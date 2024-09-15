I. Name and address of the Data Controller

The Data Controller within the meaning of the General Data Protection Regulation and other national data protection laws of member states as well as other data protection provisions is:

corporate benefits GmbH

Schiffbauerdamm 40

10117 Berlin

Germany

Tel. +49 30 - 206 21 66 0

Fax +49 30 - 206 21 66 20

E-mail: info@cb-gmbh.com

Web: https://www.corporate-benefits.de

II. Contact details of the Data Protection Officer

Please be aware that the data protection officer for corporate benefits GmbH is named here in connection with the use of the portal https://apsteam.mitarbeiterangebote.de . For information on the APS privacy officer please visit the corresponding company website.

The Data Protection Officer of corporate benefits GmbH can be reached at:

TÜV Informationstechnik GmbH

Unternehmensgruppe TÜV NORD

IT Security, Business Security & Privacy

Langemarckstrasse 20

45141 Essen

Tel. 0201 - 8999-461

Fax 0201 - 8999-666

e-mail: privacyguard@tuvit.de

III. General Information concerning data processing

2. Extent of processing of personal data

In principle, we collect and use the personal data of our users only to the extent necessary to provide a functional website and to provide our content and services. The collection and use of personal data of our users is carried out on a regular basis only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for practical reasons and the data processing is permitted by law.

3. Legal basis for the processing of personal data

Whenever we obtain the consent of the Data Subject to the processing of his or her personal data, Article 6(1) point a of the European General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

Where the processing of personal data is necessary to perform a contract to which the Data Subject is a party, Article 6(1) point b GDPR serves as the requisite legal basis. This also applies to processing operations required to carry out pre-contractual actions.

Insofar as processing of personal data is required to fulfil a legal obligation to which our company is subject, Article 6(1) point c GDPR serves as the requisite legal basis.

If processing is necessary to safeguard the legitimate interests of our company or of a third party, and if the interests, fundamental rights and freedoms of the Data Subject do not prevail over the interests previously mentioned, Article 6(1) point f GDPR serves as the legal basis for processing.

4. Data deletion and length of storage

The personal data of the Data Subject will be deleted or blocked as soon as the purpose for its storage ceases to exist. In addition, such storage may take place if provided for by the European or national legislator in EU regulations, laws or other regulations to which the Data Controller is subject. Blocking or deletion of data is also carried out whenever a storage period stipulated by the rules mentioned expires, unless there is a need for further storage of the data in order to conclude or perform a contract.

IV. Provision of the website and creation of log files

1. Type and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the visiting computer.

During this process, the following information is collected:

● Information about the type of browser and version used

● The user’s operating system

● The IP address of the user

● Date and time of access

● Other websites accessed by the user's system via our website

Data is also stored in our system's log files. None of this data is stored together with any other personal data of the user.

When a coupon code is generated, we store the following personal data for one year as a safeguard against abuse of the services (such as commercial re-sales):

● Coupon code

● Offer

● The company portal through which coupon code is offered

● First name

● Last name

● E-mail address

● The time the coupon code was generated (date & time)

● The user’s IP address

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is constituted by Article 6(1) point f GDPR.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary to enable the website to be served to the computer of the user. To do this, the user's IP address must be stored for the duration of the session.

Storage in log files takes place, so as to ensure the functionality of the website. In addition, data is used to optimize the website and to ensure the security of our information technology systems. No evaluation of data for marketing purposes is carried out in this context.

For these purposes, our legitimate interest in the processing of data exists pursuant to Article 6(1) point f GDPR.

4. Storage period

Data will be deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data collected for the purpose of provision of the website, this will be the case once the respective session has ended.

Storage is possible. In this case, the IP addresses of users are either deleted or anonymised, so that it is no longer possible to associate them with the visiting client.

In order to prevent abuse, logfiles relating to the creation of coupon codes will be deleted after one year at the latest.

5. Objection and removal options

The collection of data for provision of the website and the storage of data in log files is essential for the website to be operated correctly. For this reason, no objection option is available to the user.

