Thank you for your interest in our company. CITO‑SYSTEM GmbH values data protection highly. CITO‑SYSTEM GmbH's website(s) may, in principle, be used without any provision of personal data. If a data subject wishes to make use of particular services of our company via our website, it could, however, be necessary to process personal data. If the processing of personal data is required and there are no legal grounds for such processing, we will generally obtain the consent of the data subject.
The processing of personal data, such as the name, address, email address or telephone number of a data subject, shall always be carried out in accordance with the General Data Protection Regulation and in accordance with the country-specific data protection regulations as applicable for CITO‑SYSTEM GmbH. Via this privacy statement, our company seeks to inform the public about the nature, scope and purpose of the collected, used and processed personal data. In addition, this privacy statement will inform data subjects of their rights.
CITO‑SYSTEM GmbH, as the data controller, has implemented technical and organisational measures in order to protect the personal data processed via this website, such that the protection is as seamless as possible. In principle, however, the transmission of data via the internet can lead to security gaps, so that absolute protection cannot be guaranteed.
In this privacy statement, we use the following terms, amongst others:
a) Personal Data
"Personal Data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "Data Subject"). A natural person is considered to be identifiable, directly or indirectly, in particular by means of assignment to an identifier, such as a name, an identification number, location data, Online ID or one or more specific characteristics.
b) Data Subject
The "Data Subject" is any identified or identifiable natural person whose Personal Data is processed by the Data Controller.
"Processing" means any operation or set of operations performed with or without the help of automated procedures, in connection with Personal Data, such as collection, obtention, storage, changing, use, distribution or any other form of provision, deletion or destruction.
d) Restriction of Processing
"Restriction of Processing" is the marking of stored Personal Data with the aim of limiting its Processing in the future.
e) Controller, or Data Controller
The "Controller", or the "Data Controller" is the natural or legal person, public authority, agency or other body which decides – alone or jointly with others – on the purposes and means of Processing the Personal Data.
A "Processor" is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
A "Recipient" is a natural or legal person, public authority, agency or other body to whom the Personal Data is disclosed, regardless of whether it is a third party or not.
h) Third Party
A "Third Party" is a natural or legal person, public authority, agency or other body apart from the Data Subject, the Controller, the Processor and persons who are under the direct responsibility of the Controller or the Processor and are authorised to process the Personal Data.
"Consent" means any informed and unequivocal expression of will, voluntarily submitted for the specific case by the Data Subject, in the form of a declaration or any other unambiguous affirmative action, where the Data Subject makes it understood that he/she agrees to the processing of the Personal Data.
2. Name and address of the Data Controller
The Controller in the sense of the General Data Protection Regulation and of other data protection provisions of legal character is:
Haimendorfer Straße 37 + 46
90571 Schwaig bei Nürnberg
3. Name and address of the Data Protection Officer
The Data Protection Officer of the Data Controller is:
a.s.k. Datenschutz e.K.
Any Data Subject can approach our Data Protection Officer at any time with any questions or suggestions with regard to data protection.
The Data Subject can prevent the placement of cookies by our website at any time by means of a corresponding setting of the internet browser being used, and thus permanently reject the placement of cookies. Furthermore, cookies which have already been placed may be deleted at any time, via an internet browser or other software program. This is possible on all popular internet browsers. If the Data Subject disables the placement of cookies in the internet browser used, he/she may not be able to use all the features of our website.
5. Collection of general data and information
Each time a Data Subject or an automated system accesses CITO‑SYSTEM GmbH's website, some general data and information is collected. This general data and information is saved in the log files of the server. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system arrived at our website (the "referrer"), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of accessing the website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system and (8) other related data and information, which serve to aid security in the event of attacks on our information technology systems.
In using this general data and information, CITO‑SYSTEM GmbH does not draw conclusions regarding the Data Subject. Rather, this information is needed in order to (1) correctly deliver the content of our website, (2) optimise the content of our website and the advertising for it, (3) ensure the long-term functional capability of our information technology systems and the technology of our website and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. This anonymous data and information collected will be evaluated statistically by CITO‑SYSTEM GmbH and also with the aim of increasing the level of data protection and data security in our company and, ultimately, to ensure an optimal level of protection for Personal Data processed by us.
6. Registration on our website
The Data Subject has the option of registering on the Data Controller's website, by giving Personal Data. Which Personal Data is transmitted to the Data Controller is derived from the respective input mask used for the registration process. The Personal Data entered by the Data Subject is collected and stored exclusively for internal use by the Data Controller and for our own purposes. The Data Controller may authorise transfer to one or more Processors – for example, a parcel service – who will likewise use the Personal Data exclusively for internal use, which is attributable to the Data Controller.
