Zur Hauptnavigation springenZum Inhalt springen

Privacy Policy

We, CSS AG (CSS/we), are pleased about your visit to our website and your interest in CSS. In the following regulations we inform you on the type, scope and purpose of the collection and use of your personal data on this website. Personal data is all information referring to an identified or identifiable natural person. It particularly includes your name, your address and your e-mail address.

1. Data Processing to Enable the Use of the Website

With each access to contents of our website connection data is transferred to our web server.  These connection details include:

  • the IP address (Internet Protocol Address) of the respective users
  • date and time of the inquiry
  • the referrer URL
  • device numbers like UDID (Unique Device Identifier) and similar device numbers, device information (e.g. device type) as well as
  • browser type/browser version

These connection details are not used for drawing conclusions about the user's identity and are not combined with data from other data sources, but serve to provide the website.  The legal basis for processing your data is art. 6 para. 1 s. 1 lit. f GDPR. After 7 days at the latest, the data is anonymized by shortening the IP address at domain level.

2. Data Processing on Request

We process your personal data, if you use the following services offered by us:

2.1. Contact Forms

Contact us via the provided form (e.g. for a consultation appointment or to receive information material) your details will be stored so that they can be used to process your enquiry.  We would like to point out that data transmission on the internet may be subject to security gaps.  Complete protection of data against access by third parties without any gaps is not possible.

The legal basis for processing your data is art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest is then to answer your inquiry.  In case pre-contractual measures are taken, the legal basis is art. 6 para. 1 s. 1 lit. b GDPR.  For applications, the legal basis is art. 88 together with § 26 para. 1 Federal Data Protection Act.

2.2. CSS Info Service

If you have expressly consented, you will receive our CSS Info Service. With this service we inform you up to 8 times a year about news in the fields Accounting & Finance, Personnel & Management, Controlling, as well as Business English.  The CSS Info Service is aimed at specialists and executives in the respective fields.

It is sufficient to provide your e-mail address to receive it. The additional voluntary information about yourself is only used to personalize the newsletter for you.

For the application to the CSS Info Service we use the so-called Double-Opt-In procedure. This means that after your registration we will send you an e-mail to the given e-mail address in which we ask you to confirm that you want us to send and wish receiving the CSS Info Service. If you do not confirm your registration within 30 days, your information will be automatically deleted.

You can revoke your consent at any time with effect for the future. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. There is a link at the end of each newsletter to make your revocation. Alternatively, you can revoke your consent at any time by e-mail to (marketing@css.de).

Your personal data will be processed on the basis of your explicit consent according to art.  6 para. 1 s. 1 lit. a GDPR.

As part of the registration for the CSS Info Service, we will also save your IP address and the time of registration in order to fulfil our legal documentation obligation.  The legal basis for processing your data is art. 6 para. 1 s. 1 lit. f GDPR.

2.3. Online Application

On our website you can apply for a job with us. You have the possibility to use our online application form. Alternatively, you can also apply by e-mail or post.

During the online application process, you will be asked to provide personal information (e.g. name and contact details). Providing certain data is required to establish and implement a possible employment relationship. If you do not provide this information, which is separately marked as mandatory fields, your application is incomplete and cannot be considered in the further application process. The provision of other information and the upload of files or documents (e.g. CV or application photo) is not obligatory but optional. There will not be any disadvantages for your application if you only provide mandatory information,

Once we have received your online application, you will receive an automatic confirmation of receipt. The further communication regarding the application process is then carried out by our HR department.

Your data will be processed by us for the purpose of deciding on the establishment of an employment relationship. The legal basis for the data processing is art. 88 para. 1 GDPR in conjunction with § 26 para. 1 s. 1 Federal Data Protection Act.  If special categories of personal data are involved, processing is governed by art. 88 GDPR in conjunction with § 26 para. 3 Federal Data Protection Act. In case of a rejection or the completion of the application procedure, your data will be deleted within 6 months.

3. Data processing for the Demand-Oriented Design of the Website and Tracking

In order to make your use of our website as pleasant as possible, we use so-called web tracking systems. Cookies are usually used for that purpose, i.e. small text files are sent from a web server to your browser and stored on your computer's hard disc.  This allows us to recognize your device when you repeatedly visit our website. Most browsers are set to automatically accept cookies. You can deactivate the storage of cookies in your browser and you always have the possibility to delete them from your hard disk However, you can also use your browser to prevent only certain cookies from being set (e.g. cookies from third parties), for example if you want to prevent web tracking.  Please refer to the help function of your browser for further information.

Moreover, we would like to point out that you can also install a plugin in your browser to protect your privacy, which allows you to prevent tracking - e.g. AdBlock, Ghostery or NoScript (please refer to the data protection information of the respective plugin provider).
Finally, we would like to point out that if cookies are deactivated, it might happen that not all functions of this website can fully be used.