V. Use of cookies

a) Type and scope of data processing

Our website uses "cookies". Cookies are text files that are either stored in the Internet browser itself or are stored on the user's computer system by the Internet browser. Whenever a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be identified uniquely whenever the website is revisited.

We use cookies in order to make our website more user-friendly. Some elements of our website require the calling browser to be re-identified even when a new page is visited.

The following data is stored and transmitted in cookies:

● An ID that enables identification of the user

In addition, on our website we use the services and cookies of Webtrekk GmbH to collect statistical data on website use and to improve our offering accordingly. Webtrekk numbers are used to identify the "Top 5 Offers from Colleagues" on a corporate platform. Webtrekk GmbH is certified for data protection, in the area of ​​Web Controlling Software, by TÜV Saarland.

With each access to the Internet content provided by our portal, some information is collected and evaluated for web controlling purposes; and this will have been transmitted by the user's browser during the registration process. Such collection is carried out by a pixel embedded on each page. The following data is collected:

● Request (file name of the requested file)

● Browser type and version (e.g. Internet Explorer 6.0)

● Browser language (e.g. German)

● Operating system used (e.g. Windows XP)

● internal resolution of browser window

● Screen resolution

● Javascript activation

● Java on/off

● Cookies on/off

● Colour depth

● Referrer URL (the previously visited website)

● shortened IP address for geographical recognition

● Time of access

● Clicks

Webtrekk stores the IP address only in an abbreviated (anonymized) form and uses it only for session detection, for geolocation and to defend against cyber attacks. The IP address is then deleted immediately, so that the data collected becomes anonymous.

Webtrekk uses the following cookies:

● Session cookie (for session detection, lifetime: one session)

Further information can be found on the website of Webtrekk GmbH, Robert-Koch-Platz 4, 10115 Berlin, http://www.webtrekk.com .

b) Legal basis for data processing

The legal basis for the processing of personal data using cookies is Article 6(1) point f GDPR.

c) Purpose of Data Processing

The purpose of the use of technically necessary cookies is to facilitate the use of websites for users. Some features of our website cannot be provided without the use of cookies. For these, it is necessary for the browser to be recognized anew each time a new page is consulted. In detail, the following objectives apply:

e) Period of storage, objection and removal options

Cookies are stored on the user's computer and then transmitted by it to us. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to the full.

VI. Newsletter

1. Type and scope of data processing

On our website you can subscribe to free newsletters. Registration for the monthly newsletter can be done simultaneously with registration. In addition, subscribing to the newsletter is possible at any time in the "My Data" area. During the newsletter registration process, data from the input form will be sent to us:

● Salutation and title

● First name and last name

● Date of birth

● Company postcode

● Company e-mail address

● Password

● Date and time of registration

● Distributor affiliation (company platform)

In addition to monthly newsletters, once registration and login have been completed successfully, you can also subscribe to a special newsletter, which will be sent out at irregular intervals.

For data processing purposes, your consent is obtained during the registration process and reference is made to this privacy declaration.

As regards data processing for the purpose of sending out newsletters, data is passed on to Mapp Digital Germany GmbH, Dachauer Strasse 63, 80335 Munich. Such data is used exclusively to send out newsletters.

To send out newsletters, we supply a data package to mapp with the following personal content:

● E-mail address

● Salutation

● Last name

● Distributor affiliation (company platform & newsletter type)

2. Legal basis for data processing

The legal basis for data processing after the user has registered for the newsletter is in the case of consent of the user Article 6(1) point a GDPR.

3. Purpose of data processing

The user's e-mail address is collected in order to deliver the newsletter.

The collection of other personal data in the context of the registration process serves to prevent misuse of the services or the e-mail address used.

4. Storage period

Data will be deleted as soon as it is no longer needed for the purpose for which it was collected. The e-mail address of the user is therefore stored as long as the subscription to the newsletter is active.

