Data Privacy
The following text is an English translation of our German Privacy Terms and is provided for information purposes. In case of doubt, the German version shall apply.
We value your interest in our company. Data protection is of paramount importance to the management of kyberio GmbH. Using kyberio GmbH’s website is generally possible without providing personal data. However, if a data subject wishes to use special services of our company via our website, processing personal data may be necessary. In such cases, we generally obtain the data subject’s consent if there is no legal basis for the processing.
The processing of personal data, such as the name, address, email address, or telephone number of a data subject, always takes place in accordance with the General Data Protection Regulation and compliance with the country-specific data protection regulations applicable to kyberio GmbH. Through this data protection declaration, our company aims to inform the public about the type, scope, and purpose of the personal data we collect, use, and process. Furthermore, data subjects are informed about their rights using this data protection declaration.
As the data controller, kyberio GmbH has implemented various technical and organizational measures to ensure the utmost protection of the personal data processed through our website. However, it’s important to note that internet-based data transmissions can have security vulnerabilities, making absolute protection impossible. That’s why we offer alternative means, such as telephone, for you to transmit personal data to us.
1. Definitions
The privacy policy of kyberio GmbH is based on the terminology used by the European Directive and Regulation Maker when issuing the General Data Protection Regulation (GDPR). Our privacy policy is intended to be easily readable and understandable for the public, our customers, and business partners. We want to explain the terminology used in advance to ensure this.
In this privacy policy, we use, among other things, the following terms:
a) Personal Data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific factors expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
b) Data Subject
The data subject is any identified or identifiable natural person whose personal data is processed by the controller.
c) Processing
Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
d) Restriction of Processing
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling is any form of automated processing of personal data that involves using personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
f) Pseudonymization
Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or controller responsible for the processing
The controller or controller responsible for the processing is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
i) Recipient
A recipient is a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, authorities who may receive personal data in the framework of a particular inquiry under Union or Member State law shall not be regarded as recipients.
j) Third Party
A third party is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who are authorized to process personal data under the controller’s or processor’s direct authority.
k) Consent
Consent is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and Address of the Data Controller
The data controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union, and other provisions with a data protection character is:
kyberio GmbH
Am Mittelfelde 29
30519 Hannover
Germany
Tel.: +49 (0) 511 71260 – 0
Email: info@kyberio.com
Website: https://www.kyberio.com
3. Name and Address of the Data Protection Officer
The Data Protection Officer for the Controller responsible for the Processing of Data is:
Mr. Stefan Siefert
kyberio GmbH
Am Mittelfelde 29
30519 Hannover
Germany
Tel.: +49 (0) 61269 375200
Email: dsb@kyberio.com
Website: https://www.kyberio.com
Any data subject can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.
4. Cookies
The websites of kyberio GmbH use cookies. Cookies are text files stored on a computer system via an internet browser.
Many websites and servers use cookies, which contain a unique identifier called a cookie ID. This string consists of a character string through which websites and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited websites and servers to distinguish the individual browser of the data subject from other web browsers containing other cookies. The unique cookie ID recognizes and identifies A specific Internet browser.
By using cookies, kyberio GmbH can provide users of this website with more user-friendly services that would not be possible without the cookie setting.
By means of a cookie, the information and offers on our website can be optimized for the user’s benefit. As mentioned above, cookies allow us to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, a website user who uses cookies does not have to re-enter their access data every time they visit the website, as the website takes this over. The cookie is stored on the user’s computer system. Another example is the cookie of a shopping cart in an online shop. The online shop remembers the items a customer places in the virtual shopping cart via a cookie.
The data subject can prevent cookies from being set by our website at any time by using a corresponding setting of the internet browser and thus permanently object to the setting of cookies. Furthermore, already set cookies can be deleted anytime via an internet browser or other software. This is possible in all common internet browsers. If the data subject deactivates the cookies settings in the internet browser, not all website functions will be usable.
