Data Privacy Notice for Kappa optronics GmbH

Kappa optronics GmbH, together with our subsidiaries (hereinafter collectively referred to as "the company", "we" or "us"), places great importance on the protection of your data. Our data protection notices are modular in structure. They consist of a general section covering all processing of personal data and processing situations that apply whenever a website is accessed (A. General), and a specific section, the content of which relates only to the processing situation specified there, with reference to the respective offer or product.

 

1. General

1.1. Definitions

Following Article 4 of the GDPR, the following definitions apply to this data protection notice:

• “Personal data” (Art. 4 No. 1 GDPR) means all information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, an online identifier, location data, or by information relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. Identifiability can also result from linking such information or additional knowledge. The form or embodiment of the information does not matter (photos, video, or audio recordings can also contain personal data).
• “Processing” (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data, whether or not by automated means. This includes, in particular, the collection (i.e., acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data, as well as the modification of a purpose originally underlying the data processing.
• “Controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• “Third party” (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data; this also includes other group-affiliated legal entities.
• “Processor” (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, in particular according to their instructions (e.g., IT service providers). In the sense of data protection law, a processor is not a third party.
• “Consent” (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

 

1.2. Name and Address of the Controller

The controller responsible for processing your personal data within the meaning of Art. 4 No. 7 GDPR is:

Kappa optronics GmbH

Kleines Feld 6

37130 Gleichen

GERMANY

E-Mail:info@kappa-optronics.com
Website: www.kappa-optronics.com

Further information about our company can be found in the legal notice on our website:
https://www.kappa-optronics.com/de/impressum/

 

1.3. Contact Details of the Data Protection Officer

For all questions and as a contact person on the subject of data protection, our data protection officer is always available. Contact

Kappa optronics GmbH

The Data Protection Officer

Kleines Feld 6

37130 Gleichen

GERMANY

E-Mail: datenschutz@kappa-optronics.com

 

1.4. Legal Bases for Data Processing

We process your personal data only if we have a legal basis for doing so. For the processing operations we carry out, we specify the applicable legal basis below. Processing may also be based on several legal bases.

 

1.5. Data Deletion and Storage Duration

For the processing operations we carry out, we specify below how long the data is stored with us and when it is deleted or blocked. Unless a specific storage period is expressly stated below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage ceases to apply. Storage of your data generally takes place only on our servers in Germany, subject to any transfer according to the regulations in 1.7 and 1.8.

However, storage may be extended in the event of (impending) legal disputes with you or other legal proceedings, or if storage is required by legal regulations to which we as the controller are subject (e.g., § 257 HGB, § 147 AO). When the legally prescribed retention period expires, the data is blocked or deleted unless further storage is necessary and legally justified.

 

1.6. Data Security

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or unauthorized access by third parties (e.g., TLS encryption for our website), taking into account the state of the art, implementation costs, nature, scope, context, and purpose of processing, as well as the risks for the data subject. Our security measures are continuously improved in line with technological developments.

For more information, please contact our data protection officer (see 1.3).

 

1.7. Cooperation with Processors

Like any major company, we use external domestic and foreign service providers (e.g., IT, logistics, telecommunications, sales, and marketing) to conduct our business. These act only on our instructions and are contractually obligated to comply with data protection regulations in accordance with Art. 28 GDPR. If personal data is transferred to or from our subsidiaries (e.g., for advertising purposes), this is based on existing processing agreements.

1.8. Conditions for Transfer of Personal Data to Third

In the course of our business relationships, your personal data may be transferred to or disclosed to third-party companies, including those outside the European Economic Area (EEA). Such processing occurs only to fulfill contractual and business obligations and to maintain your business relationship with us. Details are provided at the relevant points below.

Some third countries are recognized by the European Commission as providing an adequate level of data protection (see: ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). In other countries, there may not be a consistently high level of data protection. In such cases, we ensure adequate protection through binding corporate rules, standard contractual clauses, certificates, or recognized codes of conduct. For more information, contact our data protection officer (see 1.3).

 

1.9. No Automated Decision-Making (Including Profiling)

We do not intend to use your personal data for automated decision-making (including profiling).

 

1.10. Obligation to Provide Personal Data

In the context of our business relationship, you must provide the personal data necessary for establishing and conducting the business relationship and fulfilling contractual obligations, or which we are legally required to collect. Without this data, we are generally unable to enter into or fulfill the business relationship.

 

1.11. Legal Obligation to Transmit Certain Data

We may be subject to a special legal or regulatory obligation to provide lawfully processed personal data to third parties, especially public authorities (Art. 6 Par. 1 Sect. 1 (c) of the GDPR).

