We consider data protection to be extremely important. Your personal data is collected and processed in compliance with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).
Last revised: July 2023
1. Name and Contact Details of the Data Controller
The data controller for data processing purposes is:
Christmann & Pfeifer Construction GmbH & Co. KG
In der Werr 11
Tel. +49 6464 929-0
Fax +49 6464 929-200
You can contact our data protection officer at the address given above or by sending an email to: datenschutz(at)cpbau.de.
2. Personal Data
Personal data within the meaning of Art. 4 No. 1 GDPR is all information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be directly or indirectly identified, in particular by means of assignment to an identifier such as a name, an identification number, an online identifier, location data or with the help of information about their physical, physiological, genetic, psychological, economic, cultural or social identity characteristics. The identifiability can also be given by linking such information or other additional knowledge. The creation, form or embodiment of the information is irrelevant (photos, video or sound recordings can also contain personal data).
3. Legal Grounds for Data Processing
In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:
- Art. 6 para. 1 sentence 1 letter a GDPR ("consent"): If the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other clear affirmative act that he or she agrees to the processing of the personal data concerning him or her for one or more specific purposes;
- Art. 6 para. 1 sentence 1 letter b GDPR: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject;
- Art. 6 para. 1 sentence 1 letter c GDPR: If the processing is necessary to fulfil a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
- Art. 6 para. 1 sentence 1 letter d GDPR: If the processing is necessary to protect the vital interests of the data subject or another natural person;
- Art. 6 para. 1 letter e GDPR: If the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been assigned to us;
- Art. 6 para. 1 sentence 1 letter f GDPR ("Legitimate Interests"): If the processing is necessary to safeguard legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject prevail (in particular if the data subject is a minor).
For the processing operations carried out by us, we specify the applicable legal basis in the following. Processing can also be based on several legal bases.
Furthermore, information is stored on your end device, and information already stored on your end device is accessed, only after you as the end user have given your consent in accordance with § 25 Para. 1 TTDSG, unless consent is dispensable under § 25 Para. 2 TTDSG.
4. Purpose and Scope of Data Processing
4.1. Server Log Files
When you visit our website, your internet browser automatically sends data to the server of this website, where it is stored in what is called a log file for a limited period of time. The following data, among others, is stored until it is automatically deleted:
- IP address of the visitor's terminal device,
- Date and time of access by the visitor,
- Website from which the visitor accessed this website, and
- Browser and operating system of the visitor's terminal device and the name of the access provider used by the visitor.
The log data is processed for statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (the legal basis is Art. 6 para. 1 sentence 1 letter f GDPR).
4.2 Contact Form
If you use the contact form provided on the website to contact us, we will process the personal data you provide to us (including your name and contact details). We use this data only for the purpose of handling your contact request.
The legal basis for the processing is Art. 6 para. 1 letter a and letter f GDPR. The processing is necessary for the communication with you and is in the legitimate interest of the company.
4.3 Data Processing During the Application Process
We offer you the opportunity to apply for positions with us (e.g., by email, post). In the following, we will inform you as to the scope, purpose and use of your personal data collected during the application process. We ensure that the collection, processing and use of your data is carried out in accordance with applicable data protection law and all other legal provisions and that your data is treated with strict confidentiality.
If you send us an application, we process your related personal data (e.g., contact and communication data, application documents, notes from job interviews etc.) insofar as this is necessary to decide on whether or not to establish an employment relationship. The legal basis for this is Section 26 of the Federal Data Protection Act (BDSG) in accordance with German law (initiation of an employment relationship), Art. 6 para. 1 letter b GDPR (general contract initiation) and, if you have provided consent, Art. 6 para. 1 letter a GDPR. Consent shall be revocable at all times. Your personal data will only be passed on within our company to individuals involved in processing your application.
If your application is successful, the data you submit will be stored in our data processing systems on the basis of Section 26 of the Federal Data Protection Act (BDSG) and Art. 6 para. 1 letter b GDPR for the purpose of carrying out the employment relationship.
If we are unable to offer you a position, you reject an offer of a position or withdraw your application, we reserve the right to store the data you have transmitted based on our legitimate interests (Art. 6 para 1 letter f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application).
The data is then deleted and the physical application documents destroyed. Data is stored in particular for evidence purposes in the event of a legal dispute. If the data will be foreseeably required after the 6-month period has expired (e.g., due to an impending or pending legal dispute), deletion will only take place if the purpose of further storage is no longer applicable.
Data can also be stored for a longer period of time if you consent to this in accordance with Art. 6 para. 1 letter a GDPR or if there are legal retention requirements which prevent deletion.
4.4 Google Analytics
We use Google Analytics 4 to analyze and improve the use of our website.
Google Analytics 4 is a web analytics and tracking service provided by Google LLC (“Google”). Google Analytics 4 may use so-called “cookies” if we activate the cookie feature. In addition, Google Analytics 4 uses a standard anonymized user and client ID generated by our website or app as well as Google signals to identify users.
