We, CSS AG (CSS/we), are pleased that you are visiting our website and that you are interested in CSS. In the following provisions we inform you about the type, scope and purpose of the collection and use of your personal data on this website. Personal data is any information relating to an identified or identifiable natural person. This includes in particular your name, your address and your e-mail address.
1. Data processing to enable website use
Every time you access the content of our website, connection data is transmitted to our web server. This connection data includes:
the IP address (Internet Protocol address) of the respective user,
the date and time of the request,
the referrer URL,
Device numbers such as UDID (Unique Device Identifier) and comparable device numbers, device information (e.g. device type) as well as
the browser type / browser version
This connection data is not used to draw conclusions about the person of the user or combined with data from other data sources, but is used to provide the website. The legal basis for the processing of your data is Article 6 Paragraph 1 Clause 1 Letter f GDPR. After 7 days at the latest, the data will be anonymized by shortening the IP address at domain level.
2. Data processing on request
We process your personal data if you use the following service offers from us:
2.1. contact forms
If you contact us via the contact forms provided (e.g. for a consultation appointment or to receive information material), your details will be saved so that they can be used to process your request. We would like to point out that data transmission on the Internet can have security gaps. A complete protection of the data against access by third parties is not possible.
The legal basis for the processing of your data is based on Art. 6 Para. 1 S. 1 lit. f GDPR. Our legitimate interest then consists in answering your request. In the case of the implementation of pre-contractual or contractual measures, the legal basis is Article 6 (1) sentence 1 lit. b GDPR. The legal basis for applications is Art. 88 GDPR in conjunction with Section 26 (1) BDSG.
2.2. CSS info service
If you have given your express consent, you will receive our CSS information service. With this we inform you up to 8 times a year about news from the areas of accounting & finance, human resources & management, controlling and business English. The CSS Infoservice is aimed at specialists and executives from the respective areas.
It is sufficient to provide your e-mail address for receipt. The additional voluntary information about you is only used to personalize the newsletter for you.
We use the so-called double opt-in procedure to register for the CSS Infoservice. This means that after you have registered, we will send you an e-mail to the e-mail address you provided, in which we ask you to confirm that you would like the CSS Infoservice to be sent or received. If you do not confirm your registration within 30 days, your information will be automatically deleted.
You can revoke your consent at any time with effect for the future. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation. There is a link at the end of each newsletter for exercising the revocation. Alternatively, you can revoke your consent at any time by sending an email to (firstname.lastname@example.org).
The processing of your personal data takes place on the basis of your express consent in accordance with Article 6 Paragraph 1 Clause 1 Letter a GDPR.
As part of the registration for the CSS Infoservice, we also save your IP address and the time of registration in order to be able to fulfill our legal documentation obligations. In this case, the legal basis for data processing is Art. 6 (1) sentence 1 lit. c GDPR.
2.3. Online application
You can apply for a job with us on our website. You have the option of using our online application form. Alternatively, you can also apply by email or post.
As part of the online application, you will be asked for personal information (e.g. name and contact details). The provision of certain data is required to establish and carry out a possible employment relationship. If you do not provide these data, which are marked separately as mandatory fields, your application is incomplete and cannot be further considered in the application process. The provision of other information and the upload of files or documents (e.g. CV or application photo) is not mandatory, but optional. If you only provide mandatory information, there will be no disadvantages for your application.
After we have received your online application, you will receive an automatic confirmation of receipt from us. Further communication regarding the application process then takes place via our HR department.
Your data will be processed by us for the purpose of making a decision on the establishment of an employment relationship. The legal basis for data processing is Art. 88 (1) GDPR in conjunction with Section 26 (1) sentence 1 BDSG. If special categories of personal data are affected, the processing is based on Art. 88 GDPR in conjunction with Section 26 (3) BDSG. In the event of a rejection or the completion of the application process, your data will be deleted within 6 months.
3. Data processing for the needs-based design of the website and tracking
In order to make the use of our website as pleasant as possible for you, we use so-called web tracking systems. Cookies are usually used for this purpose, i.e. small text files that are sent to your browser from a web server and stored on your computer's hard drive. This enables us to recognize the end device you are using when you visit the website again. Most browsers are set to automatically accept cookies. You can deactivate the storage of cookies in your browser and have the option of deleting them from your hard drive at any time. However, you can also use your browser to prevent only certain cookies from being set (e.g. third-party cookies), for example if you want to prevent web tracking. You can find more information on this in the help function of your browser.
