2. General for data processing by cvlogin
3. Deliberately transmitted Data
a. Access Data
b. Compulsory Information
c. Facebook Connect
d. CV Data
e. Email: Communication and Advertising
f. Payment Data
Payment via Stripe
Payment via PayPal
g. Contact Form Data
h. Job Applications
4. Automatically transmitted Data
a. Server Log Data
b. Data Analysis
5. Recipients of Personal Data
6. Data Transmission to Third Countries
7. Technologies used and Incorporation of Third-Party Services
a. Google Tools
Google Tag Manager
Google Remarketing Services
Google Invisible reCAPTCHA
Google Adwords (Conversion Tracking)
Google Web Fonts
c. Facebook Remarketing
e. Amazon Web Services
k. Jetpack / Wordpress Stats
8. Duration of Data Retention
9. User Rights
e. Restriction of Processing
f. Data Portability
g. Revocation of Consent
10. Data Protection Officer
The terms applied below have the following meaning:
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Individuals with regard to the Processing of Personal Data, on the free Movement of Persons, repealing Directive 95/46 / EC, also called "General Data Protection Regulation"
"BDSG" means the Law adapting Data Protection Law to Regulation (EU) 2016/679 and implementing Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act of 30. June 2017, also called "Federal Data Protection Act").
"PLATFORM" means the internet service operated using the URLs www.cvlogin.com, www.cvlogin.net, www.cvlogin.in, www.cvlogin.es, www.cvlogin.de, www.cvlogin.co.uk, www.cvlogin.com .fr, www.cvlogin.com.br, www.cvlogin.ru and www.cvlogin.io.
"OPERATOR" means cvlogin GmbH, c / o iMaven GmbH, Schröderstrasse 12, 10115 Berlin, registered with the commercial register of the Landgericht (District Court) of Berlin-Charlottenburg under no. the HRB 204125 B, which operates the PLATFORM and is responsible within the meaning of the EU GDPR.
"THIRD-PARTY PROVIDER" means any third party company with which the OPERATOR is interacting on a commercial basis and which provides additional services to registered users of the PLATFORM.
"Personal data" are all information referring to an identified or identifiable natural person in accordance with Art. 4 (1) EU GDPR. A natural person is considered as identifiable if it can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, the expression of the physical , physiological, genetic, mental, economic, cultural or social identity of this natural person.
"Cookies" are small files that enable the OPERATOR to determine information specific to the online activity of the respective user on the device used by the user (eg computer, smartphone, etc.). Cookies have a limited validity, contain no personal data and are therefore not used for personal identification. Users can prevent the storage of cookies via their own browser settings.
"Web Beacons" are invisible graphics that allow to create traffic information on a web page.
"Pixel" describes an image file or a link to an image file that is inserted in the website code but is not located on the user's device.
"Profiling" describes any kind of automated processing of personal data, in accordance with Art. 4 (4) EU GDPR, using personal data to assess certain personal aspects relating to a natural person, in particular to analyze or predict aspects of work performance, economic condition, health, personal preferences, interests, reliability, behavior, whereabouts or relocation of that natural person.
2. GENERAL DATA PROCESSING BY CVLOGIN
The EU GDPR and the BDSG constitute the legal basis for the processing of personal data by cvlogin. Subject to these regulations, the OPERATOR processes personal data …
if and to the extent that users have consented in it
in order to fulfill contractual obligations vis-a-vis users
in order to safeguard justified own interests, taking into consideration the protection of interests of the users
as far as the OPERATOR is legally obliged to do so (for example, by providing personal data to investigative authorities).
Personal data used in creating a CV on the PLATFORM are initially stored only temporarily (peripherally) in the user's browser. The OPERATOR does not permanently save them until the relevant user registers on the PLATFORM.
The OPERATOR endeavors to permanently improve the PLATFORM and to always adapt it to the needs of its users. For this purpose, profiles of interests of users and their activity on the PLATFORM are automatically generated in order to display to users suitable recommendations for jobs, further training offers or services of THIRD PARTIES in connection with the creation of CVs and applications, furthermore with the aim of proposing users as valuable business contacts or potential employees to such THIRD PARTIES. To this end, cvlogin needs to understand what kind of interests users have. In order to determine such interests, two classes of information are used: (1) such information as users deliberately disclose to the OPERATOR and (2) such information as the OPERATOR retains by way of automated processes without the affected user deliberately transferring such information to the OPERATOR but triggered solely by the affected user’s activity on the PLATFORM, as described in detail hereinafter.
