Privacy Notice

Compliance with data protection regulations is very important to CMC Technologies GmbH & Co. KG (hereinafter referred to as “CMC Technologies”, “we” or “us”). We would therefore like to inform you in the following about the processing of your personal data, in particular about the purposes of the respective data processing and the data categories processed, subdivided according to individual services or forms of use and about the rights to which you are entitled. With regard to the related terms, such as “personal data” or “processing”, we refer to the relevant definitions in Art. 4 General Data Protection Regulation (GDPR).

If you are a supplier, applicant or customer of CMC Technologies, you will find information on the processing of your personal data here:

Suppliers can find more information here
Applicants can find more information here
Customers can find the information here

We kindly ask you to inform yourself regularly about the content of our data protection declaration. We will adapt the data protection declaration as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require a cooperative action on your part (e.g. consent) or other individual notification.

Status: 27.01.2025

1. Responsible party and contact information

Responsible party:
CMC Technologies GmbH & Co. KG
Eichendorffstrasse 12-14
89567 Sontheim/Brenz
Telefon: +49-2421-8003-0
E-Mail: [email protected]

Contact Data Protection:
PAUL HARTMANN AG
Data Protection Officer
Paul-Hartmann-Straße 12
89522 Heidenheim
E-Mail: [email protected]

Do you have general questions or comments about this data protection declaration or specific questions about the processing of your data? We will gladly answer them.

2. Legal bases and purposes of data processing

In accordance with Art. 13, 14 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not expressly mentioned in this data protection declaration, the following applies:

The legal basis for obtaining consent is Article 6 (1) a and Article 7 GDPR as well as Article 9 (2) a and Article 7 GDPR (e.g. registration on offered portals/creation of customer accounts, delivery of user-specific offers and information about our products and services, surveys on our websites, analysis of the use of our products, services and websites, personalisation of offers on the Internet, by e-mail, fax and other channels, advertising or market and opinion research), the legal basis for processing for the purpose of fulfilling our services and carrying out contractual measures and responding to enquiries is Art. 6 (1) b GDPR (e.g. registration on offered portals/creation of customer accounts, execution of contract and/or service, processing of payments for purchases and other services, processing due to a complaint, communication in particular via telephone, e-mail, fax, live chat, video call, supply advice), the legal basis for processing for the fulfilment of our legal obligations is Art. 6 (1) c GDPR (e.g. compliance with the statutory retention periods) and the legal basis for processing to safeguard our legitimate interests listed below is Art. 6 (1) f GDPR (e.g. Analysis and clarification of misuse or attacks on communication systems, legitimation and authentication; protection against or investigation of possible fraudulent transactions, communication via telephone, e-mail, fax, live chat, video call and other channels; sending samples, premiums, products and information, providing user-specific offers and information about our products and services, surveys on our websites, personalisation of offers on the Internet, by e-mail, fax and other channels, determining the effectiveness of our advertising). In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) d GDPR serves as the legal basis.

3. Security measures

In accordance with Articles 24, 32 GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons. Such measures shall include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to personal data, as well as access, input, disclosure, safeguarding of availability and segregation thereof. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of personal data and response to threats to personal data. Furthermore, we take the protection of personal data into account as early as the development and selection of hardware, software and procedures, in accordance with the principle of data protection by means of technological design and by means of data protection-friendly presettings (Art. 25 GDPR).

The security measures include in particular the encrypted transmission of data between your browser and our server. Third party security measures include in particular IP masking (pseudonymization of your IP address).

4. Joint controllership, information according to Art. 26 Para. 2 GDPR

Due to close cooperation in some areas, we may also process your personal data together with another data controller within the meaning of Art. 26 GDPR. The respective partners are determined by the individual cooperation with regard to the purposes presented below. Information on how the partners process your personal data can be found in their data protection declarations. In order to guarantee your rights in particular and taking into account the requirements of the GDPR, we have concluded an agreement on a case-by-case basis that sets out rules for the processing of your personal data. Thus, as so-called joint controllers, we are jointly responsible for the processing of your personal data.

