We are pleased that you are interested in our company and our products and services and would like you to feel secure when visiting our website with regard to the protection of your personal data. We want you to know when we store which data and how we use it. We are subject to the provisions of the European General Data Protection Regulation (GDPR) and the supplementary regulations of the German Federal Data Protection Act (FDPA). To ensure that the regulations on data protection are observed both by us and by service providers commissioned by us, we have taken appropriate technical and organizational measures.
This data protection information applies to our online offers. This includes our websites, their functions and content as well as external online presences, such as our presences in social media. This general data protection information also serves to inform you about further processing of your personal data and our fulfillment of the information obligations towards you.
The terms used in this privacy notice, such as data controller or personal data, are used in accordance with the definitions of the GDPR. For reasons of readability and thus also in the sense of a comprehensible provision of information, the naming of individual articles, paragraphs or the like is generally omitted.
The responsible party within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is the
79108 Freiburg im Breisgau
Phone: +49 761 557769-0
Data protection officer
The responsible party has appointed a data protection officer. His contact details are
Bechtle GmbH IT System House Freiburg
79108 Freiburg im Breisgau
For questions, suggestions or comments on the subject of data protection and to enforce your rights listed below, please contact our data protection officer.
General information on data processing
Legal basis for the processing of personal data
Within the framework of data protection law, the processing of personal data is generally not permitted unless there is a legally permissible reason for processing. We are obliged to inform you about the legal basis for data processing.
If we obtain your consent for processing operations of personal data, this serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which you are a party, the performance of the contract serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as processing of personal data is necessary for compliance with a legal obligation to which we are subject, this serves as the legal basis.
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, this serves as the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and if these interests, your fundamental rights and freedoms do not override, this serves as the legal basis for the processing.
Data transfer to third countries
The GDPR ensures a uniformly high level of data protection within the European Union (EU) and the European Economic Area (EEA). When selecting our service providers and cooperation partners, we therefore rely on European partners wherever possible if your personal data is to be processed.
If we have your data processed in a third country – i. e. outside the EU/EEA – this is always done in accordance with the legal requirements.
In addition to your express consent or contractually or legally required transfer, we only have your data processed in third countries with a recognized level of data protection, through a contractual obligation by so-called standard contractual clauses of the EU Commission, in the presence of certifications or binding corporate rules.
Existence of automated decision making
We do not use automated decision making.
Recipients of the data / categories of recipients
Within our company, we ensure that only those persons receive your data who need them to fulfill contractual and legal obligations.
In some cases, we use carefully selected external service providers to process your data. If data is passed on to service providers to be processed on our behalf, this is done within the framework of the requirements of the GDPR. Our processors are carefully selected, bound by our instructions and are checked at regular intervals. We only commission processors who offer sufficient guarantees that appropriate technical and organizational measures are taken in such a way that the processing is carried out in accordance with the requirements of GDPR and FDPA and ensures the protection of your rights.
Disclosure of personal data to third parties
As a matter of principle, we do not pass on any personal data to third parties without your express consent. If, in the course of processing, we nevertheless disclose your data to third parties, transmit it to them or otherwise grant them access to the data, this will also take place exclusively on the basis of one of the aforementioned legal grounds.
For example, we transmit data to payment service providers or suppliers if this is necessary for the performance of the contract. If we are obliged to do so by law or by court order, we must transfer your data to the respective authorities entitled to receive the information.
Use of our online services
In principle, you can use our online services without disclosing your identity. In this section, we explain when and in what context we process data when you use our online offers, which offers from service providers we have implemented, how they work and what happens to your data.
Our offer is basically aimed at adults. Persons under 16 years of age may not transmit any personal data to us without the consent of their parents or legal guardians.
To protect your transmitted data in the best possible way, we use a so-called transport encryption. To ensure the security of your data during the transmission process, we use a state-of-the-art SSL/TLS encryption process.