3. DELIVERATELY TRANSMITTED DATA
a. Access Data
In the context of the mandatory registration process, the OPERATOR has to process certain personal data of users granting users initial access to the PLATFORM and their personal data stored there (access data). The same applies to the authentication process for subsequent visits of users on the PLATFORM. Such information is essential for the functioning of the PLATFORM. Without these data, the use of the PLATFORM is not possible. These data include:
optional: Facebook or LinkedIn login
The processing of access data by the OPERATOR is required for fulfilling his obligations under the agreement (Art. 6 par. (1), s.1, lit. b) EU GDPR). Access data are neither accessible nor passed on to any third party. Such data will be deleted when users delete their own user account. After that, it will no be longer possible for these users to access such data previously stored in their own customer account.
b. Compulsory Information
In order to register with the PLATFORM, it is furthermore required that users provide additional information such as
their first and last name
The processing of these data by the OPERATOR takes place for the fulfillment of the agreement (Art. 6 par. (1), s.1, lit. b) EU GDPR). Submission of such data to any THIRD-PARTY PROVIDER (see below) will only take place if the individual user has expressly consented to the disclosure in the cvlogin Dashboard by means of a corresponding setting (Art. 6 (1) (1) (a)) EU GDPR).
c. Facebook Connect
Alternatively to inserting individual registration data on the PLATFORM, users may opt to register via Facebook Connect. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. If users decide to do so and click on the "Login with Facebook" / "Connect with Facebook" button, they will automatically be redirected to the Facebook platform where they can log in with their user data, linking their Facebook profile with the PLATFORM. This link gives the OPERATOR access to certain user data stored on Facebook, such as …
Facebook name and first name
Facebook profile photo
Facebook email address
Facebook friends lists
These data are used to create, provide and personalize the cvlogin account. Such data processing takes place on the basis of the user’s consent (Art. 6 paragraph par. (1), s.1 lit. a) EU GDPR).
d. CV Data
In addition to the required access data and compulsory information, users of the PLATFORM can provide further personal information about themselves in accordance with their individual aspirations in their resume which is created and stored on the PLATFORM. Only then does the added value of using cvlogin for the users arise. These data may include the following information:
address, country (note that the OPERATOR will not collect geodata)
date and place of birth
telephone number (mobile and landline)
photo for job applications
professional experience, including the companies that have been worked for, title, working hours and role description
professional skills and special qualifications
foreign language skills
educational history (attended schools, universities, subjects and degrees)
student ID numbers of visited universities
certificates as well as evaluations and personal reference documents issued by third parties (in digitized form), including these third party’s names and titles, in which case the user will be responsible for ensuring that these third parties have effectively consented to the processing of their personal data
scholarships & projects
any other piece of personal information that the user provides about himself in his own profile (eg driver's license).
The knowledge of such CV data enables THIRD-PARTY PROVIDERs cooperating with the OPERATOR to get to know users better and to offer them suitable services or jobs. This concerns, in particular, providers of services around the creation of CVs, human resource agencies and job-offering companies, training institutions and providers of vocational training and services.
This processing of CV data by the OPERATOR is based on user consent (Art. 6, par. (1); s.1, lit a) EU GDPR): The OPERATOR only makes CV data of users available to third parties only if the individual user has expressly consented to it. Such consent is provided by a corresponding setting in the cvlogin Dashboard and can either be granted for a specific duration or without any time limit. The user can change his settings in the dashboard at any time. Privacy compliance of THIRD-PARTY PROVIDERs in their processing of such CV data and other personal data of users , based on consent, is subject to the THIRD-PARTY PROVIDERs‘ own sole responsibilty.
To the extent that such consent is denied or revoked, the OPERATOR and THIRD PARTY PROVIDERS can not or no longer, as the case may be, offer the affected user any matching service(s).
If users opt to use their own LinkedIn or Facebook profile data to create a cvlogin CV, they may use the Connect function with the websites of Facebook or LinkedIn (see above) to do so. Thereby, the PLATFORM enables users to contact their own Facebook and LinkedIn network contacts via cvlogin, to invite them to use cvlogin and / or to review these users‘ CVs. The Connect function does not run on the domain of the PLATFORM and the OPERATOR is unable to take notice of the login data of users on Facebook or Linkedin as these data are not processed by the OPERATOR. The PLATFORM will, however, store the relevant user‘s network contacts on Facebook or LinkedIn.
At the latest, the OPERATOR will completely delete or anonymize these data when users deletes their own user account.
e. Email: Communication and Advertising
In addition to being used in the registration process (see above), the e-mail address provided by users is also used by the OPERATOR
(1) to electronically provide users with information about products and services or surveys for the purpose of market research and to inform users about new functions of the PLATFORM and to propose interesting THIRD-PARTY PROVIDERs;
(2) to refer users to THIRD-PARTY PROVIDERs so they can connect with these users.
In both cases, such data processing takes place (1) in the OPERATOR‘s legitimate interest of improving his products based on his knowledge of the users interests and needs which outweighs the protected interests of the users concerned (Art. 6, par. (1), s.1 lit. f) EU GDPR) as well as (2.) if users have consented to this processing (Art. 6 par. (1) lit a) EU GDPR). Such consent may be revoked or restricted at any time in the notification settings in the cvlogin Dashboard.