4.1. Purposes of data processing within the framework of joint controllership

Joint controllership in the context of processing of your personal data can take place for the following purposes:

  • Integration of our services on third-party websites, e.g. integration of wizards, plug-ins or other technical means;
  • Integration of third-party services on our websites, e.g. integration of wizards, plug-ins or other technical means;
  • Carrying out surveys, investigations, and their evaluation;

4.2. Categories of data processed under a joint controllership

In particular, we process the following categories of personal data:

  • Inventory data (e.g. first and last name);
  • Contact information (e.g. phone number, email address);
  • Content data (e.g. communication content);
  • Metadata (e.g. IP address).

4.3. Contact information to exercise your rights

In individual cases, together with our respective partners, we have agreed on how we will ensure your rights and specified in more detail which obligations are incumbent on each partner to fulfill the obligations of the GDPR. It is particularly relevant to ensure that your rights as data subjects are exercised and that the information obligations to you in accordance with Articles 13 and 14 of the GDPR are fulfilled. We will be happy to answer general inquiries or comments using the contact details provided in section 1 of this privacy notice. To exercise your rights, please use the form linked in section 14 of this privacy notice.

Regardless of the determined contact point, you can also assert your rights directly against the respective partner.

Note: Insofar as your personal data is processed by a partner – going beyond the scope of joint responsibility – you are free to exercise your rights against this partner.

5. Cooperation with third parties and data processors

If, in the course of our processing, we disclose (third parties) personal data to other persons and companies – including Group companies -, transmit it to them or otherwise grant them access to the data, this is only done on the basis of a legal authorisation (e.g. if a transfer of the data to third parties, such as to payment service providers, is necessary for the performance of the contract in accordance with Art. 6 (1) b GDPR), if you have consented to this, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosters, etc.).

Insofar as we commission so-called contract processors with the processing of personal data on the basis of a so-called “data processing agreement” and thereby secure for ourselves, among other things, the necessary powers of influence or control with regard to the processing and use of personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.

6. Data transfers to third countries

If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or if personal data is disclosed or transferred to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or transfer personal data in a third country only if the special prerequisites of Art. 44 ff. GDPR. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognised establishment of a data protection level equivalent to that of the EU or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

7. Additional information for website users

This information informs you about the type, scope and purpose of the processing of personal data within our online offer and the associated websites, functions and contents as well as external online presences, such as our social media profiles (hereinafter jointly referred to as “online offer“). You can find further information in our “Privacy Notice Customers”.

7.1 Cookies, analysis, tracking, optimisation

Information on the cookies we use is mainly found in our cookie policy. Information on technologies from us or from third parties, which are not only used to provide a function within our online offer, but also exclusively or additionally serve the analysis of user behaviour, tracking, the optimisation of our marketing activities or other purposes, is made available to you in this data protection declaration and in our cookie policy.

7.2 Purposes of data processing

We process your personal data in particular for the following purposes:

Provision of the online offer, its contents and functions; marketing, advertising, public relations and market research; security measures; tracking (e.g. interest/behavioural profiling, use of cookies); remarketing; visitor action evaluation, interest-based and behaviour-based marketing, profiling (creation of user profiles); version measurement (measurement of the effectiveness of marketing measures); target group formation (determination of target groups relevant for marketing purposes or other output of content); cross-device tracking (cross-device processing of user data for marketing purposes).

7.3 Categories of data

We process in particular the following data categories:

Usage data (e.g. websites visited, services used, interest in content, access times); meta/communication data (e.g. device information, IP addresses, browser type); location data (data indicating the location of an end user’s end device).