Data collection when visiting our websites
If you use our websites for information purposes only, i. e. you do not register for an offer, conclude a contract with us or otherwise disclose information to us, we only collect the personal data that your browser transmits to our servers.
When you call up our websites, we collect the following data, which is technically necessary for us to be able to display our websites to you and to ensure stability and security:
- IP address of the visitor
- Date and time of the request
- Content of the request (specific page)
- access status/HTTP status code
- amount of data transferred in each case
- Website from which the request comes
- Operating system of the visitor
- Language and version of the browser software
This data is temporarily stored in the log files of our system for a maximum of seven days. Storage beyond this period is possible, but in this case the IP addresses are shortened or alienated so that it is no longer possible to assign the calling client. In this context, the log files are not stored together with other personal data relating to you. The legal basis for these processing operations is our legitimate interest.
Since the collection of data to display the websites and the storage of the data in log files is absolutely necessary for the operation of our websites and the maintenance of IT security, you have no possibility to object in this respect.
Inquiries to us
If you send us an inquiry via our website – for example, by using the contact form – your personal data will be processed in order to respond to your inquiry.
In addition to the previously mentioned data, cookies are stored on your terminal device when you use our websites. Cookies are data records that can be sent from a website to the browser, which stores them and sends them back again. Different data can be stored in cookies, which are read by the body that sets the cookie. They usually contain a characteristic string of characters (ID) that enables the browser to be uniquely identified when the website is called up again or when a page is changed. Their primary purpose is to make our online services more user-friendly and effective overall. The user data collected in cookies is pseudonymized by technical precautions, which means that it is generally no longer possible to assign the data to a specific user. Insofar as an identifiability is given, such as in the case of a login cookie, whose session ID is necessarily linked to the user’s account, we will point this out to you at the appropriate place.
We use different types of cookies:
- So-called “session cookies”, these are cookies that are deleted after you leave our online offer and close the browser. In such cookies, for example, language settings or the contents of a shopping cart are stored.
- “Permanent cookies”, remain stored even after the browser is closed. For example, the login status or entered search terms can be stored. We use such cookies for range measurement or marketing purposes, among other things. Persistent cookies are automatically deleted after a specified period of time, which may differ depending on the cookie. However, you can delete these cookies at any time using your browser.
In addition to so-called “first-party cookies” that are set by us as the data controller, “third-party cookies” that are offered by other providers, are also used.
- So-called “first-party cookies” are set by us as the data controller: The legal basis for the processing of your personal data here is our legitimate interest.
- External service providers who perform web tracking or reach measurements for us, for example, may also set cookies. The legal basis for the processing of your personal data is your consent.
Information about services used
Cookie Management Tool
We use a cookie management tool. This allows you to manage the cookies we use as well as the consents you have given, to find out more information about data processing using cookies and to view the purpose and storage period of the cookies used.
Information on data processing by third parties
If you have given your consent, Google Analytics is used on this website. This is a web analytics service provided by Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland, (hereinafter referred to as Google). This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyze the activities of a user across devices.
We have extended Google Analytics on this website with a so-called IP anonymization to ensure only a shortened collection and transmission of IP addresses. The IP address transmitted by your browser as part of Google Analytics is not merged with other data from Google. However, we would like to expressly point out at this point that Google generally processes data for its own purposes, in particular also for the purpose of providing its web analysis and tracking service. Within the scope of Google Analytics, further usage data is collected that is to be assessed as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example.
The following usage data is evaluated on our site by Google Analytics:
- Frequency of page views
- Number of users
- Bounce rate (page is closed again after a page view)
- Session duration (average duration of all users)
- Country from which the website was accessed
- Use of website functions
- Which page is visited how often
- From which website the user comes
- From which region the user comes
- Device and device category with which the user accesses our website
On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity for our website operators.
The legal basis for the use of Google Analytics is your voluntarily given consent.
Recipients / categories of recipients
The recipients / categories of recipients of the collected data can be found in our Cookie Management Tool.
