PRIVACY POLICY

As of: 01/01/2025

Table of Contents

1. Preamble
2. Controller
3. Overview of Processing Activities
4. Relevant Legal Bases
5. Security Measures
6. Data Deletion
7. Use of Cookies
8. Business Services
9. Provision of the Online Offer and Web Hosting
10. Contact and Inquiry Management
11. Changes and Updates to the Privacy Policy
12. Definitions of Terms

Preamble

This Privacy Policy provides comprehensive information about the processing of your personal data (hereinafter referred to as "data") by Compliance Management CMMK. We explain the purpose, nature, and scope of data processing that occurs as part of our business activities, particularly when using our online offerings.

Our online offerings include, among other things, our websites, mobile applications, and external online presences such as social media profiles. This Privacy Policy is based on the provisions of the General Data Protection Regulation (GDPR) and takes into account the specific requirements of national data protection regulations in Germany.

We use gender-neutral terms to ensure non-discriminatory communication.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable national data protection laws and legal provisions on data protection is:

Michael Koechig

Compliance Management CMMK

Am Obstwäldle 49

72461 Albstadt

Germany

Mail: info@cmmk.eu

Overview of Processing Activities

Below, we provide information about the types of personal data we process, the purposes of processing, and the categories of individuals affected. This overview offers transparency regarding the key processing activities carried out as part of our business operations.

Types of Processed Data

  • Master Data: e.g., names, addresses

  • Payment Data: e.g., bank details, invoices

  • Contact Data: e.g., email addresses, phone numbers

  • Content Data: e.g., entries in online forms

  • Contract Data: e.g., contract subject, duration

  • Usage Data: e.g., visited websites, access times

  • Meta, Communication, and Procedural Data: e.g., IP addresses, timestamps

Categories of Data Subjects

  • Customers and prospects

  • Communication partners

  • Users of the online offering

  • Business and contractual partners

Purposes of Processing

  • Fulfillment of contractual and legal obligations

  • Handling inquiries and communication

  • Implementation of technical and organizational security measures

  • Office and organizational processes

  • Analysis and evaluation of marketing efforts

  • Management and response to inquiries

  • Creation of profiles based on user-related information

  • Provision and optimization of our online offering

  • Protection and maintenance of IT infrastructure

Relevant Legal Bases

Below is an overview of the legal bases on which we process personal data. Processing is carried out in compliance with the General Data Protection Regulation (GDPR) and, where applicable, supplementary national regulations, particularly the Federal Data Protection Act (BDSG).

Legal Bases Under the GDPR

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR): The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.

  • Contract Performance and Pre-Contractual Requests (Art. 6 para. 1 sentence 1 lit. b GDPR): Processing is necessary for the performance of a contract with the data subject or to take steps at the data subject's request prior to entering into a contract.

  • Legal Obligation (Art. 6 para. 1 sentence 1 lit. c GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In addition to the GDPR, national regulations apply in Germany, particularly the Federal Data Protection Act (BDSG). These include specific provisions regarding the right to access, deletion, objection, the processing of special categories of personal data, data transfer, and automated individual decision-making.

Supplementary National Regulations

In addition to the GDPR, specific data protection provisions of the BDSG apply in Germany. These specifically address:

  • Rights of data subjects (e.g., right of access, right to deletion, right to object).

  • Special categories of personal data (e.g., health data).

  • Requirements for data transfer and automated individual decision-making.

Security Measures

We implement technical and organizational measures to ensure an appropriate level of protection for the processing of personal data. In doing so, we take into account the state of the art, implementation costs, as well as the nature, scope, circumstances, and purposes of processing. We also assess the likelihood and severity of potential risks to the rights and freedoms of natural persons. Measures implemented include, among others, access controls to prevent unauthorized access to personal data, securing data processing systems through up-to-date encryption technologies, restricting input, transmission, and availability rights, and separating data based on its purpose. We regularly review and update our security measures to ensure their effectiveness.

Furthermore, we have implemented procedures to facilitate the exercise of data subject rights, ensure the prompt deletion of personal data, and enable a rapid response to potential data security threats. When selecting and developing hardware, software, and processes, we adhere to the principles of privacy by design and privacy by default, as required by Art. 25 GDPR.