If users chose to delete their own email address from their cvlogin Dashboard settings, it will be removed from the respective application. At the latest, the OPERATOR will completely delete e-mail addresses of users after they have deleted their own user account.
f. Payment Data
When users use paid services offered by cvlogin, the OPERATOR will process their payment data for payment and billing purposes according to the chosen means of payment. For payment processing, only certain payment data are stored, including …
the last four digits of the used credit card
paid products and fees
sums and balances of the respective customer account
The processing of such data by the OPERATOR takes place for the fulfillment of the agreement (Art. 6 par. (1), s.1, lit. b) EU GDPR). Payment data will not be disclosed to third parties except only if a third party is commissioned by the OPERATOR to assert any claim of the OPERATOR for payment against the relevant user in which case, the data transfer takes place in order to protect the legitimate interests of the OPERATOR (Art. 6 par. (1), s.1, lit. f) DSGO). The OPERATOR will store these data until the user account is deleted and beyond that point in time until storage of such data will no longer be subject to any tax, commercial or other statutory obligation. Thereafter, such data will be deleted or anonymized, as the case may be.
The OPERATOR is cooperating with the online payment service providers Stripe and PayPal. During the online payment process, a connector to the respective payment service will be loaded into the users‘ browser. There, the users will enter their personal banking data. The OPERATOR has access to neither these banking data nor to the relevant website of the payment service provider. On the OPERATOR’s side, no processing of personal data of users takes place in this respect.
Payment via Stripe
If users opt for a payment method offered through the payment service provider "Stripe", payment will be processed via Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. In the course of the the payment process, Stripe will receive the information provided by the relevant user (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) directly. Upon completion of the payment transaction, Stripe will send to the OPERATOR only the last 4 digits of the credit card used by the users when making the payment. These data are stored by the OPERATOR solely for the purpose of recording them as additional customer information on the respective invoice.
For more information about Stripe privacy, visit https://stripe.com/en/privacy.
Payment via PayPal
For payment via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "installment payment" via PayPal, payment data go directly to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as far as this is required for the payment.
For the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "installment" via PayPal, PayPal reserves itself the right to execute a credit check. For this purpose, payment data of the users concerned may, if appropriate, be transferred to credit reporting agencies in accordance with Art. 6 par. 1 lit. f) EU GDPR, based on the legitimate interest of PayPal to determinate solvency. PayPal will use the results of such credit check based on the statistical probability of default to decide about whether or not to provide the respective payment method. The credit information may contain probability values (so-called score values). Insofar as score values are included in the results of the credit rating, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of score values includes, but is not limited to, address data.
Users can object to this processing of their data at any time by sending a message to PayPal. However, PayPal may continue to be entitled to process this personal data, if required for the contractual payment.
Further data protection information, including information about credit reference agencies, are accessible on PayPal’s privacy protection information website at https://www.paypal.com/webapps/mpp/ua/privacy-full.
g. Contact Form Data
If users send inquiries to the OPERATOR via the contact form on the PLATFORM, their contact details will be stored by the OPERATOR for the purpose of processing their requests. This data processing takes place for the purpose of fulfilling the agreement and for carrying out pre-contractual measures (Art. 6, par. (1); s.1, lit b) EU GDPR). The OPERATOR forwards the personal data contained in the contact to Intercom (see section 7) based on the users‘ consent (Art. 6, par. (1); s.1, lit a) EU GDPR). This consent can be revoked at any time for which an message by e-mail to the OPERATOR will suffice in which case the legality of the data processing operations carried out prior to such revocation remains unaffected. Following such revocation, no communication between the user and the OPERATOR is possible via the communication method(s) specified in the contact form.
The data entered by users in the contact form will remain with the OPERATOR until the users concerned ask the OPERATOR to delete them, revoke their consent to the storage or the purpose for data storage (for example, after completion of the request). Mandatory statutory provisions - especially retention periods - remain unaffected.
h. Job Applications
If users apply for a job with the OPERATOR, they will be considered as giving their revocable consent to the processing of their personal data transmitted by them by the OPERATOR and such data shall be processed by the persons entrusted to do so by the OPERATOR and shall be stored there for the purpose of personnel selection. If such consent is revoked, the application process can not be continued and the application will be considered withdrawn. These data will be deleted by the OPERATOR after a rejection or withdrawal of the application. Documents on paper sent to the OPERATOR in the context of an unsolicitedly application will not be returned to the applicant but shall be destroyed.
4. AUTOMATICALLY TRANSMITTED DATA
When users visit the PLATFORM, the OPERATOR collects certain data automatically transmitted to him by the devices used by users.
a. Server Log Data:
The users‘ browser automatically transmits server log data to the OPERATOR. Such data include, in particular, browser type and version, operating system used, referrer URL, host name of the accessing computer, time of the server request and the IP address used by the users, products viewed or searched for by the users, site response times, download errors, the length of stay on visited cvlogin pages, page interaction information (such as scrolling, clicks and mouse-overs), and site browsing methods. There is no merge of these data with other data sources.
The processing of this data is based on Art. 6 par. (1), s.1, lit. f) EU GDPR, the OPERATOR having a legitimate and overriding interest in the technically error-free presentation and optimization of his website, including the processing of the server log data is required.
b. Data Analysis
The OPERATOR processes analysis data from the evaluation of the use of newsletters sent by him, such as the opening of the newsletter, reading time and duration as well as clicks on content. This data processing is carried out for the pursuit of legitimate and overriding interests of the OPERATOR (Art. 6, par. (1), s.1, lit. d) EU GDPR) in improving his product quality, in particular with a view of improving the targeting of his products to the interests of users.
