The party responsible under data protection legislation (in particular the EU’s General Data Protection Regulations, GDPR) is:
CRUSE Offshore GmbH (COG)
Eppendorfer Marktplatz 10
E-mail address: email@example.com
You can exercise the following rights at any time using the contact details provided above:
• Information regarding data about you stored with us and its processing (Art. 15 of the GDPR),
• Correction of incorrect personal data (Art. 16 of the GDPR),
• Deletion of data about you that is stored with us (Art. 17 of the GDPR),
• Restriction of data processing (provided that we are not entitled to delete your data on the basis of legal obligations) (Art. 18 of the GDPR),
• Objection to us processing your data (Art. 21 of the GDPR) and
• Transferability of data if you have consented to the processing of your data or have entered into a contract with us (Art. 20 of the GDPR).
If you have given us consent, you can revoke it any time, with future effect. You can refer a complaint to a regulatory authority at any time, such as to the competent supervisory authority of the Federal State of your place of residence or to our relevant responsible office with competent authority status. A list of regulatory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Type of data to be processed
• Inventory data (e.g. names, addresses)
• Contact data (e.g. e-mail, telephone numbers)
• Content data (e.g. text entries, photographs, videos)
• Usage data (e.g. websites visited, interest in contents, times of access)
• Meta-/communications data (e.g. devices information, IP addresses)
Categories of persons affected
Visitors to and users of our online offering (we hereinafter also refer to persons concerned collectively as “Users”).
Purpose of processing
Provision of the online offering, and its functions and contents Answering contact requests and communication with users Security measures Reach measurement/marketing
“Personal Data” means all information relevant to an identified or identifiable natural person (hereinafter known as the “person concerned”); a natural person is accepted as identifiable if they can be identified, directly or indirectly, in particular by means of relation to an identifier, such as a name, an identification number, location data, an online identifier (e.g. cookies) or by one or more particular features which constitute an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of the said natural person.
“Processing” means any process or sequence of processes in connection with personal data, performed with or without the aid of automated procedures. The term has a broad meaning; it includes practically every process related to data.
“Pseudonymisation” means the processing of personal data in such a way that personal data can no longer be assigned to a specific person concerned without the need for additional information, provided that the said additional information is stored separately and there are technical and organisational measures in place which guarantee that the said personal data cannot be assigned to any identified or identifiable natural person.
“Profiling” means any type of automated processing of personal data with the intent of using the said personal data to evaluate certain personal aspects relevant to a natural person, in particular aspects pertinent to analysing or predicting elements of the said natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of location.
A “party responsible” means the natural or legal person, authority, institution or other body which, whether alone or together with others, makes decisions regarding the purposes and the means for processing of personal data. “Processor” means a natural or legal person, authority, institution or other body which processes personal data on behalf of the party responsible.
Relevant legal bases
The legal basis for obtaining consent is Art. 6 (1) (a) and Art. 7 of the GDPR; the legal basis for the processing of data as part of the fulfilment of our services and the execution of contractual measures and for answering queries is Art. 6 (1) (b) of the GDPR; the legal basis for the processing of personal data as part of the fulfilment of our legal obligations is Art. 6 (1) (c) of the GDPR; and the legal basis for the processing of personal data for the purpose of safeguarding our legitimate interests is Art. 6 (1) (f) of the GDPR. In the event that vital interests of any given person concerned or another natural person make the processing of personal data necessary, Art. 6 (1) (d) of the GDPR shall serve as the legal basis in this regard.
We take appropriate technical and organisational measures under Art. 32 of the GDPR – taking into consideration technological status, implementation costs, and the type and scope and conditions and purposes for the processing of personal data, as well as varying risk probability and severity with regard to natural persons’ rights and liberties – in order to guarantee a level of protection appropriate to the risk.
These measures include the following in particular: securing confidentiality, integrity and availability of data by monitoring physical access to it, including the access conditions with respect to the latter and its input, disclosure, protection of availability and separation. We have also established procedures that guarantee observance of the rights of persons concerned, the deletion of data and response to compromised data. We also take into account the protection of personal data during the development/selection of hardware or software and individual procedures, in accordance with the principle of data protection through technology design and privacy-friendly default settings (Art. 25 of the GDPR).
