We, CSS AG (CSS/we), are pleased about your visit to our website and your interest in CSS. In the following regulations we inform you on the type, scope and purpose of the collection and use of your personal data on this website. Personal data is all information referring to an identified or identifiable natural person. It particularly includes your name, your address and your e-mail address.
1. Data Processing to Enable the Use of the Website
With each access to contents of our website connection data is transferred to our web server. These connection details include:
These connection details are not used for drawing conclusions about the user's identity and are not combined with data from other data sources, but serve to provide the website. The legal basis for processing your data is art. 6 para. 1 s. 1 lit. f GDPR. After 7 days at the latest, the data is anonymized by shortening the IP address at domain level.
2. Data Processing on Request
We process your personal data, if you use the following services offered by us:
2.1. Contact Forms
Contact us via the provided form (e.g. for a consultation appointment or to receive information material) your details will be stored so that they can be used to process your enquiry. We would like to point out that data transmission on the internet may be subject to security gaps. Complete protection of data against access by third parties without any gaps is not possible.
The legal basis for processing your data is art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest is then to answer your inquiry. In case pre-contractual measures are taken, the legal basis is art. 6 para. 1 s. 1 lit. b GDPR. For applications, the legal basis is art. 88 together with § 26 para. 1 Federal Data Protection Act.
2.2. CSS Info Service
If you have expressly consented, you will receive our CSS Info Service. With this service we inform you up to 8 times a year about news in the fields Accounting & Finance, Personnel & Management, Controlling, as well as Business English. The CSS Info Service is aimed at specialists and executives in the respective fields.
It is sufficient to provide your e-mail address to receive it. The additional voluntary information about yourself is only used to personalize the newsletter for you.
For the application to the CSS Info Service we use the so-called Double-Opt-In procedure. This means that after your registration we will send you an e-mail to the given e-mail address in which we ask you to confirm that you want us to send and wish receiving the CSS Info Service. If you do not confirm your registration within 30 days, your information will be automatically deleted.
You can revoke your consent at any time with effect for the future. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. There is a link at the end of each newsletter to make your revocation. Alternatively, you can revoke your consent at any time by e-mail to (email@example.com).
Your personal data will be processed on the basis of your explicit consent according to art. 6 para. 1 s. 1 lit. a GDPR.
As part of the registration for the CSS Info Service, we will also save your IP address and the time of registration in order to fulfil our legal documentation obligation. The legal basis for processing your data is art. 6 para. 1 s. 1 lit. f GDPR.
2.3. Online Application
On our website you can apply for a job with us. You have the possibility to use our online application form. Alternatively, you can also apply by e-mail or post.
During the online application process, you will be asked to provide personal information (e.g. name and contact details). Providing certain data is required to establish and implement a possible employment relationship. If you do not provide this information, which is separately marked as mandatory fields, your application is incomplete and cannot be considered in the further application process. The provision of other information and the upload of files or documents (e.g. CV or application photo) is not obligatory but optional. There will not be any disadvantages for your application if you only provide mandatory information,
Once we have received your online application, you will receive an automatic confirmation of receipt. The further communication regarding the application process is then carried out by our HR department.
Your data will be processed by us for the purpose of deciding on the establishment of an employment relationship. The legal basis for the data processing is art. 88 para. 1 GDPR in conjunction with § 26 para. 1 s. 1 Federal Data Protection Act. If special categories of personal data are involved, processing is governed by art. 88 GDPR in conjunction with § 26 para. 3 Federal Data Protection Act. In case of a rejection or the completion of the application procedure, your data will be deleted within 6 months.
3. Data processing for the Demand-Oriented Design of the Website and Tracking
In order to make your use of our website as pleasant as possible, we use so-called web tracking systems. Cookies are usually used for that purpose, i.e. small text files are sent from a web server to your browser and stored on your computer's hard disc. This allows us to recognize your device when you repeatedly visit our website. Most browsers are set to automatically accept cookies. You can deactivate the storage of cookies in your browser and you always have the possibility to delete them from your hard disk However, you can also use your browser to prevent only certain cookies from being set (e.g. cookies from third parties), for example if you want to prevent web tracking. Please refer to the help function of your browser for further information.
Moreover, we would like to point out that you can also install a plugin in your browser to protect your privacy, which allows you to prevent tracking - e.g. AdBlock, Ghostery or NoScript (please refer to the data protection information of the respective plugin provider).
Finally, we would like to point out that if cookies are deactivated, it might happen that not all functions of this website can fully be used.