The OPERATOR reserves the right to process cryptographic hashes to identify information (eg name and date of birth) and blockchain IDs (eg blockchain addresses and public keys) for the purpose of using blockchain technology in the certification of documents uploaded to the PLATFORM by users , such certification being carried out by third parties, including the creation and maintenance of a Blockchain-based wallet (documents & ID wallet), if opted for by the individual user. Such data processing serves the purpose of fulfilling the agreement and implementing pre-contractual measures and is further in the legitimate and predominant interests of the OPERATOR (Art. 6 par. (1), s.1, lit. b) and d) EU GDPR).
On the one hand, tracking serves to ensure the protection of users and the security of user data, as well as the cvlogin websites and the cvlogin service.
In addition, tracking and user behavior analysis help the OPERATOR to validate and optimize the effectiveness of the service and to correct errors. This is done with the intention to adapt the products and services of cvlogin to the needs of the users: The evaluation of the information gained by tracking is required in order to provide personalized services to the user according to the purpose of the PLATFORM to ensure the maximum benefit of it to its users. The knowledge about their use of the PLATFORM, which users convey to the OPERATOR as a result of tracking through their use of teh PLATFORM, is key for the OPERATOR in order to understand which content and offers from THIRD-PARTY PROVIDERs users are interested in, and to determine which of the THIRD-PARTY PROVIDERs the OPERATOR may suggest to users as a valuable business contacts or potential employers.
Furthermore, tracking supports the OPERATOR in making the success of advertising campaigns measurable and in optimizing the display of advertising. In this context, tracking serves the purpose of range measurement with the aim of statistically determining the intensity of use, the number of users of a website and the surfing behavior - based on a uniform standard procedure - and thus of obtaining comparable data across the market. The legal basis for this is the OPERATOR’s legitimate interest in optimizing his advertising, which outweighs the protection interests of the users concerned (Art. 6, par. (1), s.1, lit. (f) of the EU GDPR).
In connection with the display of advertisements, servers of third-party (e.g., marketers) are necessarily also adressed directly by users of the PLATFORM. These third parties are solely responsible for the privacy-compliant operation of their IT systems. They are also responsible for deciding about the duration of storage of the data.
Users can opt to stop tracking to measure and optimize advertising. Occasionally, the OPERATOR is applying technology which users can only prevent directly on their end devices.
Applications on the PLATFORM may also contain content from external providers. These are integrated into the familiar cvlogin environment from external pages. The OPERATOR has no influence on the type of tracking applied to such external content. Users wishing to exclude tracking from external vendors within the cvlogin environment can disable the integration. Once users engage in external content, they will leave the cvlogin environment and will automatically be directed to the third party’s site. This does not necessarily lead to less tracking, but only to tracking which takes place outside off the PLATFORM.
When cookies are deactivated, the functionality of the PLATFORM may be restricted for the affected users.
5. RECIPIENTS OF PERSONAL DATA
Insofar as the OPERATOR cooperates with external service providers within the framework of data processing, this takes place within the framework of a so-called order processing. In such case, the OPERATOR remains responsible for the data processing and the OPERATOR commits each of these service providers to the measures necessary for data protection and data security and thus ensures the legally required protection of personal data of the users.
Insofar as data actively transmitted to the OPERATOR by users are transferred to third parties, this takes place based on consent of the users concerned in (Art. 6, par. (1); s.1, lit a) EU GDPR ), for the purpose of fulfilling the user agreement and for the performance of pre-contractual measures of the third party on request of the users concerned (Art. 6, par. (1); s.1, lit. b) EU GDPR), as well as to protect the OPERATOR's overriding legitimate interests in consideration of the rights of affected users (Art. 6 (1) (1) (f) DSGO), as set out with regard to the different types of personal data processed.
Transmission of data of users to third parties according to the settings chosen by the users takes place for the following purposes:
providing provision of information to career coaches, training providers and other THIRD PARTY PROVIDERS for the purpose of creating personalized offers for users and for contacting them
providing information to job offerers (potential employers, recruiting agencies) for the purpose of creating personalized job offers for users and for contacting them
certification of CV data on education and professional development by universities, colleges, schools, employers, educational institutions and training providers
inviting friends to use the PLATFORM and / or review resumes.
The OPERATOR does not intend to process the respective data for any purpose other than for the purpose of the data collection.
The OPERATOR is applying a variety of tools and technologies, some of which are transmitted to or disclosed to third parties through visits of the PLATFORM by users. Details are explained in section "Technology USED and Incorporation of Third Party Services", below.
Service providers cooperating with the OPERATOR are obliged by the OPERATOR to take all necessary measures for data protection and data security.
