Privacy policy

We, cysmo Cyber Risk GmbH, take the protection of your personal data seriously and would like to inform you about the collection, processing, and use of your data in our company.

As far as we decide alone or together with others on the purposes and means of data processing, we inform you transparently about the type, scope, purpose, duration, and legal basis of the processing (see Art. 13 and 14 GDPR).

General Information

Responsible Entity

cysmo Cyber Risk GmbH
Moorfuhrtweg 13
22301 Hamburg

Phone: +49 40 227433-0
Fax: +49 40 227433-1333
Email: info(at)cysmo.de
Internet: www.cysmo.de

Terms

Below we explain key terms of data protection that are regularly used in the following. These all derive from the General Data Protection Regulation (GDPR), which, along with the Federal Data Protection Act (BDSG), provides the regulatory framework for the protection of your data.

1. "Personal data" are all information relating to an identified or identifiable natural person ("data subject") (Art. 4 No. 1 GDPR).
2. “Data subject” of data processing is the natural person whose personal data is processed.
3. "Processing" is any operation or set of operations which is performed on personal data, whether or not by automated means. This includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data (Art. 4 No. 2 GDPR).
4. "Controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).
5. "Processor" processes personal data on behalf of the controller. This can be a natural or legal person, public authority, agency or other body. The processor is always bound by the controller’s instructions and may not use the data for its own purposes. Processing is always based on a processing agreement. Therefore, processors are not third parties in the data protection sense (Art. 4 No. 8 GDPR).
6. "Third parties" are any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process the personal data; this also includes other affiliated legal entities (Art. 4 No. 10 GDPR).

Processing Purposes and Legal Basis

We only process your data if there is a permissible legal basis for it. The GDPR provides six possible legal bases for this:

1. Consent: If the data subject has given consent to the processing of their personal data for one or more specific purposes (Art. 6 (1) sentence 1 lit. a GDPR).
2. Contract performance: If processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (Art. 6 (1) sentence 1 lit. b GDPR).
3. Legal obligation: If processing is necessary for compliance with a legal obligation to which the controller is subject, e.g., a statutory retention obligation (Art. 6 (1) sentence 1 lit. c GDPR).
4. Protection of vital interests: If processing is necessary to protect the vital interests of the data subject or another natural person (Art. 6 (1) sentence 1 lit. d GDPR).
5. Public interest task: If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 (1) sentence 1 lit. e GDPR).
6. Legitimate interests: If processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child). Before relying on this legal basis, an interest balancing is always carried out (Art. 6 (1) sentence 1 lit. f GDPR).

For the processing operations carried out by us, we indicate the applicable legal basis below. Processing can also be based on multiple legal bases.

Contact

If you contact us (e.g., via contact form, email, phone, or social media), the information provided by the requesting persons will be processed. The personal data you provide to us in this way will, of course, only be used for the purpose for which you provide it to us when contacting us.

The response to contact requests within the context of contractual or pre-contractual relationships is made to fulfill our contractual obligations or to respond to (pre-)contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR) and otherwise on the basis of legitimate interests in responding to inquiries (Art. 6 (1) sentence 1 lit. f GDPR).

Data Deletion and Retention Period

For the processing operations carried out by us, we indicate below how long the data is stored with us and when it is deleted or blocked. Unless an explicit retention period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage ceases to apply. Your data will generally only be stored on servers in Europe, subject to any transfer in accordance with the provisions of the individual tools. However, storage may continue beyond the specified period in the event of (imminent) legal disputes with you or other legal proceedings or if storage is provided for by statutory provisions to which we, as the controller, are subject. When the legally prescribed retention period expires, the personal data will be blocked or deleted, unless further storage is required and there is a legal basis for this.

Data Security

We protect your data through technical and organizational security measures to prevent accidental or intentional manipulation, loss, destruction, or unauthorized access by third parties. Our security measures, such as data encryption, are regularly improved in line with technological developments.

Cooperation with Processors

We use external domestic and foreign service providers (e.g., in the areas of IT, logistics, telecommunications, sales, and marketing) to handle our business transactions. These service providers act only on our instructions and have been contractually obligated to comply with data protection regulations under Art. 28 GDPR.

If personal data from you is transferred to our subsidiaries or if our subsidiaries transfer personal data to us (e.g., for advertising purposes), this is based on legitimate interests under Art. 6 (1) lit. f GDPR, on processing agreements, or a joint controller agreement.

Your Rights

Right of Access

You can obtain information at any time about your data stored with us according to Art. 15 GDPR, their origin, recipients, the purpose, and the duration of the data processing. You can submit a request by post or email to the above addresses.