 

1.12. Your Rights

You can assert your rights as a data subject regarding your processed personal data at any time using the contact details provided above in [1.2.]. As a data subject, you have the right:

• pursuant to Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• pursuant to Art. 16 GDPR, to demand the immediate correction of incorrect or completion of your personal data stored by us;
• pursuant to Art. 17 GDPR, to demand the erasure of your personal data stored by us, unless processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
• pursuant to Art. 18 GDPR, to demand the restriction of processing of your data, insofar as the accuracy of the data is contested by you or the processing is unlawful;
• pursuant to Art. 20 GDPR, to receive your data, which you have provided to us, in a structured, commonly used, and machine-readable format or to request the transmission to another controller ("data portability");
• pursuant to Art. 21 GDPR, to object to the processing, provided that the processing is based on Art. 6(1) sentence 1 lit. e or lit. f GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. If it is not an objection to direct advertising, we ask that you explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust the data processing or show you our compelling legitimate grounds on the basis of which we continue the processing;
• pursuant to Art. 7(3) GDPR, to withdraw your consent once given (also before the GDPR came into force, i.e., before 25.5.2018) – that is, your voluntary, informed, and unambiguous declaration or other clear affirmative action indicating that you consent to the processing of the personal data concerning you for one or more specific purposes – at any time with effect for the future. This means that we may no longer continue the data processing that was based on this consent for the future; and
• pursuant to Art. 77 GDPR, to lodge a complaint with a data protection supervisory authority about the processing of your personal data in our company, for example with the supervisory authority responsible for us:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Postfach 221, 30002 Hannover
Prinzenstraße 5, 30159 Hannover
Telefon: +49 511 120-4500
Fax: +49 511 120-4599
E-Mail: poststelle@lfd.niedersachsen.de

 

1.13. Changes to the Data Protection Notice

As part of the ongoing development of data protection law as well as technological or organizational changes, our data protection notices are regularly reviewed to determine whether they need to be adapted or supplemented.

 

2. Website Visits

2.1. Explanation of the Function

Our website serves to provide information about our company, our areas of activity, offers, and to enable contact. When you visit our website, personal data about you may be processed.

 

2.2. Processed Personal Data

When you use the website for informational purposes, the following categories of personal data are collected, stored, and further processed by us:

 

2.2.1. Log Data

When you visit our website, a so-called log data record (so-called server log files) is temporarily and anonymously stored on our web server. This consists of:

• the page from which the page was requested (so-called referrer URL)
• the name and URL of the requested page
• the date and time of the request
• the description of the type, language, and version of the web browser used
• the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established
• the amount of data transferred
• the operating system
• the message as to whether the request was successful (access status/HTTP status code)
• the GMT time zone difference

The processing of the log data serves statistical purposes and the improvement of the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR). These files are deleted within 4 days.

 

2.2.2. Consent with sgalinski Cookie OptIn for TYPO3

This website uses the consent tool from sgalinski to obtain and document your consent to the storage of certain cookies on your device or the use of certain technologies. The provider of this tool is:

Stefan Galinski Internetdienstleistungen
Bahnhofstr. 52
37339 Gernrode
Website: sgalinski.de (hereinafter "sgalinski").

When you enter our website, the following personal data is transmitted to sgalinski:

• your consent(s) or the withdrawal of your consent(s)
• your IP address
• information about your browser
• information about your device
• the time of your visit to the website

Furthermore, sgalinski stores a cookie in your browser to be able to assign the consents you have given or their withdrawal. The data collected in this way is stored until you ask us to delete it, you delete the sgalinski cookie yourself, or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.

The use of the sgalinski tool is to obtain the legally required consents for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

 

2.2.3. Hosting

Our website is hosted by an IT service provider.

BRUNS_digital
Bruns Verlags-GmbH & Co. KG
Obermarktstraße 26-30
32423 Minden

We have concluded a data processing agreement with the hosting provider.

 

2.3. 2.3. Forms, Email Communication

If you wish to contact Kappa, you have communication channels such as email and various forms at your disposal. Depending on the form, the following data is requested:

• First name, last name
• Email address
• Company website
• Text input

The processing of contact form data is carried out for various purposes chosen by the customer, such as processing customer inquiries (legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR). Depending on the purpose, other legal bases may also apply, such as a legitimate interest under Art. 6 para. 1 lit. f GDPR or consent under Art. 6 para. 1 lit. a GDPR.

If you contact us by email or via a contact form, the personal data you provide will be processed by the web server and our email server and then automatically stored. Such personal data voluntarily transmitted by you to us will be stored for the purpose of processing or contacting the data subject. There is no disclosure of this personal data to third parties. The storage period depends on the respective purpose and content of the message.

 

2.4. Duration of Data Processing

Your data will only be processed for as long as is necessary to achieve the above-mentioned processing purposes; the legal bases specified in the context of the processing purposes apply accordingly.

Third parties used by us will store your data on their systems for as long as is necessary in connection with the provision of services for us in accordance with the respective order.

 

2.5.  Transfer of Personal Data to Third Parties; Legal Bases

The following categories of recipients, who are usually processors, may have access to your personal data:

Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g., for data center services, payment processing, IT security, IT service providers, software as a service providers). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, unless they are processors;

Government agencies/authorities, insofar as this is necessary for the fulfillment of our services or for the fulfillment of a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR;

Persons involved in the operation of our business (e.g., auditors, banks, insurers, legal advisors, supervisory authorities, parties involved in company acquisitions or the formation of joint ventures). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

For ensuring an adequate level of data protection when transferring data to third countries, see 1.8.

