Data Privacy Policy
According to the General Data Protection Regulation ("GDPR")
Introduction and scope
In this Data Privacy Policy statement, you will learn how we process your personal data during the use of our eLearning platform (hereinafter referred to as "platform"). This privacy statement applies to all personal data that we collect, process, and use when you access and use the platform. It does not apply to personal data concerning individuals whose information is contained in documents and files that may be uploaded to the platform or otherwise entered into the system by users (e.g., in text fields).
Controller
This Data Privacy Policy applies to data processing by us as the Controller according to Art. 4 (7) GDPR. Our contact information is:
collaboration Factory GmbH
Arnulfstraße 34
D-80335 Munich
Register court and number: Munich, HRB 299416
https://www.cplace.com/impressum
Contact:
E-Mail: info@cplace.com
Tel: +49 (0)89 809133 230
Fax: +49 (0)89 809133 239
Website: https://www.cplace.com/kontakt
In this Data Privacy Policy, the Controller is also referred to as "we" and/or "us."
Data Protection Officer
The (external) Data Protection Officer of the Controller can be reached as follows:
Dr. Jochen Notholt
comp/lex -- Lösungen & Dienste
Lindwurmstr. 10
80337 Munich
Germany
E-Mail: privacy@collaboration-factory.de
Tel: +49-89-41614295-0
Definitions
Unless this Data Privacy Policy contains or implies a different definition, please refer to the definitions in Art. 4 GDPR concerning the terms used.
Processing of personal data
Processing of personal data by our hosting service provider as our subcontractor.
Our platform is operated or hosted on servers of our platform service provider, which are located within the European Union for customers from the EU, the EEA, Switzerland, or the UK.
We are currently working with the following hosting/platform service provider:
Susell GmbH (reteach)
Joachimstraße 7, 10119 Berlin
(hereinafter: „service provider")
For more information on data protection, the security of processing, and the status of the service provider's certifications, please refer to the following link:
https://www.reteach.com/datenschutzerklaerung/
Our contractually bound service provider processes personal data for us on our behalf and according to our instructions as a so-called "Processor" according to Art. 28 GDPR.
Use of the platform through reteach
During the use of the platform, we or the service provider acting on our behalf only collect such personal data that is transmitted by your browser to the servers or that you enter into the system yourself, especially during the registration or login process. This may generally include:
User Data
IP address
Email
First name, last name, title
Job title
Username
Company affiliation
Operating system
Language and version of the browser software
Internet Service Provider
Time-related Data
Date and time of registration
Date and time of the (last) login
Time zone difference to Greenwich Mean Time (GMT)
Usage Data
Content of the request (specific page on the platform, e.g., a particular chapter in the online course)
User actions (e.g., switching to another module of the online course)
Start and end times, as well as duration of course engagement
Training progress (especially the number of open, completed, and assigned courses or learning paths, results of success checks, percentage completion of a course or learning path)
This data is technically necessary for us to provide you with the desired service and enable you to work in the system (purpose of processing). The legal bases for this processing are Art. 6 (1) points (a), (b), (c), and (f) GDPR.
Our legitimate interest under Art. 6 (1) point (f) GDPR lies in enabling our customers, partners, employees, and interested parties to access the methodologically and didactically prepared cplace-knowledge. This serves to promote cplace in the market, especially among our customers, who can successfully carry out their projects with cplace or use cplace as a productive software solution. The purpose directly serves the business operations of collaboration Factory GmbH.
The personal data to be processed is typically in a business context, such as a business email address, an IP address sent from a work-used computer, etc. Furthermore, the categories of processed personal data are considered non-sensitive; also, we generally do not process special categories of personal data under Art. 9 (1) GDPR.
Misuse of or causing any other damage to the personal data we process requires technical means and significant IT expertise.
Considering the points above as a whole leads collaboration Factory GmbH to the assessment that the risk to our users of suffering damage as data subjects according to Art. 4 (12) GDPR (personal data breach) is to be classified as very low. As a result, we hold our legitimate interest to be true and feasible in consideration of the points above.
Vimeo
Courses are partially supported by video material.
The video recordings are uploaded to Vimeo and subsequently embedded in the eLearning courses. The data protection responsibility for the operation of the Vimeo platform lies with Vimeo (Vimeo LLC, 555 West 18th Street New York, NY 10011 USA). You can find the data privacy information from Vimeo at:
To the best of our knowledge, in this context Vimeo processes the following personal data:
IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Data volume transferred in each case
Website from which the request originates
Browser
Operating system and its interface
Language and version of the browser software
Data regarding interaction with the Vimeo plug-in
Possibly device identifier of your end device
The version of the Vimeo software we use
Information on previous playback of the video
Information about the manner of playback (e.g., full screen)
The legal basis for the processing of personal data in the context of the integration of the Vimeo videos and the corresponding transmission of personal data to Vimeo LLC is Art. 6 (1) point (b) GDPR, because, in doing so, we fulfill the agreed contractual obligations to provide learning content, which is, when methodologically/didactically appropriate, partially delivered through video material.
Vimeo necessarily gains knowledge of the above-mentioned data. Vimeo is a service by a provider from the USA. We also cannot rule out that data routing may occur through Internet servers located outside the EU. This may particularly be the case if you, as a participant, are in a third country. Thus, the processing of personal data also takes place in a third country. An adequate level of data protection is ensured by the conclusion of the so-called EU Standard Contractual Clauses. The legal basis for the data transfer is Art. 46 (2) point (c) GDPR. Vimeo is certified under the EU-US Data Privacy Framework. The data transfer therefore takes place on the basis of the adequacy decision of the EU Commission from 2023.