Right to Rectification of Inaccur ate Data

You have the right to demand the immediate rectification of inaccurate personal data concerning you (Art. 16 GDPR). Please contact your contacts with us or the above contact addresses for this.

Right to Erasure

You have a right to immediate deletion ("right to be forgotten") of your personal data if the legal grounds of Art. 17 GDPR are met. These include, for example, if the personal data is no longer necessary for the purposes for which they were originally processed, if you withdraw your consent and there is no other legal basis for the processing, if you object to the processing, and there are no overriding legitimate grounds for the processing.

To exercise your right to deletion, please contact the above contact addresses.

Right to Data Portability

You have a right to data portability according to Art. 20 GDPR. You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit this data to another controller, e.g., another service provider. The prerequisite is that the processing is based on consent or on a contract and is carried out by automated means. To exercise your above-mentioned right, please contact the above contact addresses.

Right to Restriction of Processing

You have a right to restriction of processing if the conditions and according to Art. 18 GDPR are met. This includes, for example, if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, or the data subject has objected to the processing under Art. 21 (1) GDPR, pending the verification of whether the legitimate grounds of the controller override those of the data subject. To exercise your above-mentioned right, please contact the above contact addresses.

Right to Object

You have the right to object at any time to the processing of personal data concerning you for reasons arising from your particular situation, including profiling based on these provisions, under Art. 21 GDPR. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims. To exercise your above-mentioned right, please contact the above contact addresses.

Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR if you believe that the processing of your personal data is not lawful:

Free and Hanseatic City of Hamburg
The Hamburg Commissioner for Data Protection and Freedom of Information

Visiting Our Websites

As part of providing the website, personal data is processed. Below we give you an overview of which personal data we collect for which purposes during your visit to our websites and how this data is further used. This information applies to the following web presences:

www.cysmo.com

Provision of the Website

When you visit our websites, our web servers automatically store the following data:

Information about the browser type and version used

The user's operating system

The user's IP address

Date and time of access

External websites from which the user's system accessed our website

External websites that are accessed by the user's system via our website

The data is stored to ensure the functionality of the website. In addition, the data is used to optimize the website and ensure the security of our information technology systems. Furthermore, we process this data for misuse detection and prosecution. In this respect, the legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest in data processing lies in ensuring the proper functioning of our website and the transactions conducted via it.

Personal data is also processed if you voluntarily provide it to us, for example, as part of an inquiry or the ordering of informational material or a newsletter. The legal basis is Art. 6 (1) lit. b GDPR or Art. 6 (1) lit. a GDPR, as applicable.

The data is stored in the server log files for a maximum of 30 days and then automatically deleted. An evaluation of the data for marketing purposes does not take place in this context.

Automated Data Collection on Our Websites

Cookies

We use cookies on our websites. Cookies are small text files that are stored on your hard drive by a browser assigned to you and through which the entity that sets the cookie receives certain information. Cookies cannot run programs or transmit viruses to your computer, and thus cannot cause any damage. They serve to make the Internet offering as a whole more user-friendly and effective, that is, more pleasant for you. Cookies can contain data that allows the recognition of the used device. However, some cookies only contain information on specific settings that are not person-related. Cookies cannot directly identify a user. There are session cookies that are deleted as soon as you close your browser and permanent cookies that are stored beyond the individual session. In terms of their function, cookies can be divided into:

Technical cookies: These are essential to move around the website, use basic functions, and ensure the security of the website. They neither collect information about you for marketing purposes nor do they store which websites you have visited.

Performance cookies: These collect information about how you use our website, which pages you visit, and, for example, whether errors occur in website usage. They do not collect information that could identify you – all information collected is anonymous and is only used to improve our website and find out what interests our users.

Advertising cookies, targeting cookies: These are used to provide the website user with customized advertising on the website or offers from third parties and to measure the effectiveness of these offers. The storage duration of advertising cookies is determined by the providers. We have no control over this.

Sharing cookies: These are used to improve the interactivity of our website with other services (e.g., social networks). The storage duration of sharing cookies is determined by the providers. We have no control over this.

Any use of cookies that is not absolutely technically necessary represents data processing that is only permitted with your explicit and active consent according to Art. 6 (1) sentence 1 lit. a GDPR. This applies in particular to the use of advertising, targeting, or sharing cookies. Furthermore, we only pass on your personal data processed through cookies to third parties if you have given your explicit consent to do so in accordance with Art. 6 (1) sentence 1 lit. a GDPR.