We would also like to point out that you can also install a plugin in your browser to protect your privacy, which offers the option of preventing tracking - e.g. AdBlock, Ghostery or NoScript (please note the data protection information of the respective plugin provider). Finally, we would like to point out that if cookies are deactivated, you may not be able to use all the functions of this website to their full extent.
The legal basis for the processing of your data follows, insofar as the following provisions in Section 3.1.ff. not shown differently, from Article 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in the needs-based design of the website.
3.1. Cookie consent with Cookiebot
In order to be able to administer your consent to the use of tracking tools, we use the cookie consent technology "Cookiebot" from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark; Website: www.cookiebot.com/de/ (hereinafter "Cybot"). In this context, in addition to the connection data, the granting or rejection of your consent or the revocation of consent are transmitted to Cybot. In order to be able to make the appropriate assignment, Cybot also sets a cookie in your browser.
Detailed information about our cookies and the possibility of changing your consent can be found in our cookie information.
3.2. Google Analytics
Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and operating under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This tracking tool helps us to make our website more interesting for you and to improve the user experience. Data about the use of our website is stored in pseudonymous user profiles. Cookies can also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called "User ID". The information generated is usually first sent to a Google server within the EU.
By default, Google automatically anonymises the IP addresses of users when collecting user data. In addition, the IP addresses are neither logged nor stored by Google. However, the shortening of the IP addresses does not mean that the complete data processing is carried out anonymously. When using Google Analytics, usage data is collected that is to be evaluated as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example. On our behalf, Google will use the information obtained via Google Analytics to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website activity and internet usage. The pseudonymised usage profiles are not merged with personal data about the bearer of the pseudonym without a separate consent.
You can find more information about Google Analytics at:
Please note that Google also has independent access to your data collected via Google Analytics and can also use this data for its own purposes. In this way, Google can link this data with other data about you, such as search history, your personal account, usage data from other devices and all other data that Google has about you.
The legal basis for the use of Google Analytics is your consent, based on Section 25 Paragraph 1 Clause 1 TTDSG for the storage and access to information in end devices and Article 6 Paragraph 1 Clause 1 lit processing of your data. You give your consent via our cookie banner. Please note that Google is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and there is therefore a risk for the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed as suitable guarantees to ensure an appropriate level of protection during data transmission.
We use Adobe Typekit to display fonts on our website. Adobe Typekit is a font library access service provided by Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe). When you call up a page, your browser loads the required web fonts into your browser cache in order to display text and fonts correctly. In the course of providing the Typekit service, no cookies are placed or used to provide the fonts. In order to provide the Typekit service, Adobe may collect information about the font used to identify the website itself and the connected Typekit account.
3.4. Facebook Custom Audience via the pixel method (standard version)
We use the "Facebook Custom Audience" product offered by Meta Platforms Ireland Limited (formerly Facebook Ireland Ltd.), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta") via the pixel process (standard version ). Cookies are used in this process (see Section 3). The legal basis for the use of Facebook Custom Audience is your consent, based on Section 25 Paragraph 1 Clause 1 TTDSG for the storage and access to information in end devices and Article 6 Paragraph 1 Clause 1 lit. a GDPR for ours further processing of your data. You give your consent via our cookie banner.
Please note that Meta is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and there is therefore a risk for the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. In the event that data is transmitted to Meta Platforms Inc. in the USA, the new standard data protection clauses have been agreed between Meta Platforms Ireland Limited and Meta Platforms Inc.
Meta collects and stores usage data in pseudonymous profiles for the purpose of web analysis or to enable interest-based advertising. This allows us to track user actions after they have seen or clicked on a Facebook ad. This allows us to record the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Meta, about which we will inform you according to our level of knowledge. Meta can connect this data to your Facebook account and also use it for its own advertising purposes in accordance with Meta's data usage policy. More information on data processing by Meta can be found in Meta's data protection declaration (https://www.facebook.com/privacy/explanation) and https://de-de.facebook.com/notes/facebook-and-privacy/relevant-ads-that-protect-your-privacy/457827624267125/.
In addition to us, Meta itself is also responsible for data processing. Meta processes the data in accordance with Meta's data usage guidelines. See Meta's Data Use Policy for details. Specific information and details about the Facebook pixel and how it works can be found in the Meta help section.
In this respect, we are jointly responsible with Meta within the meaning of Art. 26 GDPR for the processing of your personal data. In this case, you can generally assert your rights (see Section 11) both against us and against Meta. However, Meta serves as the first point of contact. We have concluded an agreement on joint controllership for the processing of personal data with Meta. You can view these under the following link: https://www.facebook.com/legal/controller_addendum.