In addition, we only transfer your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

 

2.6. Use of Cookies, Plugins, and Other Services on Our Website

2.6.1. Cookies

We use cookies on our websites. Cookies are small text files that are assigned to and stored on your hard drive by the browser you use and through which certain information flows to the party that sets the cookie. Cookies cannot run programs or transmit viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offering as a whole more user-friendly and effective, i.e., more pleasant for you.

Cookies may contain data that makes it possible to recognize the device used. Some cookies, however, only contain information about certain settings that are not personally identifiable. Cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted again as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.

In terms of their function, cookies are also distinguished as follows:

• Technical cookies: These are strictly necessary to navigate the website, use basic functions, and ensure the security of the website; they do not collect information about you for marketing purposes or store which websites you have visited;
• Performance cookies: These collect information about how you use our website, which pages you visit, and, for example, whether errors occur during website use; they do not collect information that could identify you – all information collected is anonymous and is only used to improve our website and find out what interests our users;
• Advertising cookies, targeting cookies: These are used to provide the website user with tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
• Sharing cookies: These are used to improve the interactivity of our website with other services (e.g., social networks); sharing cookies are stored for a maximum of 13 months.

Any use of cookies that is not strictly technically necessary constitutes data processing that is only permitted with your express and active consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. This applies in particular to the use of advertising, targeting, or sharing cookies. In addition, we only transfer your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, § 25 para. 1 TDDDG.

 

2.6.2. YouTube with Enhanced Privacy

his website embeds videos from YouTube. The operator of the pages is:

Google Ireland Limited („Google“),

Gordon House, Barrow Street,

Dublin 4, Irland.

We use YouTube in enhanced privacy mode. According to YouTube, this mode ensures that YouTube does not store information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the enhanced privacy mode. For example, YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube can store various cookies on your device after starting a video or use comparable recognition technologies (e.g., device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve user-friendliness, and prevent fraud attempts.

Further data processing operations may be triggered after starting a YouTube video, over which we have no influence.

The use of YouTube is in the interest of an attractive presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; § 25 para. 1 TDDDG; consent can be withdrawn at any time.

Further information on data protection at YouTube can be found in their privacy policy at: policies.google.com/privacy

 

2.6.3. Google Maps

This site uses the Google Maps map service. The provider is:

Google Ireland Limited („Google“),

Gordon House, Barrow Street,

Dublin 4, Irland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer.

The use of Google Maps is in the interest of an attractive presentation of our online offers and to make it easy to find the locations we indicate on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG; consent can be withdrawn at any time.

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here:

privacy.google.com/businesses/gdprcontrollerterms/ and

privacy.google.com/businesses/gdprcontrollerterms/sccs/

More information on the handling of user data can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=en

 

2.7 Analyse-Tools and Advertising

2.7.1. Google Tag Manager

We use Google Tag Manager. The provider is:

Google Ireland Limited
Gordon House, Barrow Street,
Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform any independent analyses. It only serves to manage and play out the tools integrated via it. However, Google Tag Manager does record your IP address, which may also be transmitted to the parent company of Google in the United States.

The use of Google Tag Manager is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of various tools on its website. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; consent can be withdrawn at any time.

 

2.7.2.Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is:

Google Ireland Limited („Google“),

Gordon House, Barrow Street,

Dublin 4, Irland.

Google Analytics enables the website operator to analyze the behavior of website visitors. Here, the website operator receives various usage data, such as page views, length of stay, operating systems used, and origin of the user. This data may be summarized by Google in a profile that is assigned to the respective user or their device.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.

The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its web offering and its advertising. If a corresponding consent has been requested (e.g., consent to the storage of cookies), processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG; consent can be withdrawn at any time.

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here:

privacy.google.com/businesses/controllerterms/mccs/

IP Anonymization
We have activated the IP anonymization function on this website. As a result, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activities, and to provide other services related to website and internet use to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

Browser Plugin
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link:

tools.google.com/dlpage/gaoptout

More information on the handling of user data by Google Analytics can be found in Google’s privacy policy:

support.google.com/analytics/answer/6004245

Order Processing
We have concluded a contract for order processing with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

Storage Duration
Data stored by Google at user and event level that is linked to cookies, user IDs (e.g., User ID), or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) will be anonymized or deleted after 14 months. Details can be found at the following link:

support.google.com/analytics/answer/7667196

 

2.7.3 Google Ads

The website operator uses Google Ads. Google Ads is an online advertising program of:

Google Ireland Limited („Google“),

Gordon House, Barrow Street,

Dublin 4, Irland.

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available at Google (e.g., location data and interests) (audience targeting). We as website operators can quantitatively evaluate this data, for example, by analyzing which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.

The use of Google Ads is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the most effective marketing of its service products.

