Data protection declaration according to the GDPR

I.  Name and address of the responsible party

The responsible party in terms of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection law regulations is:

CODIXX AG
Steinfeldstraße 3
39179 Barleben
Germany

Tel.: +49(0)39203 9630
Email: [email protected]
Website: www.codixx.de

II. Name and address of the data protection officer

The responsible party's data protection officer is:

CODIXX AG
Steinfeldstr. 3
39179 Barleben
Germany

Tel.: + 49 (0)39203 9630
Email: [email protected]

III. General information on data processing

1. Scope of processing of personal data

We generally only process the personal data of our users if required to provide a functional website as well as our contents and services. The processing of personal data of our users only takes place, as a rule, after receiving consent from the user. One exception is such cases where it is not possible to obtain consent due to actual reasons and the processing of data is permitted based on legal regulations.

2. Legal basis for processing personal data

If we obtain the consent of the data subject for processing personal data for processing transactions, Art. 6 sec. 1 lit. a of the EU General Data Protection Regulation (GDPR) shall serve as a legal basis.

Art. 6 sec. 1 lit. b GDPR shall serve as a legal basis for processing personal data for the fulfilment of a contract with the data subject as the contractual party. This shall also apply to processing transactions required for performing pre-contractual measures.

If processing your personal data is necessary to fulfil a contractual obligation our company is subjected to, art. 6 sec. 1 lit. c GDPR serves as a legal basis.

In cases where essential interests of the affected person or another natural person require personal data to be processed, art. 6 sec. 1 lit. d GDPR shall serve as a legal basis.

If processing is required to protect the legitimate interests of our company or a third party and if the initially stated interest does not outweigh the interests, basic rights and basic freedoms of the affected person, art.6 sec. 1 lit. f GDPR shall serve as a legal basis for processing.

3. Data deletion and storage period

Personal data of the affected person shall be deleted or blocked as soon as the purpose of storage no longer exists. Storage can also take place if scheduled by the European or national legislation in legal Union directives, laws or other regulations, which the responsible party is subject to. Blockage or deletion shall also take place if a storage period stipulated by the specified norms expires, unless the requirement of continued storage of the data exists for conclusion of the contract or fulfilment of the contract.

IV. Provision of the website and creation of Logfiles

1. Description and scope of data processing

Every time our Internet site is accessed, our system automatically collects data and information from the computer system of the requesting computer.

The following data is collected:

(1)       Information about the browser type and version used
(2)       The user's operating system
(3)       The user's IP address
(4)       Date and time of access
(5)       Websites from which the user's system accesses our Internet site

The data is also saved in the Logfiles of our system. This data is not stored together with other personal data of the user.

2. The legal basis for data processing

The legal basis for temporary storage of data and Logfiles is Art. 6 sec. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to allow delivery of the website to the user's computer. For this, the user's IP address must remain stored for the duration of the session.

We have an authorised interest in data processing according to Art. 6 sec. 1 lit. f GDPR.

4. Duration of storage

The data shall be deleted as soon as it is no longer necessary to achieve the purpose of collection. In the case of collection of data to provide the website, this is the case when the respective session is terminated.

5. Objection and correction options

The collection of data to provide the website and the storage of data in Logfiles is essential for operation of the Internet site. It is therefore not possible for the user to object.

V. Use of Cookies

a) Description and scope of data processing

Our website uses Cookies. Cookies are small text files that are saved in the Internet browser or by the Internet browser on the user's computer system. If a user accesses a website, a Cookie can be saved on the user's operating system. This Cookie contains a characteristic string, which allows clear identification of the browser when the website is accessed again.

We use Cookies to make our website more user-friendly. Some elements of our website require that the requesting browser can also be identified after a change of page.

If other Cookies (e.g. Cookies for analysis of your surf behaviour) are saved, these shall be dealt with separately in this data protection declaration.

b) Legal basis for data processing

The legal basis for the processing of personal data using Cookies is Art. 6, sec. 1 lit. f GDPR.

c) Purpose of data processing

The purpose of use of technically necessary Cookies is to facilitate use of the website for users. Several functions of our Internet site cannot be offered without the use of Cookies. For this, it is necessary that the browser is also recognised after changing site.