3.5. LinkedIn Insight-Tag
On our website we use the tool Leadinfo from the provider Leadinfo B.V., Breite Str. 27, 40213 Düsseldorf ("Leadinfo"). This tool allows us to determine the names of the companies that visit our website and thus make more targeted B2B marketing efforts. Leadinfo identifies B2B website visitors by their IP address and creates profiles for them using information from publicly available databases. Cookies are also used for this. In addition, Leadinfo analyzes the behavior of website visitors, e.g. the length of stay on the website or which pages the user has visited.
If it turns out that a website visit is not from a company but from a private individual, the IP address of this visitor will be deleted and no profile will be created.
The legal basis for the use of Leadinfo is your consent, based on Section 25 Paragraph 1 Clause 1 TTDSG for the storage and access to information in end devices and Article 6 Paragraph 1 Clause 1 lit. a GDPR for our further processing your data. You give your consent via our cookie banner.
Our legal basis for the processing of your data is your consent, based on Section 25 Paragraph 1 Clause 1 TTDSG for the storage and access to information in end devices and Article 6 Paragraph 1 Clause 1 lit. a GDPR for our further processing your data. You give your consent via our cookie banner. Please note that Vimeo is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and there is therefore a risk for the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed as suitable guarantees to ensure an appropriate level of protection during data transmission.
Für unsere Online Marketing-Aktivitäten verwenden wir den Dienst von HubSpot Inc., ein Software-Unternehmen aus den USA, 25 First Street, Cambridge, MA 02141 USA, mit einer Niederlassung in Irland, Ground Floor, Two Dockland Central, Guild St, North Dock, Dublin, D01 K2C5, Irland („HubSpot“).
Bei HubSpot handelt es sich um eine integrierte Software-Lösung, mit der wir verschiedene Aspekte unseres Online Marketings abdecken. Dazu zählen unter anderem: E-Mail-Marketing, Kontaktmanagement (z.B. Nutzersegmentierung & CRM) sowie die Datenverarbeitung über Kontaktformulare.
Über unsere Kontaktformulare können Nutzer unserer Website z.B. mehr über die Produkte und Dienstleistungen von CSS erfahren und ihre Kontaktinformationen sowie weitere Informationen zur Verfügung stellen. Diese Informationen werden dann auf Servern unseres Softwarepartners HubSpot gespeichert. Sie können von uns genutzt werden, um mit Nutzern unserer Website in Kontakt zu treten und um zu ermitteln, welche Leistungen von uns für sie interessant sind. Alle von uns erfassten Informationen unterliegen dieser Datenschutzerklärung.
Wir nutzen alle erfassten Informationen ausschließlich zur Optimierung unserer Marketing-Maßnahmen.
Die Rechtsgrundlage für die Verwendung von HubSpot ist Ihre Einwilligung, basierend auf § 25 Abs. 1 S. 1 TTDSG für die Speicherung und den Zugriff auf Informationen in Endeinrichtungen sowie Art. 6 Abs. 1 S. 1 lit. a DSGVO für unsere weitere Verarbeitung Ihrer Daten. Ihre entsprechende Einwilligung erteilen Sie über unseren Cookie-Banner. Bitte beachten Sie, dass es sich bei HubSpot um ein Unternehmen aus den USA handelt. Nach einem aktuellen Urteil des Europäischen Gerichtshofs (EuGH) besteht in den USA kein angemessenes Datenschutzniveau und damit ein Risiko für den Schutz Ihrer Daten. So können z.B. unter bestimmten Voraussetzungen Ihre Daten durch US-Behörden zu Kontroll- und Überwachungszwecken verarbeitet werden. Als geeignete Garantien zur Gewährleistung eines angemessenen Schutzniveaus bei der Datenübermittlung wurden die neuen EU-Standarddatenschutzklauseln vereinbart.
Nähere Informationen zum Datenschutz bei HubSpot finden Sie unter:
Our website contains links to social networks (Facebook or Meta, XING and YouTube). These social networks are operated exclusively by third parties. If you follow the links, your personal data may be processed by the respective social media provider. In this regard, please note the data protection notices of the social media providers.
4.2. Data processing by CSS and legal basis
Our social media appearances (Facebook or Meta, XING, YouTube and Instagram) serve the purpose of informing you about CSS and new developments, services and products from CSS. Depending on the offer of the respective social media provider, you have, for example, the possibility of different interactions (comments, recommendations, etc.) in connection with our social media presence. User interaction is an important criterion for us in order to conduct targeted marketing. In this way we can, for example, determine which articles are preferably read. We therefore also use the statistics determined in this regard by the social media providers for our own purposes. If we process personal data of social media users, the legal basis for this is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest then consists in particular in targeted information/advertising. You will be informed separately by the social media providers about the legal basis on which the social media providers process your data for their own purposes.