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here:

policies.google.com/privacy/frameworks and

privacy.google.com/businesses/controllerterms/mccs/

Google Conversion Tracking
This website uses Google Conversion Tracking. The provider is:

Google Ireland Limited ("Google")
Gordon House, Barrow Street,
Dublin 4, Ireland.

With the help of Google Conversion Tracking, Google and we can recognize whether the user has performed certain actions. For example, we can evaluate which buttons on our website were clicked how often and which products were viewed or purchased particularly frequently. This information is used to create conversion statistics. We learn the total number of users who clicked on our ads and what actions they performed. We do not receive any information with which we can personally identify the user. Google itself uses cookies or comparable recognition technologies for identification.

The use of Google Conversion Tracking is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its web offering and its advertising. If a corresponding consent has been requested (e.g., consent to the storage of cookies), processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG; consent can be withdrawn at any time.

 https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/.

 

3. ION CRM

We use the CRM ION (Intelligent Office Manager) for managing our customer data. Provider is  

Intelligent Software, Peter Matzka
EDV Vertriebs KEG,

Johann Böhmgasse 14

2201 Gerasdorf Österreich.

his locally hosted CRM enables us, among other things, to manage existing and potential customers as well as customer contacts and to organize sales and communication processes. The use of the CRM system also allows us to analyze and optimize our customer-related processes. The customer data is stored exclusively on internal servers. Details about the functions of the CRM can be found here: www.ion.co.at/Beschreibung.htm

The use of the CRM is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the most efficient customer management and customer communication possible. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; consent can be withdrawn at any time.

Details can be found in the privacy policy of ION:  http://www.ion.co.at/Impressum.htm

 

4. Microsoft 365

We use the cloud services of Microsoft 365. When using Microsoft 365, the following personal data about you may be processed.

4.1. Data Categories 

• Documents and files
• Tasks and solutions
• Communication data
• Basic personal data
• Authentication data
• Contact information
• Profiling
• Log file with accesses
• System-generated protocol data
• Entries in questionnaires
•  

4.2. Catagories of data subjects 

• For data categories 1–9: Persons who use or administer Office 365
• For data categories 3, 8, 9: Persons who are identifiable in communications and documents
• For data category 10: Persons who use Microsoft Forms surveys

 

Kappa pursues the following purposes when using Microsoft 365. The main aim is to enable its own employees to work mobile and to network our companies. However, we also want to simplify and improve collaboration with customers and third parties. The services and functions available in Microsoft Office 365 are used to create and store content, plan appointments, and communicate. This enables effective information exchange. In this way, Kappa can network employees and external parties and work on projects together without having to be in the same place. The processing of your personal data therefore serves the execution of contracts and collaboration in the project.

The release of personal data in the cloud (OneDrive and SharePoint) and the use of cloud computing in general specifically serve the following purposes: permanent and location-independent retrievability of documents, enabling location-independent work, involvement of third parties/external parties in the processing of documents and data, more efficient and faster processes, simplified planning, outsourcing of IT services to save own resources, reduced IT administration effort, and increased flexibility. The SharePoint service is used as a platform for data storage and data exchange between employees and external parties.

When using Microsoft Office 365, diagnostic data is transmitted to Microsoft so that the services can be provided (error-free). Since all applications are cloud-based, they are continuously checked. The processing of diagnostic data also serves to improve and update the software by installing new versions. Finally, processing also serves to ensure the security of the services and rapid troubleshooting by Microsoft.

 

4.3. Recipients  

• Microsoft Ireland Operations Limited, for order processing and contract fulfillment
• Microsoft Corporation, for order processing and contract fulfillment and for its own purposes
• As well as their Subprocessors and Support Service Providers

 

4.4. Guarantees for International Data Transfer  

• Microsoft Corporation  
  •  Standard data protection clauses

Counter-exceptions Art. 49 Par. 1 Subpar. 1 (c) of the GDPR for purposes 1. and 6. 

Counter-exceptions Art. 49 Par. 1 Subpar. 1 (d) of the GDPR for purposes 2.-5, 7., 8.

 Subcontracted processors 

• •  standard data protection clauses

Further information regarding the purpose and scope of data collection and processing of same by Microsoft Teams can be found in Microsoft’s data privacy statement at https://privacy.microsoft.com/de-de/privacystatement and Microsoft Teams at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy as well as in the FAQ and Contact section https://support.microsoft.com/de-DE/privacy There,  you will find further information as well regarding your rights in these matters. Microsoft processes your personal data in the USA as well. EU standard contracts with Microsoft for 365 and Teams have been concluded in order to guarantee an appropriate level of data protection.

