Data Privacy Statement
We take the protection of your personal data very seriously and handle your data confidentially and in accordance with the legal regulations for data protection of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (FDPA), as well as this data privacy statement.
With the following information, we offer you an overview of how we process your personal data and your rights.
1. Who is responsible for handling data and who can I contact?
The entity responsible is:
You can reach our data protection officer at:
CCP Certified Compliance Professional (Finance)
2. To whom does this data privacy statement apply?
This data privacy statement applies to all visitors to our website, to customers and interested parties, and to candidates responding to job postings. It also serves as initial information for all individuals whose data we have researched from publicly accessible sources or obtained from business cards.
3. Which data do we use?
In principle, you can visit our website without informing us of your identity, unless you send us an e-mail or a message via a contact form, advertise with us, or wish to use our demo versions. In such cases, we only process the data necessary to answer your query or provide our services. The relevant input form makes it clear which data are collected. The necessary data are marked as mandatory fields. If we ask for further information, this is given voluntarily. We use this information to personalise our offers or to better meet your needs. In all other cases we only use the data that are necessary for making contact.
4. For what purposes and on what legal basis do we use your data?
We process your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and Federal Data Protection Act (FDPA). Please also refer to our information on your right of objection according to Article 21 of the GDPR.
a) For the fulfilment of contractual obligations (Art. 6 Para.1b of the GDPR)
Personal data are processed to produce a contract and to implement pre-contractual measures at your request.
- Provision of our solutions and services
b) In the context of balancing interests (Art. 6 Para. 1f of the GDPR)
Where necessary, we process your data beyond the actual fulfilment of the contract to safeguard our legitimate interests and those of third parties.
- Assertion of legal claims and defence in the event of any legal disputes
- Guarantee of IT security
- For the purpose of direct marketing
- Processing your application
- Answering your query
c) Subject to your consent (Art. 6 Para. 1a of the GDPR)
Provided you give your consent for your personal data to be processed for specific purposes, the lawfulness of this processing is established on the basis of your consent. Consent that has been given can be revoked at any time. Please note that revocation only applies to the future. Any processing of data that occurred before the revocation of consent is not affected.
- Sending out informational material
- In application procedures
- Provision of newsletters: We use the so-called double opt-in procedure for sending out newsletters. This means that we only send you an e-mail newsletter once you have expressly agreed to receive newsletters. The option to directly unsubscribe from these newsletters is included in each newsletter e-mail.
d) Due to legal requirements (Art. 6 Para. 1c of the GDPR) or when in the public interest (Art. 6 Para. 1e of the GDPR)
As a company, we are also subject to various legal obligations (such as the German Commercial Code and Tax Code).
4.1 Data Protection Directive for applications
Please also note our data privacy statement for the application procedure.
The legal basis for processing your personal data in this application procedure is primarily Article 26 of the GDPR in the version applicable as of 25.05.2018. Thereafter, the processing of data shall be permitted only if required in connection with a decision regarding the establishment of a business relationship. If any data should be required after completion of the application procedure or for prosecution, the data may be processed on the basis of the conditions of Article 6 of the GDPR, in particular for safeguarding legitimate interests in accordance with Article 6 Para. 1 f of the GDPR. Our interest is then in the assertion or the defence of claims.
In sending your application, you agree to us storing and processing your data for the purpose of application, job appointment and recruitment. You can revoke this consent and withdraw your application at any time.
We only process the personal data in your application for the purpose of the application procedure and job appointment process. Job appointments are made by the relevant employees of our human resources department in cooperation with departmental managers.
Your data will be deleted six months after completion of your application procedure, unless you agree to your data being stored for a longer period of time, in order to consider you for a future job appointment, for example. In the event of your recruitment, your data will be added to our personnel files.
5. Who receives my data?
Within Carano, access to your data is granted to the departments that require this data to fulfil our contractual and legal obligations or in the context of balancing interests. Service providers and agents employed by us can also be granted access to data for these purposes, so long as they maintain confidentiality and observe our data protection policies. Data will be passed on to third parties exclusively within the framework of the provisions of the GDPR and FDPA.
6. Are data passed on to third countries?
No data will be passed on to countries outside of the EU or the European Economic Area (so-called non-member states).