To secure data transmission, we use TLS/SSL encryption to protect communication over our online offerings from unauthorized access. You can recognize a secure connection by the "https://" prefix in the URL and the lock icon in your browser.

Data Deletion

Personal data processed by us will be deleted in accordance with legal requirements as soon as they are no longer necessary for their intended purposes or the data subject withdraws their consent for processing. Deletion also occurs if no other legal basis for further processing exists.

If personal data are still required for other legally permissible reasons, processing will be restricted to those purposes. In such cases, the data will be blocked and not used for other purposes. This particularly applies to data that must be retained for commercial or tax law reasons. Under German legal requirements, retention periods can be up to ten years.

Additionally, specific details regarding the storage and deletion of data may be provided in our privacy notices for the respective processing activities.

Use of Cookies

Cookies are small text files or similar technologies that can store and retrieve information on users’ devices. They are used to provide various functions of our online offerings, such as saving the login status in the user account, storing shopping cart contents, or applying preferred settings. Cookies can also be used to enhance user experience, improve security, and analyse visitor traffic.


Notes on Consent

We use cookies in accordance with legal regulations. Where necessary, we obtain users' consent in advance, unless the storage or retrieval of information is strictly required to provide the telemedia service (our online offering) explicitly requested by users. Technically necessary cookies that serve the functionality, security, or display of the online offering do not require consent. Consent to the use of cookies can be withdrawn at any time and is communicated to users in a transparent and understandable manner.


Legal Bases

The processing of personal data through cookies is based on users' consent in accordance with Art. 6 para. 1 lit. a GDPR, if such consent is obtained. If consent is not required, processing is based on our legitimate interests in improving user experience and ensuring the efficient operation of our online offering in accordance with Art. 6 para. 1 lit. f GDPR or to fulfill contractual obligations under Art. 6 para. 1 lit. b GDPR.

Types and Storage Duration of Cookies

  • Temporary Cookies (Session Cookies): These cookies are automatically deleted as soon as the user leaves the online offering or closes the device (browser or app).

  • Permanent Cookies: These cookies remain stored even after the device is closed and, for example, allow the login status or preferred content to be saved. Unless otherwise specified, the storage duration of these cookies is up to two years.


Withdrawal and Objection (Opt-Out)

Users can withdraw their consent at any time with future effect and object to processing. Cookies can be restricted or deleted in browser settings, which may, however, impair the functionality of our online offering. For online marketing purposes, users can also use opt-out options on websites such as https://optout.aboutads.info or https://www.youronlinechoices.com.

Consent Management

We use a consent management system that enables the collection, storage, and management of users' consents. Consents are stored server-side or through so-called opt-in cookies to comply with legal documentation obligations and avoid repeated requests. This storage is carried out for up to two years and includes pseudonymized data such as user IDs, browser and device information, and the scope of consent.

Business Services

We process personal data of our contractual and business partners (e.g., customers, prospects, and suppliers) within the scope of contractual and pre-contractual relationships, as well as for administrative and communication purposes. Processing is carried out in particular to fulfill our contractual obligations, perform pre-contractual measures, and address performance issues and warranty claims. Furthermore, we process data to safeguard our legitimate interests, such as proper corporate management, protection against misuse, and securing our business operations.


Processed Data

The personal data we collect includes:

  • Master Data: e.g., name, address

  • Contact Data: e.g., email address, phone number

  • Payment Data: e.g., bank details, invoices

  • Contract Data: e.g., contract subject, duration, customer category


Data Disclosure to Third Parties

Data is disclosed to third parties exclusively in accordance with legal requirements. This includes cases where the disclosure:

  • is necessary for contract fulfillment,

  • is required to meet legal obligations, or

  • is based on legitimate interests, provided the rights of the data subjects are not overridden.


As part of our business services, data may be shared with the following third parties:

  • Telecommunications companies

  • Payment service providers

  • Tax and legal advisors

  • Banks or financial authorities


The disclosure is carried out solely to fulfill contractual and legal obligations.


Retention Periods


Personal data is deleted after the expiration of statutory warranty periods or similar retention periods. Data that must be retained for commercial or tax law reasons is archived in accordance with legal requirements for up to ten years.


Legal Bases

The processing of personal data in the context of our business services is based on the following legal grounds:

  • Art. 6 para. 1 lit. b GDPR: Fulfillment of contractual and pre-contractual obligations.