 

4.5.Storage Duration

90 days after deletion of the account upon request or after objection (data categories 4–7)

90 days after deletion of content data, after the necessity ceases (data categories 1–3)

180 days (data categories 8, 9)

 

4.6. We Conduct Online Meetings with Microsoft Teams

In the context of our online meetings via Microsoft Teams, we process the following data:

• Communication data (e.g., your email address, if you provide it)
• Personal data (if you provide it)
• Content of the online meeting (if you appear personally with contributions in word and/or writing)
• Authentication data
• Log files, protocol data
• Metadata (e.g., IP address, time of participation, etc.)
• Profile data (e.g., your username, if you provide it)

To be able to communicate with you online, we use the online meeting tool Microsoft Teams. The data processing is carried out on the basis of a legitimate interest under Art. 6 para. 1 lit. f GDPR. Our legitimate interest for data processing is:

• Personal communication even with distant conversation partners (saving travel time and costs)
• Health protection of communication participants by avoiding personal contact.
•  

4.7. We Use Microsoft Forms for Surveys

We use Microsoft Forms so that we can effectively create forms for surveys and questionnaires. For this purpose, personal data is processed and stored in Microsoft’s cloud servers. This data is not used for automated decisions including profiling.

Processed data:
In particular, the following information is collected:

• Name, email address, profile picture (if logged into MS365), preferred language, status (if logged into MS365), date and time of opening the questionnaire, date and time of submitting the response.
  In addition, Microsoft collects usage data, your IP address, and cookies, unless you have refused this in your browser. Further information on data processing by Microsoft can be found at: privacy.microsoft.com/en-us/privacystatement
  Depending on your role in the questionnaires, the type of data requested varies.

Creator/Owner:
Owners have access to the Forms and can create and distribute surveys, forms, and questionnaires either alone or with other owners. The usage data of the owners and their profile information are stored.

Respondents:
Respondents are persons who participate in a survey.

Contact information:
If you participate in an anonymous survey, your response does not contain any contact information and cannot be traced back to you. In this case, the information you enter and the information retrieved by Microsoft are processed.
In a confidential survey, only the content of your response is confidential, not the fact that you participated in the survey. In this case, we can see your name, your email address, and the date and time you opened and submitted the survey.

Data from surveys/forms/questionnaires:
The entered data is stored in the Microsoft cloud. Only we have access to the responses.

Data storage:
Unless we have a legitimate interest in longer storage, we delete all responses within one year after the survey is completed.
You can ask us how long your responses are stored in Forms.

 

 

5. Processing of Customer Data (Request for Quotation, Contract Initiation, Contract Conclusion, and Post-Contract Data Processing)

We collect, process, and use your personal data to the extent necessary for the establishment, content, or modification of the contract.

 

5.1. Categories of Data

The following data is required to register you as a customer with us:

• Company name with legal form (e.g., GmbH)
• Company headquarters (street / house number / postal code / city)
• Name and first name of the contact person
• Telephone
• Name and first name of the managing director/owner of the business

You can voluntarily provide us with the following data:

• Email address – Please note, however, that we require this for access to our online shop.
• Fax
• If applicable, different billing address
• Mobile phone
• Date of birth of the managing director/owner of the business
•  

5.2. Storage Duration

The data collected is stored by us as long as you are in a business relationship with us. After the end of the business relationship, your data will be deleted unless overriding legitimate interests on our part or statutory retention periods prevent this.

 

5.3. Legal Basis

The processing of personal data is carried out for contractual purposes. The legal basis for processing for these purposes is:

1. If you are a registered merchant or freelancer, Art. 6 para. 1 lit. b GDPR, i.e., data processing for the purpose of performing the contract or pre-contractual measures with the data subject; or
2. If you act as an employee of a company, e.g., as a purchasing employee, Art. 6 para. 1 lit. f GDPR, the legitimate interest of Kappa optronics GmbH. The legitimate interest of Kappa optronics GmbH here is to prepare the sale of products or services of Kappa optronics GmbH and group companies, which is particularly justified by entrepreneurial freedom and professional freedom.
    

5.4. Data Comparison with the Financial Sanctions List

If you request a quote from us, we are required to check your name and, if applicable, your date of birth against the official financial sanctions list via the official justice portal: www.finanz-sanktionsliste.de/fisalis/

Further information on data processing by the judiciary can be found at: justiz.de/datenschutz/index.php;jsessionid=3B55EEBC9013B9AD1CF257FDB52CDC99

We must carry this out due to a legal obligation. The legal basis for processing is therefore Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with eur-lex.europa.eu/LexUriServ/LexUriServ.do.

A negative result is stored for up to 3 years after the end of a contractual relationship. In the case of a positive result, we store this as well as the rejection of a contractual relationship for 3 years.

 

6. Social Media

We operate our own pages on various social networks to enable interaction with interested users or customers and to inform them about our activities and events. We do not process user data ourselves on social networks and can only evaluate and use the anonymized data provided by, for example, Facebook. In this context, user data may be transferred to countries outside the European Union. Furthermore, the collected user data is processed for marketing purposes, for example, to define target groups and then display targeted advertising material to them on the respective social media platform. To enable this, cookies are often stored by the social network/provider, which contain online behavior, interests, etc., of the users. Usage profiles on the respective platforms may also contain data that is stored independently of the device. The legal basis for this type of data processing is our legitimate interest in functional and stable communication with users via the respective online presence. In some cases, social media providers may ask you for consent to the respective data processing. In this case, the legal basis for data processing is precisely this consent.

