Privacy statement

Below you will find the information that has to be provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (“GDPR”) on the processing of your personal data when you visit (hereinafter “you” or “your”) our websites www.soma.de, www.soma-prueftechnik-automation.de, www.flexassistant.de and www.soma-dosiertechnik.de (hereinafter each referred to as “Website”) by SOMA GmbH Systementwicklung-Software-Automation (hereinafter “we” or “us”).

A. Data controller and data protection officer

SOMA GmbH Systementwicklung-Software-Automation, Gewerbering 9, 58579 Schalksmühle,
info@soma.de, telephone: +49 (0) 2355 50828-0

Data Protection Officer of the KOSTAL Group, An der Bellmerei 10, 58513 Lüdenscheid, dataprotection@kostal.com

B. Information on the processing of personal data

Below you will find information on the processing of your personal data for the purposes specified in more detail there and, for example, about the legal basis for this processing. If the legal basis for the processing specified there is the balancing of interests, you can request additional information about the balancing of interests carried out by us using the contact details specified in Section A.

I. Use of the Website

1. Use of the Website for information purposes

When you visit our Website, we process the IP address of your device for technical reasons, i.e. in order to be able to display the Website at all. We cannot provide the Website content accessed without the provision of this data.

In order to protect our IT infrastructure, we also process the IP address of your device, the type and version of the internet browser used by you, information on the operating system of your device, information on the pages accessed, the site previously visited (referrer URL) and the access date and time and store this information in so-called log files.

The legal basis of this processing is the balancing of interests (point (f) of Article 6 paragraph 1 of the GDPR). Our legitimate interest for this processing is the provision of the Website content accessed by you and the protection of the IT infrastructure used to provide the Website, in particular to identify, remedy and document IT disruptions (e.g. DDoS attacks) for evidence purposes.

We generally store these personal data in the log files for 3 (three) months. In the case of any security-relevant event (e.g. an attack), we also store the log files until the security-relevant event has been eliminated and clarified in full.

2. Sitecore

To provide this website we use the web content management system Sitecore, which provides analysis functions to evaluate the surfing behaviour. For this purpose, cookies are used to generate information about the use of this website. This information stored in a database on a server of a service provider contractually bound to us. The collected data is anonymized by technical means (e.g. by deleting the last digits of the IP address), including the anonymized IP address (anonymization is achieved by deleting the last digit).

The legal basis for the use of Sitecore is the balancing of interests (point f of Art. 6(1) GDPR). Our legitimate interest is the provision of the website content accessed by the user and the protection of the IT infrastructure used to provide the website.

You can prevent the installation of cookies by setting your browser software accordingly. This is described in Section D.2. However, we would like to point out that this may mean that not all functions of this website can be used to their full extent.

The recipient of this data is our hosting provider Microsoft Azure, which acts as an order processor for us. Another recipient is Sitecore, which also acts as an order processor. We generally store this personal data in the log files for thirty (30) days. In the event of a security-relevant event (e.g. an attack), we store the log files until the security-relevant event has been eliminated and fully clarified.

3. Usercentrics

The Usercentrics Consent Manager is used by us to manage your consents, possible revocations of consents and objections to the use of cookies.

The data processing in this context is carried out to manage the user decisions regarding cookies (consent, revocation, opt-out) and to ensure the security of the application.

The IP address of your terminal device, the type and version of the Internet browser you are using, information about the operating system of your terminal device, information about the pages accessed, the previously visited page (referrer URL) and the date and time of access are processed. In addition, the user's decision on individual cookies or groups of cookies is stored at the time of the decision and the last visit.

Legal basis for the processing of the balance of interests (point f of Art. 6(1) GDPR). Our legitimate interest is the simple and reliable control of Cookies.

The recipient of the data is Usercentrics GmbH, which acts as our order processor.

We store the data for a period of 6 months. The revocation of a previously given consent is stored for three years (accountability). Server log data is anonymized before storage. We would like to point out that it is not possible to use the website without transmitting personal data, such as the IP address. An automatic decision-making process for consenting to the use of cookies does not take place.

