1. Data Controller
The data controller, as defined by the GDPR, is:
GMG GmbH & Co. KG
Moempelgarder Weg 10, 72072 Tuebingen, Germany
Telefon: +49 7071 93874-0 | Telefax: +49 7071 93874-22 | E-Mail: firstname.lastname@example.org
Data controller’s representatives: Joerg Weihing, Robert Weihing
2. Data Protection Officer
Tercenum AG, Georgenstraße 22, 10117 Berlin, Germany
3. Personal Data
As a matter of principle, no personal data is collected and processed in the course of using GMG software. However, if personal data is exceptionally affected, GMG processes it to maintain the security and integrity of the web services GMG ColorProof GO and GMG ColorCard, in particular to detect malfunctions and errors and to track unauthorized access. GMG points out that you are entitled to the following basic rights under the GDPR legislation.
1. The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and to obtain access to such data and further information and a copy of the data (Art. 15 GDPR).
2. The data subject has the right to request that personal data concerning him or her be completed or that inaccurate data concerning him or her be corrected (Art. 16 GDPR).
3. The data subject has the right to request that personal data concerning him or her be erased without undue delay (Art. 17 GDPR) or, alternatively, to request restriction of the processing of the personal data (Art. 18 GDPR).
4. The data subject has the right to obtain the personal data concerning him or her that he or she has provided and to request their communication to other data controllers (Art. 20 GDPR).
5. The data subject also has the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
6. The data subject has the right to withdraw his or her consent with effect for the future (Art. 7(3) GDPR).
7. The data subject has the right to object at any time to the processing of his or her personal data, in particular to the processing of personal data for direct marketing purposes (Art. 21 GDPR).
When contacting GMG, the customer's details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b GDPR. GMG reviews the necessity of personal data every two years and deletes requests if they are no longer required. Furthermore, the statutory archiving obligations apply.
3.3 Hosting and Email Dispatch
The cloud services used by GMG serve to provide infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services and technical maintenance services, which are used for the purpose of operating GMG ColorProof GO and GMG ColorCard.
3.4 Collection of Access Data and Log Files
GMG, respectively the cloud provider commissioned by GMG, collects personal data on the basis of GMG's legitimate interest in the efficient and secure provision of the web services of GMG ColorProof GO and GMG ColorCard on access to the server on which these services are located (so-called server log files) pursuant to Art. 6 (1) f GDPR in conjunction with Art. 28 GDPR. Log file information is stored for security reasons for a maximum of 30 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
GMG also expressly points out that, due to the end-to-end encryption used by GMG ColorProof GO and GMG ColorCard, no files uploaded by users to the GMG Cloud can be identified by GMG or by anyone commissioned by GMG.
3.5 Security Measures
GMG takes appropriate technical and organizational measures to ensure an appropriate amount of protection against risks, in accordance with Article 32 of the GDPR. This takes into account the maintaining of the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying probability in occurrence and severity of the risk regarding the rights and freedom of natural persons. The measures in particular include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the respective access, input, transmission, security of availability and segregation of the data.
Furthermore, GMG has established procedures to ensure the exercise of right of data subject, deletion of data and a reaction to endangerment of personal data. In addition, GMG already considers the protection of personal data during the development in accordance with the principle of data protection through design and data protection-friendly presets (Art. 25 GDPR).
3.6 Cooperation with Processors and Third Parties
In the case that GMG discloses personal data to other persons and companies (contract processors or third parties) as part of the processing, transmits such data to them or grants them access to the data, or GMG processes data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this is done in the course of using third-party services or for disclosure, or in the case of transmission of personal data to third parties, this is done on the basis of legal permission,
- if the customer expressly consents to this (Art. 6 para. 1 lit. a GDPR);
- for the fulfillment of contractual obligations, e.g. if a transfer of the data to third parties is necessary for the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR);
- on the basis of a legal obligation (Art. 6 para. 1 lit. c GDPR);
- on the basis of a legitimate interest of GMG or third parties, e.g. when using contracted web hosts, cloud providers, etc. (Art. 6 para. 1 lit. f GDPR).
If GMG commissions third parties with the processing of data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.
3.7 Transmissions into Third Countries
Subject to legal or contractual permissions, GMG processes or allows personal data to be processed in a third country only if the special requirements pursuant to Art. 44 et seq. GDPR are met. I.e. the processing is carried out on the basis of special guarantees, such as the officially recognized determination of the data protection level corresponding to the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
4. Anonymized Usage Data
As a matter of principle, usage data is generally collected and processed on a non-personal basis. By using GMG software, the customer consents to GMG collecting minimum anonymous information to improve the software which may be send to a third-party cloud server for processing by GMG for internal use.
The customer may withdraw his or her consent to the data collection at any time in the respective system settings of the GMG software with effect for the future, without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.
The data is collected in aggregate form without identifying any user individually. The IP address is only used to determine the country of location and is then immediately deleted so that the personal identity is not disclosed.
Further information on what usage data is collected and why GMG collects this data can be found on the following web page: https://www.gmgcolor.com/lux/
4.1 Google Analytics
The web services GMG ColorProof GO and GMG ColorCard use Google Analytics, a service for the collection and analysis of usage data, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Irland; hereinafter referred to as "Google").
Google Analytics uses so-called "cookies", small text files that are stored on the customer's computer and enable an analysis of the usage of GMG ColorProof GO and GMG ColorCard. In this context, pseudonymized usage profiles are created and cookies are used, generating information such as:
- Browser type/version,
- operating system,
- referrer URL (website previously visited),
- host name of the accessing computer (IP address),
- time of the server request,
which is transmitted to a Google server in the US and stored there. The information is used to evaluate the use of GMG ColorProof GO und GMG ColorCard, and to enable a needs-based design and barrier-free user experience on different browsers and end devices.
This information may also be sent to third parties if this is legally required or if third parties process this data on behalf of Google. Under no circumstances will your IP address be associated with any other data from Google. IP addresses are anonymized so that it is not possible to assign them to individuals (known as IP masking).
The installation of cookies can be prevented by configuring the web browser accordingly. In addition, the following browser add-on can be downloaded and installed to prevent activity data from being shared with Google Analytics:
These processing operations are carried out when explicit consent is given in accordance with Art. 6 Para. 1 lit. a GDPR.
Additional information on data protection with respect to Google Analytics is available on the Google Analytics website in the help section.
5. Deletion of Data
The personal data processed by GMG will be deleted as soon as it is no longer required for the intended purpose and the deletion does not subject to any legal storage obligations. If personal data is not deleted because it is required for other legitimate purposes, the processing will be restricted or blocked.
We tried to make the topic of data protection in the context of using GMG software easy to understand and transparent. However, if you still have questions or would like to raise a concern, you can always contact our data protection officer directly at: datenschutz(at)ddsb.de
As of 09/2021