The legal basis for processing your data derives from art. 6 par. 1 s. 1 lit. f GDPR unless otherwise stated in the following provisions in no. 3.1.ff. Our legitimate interest is the demand-oriented design of the website.

3.1 Cookie Consent with Cookiebot

In order to administer your consent to use tracking tools, we use the cookie content technology "Cookiebot" from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark; Website: www.cookiebot.com/de/ (in the following „Cybot“). In this context, further to the connection data, the granting or refusal of your consent or the revocation of a consent is transferred to Cybot. To enable making the appropriate assignment, Cybot additionally sets a cookie in your browser.

Cybot is used to obtain the legally required consent for the use of cookies. The legal basis for this is art. 6 para. 1 s. 1 lit. c GDPR.

3.2. Google Analytics

Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and regulated under Irish law with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This tracking tool helps us to make our website more interesting for you and to improve the user experience. Data about the use of our website is stored in pseudonymous user profiles.  Cookies may also be used for this purpose. Moreover, data from various devices, sessions and interactions can be linked with a so-called "User ID". The information generated is usually transferred to a Google server in the USA and stored there.  We would like to point out that the "anonymizeIp" function has been added to Google Analytics in our website.  As a result, within member states of the European Union or in other signatory states to the Agreement on the European Economic Area your IP address will be shortened first by Google and only afterwards transferred to a Google server in the USA. Google has submitted to the EU-US privacy shield, www.privacyshield.gov/EU-US-Framework. On our behalf Google will make use of this information to analyse your use of our website, to draw up reports on the website activities and to provide us with further services with regard to the use of web pages and the internet.  The pseudonymized user profiles will not be combined with personal data about the person using this pseudonym without a separately given consent.

Further information on Google Analytics can be found under:

The legal basis for processing your data is your consent according to art. 6 para. 1 s. 1 lit. f GDPR. You give your corresponding consent via our cookie banner. As described above in point 3, you can prevent the use of cookies by selecting the appropriate settings in your browser software or object to the use of cookies in the future. You can also prevent the recording of data generated by the cookie and related to your use of our website by downloading and installing the browser plugin available under following link: (tools.google.com/dlpage/gaoptout)

Moreover you can prevent recording by means of Google Analytics by clicking on the following text:  Google Tag Manager / Deactivating Google Analytics. In this way you set an opt-out cookie, which prevents future recording of your data when you visit our website.  If you use different devices, you must carry out the above-mentioned measures on each device. Please note, however, that if you delete your cookies, this means that the opt-out cookie will also be deleted and you may have to activate it again if you require.

3.3. Typekit

We use Adobe Typekit to display fonts on our website.  Adobe Typekit is a font library access service provided by Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe).  When you open a page, the browser loads the required web fonts into your browser cache in order to display texts and font types correctly. On providing the Typekit service, no cookies are placed or used to provide the fonts.  To provide the Typekit service, Adobe may collect information about the font used to identify the website itself and the linked Typekit account.

You will find further information on the information page  e Adobe Data Protection with Adobe Typekit as well as in the Privacy policy by Adobe.

3.4. MINQ - ADDVALUE Technology for Customer Acquisition

This website uses the MINQ service, a technology of ADDVALUE GmbH.  MINQ uses a so-called tracking script, which is integrated on the website. This tracking script analyses the visitors of the website. The information generated about visitors to this website is transmitted to addvalue GmbH and processed there.  The information is collected, stored and made available there for sales purposes and to identify website visitors. The visit data of individuals / private individuals are not stored or processed. Only companies are identified.  So-called cookies are used here (see also point 3). The legal basis for processing your personal data is your consent according to art. 6 para. 1 s.1 lit. f GDPR. You give your corresponding consent via our cookie banner.

3.5. Facebook Custom Audience Using the Pixel Process (Standard Version)

We use the "Facebook Custom Audience" product offered by Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (in the following "Facebook"), via the pixel process (standard version). Cookies are used in this process (see point 3). Our legal basis for processing your data is your consent according to art. 6 para. 1 s. 1 lit. f GDPR. You give your corresponding consent via our cookie banner. Facebook collects and stores usage data in pseudonymous profiles for the purpose of web analysis or to enable interest-oriented advertising. This allows us to track users' actions after they have seen or clicked on a Facebook advertisement. This allows us to measure the effectiveness of Facebook advertisements for statistical and market research purposes. The data collected in this way is anonymous for us, i.e. we do not see the personal data of individual users. This data, however, is stored and processed by Facebook, about which we inform you according to our state of knowledge. Facebook may associate this information with your Facebook account and may also use it for its own promotional purposes, in accordance with Facebook's data use policy. You can object to this data collection and storage at any time with effect for the future by setting an opt-out cookie on your device. Further information on this opt-out option and on data processing by Facebook can be found in the Facebook privacy policy (www.facebook.com/privacy/explanation) as well as de-de.facebook.com/notes/facebook-and-privacy/relevant-ads-that-protect-your-privacy/457827624267125/.