II. Use of the contact form

If you contact us using our contact form due to a request, we process your contact data and information about your request in order to process your request. These data typically include your name, the name of a company you may work for, your position at the company, your request, address data and telephone numbers as well as any arrangements made with you. You are not obliged to provide these data. However, without these data we are unable to process your request properly. Such data, which have to be provided in the contact form, are marked with an asterisk (*).

If you are a potential customer or a customer, the legal basis of the processing is to take steps at your request prior to entering into a contract or to perform a contract with you (point (b) of Article 6 paragraph 1 of the GDPR). If you are not acting for yourself, but – for example as an employee – for a legal entity, the legal basis of the processing is the balancing of interests (point (f) of Article 6 paragraph 1 of the GDPR). Our legitimate interest in this case is processing the request communicated by you.

The recipient of these data is our hosting provider Microsoft Azure, which acts for us as processor. A further recipient is comspace GmbH & Co. KG, which likewise acts as processor and has been commissioned with the development of the Website as well as its maintenance and servicing Leopold Kostal GmbH & Co. GmbH as further resipient of the data, acting as a processor, and storing the data in our Customer-Relations Management System (CRM System).

We store these data for the duration of processing your request and thereafter for the duration of the statutory retention periods (sec. 257 of the German Commercial Code (Handelsgesetzbuch – HGB) and sec. 147 of the German Tax Code (Abgabenordnung – AO)). These are currently 6 (six) years for business letters and 10 (ten) years for supporting documents. The legal basis for this further storage is compliance with our legal obligation (point (c) of Article 6 paragraph 1 of the GDPR).

III. Job vacancies

You can also find links to job vacancies on our Website. These links lead to an external website for which a separate data protection statement applies. You can find this here.

IV. Analysis of behaviour on the Website

1. Google Analytics

If you have given your consent, we use the web analysis tool “Google Analytics” to record and analyse usage behaviour on our Website by means of cookies (see Section C). Google Analytics is a service provided by Google LLC (“Google”), which is headquartered in the USA. The personal data collected with the help of these cookies include your IP address as well as information about the subpages visited, visit duration and the website via which you reached our site and the website you access after visiting our Website. There is no obligation to provide these data. If these data are not provided, we cannot measure web audience.

This processing serves the optimisation of the Website by analysing your usage behaviour on our Website. We can, for example, based on the frequency with which subpages are accessed, identify which content is particularly interesting for our Website visitors and which content has to be placed differently, for example, in order to be seen by visitors.

It is technically necessary that your full IP address is transmitted to Google. However, we use so-called IP anonymisation. This means that your IP address is shortened immediately after transmission to Google as our processor and is no longer stored by Google. It is then no longer possible to identify the user of the device.

Based on this shortened IP address and the information contained in the cookies, Google prepares the aforementioned analysis of usage behaviour on our Website. As a rule, it is not possible for us to identify you as an individual based on this usage profiles. We do not know which pseudonym you have been given. Therefore, based on the usage profiles of Google Analytics, we are generally unable to identify what specific actions you have taken on the Website.

The legal basis for this processing, including the setting and reading of cookies, is consent to be given separately by you (point (a) of Article 6 paragraph 1 of the GDPR)). You can withdraw this consent by deleting the cookies. This is described in Section C.2.

The data described in this Section B.IV can be transmitted to Google in the USA. For the purposes of EU data protection law, the USA is not considered a safe third country. We would like to point out that US companies are obliged to hand over personal data to security authorities without giving the data subject the possibility to take legal action against this.

We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. intelligence services) may process, evaluate and permanently store your data located on US servers for monitoring purposes.

We store usage profiles for 26 (twenty-six) months.

2. Google Analytics 4

The website, if you have given your consent, uses the web analytics service Google Analytics 4, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We integrate Google Analytics 4 via the Google Tag Manager. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.

Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is done to analyse your usage behaviour and improve our website. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. We will use the information to evaluate the use of our website and to compile reports on website activities.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions to the extent that not enough data is available to optimize the evaluation and reports. Information on this can be found in the associated Google documentation. The data analysis are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find more about this in the associated Google documentation.

The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked with data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).

Processed data: The following data can be processed by Google Analytics 4:

IP address;
User ID and device ID;
referrer URL (previous visited page);
Pages viewed (date, time, URL, title, duration of visit);
downloaded files;
clicked links to other websites;
Achievement of specific goals (Conversions);
Technical information (operating system; browser type, version and language; device type, brand, model and resolution);
approximate location (country, region and city, if applicable, based on anonymized IP address).

