Data Protection
Stand: 15.05.2025
1. General information
1.1 We, Capiton AG, would like to inform you about the processing of personal data when you visit our website.
1.2 The terms used below have the same meaning as in the General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR”).
2. Data controller
The entity responsible for the processing of personal data within the meaning of Art. 4 No. 7 GDPR is
Capiton AG
Bleibtreustrasse 33
10707 Berlin, Germany
Berlin, Germany
Phone: +49 30 315 945 0
Fax: +49 30 315 945 57
3. Data protection officer
Our Corporate Data Protection Officer is always available to answer questions and act as a point of contact on data protection issues. The contact details are
Capiton AG
Bleibtreustrasse 33
D-10707 Berlin
Berlin, Germany
storch@capiton.de
4. Data subject rights
4.1 You have the following rights in relation to the processing of your personal data, which you can exercise against us at any time:
a) in accordance with Art. 15 GDPR, you may request information about the data we process. In particular, you may request information about the purposes of the processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the intended storage period, the existence of a right to rectify, erase, restrict or object to the processing, the existence of a right to lodge a complaint, the origin of the data if it was not collected by us, and the existence of automated decision making, including profiling, and, where applicable, meaningful information about its details;
b) in accordance with Art. 16 GDPR, to request the immediate correction of inaccurate data or the completion of your data stored by us
c) in accordance with Art. 17 GDPR, the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims
d) in accordance with Art. 18 GDPR, to request the restriction of the processing of your data if the accuracy of the data is contested by you or if the processing is unlawful;
e) in accordance with Art. 20 GDPR, to obtain the data provided by you in a structured, commonly used and machine-readable format or to request its communication to another controller (“data portability”);
f) object to the processing pursuant to Art. 21 GDPR, insofar as the processing is based on Art. 6 para. 1 lit. e or lit. f GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims. If you object to the processing of your data for direct marketing purposes, we will stop the processing immediately. This also applies to the creation of profiles in connection with direct marketing;
g) in accordance with Art. 7 para. 3 GDPR, you may revoke your consent to us at any time if you have given it. As a result, we will no longer be able to continue the data processing based on this consent in the future;
h) lodge a complaint with a supervisory authority pursuant to Art. 77 OF THE GDPR. As a general rule, you may contact the supervisory authority of your usual place of residence or work or our registered office.
4.2 We would like to point out that we process your personal data in accordance with Art. 6 para. 1 lit. c GDPR in order to process your request and for identification purposes.
5. Visiting the website
5.1 When you visit our website, we collect, store and process the following categories of personal data:
a) Scope of data processing
When you visit our websites, our web server temporarily and anonymously stores a so-called log data record (so-called server log files). This consists of
- the page from which the website was requested (so-called referrer URL)
- the name and URL of the page requested
- the date and time of the request
- the description of the type, language and version of the web browser used
- the IP address of the requesting computer, which is shortened so that it cannot be traced back to a specific person
- the volume of data transmitted
- the browser
- the operating system
- the message indicating whether the request was successful (access status/Http status code)
- the GMT time zone difference
b) Purpose of data processing
The storage of log data for the duration of the session is necessary in order to be able to display our website to you. The processing also serves to ensure the continued functioning and security of our websites and information technology systems.
c) Legal basis for data processing
The legal basis for the processing of log data is Art. 6 para. 1 lit. f GDPR with our legitimate interest in achieving the stated purposes.
d) Recipients of the data
We use external service providers for the operation of the website, who process personal data strictly according to instructions on the basis of an order processing agreement in accordance with Art. 28 GDPR. We use the following service provider to host the website: Raidboxes GmbH, Hafenstraße 32, 48153 Münster, Germany.
e) Duration of storage
The log data is stored for a period of 7 days and then deleted, except in exceptional cases where it is necessary to retain it for longer in order to investigate an identified attack.
5.2 We use cookies on our websites. Please refer to the cookie policy for details of the types and purposes of each cookie.
a) Technically necessary cookies: The legal basis for the processing of these cookies is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The basis of our legitimate interest is to ensure the security and functionality of this website. In addition, the storage of the necessary cookies in your browser or in your terminal device is absolutely necessary pursuant to Section 25 (2) No. 2 TDDDG so that the website you have called up can be made available with its services.
b) We also use statistical cookies: The legal basis for the processing of these cookies is your consent in accordance with Art. 6 par. 1 lit. a GDPR. You may withdraw your consent at any time without giving reasons.
5.3 We use Borlabs Cookie to manage cookies on our website and to obtain the necessary consent.
6. Business communication
We set out below how we process data relating to our business partners or their employees.
6.1 Scope of data processing:
As part of our business relationship with you as a business partner or employee of business partners, we process the data we receive from you or your employer. In particular, this is data that we receive when you come into contact with our employees. In this context, we process the following categories of data:
- Professional contact and organisational data: e.g. name, first name, title, academic degree, gender, name of the company you work for, department, professional e-mail address, address, telephone number;
- Professional data: e.g. job title, duties, activity, qualifications;
- Other: In addition, we may process other data that you provide to us during interactions with our employees or that we have lawfully collected about you from publicly available sources (e.g. commercial registers).
6.2 Purpose of Data Processing:
We process your data for the purpose of establishing and executing the contractual relationship with our business partner, as well as to comply with legal requirements.
6.3 Legal Basis of Data Processing:
a) If you are personally our business partner, the processing is carried out on the basis of Article 6(1)(b) GDPR for the performance or initiation of a contract.
b) For the purpose of fulfilling legal obligations, processing is carried out on the basis of Article 6(1)(c) GDPR in conjunction with legal and regulatory requirements (e.g., from tax and commercial law).
c) If you are an employee of one of our business partners, your data is processed on the basis of our overriding legitimate interests pursuant to Article 6(1)(f) GDPR. Our legitimate interest lies in maintaining effective and practical cooperation with our business partners and their employees.