By registering on the Data Controller's website, the IP address assigned by the Internet Service Provider (ISP) of the Data Subject is saved, as well as the date and the time of registration. This data is stored against the backdrop of this being the only way of preventing abuse of our services, where this data enables crimes to be investigated if need be. In this respect, the storage of this data is required for the purpose of protecting the Data Controller.
The registration of the Data Subject following the voluntary disclosure of Personal Data is used by the Data Controller to offer the Data Subject content or services which, due to the nature of the matter, can only be offered to registered users. Registered persons have the option of modifying the Personal Data given upon registration at any time, or of having it completely deleted from the Data Controller's database at any time.
The Data Controller shall provide each Data Subject – at any time upon request – information about what Personal Data is stored regarding the Data Subject.
7. Subscription to our newsletter
On the CITO‑SYSTEM GmbH website, users are given the option of subscribing to the newsletter of our company. The input mask used determines which Personal Data is communicated to the Data Controller when subscribing to the newsletter.
CITO‑SYSTEM GmbH keeps its customers and business partners informed of the products/services available from the company at regular intervals, by means of a newsletter. Our company's newsletter can be received by the Data Subject only if (1) the Data Subject has a valid email address and (2) the Data Subject is registered for the newsletter. By way of a double opt-in procedure, a confirmation email will be sent for legal reasons to the Data Subject, to the email address given for receipt of the newsletter. This confirmation email is used to check whether the holder of the email address has authorised the receipt of the newsletter as the Data Subject.
When subscribing to the newsletter, we also store the IP address (assigned by the Internet Service Provider (ISP)) of the computer system used by the Data Subject at the time of registration, as well as the date and time of the registration. The collection of this data is required so as to be able to prove – at a later date – the (possible) abuse of the email address of a Data Subject, and therefore serves as a legal safeguard for the Data Controller.
Personal Data collected in the context of a registration for the newsletter will only be used to send you our newsletter. Subscribers to the newsletter may also be informed by email if this is necessary for the operation of the newsletter service or for registration in this respect, as could be the case of changes to the newsletter offering or a change in the technical conditions. The Personal Data collected within the framework of the newsletter service will not be transferred to third parties. Subscription to our newsletter may be cancelled at any time by the Data Subject. Consent to the storage of Personal Data sent by the Data Subject for the purpose of the dispatch of newsletters may be revoked at any time. Every newsletter contains a link enabling the revocation of consent.
8. Newsletter tracking
CITO‑SYSTEM GmbH's newsletters contain so-called "web bugs". A web bug is a thumbnail graphic embedded into such emails sent in HTML format, so as to enable log-file recording and log-file analysis. This allows for the statistical evaluation of the success or failure of online marketing campaigns. On the basis of the embedded web bugs, CITO‑SYSTEM GmbH can detect whether and when an email is opened by a Data Subject, and which links located in the email are accessed by the Data Subject.
Personal Data of this type, collected via the web bugs contained in the newsletters, will be stored by the Data Controller and evaluated in order to optimise the dispatch of newsletters and to better adapt the content of future newsletters to the interests of the Data Subject. This Personal Data will not be disclosed to Third Parties. Data Subjects are entitled – at any time – to revoke the separate declaration of consent submitted in this respect via the double opt-in procedure. Suspending the receipt of the newsletter is automatically deemed by CITO‑SYSTEM GmbH to be a revocation.
9. Contact via the website
As a result of statutory provisions, CITO‑SYSTEM GmbH's website contains information which enables rapid electronic contact with our company, as well as a direct communication with us, which likewise includes a general address for electronic mail (email address). Insofar as a Data Subject contacts the Data Controller via email or via a contact form, the Personal Data communicated by the Data Subject will be automatically stored. Personal Data communicated by the Data Subject to the Data Controller in this manner will be stored for the purposes of processing or for contacting the Data Subject. This Personal Data will not be transferred to Third Parties.
10. Routine deletion and blocking of Personal Data
The Data Controller shall process and store the Personal Data of the Data Subject only for the period of time that is required to achieve the aim of the storage, or if envisaged by the European body issuing directives and regulations, or by another legislator of laws or regulations, to which the Data Controller is subject.
11. Rights of the Data Subject
a) Right to confirmation
Each Data Subject has the right – granted by the European body issuing directives and regulations – to demand from the Data Controller confirmation of whether Personal Data is being processed.
b) Right to information
Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to receive information from the Controller (at any time and free of charge) about the Personal Data stored regarding his/her person and a copy of this information.
c) Right to correction
Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to demand the correction of incorrect Personal Data relating to him/her.
d) Right to deletion
Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to demand that the Controller delete the relevant Personal Data, insofar as one of the following reasons is applicable and to the extent that Processing is not required:
- The Personal Data was collected (or otherwise processed) for purposes which are no longer required.
