Privacy Policy & Cookie Settings
- Definitions and Principles of Data Processing
“Personal data” means any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, gender, address, telephone number, email address, date and place of birth, IP address, or user behaviour. Information that cannot be related to you personally (or only with a disproportionate effort)—for instance because it has been anonymised—does not constitute personal data within the meaning of Recital 26 GDPR.
“Processing” means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
Processing of personal data is lawful only if it is based on a legal basis. Personal data must be erased once the purpose of processing has been achieved and no statutory retention obligations apply any longer.
The “controller” is the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Where we process your personal data, we inform you below about the specific processing activities, the data concerned, the source of the data, the scope and purpose of processing, the legal basis, the storage periods, your rights as a data subject, potential transfers, and whether you are required to provide the data.
- Name and Address of the Controller and the Data Protection Officer
The controller within the meaning of the GDPR and other applicable data protection laws is:
CeramOptec GmbH
Siemensstr. 44
53121 Bonn
Germany
Tel.: +49 (0)228 979670
E-mail: datenschutz@ceramoptec.de
Website: www.ceramoptec.com
Data Protection Officer: Regina Maria Mörth, reachable at datenschutz@ceramoptec.de or by post at the above address.
- Overview of Purposes and Legal Bases of Processing
We process personal data of visitors and users of our website (“users”) only insofar as this is necessary for the provision of a functional website and of our content and services, or where you voluntarily provide such data to us. In particular, we process personal data for the following purposes:
- Provision, presentation, and security of the website (including hosting by SOL.Service Online GmbH & Co. KG / DomainFactory GmbH and operation of the WordPress content management system);
- Management and documentation of your consents via our cookie consent tool;
- Statistical analysis and optimisation of our online services through Google Analytics 4;
- Processing of contact and product enquiries submitted via our forms or by email;
- Communication via our LinkedIn company page;
- Processing of job applications submitted by email or via our forms.
Depending on the purpose, our processing is based on the following legal bases: Art. 6(1)(a) GDPR (consent, e.g., for analytics/marketing tools); Art. 6(1)(b) GDPR (contract performance or pre-contractual steps); Art. 6(1)(c) GDPR (legal obligations, in particular consent management under § 25 TTDSG); Art. 6(1)(f) GDPR (legitimate interests in secure, efficient, and user-friendly provision of our website and effective corporate communication).
Personal data are disclosed to third parties only where there is a legal basis for doing so or where you have given your explicit consent.
- Specific Processing Activities: Categories of Data, Scope, Purpose, and Legal Bases
Below we describe the specific processing activities on our website, the data processed, scope and purpose of processing, and the applicable legal bases.
- Hosting of the Website
Our website is hosted by an external service provider (SOL.Service Online GmbH & Co. KG, Inselstraße 3, 31787 Hameln, Germany). Personal data collected via our website are stored on the host’s servers in Germany. These data may include IP addresses, contact requests, meta and communication data, contact details, names, page views and other data generated via the website.
Hosting is used for the purpose of fulfilling contracts with potential and existing customers (Art. 6(1)(b) GDPR) and in our legitimate interest in the secure, fast and efficient provision of our website by a professional provider (Art. 6(1)(f) GDPR). We have concluded a data processing agreement pursuant to Art. 28 GDPR with our hosting provider to ensure compliant processing and the protection of your data. According to our processor, processing takes place within the EU.
- Content Management (WordPress)
Our website is operated using the WordPress content management system. WordPress is open-source software developed and provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.
The technical operation and maintenance of our WordPress instance are handled by our hosting provider DomainFactory GmbH, with whom we have concluded a data processing agreement pursuant to Art. 28 GDPR.
Depending on user interaction, the following technical data are processed to ensure website display, page rendering and system security: IP address of the requesting device; date and time of access; name and URL of the retrieved file; referrer URL; browser and operating system used; login data for the editorial backend (authorised users only).