5. Objection and removal options

Subscription to the newsletter may be terminated at any time by the user concerned. For this purpose, a corresponding link to the employee's "My Data" section can be found in each newsletter. Using this link, the employee can unsubscribe from the newsletters.

The "My data" section shows transparently when a monthly newsletter or a special newsletter was ordered or cancelled.

VII. Registration

1. Type and scope of data processing

On our website, we offer users the opportunity to register for our portal by providing personal data. This data is entered into an input form and transmitted to us and stored. No data is transferred to third parties. The following data is collected during the registration process:

● Salutation and title

● First name and last name

● Date of birth

● Postcode

● E-mail address

● Date of birth and newsletter

● Date and time of registration

As part of the registration process, the consent of the user to process this data is obtained. We also save:

● Language preference for multilingual platforms

● Location (web browser if shared by user. The user can also specify location manually)

● Date of registration

● Time stamp registration code

● Registration for the monthly e-mail newsletter with timestamp

● Registration for the special newsletter with timestamp

● Acceptance of the Terms of Use and Privacy Policy

● Linked enterprise platform

● Login with timestamp

● APP Use iOS / Android Yes / No

● Offers saved in watchlist

● Generation of coupon codes

● Storage of coupons

● Content of contact forms

● Content of callback form

● User ratings of offers with timestamp

iOS/Android app

● Access to location (Automatic detection of location / new - send push message, if branch in watch list is nearby)

● Access to camera (scan QR code)

● Receive push messages - New offers Yes / No

● Receive push messages - Expiring offers Yes / No

● Receive push messages - Branch in watch list nearby Yes / No

If this has been activated for your portal, the user has the option of placing classified ads there. In this case, the following data can be specified in order for the advertisem*nt to be created:

● Salutation and title

● First name and last name

● E-mail address

● Phone number

● Address

2. Legal basis for data processing

The legal basis for the processing of the optional data is Art. 6 (1) lit. a GDPR if the user has given his consent. The legal basis for the processing of the data in other respects is Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

User registration is required for the provision of certain content and services on our website. Registration gives the user access to our Employee Offers Platform. The function of this platform is simply to present discount offers. If an employee accepts these offers, he / she will be forwarded directly and anonymously to the chosen provider and thus will enter that provider's area of responsibility. Data collected by external companies on implementation of contracts in relation to employees is processed either by these external companies or their contractual partners. Only on actual purchase of a product does an employee provide the personal data usual at the time of a purchase and in so doing enter into a legal transaction with the provider. At this point, no data is transmitted by us, nor is the provider able to draw any conclusions regarding which company the employee belongs to. None of an employee's activities and purchases will give rise to any personal data processed by our company. Collection of personal data during registration serves the purposes of user identification and contact, customer support, legal proof, marketing and target group analyses and display of user-selected offers.

4. Storage period

Data will be deleted as soon as it is no longer needed for the purpose for which it was collected. This is the case for the data collected during the registration process if a registration on our website is either cancelled or modified.

5. Objection and removal options

As a user, you have the option of cancelling your registration at any time. You can change the data stored about you at any time. You can remove your access account at any time in the "My data" section via the "Delete Access" link and make changes in this area.

VIII. Contact form and e-mail contact

1. Type and scope of data processing

Our website has a contact form available, which you can use to get in touch with us online. Once a user accepts this option, all the data entered into the input form will be transmitted to us and saved. This data consists of:

● Salutation

● First name and last name

● Your e-mail address

● Subject

● and message content

● Browser version

● Operating system

At the time the message is sent, the following data is also stored:

● The IP address of the user

● Date and time of dispatch of e-mail

Alternatively, it is possible to get in touch using the e-mail address provided. In this case, the user's personal data transmitted by e-mail will be stored.

2. Legal basis for data processing

The legal basis for data processing is in the case of consent of the user Article 6(1) point a GDPR.

The legal basis for the processing of the data transmitted in the course of sending an e-mail is Article 6(1) point f GDPR. If the e-mail contact intends to conclude a contract, then an additional legal basis for the processing is Article 6(1) point b GDPR.