YouTube
Videos are partially embedded in YouTube.
By playing the videos embedded in YouTube, the service Google Fonts is used. For this, Google (Google Ireland Ltd) is legally responsible for data protection.
To the best of our knowledge, Google processes usage data and tracking data in this context. For more information on Google Fonts, please see here: https://policies.google.com/privacy.
Before playing a video, we will ask for your consent pursuant to Art. 6 (1) point (a) GDPR and Art. 49 (1) point (a). When the videos are played, the following personal data of yours will be processed:
Tracker
UUID
Recipients or categories of recipients
Personal data is disclosed to the following categories of recipients:
Our employees or (external) personnel in accordance with Art. 29 GDPR,
Depending on the (project/business) context, the employees of our partner companies, especially in the management of the company's own users,
As well as our Processors to the necessary extent, in particular our service provider, and
Possibly employees of the contracting customers (e.g., supervisors of an online course participant), especially regarding the progress of the participating individuals.
Beyond this, your personal data will not be shared with third parties without your explicit consent, unless we are legally obliged to do so or transmitting the data is absolutely necessary for the performance of our contractual relationship.
Transmission to third countries
We process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) only if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. The same applies to processing by third parties on our behalf, the disclosure of personal data to third parties, and its transmission to third parties. Service providers who process personal data on our behalf in a third country are also only used if an "adequacy decision" by the European Commission (Art. 45 GDPR) exists for the third country, or if the recipient possesses "appropriate safeguards" (Art. 46 GDPR) or "binding corporate rules" (Art. 47 GDPR).
General information on data protection and further information, including on transfers to third countries, can be found on the websites of the European Commission:
https://commission.europa.eu/law/law-topic/data-protection_de
Provision of personal data and profiling
You are not required by law to provide personal data concerning yourself. However, providing the data may be necessary to conclude a contract or for some functions of our service. If you do not provide the data, a contract or a function of our service may not be offered. There is no automatic decision-making, including profiling, beyond designated measures dependent on consent.
Erasure of Data
The data we process will be deleted in accordance with Art. 17 GDPR or restricted in its processing in accordance with Art. 18 GDPR. Unless otherwise specified in this Data Privacy Policy, the data we process will be deleted as soon as it is no longer required for its intended purpose and the erasure is not subject to any legal obligations of retention.
Rights of data subjects
You have the right:
under Art. 15 GDPR to request information about the personal data concerning you that we process. In particular, you may demand information about the purposes of processing; the category of the personal data; the categories of recipients to whom your data has been or will be disclosed; the planned storage period; the existence of your right to rectification, erasure, restriction of processing or objection; the existence of your right of complaint; the origin of your data if it was not collected by us; the existence of automated decision-making including profiling and, if applicable, meaningful information about it in detail;
under Art. 16 GDPR to demand the rectification of inaccurate personal data or completion of incomplete personal data concerning you and stored by us without delay;
under Art. 17 GDPR to demand the erasure of your personal data stored by us, unless its processing is necessary for exercising the right to freedom of expression and information, for complying with a legal obligation, for reasons of public interest, or for establishing, exercising or defending legal claims;
under Art. 18 GDPR to demand the restriction of processing your personal data, insofar as you dispute the accuracy of the data; the processing is unlawful, but you oppose its erasure; we no longer require the data, but you require it for asserting, exercising or defending legal claims; or you have objected to the processing according to Art. 21 GDPR;
under Art. 20 GDPR to receive your personal data that you have provided to us in a structured, common and machine-readable format, or to demand its transmission to another Controller;
under Art. 77 GDPR to complain to a supervisory authority. As a rule, you may contact the supervisory authority of your usual place of residence or workplace or our company headquarters. The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach.
Revocation of consent
If we process your personal data on the basis of consent given by you according to Art. 6 (1) point (a) GDPR, you have the right to revoke any consent given to us according to Art. 7 (3) GDPR with future effect.
If you wish to exercise your right of revocation, you may notify us by emailing privacy@collaboration-factory.de. Alternatively, you may use the contact information given above in section 2.
Objection in case of processing based on legitimate interest
If we process your personal data on the basis of our legitimate interests according to Art. 6 (1) point (f) GDPR, you have the right to object to the processing of your personal data under Art. 21 GDPR, provided that reasons exist that arise from your particular situation or that the objection is against direct marketing. In the latter case, you have a general right of objection, which we will implement without a particular situation being specified.
If you wish to exercise your right of objection, you may notify us by emailing privacy@collaboration-factory.de. Alternatively, you may use the contact information given above in section 2.
Security measures
We take state-of-the-art organizational, contractual and technical security measures to ensure that the provisions of data protection law are complied with in order to protect the data we process against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons.
Furthermore, the system operates with data protection-friendly default settings (privacy by default). Admin access permissions are regularly reviewed and adjusted (need-to-know principle).
Changes to this Privacy Policy
We reserve the right to change our Data Privacy Policy should it be necessary due to new technologies, changes in our data processing procedures, or in order to adapt it to changes in the legal situation concerning us. However, this only applies to this Data Privacy Policy. If we process your personal data on the basis of your consent or if parts of the Data Privacy Policy contain provisions of the contractual relationship with you, any changes will be made only with your consent.