The legal basis for processing your data derives from art. 6 par. 1 s. 1 lit. f GDPR unless otherwise stated in the following provisions in no. 3.1.ff. Our legitimate interest is the demand-oriented design of the website.
3.1 Cookie Consent with Cookiebot
In order to administer your consent to use tracking tools, we use the cookie content technology "Cookiebot" from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark; Website: www.cookiebot.com/de/ (in the following „Cybot“). In this context, further to the connection data, the granting or refusal of your consent or the revocation of a consent is transferred to Cybot. To enable making the appropriate assignment, Cybot additionally sets a cookie in your browser.
3.2. Google Analytics
Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and operated under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This tracking tool helps us to make the website more interesting for you and to improve the user experience. This involves storing data about the use of our website in pseudonymous user profiles. Cookies may also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called "user ID". The information generated is usually transferred to a Google server in the USA and stored there. We would like to point out that on our website Google Analytics has been extended by the "anonymizeIp" function. This means that your IP address is first shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only then transferred to a Google server in the USA. Google will use the information obtained on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity and providing us with other services relating to website activity and internet usage. The pseudonymised usage profiles will not be merged with personal data about the bearer of the pseudonym without a separately granted consent.
Further information on Google Analytics can be found under:
The legal basis for the use of Google Analytics is your consent, based on section 25 (1) s. 1 TTDSG (Telecommunications Telemedia Data Protection Act) for the storage and access to information in terminal equipment and art. 6 (1) s. 1 lit. a DSGVO (GDPR) for our further processing of your data. You give your respective consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. If you nevertheless wish to consent to the use of this tool, you can select this via the cookie banner.
We use Adobe Typekit to display fonts on our website. Adobe Typekit is a font library access service provided by Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe). When you open a page, the browser loads the required web fonts into your browser cache in order to display texts and font types correctly. On providing the Typekit service, no cookies are placed or used to provide the fonts. To provide the Typekit service, Adobe may collect information about the font used to identify the website itself and the linked Typekit account.
3.5. Facebook Custom Audience Using the Pixel Process (Standard Version)
Facebook has submitted to the EU-US privacy shield, www.privacyshield.gov/EU-US-Framework.
3.6 LinkedIn Insight-Tag
Since we have set up the "do not track" feature, Vimeo does not use third-party analyses as well as advertising cookies, even if you are logged into your Vimeo account.
Our legal basis for processing your data is your consent according to art. 6 (1) s. 1 lit. a GDPR. You give your respective consent via our cookie banner. Please note that Vimeo is a USA company. According to a recent ruling of the EUGH (European Court of Justice), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. Thus, for example, under certain circumstances your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection for data transfer.
Further information on data protection with Vimeo can be found here: https://vimeo.com/privacy, https://vimeo.com/privacy/california-privacy and https://vimeo.com/cookie_policy
4. Our Social Media Appearances
4.1. Links to Social Networks
Our website contains links to social networks (Facebook, XING and YouTube). These social networks are exclusively run by third parties. If you follow the links, your personal data may be processed by the respective social media providers. Please refer to the privacy policies of the social media providers in this regard.
4.2. Data Processing by CSS and Legal Basis
Our social media sites (Facebook, XING, YouTube and Instagram) serve the purpose of informing you about CSS and about new CSS developments, services and products. Depending on the offers of the respective social media providers, you have the option of different interactions (comments, recommendations, etc.) in connection with our social media presence. The interaction of the users is an important criterion for us in order to conduct targeted marketing. For example, this allows us to determine, which contributions are read with preference. Therefore we also use the respective statistics compiled by the social media providers for our own purposes. If we process personal data of social media users, the legal basis for this is art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest then consists in particular in targeted information / advertising. The social media providers will inform you separately about the legal basis on which the social media providers process your data for their own purposes.
4.3. Joint Responsibility
In some cases, we are jointly responsible with the social media providers for processing your personal data. In this case you can assert your rights (see point 9) basically both against us and against the social media provider. However, the social media provider will be your first contact point.
We have concluded an agreement with Facebook Inc, 1 Hacker Way, Menlo Park, California 94025, USA (Facebook) on joint responsibility for processing personal data. This applies with regard to the processing of so-called "Insights data". These are page statistics particularly on the interactions of Facebook users Details to the Insights data can be found here: www.facebook.com/business/pages/manage.
You can view our agreement with Facebook under the following link: www.facebook.com/legal/terms/page_controller_addendum.
With regard to the storage period of your data processed by us for our own purposes, we refer to our explanations under point 7. For the rest, please observe the data protection regulations of the respective social media provider.