3. Purpose of data processing

The processing of personal data from the input form is only used by us to process the contact event. In the case of contact via e-mail, this also includes a necessary legitimate interest in processing the data concerned.

The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Storage period

Data will be deleted as soon as it is no longer needed for the purpose for which it was collected. For personal data from the input form of the contact form and that sent by e-mail, this will be the case when the respective conversation with the user has ended. The conversation is ended once it can be inferred from the circ*mstances that the relevant facts have been conclusively clarified.

5. Objection and removal options

The user has the option at any time to revoke his or her consent to the processing of his or her own personal data. If the user contacts us by e-mail, he or she may object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued.

All personal data stored during the contact event will be deleted in this case.

IX. Disclosure of personal data to third parties

We use an external system from http://salesforce.com Germany GmbH (Registered office: München, Bavaria District court München HRB, 158525, Business address: Erika-Mann-Straße 31-37, 80636 Munich, Germany, Directors: Joachim Wettermark, José Luiz Moura Neto) to process service requests submitted by e-mail or via the Service Portal Forms. Data is stored only within the EU. We have entered into a contract processing agreement with Salesforce and also an additional EU standard contract. Please also note Salesfroce's data protection/privacy policy: https://www.salesforce.com/de/company/privacy/

We store our portal data with our technical service provider: mpex GmbH (Hosting), Werner-Voss-Damm 62, 12101 Berlin.

To determine location, a query is submitted to HERE Germany GmbH. This query does not involve any personal data. Furthermore, the location is artificially “blurred” by intentionally rounding down decimal places in the GPS coordinates.

In addition, data is passed on internally to corporate benefits IT solutions GmbH, Schiffbauerdamm 40, 10117 Berlin (formerly corporate benefits ventures GmbH), for the purpose of providing our services.

X. Rights of the Data Subject

If any personal data of yours is processed, you are the Data Subject within the meaning of the GDPR and you have the following rights in relation to the Data Controller:

1. Right to information

You may ask the Data Controller to confirm if personal data concerning you is being processed by us.

If that is the case, you can request information from the Data Controller about the following data:

(1) the purposes for which the personal data is being processed;

(2) the categories of personal data that is being processed;

(3) the recipients or categories of recipients to whom the personal data relating to you has been disclosed or is still being disclosed;

(4) the planned duration of any storage of personal data concerning you or, if specific information is not available, the criteria for determining the duration of such storage;

(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the Data Controller or a right to object to such processing;

(6) Existence of a right of appeal to a supervisory authority

(7) all available information on the source of the data if the personal data is not collected from the Data Subject;

(8) the existence of automated decision-making, including profiling under Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the Data Subject.

You have the right to request information about whether your personal information is transferred to a third country or an international organisation. In this connection, you can request to be informed about the appropriate guarantees under Article 46 GDPR in connection with the transfer of such data.

2. The right to correction of data

You have a right to correction and / or completion in relation to the Data Controller, if the personal data concerning you is being processed incorrectly or incompletely. The Data Controller must carry out this correction immediately.

3. The right to restricted processing

You may request that the processing of your personal data is restricted, under the following conditions:

(1) if you contest the accuracy of your personal information for a period of time that enables the Data Controller to verify the accuracy of your personal information;

(2) the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data is restricted;

(3) the Data Controller no longer needs the personal data for processing purposes, but you need it in order to assert, exercise or defend legal claims; or

(4) if you have objected to the processing pursuant to Article 21(1) GDPR and it is not yet certain whether the legitimate reasons of the Data Controller outweigh the grounds of your objection.

If the processing of personal data concerning you has been restricted, this data may – apart from their storage - only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of major public interest of the European Union or a Member State.

If the restriction on processing has been restricted in accordance with the above conditions, the Data Controller will inform you before the restriction is lifted.

4. Right to deletion

a) Duty to delete

You may require the Data Controller to delete your personal information without delay, and the Data Controller will be required to delete this information immediately, provided one of the following grounds applies:

(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.