Consent Manager

We use the Consent Manager tool from consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg, Germany, to inform website users about cookies used and to obtain consent for the setting of cookies that are not absolutely necessary. Consent Manager offers you the option of granting or rejecting your consent for all or individual cookies. You can also change the settings you have made at a later date. The purpose of the integration is to allow the users of our website to decide on the use of non-functional cookies and to offer the possibility to change settings already made during the further use of our website.

When you visit our website, a connection is established to the Consent Manager servers in order to obtain your consent and other declarations regarding the use of cookies. Consent Manager then stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it or delete the Consent Manager cookie yourself. The data collected will be deleted automatically no later than one year after the last processing.

The following categories of data are regularly processed: IP address, time and duration of the visit, device data such as operating system, browser version, screen resolution, websites visited and consent information.

The legal basis for the processing of your data is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in using non-functional cookies on our website and the fulfillment of the legal requirements of the GDPR and the TTDSG to only actually set cookies that are not mandatory after your explicit consent.

The Consent Manager is used within the framework of order processing in accordance with Art. 28 GDPR, so that consentmanager GmbH may only use your data on our behalf in accordance with our instructions.

Tracking with Google Analytics 4

If you have given your consent, Google Analytics 4 is used on this website, a web analysis service of Google LLC. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5 , Ireland ("Google").

Google Analytics uses cookies that allow an analysis of your use of our websites. The information generated by the cookies about your use of our websites is usually transmitted to a Google server in the USA and stored there.

We use Google Signals. This allows Google Analytics to collect additional information about users who have enabled personalized ads (interests and demographic data) and to deliver ads in cross-device remarketing campaigns to these users. If you do not want Google Signals to be used, please disable the "personalized advertising" option in your Google account settings.

IP anonymization is activated by default in Google Analytics 4. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other Google data, according to Google.

During your website visit, your user behavior is recorded in the form of "events." Events can be: page views, first-time visit to the website, start of the session, your "click path," interaction with the website, scrolls (whenever a user scrolls to the end of the page (90%)), clicks on external links, internal searches, interaction with videos, file downloads, seen/clicked ads, and language settings.

Additionally, the following is recorded: your approximate location (region), your IP address (in shortened form), technical information about your browser and the devices you use (e.g., language setting, screen resolution), your internet service provider, and the referrer URL (through which website/through which advertising medium you came to our website).

On behalf of cysmo, Google will use this information to evaluate your use of the website and to compile reports on website activities. The reports provided by Google Analytics serve to analyze the performance of our website.

Whether you wish to participate in the tracking procedure, you can determine via the cookie settings. The legality of the processing carried out based on your consent until the revocation remains unaffected.

Users can prevent the storage of cookies by selecting the appropriate settings on their browser software; users can also prevent the collection of data generated by the cookie and related to their use of the online offering to Google as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: tools.google.com/dlpage/gaoptout.

Recipients of the data are/can be: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a processor under Art. 28 GDPR) and Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, as well as Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

If data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an adequate level of data protection. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: privacy.google.com/businesses/controllerterms/mccs/.

The parent company of Google Ireland, Google LLC, is based in California, USA. It cannot be ruled out that US authorities may access the data stored by Google. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not have legal remedies against access by authorities.

Further information on data usage by Google, settings, and objection options can be found in Google's privacy policy (https://policies.google.com/technologies/ads) and in the settings for displaying ads by Google (https://adssettings.google.com/authenticated).

The personal data of users will be deleted or anonymized after 14 months.

Google Tag Manager

We use Google Tag Manager on our website. Google Tag Manager is a service provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Through Google Tag Manager, we can integrate and manage various codes and services in an organized and simplified manner on our website. Google Tag Manager implements the tags or "triggers" the embedded tags. When a tag is triggered, Google may process personal data such as online identifiers (including cookie IDs) and IP addresses. It cannot be ruled out that Google will transfer the information to a server in a third country.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: privacy.google.com/businesses/controllerterms/mccs/.

Furthermore, we have concluded a processing agreement with Google for the use of Google Tag Manager (Art. 28 GDPR). Google processes the data on our behalf to trigger the stored tags and display the services on our website. Google may transfer this information to third parties if required by law or if third parties process this data on behalf of Google.

The legal basis for the described processing of personal data within the measurement procedure is your explicitly granted consent according to Art. 6 (1) lit. a) GDPR. The legal basis for processing the data processed in connection with obtaining consent is our legitimate interest according to Art. 6 (1) lit. f) GDPR. We have a legitimate interest in proving the consent given to us in the measurement procedure (Art. 7 (1) GDPR).