Privacy settings: We have made the following privacy settings for Google Analytics 4:

Anonymization of the IP address;
deactivated advertising function;
deactivated personalized advertising;
deactivated remarketing;
retention period of 2 months (and no reset of retention period with new activity);
disabled cross-device and cross-page tracking (Google Signals);
disabled data shares (especially Google products and services, benchmarking, technical support, account specialist).

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46 point (c) paragraph 2 GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49 point (a) paragraph 2 GDPR.

You can find more information about Google Analytics 4 in Google’s privacy statement and in the Google Analytics privacy policy.

C. Use of cookies

When you use our Website, we store cookies in your device’s browser, unless you prohibit this with appropriate settings in your browser.

1. General information on Cookies

Cookies are small text files containing information which can be placed on the user’s device via its browser when a website is visited. When the website is visited again with the same device, the cookie and the information stored in it can be read.

Generally and also in the description of the individual cookies used by us in Section C.3, a distinction is made between (i) first-party and third-party cookies, (ii) transient and persistent cookies as well as (iii) cookies that do not require consent and those that do require consent.

First-party cookies are cookies placed by us or a processor commissioned by us, whereas third-party cookies are cookies that are placed and accessed by another controller.

Transient cookies are deleted when you close your browser, whereas persistent cookies are cookies that are stored on your device for a specific period of time.

Cookies that do not require consent are cookies whose sole purpose is to transmit a message via an electronic communications network. Cookies that are strictly necessary so that the provider of an information society service expressly requested by the subscriber or user can make this service available do not require consent either (also referred to as “strictly necessary cookies”). All other cookies require consent.

2. Cookie management

If the user’s consent is required for the use of certain cookies, we only place these cookies when you use the Website if you have given your consent to this beforehand. Please refer to Section C.3 for information about whether the use of a cookie requires consent.

When you visit our Website, we display a so-called cookie banner in which you can give your consent to the use of cookies on this Website. By clicking on the button provided for this, you have the possibility to consent to the use of all cookies requiring consent described in detail in this Section C.3 of this cookie information. You may also revoke your consent here at any time.

We likewise store your consent and, where applicable, your individual selection of cookies requiring consent in an additional cookie (“opt-in cookie”) on your device so that we can determine whether you have already given your consent when the Website is accessed again. The opt-in cookie is valid for a limited period of 1 (one) month.

Strictly necessary cookies cannot be deactivated with the cookie management function of this Website. However, you can at any time deactivate these cookies generally in your browser.

You can also manage the use of cookies in your browser settings. Additional detailed information can, for example, be found at http://www.allaboutcookies.org/manage-cookies/.

When you deactivate the storage of cookies in your browser, some Website functions may no longer work or no longer work properly.

3. Cookies used on this Website

Below we provide you with information about the cookies we use. These are exclusively first-party cookies.

a) Name: cookieconsent_status

Purpose and content: Strictly necessary opt-in cookie (see Section C.2 above) used to store your consent and, where applicable, your individual selection for the use of cookies on your device, in order to determine whether you have already given your consent when the Website is accessed again.

Validity: persistent (1 month)
Consent required: no

Legal basis under data protection law: Balancing of interests (point (f) of Article 6 paragraph 1 of the GDPR). Our legitimate interest is the management of cookie consents given by the user for this Website.

b) Name: _ga

Purpose and content: For use with Google Analytics and Google Analytics 4(see Section B.IV), used to differentiate users by means of an assigned ID.

Validity: persistent (2 years)
Consent required: yes

Legal basis under data protection law: Consent (point (a) of Article 6 paragraph 1 of the GDPR).

c) Name: _gid

Purpose and content: For use with Google Analytics and Google Analytics 4(see Section B.IV), used to differentiate users by means of an assigned ID.

Validity: persistent (24 hours)
Consent required: yes

Legal basis under data protection law: Consent (point (a) of Article 6 paragraph 1 of the GDPR).

d) Name: GA (GA 4 ID)

Purpose and content: For use with Google Analytics 4 (see Section B.IV), used to secure the information of the valid session.

