GERMANCONSTRUCT GmbH
GERMANCERT - GERMANTRUSTMARK
Privacy Policy
Version: 1 June 2026
This Privacy Policy applies to the websites https://germancert.de and https://germantrustmark.com, hereinafter referred to as the “websites”. It explains which personal data we process when you visit and use our websites, for which purposes the processing takes place, on which legal basis, and which rights you have.
Note: This is a cleaned version. Services are described only where they are used, embedded or activated through a specific website function.
The controller responsible for data processing on these websites is:
Company | GERMANCONSTRUCT GmbH / GERMANCERT - GERMANTRUSTMARK |
Represented by | Dr. Amir David |
Address | Kollwitzstr. 76, 10435 Berlin - Germany |
Email | post@germancert.de |
Additional email for germantrustmark.com | post@germantrustmark.com |
No data protection officer has currently been appointed. If you have any questions regarding data protection, you may contact the controller directly:
Email: post@germancert.de
If the nature or scope of processing changes, in particular due to additional data-intensive processes or a relevant number of employees involved in automated personal data processing, the obligation to appoint a data protection officer will be reviewed again.
Personal data means any information relating to an identified or identifiable natural person, for example name, address, email address, telephone number, IP address, order data, payment data or message content.
We process personal data in particular for the following purposes:
· Providing, operating and securing the websites
· Processing contact and quotation enquiries
· Communicating with prospective customers, customers and business partners
· Performing contracts, orders, payments and invoicing
· Managing customer accounts, login areas and password reset functions
· Providing certificate searches, trustmark checks and customer databases
· Sending newsletters based on consent
· Managing appointments and providing downloads
· Processing job applications where applications are submitted
· Protecting against spam, misuse, technical disruptions and attacks
· Complying with statutory retention and documentation obligations
We process personal data on the following legal bases under the General Data Protection Regulation:
Article 6(1)(a) GDPR - Consent: for newsletters, analytics and marketing cookies, external media or other processing operations requiring consent.
Article 6(1)(b) GDPR - Contract or pre-contractual measures: for enquiries, quotations, orders, customer accounts, appointment bookings, payments and contract performance.
Article 6(1)(c) GDPR - Legal obligation: for statutory retention obligations, in particular under the German Commercial Code and the German Fiscal Code.
Article 6(1)(f) GDPR - Legitimate interests: for IT security, prevention of misuse, legal defence, business communication and technical provision of the websites.
When our websites are accessed, technical data is automatically processed. This may include:
· IP address
· date, time and duration of access
· pages and files accessed
· referrer URL
· browser type, operating system and device used
· transferred data volume, status codes and error messages
Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is the secure and functional provision of the websites, attack detection and error analysis.
Retention period: Server log files are generally deleted or anonymised after 7 days. Longer storage only takes place where necessary to investigate attacks, disruptions or legal infringements.
According to the current setup, our websites are hosted by STRATO AG, Pascalstrasse 10, 10587 Berlin, Germany.
STRATO processes technical data, content data and communication data on our behalf to the extent necessary for the operation, security and maintenance of the websites. Where required, a data processing agreement under Article 28 GDPR is in place.
Legal basis: Article 6(1)(f) GDPR. Where processing is related to pre-contractual measures or contract performance, Article 6(1)(b) GDPR also applies.
Our websites use cookies and similar technologies such as local storage, session storage or pixels. We distinguish between technically necessary cookies and optional cookies for analytics, statistics, marketing or external content.
These cookies are required for the websites to function, for example for navigation, security, login, language settings, shopping cart/order functions or storing your cookie choices.
Legal basis: Article 6(1)(f) GDPR and Section 25(2) TDDDG where the storage or access is technically necessary.
These cookies or similar technologies are used only if you have given your consent. They may help evaluate website usage, improve content or measure campaigns.
Legal basis: Article 6(1)(a) GDPR and Section 25(1) TDDDG.
You can withdraw consent at any time with effect for the future, for example through the cookie settings on the website or through your browser settings.
We use a consent management system to manage your cookie and privacy settings. The following data may be processed:
· consent and refusal records with timestamp
· cookie categories and consent text
· technical browser and device information
· IP address where technically required
· anonymous identification number to recognise your selection
Legal basis: Article 6(1)(c) GDPR for compliance with documentation obligations and Article 6(1)(f) GDPR. Consent records are stored for as long as required as evidence, generally up to 3 years.
When you contact us via a contact form, by email, telephone or fax, we process the data you provide. This may include:
· name, company, email address, telephone number and address
· message content
· date and time of the enquiry
· technical metadata
Legal basis: Article 6(1)(f) GDPR for general enquiries; Article 6(1)(b) GDPR for contract-related or pre-contractual enquiries.
Retention period: The data is deleted once the enquiry has been finally processed, unless statutory retention obligations apply.