If you have disabled individual tracking services, the deactivation remains in place for all tracking tags embedded by Google Tag Manager. By integrating Google Tag Manager, we aim to simplify and streamline the integration of various services. Furthermore, the integration of Google Tag Manager optimizes the loading times of the various services. You have the option to prevent the sending of all tags of Google Tag Manager using your right to object (see point 1.8.6). Furthermore, you can prevent the installation of cookies by adjusting your browser settings accordingly.

For further detailed information about Google Tag Manager, please visit: marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

The associated privacy policy for Google Tag Manager can be found at: policies.google.com/privacy.

Social Media Presence

We maintain publicly accessible profiles on various social networks. Your visit to these profiles triggers a variety of data processing operations. Below we give you an overview of which of your personal data we collect, use, and store when you visit our profiles.

When you visit one of our social media channels, we are jointly responsible, or in some cases solely responsible, with the operator of the social media platform for the data processing operations triggered by this visit. Joint responsibility means that joint purposes for processing exist and that data subjects can assert their rights under Art. 12-22 GDPR, including Art. 77 GDPR, with both controllers.

This means that you can generally exercise your rights (access, rectification, deletion, restriction of processing, data portability, and complaint) both against us and the operator of the respective social media portal. A more detailed description of your rights can be found in point 1.8.

By visiting our social media channels, numerous data protection-relevant processing operations are triggered, which we would like to explain to you in detail:

If you are logged into your social media account and visit our social media channel, the operator of the social media portal can associate this visit with your user account. However, your personal data can also be collected if you are not logged in or do not have an account with the respective social media portal. This data collection occurs, for example, through cookies stored on your device or by capturing your IP address.

With the help of the collected data, the operators of the social media portals can create user profiles in which your preferences and interests are stored. This allows you to be shown interest-based advertising both within and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or have been logged in.

Please also note that we cannot fully track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policies of the respective social media portals.

We have no control over the storage duration of your data stored by the social network operators for their purposes.

LinkedIn

We, cysmo, would like to explain below which personal data we process from you as the operator of our LinkedIn presence.

The purpose of data processing with LinkedIn is the presentation of the company and interaction with our users. Therefore, the purpose of our LinkedIn presence is to provide information about our company, products, and services, combined with the opportunity for users to interact with us purposefully. The legal basis for data processing is Art. 6 (1) lit. f GDPR.

If we publish images of people, this is done via consent (legal basis: Art. 6 (1) lit. a GDPR), based on a contractual agreement (legal basis: Art. 6 (1) lit. b GDPR), and in exceptional cases based on legitimate interests (legal basis: Art. 6 (1) lit. f GDPR in conjunction with § 23 (1) No. 3 German Copyright Act).

For some processing, we are not solely responsible but jointly with one or more other controllers. For the processing of personal data with Page Insights on LinkedIn, we jointly determine the purposes and means with:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2 (Ireland)

www.linkedin.com/legal/impressum

Contact details for LinkedIn's Data Protection Officer can be found at the following link: www.linkedin.com/help/linkedin/ask/TSO-DPO.

The LinkedIn terms of use and other terms and policies listed at the end of the page apply: de.linkedin.com/legal/user-agreement.

Furthermore, we have concluded a data processing agreement with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The Joint Controller Addendum can be viewed here: www.linkedin.com/legal/l/dpa.

LinkedIn transfers personal data to the USA based on standard contractual clauses: www.linkedin.com/help/linkedin/answer/62538/data-transfers-from-the-eu-the-eea-and-switzerland.

The LinkedIn privacy policy can be found here: www.linkedin.com/legal/privacy-policy.

Use of Insight Data

With the help of the LinkedIn Insight Tag, we receive information about the visitors to our website. If a website visitor is registered with LinkedIn, we can, among other things, analyze the professional information (e.g., career level, company size, country, location, industry, and job title) of our website visitors and thus better tailor our page to the respective target groups. Furthermore, with the help of LinkedIn Insight Tags, we can measure whether visitors to our websites make a purchase or take other actions (conversion measurement). Conversion measurement can also be done across devices (e.g., from PC to tablet). LinkedIn Insight Tag also offers a retargeting function that allows us to display targeted advertising to visitors to our website outside the website, whereby, according to LinkedIn, no identification of the advertising recipient takes place.

LinkedIn itself also collects log files (URL, referrer URL, IP address, device, and browser properties, and access time). IP addresses are truncated or (if used to reach LinkedIn members across devices) hashed (pseudonymized). The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data will then be deleted within 180 days.