7.4 Collection of access data and log files

On the basis of our legitimate interests within the meaning of Art. 6 (1) f GDPR, we collect data on every access to the server on which this service is located (so-called server log files). The access data includes the path of the website accessed, files linked to it, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider as well as other browser header data. In particular, the processing of your IP address as personal data is necessary for communication between your browser and our server.

Log file information is stored for a period of 6 months for security reasons (e.g. for the clarification of abuse or fraud) and then deleted. Data whose further storage is required for evidential purposes is excluded from deletion until final clarification of the respective incident. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 (1) c GDPR.

Kunden finden die Information hier – deutsch | englisch
Lieferanten finden die Information hier – deutsch | englisch
Bewerber finden die Information hier – deutsch | englisch

8. Use of video conferencing tools

When you communicate with us by means of a video conference, we and the provider of the respective video conference platform (hereinafter referred to as “platform(s)”) process your personal data. With the following specific data protection declaration, we inform you about the processing of your personal data within the scope of use.

8.1. Purposes and legal basis

We use platforms, for example, to offer certain services (e.g., conducting webinars or training courses, etc.) or simply to enable communication (internal and external). The use of the platforms, along with other related purposes, is therefore necessary for the provision of our services and, in principle, for the performance of contracts (cf. Art. 6 (1) b GDPR, § 26 (1) BDSG).

In addition, the use of the platforms is regularly in our legitimate interest (cf. Art. 6 (1) f GDPR), as it simplifies the implementation or provision of our services and accelerates communication (internally and externally) or makes it possible in the first place, especially if face-to-face events are not possible. In the context of the provision of use, it may also be in our legitimate interest to carry out troubleshooting and generate evaluations.

Furthermore, the platforms may also be used based on a consent (cf. Art. 6 (1) a GDPR), in particular in connection with any recording within the scope of use. We will inform you about this separately in advance, in particular about the personal data processed in connection with the recording (e.g., recording of image and spoken contributions or transcription of these).

8.2. The processed (personal) data

When using platforms, we process (personal) data. Which (personal) data is processed and to what extent depends in particular on the service offered, the platform used, the technical functions used and the information you provide before, during or after participating in a meeting, e.g., a webinar. During a meeting, content may therefore also be exchanged, uploaded, or otherwise made available. Typically, we process the following (personal) data in particular:

Meeting participant details: To participate in a meeting or to enter the meeting room, at least the first and last name must usually be entered (depending on the platform used). Under certain circumstances, it is also possible to provide only a pseudonym. In addition to the first and last name, we process the email address and the access password to the meeting, optionally the profile picture and the telephone number.

If necessary, the data will be processed after the meeting for further purposes (e.g., issuing attendance confirmations). As a rule (depending on the platform and configuration used), the information is deleted 30 days after the end of the meeting. More information on the duration of the storage of personal data and on deletion can be found below under No.  5.

Metadata: The following metadata may be generated during a meeting: Time and date of meeting, duration of meeting, interruptions of meeting, log-in and log-out time(s), measurement of behaviour in the meeting, e.g., share of speech (optional), participant IP addresses, information on hardware and software used.

If necessary, metadata is used after the meeting for troubleshooting or evaluation purposes, among other things. Metadata is usually deleted 30 days after the end of the meeting (depending on the platform and configuration used). More information on the duration of the storage of personal data and on deletion can be found below under No.  5.

Text, audio, and video data: It is possible (if the function is enabled) to use the chat, question or poll function in a meeting. Text entries are processed to display them in the meeting and, if necessary, to record them. In addition, to enable the display of video and the playback of audio, (personal) data from the video camera and microphone of the terminal device are processed during the meeting. The video camera and/or microphone can be switched off or muted at any time.

After the meeting, text, audio and video data are only processed for a specific purpose (e.g., subsequent provision of a link to view the webinar). After the purpose has ceased to exist (e.g., expiry of the validity of the link), the data is generally deleted unless another purpose justifies the processing. More information on the duration of the storage of personal data and on deletion can be found below under no.  5.