As a data subject, you can assert various rights against the controllers (see above). However, please note that exercising these data subject rights is generally most effective if you assert them directly with the platform provider. As a rule, only the platform providers have direct access to the processed data and can take appropriate measures themselves. Of course, we are available if you have further questions.

To provide you with as much relevant information as possible regarding data processing in social networks, we also refer to the data protection notices or privacy policies of the individual platform providers:

• Facebook: www.facebook.com/about/privacy
• Xing: privacy.xing.com/en/privacy-policy
• LinkedIn: www.linkedin.com/legal/privacy-policy
• Twitter: twitter.com/en/privacy
• Instagram: help.instagram.com/519522125107875
• YouTube: www.youtube.com/howyoutubeworks/privacy/

Um Ihnen möglichst alle relevanten Informationen bezüglich der Datenverarbeitung in Sozialen Netzwerken bereitzustellen, verweisen wir außerdem auf die Datenschutzhinweise bzw. die Datenschutzerklärungen der einzelnen Plattform-Anbieter:

• Facebook: https://www.facebook.com/about/privacy 
• Xing: https://privacy.xing.com/de/datenschutzerklaerung 
• Linked-In: https://www.linkedin.com/legal/privacy-policy 
• Twitter: https://twitter.com/de/privacy
• Instagram: https://de-de.facebook.com/help/instagram/519522125107875
• Youtube: YouTube Privacy Settings to Protect Your Data - How YouTube Works
   

6.1. LinkedIn Plugin

This website uses functions of the LinkedIn network. The provider is:

LinkedIn Ireland Unlimited

Company, Wilton Plaza, Wilton Place,

Dublin 2, Irland.

Each time a page of this website containing LinkedIn functions is accessed, a connection to LinkedIn servers is established. LinkedIn is informed that you have visited this website with your IP address. If you click the “Recommend” button from LinkedIn and are logged into your LinkedIn account, LinkedIn is able to associate your visit to this website with you and your user account. We point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by LinkedIn.

The use of the LinkedIn plugin is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the widest possible visibility in social media. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; consent can be withdrawn at any time. Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: www.linkedin.com/help/linkedin/answer/62538/datenubertragung-aus-der-eu-dem-ewr-und-derschweiz

Further information can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy

 

6.2.Google My Business

We operate a so-called Google My Business entry. If you find us in this way, we use the information service and services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google").

We point out that you use the Google page and its functions at your own responsibility. This applies in particular to the use of social and interactive functions (e.g., commenting, sharing, rating, direct messages). When visiting and interacting with our Google My Business entry, Google also collects your IP address and other information that is stored as cookies on your device. This information is used to provide us, as the operator of the Google My Business entry, with statistical information about the use of Google services. The data collected about you in this context is processed by Google and may be transferred to countries outside the European Union. What information Google receives and how it is used is described by Google in its privacy policy. More information is provided by Google in its privacy policy: policies.google.com/privacy

We do not know how Google uses the data from your visit for its own purposes, to what extent activities of individual users are assigned, how long Google stores this data, and whether data is passed on to third parties. When accessing Google services, the IP address assigned to your device is transmitted to Google. Google also stores information about the devices of its users. It is therefore possible that Google can assign IP addresses to individual users or user accounts. If you contact us via our Google My Business entry or other Google services by direct message, we cannot rule out that these messages can also be read and evaluated by Google (both by employees and automatically). We therefore advise against providing us with personal data there. Instead, another form of communication should be chosen as early as possible. We delete conversations no later than 14 days after the last chat activity or immediately after switching to another communication channel. The use of this service is subject to the Google privacy policy, which you have already agreed to by using it.

As the provider of our Google My Business entry, we do not collect or process any further data from your use of this Google offering.

 

7. Applications

7.1. Handling of Applicant

We offer you the opportunity to apply to us (e.g., by email, by post, or via online application form). Below, we inform you about the scope, purpose, and use of your personal data collected as part of the application process. We assure you that the collection, processing, and use of your data is in accordance with applicable data protection law and all other legal provisions and that your data will be treated strictly confidentially.

 

7.2. Scope and Purpose of Data Collection

If you send us an application, we process your associated personal data. We process personal data that we receive from you in the course of your application. At the time of your contact and during the application process, the following data may be collected, provided you submit it to us:

• Personal details (name, address and other contact details, date and place of birth, nationality)
• Bank details (for the purpose of travel expense reimbursement)
• Identification data (e.g., ID data)
• Health data* (e.g., information on disability/severe disability and, if applicable, a rejection for health reasons)
• Qualification documents (e.g., certificates, references, and other training certificates)
• Information about your personal background
• Information about your school background
• Information about your academic background
• Information about your professional background
• Photographs
• If you send your application by email:
• Email address
• Mail server
• IP address of the server
• If you send your application via our online form or portal:
• IP address
• Special categories of data within the meaning of Art. 9 para. 1 GDPR.