The anonymized user ID is assigned to a logged-in user after the user has been clearly identified. The user ID can be used to identify users regardless of the device they are using. For example, if users access the website or app via both smartphones and tablets, we can analyze the user paths using the user ID in a holistic overview of the data.
The client ID is a unique, randomly generated string that acts as a pseudo-anonymized identifier and anonymously identifies a browser instance. It is stored in the browser cookies so that subsequent views of the same website can be assigned to the same user.
Google signals are session data from websites and apps that Google links to users who are logged into their Google account and have activated personalized advertising. Linking data to these logged-in users enables cross-device reporting, cross-device remarketing, and the export of cross-device usage results (known as “conversions”) to Google Ads.
The data processed by Google Analytics 4 is personal data within the meaning of Art. 4 (1) GDPR. Google Analytics 4 collects personal data in the form of user characteristics and event data, among other things. The latter comprises automatically recorded events (user activities, number of sessions, clicks on ads, which ads are viewed, removal or deletion of log-in data, crashing of websites or apps, conclusion or cancellation of subscriptions, clicks on links, scrolling behavior, ends of videos viewed, etc.), events for optimized analytics (page views, scrolls, actuation of external links, website searches, playing videos, file downloads, etc.), recommended events (purchase process on the website, travel offers, games) as well as custom events (events that are neither automatically captured nor recommended). Furthermore, session data is also collected, such as multiple page views, events (see above), social interactions and e-commerce transactions.
User characteristics are attributes of the users who interact with your website or app. They are used to describe user segments such as language preference or geographic location. Some user characteristics are automatically tracked in Google Analytics 4.
The information generated by the cookie, the user ID and Google signals about your use of this website is usually transmitted to a Google server in the USA and stored there. In case of activation of IP anonymization, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your use of the website, to compile reports on website activity, to make a forecast regarding your future web behavior and to provide other services to the website operator related to website and internet use. User data collected in one website or app cannot be shared or combined with data from another website or app. Data about devices and activities from different sessions on a website or app, on the other hand, can be merged and combined using the User ID or Google signals. The collection and combination of data is suitable to create usage profiles about you.
The legal basis for processing data using Google Analytics 4 is your express consent pursuant to Art. 6 (1) lit. a GDPR.
You can revoke your consent to the processing of personal data using Google Analytics 4 at any time by changing your cookie settings accordingly. Moreover, you can also notify us of your revocation by letter mail or by e-mail to datenschutz(at)cpbau.de.
You can prevent the collection of your data by Google Analytics 4 by clicking on this link. An opt-out-cookie will be set that prevents the collection of your data during future visits to this website:
DISABLE GOOGLE ANALYTICS
We use Google Analytics with the extension “_anonymizeIp()”. This shortens the IP addresses (so-called IP masking).
In order to be able to provide a technically flawless online offer, we use the Smartlook analysis software from Smartsupp.com s.r.o., Millay Horakove 13, 602 00 Brno, Czech Republic.
This tool captures movements on the observed web pages in so-called heatmaps. This allows us to recognise anonymously where visitors click and how far they scroll, which helps us make our website better and more customer-friendly. All data is collected without us being able to assign it to specific users. We can only register how the mouse moves, where it was clicked, and how far the page was scrolled. In addition, the screen size of the device, the device type, information about the browser, the country from which the website was accessed and the preferred language are recorded. If personal data relating to you or a third party is displayed on a web page, Smartlook automatically hides it, so that we cannot read it.
If you do not agree with the recording, you can deactivate it using the opt-out switch under Smartlook Opt-Out.
4.6 YouTube Functions
We have integrated YouTube videos from the company Google LLC (Mountain View, California, USA) into our online offer, which are stored on www.YouTube.com and can be played directly from our website. By simply visiting our website – before you click on an embedded video – YouTube processes personal data by setting cookies. In this way, the information is transmitted that you have accessed a corresponding subpage of our website. In addition, log files are transmitted. This includes the following data:
- Device information
- IP address
- Referrer URL
- Watched Videos
This takes place regardless of whether YouTube makes available a user account via which you are logged in or no user account exists. If you are logged in to Google, your information will be directly associated with your account. If you do not wish to be associated with your profile when using YouTube, you must first log out before clicking the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or requirements-oriented design of its website. Such evaluation also takes place (even for users who are not logged in) for the purposes of providing customized advertising and to inform other social network users about activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to make use of this right.
The legal basis for processing is your consent in accordance with Art. 6 para. 1 letter a GDPR, which you can revoke at any time in the cookie settings.
The data transmitted to Google LLC via the YouTube video is mainly stored on servers managed by Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) in the European Economic Area (EEA). However, it cannot be ruled out that your personal data will also be stored on servers located outside the EEA in the USA. Following the abolition of the EU-US Privacy Shield, any data transfer to the USA must be based on standard contractual clauses and other guarantees issued by the EU Commission. Although the transfer of personal data is based on standard contractual clauses, this does not exclude the possibility that the US security authorities, which have comprehensive powers, can access your personal data at any time and without cause. This applies even if the servers are located in Europe. As a US company, Google may also be obliged to transfer personal data of EU citizens that is located on servers in the EU or the EEA to the US security authorities. There are no effective legal remedies available to you.