The data collected by LinkedIn cannot be assigned to specific individuals by us as the website operator. LinkedIn will store the personal data collected from website visitors on its servers in the USA and use it for its advertising purposes. For details, please refer to LinkedIn's privacy policy: www.linkedin.com/legal/privacy-policy.

If consent has been obtained, the use of the above service is based solely on Art. 6 (1) lit. a GDPR and § 25 TTDSG. The consent can be revoked at any time. If no consent has been obtained, the use of this service is based on Art. 6 (1) lit. f GDPR; the website operator has a legitimate interest in effective advertising measures, including social media.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: www.linkedin.com/legal/l/dpa and www.linkedin.com/legal/l/eu-sccs.

If your rights need to be asserted against LinkedIn, we will forward your request to LinkedIn. For more information on exercising your data subject rights against LinkedIn, please refer to LinkedIn's privacy policy under section 4.2: www.linkedin.com/legal/privacy-policy.

Further information on how to directly assert or exercise your data subject rights with LinkedIn (e.g., account settings, downloads, or applications) can be found at: www.linkedin.com/help/linkedin/answer/50191.

Objection to the use of LinkedIn Insight Tag:

You can object to the analysis of usage behavior and targeted advertising by LinkedIn at the following link: www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Xing & Kununu

We maintain an online presence on Xing to present our company and services and communicate with applicants/interested parties.

Some of the XING applications may appear under other brand names or using other XING websites, such as Kununu.

Xing is an internet-based social network that allows users to connect with existing business contacts and make new business contacts. Individual users can create a personal profile on Xing. We as a company can, for example, create a company profile or publish job offers. The operator of the platform is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.

When visiting our company profile, Xing collects, among other things, your IP address and other information stored on your device in the form of cookies. Xing primarily uses this information to provide and maintain the security of the service. Furthermore, Xing uses this data to analyze user behavior and measure and optimize advertising. More information on this is provided by Xing & Kununu at the following link: privacy.xing.com/de/datenschutzerklaerung/informationen-die-wir-auf-grund-ihrer-nutzung-von-xing-automatisch-erhalten.

The data collected about you in this context is processed by New Work SE and may be transferred to countries outside the European Union. What information Xing receives and how it is used is described by Xing in general terms in its privacy policy. There you will also find information about contact options with Xing. The privacy policy is available at the following link: https://privacy.xing.com/de/datenschutzerklaerung.
 

Google reCAPTCHA

We use “Google reCAPTCHA” (hereinafter referred to as “reCAPTCHA”) on our websites. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The purpose of reCAPTCHA is to check whether the data input on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.

Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM.

Further information about Google reCAPTCHA and Google's privacy policy can be found at the following links: www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.
 

Business Customers and Partners

If you or your organization are in a business relationship with us (particularly customers, prospects, partners, service providers, and suppliers), we store relevant data about you. We would like to inform you about this below.

Scope of Data Collected

We generally process only data that we receive directly from you or your employer. In exceptional cases, we receive data about you from third parties. This is the case, for example, if a contractual service is provided to you jointly with a business partner and you have provided your data to them.

The data we process includes, in particular, contact data such as name, company, position, address, phone number, email address, and information about the business relationship, such as contractual relationship and its handling (current and completed orders, invoicing, payments).

Purposes and Legal Bases of Processing

The processing of your data is carried out for different purposes and is based on various legal bases. To the extent that the processing of your personal data is necessary for the initiation or execution of a contractual relationship or within the framework of pre-contractual measures, the processing is lawful according to Art. 6 (1) lit. b GDPR. The processing includes, in particular, communication for planning, execution, administration, and billing of the contractually defined services. If necessary and legally required, we process your data beyond the actual contractual purposes to fulfill legal obligations under Art. 6 (1) lit. c GDPR, e.g., to fulfill retention obligations under the Commercial Code and the Tax Code.

If you give us explicit consent to process personal data for specific purposes (e.g., disclosure to third parties, analysis for marketing purposes, or promotional contact), the legality of this processing is based on your consent under Art. 6 (1) lit. a GDPR. A given consent can be revoked at any time with effect for the future.

Furthermore, processing may be carried out to safeguard our legitimate business interests, the interests of our customers, and, if applicable, the interests of third parties under Art. 6 (1) lit. f GDPR. This includes, for example, the following cases: communication with business partners, customers, suppliers, direct advertising for similar products within the framework of our business relationships, ensuring IT security and IT operations, conducting customer satisfaction surveys, fulfilling accountability and/or reporting obligations to our business partners/customers or supervisory authorities, and preventing and investigating criminal offenses/administrative offenses. If applicable, we will inform you separately about the legitimate interest, as legally required.