5. Collection of General Data and Information
Each visit to the website of kyberio GmbH by a data subject or an automated system leads to a range of general data and information collection. This general data and information are stored in the server’s log files. The following data may be collected: (1) types and versions of browsers used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-pages accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that serve to avert threats in the event of attacks on our information technology systems.
kyberio GmbH does not draw any conclusions about the data subject when using this general data and information. Instead, this information is required to (1) deliver the contents of our website correctly, (2) optimize the contents of our website and the advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack. Therefore, the anonymously collected data and information are statistically evaluated by kyberio GmbH, on the one hand, and, on the other hand, to increase data protection and data security in our company to ultimately ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
6. Comment Function in the Blog on the Website
kyberio GmbH allows users to leave individual comments on blog posts on the the data controller website. A blog is a portal maintained on a website, typically publicly accessible, where one or more individuals, known as bloggers or web bloggers, can post articles or thoughts in so-called blog posts. Third parties can typically comment on Blog posts.
When a data subject leaves a comment on the blog published on this website, information about the time of the comment entry and the username (pseudonym) chosen by the data subject is stored and published along with the comments left by the data subject. Furthermore, the IP address assigned by the data subject’s internet service provider (ISP) is logged. This storage of the IP address is for security reasons and in case the data subject violates the rights of third parties or posts unlawful content through a comment. Therefore, storing this personal data is in the data controller’s legitimate interest so that they could possibly exculpate themselves in case of a legal violation. This collected personal data is not disclosed to third parties unless such disclosure is legally required or serves the legal defense of the data controller.
7. Subscription to Comments on the Blog on the Website
Comments posted on the blog of kyberio GmbH can be subscribed to by third parties. In particular, a commentator can subscribe to the comments following their own comment on a specific blog post.
Suppose a data subject chooses the option to subscribe to comments. In that case, the data controller sends an automatic confirmation email to verify, using the double opt-in procedure, whether the owner of the specified email address has indeed chosen this option. The option to subscribe to comments can be terminated at any time.
8. Routine Deletion and Blocking of Personal Data
The data controller processes and stores the data subject’s personal data only for the period necessary to achieve the storage purpose or as required by the European legislator or another legislator in laws or regulations to which the data controller is subject.
Once the storage purpose is no longer applicable or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or deleted following legal requirements.
9. Rights of the Data Subject
a) Right to Confirmation:
Every data subject has the right granted by the European legislator to obtain confirmation from the data controller as to whether personal data concerning them are being processed. If a data subject wishes to exercise this right to confirmation, they can contact an employee of the data controller at any time.
b) Right to Information:
Every data subject has the right granted by the European legislator to obtain from the data controller free information about the personal data stored about them and a copy of this information at any time. The European legislator has also granted the data subject the right to receive information about the following:
- The purposes of the processing
- The categories of personal data processed
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations.
- If possible, the envisaged duration for which the personal data will be stored, or, if not possible, the criteria used to determine that duration
- The existence of the right to request rectification or erasure of personal data or restriction of processing by the controller or to object to such processing
- The right to file a complaint with a supervisory authority
- If the personal data are not collected from the data subject, All available information about the origin of the data
- The existence of automated decision-making, including profiling, according to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
- Furthermore, the data subject has the right to be informed whether personal data have been transferred to a third country or an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards relating to the transfer.
- If a data subject wishes to exercise this right to information, they can contact an employee of the data controller at any time
c) Right to Rectification:
Every data subject has the right granted by the European legislator to request the immediate rectification of inaccurate personal data concerning them. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.
If a data subject wishes to exercise this right to rectification, they can contact an employee of the data controller at any time.
d) Right to erasure (Right to be forgotten):
Every data subject has the right granted by the European legislator to demand from the controller the erasure of personal data concerning them without undue delay, and the controller shall have an obligation to erase personal data without delay if one of the following reasons applies and if the processing is not necessary:
- Personal data is no longer necessary for collecting or otherwise processing purposes.
- The data subject withdraws consent on which the processing is based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal ground for the processing.
- The data subject objects to the processing under Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing under Article 21(2) GDPR.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
- Suppose one of the reasons above applies, and a data subject wishes to request the erasure of personal data stored by kyberio GmbH. In that case, they can contact a data controller employee anytime. The employee of the kyberio GmbH shall promptly ensure that the erasure request is complied with.
- Where the controller has made personal data public and is obliged according to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The employee of the kyberio GmbH will arrange the necessary measures in individual cases.
e) Right to restriction of processing:
Every data subject has the right granted by the European legislator to request the controller to restrict the processing of personal data if one of the following conditions applies:
- The data subject contests the accuracy of the personal data for a period, enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests that they be restricted in use.