Facebook has submitted to the EU-US privacy shield, www.privacyshield.gov/EU-US-Framework.

3.6 LinkedIn Insight-Tag

On our website we use the conversion tool "LinkedIn Insight-Tag" of LinkedIn Ireland Unlimited Company (LinkedIn Ireland). This tool creates a cookie in your web browser, which - among others - enables recording the following data: IP address, device and browser features and page events (e.g. page views). LinkedIn Ireland does not share any personal data with us, but provides anonymised reports on website target audience and ad performance. In addition, LinkedIn Ireland offers the possibility of retargeting via the Insight tag. By means of this data, we can display targeted advertising outside our website without identifying you as a user of the website. Our legal basis for processing your data is your consent according to art. 6 para. 1 sentence 1 lit. f GDPR. You give your respective consent via our cookie banner. Please note that LinkedIn Ireland may also process your data outside the EU/EEA. According to a recent ruling of the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain circumstances your data might be processed by US authorities for control and monitoring purposes. If you still wish to consent to the use of this tool, you can do so via the cookie banner. For more information on the LinkedIn Insight tag, please see the following link. For more information about data protection at LinkedIn Ireland, please see the LinkedIn Ireland Privacy Policy.

4. Our Social Media Appearances

4.1. Links to Social Networks

Our website contains links to social networks (Facebook, XING and YouTube). These social networks are exclusively run by third parties. If you follow the links, your personal data may be processed by the respective social media providers.  Please refer to the privacy policies of the social media providers in this regard.

4.2. Data Processing by CSS and Legal Basis

Our social media sites (Facebook, XING, YouTube and Instagram) serve the purpose of informing you about CSS and about new CSS developments, services and products. Depending on the offers of the respective social media providers, you have the option of different interactions (comments, recommendations, etc.) in connection with our social media presence. The interaction of the users is an important criterion for us in order to conduct targeted marketing. For example, this allows us to determine, which contributions are read with preference. Therefore we also use the respective statistics compiled by the social media providers for our own purposes. If we process personal data of social media users, the legal basis for this is art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest then consists in particular in targeted information / advertising. The social media providers will inform you separately about the legal basis on which the social media providers process your data for their own purposes.

4.3. Joint Responsibility

In some cases, we are jointly responsible with the social media providers for processing your personal data. In this case you can assert your rights (see point 9) basically both against us and against the social media provider. However, the social media provider will be your first contact point. 

We have concluded an agreement with Facebook Inc, 1 Hacker Way, Menlo Park, California 94025, USA (Facebook) on joint responsibility for processing personal data. This applies with regard to the processing of so-called "Insights data". These are page statistics particularly on the interactions of Facebook users Details to the Insights data can be found here: www.facebook.com/business/pages/manage.

You can view our agreement with Facebook under the following link: www.facebook.com/legal/terms/page_controller_addendum.

With regard to the storage period of your data processed by us for our own purposes, we refer to our explanations under point 7. For the rest, please observe the data protection regulations of the respective social media provider.

5. GoToMeeting/GoToWebinar

In the following regulations we inform you on the type, scope and purpose of the collection and use of your personal data with regard to the online platform GoToMeeting/GoToWebniar ("GoTo"). As for the rest the general data protection information in this privacy policy applies (esp. regarding CSS' responsibility, the period in which personal data is stored and your rights).

GoTo is a service of LogMeIn Inc., 320 Summer Street, Boston, MA 02210, which has its headquarters in the USA („LogMeIn“). For more information from LogMeIn about GoTo's privacy policy, please click here and see the Data processing supplement of LogMeIn. 

5.1. Own Responsibility of LogMeIn

If you visit LogMeIn's website to use GoTo, LogMeIn will be responsible for data processing. However, it is only necessary to access the website in order to download the software for the use of GoTo. You can also use GoTo, if you enter the respective meeting ID and, if required, any further access data for the meeting directly into the GoTo app. If you would not like to use the GoTo app, you can also use the basic functions by means of a browser version.

5.2. Purpose of Processing and Types of Personal Data

We use GoTo to hold phone conferences and/or video conferences, especially in connection with online seminars for interested parties or professional groups and/or within employment relationships („Online-Meetings“). In this context, we process various types of personal data. Type and scope of data particularly depend on the information you provide before or while participating in an online meeting. However, to be identified as an authorised participant, you must at least enter your name. You can deactivate the video and microphone function by means of the GoTo application any time.
Personal data which is used and processed in connection with GoTo includes:

  • Profile data: first name, last name, phone number (optional), e-mail address, password (if "Single-Sign-On" is not used), profile picture (optional), department (optional)
  • Meeting meta: data topic, description (optional) participant IP-addresses, device/hardware information
  • Call history data: details to incoming and outgoing phone numbers, country name, start and end time. If necessary, further connection data, such as IP-address of the device can be stored.
  • Content data: You may have the option of using any required chat, question or survey functions in an online meeting. Your text entries and other approved data is processed in order to be displayed in the online meeting.