Collaboration with processors and third parties
If we disclose data to other persons and companies (processors or third parties) as part of our data processing, forward it to them or otherwise grant them access to data, this may be done only on the basis of a statutory permit (e.g. if it is necessary to transfer data to third parties, or to lettershops (as per Art. 6 (1) (b) of the GDPR) for the purpose of contractual fulfilment), you have consented, there is a legal obligation mandating it or if it is relevant to our legitimate interests (e.g. when using agents, web hosters, etc.).
If we commission third parties to process data on the basis of a so-called “order processing agreement”, this shall be performed on the basis of Art. 28 of the GDPR.
Transmission to third party countries
If we process data in a third party country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or this happens in the context of use of third party services or of disclosure or transmission of data to third parties, this may be done only for the purpose of fulfilment of our (pre)-contractual obligations, or on the basis of your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permission, we will process data (or allow it to be processed) in a third party country only if the special conditions included in Art. 44 ff. of the GDPR apply. That is to say: such processing can be carried out on the basis of special guarantees, such as the officially recognised establishment of an EU-standard data protection level (e.g. with the “Privacy Shield” in the case of the USA) or the observation of officially recognised special contractual obligations (so-called “standard contractual clauses”).
Right of revocation
You can revoke future processing of data applicable to you, at any time, pursuant to Art. 21 of the GDPR. Such a revocation can be initiated in particular to prevent processing of data for direct marketing purposes.
Cookies and right of revocation with direct marketing
“Cookies” are small files stored on users’ computers. Different kinds of information can be stored within cookies. The primary purpose of a cookie is to save information on a user (or on the device on which the cookie is saved) during or after their visit as part of an online offering. Cookies that are deleted after a user has left an online offering and closed their browser are labelled as temporary cookies, “session cookies” or “transient cookies”. Aspects that can be saved in such a cookie include the content of a shopping cart in an online shop or a login status. Cookies are known as “permanent” or “persistent” if they remain saved after the browser has been closed. With this, login status, for example, can be saved if the users visit again after several days. The interests of users can also be saved in such a cookie, for use for range measurement or marketing purposes. Cookies offered by providers other than the party responsible (i.e. that has provided the online offering), are known as “third-party cookies” (otherwise, if it’s only their own cookies, these are known as “first-party cookies”).
If you, as the user, do not want cookies to be stored on your computer, you will be asked to deactivate the appropriate option in the system settings of your browser. Saved cookies can be deleted in the system settings of your browser. Exclusion of cookies can lead to functional restrictions with the online offering.
Deletion of data
In accordance with existing legal requirements in Germany, the period for such storage may be 10 years (pursuant to §§ 147 (1) of the German Fiscal Code, 257 (1) (1) and (4) of the German Commercial Code (for books, records, status reports, accounting documents, trading books, for taxation of relevant documents, etc.)) or 6 years (pursuant to § 257 (1) nos. (2) and (3) of and Clause 4 of the German Commercial Code (business letters)).
When we are contacted (e.g. via e-mail or telephone), the information of the user in question shall be processed as part of the processing of the contact request and its conclusion in accordance with Art. 6 (1) (b) (as part of contractual/pre-contractual relationships) or Art. 6 (1) (f) of the GDPR (in connection with our own legitimate interests). Your data will be deleted as soon as your request has been finally answered and such deletion is not precluded by any statutory retention obligations e.g. with any subsequent contract.
Hosting and e-mail dispatching
The hosting services that we use serve the purpose of provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatching, security services and technical maintenance services that we employ as part of the operation of this online offering.
As part of this, we/our hosting provider process inventory data, contact data, content data, contract data, usage data, and metadata and communication data of clients and prospective clients and visitors to this online offering, on the basis of our legitimate interests pertinent to providing this online offering in an efficient and secure manner as per Art. 6 (1) (f) of the GDPR in conjunction with Art. 28 of the GDPR.
Collection of access data
We/our hosting provider collect data on each access to the server which hosts this service, on the basis of our legitimate interests as per Art. 6 (1) (f) of the GDPR (so-called server log files). Said access data includes: name of the requested website, file, date and time of the request, volume of transferred data, notification of successful request, browser type and version, the user’s operating system, the referrer URL (the site visited previously), the IP address and the requesting provider.
Log file information shall be saved for a maximum period of 7 days, for security reasons (e.g. in the interests of investigation of abuse or fraud), after which it shall be deleted. Data which needs to be retained for longer for evidence purposes shall be exempt from such deletion up until the time of the final clarification of the incident in question.