- The controller no longer needs personal data for processing, but the data subject requires it for the establishment, exercise, or defense of legal claims.
- The data subject has objected to processing according to Article 21(1) GDPR pending the verification of whether the controller’s legitimate grounds override those of the data subject.
Suppose one of the conditions mentioned above is met, and a data subject wishes to request the restriction of processing personal data stored by kyberio GmbH. In that case, they can contact a data controller employee anytime. The employee of the kyberio GmbH will arrange the restriction of processing
f) Right to data portability:
Every data subject has the right granted by the European legislator to receive personal data concerning them, which is provided to a controller in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract according to Article 6(1)(b) GDPR. The processing is carried out by automated means as long as the processing is not necessary for performing a task in the public interest or in exercising official authority vested in the controller.
Furthermore, in exercising their right to data portability according to Article 20(1) GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible, and when doing so does not adversely affect the rights and freedoms of others.
To exercise the right to data portability, the data subject can contact any employee of the kyberio GmbH.
g) Right to Object:
Every data subject has the right granted by the European legislator to object, on grounds relating to their particular situation, at any time, to the processing of personal data concerning them, which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
kyberio GmbH shall no longer process the personal data in the event of the objection unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to the kyberio GmbH for the processing for direct marketing purposes, kyberio GmbH will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to their particular situation, to object to the processing of personal data concerning them by kyberio GmbH for scientific or historical research purposes or statistical purposes according to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest. To exercise the right to object, the data subject can directly contact any employee of the kyberio GmbH or another employee. The data subject is also free to exercise their right to object concerning the use of information society services, notwithstanding Directive 2002/58/EC, using automated means using technical specifications.
h) Automated individual decision-making, including Profiling:
Every data subject has the right granted by the European legislator not to be subject to a decision based solely on automated processing, including Profiling, which produces legal effects concerning them or similarly significantly affects them, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject’s explicit consent, the kyberio GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.
If the data subject wishes to exercise rights concerning automated individual decision-making, they can contact an employee of the kyberio GmbH at any time.
i) Right to withdraw Consent under Data Protection Law:
Every data subject has the right granted by the European legislator to withdraw consent to processing personal data at any time. To exercise the right to withdraw consent, the data subject can contact an employee of the kyberio GmbH at any time.
10. Data Protection in Job Applications and Application Process
The data controller collects and processes applicants’ personal data to manage the application process. Processing may also occur electronically, especially when an applicant submits relevant application documents electronically, such as via email or a web form on the data controller’s website. If the data controller concludes an employment contract with an applicant, the transmitted data will be stored to manage the employment relationship in compliance with legal requirements. Suppose no employment contract is concluded between the data controller and the applicant. In that case, the application documents will be automatically deleted two months after the decision of rejection is communicated unless other legitimate interests of the data controller oppose deletion. Another legitimate interest in this regard, for example, is an obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).
11. Data Protection Provisions for the Use of Website Analysis and Website Optimization Tools
a) Google Analytics
Purpose of Processing:
Google Analytics is a web analytics service that Google Ireland Ltd (“Google”) provides. Google uses the data collected to track and examine how this website/app is used, compile reports on its activities, and share them with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
The company that processes the data, Google Ireland Ltd Gordon House, Barrow Street Dublin 4 IERlegal basis is your consent according to Art. 6 para. 1 lit. a. GDPR. We process data with the help of Google Analytics to optimize our website and for marketing purposes.
You have the right to revoke the consent given at any time without affecting the legality of the processing carried out based on the consent. This is possible in the footer under “Edit consent.”
b) Data protection provisions about the application of brevo (formerly sendinblue)
We only send newsletters, emails, and other electronic notifications (hereinafter “newsletter”) with the recipient’s consent or legal permission. If the newsletter’s contents are specifically described when registering for the newsletter, they are decisive for the user’s consent. Otherwise, our newsletters contain information about our services and us.
Providing your email address is generally sufficient to subscribe to our newsletters. However, we may ask you to provide a name so that we can address you personally in the newsletter or provide other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is always done using the so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so no one can register with other people’s email addresses. Subscriptions to the newsletter are logged to be able to prove the registration process following legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the mailing service provider are also logged.