This processing is technically required to ensure stability and security and to detect disruptions or attacks. Legal basis: Art. 6(1)(f) GDPR (legitimate interests).
WordPress uses technically necessary cookies to store session data and user preferences. No personal data are transmitted to third parties unless you consent to the use of additional tools (e.g., analytics or marketing).
- Use of Local Fonts (Google Fonts)
For a consistent display of our website, we use fonts from the Google Fonts library. The font files are stored locally on our servers, so no connection to Google servers is established and no data are transmitted to third parties when our pages are loaded.
- Consent Management (CCM19)
We use the consent management tool CCM19 provided by Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany, to obtain, manage and document your consents to the storage of certain cookies and the use of services in accordance with the GDPR and the German Telecommunications Telemedia Data Protection Act (TTDSG).
How it works: When you visit our website, CCM19 connects to our servers to store your consent preferences and withdrawals. The following data are processed: your IP address (anonymised/shortened); date and time of your consent status; technical information about browser, device and operating system; your selections (opt-in/opt-out); a randomly generated ID (cookie ID) for assignment.
Data are stored exclusively on servers located in Germany and are not shared with third parties. No data transfer to third countries takes place. Purpose: legally compliant consent collection and documentation. Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interests in proof of consent).
You can modify or withdraw your consent at any time via the “Cookie Settings” link in the footer. A current list of cookies, storage periods and categories can be viewed in CCM19. Further information: https://www.ccm19.de/datenschutzerklaerung.html
- Statistical Analysis / Online Marketing – Google Analytics 4 and Google Ads
We use Google Analytics 4 and, where applicable, Google Ads provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). For users within the EU/EEA, processing is carried out by Google Ireland Limited; servers may also be located in the USA. Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is the recipient of these data.
Google Analytics 4 uses cookies and similar technologies to analyse website usage. The following data are processed: IP address (shortened/anonymised); usage and event data (page views, interactions, session duration); device and browser information; source/campaign data (referrer URL, marketing campaigns). IP addresses are anonymised prior to transmission (“IP masking”). GA4 does not store full IP addresses and provides pseudonymised statistics only.
Data may be transferred to Google servers in the USA. Such transfers are based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU–US Data Privacy Framework, for which Google LLC is certified. Purpose: statistical analysis and optimisation of our online presence. Legal basis: your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG). You can withdraw consent at any time via our consent tool.
Google Ads (Conversion Tracking and Remarketing): if you have consented in the banner, we use Google Ads to advertise our services online and to measure campaign performance. Google uses cookies or similar technologies to determine whether you reached our website via a Google ad (conversion tracking) or to recognise you on subsequent visits (remarketing). The following data may be processed: pseudonymised online identifiers (cookie ID, advertising ID), access and interaction data, device and browser information, and potentially location data. If you are logged into your Google account, Google may link data across devices. We receive anonymous statistical reports only (e.g., number of conversions). Legal basis: your consent (Art. 6(1)(a) GDPR; § 25 TTDSG). Further information: https://policies.google.com/privacy
- Subscription, Sending and Receipt of Our Newsletter
We use the services of CleverReach (CleverReach GmbH & Co. KG, Schafjueckenweg 2, 26180 Rastede, Germany) to manage newsletters. If you subscribe to our newsletter using the double opt-in procedure, we process your first and last name, company name, email address, and—solely for documentation—your IP address and the date/time of your consent. These data are used exclusively for subscription and delivery. We also measure newsletter performance (opens, dwell time, click paths, conversion rates).
Legal bases: verification of your registration (Art. 6(1)(f) GDPR – legitimate interest in lawful handling of the registration); newsletter delivery based on your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time with future effect via the unsubscribe link; performance measurement based on our legitimate interests (Art. 6(1)(f) GDPR). In some cases, processing may be based on our legitimate interest in direct marketing to existing customers (Art. 6(1)(f) GDPR; § 7 UWG).