Retention Period 

Your data will only be stored in our systems for as long as permitted by applicable law, particularly as long as necessary to fulfill the contract in connection with applicable retention obligations. Furthermore, we will delete your data if you request it or withdraw your consent to processing. In these cases, we will check whether the data can be deleted or only a restriction of processing can be made due to legal requirements.

Disclosure of Data

We only share your personal data within our company with departments and individuals who need it to fulfill contractual and legal obligations or to implement our legitimate interests.

The use of service providers and contractual and legal obligations require the disclosure of your data to the following categories of public or internal entities, as well as external service providers:

Business partners/service providers where data transfer is necessary for task fulfillment, such as our clients/customers, payment service providers/banks, postal/package services, external consultants, IT service providers, other processors, etc.

Auditors, tax advisors, lawyers

Authorities in the course of fulfilling legal notification or verification obligations (e.g., tax authorities, police, and prosecutors, supervisory authorities)

Other third parties if you have given us consent to data transfer, e.g., partner companies

Parent company of cysmo Cyber Risk GmbH (PPI AG) as well as subsidiaries of PPI AG

When using external service providers, we ensure that necessary contractual agreements are made, processing is in accordance with applicable data protection regulations, and the protection of the data subject's rights is guaranteed. In no case will the collected data be sold. Our employees are obliged by us to maintain confidentiality and protect the personal data provided.

There is generally no regular transfer of personal data to a third country (states outside the European Union (EU) or the European Economic Area (EEA)) or an international organization. However, it may occur that we use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, through EU standard contracts, binding corporate rules, or special agreements to which the company can adhere. Furthermore, there may be cases where transfer is necessary to fulfill the contract or, at your request, to carry out pre-contractual measures, the transfer is legally required, or you have given us consent.

Participants in Seminars/Webinars/Events

We also offer paid and free seminars, webinars, and other events (collectively referred to as events) as part of our activities.

Scope of Data Collected

In the course of booking an event, we collect data for processing and conducting the event. This usually includes contact data such as name, company, position, address, phone number, email address, and billing information for paid events.

We usually receive the collected data directly from the participants. However, it is possible that you or your employer has appointed another person to transmit the data to us.

For the conduct of online events, we use Microsoft Teams. Microsoft Teams is a service of Microsoft Corporation.

Purposes and Legal Bases of Processing

The collection of participants' contact information is necessary for conducting the event. The legal basis for this is our legitimate interest in conducting the event (Art. 6 (1) sentence 1 lit. f GDPR) for free events and the contractual obligation according to Art. 6 (1) sentence 1 lit. b GDPR for paid webinars.

Online events are sometimes recorded by us for quality purposes. You will be informed of this before the event. During and after the webinar, statistical data is collected. This includes information about your participation duration, questions asked, or answers given.

After an event, we may send you important information from the event and further information about our services. The legal basis for this is our legitimate interest (Art. 6 (1) sentence 1 lit. f GDPR) to further develop the customer relationship with you.

Retention Period

We store your personal data for as long as necessary to fulfill our legal and contractual obligations, e.g.:

Invoices: Fulfillment of, for example, commercial and tax retention obligations. These include, among others, retention periods from the Commercial Code (HGB) or the Tax Code (AO). Retention periods are up to 10 years.

The participant lists of paid webinars are subject to the 3-year retention period under the Civil Code (BGB). There are no statutory retention periods for the participant lists of free webinars. These participant lists are deleted as soon as they are no longer needed.

Disclosure of Data

For conducting online events, your data will necessarily be transferred to the online service used. This is either an independently responsible telecommunications service provider or a processor contractually bound by us. The following data is often transferred in the course of use: metadata of the meeting (title, time, participant IP addresses, browser data, location data, etc.).

If materials are sent to you for participation in the event, shipping or postal service providers will be used for postal delivery.

If you participate in a paid event, your data will also be passed on to other public or internal entities as described in the section "Business Customers and Partners". This also includes the transfer of data to certification service providers for participation in relevant events.

We strive to process your data within the EU/EEA. However, it may occur that we use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, through EU standard contracts, binding corporate rules, or special agreements to which the company can adhere.

Use of Collaboration Tools

HubSpot

General Information

cysmo Cyber Risk GmbH uses HubSpot, a service provided by HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, for analytical purposes on its websites.