Recording, storage: Optionally, video, audio and presentation recordings or, if necessary, a transcription of the spoken word are made. Recordings require that the camera and microphone are switched on, that the screen is shared if necessary and that the resulting functions are also used. The transcription can also be used anonymously (depending on the platform and configuration used).

If the chat function is also used, the information you provide will be saved in the text file of the meeting chat. This also applies to sent files.

Recordings or other stored data are only processed after the meeting if this is necessary to achieve the purpose (e.g., subsequent provision of a link to view the webinar). If the purpose ceases to apply (e.g., expiry of the validity of the link), the recordings or other stored data will generally be deleted unless a further purpose justifies the processing. More information on the duration of the storage of personal data and on deletion can be found below under No. 5.

Dial-up with the telephone: As a rule, the telephone number and country are processed, optionally – location and connection data.

If necessary, dial-in data is used after the meeting, e.g., for troubleshooting or evaluation. They are usually deleted 30 days after the end of the meeting (depending on the platform and configuration used). More information about the duration of storage of personal data and deletion can be found below under No.  5.

8.3. Platforms used, recipients of the (personal) data

To fulfil the aforementioned purposes, we currently use the following platforms in particular: Teams and Skype from Microsoft, GoToMeeting from LogMeIn, WebEx from Cisco and Zoom from Zoom Video Communications.

The data protection declarations of the platform providers (hereinafter “providers”), with each of which we have concluded a commissioned processing agreement in accordance with Art. 28 GDPR, can be found here:

Teams and Skype from Microsoft:
https://docs.microsoft.com/de-de/microsoftteams/teams-privacy

GoToMeeting from LogMein:
LogMeIn (USA) Privacy Policy

WebEx from Cisco:
Cisco Online Privacy Statement – Cisco

Zoom by Zoom Video Communications:
Data protection | Zoom

Within our company, (only) those internal offices or employees receive personal data insofar as they need it to fulfil the aforementioned purposes in particular (enabling communication via a platform by creating a meeting). However, the data recipients are obliged in each case to use personal data only to the extent necessary.

If we transmit personal data to other (external) persons, companies or other third parties (e.g., downstream transmission of the recording of the meeting to participants) or grant them other access to personal data, this is only done on the basis of a legal permission or a corresponding consent. If we commission third parties with the processing of personal data based on a so-called “order processing agreement” and thereby secure for ourselves, among other things, the necessary powers of influence or control with regard to the processing and use of personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the lawfulness of the data processing. In this context, we also ensure that the providers maintain appropriate technical and organisational measures to protect the personal data.

In addition, providers may also process personal data for their own purposes. Please note that in this case, the providers themselves are responsible and must fulfil the obligations arising from the GDPR (e.g., obligation to inform, obligation to delete after the purpose has been achieved, etc.). Further information can be found in the data protection declarations of the providers (see above).

8.4. Processing of personal data in a third country

As far as possible, we will carry out the processing of personal data on the territory of the Federal Republic of Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area (e.g., store (have stored) the data arising during use in an “EU cluster”).

However, if processing of personal data in third countries (e.g., USA) is necessary, in particular in connection with the commissioning of providers, we will ensure that the specific legal requirements for such processing operations are met and thus that an adequate level of data protection exists in the respective third country. This includes, in particular, checking whether the European Commission has decided that an adequate level of protection exists in a third country (cf. Art. 45 GDPR) or whether suitable or adequate safeguards (e.g., standard contractual clauses) are in place and the enforcement of your rights is guaranteed as well as whether sufficient technical and organisational measures are in place to protect the personal data.

For further information on the appropriate or adequate safeguarding measures and how and where to obtain a copy of them, please contact [email protected].

8.5. Duration of the storage of personal data, deletion

In principle, we process and store personal data for the duration of a meeting or webinar and any subsequent services/processes (e.g., issuing certificates of attendance, providing the link to a webinar or the transcription, etc.). In addition, we may also process or store personal data for other purposes, e.g., for troubleshooting and evaluation purposes.