Upon unsubscription, your data are removed from the distribution list to prevent future mailings; data stored for other purposes remain unaffected.
Note: At present, we do not operate an active newsletter service. As soon as this service becomes available, the above provisions will apply.
- Contact via the Website
If you contact us (e.g., by email, phone, fax, or via a contact form), we process and store your details in order to handle your request and any follow-up questions. The data processed include at least the contact data you provide (e.g., your email address for email requests; for form submissions your first and last name, phone number, email address, and the company you work for), as well as any additional information you provide in the course of communication. We do not share your data with third parties without your prior consent.
To comply with data minimisation, please limit your information to what is necessary. If you request contact, the legal basis is Art. 6(1)(f) GDPR (legitimate interests in processing your request). If contact aims at concluding or performing a contract, the legal basis is Art. 6(1)(b) GDPR. Where we have your consent, the legal basis is Art. 6(1)(a) GDPR (and, if special category data are provided, Art. 9(2)(a) GDPR).
- Contracts
We process personal data for the initiation and/or performance of contractual relationships to the extent necessary. Typically processed data include:
- Customers: name, customer number, address, contact data (email, phone), bank details, username and password where applicable;
- Service providers & suppliers: name, address, contact person details, contractual terms (e.g., pricing);
- Employees: name, address, contact data, date and place of birth, personnel number, social security number, health insurance, religious affiliation, bank account.
Legal bases: Art. 6(1)(b) GDPR (contract initiation/performance) and Art. 6(1)(f) GDPR (legitimate interests in efficient processing and assertion/defence of legal claims). For employee data: Art. 6(1)(b) GDPR and, where applicable, Art. 9(2)(b) GDPR in conjunction with § 26(1), (3) BDSG.
- Job Applications and Recruitment
If you apply to us (e.g., by email or via a contact form), we process your details and the documents you submit, including the personal data contained therein, for the purpose of handling your application. Required data typically include your first and last name, email address, phone number, the position applied for, driving licence ownership where relevant, preferred location, as well as any additional information or documents you provide.
If you apply by email or via form, the legal basis is our legitimate interests pursuant to Art. 6(1)(f) GDPR (complete handling of your application). If you consent, the basis is Art. 6(1)(a) GDPR (and where applicable Art. 9(2)(a) GDPR). If an employment relationship is established, data are processed for its establishment and performance under § 26(1), (3) BDSG. If the application does not result in employment, we have a legitimate interest (Art. 6(1)(f) GDPR) in retaining the data for a limited period (see Section 8) to assert or defend legal claims.
- Social Media Links (LinkedIn, YouTube)
Our website links to our corporate profiles on social networks to communicate with customers, partners, and interested parties and to provide information about our products and services. This currently includes LinkedIn, YouTube and Twitter/X.
Links are implemented as static text or graphic links. This means that no connection to the servers of the respective networks is established when you visit our website. A connection is created only when you click the link; from that point on, processing occurs under the sole responsibility of the platform provider.
LinkedIn: We operate a company page on LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland). For certain processing activities (in particular “Page Insights”), we are joint controllers with LinkedIn pursuant to Art. 26 GDPR. Agreement: https://legal.linkedin.com/pages-joint-controller-addendum. LinkedIn’s Privacy Policy: https://www.linkedin.com/legal/privacy-policy. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in external communications).
YouTube: Static links may lead to videos hosted by YouTube (Google Ireland Limited, Dublin; for users outside the EU: Google LLC, USA). When clicking a YouTube link, data such as IP address, referrer URL and device information are transmitted to Google. Transfers to the USA are based on the Standard Contractual Clauses and the EU–US Data Privacy Framework (Google LLC certified). Privacy Policy: https://policies.google.com/privacy
- Security Measures – Wordfence Security Plugin
To protect our website and to defend against unauthorised access and malicious cyberattacks, we use the Wordfence security plugin, a service of Defiant Inc., 800 5th Ave, Suite 4100, Seattle, WA 98104, USA.
