. b GDPR in conjunction with Article 28 GDPR; apart from that, e.g. regarding the placement of cookies, the legal bases are § 25 Section 2 no. 2 TDDDG (if the cookies are necessary in order to be able to provide the services you have requested) as well as Article 6 Section 1 Sentence 1 lit. f GDPR. Legitimate interests of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR (regarding cookies): More user-friendly and more effective design of our website.

3.10.3 Merchant Notification Service:

We are using the service Statuspage.io to enable our clients (such as merchants) to subscribe to notifications with important technical information via email, SMS, RSS feed or Atom feed. In particular, these notifications contain information about maintenance work or disruptions.

Provider of the service is: Dogwood Labs, Inc., 1098 Harrison Street, San Francisco, CA 94103, USA ("Dogwood Labs"), a subsidiary of Atlassian, Inc., 341 George Street, Sydney, NSW 2000, Australia / 350 Bush Street, San Francisco, CA 94104, USA ("Atlassian").

The type of personal data processed in the context of subscribing to notifications depends on the type of subscription. In case of e-mail notifications, the subscriber's e-mail address is processed, and in the case of notifications by SMS, the mobile phone number is processed. Statuspage.io also uses cookies, for details please refer to the provider's privacy policy: www.atlassian.com/legal/privacy-policy.

Statuspage.io processes personal data in countries outside the EU or the EEA. Computop has therefore concluded the so-called EU Standard Contractual Clauses with Dogwood Labs, Inc., which establish an appropriate level of data protection within the meaning of the GDPR.

Legal basis: Legal basis for the processing of your personal data for the purpose of sending notifications with technical information is your consent (Article 6 Section 1 Sentence 1 lit. a GDPR) which you are granting when you subscribe to notifications. You may revoke your consent at any time with effect for the future by terminating your subscription to the corresponding notifications. The legal basis for Computop to employ a data processor in this context is Article 28 GDPR. For this purpose, Computop has concluded the legally required data processing agreement according to Article 28 GDPR with Dogwood Labs, Inc. which also contains the EU Standard Contractual Clauses.

3.11 Applicant Portal

You have the opportunity to apply to us via our applicant portal.

Our applicant portal is operated and hosted by the provider softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin ("Softgarden"). For this purpose, we have concluded the legally required data processing Agreement according to Article 28 GDPR with Softgarden.