6. DATA TRANSMISSION TO THIRD COUNTRIES
The OPERATOR uses certain third-party services to transfer data to the United States, that is, to a third country outside the European Union or the European Economic Area (see section "Technology used and Incorporation of Third Party Services", below). The United States has an adequate level of legal privacy protection within the meaning of Art. 45, par. (3) EU GDPR in the form of the EU-US Privacy Shield. Information is available online at http://ec.europa.eu/justice/data-protection/document/citizens-guide_en.pdf
7. TECHNOLOGIES USED AND INCORPORATION OF THIRD-PARTY SERVICES
The OPERATOR uses various third-party technologies and services to improve product performance, measure range, and optimize advertising delivered on the PLATFORM, as described below. Certain data automatically generated by users visiting the PLATFORM are transmitted to these third parties or made available to them. This data processing takes place on the basis of a revocable consent (Art. 6, para. (1), s.1 a) EU GDPR) or on the OPERATORS legitimate interest in the analysis of user behavior, both on the PLATFORM and his advertising, outweighing the protection interests of the users concerned (Art. 6, par. (1), s.1, lit. (f) EU GDPR).
a. Google Tools
The Operator uses various technologies and services provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (hereinafter "Google"), including Google Tag Manager, Google Analytics, Google Optimize, Google Remarketing Services, Google Invisible reCAPTCHA, Google Adwords (Conversion Tracking), Google Web Fonts and Google Adsense, as described below. Detailed information about Google's privacy policies can also be found at https://www.google.com/intl/en/policies/privacy/
Google Tag Manager
On the PLATFORM, the function "IP anonymization" is activated for the use of Google Analytics. This will cut off the IP address from data of users within Member States of the European Union or other parties to the Agreement on the European Economic Area prior to transmission of such data to the United States. Only in exceptional cases will the full IP address be sent to a Google server in the US and will be cut off there. In addition, Google has entered into a data processing agreement whereby Google's user data will not be merged with other data collected by Google to identify the user's identity.
Google Analytics also helps the OPERATOR to analyze data from AdWords and the Double-Click Cookie for statistical purposes. Users not wishing this feature can use the Ads Preferences Manager https://www.google.com/settings/u/0/ads/authenticated to rearrange far reaching settings or disable the service compeletely.
The OPERATOR also uses the demographics feature of Google Analytics. As a result, reports can be produced that contain information on the age, gender and interests of site visitors. These data stem from interest-based advertising by Google and from visitor data provided by third parties. These data cannot be assigned to a specific person. Users can disable this feature at any time through the ad settings in their Google Account or generally prohibit the collection of their data by Google Analytics, as shown below.
Google Optimize is a tool integrated with Google Analytics and is used by the OPERATOR to analyze the use of different variations of the PLATFORM. This helps the OPERATOR to improve the usability of the PLATFORM according to the behavior of the users on the website. (To opt-out or opt-out of this service, see above: Google Analytics.)
Google Remarketing Services
Google Invisible reCAPTCHA
The OPERATOR uses Google's Invisible reCAPTCHA service for the purpose of distinguishing between input from a human and that by an automated machine processing. In the background, Google collects and analyzes usage data, which Invisible reCAPTCHA will then use to differentiate regular users from bots. For this purpose, the input is transmitted to Google and used there. In addition, the IP address and any other data required by Google for the Invisible reCAPTCHA service will be transmitted to Google. These data are processed by Google within the European Union and potentially also in the USA.
This data processing is based on the legal basis of Art. 6 par. (1) s.1, lit. f) EU GDPR as it is in the the legitimate interest of the OPERATOR to protect the PLATFORM against automated spying, abuse and spam.
Google AdWords (Conversion Tracking)
The OPERATOR uses the online advertising program "Google AdWords" and in this context conversion tracking (visit evaluation). When users click on an ad displayed by Google, a conversion tracking cookie is placed on their machine. These cookies have a limited validity, contain no personal data and are therefore not for personal identification (see above). If users visit certain pages and the cookie has not yet expired, Google and the OPERATOR can detect that these users clicked on the ad in question and were redirected to this page. Each Google AdWords customer receives a different cookie. Thus, there is no way that cookies can be tracked through the websites of advertisers.
The information obtained through the conversion cookie is for the purpose of generating conversion statistics. Here, the OPERATOR learns the total number of users who clicked on the ad on the PLATFORM and were redirected to a page tagged with a conversion tracking tag. However, the OPERATOR does not receive any information that personally identifies users.
Data processing is based on the legal basis of Art. 6 par. (1), s.1 lit. (f) EU GDPR as it is the legitimate interest of the OPERATOR to perform targeted advertising and an analysis of the impact and efficiency of this advertising. Users have the right to object to this processing at any time and can prevent the storage of cookies by selecting the appropriate technical settings of their browser software. In this case, they may no longer be able to use all features of the PLATFORM. They will no longer be included in the conversion tracking statistics. They can also turn off personalized advertising in the Ads Ads Settings on Google. Instructions can be found at https://support.google.com/ads/answer/2662922?hl=en.
Google Web Fonts
The OPERATOR uses so-called Web Fonts provided by Google for a uniform representation of fonts on the PLATFORM. When a webpage is adressed, the browser of the respective user will load the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser used must connect to Google's servers. As a result, Google obtains knowledge that the PLATFORM was accessed via the IP address of the respective user. If the browser you are using does not support web fonts, a default font will be used by the user's computer.
The use of Google Web Fonts is in the interest of a consistent and attractive presentation of the online offers of the OPERATOR as well as the optimization and economic operation of the PLATFORM. This constitutes an overriding legitimate interest within the meaning of Art. 6, par. (1) lit. (f) EU GDPR.