7. How long will my data be stored for?
We will process and store your personal data so long as these are necessary to fulfil our contractual and legal obligations or in the context of balancing interests. If the data are no longer needed for these purposes, they will be deleted on a regular basis, unless further short-term processing is needed to comply with commercial and tax law retention periods, such as those of the German Commercial Code and Tax Code. The periods of retention or documentation specified in these codes amount to six to ten years.
8. What are my data protection rights?
You have the right of access to data under Article 15 of the GDPR, the right to demand correction of data under Article 16 of the GDPR, the right to have data deleted under Article 17 of the GDPR, the right to restrict the processing of data under Article 18 of the GDPR, the right of appeal under Article 21 of the GDPR, as well as the right to data portability under Article 20 of the GDPR. You also have the right to appeal before a data protection authority (Article 77 of the GDPR in conjunction with Article 19 of the FDPA).
A list of regulatory authorities and their contact details can be obtained via the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
You may revoke any consent given to us for the processing of personal data at any time. Please note that revocation only applies to the future. Any processing of data that occurred before the revocation of consent is not affected. Please also refer to our information on your right of objection according to Article 21 of the GDPR.
To exercise your rights, please use the above-mentioned contact details for our data protection officer.
9. Is there an obligation to provide data?
In the context of our business relationship or the ordering of services, you must provide the personal data necessary for us to conduct the business relationship or provide a service and fulfil related contractual obligations, or the personal data we are legally obligated to collect. Without these data, as a general rule, we must decline completion of the contract or execution of the order, or may no longer be able to carry out an existing contract and may therefore terminate this contract.
10. Is there any automated decision-making such as profiling?
In general, we do not use any fully automated decision-making such as profiling in accordance with Article 22 of the GDPR.
11. Information on your right of objection under Article 21 of the GDPR
a) Right of objection in individual cases
You have the right to file an objection to the processing of your personal data for reasons arising from your particular situation. The precondition for this is that the processing of data is being done in the public interest or on the basis of a balancing of interests. This also applies to profiling. In the event of any objection, we will no longer process your personal data, unless we can prove compelling legitimate grounds for the processing of these data that outweigh your interests, rights and freedoms. Alternatively, your personal data may serve the assertion, exercise or defence of legal claims.
b) Objection to the processing of your data for direct marketing
If your personal data are processed for our direct marketing, you have the right to file an objection to this at any time; this also applies to profiling when this is associated with direct marketing. In the event of an objection, we will no longer process your personal data for these purposes. An objection can be filed in any form and should preferably be directed to the above-mentioned contact details for our data protection officer.
12. Which data are processed in the use of the website?
a) Information related to usage
We receive usage data whenever anyone visits our website. These include information such as the screen resolution, the browser version, the Internet connection, the operating system, the language, the installed plug-in, the origin in terms of country/region, and the search engine. The stored data are analysed for statistical purposes and to optimise our web pages. Data are not passed on to third parties and no user-related analysis is carried out. We also store the connection data related to our website (IP addresses) for a short period of a few days to ensure IT security.
So-called session cookies are used when visiting individual web pages to facilitate navigation. These cookies expire once the session has ended and contain no personal data, which means that the contents of the cookies are not subject to user-related analysis. You can configure your browser to forbid cookies or only allow cookies in individual cases.
Cookies that are necessary to communicate electronically or to provide certain functions are stored on the basis of Article 6 Para. 1f of the GDPR. In this case, cookies are stored so that we can provide our services without technical issues and in an optimised manner. The functionality of our website may be restricted through the deactivation of cookies.
13. How safe are my data?
To protect the personal data of our customers and prospective customers, we use a safe online transmission protocol: so-called “Secure Socket Layer” (SSL) transmission. All information transmitted with this safe protocol is encrypted before it is sent. Your personal data are only processed by data centres and computers protected by industry standard security technology (such as firewalls, password protection, and access controls).
14. What plugins and tools are used on the website?
a) Google Analytics
We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. The full IP address is only transmitted to a Google server in the USA and shortened there in exceptional cases. The IP address transmitted from the browser of the user is not merged with any other data from Google. The user can prevent cookies from being stored by changing the appropriate settings in their browser software. The transmission to Google of data generated by the cookie and related to the use of the online service, as well as the processing of these data by Google, can be prevented by downloading and installing the browser plugin available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
b) Social Plugins
Our web pages may contain so-called social plugins (“plugins”) for the social networks facebook.com, twitter.com, xing.com, linkedin.com, pinterest.com, addthis.com, reddit.com and plus.google.com.