Account: As part of the application process, after setting a user name and password, you can create and manage an account in the applicant portal.
Legal basis for the creation of an account in the applicant portal: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). You have the option to revoke this consent at any time with effect for the future.
Cookies: In the application portal, the technically necessary session cookie "JSESSIONID" is being placed. This cookie stores a so-called session-ID, with which various requests from your browser can be assigned to the joint session. This allows your computer to be recognized when you return to our website. The session cookie is deleted when you log out or close the browser.
Legal basis for the setting of technically necessary cookies: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interest of Computop within the scope of Article 6 Section 1 Sentence 1 lit. f GDPR: User-friendly design of our applicant portal.
Application process: Your personal data that you provide to us as part of the application process (such as name, address and contact details, cover letter, curriculum vitae, application photos, certificates, profiles in social networks (e.g. XING, LinkedIn), and any other data and documents) will be processed to carry out the application process and, in case of a potential employment, to carry out the employment relationship. In case of a successful application, your application documents will become part of the personnel records, in the event of a rejection of an application for a specific job offer, your application documents will be deleted 6 months after receipt of the rejection (however, regardless of the application for a specific job offer, you have the opportunity to register in our talent pool for an undefined period of time, details are explained below).
Legal basis for the processing of your personal data in the context of the application process and for the initiation of an employment relationship is Article 6 Section 1 Sentence 1 lit. b GDPR or Article 88 GDPR in connection with § 26 Section 1 Sentence 1 German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
Automated CV analysis: In our applicant portal, documents uploaded by you are automatically being analyzed in order to extract CV data and convert it into a structured form. For this purpose, Softgarden uses the ISO 27001-certified sub-processor Textkernel B.V., Nieuwendammerkade 26 A 5, (1022AB) Amsterdam, The Netherlands, with whom Softgarden has concluded a data processing agreement according to Article 28 GDPR. Data processing takes place within the EU on servers in the Netherlands and Germany.
Legal basis for processing your data via an automated CV analysis: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interest of Computop in the context of Article 6 Section 1 Sentence 1 lit. f GDPR: Efficient design of the application process.
Talent pool: Regardless of an application for a specific position, or after an unsuccessful application, you have the option to voluntarily register in our talent pool on the basis of a consent. This is can be done via the "Get in touch" button or by using an opt-in link that has been provided to you in this context. Should a suitable position be open, we have then the opportunity to contact you in this regard.
Legal basis for registration in the talent pool: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). You can revoke this consent at any time with effect for the future. We will also contact you at regular intervals and ask if you would like to continue to be registered in the talent pool.
Recommendation of potential applicants: Our applicant portal also offers the opportunity to recommend potential applicants. Should you apply to us on the basis of such a recommendation, the person who has recommended you will receive the information that you have applied to us, together with your profile photo, your name and information about the position for which you have applied. Should you not wish that the referring person receives this information, you have the option to choose, before completing the application, that the referring person will only see this information without a direct personal reference, which means the person who recommended you will then only receive the information that someone has applied on the basis of their recommendation but does not see which person this is.
Legal basis for the processing of personal data when recommending potential applicants: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests). Legitimate interest of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Our legitimate interest is to give our employees the opportunity to recommend persons known to them for vacancies. This gives us the opportunity to make our applicant selection process more efficient.
Subscription to job advertisements: On the Careers Board, you have the option of being automatically informed about new vacancies via e-mail newsletter or RSS feed.
Legal basis for subscribing to job advertisements by e-mail newsletter: Article 6 Section 1 Sentence 1 lit. a GDPR (consent). You can revoke this consent at any time with effect for the future by clicking on the unsubscribe link in the newsletter. Legal basis for subscribing to job advertisements via RSS feed: Not required, as personal data is not processed.
Social media buttons (links) for sharing job advertisements: Our applicant portal offers the possibility to share our job advertisements on various social networks (Facebook, Twitter, LinkedIn, XING). The buttons to these social networks on our applicant portal are pure links (not plugins). This means that no automatic connection to the social networks is established. A data transfer only takes place when you click on one of the buttons.
Legal basis: Not required, as these are pure links (not plugins) and data transmission only takes place if one of the links is deliberately clicked. After clicking on the respective link, the data protection declaration of the website of the respective social network applies, there you can inform yourself about the processing of personal data by the respective network.
Feedback survey to improve the applicant portal: At the end of the application process via our applicant portal, you may be shown a link to an anonymous survey that is carried out and evaluated by and in the own interest of Softgarden, the provider of the applicant portal, in order to improve and further develop their products and services as well as the overall application experience, and to carry out studies on recruiting trends. For this purpose, Softgarden uses the platform of the service provider easyfeedback GmbH in Koblenz. Participation in such a survey is voluntary and, according to Softgarden, takes place anonymously and via a connection secured by the SSL encryption method SHA256 (SSL 3.0 fallback deactivated). The survey system cannot establish a connection between you and the results. The cookie tracking and IP blocking options to prevent multiple participations are not activated. You also have the option of cancelling the survey at any time by closing the browser window – the answers given up to this point will be transmitted to Softgarden.
Legal basis for conducting feedback surveys: Article 6 Section 1 Sentence 1 lit. f GDPR (balancing of interests, legitimate interest of a third party). Legitimate interest of Softgarden (provider of Computop's applicant portal) according to Article 6 Section 1 Sentence 1 lit. f GDPR: Improvement and further development of products and services as well as the overall application experience, conducting studies on recruiting trends.

4. RECIPIENTS OF PERSONAL DATA

For the hosting of our websites as well as for some functions integrated on our websites, we are using the services of third parties. Details are explained in this section and in section 3 of this data privacy statement at the decriptions of the respective services, also by specifying the respective providers. As far as we are using services of third parties on our websites, we are complying with the strict legal provisions and are drawing up the contractual relationships with the respective providers in accordance with the applicable legal provisions on data protection

4.1 Hosting of Computop’s Website in General

Computop's general website is hosted externally by Amazon Web Services EMEA SARL, 5 Rue Plaetis, 2338 Luxembourg, Luxembourg and exclusively on servers in Frankfurt/Main, Germany. Computop has concluded the legally required Data Processing Agreement according to Article 28 GDPR with Amazon Web Services.

Legal basis: Legal basis for the external hosting of the website is Article 6 Section 1 Sentence 1 lit. f GDPR in conjunction with Article 28 GDPR. Legitimate interest of Computop according to Article 6 Section 1 Sentence 1 lit. f GDPR: Economic considerations of Computop.

4.2 No external Hosting in the Payment Division

Generally excluded from external hosting is the entire data processing in the Computop Paygate and thus also all web-based parts of the Computop Paygate. Although some of those are linked on Computop's general website, they are located on Computop's own servers. This means, in particular, that Computop's clients who access a login page for their access to Computop-Paygate via the Computop website are already on Computop's own servers on the login page itself, which means even before logging in.

5. DATA TRANSFERS TO COUNTRIES OUTSIDE THE EU/EEA

In some cases in which we use services of third parties, personal data is also transferred to countries outside the EU or EEA. In this data privacy statement, we refer to this accordingly in the context of the description of individual services in sections 3 and 4, are complying with the strict legal provisions on data protection in this regard and explain what kind of contractual agreements, if necessary, we have made with the respective provider whereby an appropriate level of data protection within the meaning of the GDPR is established.