- The Data Subject revokes his/her consent to Processing according to Article 6(1a) GDPR or Article 9(2a) GDPR, and there is a lack of any legal grounds for the Processing.
- The Data Subject, in accordance with Article 21(1) GDPR, objects to the Processing, and there are no prevailing legitimate reasons for the Processing, or the Data Subject, in accordance with Article 21(2) GDPR, objects to the Processing.
- The Personal Data has been processed unlawfully.
- The Personal Data is to be deleted in order to fulfil a legal obligation, in accordance with EU law or the law of the Member States to which the Controller is subject.
e) Right to the Restriction of Processing
Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to demand a Restriction of Processing by the Controller, if any of the following conditions exist:
- The accuracy of the Personal Data is disputed by the Data Subject; this dispute must be for a period of time which allows the Controller to verify the accuracy of the Personal Data.
- The Processing is unlawful, the Data Subject rejects the deletion of Personal Data and requires instead the restriction of the use of the Personal Data.
- The Controller no longer requires the Personal Data for Processing purposes, whilst the Data Subject, however, requires it for the assertion, exercise or defence of legal claims.
- The Data Subject has objected to the Processing in accordance with Article 21(1) of GDPR and it is still not clear whether the legitimate reasons of the Controller prevail over those of the Data Subject.
f) Right to data portability
Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to receive the Personal Data concerning him/her, as provided by the Data Subject to a Controller, in a structured, common and machine-readable format. In addition, that Data Subject has the right to communicate this data to any other controller without interference from the Controller to whom the Personal Data were provided, insofar as the Processing is performed based on Consent pursuant to Article 6(1a) GDPR or Article 9(2a) GDPR or on a contract in accordance with Article 6(1b) GDPR, and the Processing is carried out using automated procedures, unless the Processing is necessary for the performance of a task in the public interest or in the exercise of public authority, where such authority has been transferred to the Controller.
g) Right to revocation of Consent under data protection legislation
Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to revoke Consent to the Processing of Personal Data relating to him/her at any time.
12. Data protection rules regarding the deployment and use of Google Analytics (with anonymisation function)
The Data Controller has integrated the Google Analytics component (with anonymisation function) into this website. Google Analytics is a web analytics service. Web analytics is the gathering, collection and analysis of data about the behaviour of visitors to websites. Web analysis is primarily used to optimise a website and undertake a cost-benefit analysis of internet advertising.
The operator of Google Analytics is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
The Data Controller uses the suffix "_gat._anonymizeIp" for web analytics using Google Analytics. By using this suffix, the IP address of the internet connection of the Data Subject is abbreviated and anonymised by Google, when access to our websites is from a Member State of the European Union or of another state which is party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is the analysis of the flows of visitors to our website. Google uses the collected data and information, among other things, to evaluate the use of our website, so as to compile online reports for us, covering activities on our website, and to provide other services connected to the use of our website.
Google Analytics places a cookie on the IT system of the Data Subject. What "cookies" are is explained above. By placing the cookies, Google can analyse the use of our website. Upon accessing each individual page of this website, which is operated by the Data Controller and on which a Google Analytics component has been integrated, the internet browser of the IT system of the Data Subject is automatically triggered (by the respective Google Analytics component) into transferring data to Google for the purpose of online analysis. In the context of this technical process, Google becomes cognisant of Personal Data, such as the IP address of the Data Subject. Such data allows Google, among other things, to trace the origin of the visitors and of the clicks, and to effect commission settlement as a result.
Using cookies, personal information is stored, for example, the time of access, the location of access and the frequency of visits to our website by the Data Subject. Each time you visit our website, this Personal Data, including the IP address of the internet connection used by the Data Subject, is shared with Google in the United States of America. This Personal Data is stored by Google in the United States of America. Google may transfer the Personal Data gathered to Third Parties using technical processes.
The Data Subject can prevent the placement of cookies by our website at any time (as explained above) by means of a corresponding setting of the internet browser being used, and thus permanently reject the placement of cookies. Activating such settings of the internet browser used would also prevent Google from placing a cookie on the IT system of the Data Subject. In addition, a cookie which has already been placed by Google Analytics may be deleted at any time via the internet browser or other software programs.
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Disable Google Analytics.