(2) You withdraw your consent on which the processing pursuant to Article 6(1) point a or Article 9(2) point a GDPR was based, and there is no other legal basis for the processing.

(3) You raise an objection to the processing pursuant to Article 21(1) GDPR and there are no prior justifiable reasons for the processing, or else you raise an objection to the processing pursuant to Article 21(2) GDPR.

(4) The personal data concerning you has been processed unlawfully.

(5) The personal data concerning you must be deleted in order to fulfil a legal obligation under European Union law or the law of the Member States to which the Data Controller is subject.

(6) The personal data concerning you was collected in relation to information society services offered pursuant to Article 8(1) GDPR.

b) Passing information to third parties

If the Data Controller has rendered the personal data concerning you public and pursuant to Article 17(1) of the GDPR is subject to a duty to delete it, it shall, taking into account the available technology and implementation costs, take appropriate steps, including the relevant technical methods, to inform the data controllers who process the personal data that you have been identified as being the Data Subject who has requested deletion of all the links to such personal data or the deletion of all copies or replications of such personal data.

c) Exceptions

The right to deletion does not exist if the processing is required

(1) in order to exercise the right to freedom of expression and information;

(2) in order to fulfil a legal obligation that requires processing under European Union or Member State law to which the Data Controller is subject or for the performance of a public-interest or public-authority task transferred to the Data Controller;

(3) for reasons of public interest in the field of public health pursuant to Article 9(2) point h and i and Article 9(3) GDPR;

(4) for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, insofar as the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or

(5) in order to assert, exercise or defend legal claims.

5. Right to information

If you have asserted the right to correction, deletion or restriction of data processing against the Data Controller, he / she is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of the data or restriction of processing: except where this proves to be impossible or involves a disproportionate amount of effort.

In relation to the Data Controller, you have the right to be informed about these recipients.

6. Right to data portability

You have the right to receive personally identifiable information you provide to the Data Controller in a structured, commonly-used and machine-readable format. In addition, you have the right to transfer this data to another Data Controller without hindrance by the existing Data Controller, whereby the said data must be supplied to the former, provided that

(1) the processing is based on consent pursuant to Article 6(1) point a GDPR or Article 9(2) point a GDPR or on a contract pursuant to Article 6(1) point b GDPR and

(2) the processing is carried out using automated procedures.

In exercising this right, you also have the right to ensure that the personal data relating to you is transmitted directly from one Data Controller to another, insofar as this is technically feasible. The freedoms and rights of other persons may not be affected thereby, however.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the Data Controller.

7. Right to object

You have the right at any time, for reasons that arise from your particular situation, to raise an objection against the processing of your personal data, which takes place pursuant to Article 6(1) point e or f GDPR; this also applies to profiling based on these provisions.

The Data Controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, exercising or defending legal claims.

If the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58 / EC, you have the option, in the context of the use of information society services, to exercise your right to object through automated procedures that follow certain technical specifications.

8. Right to withdraw data protection declaration

You have the right to revoke your data protection declaration at any time. The withdrawal of consent should not affect the lawfulness of the processing based on consent prior to the withdrawal.

9. Automated decision on an individual basis including profiling

You have the right not to be subjected to a decision based solely on automated processing - including profiling - that would have some legal effect or would significantly affect you in a similar manner. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the Data Controller,

(2) is permitted by European Union or Member State legislation to which the Data Controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or

(3) is carried out with your express consent.

However, these decisions must not be based on special categories of personal data under Article 9(1) GDPR, unless Article 9(2) point a or g applies and reasonable measures have been taken to protect rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the Data Controller shall take appropriate measures to uphold the rights and freedoms and their legitimate interests, including at least the right to obtain the intervention of a person by the Data Controller, to express his / her own position and to challenge the decision.

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you breaches the GDPR.

The supervisory authority to which the complaint has been submitted must inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

last updated: 07.2021

last updated: 01.2022