If the processing or storage is no longer necessary, we delete the personal data. This does not apply if, among other things, legally prescribed retention periods prevent the deletion (cf. Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.

Incorrect and/or incomplete data will be deleted or – as far as possible – corrected without delay in accordance with Art. 5 (1) d GDPR.

8.6. Technical and organisational measures

To ensure that personal data is protected, the following technical and organisational measures are taken in particular:

  • User authentication;
  • Possibility for two-factor authentication (e.g., in Zoom and MS Teams);
  • Transport / end-to-end encryption;
  • Possibility to pixelate backgrounds after activating the camera;
  • Possibility of participation with video/sound off by default;
  • Participation without creation of an account (guest account);
  • Participation without installation of an application (web client);
  • Recording and storage turned off by default, recording only started after consent.

8.7. Further data protection information

Further information on the processing of your personal data, in particular your rights, can be found in the applicable / valid data protection declaration for you as an employee, customer, supplier, etc., available on the intranet or on our website, among other places.

9. Contact

When you contact us (by contact form, telephone, fax, post or e-mail), your personal data will be processed for the purpose of handling your enquiry and its processing in accordance with Article 6 (1) b and f GDPR. The information marked as mandatory in the contact form is required for the processing of your enquiry.

As a rule, we delete inquiries 3 months after their receipt, at the latest, however, if they have been answered. In the event of statutory storage obligations to be observed, the deletion shall take place after their expiry.

10. Deletion, anonymization and storage

The personal data processed by us will be deleted in accordance with Art. 17 GDPR. Unless expressly stated within the scope of this data protection declaration, the personal data stored by us will be deleted as soon as they are no longer required for their intended purpose and, in particular, there are no legal storage obligations to prevent deletion. If the personal data are not deleted because their processing is necessary for other and legally permissible purposes, the processing is restricted. This means that the personal data is blocked and not processed for other purposes.

Instead of deleting your personal data, we will, if necessary, make it anonymous in such a way that it is irreversibly impossible to retrieve it in the future.

In accordance with the legal requirements, storage takes place in particular for 6 years in accordance with § 257 (1) of the German Commerical Code (HGB) (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 (1) of the German Tax Code (AO) (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

11. Your rights

You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that has taken place before the withdrawal therefore remains lawful.

In accordance with Art. 15 GDPR, you can request information about your personal data processed by us.

In accordance with Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.

In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored with us in accordance with the conditions stated there, unless legally prescribed retention periods prevent immediate deletion (cf. Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.

In accordance with Art. 18 (1) GDPR, you can demand the restriction of data processing if one or more conditions in accordance with Art. 18 (1) GDPR lit. a to d apply..

In accordance with Art. 20 (1) GDPR, you can receive the personal data processed by us in a structured, common and machine-readable format and transfer this data to another responsible person without hindrance by us.

In addition, you can lodge an objection to the processing of your personal data in accordance with Art. 21 (1) GDPR. In the event of an objection, we will stop processing your personal data. However, the right of objection only applies if special circumstances arise from your personal situation. In addition, compelling reasons worthy of protection that speak in favour of processing may prevail. Furthermore, certain processing purposes may conflict with your right of objection.

According to Article 21 (2) GDPR, you have the right to object to the processing of your personal data for the purposes of direct marketing at any time and without further conditions. This also applies to profiling, insofar as it relates to such direct advertising. If you lodge an objection, your personal data will no longer be processed for these purposes (cf. Art. 21 (3) GDPR).

Without prejudice to any other administrative or judicial remedy, you also have the right to appeal to the competent supervisory authority (cf. Art. 77 GDPR) if you believe that the processing of your data violates data protection regulations. In this context, however, we would ask you to address a possible complaint to us first. We will then attempt to remedy the situation as quickly and effectively as possible.