Deletion and restriction of processing: We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove that consent was previously given. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed simultaneously. In the event of obligations to permanently observe objections, we reserve the right to store the email address in a block list solely for this purpose.
The registration process is logged based on our legitimate interests to verify that it is carried out correctly. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure sending system.Inhalte: Informationen zu uns, unseren Leistungen, Aktionen und Angeboten.
- Processed data types: Inventory data (e.g., names, addresses); Contact data (e.g., email, telephone numbers); Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, consent status); Usage data (e.g., websites visited, interest in content, access times).
- Data subjects: Communication partners.
- Purposes of Processing: Direct marketing (e.g., by email or postal); Web Analytics (e.g., access statistics, recognition of returning visitors).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Possibility of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably email.
Further information on processing operations, procedures, and services:
- Measurement of opening and click rates: The newsletters contain a so-called “web beacon”, i.e., a pixel-sized file retrieved from our server when the newsletter is opened or, if we use a dispatch service provider, from their server. As part of this retrieval, technical information, such as information about the browser and your system, your IP address, and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined with the help of the IP address) or the access times. This analysis also determines whether the newsletters are opened, when, and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations help us recognize the reading habits of our users, adapt our content to them, or send different content according to the interests of our users. The measurement of opening rates and click rates, as well as the storage of the measurement results in the profiles of the users and their further processing, are based on the consent of the users. Unfortunately, it is impossible to revoke the performance measurement separately; in this case, the entire newsletter subscription must be canceled or objected to. In this case, the stored profile information will be deleted; legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
SendinBlue: Email marketing platform; Service provider: SendinBlue SAS, 55, rue d’Amsterdam, 75008 Paris, France; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website:https://de.sendinblue.com/; Privacy Policy:https://www.sendinblue.com/legal/privacypolicy/; Data processing agreement: Provided by the service provider.
12. Legal Basis of Processing
Article 6(1)(a) of the GDPR serves as the legal basis for processing operations where we obtain consent for a specific processing purpose. Suppose the processing of personal data is necessary for the performance of a contract to which the data subject is party, such as processing operations required for the delivery of goods or the provision of any other service or consideration. In that case, the processing is based on Article 6(1)(b) of the GDPR. The same applies to processing operations necessary for performing pre-contractual measures, such as inquiries regarding our products or services. Suppose our company is subject to a legal obligation by which processing of personal data is required, such as for compliance with tax obligations. In that case, the processing is based on Article 6(1)(c) of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. For example, this would be the case if a visitor to our premises were injured and his or her name, age, health insurance data, or other vital information would have to be passed on to a doctor, hospital, or other third party. Then the processing would be based on Article 6(1)(d) of the GDPR. Finally, processing operations could be based on Article 6(1)(f) of the GDPR. This legal basis is used for processing operations not covered by any of the aforementioned legal grounds, where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations are particularly permitted because the European legislator has specifically mentioned them. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
13. Legitimate Interests pursued by the Controller or a Third Party
Suppose the processing of personal data is based on Article 6(1)(f) of the GDPR. In that case, our legitimate interest is conducting our business activities to benefit the well-being of all our employees and shareholders.
14. Duration for which the Personal Data will be stored
The criterion for the duration of the storage of personal data is the respective statutory retention period. After the expiration of the period, the relevant data will be routinely deleted, provided they are no longer necessary for the performance or initiation of a contract.
15. Legal or contractual Provisions for the Provision of Personal Data; Necessity for the Conclusion of the Contract; Obligation of the Data Subject to provide the Personal Data; possible Consequences of Failure of their Provision
We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may also result from contractual provisions (e.g., information on the contractual partner). Sometimes it may be necessary to conclude a contract that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company enters into a contract with them. Failure to provide the personal data would result in the contract with the data subject not being concluded. Before providing personal data by the data subject, the data subject must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.
16. Existence of automated decision-making
As a responsible company, we refrain from automated decision-making or profiling.
This data protection declaration was created using the data protection declaration generator of the DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as an external data protection officer in Stuttgart in cooperation with the Cologne data protection lawyer Christian Solmecke.