4.3. Shared Responsibility
In individual cases, we are jointly responsible with the social media providers for the processing of your personal data. In this case, you can exercise your rights (see Section 10) in principle. us as well as claim against the social media provider. The first point of contact, however, is the social media provider.
We have also concluded an agreement on joint responsibility with LinkedIn Ireland in relation to so-called “page insights”. With the page insights, LinkedIn Ireland does not provide us with any personal data, only aggregated data from you. It is not possible for us to draw conclusions about individual users from the information on the page insights. Details of the Page Insights and our agreement with LinkedIn Ireland can be found at the following link:
Please note that Facebook and LinkedIn Ireland also process your data outside of the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and there is therefore a risk for the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes.
With regard to the storage period of the data we process from you for our own purposes, we refer to our explanations under Section 9. In addition, please note the data protection regulations of the respective social media provider.
In the following provisions we inform you about the type, scope and purpose of the collection and use of your personal data in connection with the online platform GoToMeeting/GoToWebinar ("GoTo"). In all other respects, the general data protection notices (in particular regarding the responsibility of CSS, the duration for which personal data is stored and your rights) apply in this data protection declaration.
GoTo is a service provided by LogMeIn Inc., 320 Summer Street, Boston, MA 02210, which is based in the USA ("LogMeIn"). For more information from LogMeIn on privacy at GoTo, see
If you access the LogMeIn website to use GoTo, LogMeIn is responsible for data processing. However, it is only necessary to call up the website in order to download the software for using GoTo. You can also use GoTo if you enter the respective meeting ID and, if necessary, other access data for the meeting directly in the GoTo app. If you do not want to use the GoTo app, the basic functions can also be used via a browser version.
5.2. Purpose of processing and types of personal data
We use GoTo to conduct telephone conferences and/or video conferences, in particular in connection with online seminars for interested parties and specialist groups and/or employment relationships ("online meetings"). In this context, various types of personal data are processed by us. The type and scope of the data depends in particular on what information you provide before or when you participate in an online meeting. However, in order to be able to identify you as an authorized participant, you must at least provide your name. You can deactivate the video or microphone function at any time via the GoTo application. Personal data processed in connection with GoTo includes:
Profile data: first name, last name, phone number (optional), email address, password (if "single sign-on" is not used), profile picture (optional), department (optional)
Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information
Call History Data: Incoming and outgoing phone number details, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
Content Data: You may have the option to use chat, question, or survey features in an online meeting. Your text entries and other released data will be processed in order to display them in the online meeting
Insofar as personal data of employees is processed by us, the legal basis for data processing is generally Section 26 (1) BDSG. If special categories of personal data are affected, the processing is based on Section 26 (3) BDSG. If, on the other hand, personal data is not required for the establishment, implementation or termination of the employment relationship in connection with the use of GoTo, Art. 6 Paragraph 1 lit. f) GDPR is the legal basis for data processing. In these cases, our interest is in conducting online meetings effectively. Otherwise, the legal basis for data processing when holding online meetings is Art. 6 (1) b) GDPR, insofar as the meetings are held within the framework of contractual relationships. In special cases (e.g. a recording of online meetings) in which you are asked for a declaration of consent in advance, the legal basis is Article 6 (1) (a) GDPR.
GoTo is a service provided by a US based provider. Processing of the personal data also takes place in a third country. We have concluded an order processing contract with LogMeIn in accordance with Art. 28 GDPR. An appropriate level of data protection is generally ensured by the conclusion of the so-called EU standard contractual clauses. Please note, however, that according to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and there is therefore a risk for the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. In addition, we refer to Art. 49 GDPR with regard to the legal basis for data transmission.
6. Moodle learning platform
As part of our training offer, the CSS Academy, we offer you online courses on various topics related to our eGECKO software. For this we use our learning platform Moodle, which is based on the Moodle LMS software from the provider Moodle Pty Ltd., PO Box 303, West Perth WA 6872, Australia ("Moodle").
The login function gives you access to the learning platform. For this purpose, you must first enter your user name and choose your password (“login data”). A password should be at least 8 characters long and, if possible, always consist of a combination of letters in upper and lower case, numbers and special characters. Trivial passwords such as "ABC" or keyboard sequences (e.g. "qwert" or "asdfgh"), all types of names (e.g. of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands are problematic , license plates, terms, dates of birth, phone numbers, common abbreviations, etc.