Wordfence detects and blocks attacks, monitors server integrity and secures the website against unauthorised access. The plugin analyses website traffic (e.g., IP addresses, browser information, timestamps, referrer URLs, number of access attempts) and compares patterns with known attack signatures.
Data processed include in particular: IP address of the requesting person; URL of the accessed pages; browser type, language, date and time of access; and, where applicable, backend login attempts.
Data transfer and storage: to identify and block malicious traffic, IP addresses may be stored in firewall and brute-force protection lists. In exceptional cases, IP addresses or security-relevant event data may be transferred to servers of Defiant Inc. in the USA. Transfers are based on the EU Standard Contractual Clauses (Art. 46 GDPR). Further information: https://www.wordfence.com/privacy-policy/. Legal basis: Art. 6(1)(f) GDPR.
- Categories of Recipients of Personal Data
5.1 Processors: We work with service providers bound by our instructions on the basis of data processing agreements (Art. 28 GDPR), who may have access to your data—for example, consent management providers, hosting providers, or newsletter delivery providers. Examples include: SOL.Service Online GmbH & Co. KG (Germany); Automattic Inc. (WordPress, USA); Google Ireland Ltd. (Ireland); CleverReach GmbH & Co. KG (Germany); fr financial relations GmbH (Germany).
5.2 Other Recipients: Data may also be shared with (i) public authorities where legally permissible or required; (ii) other legal entities within our corporate group (e.g., Ceram Optec SIA, Domes iela 1a, Livani, LV-5316, Latvia) where involved, lawful and necessary; and (iii) any legal successor to our company or parts thereof.
- Data Transfers to Third Countries
As explained in Section 3 and where you give consent or another legal basis applies, personal data may be transferred to third countries without an EU adequacy decision. In such cases, transfers are based on your consent or, where applicable, appropriate safeguards under Art. 46 GDPR (in particular the EU Standard Contractual Clauses). Please note that an equivalent level of protection to the GDPR may not be guaranteed in all third countries with regard to your data subject rights and legal remedies.
Where transfers are made to companies certified under the EU–US Data Privacy Framework (e.g., Google LLC, Defiant Inc.), these are based on the adequacy decision of the European Commission of 10 July 2023.
- Storage Period
We process and store personal data only for as long as necessary to achieve the respective purpose or as long as statutory retention periods require. Once the purpose ceases to apply or a retention period expires, data are routinely blocked or erased in accordance with legal requirements.
Applicant documents are stored for the duration of the recruitment process and for two months after a rejection has been communicated, provided that (i) no employment relationship is established, (ii) no consent to longer storage has been given, and (iii) no claims have been asserted within the exclusion period set out in § 15(4) AGG. If claims are asserted within that period, storage is extended at least by the three-month period under § 61b(1) ArbGG. If no action is filed within that period, documents are destroyed; otherwise, they are stored until a court decision becomes final. In the event of successful recruitment, applicant documents that are necessary are stored in the personnel file for the duration of the employment relationship and statutory limitation periods; in the event of litigation, storage continues until a final court decision.
- Your Rights as a Data Subject
You have the following rights under the GDPR with respect to the processing of your personal data: right of access (Art. 15 GDPR in conjunction with §§ 29, 34 BDSG); right to rectification (Art. 16 GDPR); right to erasure (Art. 17 GDPR in conjunction with § 35 BDSG); right to restriction of processing (Art. 18 GDPR); right to data portability (Art. 20 GDPR); and right to object (Art. 21 GDPR). You also have the right to withdraw consent at any time with future effect (Art. 7(3) GDPR). You may exercise these rights at any time by contacting us at datenschutz@ceramoptec.de.
You also have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The supervisory authority at our place of business is: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), https://www.ldi.nrw.de/.