The OPERATOR uses the Google AdSense service to engage advertisers and analyze the use of the PLATFORM. Cookies and so-called web beacons are stored on the terminal via the Internet browser used by the user. Information about the use of the website as well as advertising formats, which also include users‘ IP address, will be transmitted to Google and stored there. Contractors of Google can also obtain this information. According to Google, IP addresses are not merged with other user data.
If users do not agree with this data processing, they have the possibility to prevent the installation of cookies by the corresponding settings in their internet browser (see above), which may result in a restriction of the use of the PLATFORM.
The OPERATOR uses Hotjar, an analysis software from Hotjar Ltd. (Level 2, St Julian's Business Center, 3, Elia Zammit Street, St Julian's STJ 1000, Malta; www.hotjar.com). With Hotjar, it is possible to measure and evaluate user acticity on the PLATFORM (e.g., clicks, mouse movements, scroll heights, etc.). This allows to track movements on the PLATFORM (so-called heatmaps). For example, it is possible to see how far users are scrolling and which buttons they click and how often they do so. In this way, the OPERATOR gains valuable information in order to make the PLATFORM even faster and more customer-friendly. Hotjar Ltd. uses data on an anonymous or pseudonymous basis for the preparation of evaluation reports on the visit of the PLATFORM for the OPERATOR. The information generated by the so-called tracking code and cookies on the visit to the PLATFORM, collected by the device and browser used by the user in and server of Hotjar Ltd. in Ireland, includes the following information:
IP address of the device used (in anonymized format)
screen size, device type and browser information of the device used
preferred language(s) in the presentation of the website
date and time of access to the PLATFORM
country from which the PLATFORM was accessed
Hotjar Ltd., for its part, also uses services provided by other companies, such as Google Analytics and Optimizely from Google (see above). Google may store information that the browser applied by users sends as part of the site visit, such as cookies or IP requests. For more information, such as Google Analytics and Optimizely store and use data, their privacy statements apply.
The use of Hotjar and the related data processing is based on Art. 6 par. (1), s.1 lit. (f) EU GDPR as the legitimate and interest of the OPERATOR to better understand the needs of its users and to optimize the offer on the PLATFORM takes prevails over users‘ interests.
Users can prevent the processing of their data by Hotjar by clicking on the following link and follow the instructions there: https://www.hotjar.com/opt-out.
c. Facebook Remarketing
The OPERATOR uses remarketing feature "Custom Audiences" on the PLATFORM offered by Facebook (Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, "Facebook"). This function serves to target visitors to the PLATFORM with interest-based advertising in the social network Facebook. For this purpose, Facebook's remarketing tag was implemented on the PLATFORM. Through this tag, a direct connection to the Facebook servers will be made when visiting the PLATFORM. Thereby, information will be transmitted to the Facebook server about which of the cvlogin websites users have visited. Facebook assigns this information to their personal Facebook user account. When users visit the social network Facebook, they are then shown personalized, interest-based Facebook ads.
This data processing is based on Art. 6 par. (1), s.1, lit. (f) EU GDPR, i.e. the legitimate interest of the OPERATOR in the above-mentioned purpose.
SendinBlue is a service used by the OPERATOR to organize and analyze the sending of newsletters. The provider of this service is SendinBlue SAS, 55, rue d'Amsterdam, 75008 Paris, France. The data entered by users in order to receive newsletters (such as their e-mail address) is stored on SendinBlue's servers. Using SendinBlue, the OPERATOR also analyzes how many recipients have opened the newsletter message and how often which link in the newsletter has been clicked.
Data processing is based on user consent, which can be revoked at any time by unsubscribing from the newsletter. For this purpose, a corresponding link is available in every newsletter message. The revocation can alternatively be sent by email to the address given in the imprint. The legality of the already completed data processing operations remains unaffected by such revocation.
The user data stored by the OPERATOR for the purpose of subscribing to the newsletter is stored until cancellation of the newsletter service and then deleted from both the PLATFORM servers and the SendinBlue servers. Data stored for other purposes with the OPERATOR remains unaffected.
e. Google Cloud Services
The OPERATOR makes use of Google Cloud services (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://cloud.google.com) in the form of infrastructure and platform services, computing and data storage capacity, database services, as well as data security and technical maintenance services used to operate the PLATFORM. Google Could Services also provides various technical services for use over the Internet, which are also used by the OPERATOR.
If users visit the PLATFORM, the OPERATOR automatically transfers the personal data of the persons concerned to Google Could Services. For this purpose, it has concluded an agreement with Google Could Services for order processing in accordance with the requirements of the EU GDPR, according to which the data of the users concerned are in no case processed in a third country outside the scope of the EU GDPR.
Users who do not wish Google Could Services to process their personal data must stop using the PLATFORM. The services of Google Could Services are an integral part of the PLATFORM; without them, the use of the PLATFORM is not possible. Additional information on privacy at Google Could Services is available at https://cloud.google.com/security/gdpr?hl=de
The OPERATOR uses services of Contabo GmbH ("Contabo", Aschauer Straße 32a 81549 Munich; www.contabo.de) in the form of infrastructure and platform services, computing capacity, data storage and database services, and data security as well as technical maintenance services used to operate the PLATFORM.