"Web beacons" and "cookies" are used in this process, which are stored on your computer and enable us to analyze your use of the website. The information collected (e.g., IP address, geographic location, type of browser, duration of visit, and pages viewed) is analyzed by HubSpot on behalf of cysmo Cyber Risk GmbH to generate reports on visits and pages viewed on the cysmo Cyber Risk GmbH websites.

As described in section 3c, if you subscribe to cysmo Cyber Risk GmbH email news and download studies and other documents, we can use HubSpot to link your visits to the cysmo Cyber Risk GmbH websites with your personal information (mainly name/email address) based on your given consent. This allows us to personalize and target information on preferred topics for you.

If you generally do not want HubSpot to collect your information, you can prevent the storage of cookies at any time through your browser settings.

For more information about how HubSpot works, please see the HubSpot Germany GmbH privacy policy at: http://legal.hubspot.com/de/privacy-policy.

Mailings, Downloads, Forms, Calendar Bookings, Chatbot

On the websites of cysmo Cyber Risk GmbH, we offer a wide range of mailings, downloads, forms, calendar bookings, and chatbot services based on user consent according to Art. 6 Para. 1a EU GDPR, possibly in conjunction with § 7 Para. 2 No. 3 UWG. We may also send certain information via email based on a legal permission under § 7 Para. 3 UWG.

To sign up for topic-related mailings, download specific documents (e.g., studies), and use forms, calendar bookings, and the chatbot from cysmo Cyber Risk GmbH, you need to provide your name and email address. By signing up or downloading, you also give cysmo Cyber Risk GmbH consent to track future visits to our websites on a personalized basis to send you targeted and personalized information on relevant topics (e.g., current studies, surveys). We track individual pages and topics viewed by a registered user during visits using a cookie from our service provider HubSpot.

After signing up for mailings, downloads, forms, calendar bookings, or chatbot services on the websites of cysmo Cyber Risk GmbH, each user will receive a confirmation email to the provided email address (so-called double opt-in procedure). The registration is only complete after clicking the link contained in this email.

Consent to receive mailings, downloads, forms, calendar bookings, or chatbot services can be revoked at any time via a link at the end of each email or by sending a message to the cysmo Cyber Risk GmbH inbox [please insert the appropriate email address here].

Registrations for mailings, downloads, forms, calendar bookings, or chatbot services are logged based on our legitimate interest to be able to prove the user's registration and consent at any time (Art. 6 Para. 1 lit. f EU GDPR).

If you do not use our services in any form for a year, you will be considered uninterested and automatically deleted from HubSpot.

 

Microsoft Teams

We use the tools Microsoft Teams for telephone conferences, video conferences, online meetings, webinars, or online training (hereinafter: online meetings). Microsoft Teams is part of Microsoft Office 365 from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter: "Microsoft").

The controller for data processing directly related to the conduct of online meetings is cysmo Cyber Risk GmbH. However, when you visit Microsoft's website, the provider is responsible for data processing. Visiting the website is only required to download the software for using Microsoft Teams. If you do not want or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. The service will then be provided via the Microsoft Teams website. Further information on data protection by Microsoft Corporation can be found here: privacy.microsoft.com/en-us/privacystatement.

When using Microsoft Teams, various types of data are processed. The scope of the data also depends on the information you provide before or during participation in an online meeting. The following personal data is subject to processing:

User information: first name, last name, or display name, possibly email address, profile picture (optional), preferred language

Meeting metadata: topic, description (optional), date, time, meeting ID, phone numbers, location, participant IP addresses, device/hardware information

Text, audio, and video data: You may have the opportunity to use the chat function in an online meeting. In this case, the text inputs you make will be processed to display them in the online meeting. To enable video display and audio playback, the data from the microphone of your device and any video camera of the device will be processed accordingly during the meeting. You can turn off or mute the camera or microphone yourself at any time via the online meeting applications.

Recording the online meeting (optional): MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of the online chat

When dialing in by phone: Information about the incoming and outgoing phone number, country name, start and end time. Other connection data, such as the IP address of the device, may also be stored.

For more information on the data processed by Microsoft Teams, please visit: learn.microsoft.com/en-us/microsoftteams/teams-privacy.

To the extent that personal data of employees of cysmo Cyber Risk GmbH is processed, § 26 BDSG is the legal basis for data processing. If personal data is not required for establishing, conducting, or terminating the employment relationship in connection with the use of the online services but is nonetheless an essential component in using the online services, Art. 6 (1) lit. f) GDPR is the legal basis for data processing. Our interest in these cases is the effective conduct of online meetings.