5.1. Own Responsibility of LogMeIn
If you visit LogMeIn's website to use GoTo, LogMeIn will be responsible for data processing. However, it is only necessary to access the website in order to download the software for the use of GoTo. You can also use GoTo, if you enter the respective meeting ID and, if required, any further access data for the meeting directly into the GoTo app. If you would not like to use the GoTo app, you can also use the basic functions by means of a browser version.
5.2. Purpose of Processing and Types of Personal Data
We use GoTo to hold phone conferences and/or video conferences, especially in connection with online seminars for interested parties or professional groups and/or within employment relationships („Online-Meetings“). In this context, we process various types of personal data. Type and scope of data particularly depend on the information you provide before or while participating in an online meeting. However, to be identified as an authorised participant, you must at least enter your name. You can deactivate the video and microphone function by means of the GoTo application any time.
Personal data which is used and processed in connection with GoTo includes:
Further details of LogMeIn's data processing can be found in LogMeIn's Data Processing Supplement.
5.3. Data Processing by CSS and Legal Basis
As far as personal data of employees is processed by us, § 26 para. 1 Data Protection Act is the general legal basis for data processing. If special categories of personal data are involved, processing is governed by § 26 para. 3 Federal Data Protection Act.
If, however, in connection with the use of GoTo, personal data is not required for the establishment, execution or termination of the employment relationship, the legal basis for data processing is, in principle, article. 6 para. 1 letter f) GDPR. In these cases our interest is the effective organisation of online meetings. Furthermore, the legal basis for data processing when conducting online meetings is article. 6 para. 1 letter b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships. In special cases (e.g. a recording of online meetings) in which you are asked for a declaration of consent in advance, the legal basis is article. 6 para. 1 letter a) GDPR.
5.4. Data Transfer
Please refer to the LogMeIn Data Processing Supplement.
5.5. Data Transfer to Countries Outside the EU
GoTo is a service provided by a US supplier. Personal data is therefore also processed in a third country. We have entered into an order processing agreement with LogMeIn pursuant to article 28 GDPR. An adequate level of data protection is basically ensured by the conclusion of the so-called EU standard contractual clauses. Please note, however, that according to a recent ruling of the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain circumstances your data may be processed by US authorities for control and monitoring purposes. As for the rest we refer to article 49 GDPR regarding the legal basis for data transfer.
6. Data Transfer to Countries Outside the EU
As far as necessary for our purposes, we also transfer your data to recipients outside the EU if it is ensured that the recipient of the data guarantees an appropriate level of data protection and that there are no other interests worthy of protection speaking against the data transfer.
7. Storage Period for Personal Data / Criteria Determining the Duration
Your personal data will be stored by us for as long as necessary for the mentioned purposes of processing; in case of an objection, no compelling reasons worthy of protection are opposed by CSS or in case of a revocation, there is no other legal basis for data processing. In certain cases, however, e.g. if there is a legal obligation to store your personal data, it is not deleted immediately, but blocked first. For example, the retention period for messages via the contact form with business content can be ten years.
8. Safety Measure to Protect Your Personal Data
We protect your data against unauthorized access, loss or destruction with the help of technical and organizational measures.
Our safety measures are continuously improved according to the technical development. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to confidential handling of personal data. Our employees are trained accordingly.
To protect the personal data of our users, we use a secure online transmission procedure, the so-called "Secure Socket Layer" (SSL) transmission. You will recognize this by the "-s" which is attached to address element http:// (turning it into "https://") or a green closed lock symbol which is displayed. By clicking on the icon you will receive information about the SSL certificate used. Whether the symbol is displayed depends on the browser version you are using. SSL encryption guarantees the encrypted and complete transmission of your data.
9. Your Rights
Within the framework of legal requirements, you have a general claim against CSS for
If the processing of your personal data is based on your consent, you have the right to revoke your consent at any time, with the consequence that processing your personal data will no longer be allowed in future. However, this does not affect the legality of data processing carried out with your consent before your revocation.
Please send your specific request in writing or by e-mail to our data protection officer and make yourself clearly identifiable in this letter.
Mr. Elmar Kümmel
Insofar as we process your data in joint responsibility for the purposes of art. 26 GDPR with the respective social media provider (see no. 4.3.), the social media provider is centrally responsible for exercising all rights of the persons concerned. However, you are at liberty to assert your rights against us as well.
Finally, we would like to draw your attention to your right of appeal to the supervisory authority.
10. No Automatised Single Decision
We will not use your personal data for automatised single decisions.