6. PERIOD OF STORAGE

The following criteria will apply for determining the period of storage of personal data which has been collected via our website:

6.1 Discontinuation of the purpose

Personal data are being stored as long as they are necessary for the fulfilment of the purposes for which they were collected or processed. They will be deleted as soon as the purpose ceases to exist.

6.2 Statutory retention periods (minimum retention periods determined by law)

Personal data may, even after the discontinuation of the purposes for which they have been collected or processed, still be stored if Computop has to comply with statutory retention periods. Statutory retention periods are minimum retention periods determined by law. In these cases, personal data will be deleted after the expiry of the statutory retention periods.

6.3 Statutory deletion periods (maximum retention periods determined by law)

Personal data will always be deleted in due time before the expiry of statutory deletion periods. Statutory deletion periods are maximum retention periods determined by law.

6.4 Longer retention in exceptional cases

In exceptional cases, personal data may in compliance with the applicable statutory provisions be retained for a longer period (e.g. if this is necessary for the establishment, exercise or defence of legal claims).

7. YOUR RIGHTS

In order to exercise your legal rights to access, rectification, erasure, restriction of processing, objection, data portability and the rights related to automated individual decision making including profiling, please contact:

dataprotection(at)computop.com.

You have the aforementioned rights if the legal requirements for these are fulfilled.

In particular, you have the right to

Access, which means you have the right to obtain confirmation whether personal data about you is being processed and, where this is the case, the right to information about which personal data this is as well as to other legally required information in this context. Details are laid down in Article 15 GDPR.
Rectification of your personal data in case these should be incorrect. This also includes the right to completion of your personal data in case it should be incomplete. This right arises from Article 16 GDPR.
Erasure of your personal data in case one of the statutory reasons applies that are laid down in Article 17 GDPR (which means discontinuation of the purpose of the processing, withdrawal of a consent, objection to the processing, unlawful processing which is not based on a legal ground, existence of a legal obligation to erasure, or processing of a child’s data in relation to the offer of information society services) and provided that none of the exceptions as also laid down in Article 17 GDPR apply (for example necessity of the processing for compliance with a legal obligation such as compliance with statutory retention obligations, or necessity for the establishment, exercise or defence of legal claims).
Restriction of processing where one of the statutory reasons applies that are laid down in Article 18 GDPR (which means in case you should have contested the accuracy of the personal data for the period of verification, in case you should for unlawful processing oppose the erasure and request restriction instead, in case you should, despite the discontinuation of the purpose of the processing, require the personal data for the establishment, exercise or defence of legal claims, or, in case you should have objected to the processing and it is not yet clear whose interests are overriding),
Data Portability, which means the right to receive your personal data (as far as the processing is based on a contract or a consent) in a structured, commonly used and machine-readable format in order to be able to transmit those to another controller, or, as far as technically possible, the right to have the personal data transmitted directly from one controller to another.
Objection
- as far as the data processing (including a potential profiling) is based on a balancing of interests and there are reasons against the data processing arising from your particular situation, or
- where personal data are processed for direct marketing purposes or a profiling related to such direct marketing.
Details are laid down in Article 21 GDPR.

In addition, you have a
- Right to withdrawal if the data processing is based on consent,
- Right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you, unless this is necessary for the conclusion or performance of a contract between you and us or you have granted your consent. Details are laid down in Article 22 GDPR.
- Right to lodge a complaint: Furthermore, you also have the right to lodge a complaint with a data protection supervisory authority. This right arises from Article 77 GDPR.

8. OTHER

Provided that, in the individual case, the provision of personal data is legally required or necessary for the performance of a contract with you, we will, in case of need, point that out to you during our communication with you, and we will also point out if you are obliged to provide the personal data or if this is optional, as well as which consequences a non-disclosure might have. It may happen, for example, that the non-disclosure of personal data will have the possible consequence that requests cannot be answered or only incompletely answered (e.g. in the context of exercising the rights of the data subject), or that the conclusion of a contract with Computop is not possible.

Computop will not process personal data collected or obtained via our websites for other purposes than those described in this data privacy statement, unless this is legally admissible and Computop complies with the applicable information obligations in this context.

Within this data privacy statement, we are providing you with information insofar as you yourself are not already having the necessary information (e.g. because the data processing was transparent to you because you have been entering the data into a contact form yourself).

9. VALIDITY OF THIS PRIVACY STATEMENT

We reserve the right to modify this data privacy statement from time to time. For your visit on our websites, always the respective current version of the data privacy statement available there shall apply.

Latest update of this data privacy statement: February 12, 2025