5. Cooperation with Data Processors
As with any larger company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). They act only according to our instructions and have been contractually obliged within the meaning of Art. 28 GDPR to comply with the data protection regulations, in particular regulations to ensure data security by means of appropriate technical and organizational measures. This applies in particular to the use of analysis and marketing tools used on our website.
6. Disclosure of Information and Categories of Recipient
Personal data is only disclosed to third parties if
- you have expressly consented to this in accordance with Art. 6 para. 1 letter a GDPR,
- disclosure is required in accordance with Art. 6 para. 1 letter f GDPR for asserting, exercising or defending legal claims and there is no reason to assume that the data subject has an overriding legitimate interest in the data not being transmitted,
- there is a legal requirement for data transmission in accordance with Art. 6 para. 1 letter c GDPR, and/or
- it is necessary for the performance of a contractual relationship with you in accordance with Art. 6 para. 1 letter b GDPR.
Under the above conditions, categories of recipients, which are usually processors, may in particular be:
- Service providers for the operation of our website and the processing of the data stored or transmitted by the systems (e.g. for data centre services, payment processing, IT security). Insofar as they are not processors, the legal basis for the transfer is, as an alternative to your consent pursuant to Art. 6 para. 1 sentence 1 letter a GDPR, Art. 6 para. 1 sentence 1 letter b or letter f GDPR;
- Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is Art. 6 para. 1 sentence 1 letter c GDPR;
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the transfer is Art. 6 para. 1 sentence 1 letter b or letter f GDPR.
7. Duration of Data Storage
We adhere to the principles of data avoidance and data economy. Your personal data will therefore only be stored for as long as this is necessary to achieve the purposes stated for the respective data processing or as provided for by the various storage periods provided by the legislator. Once the purpose in question no longer exists or the storage period expires, the corresponding data will be routinely blocked or deleted corresponding to statutory requirements.
8. Transfer of Data to a Third Country
As part of our business relationships, your personal information may be shared or disclosed to third parties. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the fulfilment of contractual and business obligations and to maintain your business relationship with us. We will inform you about the respective details of the transfer at the relevant points.
For some third countries, the European Commission certifies by so-called adequacy decisions a data protection comparable to the EEA standard (a list of these countries as well as a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). In other third countries to which personal data may be transferred, however, there may not be a consistently high level of data protection due to the absence of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding corporate regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct.
Please note that when personal data is transferred to the US, even if it is based on standard contractual clauses, it cannot be ruled out that the US security authorities, which have extensive powers, can access your personal data at any time and without cause, or force the disclosure of your data by the US company concerned. This applies even if the servers are located in Europe. There are no effective legal remedies available to you. Other third countries may also lack a level comparable to European data protection.
With regard to the individual services, we will inform you at the relevant point about the legal basis (e.g. standard contractual clauses) on which the data is transferred to third countries. Please contact our data protection officer (see under no. 1) if you would like more information.
9. Automated Decision-Making
Automated decision-making, including profiling, does not take place.
10. Your Rights as a Data Subject
If your personal data is processed by us, you as the data subject have the following rights:
- to request information about the personal data processed by us, according to Art. 15 GDPR. In particular, you may obtain information about the purposes of processing; the category of personal data; the categories of recipients to whom your data have been or will be disclosed; the planned retention period; the existence of a right to rectification, erasure, restriction of processing or objection; the existence of a right of appeal; the origin of your data, if not collected by us; the existence of automated decision-making including profiling and, where appropriate, meaningful information about the details of the above;
- in accordance with Art. 16 GDPR, to request without delay the correction of incorrect data or the completion of your data stored by us;
- in accordance with Art. 17 GDPR, to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
- to demand the restriction of the processing of your data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
- in accordance with Art. 20 GDPR, to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transmission to another controller ("data portability");
- pursuant to Art. 21 GDPR, to object to the processing, provided that the processing is based on Art. 6 para. 1 sentence 1 letter e or letter f GDPR. This is the case in particular if the processing is not necessary for the fulfilment of a contract with you. If this is not an objection to direct advertising, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the relevant facts and either discontinue or adjust data processing, or demonstrate to you our compelling and legitimate reasons for continuing the processing;
- in accordance with Art. 7 para. 3 GDPR, to revoke at any time any consent you have given us (including consent given before the application of the GDPR, i.e. before 25 May 2018), i.e. your voluntary, informed and unambiguous indication, by a declaration or other clear confirmatory act, that you agree to the processing of the personal data concerned for one or more specific purposes. As a result, we will no longer be allowed to continue processing data based on this consent in the future.
If you wish to make use of any of the rights set out above, you are welcome to contact our data protection officer. You will find our contact details under Item 1.
In addition, data subjects have the opportunity to lodge a complaint with the supervisory authority for data protection, which is responsible for the place of their stay or workplace or for the place of the alleged infringement.