Duration of data storage
You can find out how long the cookies are stored on your terminal device from our Cookie Management Tool.
We integrate the videos stored on YouTube using a so-called two-click solution. This means that when you call up a page in which a video is embedded, the video is initially deactivated and thus not loaded. Only after we have received your consent, the corresponding video is loaded.
The integration of YouTube content takes place in the so-called extended data protection mode. YouTube provides this mode and thus ensures that no cookies are stored on your device. However, when you call up the relevant pages, the data mentioned above under Data collection when visiting our websites is transferred. This information cannot be assigned to you, however, unless you have logged in to YouTube or another Google site before accessing the page or are permanently logged in. We would like to point out at this point that Google processes this data worldwide and therefore a third country transfer also takes place.
The legal basis for the use of YouTube is your voluntarily given consent.
Online services in social media
We offer online services on various platforms in order to provide information there and to be able to contact you.
We have no influence on the processing of personal data by the respective platform operator. As a rule, when you visit our offers there, cookies are stored in your browser by the platform operator, in which your usage behavior or interests are stored for market research and advertising purposes.
The usage profiles obtained in this way – usually across devices – are used by the platform operators to display personalized advertising to you. Data processing may also affect persons who are not registered as users with the respective platform. Under certain circumstances, your data may be processed outside the area of the European Union, which may make it more difficult to enforce your rights. However, when selecting such platforms, we make sure that the operators undertake to comply with EU data protection standards.
The processing of your personal data when visiting one of our offers on social media is based on our legitimate interests in a diverse external presentation of our company and the use of an effective information opportunity and communication with you.
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Agreement on the joint processing of personal data in accordance with the requirements of the GDPR.
XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany.
Commercial and business services
We process data of our contractual and business partners, e.g., suppliers, customers and interested parties (hereinafter referred to as business partners) within the scope of contractual or comparable legal relationships as well as related measures and within the scope of communication with our business partners.
We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of related administrative tasks as well as our business organization. We disclose the data of our business partners to third parties within the framework of applicable law only to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the data subjects (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Contractual partners will be informed about other forms of processing, e.g. for marketing purposes, as part of this data protection notice.
We inform our business partners which data is required for these purposes before or in the course of data collection or personally.
Deletion of data and storage period
As soon as the purpose for processing ceases to apply, we delete or block your personal data. However, data may be stored beyond this period if this is required by legal regulations to which we are subject. This applies in particular to data that must be retained for legal archiving reasons (e.g. for commercial law reasons usually for 6 years or for tax law reasons usually for 10 years).
Inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contract data (e.g. subject of contract, term)
Purposes of processing:
Provision of contractual services and customer service, contact requests and communication, internal organizational procedures, administration and response to requests
Contract performance/pre-contractual inquiries, Legal obligation, legitimate interests
If you purchase goods or services from us and provide your e-mail address, we reserve the right to use it for sending newsletters with direct advertising for our own similar goods or services. This serves to protect our legitimate interests in addressing our customers in an advertising manner, which are outweighed in the context of a balancing of interests. You can object to this use of your data at any time via the unsubscribe link in the advertising e-mail, without incurring any costs other than the transmission costs according to the basic rates. Insofar as the newsletter is sent on the basis of the sale of goods or services, we refer to the provisions of the Unfair Competition Act (UWG).
Right to object (Opt-Out)
You can object to receiving our newsletter at any time. You will find a link to cancel the newsletter either at the end of each newsletter or you can otherwise use one of the contact options given above, preferably by e-mail, for this purpose.
In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist for this purpose alone.
When you apply for a job with us, the data you provide – such as your contact details and qualifications – will be used exclusively to process the application procedure.
We use an online application portal to organize applications. When using this online portal, the following personal data is processed (title, first name, last name, street and house number, postal code and city, e-mail address, telephone/mobile number, free field for application letters, attachment upload for application letters and documents). The transmission of the data is encrypted.