The user data collected via technically required Cookies shall not be used to create user profiles.

The use of analysis Cookies is for the purpose of improving the quality of our website and its contents. Analysis Cookies allow us to find out how the website is used and thereby constantly optimise our service.

These purposes also represent our legitimate interest in processing personal data according to Art. 6 sec. 1 lit. f GDPR.

e) Duration of storage, objection and correction options

Cookies shall be saved on the user's computer and transmitted from it to our site. You therefore have full control over the use of Cookies as the user. You can deactivate or restrict the transmission of Cookies by changing the settings in your Internet browser. Cookies already saved can be deleted at any time. This can also take place automatically. If Cookies are deactivated for our website, all functions of the website may no longer be able to be used in full.

VI. Contact form and email contact

1. Description and scope of data processing

Our Internet site includes a contact form, which can be used to contact us electronically. If a user makes use of this option, the data entered in the entry mask shall be transmitted to us and saved. This data is:

Company name
Form of address
Name
Email
Telephone
Country

Your consent shall be obtained for processing of data within the scope of the dispatch procedure and reference shall be made to this data protection declaration.

Alternatively, it is possible to make contact via the email address provided. In this case, the user's personal data transmitted with the email address shall be saved.

The data will not be passed on to third parties in association with this. The data is exclusively used for processing the conversation.

2. Legal basis for data processing

The legal basis for processing data according to Art. 6 sec. 1 lit. a GDPR if the user has given consent.

The legal basis for processing data transmitted as part of sending an email is Art. 6 sec. 1 lit. f GDPR. If email contact is for the purpose of concluding a contract, the additional legal basis for processing is Art. 6 sec. 1 lit. b GDPR.

3. Purpose of data processing

The processing of personal data from the entry mask shall be for the sole purpose of processing contact. In the case of making contact by email, this includes the necessary legitimate interest in data processing.

Other personal data processed during the dispatch procedure serves to prevent misuse of the contact form and ensure the security of our information technology systems.

4. Duration of storage

The data shall be deleted as soon as it is no longer necessary to achieve the purpose of collection. For personal data from the entry mask of the contact form and the data that has been transmitted by email, this shall be the case when the respective conversation with the user is finished. The conversation shall be finished when the circumstances show that the respective matter has been fully clarified.

 Additional data collected during the dispatch procedure shall be deleted after a period of one month at the latest.

5. Objection and correction options

The user has the option of withdrawing consent to the processing of personal data at any time. If the user contacts us by email, he or she can object to the storage of personal data at any time. The conversation cannot be continued in such a case.

Please send your withdrawal of consent and objection to storage to:

 CODIXX AG
Steinfeldstraße 3
39179 Barleben
Germany
Email: [email protected]

 All personal data saved during the course of contact shall be deleted in this case.

VII. Web analysis by Matomo (formerly PIWIK)

1. Scope of processing of personal data

We use the open source software tool Matomo (formerly PIWIK) on our website to analyse the surf behaviour of our users. This software places a Cookie on the user's computer (see above for information on Cookies). The following data shall be saved if individual pages of our website are accessed:

(1)       Two bytes of the IP address of the user's requesting system
(2)       The accessed website
(3)       The website from which the user has reached the accessed website (referrer)
(4)       The sub-pages called up from the accessed website
(5)       The time spent on the website
(6)       Frequency of website visits

The software shall run solely on our website servers, which is where the user's personal data is exclusively stored. The data will not be passed on to third parties.

The software is set in such a way that the IP addresses are not fully stored, but that 2 bytes of the IP address are hidden (e.g. 192.168.xxx.xxx). Assignment of the shortened IP address to the requesting computer is thereby no longer possible.

2. Legal basis for processing personal data

The legal basis for processing the user's personal data is Art. 6 sec. 1 lit. f GDPR.

3. Purpose of data processing

Processing the personal data of our users allows us to analyse the surf behaviour of our users. The data obtained by the analysis puts us in a position to compile information about use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. These purposes also represent our legitimate interest in processing personal data according to Art. 6 sec. 1 lit. f GDPR. Anonymisation of the IP address takes sufficient account of the users' interest in the protection of their personal data.

4. Duration of storage

The data is deleted according to the statutory periods as soon as it is no longer required for our recording purposes.