This data is collected insofar as it is necessary for the decision on the establishment of an employment relationship. The legal basis for this is § 26 BDSG-new under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation), and – if you have given consent – Art. 6 para. 1 lit. a GDPR. Consent can be withdrawn at any time. Your personal data will only be passed on within our company to persons involved in processing your application.

If the application is successful, the data you submitted will be stored on the basis of § 26 BDSG-new and Art. 6 para. 1 lit. b GDPR for the purpose of carrying out the employment relationship in our data processing systems.

 

7.3. Recipients of your Data

Data you provide to us is transmitted to management as well as to the managers in the respective responsible departments. For the possible reimbursement of travel expenses, your data is transmitted to the accounting department and our tax advisor.

However, we may use service providers for our organizational processes, the operation of our websites, or, for example, for email communication. We also use external service providers such as tax advisors and company doctors. In these cases, it may happen that a service provider becomes aware of personal data. We select our service providers carefully – especially with regard to data protection and data security – and take all data protection measures required for permissible data processing.

We only transfer your personal data to third parties if this is permitted by law or if you have consented.

 

7.4. Retention Period of Data

If we are unable to offer you a position, you reject a job offer, or you withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months after the end of the application process (rejection or withdrawal of the application). The data will then be deleted and physical application documents destroyed. Retention serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period (e.g., due to a pending or imminent legal dispute), deletion will only take place when the purpose for further retention no longer applies.

Longer retention may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.

 

7.5. Inclusion in the Applicant Pool

If we are unable to offer you a position, there may be the possibility of including you in our applicant pool. In the event of inclusion, all documents and information from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.

Inclusion in the applicant pool is based solely on your express consent (Art. 6 para. 1 lit. a GDPR). Giving consent is voluntary and is not related to the ongoing application process. The data subject can withdraw their consent at any time. In this case, the data from the applicant pool will be irrevocably deleted, unless there are statutory retention reasons.

The data from the applicant pool will be irrevocably deleted no later than two years after consent is given.

Procedures according to the General Equal Treatment Act (AGG).

 

8. Career Portal Rexx Systems

We use a career portal from rexx systems GmbH, Süderstrasse 75-79, 20097 Hamburg. This runs on the servers of Rexx Systems and is embedded as an iframe in our website. When you click on it, you are taken to a separate website, the career portal on the server of rexx systems.

On the career portal (hereinafter also referred to as the website), you can enter data into a form and upload documents (online application process).

If you use the online application process, the data entered in the input mask and the documents uploaded are processed on the servers of rexx systems GmbH and transmitted to us and stored.

Only the data necessary for your application is collected.

Personal data includes:

• Salutation, if applicable title, name, first name, contact details
• Information about the current employment relationship, insofar as this exists with a federal authority with so-called surplus staff
• Information to fulfill the mandatory and desirable requirement criteria according to the job advertisement

Additionally, the following health data from the category of particularly sensitive data is processed:

• Information on the existence of a severe disability or equal status

We will, of course, use your information exclusively for processing your application. In the application process, personal data about you is processed, which may vary depending on the vacancy. The legal basis for processing your personal data in the application process is § 26 BDSG and Art. 6 para. 1 sentence 1 lit. a), b), and f) GDPR. If no contract is concluded, your personal data will be deleted 6 months after the end of the application process, unless you have given us explicit consent for longer storage of your data.

On the career portal itself, as is often the case with most websites, further data is processed:

 

8.1. Technical Provision of the Career Portal

When you use the career portal for informational purposes only, i.e., if you do not register or otherwise transmit information to us (e.g., via a contact form), the following technical information (log file data) is collected:

• Operating system of the device with which you visit our website
• Browser (type, version & language settings)
• The amount of data retrieved
• The current IP address of the device with which you visit our website
• Date and time of access
• The URL of the previously visited website (referrer)
• The URL of the (sub-)page you access on the website
• The internet service provider of the accessing system

The collection of this data is technically necessary to display the website (career portal) to you and to ensure stability and security. We (and our service provider) generally do not know who is behind an IP address. We do not combine the above data with other data. The legal basis for storing the data/log files is Art. 6 para. 1 sentence 1 f) GDPR in conjunction with § 25 TDDDG. Storage in log files ensures the proper functioning of the website and also serves to improve and secure our systems. Further evaluation of this data (e.g., for marketing purposes) does not take place in this context. The data stored by Kappa optronics is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case after a maximum of six weeks. Further storage is possible. In this case, the IP addresses of the users are deleted or anonymized so that assignment of the accessing client is no longer possible.