Responsibility: First-Party
Validity: persistent (24 hours)
Consent required: yes

Legal basis under data protection law: Consent (point (a) of Article 6 paragraph 1 of the GDPR).

e) Name: _gc_gb

Purpose and content: For use with Google Analytics 4 (see Section B.IV), used to store campaign-related information and, if necessary, link it to Google Ads Conversion Tracking.

Responsibility: First-Party
Validity: persistent (90 days)
Consent required: yes

Legal basis under data protection law: Consent (point (a) of Article 6 paragraph 1 of the GDPR).

f) Name: _gat_UA-81341348-9 (for www.soma.de), _gat_UA-81341348-10 (for www.soma-dosiertechnik.de) and _gat_UA-81341348-11 (for www.soma-prueftechnik-automation.de)

Purpose and content: For use with Google Analytics (see Section B.IV), used to throttle the request rate, i.e. the maximum number of requests that can be sent to Google’s servers.

Validity: persistent (1 minute)
Requires consent: yes

Legal basis under data protection law: Consent (point (a) of Article 6 paragraph 1 of the GDPR).

g) Name: ASP.NET_SessionId

Purpose and content: When the Website is visited, each visitor is assigned an individual ID for the duration of the visit. Your input and your behaviour on the Website are assigned to this ID by our web server. It is, for example possible, to associate your input with you while you navigate through the Website.

Validity: transient
Requires consent: no

Legal basis under data protection law: Balancing of interests (point (f) of Article 6 paragraph 1 of the GDPR). Our legitimate interest is providing the informational function of the Website requested by the user.

h) Name: SC_ANALYTICS_GLOBAL_COOKIE

Purpose and content: This cookie is used to recognise returning users by means of an assigned ID.

Validity: persistent (2 years)
Requires consent: yes

Legal basis under data protection law: Consent (point (a) of Article 6 paragraph 1 of the GDPR).

i) Name: __RequestVerificationToken

Purpose and content: This cookie is used to prevent, by means of an assigned ID, unauthorised content being published on the Website (cross-site request forgery).

Validity: transient
Requires consent: no

Legal basis under data protection law: Balancing of interests (point (f) of Article 6 paragraph 1 of the GDPR). Our legitimate interest is ensuring the security of our Website.

j) Name: soma#lang (for www.soma.de), somadosiertechnik#lang (for www.soma-dosiertechnik.de) and somaprueftechnik#lang (for www.soma-prueftechnik-automation.de)

Purpose and content: Stores the language chosen by you on the Website.

Validity: transient
Requires consent: no

a) Name: privacy-notification

Purpose and content: The cookie keeps track of whether or not the visitor consents to Sitecore tracking.

Responsibility: first party
Validity: persistent (one (1) year)
Requires consent: no

Legal basis under data protection law: Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is to ensure that tracking only takes place with prior consent.

D. Information on the rights of data subjects

As a data subject, you have the following rights with respect to the processing of your personal data. You can contact us for the purpose of exercising your rights using the contact details in Section A:

A right to obtain access to and information (Article 15 GDPR) about which personal data from you we process. This includes additional information on the data processing, such as the purpose and legal basis as well as the recipients of these data. You also have the right to request a copy of these data.
A right to obtain from us the rectification of inaccurate personal data concerning you and the completion incomplete personal data concerning you (Article 16 of the GDPR).
A right to obtain the erasure of personal data concerning you in the cases provided for by law (Article 17 of the GDPR), such as when the data are no longer needed for the purposes for which they were collected or have been unlawfully processed.
A right to obtain the restriction of processing in the cases provided for by the law (Article 18 of the GDPR).
A right to receive the personal data concerning you that we process on the basis of consent which has been given or for the performance of a contract (see Section B) in a structured, commonly used and machine-readable format (right to data portability, Article 20 of the GDPR).
A right to withdraw the consent given to us at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.
A right to lodge a complaint with a supervisory authority (Article 77 of the GDPR). A list of the data protection supervisory authorities and their addresses can be found here.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (f) of Article 6 paragraph 1 of the GDPR (see Section B). We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

The above rights do not necessarily apply to you without limitation in every case. The law provides for restrictions in each case. You can find the full extent of your rights in the Articles of the GDPR specified above, which you can access by using the following link:

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

Last modified: 20 th of February 2023