5. Objection and correction options

Cookies shall be saved on the user's computer and transmitted from it to our site. You therefore have fully control over the use of Cookies as the user. You can deactivate or restrict the transmission of Cookies by changing the settings in your Internet browser. Cookies already saved can be deleted at any time. This can also take place automatically. If Cookies are deactivated for our website, all functions of the website may no longer be able to be used in full.

More information on the private sphere settings of Matomo software can be found under the following link: https://matomo.org/docs/privacy/.

VIII. Rights of data subjects

The following list covers all rights of the data subjects according to the GDPR. Rights that are not relevant to our own website must not be stated. The list can therefore be shortened.

If your personal data is processed, you shall be the data subject in terms of the GDPR and you have the following rights with regard to the responsible party:

1. Right of access

You can request a confirmation from the responsible party stating whether your personal data is processed.

When such processing is undertaken, you can request the following information from the responsible party:

(1)       The purposes for which personal data is being processed;
(2)       The categories of personal data which are being processed;
(3)       The recipients or categories of recipients to whom your personal data has been or will be disclosed;
(4)       The planned duration of storage of the personal data concerning you or, if no concrete information can be given on this, the criteria for determining the duration of storage;
(5)       The existence of a right to correct or delete the personal data concerning you, the right to restrict processing by the responsible party or the right to object to such processing;
(6)       The existence of a right to complain to a regulatory authority;
(7)       All available information about the origin of the data, when the personal data is not collected from the person concerned;
(8)       The existence of automated decision-making including profiling as per Art. 22 sec. 1 and 4 GDPR and – and as a minimum in these instances – relevant information about the logic involved as well as the impact and the intended effects of such processing for the person concerned.

You have the right to ask for information on whether the personal data is transmitted to a third country or to an international organisation. In this context of transmission, you can ask for information on the appropriate guarantees according to Art. 46 GDPR.

2. Right to correction

You have a right to ask the responsible party to correct and/or complete your personal data, provided the processed personal data is incorrect or incomplete. The responsible party must undertake the correction immediately.

3. Right to restriction of processing

You are entitled to demand the restriction of the processing of personal data relating to you under the following conditions:

(1)       When you question the accuracy of the personal data for a duration, which allows the responsible party to check the accuracy of the personal data;
(2)       When processing is unlawful and you reject the deletion of the personal data and instead ask for the use of the personal data to be restricted;
(3)       The responsible party no longer needs the personal data for the purposes of processing, but you still need the same to assert, exercise or defend legal claims, or
(4)       When you have objected to the processing as per Art. 21 sec. 1 GDPR and it has not as yet been ascertained whether the legitimate grounds of the responsible party outweigh your grounds.

If the processing of the personal data has been restricted, then this data may be processed – apart from storing it – only with your consent or to assert, exercise or defend legal claims or to protect the rights of another individual or legal person or for reasons of important public interest to the Union or a member state.

If the restriction of processing has been imposed due to the above conditions, the responsible party shall inform you before this restriction is lifted.

4. Right to deletion

a) The duty to delete

You can ask the responsible party to delete the personal data concerned immediately and the responsible party shall be obliged to delete this data immediately, provided one of the following reasons apply:

(1)       The personal data is no longer required for the purposes it was collected for or processed otherwise.
(2)       You revoke your consent, upon which processing as per Art. 6 sec. 1 lit. a or Art. 9 sec. 2 lit. a GDPR was based, and there is no other legal basis for processing.
(3)       You object to the processing as per Art. 21 sec. 1 GDPR and there are no overriding legitimate reasons for processing, or you object  to the processing as per Art. 21 sec. 2 GDPR.
(4)       The personal data was processed unlawfully.
(5)       The deletion of personal data is required to fulfil a legal obligation according to Union law or the law of member states the responsible party is subject to.
(6)       The personal data was collected with regards to services offered by the information company as per Art. 8 sec. 1 GDPR.

b) Information to third parties

If the responsible party has published the personal data and is obligated as per Art. 17 sec. 1 GDPR to delete it, then it shall take appropriate measures, including technical support – whilst taking into consideration the available technology and costs of implementation – to inform parties responsible for processing this data that you, as the person concerned, have asked that all links to this personal data or copies or replications of this personal data are deleted.