 

8.2. Cookies

he career portal uses so-called "cookies" to make the website as a whole more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer system. We point out that some of these cookies are transferred from our server to your computer system, mostly so-called "session cookies." "Session cookies" are characterized by the fact that they are automatically deleted from your hard drive after the browser session ends. Other cookies remain on your computer system and enable us to recognize your computer system on your next visit ("persistent cookies"). When you access the website, the user is informed about the use of cookies and their consent to the processing of the personal data used is obtained. No personal data is stored in the cookies used. Based on the cookies, we only receive anonymized information. Of course, you can refuse cookies at any time, provided your browser allows this. Please note that certain functions of this website may not or only partially be usable if your browser is set so that no cookies (from our website) are accepted. The legal bases for possible processing of personal data by means of cookies and their storage duration may vary. If you have given us your consent, the legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR. If data processing is based on our overriding legitimate interests, the legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR. The stated purpose then corresponds to our legitimate interest. Technically necessary cookies serve to simplify the use of websites. The user data collected by technically necessary cookies is not used to create user profiles. The use of analysis cookies serves to improve the quality of the websites and their content. Through the analysis cookies, we learn how the website is used and can continuously optimize our offering. Cookies are stored on the user's computer and transmitted from there to our site. Therefore, users also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies for our website are deactivated, it may no longer be possible to use all functions of the website to their full extent.

 

 

 

8.3. Jobalert Newsletter

You can subscribe to a job alert on the career portal. To do this, you must select the desired notifications and provide your email address. This data is used exclusively to send you suitable job offers. 

 

8.4 Contact Form and Email

We provide a contact form on our website for easy contact. The data entered in the input mask is transmitted to and stored by Kappa optronics. In addition, at the time of sending, the user's IP address and the date and time of transmission are stored. Alternatively, you can contact us via the provided email address. In this case, the personal data transmitted with the email is also stored. The data is not passed on to third parties. The data is used exclusively for processing the inquiry. The legal basis for processing the data is, if the user has given consent, Art. 6 para. 1 sentence 1 a) GDPR. The legal basis for processing the data transmitted in the course of sending an email is Art. 6 para. 1 sentence 1 f) GDPR. If the email contact aims at the conclusion of a contract, the legal basis for processing is Art. 6 para. 1 sentence 1 b) GDPR.

The processing of personal data serves solely to process the contact. In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

 

8.5. Disclosure of Personal Data/Recipients

Your personal data is generally not transferred to third parties unless we are legally obliged to do so, the data transfer is necessary for the execution of the contractual relationship, or you have previously expressly consented to the transfer of your data. Your data will only be passed on to affiliated companies and service partners if they act on our behalf and support Kappa optronics in providing its services. Processing of your personal data by commissioned service providers takes place within the framework of order processing in accordance with Art. 28 GDPR. The aforementioned service providers only receive access to such personal information as is necessary for the performance of the respective activity. These service providers are prohibited from passing on your personal information or using it for other purposes, in particular for their own advertising purposes. As far as external service providers come into contact with your personal data, we have ensured through legal, technical, and organizational measures as well as through regular checks that they also comply with the applicable data protection regulations. Specifically, these are the following recipients: Commercial transfer of your personal data to other companies does not take place.

We place great value on processing your data within the EU / EEA. However, it may happen that we use service providers who process data outside the EU / EEA. In these cases, we ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before your personal data is transferred. This can be achieved, for example, through EU standard contracts or binding corporate rules or special agreements to which the company can submit.

 

8.6. Matomo

On this website, data is collected and stored for marketing and optimization purposes using the web analytics software Matomo (www.matomo.org). Usage profiles are created from this data under a pseudonym, and cookies are used for this purpose. Cookies are small text files that are stored locally in the cache of the internet browser of the site visitor. The cookies enable the recognition of the internet browser. The data collected with Matomo technology (including your anonymized IP address) is transferred to our server and stored for usage analysis purposes, which serves to optimize our website. The information generated by the cookie in the pseudonymous user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym. You can prevent the use of cookies and thus participation in tracking by making the appropriate settings in your browser software, but it may be that you will not be able to use all functions of this website to their full extent. The legal basis for processing the personal data of users is Art. 6 para. 1 sentence 1 a) GDPR. The processing of personal data of users enables us to analyze the surfing behavior of our users. We are able to compile information about the use of the individual components of the website by evaluating the data obtained. This helps us to continuously improve the website and its user-friendliness. Data collection and storage only take place after express consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR, § 25 para. 1 TDDDG.

Storage duration
Cookies are stored on the user's computer and transmitted from there to our site. Therefore, you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies for our website are deactivated, it may no longer be possible to use all functions of the website to their full extent. Further information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/Speicherdauer

 

9. Events and Trade Fairs

You have the opportunity to register for certain events on our homepage, by email, by fax, or by telephone, providing personal data.

Which personal data is transmitted to the controller in this process results from the respective input mask used for registration.

 

9.1. Purpose of Processing and Legal Basis

The personal data you provide, in addition to the IP address and the time of registration for the event, is collected and stored exclusively for internal use by us and for the organization and execution of the event. The legal basis for processing is the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b) GDPR.

 

9.2. Duration of Storage and Deregistration

We process your data until the event has been fully carried out and your data does not have to be retained for compelling legal reasons (e.g., for tax reasons).

 

9.3. Necessity of Provision

The provision of personal data is neither legally nor contractually required. You can cancel your registration at any time.

 

Status as of October 16, 2025