For quotation enquiries, we process name, company, address, contact details, requested service, project data and communication history.
Legal basis: Article 6(1)(b) GDPR.
Retention period: Quotation and contract data is stored for the duration of the business relationship and thereafter in accordance with commercial and tax retention obligations, in particular 6 years under the German Commercial Code and 10 years under the German Fiscal Code.
If you use a customer account, login area or password reset function, we process in particular:
· first name, last name, email address and encrypted password
· company, address and telephone number
· usage and login data, IP address
· order, certificate, trustmark or contract data
· time of password reset request and technical security token
Legal basis: Article 6(1)(b) GDPR. For security logs and misuse prevention, Article 6(1)(f) GDPR also applies.
You may request deletion of your customer account, provided that no statutory retention obligations or legitimate reasons for further storage prevent deletion.
Where products or services can be ordered through the websites, we process the data required for orders, contract performance, invoicing and customer support:
· name, company, billing and delivery address
· email address and telephone number
· order, contract, payment and invoice data
· communication data and IP address
Legal basis: Article 6(1)(b) GDPR. For statutory retention obligations, especially invoices, Article 6(1)(c) GDPR also applies.
Payment methods or providers may include PayPal, Stripe, credit card payments via the respective card provider or acquirer, and bank transfer. For payment processing, the required data is transmitted to the respective provider or participating bank.
Where payment service providers have their registered office or group affiliation outside the EU/EEA, transfers to third countries may take place. Such transfers are made only where an appropriate legal basis or suitable safeguards exist, for example an adequacy decision, EU Standard Contractual Clauses or certification under the EU-U.S. Data Privacy Framework.
When you subscribe to our newsletter, we process your email address and, where provided, your name and company. We use a double opt-in procedure.
For documentation, we store the email address, date and time of registration and confirmation, IP address and consent text.
Mailchimp, The Rocket Science Group LLC, USA, may be used for newsletter delivery. Mailchimp processes data for sending and technically providing the newsletter. Where newsletter tracking is used, openings and clicks may be statistically evaluated. This is carried out only on the basis of your consent.
Legal basis: Article 6(1)(a) GDPR. You may withdraw consent at any time using the unsubscribe link in the newsletter or by emailing us.
After unsubscribing, we delete your data from the active mailing list. An email address may be stored in a suppression list to prevent further mailings. The legal basis for this is Article 6(1)(f) GDPR.
If you arrange an appointment through our websites or as part of communication with us, we process name, email address, telephone number, company, requested appointment and, where applicable, the matter or message content.
Legal basis: Article 6(1)(b) GDPR where the appointment relates to pre-contractual measures or contract performance; otherwise Article 6(1)(f) GDPR.
If an external appointment booking service is embedded, the specific provider must be added to this Privacy Policy.
Our websites may provide search functions for certificates, licence numbers, trustmarks, companies or customer entries. When such search functions are used, the following data may be processed:
· search term
· certificate, licence or trustmark number
· company data
· IP address
· date and time of the search
· browser and device data
Legal basis: Article 6(1)(f) GDPR. Our legitimate interest lies in providing transparent and verifiable certificate and trustmark information. Where the search is connected with a contractual relationship, Article 6(1)(b) GDPR also applies.
Where comments on blog posts are possible, we process name or username, email address, comment content, IP address and date and time of the comment. The legal basis is Article 6(1)(f) GDPR.
When a download area is used, technical access data may be processed. For protected downloads, name, email address, company, login data, download history, IP address and time of download may additionally be processed. The legal basis is Article 6(1)(b) GDPR for contract-related downloads and Article 6(1)(f) GDPR for other downloads.
If you apply to us, we process application data such as name, contact details, CV, certificates, qualifications, cover letter and communication data exclusively for the application procedure. The legal basis is Article 6(1)(b) GDPR and Section 26 BDSG. Application documents are generally deleted no later than 6 months after completion of the procedure unless the applicant is hired or statutory reasons prevent deletion.
Contact via WhatsApp is voluntary. Alternative contact channels are email, telephone, fax or contact form.
Provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, a company of the Meta group. Data that may be processed includes telephone number, name or profile name, message content, time of communication and metadata.
We have no influence on the further data processing carried out by WhatsApp/Meta. Due to the group structure, data may be transferred to the USA or other third countries.
Legal basis: Article 6(1)(b) GDPR for contract-related communication; otherwise Article 6(1)(f) GDPR. Where you actively initiate communication, your consent may additionally be relevant.
The following services process data only where they are actually embedded on the websites or loaded through your consent or active selection.
Where Google Tag Manager or Google Analytics is used, the provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags. Google Analytics is used for statistical analysis of website usage and is used only with consent. The legal basis for non-essential services is Article 6(1)(a) GDPR and Section 25(1) TDDDG.