Otherwise, the legal basis for data processing when conducting online meetings is Art. 6 (1) lit. b) GDPR, to the extent that the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) lit. f) GDPR. Here, too, our interest is in the effective conduct of online meetings.

Personal data processed in connection with participation in online meetings is not generally passed on to third parties unless it is intended for disclosure. Please note that content from online meetings is often intended to communicate information to customers, interested parties, or third parties and is therefore intended for disclosure.

Data processing outside the European Union (EU) does not generally occur, as we have restricted our storage location to data centers in the European Union. However, we cannot exclude that data will be transferred to Microsoft Corp. in the USA. Remote maintenance accesses can also be made by Microsoft from other third countries. Therefore, we have concluded the standard data protection clauses of the European Commission with Microsoft Corp.

Applicants

The following information is intended to provide you with an overview of the processing of your personal data as an applicant for a job offer or in the context of an unsolicited application.

Scope of Data Collected

We process only the personal data you send us with your application during the application process. The processed categories of personal data generally include first name, last name, name suffixes, date of birth, nationality, contact details (such as private address, (mobile) phone number, email address), protocol data generated by using IT systems, and other data from applicant management (e.g., resume, education data, disability information, skills, and competencies).

If special categories of personal data under Art. 9 (1) GDPR are included in your application documents, we process them in the application process to exercise rights or fulfill obligations under labor law, social security law, and social protection. The legal basis for this is Art. 6 (1) sentence 1 lit. c GDPR in conjunction with Art. 9 (2) lit. b GDPR.

If we did not collect the data directly from you, it is possible that we received it from third parties based on your consent, e.g.,

1. Personnel service providers/recruiters or
2. from publicly accessible sources (e.g., professional social networks or search engines)

If you use our offer for online application through our career portal (www.cysmo.com), your data will be transmitted to us securely.

Purposes and Legal Bases of Processing

We process your data to carry out the application process. The data is voluntarily transmitted by you and serves to decide on establishing an employment relationship under § 26 (1) BDSG.

If you have consented to being included in the applicant pool, this processing is based on your consent (Art. 6 (1) sentence 1 lit. a GDPR). In these cases, we store your application documents to consider you in future application processes.

Furthermore, we store the data after completing an application process to safeguard our legitimate interests in defending legal claims in a procedure under the General Equal Treatment Act (AGG). In the case of a legal dispute, we have a legitimate interest in processing the data for evidence purposes.

Retention Period

Your application data will generally be stored with us for the duration of the application process. If an employment relationship, training relationship, or internship relationship is established after the application process, your data will continue to be stored, if necessary and permissible, and subsequently transferred to the personnel file.

If we cannot offer employment as part of an application process, we will delete your data six months after the end of the application process. This retention period is justified by Art. 6 (1) sentence 1 lit. f GDPR so that we can defend against claims under the AGG if necessary.

If you wish to be included in our applicant pool, you consent to us storing your data beyond this period to contact you in future vacancies. In this case, deletion will occur after two years.

Disclosure of Data

Your applicant data will only be shared with departments or individuals within the company who need it to conduct the application process and review applicants. Additionally, your application data may be shared with processors under Art. 28 GDPR.

Data is not generally transferred to a third country. There is generally no regular transfer of personal data to a third country (states outside the European Union (EU) or the European Economic Area (EEA)) or an international organization. However, it may occur that we use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, through EU standard contracts, binding corporate rules, or special agreements to which the company can adhere.

Status and Changes to Privacy Notices

Please note that we will occasionally adjust this privacy policy to comply with current legal requirements and cover all our offers. The applicable version is the current one according to the following update notice.

Your statutory rights to access, rectification, blocking, deletion, and objection remain unaffected by such a change.

Last update: March 28, 2023

These Cookies We Use

Google Analytics

Google Analytics is a web analytics service provided by Google Ireland Ltd ("Google"). Google uses the collected data to track and examine the use of this website/app, compile reports on its activities, and share them with other Google services. Google may use the collected data to contextualize and personalize the ads of its advertising network.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy Policy:

Google Tag Manager

Google Tag Manager is a service provided by Google Ireland Ltd ("Google"). Google enables the integration and management of tracking tags and external scripts. Google Tag Manager itself does not set any cookies on your system.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy Policy: https://policies.google.com/privacy?hl=en&gl=ZZ

Technical Cookies

Necessary

Status and Changes to Privacy Notices

Please note that we will occasionally adjust this privacy policy to comply with current legal requirements and cover all our offers. The applicable version is the current one according to the following update notice.

Your statutory rights to access, rectification, blocking, deletion, and objection remain unaffected by such a change.

Last update: May 28, 2024