More information and the applicable data protection provisions of Google can be retrieved at policies.google.com and www.google.com. Google Analytics is explained in more detail at this link: www.google.com.
13. Our presence on social media
Data processing by social networks
Social networks such as LinkedIn can usually analyse your user behaviour extensively when you visit their website or a website with integrated social media content (e.g. like buttons or ad banners). Visiting our social media sites triggers numerous processes that are relevant for data protection, in detail:
If you are logged into your social media account and visit our social media site, the operator of the social media portal can assign this visit to your user account. Your personal data may also be collected even if you are not logged in or if you do not have an account with the relevant social media portal. This data collection then takes place via cookies, for example, which are saved on your terminal device or by collecting your IP address.
The operator of the social media portal can create user profiles in which your preferences and interests are saved with the help of the data collected in this way. You can thus be shown interest-related ads both within and outside the social media site. We kindly ask you to note that we are not able to track all processing activities on the social media portals.
Our social media sites should guarantee the widest possible presence on the web. This is a legitimate interest within the meaning of point (f) of Art. 6 (1) GDPR. The analysis processes initiated by the social networks may be based on different legal grounds, which have to be specified by the operators of the social networks (e.g. consent within the meaning of point (a) of Art. 6 (1) GDPR).
Controller and exercise of rights
When you visit one of our social media sites, we are responsible for the data processing activities triggered by this visit together with the operator of the social media platform. You can exercise your rights (access, rectification, erasure, restriction of processing, data portability and complaint) vis-à-vis ourselves or the operator of the respective social media portal.
Please note that despite our joint responsibility together with the operators of the social media portals, we do not have full control over the data processing activities of the social media portals.
The data that we collect directly via the social media sites is deleted by our systems as soon as you ask us to delete it, you revoke your consent to its storage or its storage is no longer necessary. Saved cookies remain on your terminal device until deleted by you. Compelling statutory regulations – in particular storage periods – remain unaffected. We have no influence over the storage period for your data that is saved by the operators of the social networks for their own purposes.
Social networks in detail
We have a profile with Google+. The provider is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA. Google is certified in accordance with the EU-US Privacy Shield:
You can configure your own ad settings in your user account. To do so, click the following link and log in:
We have a profile with LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn is certified in accordance with the EU-US Privacy Shield: LinkedIn uses advertising cookies.
Please use the following link if you wish to deactivate LinkedIn advertising cookies:
14. Legal grounds for the Processing
Article 6(1a) GDPR serves as legal grounds for our company for Processing operations, whereby we obtain consent for a specific Processing purpose. If the Processing of Personal Data is required for the performance of a contract to which the data subject is party, for example, in the case of processing operations required for the delivery of goods or the provision of any other service or performance, then the Processing is based on Article 6(1b) GDPR. The same applies for such Processing operations which are required for the implementation of pre-contractual measures, such as in the case of requests for our products or services. If our company is subject to a legal obligation by which any processing of Personal Data is required, for example in order to fulfil tax obligations, then the Processing is based on Article 6(1c) GDPR. Finally, Processing may be based on Article 6(1f) GDPR. Processing operations have their legal grounds in the latter where none of the aforementioned legal grounds apply, if Processing is required in order to maintain a legitimate interest of our company or a Third Party, provided that the interests, fundamental rights and freedoms of the Data Subject do not prevail. Such Processing operations are permitted in particular when the European legislators have mentioned them especially. The legislator has taken the view that a legitimate interest could be assumed, if the Data Subject is a customer of the Controller (Recital 47 Sentence 2 of the GDPR).
15. Legitimate interests in respect of Processing pursued by the Controller or a Third Party
Where the Processing of Personal Data is based on Article 6(1f) GDPR, then our legitimate interest is in the implementation of our business activities in favour of the welfare of all our employees and our shareholders.
16. Duration for which Personal Data is stored
The criterion for the duration of the storage of Personal Data is the respective statutory retention period. After expiry of the period, the relevant data is routinely deleted if no longer required for the fulfilment of the contract or for contract negotiations.
17. Statutory or contractual provisions regarding the provision of Personal Data; necessity for conclusion of contract; requirement of the Data Subject to provide the personal data; possible consequences of non-provision
We hereby clarify that the provision of Personal Data is in part required by law (for example, tax regulations) or may also arise from contractual arrangements (e.g. information regarding the contract partner). Sometimes it may be necessary – for the purposes of contract conclusion – that a Data Subject provides us with Personal Data which must then be processed by us. The Data Subject is, for example, obliged to provide us with Personal Data, if our business enters into a contract with him/her. The non-provision of Personal Data would result in the contract not being concluded with the Data Subject.