Further details of LogMeIn's data processing can be found in LogMeIn's Data Processing Supplement.

5.3. Data Processing by CSS and Legal Basis

As far as personal data of employees is processed by us, § 26 para. 1 Data Protection Act is the general legal basis for data processing. If special categories of personal data are involved, processing is governed by § 26 para. 3 Federal Data Protection Act.

If, however, in connection with the use of GoTo, personal data is not required for the establishment, execution or termination of the employment relationship, the legal basis for data processing is, in principle, article. 6 para. 1 letter f) GDPR. In these cases our interest is the effective organisation of online meetings. Furthermore, the legal basis for data processing when conducting online meetings is article. 6 para. 1 letter b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships. In special cases (e.g. a recording of online meetings) in which you are asked for a declaration of consent in advance, the legal basis is article. 6 para. 1 letter a) GDPR.

5.4. Data Transfer

Please refer to the LogMeIn Data Processing Supplement.

5.5. Data Transfer to Countries Outside the EU

GoTo is a service provided by a US supplier. Personal data is therefore also processed in a third country. We have entered into an order processing agreement with LogMeIn pursuant to article 28 GDPR. An adequate level of data protection is basically ensured by the conclusion of the so-called EU standard contractual clauses. Please note, however, that according to a recent ruling of the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain circumstances your data may be processed by US authorities for control and monitoring purposes. As for the rest we refer to article 49 GDPR regarding the legal basis for data transfer.

6. Data Transfer to Countries Outside the EU

As far as necessary for our purposes, we also transfer your data to recipients outside the EU if it is ensured that the recipient of the data guarantees an appropriate level of data protection and that there are no other interests worthy of protection speaking against the data transfer.

7. Storage Period for Personal Data / Criteria Determining the Duration

Your personal data will be stored by us for as long as necessary for the mentioned purposes of processing; in case of an objection, no compelling reasons worthy of protection are opposed by CSS or in case of a revocation, there is no other legal basis for data processing. In certain cases, however, e.g. if there is a legal obligation to store your personal data, it is not deleted immediately, but blocked first.  For example, the retention period for messages via the contact form with business content can be ten years.

8. Safety Measure to Protect Your Personal Data

We protect your data against unauthorized access, loss or destruction with the help of technical and organizational measures. 
 Our safety measures are continuously improved according to the technical development.  Our employees and all persons involved in data processing are obliged to comply with data protection laws and to confidential handling of personal data.  Our employees are trained accordingly. 

To protect the personal data of our users, we use a secure online transmission procedure, the so-called "Secure Socket Layer" (SSL) transmission.  You will recognize this by the "-s" which is attached to address element http:// (turning it into "https://") or a green closed lock symbol which is displayed.  By clicking on the icon you will receive information about the SSL certificate used.  Whether the symbol is displayed depends on the browser version you are using.  SSL encryption guarantees the encrypted and complete transmission of your data.

9. Your Rights

Within the framework of legal requirements, you have a general claim against CSS for

  • confirmation whether personal data concerning you is processed by CSS,
  • information about this data and the circumstances of processing,
  • correction in case this data is incorrect,
  • deletion, if there is no justification for processing and no obligation to store (any longer),
  • limitation of processing in special cases provided for by law and
  • objection in case of data processing on the basis of art. 6 para. 1 lit. f. GDPR and  
  • transmission of your personal data - as far as you have provided it - to you or a third party in a structured, common and machine-readable format.

If the processing of your personal data is based on your consent, you have the right to revoke your consent at any time, with the consequence that processing your personal data will no longer be allowed in future.  However, this does not affect the legality of data processing carried out with your consent before your revocation.

Please send your specific request in writing or by e-mail to our data protection officer and make yourself clearly identifiable in this letter.

Mr. Elmar Kümmel
Friedrich-Dietz-Str. 1
36093 Künzell
E-Mail: datenschutz@css.de

Insofar as we process your data in joint responsibility for the purposes of art. 26 GDPR with the respective social media provider (see no. 4.3.), the social media provider is centrally responsible for exercising all rights of the persons concerned. However, you are at liberty to assert your rights against us as well.

Finally, we would like to draw your attention to your right of appeal to the supervisory authority.

10. No Automatised Single Decision

We will not use your personal data for automatised single decisions.

11. Change to this Privacy Policy

New legal requirements, business decisions or technical developments might require changes to our privacy policy.  The privacy policy will then be adapted accordingly.  You can always find the latest version on our website.