Please note: When exercising your rights under Arts. 15–22 GDPR, we will process the personal data you submit in order to handle your request and to demonstrate compliance. This processing is based on Art. 6(1)(c) GDPR in conjunction with § 34(2) BDSG and/or Art. 12 GDPR and Art. 6(1)(f) GDPR (our legitimate interest in evidenced compliance and defence of legal claims).
- Necessity to Provide Personal Data
The provision of personal data may be required by law, contract, pre-contractual necessity, or for technical reasons. On our website, data that are necessary for use are marked accordingly. If you do not provide required data, certain functions may not be available and our services may not be usable.
Before providing personal data, you may contact us at any time at datenschutz@ceramoptec.de. We will inform you on a case-by-case basis whether the provision of personal data is legally or contractually required or necessary for the conclusion of a contract, whether there is an obligation to provide personal data and what the possible consequences of not providing such data would be.
As a rule, there is no statutory obligation to provide personal data, though such an obligation may arise from tax, commercial or employment law provisions.
- Existence of Automated Decision-Making
As a responsible company, we do not use automated decision-making or profiling.
- Data Security
We implement technical and organisational measures in accordance with Art. 32 GDPR and continuously adapt these to the state of the art. We use SSL/TLS 1.2 encryption to protect the transmission of confidential content (e.g., orders, applications, or enquiries). You can recognise an encrypted connection by the address in your browser's address bar changing from “http://” to “https://” and by the lock symbol in your browser bar.
Where we engage third parties to process your data, they are carefully selected and bound by contract in accordance with legal requirements.
If you require further information, please contact us at datenschutz@ceramoptec.de.
- Cookies and Similar Technologies
Our website uses cookies and similar technologies. “Similar technologies” are technical means that enable identification of visitors or analysis of website use without strictly setting cookies, such as tracking pixels or local storage.
Cookies are small text files stored by the browser on the user’s device. When a user visits our website, a cookie may be stored or, for example, a tracking pixel may be triggered. Cookies contain a unique identifier (e.g., a browser ID). Cookies can be session cookies (deleted when the session ends), time-limited cookies (deleted after a defined period), or persistent cookies (remain until you delete them). Third-party cookies may also be used when you visit our site.
Technically necessary cookies and technologies are those without which our website would not be functional and usable. This category includes only those ensuring basic functions, display and security of the website as well as the consent request for non-essential cookies and technologies (cookie banner). These may be set without consent.
Non-essential cookies and technologies include all those not strictly required for functionality, display or security of the website. This includes function cookies (e.g., live chat) and, in particular, technologies that collect and process personal data for statistics, performance, marketing and analytics. Non-essential cookies and technologies require your prior informed consent.
We request your consent via our cookie banner when you visit our website. If you consent, we and, where applicable, third parties process the data collected on the basis of your consent (Art. 6(1)(a) GDPR and § 25 TTDSG). You may withdraw consent at any time with future effect via the “Manage consent preferences” function; processing will cease immediately. The lawfulness of processing prior to withdrawal remains unaffected.
The legal basis for the processing of personal data when using technically necessary cookies and technologies is our legitimate interest in the technically error-free, secure and visually appealing provision of the website and its functions (Art. 6(1)(f) GDPR). The legal basis for the storage and processing of personal data when using non-essential first-party cookies and any third-party cookies is your consent (Art. 6(1)(a) GDPR; § 25 TTDSG). You can configure your browser to be informed about the setting of cookies, to allow cookies only in individual cases, to exclude acceptance of cookies for certain cases or in general, and to enable the automatic deletion of cookies when closing the browser. Disabling cookies may limit website functionality.
Where third-party cookies or consent-requiring technologies are used, you will be informed in this Privacy Policy and in our cookie policy within CCM19 about the specific technologies, purposes and storage periods.
- Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy at any time in compliance with applicable laws and regulations. The version available online at the time of your visit applies. The current version can always be accessed at https://www.ceramoptec.com/privacy-policy/.
Last updated: November 2025 – CeramOptec GmbH