6.4 Recipients of the Data:
Only those individuals within our organization who require access to your data for the purposes described above will have access. Based on contracts pursuant to Article 28 GDPR, personal data may also be processed by external service providers (e.g., support, hosting, or analytics providers). These external service providers are carefully selected and contracted by us. They are contractually bound to our instructions, implement appropriate technical and organizational measures to protect the rights of the data subjects, and are regularly monitored by us.
6.5 Retention Period:
a) The data mentioned will be stored by us for as long as it is needed for the specific processing purpose. As a rule, we store your data for at least the duration of our business relationship with you or the business partner for whom you work.
b) Certain data will be retained beyond this period for the duration of statutory limitation periods (generally three years, in some cases up to thirty years) and for as long as legally required retention periods apply (e.g., under the German Commercial Code or the Fiscal Code), typically for no more than ten years.
c) In certain circumstances, we may be required to retain your data for a longer period. This may be the case, for example, if a ban on data deletion is imposed in connection with official or legal proceedings for the duration of such proceedings.
7. Marketing E-Mails
7.1 We occasionally send emails containing promotional content. In this context, we typically process the following data:
a) First name, last name, and title;
b) Professional position and company affiliation;
c) Email address; and
d) Information about whether and when the emails were opened and which content, if any, was clicked on within the email.
7.2 We send promotional emails for marketing purposes. If a business relationship already exists and our promotional message relates to similar products or services, the legal basis is Article 6(1)(f) GDPR. Otherwise, we obtain prior consent, in which case the legal basis is Article 6(1)(a) GDPR.
7.3 We use the service Salesforce to send and analyze marketing emails. We have concluded a data processing agreement with Salesforce in accordance with Article 28 GDPR.
7.4 You can object to receiving marketing emails at any time and without providing any reasons. To do so, click on the unsubscribe link included in every marketing email, or contact us using the contact details provided above.
8. Vide conferencing tools
8.1 We use third-party video conferencing tools to conduct video and audio conferences, webinars, and other types of video and audio meetings. The following categories of data are processed in this context:
a) Master data (e.g., names, addresses),
b) Contact details (e.g., email addresses, phone numbers),
c) Content data (e.g., text input, photographs, videos),
d) Metadata/communication data (e.g., device information, IP addresses).
8.2 The data is processed to set up and conduct online meetings or video conferences. The legal basis for the processing is Article 6(1)(b) GDPR for the performance of a contract, or Article 6(1)(f) GDPR based on our legitimate interest in efficient and secure communication with our communication partners.
8.3 We have concluded a data processing agreement with the providers of the video conferencing solutions in accordance with Article 28 GDPR.
9. Applications
If you would like to become part of our team and apply for a position with us, we process your personal data as follows:
9.1 Scope of Data Processing:
During the application process, we process the following categories of data:
a) Private contact and identification data: e.g., first and last name, academic title, gender, email address, address, and telephone number;
b) Information on professional qualifications, such as educational background, language skills, and details of your place of study or training, certificates;
c) Curriculum vitae and the data contained therein;
d) Any other information you provide as part of your application.
9.2 Purpose of Data Processing:
We process your application data solely for the purpose of managing the application process.
9.3 Legal Basis for Data Processing:
The legal basis for processing your data is Section 26 (1) of the German Federal Data Protection Act (BDSG) and Article 6(1)(b) GDPR.
9.4 Recipients of the Data:
The application documents are received by the contact person named in the job posting and are internally forwarded to other employees involved in the recruitment process.
9.5 Retention Period:
If an employment relationship is established, we continue to process the application data for the purposes of the employment relationship. Further details are provided in our employee privacy notice.
If no employment relationship is established, we typically retain the application data for six months from the date of rejection. The application documents are then deleted.
10. Social media
10.1 We operate various profiles on social media platforms in order to provide information and to interact with you. Please note that the respective social media providers may store cookies in your browser, which record your usage behavior for market research and advertising purposes. These usage profiles may also be created across different devices. Platform providers analyze these profiles to display personalized advertising. Data processing may also affect individuals who are not registered users of the respective platform. The platform providers may also share this data with other companies and transfer it to countries outside the EU.
10.2 We receive information from the platform operators, including statistical analyses of visits to our profile. This may include personal data. In this context, both we and the respective platform provider are jointly responsible for the processing of personal data. The platform providers publish the corresponding joint controller agreements. The processing of your personal data when visiting one of our profiles is based on our legitimate interest in a broad online presence of our company and the use of effective communication tools to improve our public image and to communicate with you. The legal basis for this is Article 6(1)(f) GDPR. If you have given the platform provider consent to process your data, the legal basis is Article 6(1)(a) GDPR.
10.3 Further information about the scope, purpose, and legal basis of data processing on LinkedIn, as well as your rights with regard to the platform operator, can be found here: https://de.linkedin.com/legal/privacy-policy
11. Data security
11.1 We implement appropriate technical and organizational security measures to protect your data from accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. These measures take into account the state of the art, implementation costs, the nature, scope, context, and purpose of the processing, as well as the risks to data subjects associated with a data breach (including the likelihood and potential impact). Our security measures are continuously improved in line with technological developments.
11.2 We are happy to provide more detailed information upon request. Please contact our data protection officer for further details.
12. Profiling
We do not use the personal data collected from you for any automated decision-making processes (including profiling).
13. Competent Supervisory Authority
The authority responsible for overseeing our compliance is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de