On the basis of an agreement for order processing between the OPERATOR and Contabo gem. Art. 28 EU GDPR, Contabo processes personal data, in particular inventory, contact, content, contract, usage, meta and communication data of customers, interested parties and visitors to the PLATFORM. The legal justification lies in the legitimate, predominant interest of the OPERATOR in an efficient and secure provision of its services in accordance with. Art. 6, para. (1), s.1, lit. (f) EU GDPR. More information on the privacy of Contabo is available at https://contabo.de/datenschutz.html.
Users who do not wish Contabo to process their personal data must stop using the PLATFORM. The services of Contabo are an integral part of the PLATFORM; without them, the use of the PLATFORM is not possible.
The OPERATOR uses the storage service "Cloudinary" for content that is uploaded to the PLATFORM by users. Its provider is Cloudinary Ltd., 111 W Evelyn Ave, Suite 206 Sunnyvale, CA 94086, USA. Cloudinary does not grant third parties access to this content. Data processing is based on the consent of the users. This consent can be revoked at any time. Thereafter, however, the further use of the PLATFORM is no longer possible. For more information about Cloudinary's privacy, visit http://cloudinary.com/privacy and http://cloudinary.com/tos.
The OPERATOR uses this information to evaluate the use of the PLATFORM and to optimize its products based thereon. The OPERATOR also uses Intercom as a communication medium for (push) messages within the user area (after login) or emails via the contact form. The OPERATOR also uses Intercom to analyze the use of the website, to improve it regularly and to process inquiries. This allows the OPERATOR to improve his offer and make it more interesting for users.
This data processing is legally based on user consent (Art. 6, par. (1), s.1, lit. a) EU GDPR). It is further justified by the purpose of fulfilling the agreement (Art. 6, par. (1), s.1, lit. b) EU GDPR) and the legitimate interest of the OPERATOR, which outweighs the protection interests of the users concerned (Art. 6, par. (1), s.1, lit. f) EU GDPR). The consent can be revoked at any time. Thereafter, however, then the further use of the PLATFORM is no longer possible. Further information on the privacy of Intercom can be found at http://docs.intercom.io/privacy.
In order to ensure that e-mail addresses entered on the PLATFORM are valid, the OPERATOR uses the e-mail verification feature of Kickbox Inc (2556 Elm Street, Dallas, TX 75226, USA; www.kickbox.com; "Kickbox"). E-mail addresses of users are transferred to Kickbox directly after input via a 256-bit SSL encrypted request, verified and then immediately deleted or irreversibly hashed and pseudonymized stored for a maximum of 7 days. If an e-mail address is incorrect, the user will be asked to enter it once more. Since the OPERATOR primarily contacts users of the PLATFORM via e-mail, a correct e-mail address is required to answer their inquiries and to fulfill the agreement. The verification thus lies in the predominant legitimate interest of the OPERATOR according to Art. 6, par. (1), s.1, lit. f) EU GDPR. If the registration of the e-mail address aims at the conclusion of a contract, then Art. 6, par. (1). s.1 lit. b) provides an additional legal basis for data processing.
Kickbox is certified under the EU-US Privacy Shield. A current certificate can be viewed at https://www.privacyshield.gov/list.
The OPERATOR uses the service "Sucuri" to ensure the full functionality of the PLATFORM. Sucuri is also the business name used by the service provider Media Temple, Inc. (6060 Center Drive, 5th Floor, Los Angeles, CA 90045, USA), a subsidiary of Go Daddy Operating Company, LLC. The PLATFORM is reviewed by Sucuri for potential malware and vulnerabilities. The OPERATOR does not send any personal information about users to Sucuri. However, during the scan, Sucuri may find personal information that has been publicly published (for example, in comments).
Go Daddy Operating Company, LLC is certified under the EU-US Privacy Shield Agreement (see above) also with effect for its subsidiary Media Temple, Inc. (see https://www.privacyshield.gov/list).
The legal basis for data processing is Art. 6, para. (1); s.1 lit. f) EU GDPR: The legitimate interest of the OPERATOR in the analysis, optimization and economic operation of his PLATFORM prevails over user interests.
Users can prevent the collection and processing data by Sucuri / Media Temple, Inc. by deactivating the execution of script code in their browser settings or by installing a script blocker in their browser (this can be found at www.noscript.net or www.ghostery.com). The deletion of the data takes place as soon as the purpose of its collection has been fulfilled.
Further information on how Sucuri deals with users' data can be found at https://sucuri.net/privacy.
k. Jetpack / Wordpress Stats
The OPERATOR uses the service "Jetpack" with the extension "WordPress Stats". This is a web analytics service provided by Automattic Inc. (132 Hawthorne Street, San Francisco, CA 94107, USA) for the purpose of analyzing the PLATFORM's usage behavior.