c) Exceptions

The right to deletion does not apply when processing is required:

(1)       For exercising the right to freedom of expression and information;
(2)       To fulfil a legal duty, which the responsible party is obligated to process according to Union law or the member states law the responsible party is subject to, or to recognise an obligation, which is of public interest or is carried out to exercise an official authority, which has been transferred to the party concerned;
(3)       On grounds of public interest with regards to public health in accordance with Art. 9 sec. 2 lit. h and i as well as Art. 9 sec. 3 GDPR;
(4)       For reasons of archiving i.e. public interest, scientific or historical research purposes or for statistics in accordance with Art. 89 sec. 1 GDPR, in as far as that the right stated under section a) probably would make the realisation of these aims impossible or would seriously hamper them or
(5)       For asserting, exercising or defending legal claims.

5. Right to instruct

If you have asserted the right to correct, delete or restrict the processing with regards to the responsible party, then the party is obligated to inform all recipients to whom the personal data has been disclosed of this correction or deletion of data or restriction of processing, unless it proves impossible or it would involve unreasonable expense.

You have the right to be informed of these recipients in respect of the responsible party.

6. Right to data portability

You have the right to receive the personal data concerning you which you have provided to the responsible party, in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another responsible party without restriction by the responsible party to whom you provided the personal data, if

(1)       Processing is based on consent as per Art. 6 sec. 1 lit. a GDPR or Art. 9 sec. 2 lit. a GDPR or a contract as per Art. 6 sec. 1 lit. b GDPR and
(2)       Processing is carried out using automated procedures.

When exercising this right, you have a further right to insist that the personal data concerned is transmitted directly from one responsible party to another responsible party, provided this is technically possible. This must not affect other person’s freedoms and rights.

The right to data portability does not apply to the processing of personal data, which is needed to perform a task, which is in the public interest or which was transferred to the responsible party in order to exercise an official authority.

7. Right to object

You have the right to object at any time, for reasons that arise due to your particular circumstances, against the processing of personal data concerning you carried out on the basis of Art. 6 sec. 1 lit. e or f GDPR; this also applies to profiling based on this regulation.

The responsible party shall no longer process the personal data concerning you, unless it can prove urgent compelling reasons for processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data is processed for direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling when it is connected to such direct advertising.

If you object to processing for the purposes of direct advertising the personal data will no longer be processed for these purposes.

You have the option to exercise your right to object in connection to use of the services of the information company – irrespective of directive 2002/58/EC – by means of automated procedures, which use technical specifications.

8. Right to withdraw the data protection consent declaration

You have the right to withdraw your data protection consent declaration at any time. Consent can be withdrawn without affecting the legitimacy of the processing that was carried out based on the consent before it was withdrawn.

9. Automated decision-making in individual cases, including profiling

You have the right to not be subjected to exclusively automated processing, including profiling, which has a legal impact on you or impairs you considerably in a similar way. This shall not apply if the decision

(1)       is required for the conclusion of fulfilment of a contract between you and the responsible party,
(2)       is permitted based on legal regulations of the Union or member states, which the responsible party is subject to and if these legal regulations contain appropriate measures to protect your rights and freedoms as well as your legitimate interests or
(3)       is made with your explicit consent.

However, these decisions may not be based on specific categories of personal data according as per Art. 9 sec. 1 GDPR, in so far as Art. 9 sec. 2 lit. a or g GDPR does not apply and appropriate measures to protect your rights and freedoms as well as your legitimate interests have been taken.

With regard to the cases stated in (1) and (3), the responsible party shall take appropriate measures to protect the rights and freedoms as well as your legitimate interests, which, as a minimum, include the right to obtain intervention of a person by the responsible party, present a personal point of view and defend the decision.

10. Right to complain to a regulatory authority

Irrespective of another regulatory or legislative remedy, you have the right to complain to a regulatory authority, in particular in the member state of your residence, workplace or the place of the alleged breach, if you are of the opinion that the processing of personal data is in breach of the GDPR.

The regulatory authority where the complaint is lodged informs the complainant of the status and results of the complaint, including the possibility of legal action as per Art. 78 GDPR.