Your data will be forwarded internally to the responsible department heads. We process your personal data for the purpose of your application for an employment relationship, insofar as this is necessary for the decision on the establishment of an employment relationship with us.
Furthermore, we may process personal data about you insofar as this is necessary for the defense of asserted legal claims against us arising from the application process.
Your data will generally be deleted 6 months after completion of the application process, unless otherwise agreed with the applicant (see, among other things, inclusion in the applicant pool). If your application is followed by the conclusion of an employee contract, the data will be included in the personnel file.
How long will your data be stored?
We store your personal data for as long as is necessary for the decision on your application. Insofar as an employment relationship between you and us does not come about, we may continue to store data beyond this, insofar as this is necessary for the defense against possible legal claims. In this case, the application documents will be deleted 6 months after notification of the rejection decision, unless longer storage is required due to legal disputes.
Inclusion in the applicant pool
We will be happy to include your application in an applicant pool. Your consent is required for this. You can give this consent by activating the corresponding option before sending your application.
If your application documents in the applicant pool are not used by us within one year, your application documents will be automatically deleted.
No automated decision making
No automated decision-making takes place in individual cases, which means that the decision about your application is not based exclusively on automated processing.
When using the CARL Academy, the following additional personal data is processed.
A user account is required to use the Academy’s services. During the registration process, you will be asked for your first and last name, your date of birth and your professional contact information, among other things. After successful registration, you will receive an initial welcome e-mail at the e-mail address you provided, which contains all relevant information for using the Academy.
After registration, you can log in to the CARL Academy with your access data and view the content intended for you and complete your training courses. After successful participation in a training course, a certificate is generated which you can retrieve at any time.
Your data subject rights
As a data subject, you are entitled to various rights, which we would like to inform you about below. Depending on the reason and type of processing of your personal data, you are entitled to the rights described in the following sections.
Your right to information
As a data subject, you have the right to know from us whether we are processing personal data about you and, if so, what personal data we are processing about you.
You also have the right to request from us a copy of your personal data that is the subject of processing.
Your right to rectification
You have the right to request that we correct any personal data that you consider to be inaccurate without undue delay.
You also have the right to request us to complete such personal data that you consider incomplete.
Your right to deletion
If the legal requirements are met, you can request the deletion of your personal data.
This is the case, for example, if we process your data based on your consent and you revoke it.
However, we may not delete data, for example, if we have to store it due to legal retention periods. We also cannot comply with your deletion request if it is necessary for us to process your personal data in order to assert, exercise or defend legal claims.
Your right to restriction of processing
Under certain conditions, you as a data subject have the right to demand that we restrict the processing of your personal data.
One of these conditions is, for example, that you dispute the accuracy of your personal data. Or also the case in which we no longer need your personal data, but you need this data to assert, exercise or defend legal claims.
Your right to object
If we process your personal data, on the basis of a legitimate interest, you have the right to object to this processing if this arises due to your particular personal situation. However, this right of objection does not exist insofar as there is a compelling public interest in the processing which outweighs your interest, a legal provision obliges us to process or the processing serves the assertion, exercise or defense of legal claims.
If we use your personal data for direct marketing, then you have the right to object at any time to processing for the purpose of such marketing. If you object to processing for this purpose, your personal data will no longer be processed for this purpose.
If we process your data based on your consent, then you have the right to revoke your consent at any time with effect for the future. Your revocation does not affect the lawfulness of the processing that took place until the revocation.
Your right to data portability
You only have this right with regard to personal data that you have provided to us yourself. You have the right to request that we transfer this personal data directly to another controller.
Alternatively, you have the right to request that we provide you with your data in a machine-readable format. However, this only applies if we process your personal data on the basis of your consent or on the basis of a contract and the processing is carried out with the help of automated processes.
Complaint to the supervisory authority
You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you violates data protection laws.
Version status: January 2022