Privacy Policy for GMG Software

1. Data Controller

The data controller, as defined by the GDPR, is:

GMG GmbH & Co. KG
Moempelgarder Weg 10, 72072 Tuebingen, Germany
Telefon: +49 7071 93874-0 | Telefax: +49 7071 93874-22 | E-Mail: info(at)

Data controller’s representatives: Joerg Weihing, Robert Weihing

2. Data Protection Officer

Hillen Datenschutzberatung 
Dipl.-Jur Fareshta Hillen 
Weiherstraße 27  
73207 Plochingen

3. Personal Data

3.1 GMG Web Services

Personal data is processed when using the GMG Cloud Management Platform, GMG ColorProof GO and GMG ColorCard web services, in particular to keep functions running across systems, detect errors and disruptions, and to track unauthorized access. The following data categories are processed: First and last name, user logins, user passwords, e-mail addresses, login and logout time stamps, system names, and the time and date of capture. The customer may request that GMG delete this account data at any time and without providing any reason by sending an e-mail to support(at) GMG will delete this data within 30 days of receiving a customer request.

GMG points out that you are entitled to the following basic rights under the GDPR legislation:

1. The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and to obtain access to such data and further information and a copy of the data (Art. 15 GDPR).

2. The data subject has the right to request that personal data concerning him or her be completed or that inaccurate data concerning him or her be corrected (Art. 16 GDPR).

3. The data subject has the right to request that personal data concerning him or her be erased without undue delay (Art. 17 GDPR) or, alternatively, to request restriction of the processing of the personal data (Art. 18 GDPR).

4. The data subject has the right to obtain the personal data concerning him or her that he or she has provided and to request their communication to other data controllers (Art. 20 GDPR).

5. The data subject also has the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

6. The data subject has the right to withdraw his or her consent with effect for the future (Art. 7(3) GDPR).

7. The data subject has the right to object at any time to the processing of his or her personal data, in particular to the processing of personal data for direct marketing purposes (Art. 21 GDPR).

3.2 Contact

When contacting GMG, the customer's details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b GDPR. GMG reviews the necessity of personal data every two years and deletes requests if they are no longer required. Furthermore, the statutory archiving obligations apply.

3.3 Hosting and E-Mail Dispatch

The cloud services used by GMG serve to provide infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services and technical maintenance services, which are used for the purpose of operating GMG ColorProof GO and GMG ColorCard.

3.4 Collection of Access Data and Log Files

On the basis of the contractual agreements for the web services of GMG ColorProof GO and GMG ColorCard in accordance with Article 6(1)(b) of the General Data Protection Regulation (GDPR) in conjunction with Article 28 of the GDPR, GMG and/or GMG’s contracted cloud provider AWS Frankfurt collects personal data attained via server log files for the servers on which these services are located. Log file information will be saved for a maximum of 3 months for security purposes and then deleted. Data that needs to be kept for longer as evidence shall not be deleted until the respective incident has been fully resolved.

3.5 Security Measures

GMG takes appropriate technical and organizational measures to ensure an appropriate amount of protection against risks, in accordance with Article 32 of the GDPR. This takes into account the maintaining of the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying probability in occurrence and severity of the risk regarding the rights and freedom of natural persons. The measures in particular include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the respective access, input, transmission, security of availability and segregation of the data.

Furthermore, it should be noted explicitly that neither GMG nor anyone contracted by GMG can identify any of the data saved to the GMG Cloud by users because of the end-to-end encryption used by GMG ColorProof GO and GMG ColorCard.

Furthermore, GMG has established procedures to ensure the exercise of right of data subject, deletion of data and a reaction to endangerment of personal data. In addition, GMG already considers the protection of personal data during the development in accordance with the principle of data protection through design and data protection-friendly presets (Art. 25 GDPR).

3.6 Cooperation with Processors and Third Parties

In the case that GMG discloses personal data to other persons and companies (contract processors or third parties) as part of the processing, transmits such data to them or grants them access to the data, or GMG processes data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this is done in the course of using third-party services or for disclosure, or in the case of transmission of personal data to third parties, this is done on the basis of legal permission,

  • to meet contractual obligations, e.g. when the transfer of the data to third parties is necessary in order to fulfill a contract (Art 6(1) (b) GDPR);
  • to meet a legal obligation (Art 6(1) (c) GDPR);
    on the basis of a legitimate interest on the part of GMG, e.g. for purposes (Art 6(1) (f) GDPR) such as assessing usability, use of functions, and to develop new products and services.

3.7 Transmissions into Third Countries

Subject to legal or contractual permissions, GMG processes or allows personal data to be processed in a third country only if the special requirements pursuant to Art. 44 et seq. GDPR are met. I.e. the processing is carried out on the basis of special guarantees, such as the officially recognized special contractual obligations (so-called standard contractual clauses). Those affected have the right to request further information from GMG at any time.

3.8 GMG Software

No personal data will be collected and/or processed in the use of GMG Software (GMG ColorProof, GMG ColorServer, GMG OpenColor, GMG ProofControl, GMG ColorPlugin).

4. Deletion of Data

The personal data processed by GMG will be deleted at the request of the customer or 30 days after the end of the contract. The processing of any personal data that is not deleted because it is necessary for other legally permitted purposes shall be limited and/or blocked.


We tried to make the topic of data protection in the context of using GMG software easy to understand and transparent. However, if you still have questions or would like to raise a concern, you can always contact our data protection officer directly at: datenschutz(at)

As of 02/2024