To improve the safety of your data during visits to our website, plugins are embedded in the web pages using the so-called “2-click” or “Shariff” solutions. This method of embedding plugins ensures that no connection is established with the servers of Facebook, Twitter, Xing, LinkedIn, Pinterest, AddThis, Reddit or Google when loading a website containing such plugins. Only once you activate the plugins and thereby agree to the transmission of data does your browser establish a direct connection with the servers of Facebook, Twitter, Xing, LinkedIn, Pinterest, AddThis, Reddit and Google+. The content of each plugin is directly transmitted to your browser and embedded in the web page. The plugin then transmits data (including your IP address) to the providers of the social networks in question. We have no influence over the volume of the data that the social networks gather with the help of the plugin. To our knowledge, Facebook, Twitter, Xing, LinkedIn, Pinterest, AddThis, Reddit and Google+ at least obtain information on which of our web pages you are currently visiting and have previously visited. When the plugin is loaded, Facebook, Twitter, Xing, LinkedIn, Pinterest, AddThis, Reddit and Google+ also receive the information that your browser has loaded the relevant page of our website, even if you have no account with the corresponding social networks or are not currently logged in to your account. This information (including your IP address) is transmitted by your browser directly to a server of the providers of Facebook, Twitter, LinkedIn, Pinterest, AddThis, Reddit and Google+ in the USA and stored there. In the case of Xing, the data are stored in Germany. The information may be published on the respective social networks and your contacts displayed there.
For the purpose and scope of data collection and the further processing and use of data by the mentioned social networks, as well as your corresponding rights and configuration options related to the protection of your privacy, please refer to the data protection information under:
www.facebook.com/policy.php, https://twitter.com/privacy, www.google.com/intl/de/+/policy/+1button.html, www.xing.com/privacy, www.linkedin.com/legal/privacy-policy, https://about.pinterest.com/de/privacy-policy, www.addthis.com/privacy/privacy-policy, www.reddit.com/help/privacypolicy
If you are registered with a social network and would like to restrict the collection of data by our website as well as the merging of your user data with the data on you stored by the respective social network, you should log out of your social network account before visiting our website.
Our website uses plugins of the Google-operated site YouTube. The operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit one of our pages with an embedded YouTube plugin, a connection is established with YouTube servers. The YouTube servers are thereby informed which of our pages you have visited. If you are logged in to your YouTube account, you allow YouTube to directly assign your browsing behaviour to your personal profile. You can prevent this by logging out of your YouTube account. Further information on the handling of user data can be found in YouTube’s data privacy statement: https://www.google.de/intl/de/policies/privacy
d) Google AdWords Remarketing
Our website uses the functions of Google AdWords Remarketing, which we use to advertise our website in Google search results and on third-party websites. The provider is Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). For this purpose, Google places a cookie in the browser of your end device, which automatically enables interest-based advertising through the use of a pseudonymous cookie ID and on the basis of websites you have previously visited. Processing is carried out on the basis of our legitimate interest in the optimal marketing of our website in accordance with Article 6 Para. 1 f of the GDPR.
Any further data processing only takes place if you have agreed to Google linking your Internet and app browsing history with your Google account, and using information from your Google account to personalise advertisements that you see on the Internet. If you are logged in to Google while visiting our website, Google will use your data together with Google Analytics data to generate and define target group lists for remarketing across all platforms and devices. This means that Google will temporarily combine your personal data with Google Analytics data to generate target groups.
You can permanently deactivate the placement of advertising cookies by downloading and installing the browser plugin available via the following link: https://www.google.com/settings/ads/onweb/. Alternatively, you can read up on the placement of cookies with the Digital Advertising Alliance at the address www.aboutads.info and make corresponding adjustments to settings. Finally, you can configure your browser so that you are informed about the placement of cookies and can individually decide whether to accept or reject them, or to allow the placement of cookies in certain cases or generally reject their use. The rejection of cookies can restrict the functionality of our website. Google LLC located in the USA is certified for the EU–US Privacy Shield, a data protection agreement that ensures compliance with the level of data protection applicable in the EU. Further information and the data protection regulations regarding advertising and Google can be viewed here: http://www.google.com/policies/technologies/ads/
15. Links to websites of other providers
Our website may contain, for additional information, links to websites of other providers, whose compliance with data protection and safety regulations we have no influence over. Our data protection statement therefore does not extend to these websites.
As of 05-2018