Login data must be kept strictly confidential. Should it nevertheless have been passed on, for example in order to enable third parties to access certain databases in an emergency, the password must be changed immediately. For your own protection, it is forbidden to reuse passwords that have already been used.
In addition, connection data (e.g. IP address, browser type, date and time of access) are collected from you when you log in. This is necessary to ensure the security of our information technology systems. CSS also sets a session cookie (“MoodleSession”) every time you log in. This session cookie prevents automatic logout during active use of the user account or related services. After each logout, the session cookie is automatically deleted within a few minutes.
The legal basis for the processing of your data in connection with accessing Moodle, logging in and using the connection data and the session cookie is Article 6 Paragraph 1 Sentence 1 lit. f GDPR. Our legitimate interest lies in providing you with easy access to the learning platform via our website.
6.2. Data processing while using Moodle
When using Moodle, we process various types of personal data. The type and scope of the data depend in particular on the information you provide. The personal data that we process in connection with Moodle includes:
Connection data (e.g. IP address, browser type, date and time of access)
Access data (user name, password in encrypted form, e-mail address, first name, last name, company)
Content data (e.g. forum posts, quiz)
Course data (e.g. enrolled courses, course participation)
The aforementioned data can be viewed by the employees of the CSS Academy. All of these employees are sworn to secrecy. Your profile data, your e-mail address (if you have released it in the profile settings) and the content data are visible to other course participants.
The legal basis for our processing of your data is Art. 6 Para. 1 S. 1 lit. b GDPR.
7. Data Transfer
Your personal data will only be transmitted to third parties or other recipients if there is legal permission to do so or if you have given your prior consent. For example, data is transmitted to our technical service provider (server hosting) and service provider for the provision of marketing (sending the newsletter) and training services (CSS Academy). If necessary, we have concluded contracts for order processing with the recipients of your data in accordance with Art. 28 GDPR. We only pass on your data to government agencies within the framework of legal obligations or on the basis of an official order or court decision.
8. Data transfer to countries outside the EU
If necessary for our purposes, we also transfer your data to recipients outside the EU if you have given your consent, there is a legal obligation or the data transfer is permitted on the basis of another legal basis.
9. Duration for which personal data is stored / criteria for determining the duration
Your personal data will be stored by us for as long as is necessary for the aforementioned processing purposes; in the event of an objection, there are no compelling reasons worthy of protection by CSS or, in the event of a revocation, there is no other legal basis for the data processing. In certain cases, e.g. if there is a legal obligation to retain data, your personal data will not be deleted immediately but initially blocked. The retention period for messages via the contact form with a business content can be ten years.
10. Security measure to protect your personal data
We use technical and organizational measures to protect your data from unauthorized access, loss or destruction. Our security measures are continuously improved in line with technological developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to treat personal data confidentially. Our employees are trained accordingly.
To protect the personal data of our users, we use a secure online transmission method, the so-called "Secure Socket Layer" (SSL) transmission. You can recognize this by the fact that an "s" ("https://") is appended to the http:// address component or a green, closed padlock symbol is displayed. By clicking on the symbol you will receive information about the SSL certificate used. The display of the symbol depends on the browser version you are using. The SSL encryption ensures the encrypted and complete transmission of your data.
11. Your Rights
Within the framework of the legal requirements, you have a basic right to claim against CSS
Confirmation as to whether personal data relating to you will be processed by CSS,
Information about this data and the circumstances of processing,
Correction if this data is incorrect,
Deletion, insofar as there is no justification for the processing and no obligation to store it (any longer),
Restriction of processing in special cases determined by law,
Objection in the case of data processing on the basis of Article 6 Paragraph 1 Sentence 1 lit. f GDPR and
Transmission of your personal data - insofar as you have provided them - to you or a third party in a structured, common and machine-readable format.
If the processing of your personal data is based on your consent, you have the right to revoke your consent at any time, with the result that the processing of your personal data will be inadmissible for the future. However, this does not affect the legality of the processing carried out on the basis of the consent until the revocation.
Please address your specific request in writing or by e-mail to our data protection officer, clearly identifying yourself:
Insofar as we process your data in joint responsibility within the meaning of Article 26 GDPR with the respective social media provider (see section 4.3.), the social media provider is responsible for exercising all of the rights of the data subject. However, you are free to assert your rights against us.
Finally, we would like to draw your attention to your right to lodge a complaint with the supervisory authority.
12. No automated individual decision-making
We do not use your personal data for automated individual decisions.
New legal requirements, business decisions or technical developments may require changes to our data protection declaration. The data protection declaration will then be adjusted accordingly. You can always find the latest version on our website.