Google Fonts are hosted locally where possible. Local hosting does not establish a connection to Google servers. Where Google Fonts are loaded dynamically or Google Maps is embedded, IP address, browser and device data and usage data may be transmitted to Google. Non-essential integrations are used only with consent.
Where videos from YouTube or Vimeo or active social media content are embedded, they are loaded only if you have given consent or actively load the content. Simple social media links transmit data only when you click the link.
Google reCAPTCHA or hCaptcha may be used to protect against spam and automated access. Technical data such as IP address, browser and device data, interactions and cookies may be processed. The legal basis is Article 6(1)(f) GDPR; where consent is required, Article 6(1)(a) GDPR and Section 25(1) TDDDG.
CRM systems or other technical service providers may be used to manage customer relationships, enquiries, quotations and contracts. Data processed may include name, company, contact details, communication history, quotation and contract data, interests and customer status.
Where service providers act as processors, we conclude data processing agreements under Article 28 GDPR. Where providers act as independent controllers, their privacy notices also apply.
Legal basis: Article 6(1)(b) GDPR for contract performance and pre-contractual measures; Article 6(1)(f) GDPR for customer relationship management and organisation.
We disclose personal data only where this is legally permitted, necessary for the stated purposes or covered by your consent. Recipients may include:
· hosting providers
· IT and maintenance service providers
· payment providers and banks
· newsletter service providers
· CRM and communication service providers
· providers of external media, maps, analytics or security services
· tax advisers, accounting service providers, lawyers and public authorities where required
Disclosure takes place only to the extent necessary.
Some services may process personal data outside the European Union or the European Economic Area, in particular in the USA. This may apply especially to providers such as Google, Meta/WhatsApp, Stripe, Mailchimp, Vimeo or comparable services, where these are actually used.
Transfers to third countries take place only where the legal requirements of the GDPR are met, in particular through:
· an adequacy decision by the European Commission
· certification under the EU-U.S. Data Privacy Framework where the recipient is certified
· EU Standard Contractual Clauses under Article 46(2)(c) GDPR
· additional safeguards or, where required, your explicit consent
Despite such safeguards, there may be a residual risk that authorities in third countries access data and that data subject rights cannot be enforced in the same way as within the EU.
We store personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations. In particular:
· Contact enquiries: until final processing and then deletion unless a statutory obligation applies
· Contract, order and invoice data: generally 10 years under the German Fiscal Code; business correspondence 6 years under the German Commercial Code
· Customer account data: for the duration of the account; thereafter only to the extent legally required
· Newsletter data: until consent is withdrawn; suppression lists may be stored longer to prevent further mailings
· Application data: generally no longer than 6 months after completion of the application procedure if the applicant is not hired
· Server log files: generally 7 days; longer only to investigate attacks or incidents
· Consent records and cookie consent logs: for as long as required as evidence
After the purpose has ceased to apply and statutory retention periods have expired, data is deleted or anonymised.
You have the following rights under the GDPR:
· Right of access under Article 15 GDPR
· Right to rectification under Article 16 GDPR
· Right to erasure under Article 17 GDPR
· Right to restriction of processing under Article 18 GDPR
· Right to data portability under Article 20 GDPR
· Right to object under Article 21 GDPR
· Right to withdraw consent under Article 7(3) GDPR
Right to object: If your data is processed on the basis of legitimate interests, you may object to the processing on grounds relating to your particular situation. In the case of direct marketing, you may object at any time without giving reasons.
To exercise your rights, please contact: post@germancert.de
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is in particular:
The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate, Postfach 30 40, 55020 Mainz, Germany. Visitor address: Hintere Bleiche 34, 55116 Mainz, Germany. Phone: +49 6131 8920-0. Email: poststelle@datenschutz.rlp.de. Website: https://www.datenschutz.rlp.de
Our websites use SSL or TLS encryption. You can recognise an encrypted connection by “https://” in the address bar and the lock symbol in your browser.
We implement technical and organisational measures under Article 32 GDPR to protect personal data. These include encrypted data transmission, access controls, secure password procedures, regular maintenance, security updates, protection against spam and attacks, backups, careful service provider selection and data processing agreements where required.
We do not intentionally process special categories of personal data within the meaning of Article 9 GDPR on our websites, such as health data, religious information, biometric data or trade union membership.
Our websites are not specifically directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If such data becomes known to us, we will delete it without undue delay unless legal reasons prevent deletion.
No automated decision-making, including profiling, within the meaning of Article 22 GDPR takes place. Statistical newsletter or website evaluations do not result in automated individual decisions with legal or similarly significant effects.
As a rule, we collect personal data directly from you, for example through forms, by email, when you contact us, register or conclude a contract. Where, in individual cases, we receive data from other sources such as business partners, publicly accessible sources or credit agencies, we will inform you separately where required by law.
We reserve the right to update this Privacy Policy if our websites, the services used or legal requirements change. The current version is available on our websites.