For the analysis of the usage behavior Jetpack - WordPress Stats saves cookies via the internet browser on the terminal of the respective user. During processing, the IP address, the visited website of the OPERATOR, the website from which the user switched to the PLATFORM (referrer URL), the time spent on the PLATFORM and the frequency with which it is accessed are recorded. The data collected is stored on a server of the supplier Automattic in the USA. However, the IP address is anonymized immediately after the processing and before its storage.
By his certification according to the EU-US Privacy Shield (see https://www.privacyshield.gov/list) the provider guarantees that he will comply with the data protection requirements of the EU GDPR also when processing data in the USA.
The legal basis for data processing is Art. 6 par. (1); s.1 lit. f) EU GDPR: The legitimate interests of the OPERATOR which prevails over users‘ interests are geared towards the analysis, optimization and economic operation of his PLATFORM.
If users do not agree with this data processing, they have the possibility to prevent the storage of the cookie by a setting in their Internet browser (see above).
8. DURATION OF DATA RENTENTION
The OPERATOR stores personal data of registered users as long as the person concerned does not
demand that such data shall bhe deleted or
revoke a required consent to the processing or
delete the user account.
The OPERATOR will retain such data beyond the aforesaid point in time as long as storage is required
to assert any unrestricted claims of the OPERATOR against the respective user and / or
for the preservation of legal storage requirements or / and
to comply with an administrative or judicial order.
Thereafter, the OPERATOR will delete or anonymize, as the cae may be, the personal data of users.
9. USERS‘ RIGHTS
Users can object to the processing of personal data at any time if such data processing is based solely on the interests of the OPERATOR according to Art. 6, para. (1) s.1, lit. (f) of the EU GDPR. This also applies to the processing of personal data for the purpose of direct mail and profiling insofar as it is associated with direct mail. Users may use the contact form on the PLATFORM for such objection. Users can unsubscribe from the cvlogin newsletter at any time in their own notification settings in the cvlogin Dashboard or by e-mail.
Users have the right to ask the OPERATOR for confirmation whether he is processing their personal data. If that is the case, users furthermore have the right to receive information about these personal data. If personal data are transmitted to a third country or to an international organization, affected users have the right to be informed about the appropriate guarantees (pursuant to Art. 46 EU GDPR) in connection with the transfer.
Users have the right to demand that the OPERATOR correct incorrect personal data without delay. In consideration of the purposes of the processing, they have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
Users have the right to demand that the OPERATOR immediately delete their personal data if any of the following applies:
The data are no longer necessary for the purposes for which they were collected or otherwise processed.
The consent on which the processing was based has been revoked in accordance with Art. 6, par. (1); s.1, lit a) or 9, para. (2) lit. a) EU GDPR and there is no other legal basis for the processing.
In accordance with Art. 21 (1) or (2) of the EU TDSO, users object to the processing and there are no legitimate reasons for the processing.
The data was processed unlawfully.
The deletion of the data is necessary to fulfill a legal obligation under Union or national law to which the OPERATOR is subject.
The data was collected in relation to information society services offered directly to a child under the age of 16, in accordance with Art. 8, para. (1) EU GDPR.
Upon request by the user, the OPERATOR is obliged to immediately delete the relevant data. The legality of the processing carried out on the basis of the consent before the revocation remains unaffected.
e. Restriction of Processing
Users who deny the accuracy of their personal data are entitled to request a restriction on the processing of these data for the duration that allows the resposnible party to verify the accuracy. If the processing is unlawful and users reject the deletion of the personal data and instead demand the restriction of the use of this data, this will be done. The restriction of processing also applies if the OPERATOR no longer requires personal data for processing purposes, but the users concerned require them for the assertion, exercise or defense of their own legal claims, or objections to the processing pursuant to Art. 21 par. 1 EU GDPR have been filed, as long as it is not certain whether the legitimate reasons of the person responsible outweigh the users‘ reasons. The affected users will be notified before the restriction is lifted.
f. Data Portability
Users have the right to receive personally identifiable information which they have provided to the OPERATOR in a structured, common and machine-readable format, as well as to share that information with another operator without interference from the OPERATOR provided that
processing is based on on consent (Art. 6, para. (1). s.1, lit. a) and Art. 9, para. (2), lit a) EU GDPR) or on an agreement (Art. 6, par. (1), s.1, lit b) EU GDPR) and
the processing is done by automated methods.
When exercising the right to data portability, users may request that the personal data be transmitted directly by the OPERATOR to another responsible entity where technically feasible.
g. Revocation of Consent
If the processing is based on consent, users have the right to revoke the consent at any time. The lawfulness of the processing carried out on the basis of the consent prior to the revocation will not be affected.
If users believe that the processing of their personal data by the OPERATOR is unlawful, they may complain to a regulatory agency. In particular, they may contact the supervisor of their habitual residence, their place of work or the place of alleged infringement. The supervisory authority responsible for the OPERATOR is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, Phone: +49 (0) 30 13889-0, Fax: +49 (0) 30 2155050, Email: [email protected]; www.datenschutz-berlin.de. Further rules on the appeal procedure can be found in Art. 77 EU GDPR.
10. DATA PROTECTION OFFICER
Users can also send suggestions, praise, questions and complaints to the cvlogin data protection officer, accessible at [email protected].