  • Art. 6 para. 1 lit. c GDPR: Compliance with legal obligations.

  • Art. 6 para. 1 lit. f GDPR: Protection of legitimate interests, such as safeguarding against misuse and ensuring proper business operations.

Provision of the Online Offer and Web Hosting

We process personal data of our users to enable access to our online offering and its associated functions. This includes the transmission of content to users' browsers or devices, as well as ensuring the stability and security of our online offering.

Types of Processed Data

  • Usage Data: e.g., visited websites, interest in content, access times

  • Meta, Communication, and Procedural Data: e.g., IP addresses, timestamps, identification numbers

Purposes of Processing

  • Providing and improving our online offering

  • Ensuring information technology security

  • Optimizing user experience


Data Transmission to Web Hosting Providers

To efficiently provide our online offering, we use the services of an external web hosting provider. This includes providing storage space, computing capacity, and software on the provider's servers. Access to personal data by the web hosting provider occurs exclusively within the scope of contractual agreements and based on a data processing agreement in accordance with Art. 28 GDPR.


Collection of Access Data and Log Files

Access to our online offering is logged in the form of "server log files." These log files include:

  • Address and name of accessed websites and files

  • Date and time of access

  • Transferred data volumes and status messages

  • Browser type and version, as well as the user's operating system

  • Referrer URL (previously visited page)

  • IP address and requesting provider


The collected data serves to ensure system security, stability, and the optimization of our services.


Log File Retention Periods

Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data required to resolve security-related incidents may be retained until the incident is fully resolved.

Legal Bases

The processing of data to provide the online offering and ensure system security is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

Contact and Inquiry Management

In the context of contacting us—whether by post, contact form, email, phone, or via social media—as well as within the scope of existing business relationships, we process the personal data you provide. This data is used to handle your inquiry and facilitate the desired communication. Processing is carried out only to the extent necessary to address your inquiry.

Types of Processed Data

  • Contact Data: e.g., email address, phone number

  • Content Data: e.g., information you entered in the contact form

  • Usage Data: e.g., visited websites, interest in content, access times

  • Meta, Communication, and Procedural Data: e.g., IP addresses, timestamps, identification numbers


Purposes of Processing

  • Responding to contact inquiries and conducting communication

  • Managing and processing inquiries

  • Gathering feedback to improve our offerings


Retention Periods

The data processed during contact is deleted once your inquiry has been fully addressed and no legal retention obligations (e.g., under commercial or tax law) exist.


Legal Bases

The processing of personal data is based on:

  • Art. 6 para. 1 lit. b GDPR: Fulfillment of contractual or pre-contractual obligations, or

  • Art. 6 para. 1 lit. f GDPR: Protection of our legitimate interests in efficiently handling inquiries and optimizing our offerings.

Changes and Updates to the Privacy Policy

We kindly ask you to regularly review the content of our Privacy Policy. We reserve the right to update this Privacy Policy if changes to our data processing activities or legal requirements make this necessary. Updates will be made, particularly when new legal provisions or regulatory requirements come into effect that necessitate changes to the content.

If the changes require action on the part of the data subjects (e.g., renewed consent) or if individual notification is legally required, we will inform you in advance and in an appropriate manner.

Please note that the contact information and addresses of external entities mentioned in this Privacy Policy, such as service providers, may change. Therefore, we recommend verifying this information before initiating contact.

Definitions of Terms

This section provides an overview of the terms used in this Privacy Policy. The definitions are intended to enhance clarity and transparency. Wherever possible, they are based on the legal definitions provided by the General Data Protection Regulation (GDPR).

  • Conversion Tracking: A method for evaluating the effectiveness of marketing campaigns. Typically, a cookie is placed on users’ devices to track whether certain advertisements or actions were successful.

  • Personal Data: Information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified directly or indirectly, for example, through a name, identification number, location data, or online identifiers.

  • Profiles with User-Related Information: Any automated processing of personal data intended to analyze, evaluate, or predict personal aspects of an individual. This includes, for example, demographic characteristics or interests derived from website interactions.

  • Controller: The natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

  • Processing: Any operation involving personal data, regardless of whether it is automated. Examples include collecting, storing, transmitting, and deleting data.