Castik Capital S.à r.l. considers data protection an extremely important issue. Our endeavours to satisfy the requirements of the European General Data Protection Regulation (GDPR) and the new amendment to the Federal Data Protection Act are directed primarily at respecting your privacy.
Nowadays, the use of electronic data processing systems (EDP) is indispensable for modern companies such as Castik Capital S.à r.l. In this respect, we of course do everything in our power to satisfy the statutory regulations.
In principle it is possible to use the internet pages of Castik Capital S.à r.l. without providing any personal data whatsoever. However, if a data subject wishes to use this website to access particular services provided by our company, it may become necessary to process personal data for this purpose. If the processing of personal data is necessary and there is no relevant statutory basis available for this, we will generally obtain consent from the data subject.
Under no circumstances will we sell or lease your personal information to third parties for marketing or other purposes. If you do not agree with the content of the data protection provisions, please do not send any personal data to us.
1. General information/Definitions
This Privacy Statement is based on definitions contained in the GDPR and it should be easily readable and comprehensible to everyone. For that reason, we would like to explain some terminology at the outset:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
c) Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting its processing in the future.
e) Profiling
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Controller
The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be laid down by Union or Member State law.
h) Processor/contract data processor
The processor/contract data processor is a natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient is a natural person or legal entity, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data connected with a particular inquiry in accordance with Union or Member State law will not be regarded as recipients.
j) Third party
Third party is a natural person or legal entity, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, indicates agreement to the processing of personal data relating to him or her.
2. Information on the collection of personal data
(1) The following information describes how we collect personal data from visitors who use our website. Personal data is all data pertaining to you personally, e.g. name, address, email address, usage behaviour.
(2) The controller according to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is
Castik Capital S.à r.l.
1, Route d'Esch
1470 Luxembourg, Luxembourg
Tel. +352 286690971
(3) Our Data Protection Officer is:
Sascha Weller, attorney – external data protection officer
(4) When you contact us by email or by using a contact form, we will store the data you provide (your email address and, where relevant, your name and your telephone number), in order to answer your questions. Such personal data transferred on a voluntary basis by a data subject to the data controller is stored solely for the purpose of processing or contacting the data subject. We will erase the data collected in this manner when it is no longer necessary to store it, or we will restrict its processing if there are any legal retention obligations.
(5) If we use contracted service providers for individual functions of our online service, or if we wish to use your data for advertising purposes, we will inform you in detail below of the relevant procedures applied. In this respect, we will also state the specified criteria for the storage period.
(6) We have implemented a whole range of technical and organizational measures to ensure the most seamless possible protection of personal data processed through this website. Data transfer via the internet can nevertheless be exposed to gaps in security, meaning that it is not possible to guarantee absolute protection. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.
(7) As a responsible organisation, we refrain from automatic decision-making or profiling.
3. Your rights
(1) You can exercise the following rights against us with regard to your personal data:
- Right of access:
Each data subject will have the right granted by the GDPR to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
- the purposes of the processing
- the categories of personal data that will be processed
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing
- the existence of the right to lodge a complaint with a supervisory authority
- where the personal data is not collected from the data subject, any available information as to its source
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
Furthermore, the data subject will have a right to obtain information as to whether personal data is transferred to a third country or to an international organisation. Where this is the case, the data subject will have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself or herself of this right of access, he or she may, at any time, contact an employee of the controller.
- Right to withdraw data protection consent:
Every data subject will have the right to withdraw his or her consent to processing of his or her personal data at any time.
If a data subject wishes to avail himself or herself of this right to withdraw consent, he or she may, at any time, contact an employee of the controller using any means of communication.
- Right to correction:
The data subject will have the right to obtain from the controller without undue delay correction of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject will have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to avail himself or herself of this right to correction, he or she may, at any time, contact an employee of the controller.
- Right to erasure (right to be forgotten):
The data subject will have the right to obtain from the controller erasure of personal data concerning him or her without undue delay and the controller will have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- the data subject withdraws the consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
- the personal data has been processed unlawfully.
- the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- the personal data has been collected for the offer of information society services referred to in Article 8(1).
If a data subject wishes to avail himself or herself of this right to erasure (right to be forgotten), he or she may, at any time, contact an employee of the controller.
If we made the personal data public and are obliged pursuant to paragraph 1 to erase the personal data, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. Our employees will arrange for the necessary measures to be taken.
- Right of restriction of processing:
The data subject will have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or
- the data subject has objected to processing pursuant to Article 21(1) pending verification of whether the legitimate grounds of the controller override those of the data subject.
If a data subject wishes to avail himself or herself of this right to restriction of processing, he or she may, at any time, contact an employee of the controller.
- Right to object:
Each data subject will have the right to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6 para. 1 of the GDPR. This also applies to profiling based on these provisions.
We will no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If we process personal data for direct marketing purposes, the data subject will have the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling if it is connected to such direct marketing. If the data subject objects to us regarding processing for direct marketing purposes, we will no longer process the personal data for these purposes.
Furthermore, where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 para. 1 GDPR, the data subject, on grounds relating to his or her particular situation, will have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To assert the right to object, the data subject may at any time contact any employee directly. In addition, notwithstanding Directive 2002/58/EC, the data subject is free to exercise his or her right to object by automated means in connection with the use of information society services in which technical specifications are used.
- Right to data portability:
The data subject will have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transfer this data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to Article 20 para. 1 of the GDPR, the data subject will have the right to have personal data transferred directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
If a data subject wishes to avail himself or herself of this right to data portability, he or she may, at any time, contact an employee of the controller.
- Automated individual decision-making, including profiling
Each data subject will have the right granted by the GDPR not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or for the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not based on the data subject’s explicit consent.
If the decision is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or it is based on the data subject’s explicit consent, the company will take suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, which includes at least the right to obtain human intervention by the controller, to express his or her point of view and to contest the decision.
If a data subject wishes to avail himself or herself of the rights pertaining to automated individual decision-making, he or she may, at any time, contact an employee of the controller.
(2) You also have the right to lodge a complaint with a data protection supervisory authority regarding how we process your personal data. The supervisory authority competent for our company is:
National Commission for data protection
1, avenue du Rock’n’Roll
Phone: (+352) 26 10 60-1
You may, of course, contact any data protection supervisory authority responsible for your place of residence.
4. Collection of personal data when visiting the website/cookies
(1) If you merely use our website to find information, i.e. if you do not register or otherwise provide us with information, we will only collect the personal data that your browser transfers to our server. If you wish to view our website, we will collect the following data, which we need for technical reasons in order to display our website to you, and to ensure its stability and security (the legal basis is Art. 6 para. 1 sentence 1 letter f GDPR).
- IP address
- date and time of the inquiry
- time zone difference to Greenwich Mean Time (GMT)
- Internet Service Provider of the accessing system
- content of the inquiry (specific page)
- access status/HTTP status code
- any volume of data relayed
- website from which the request originates (referrer)
- operating system and its interface
- language and version of the browser software.
(2) Alongside the aforementioned data, cookies will also be stored on your computer when using our website. Cookies are small text files stored on your hard disk by your browser to make site-specific information available to the website using the cookie (in this case, our website). Cookies cannot run applications or transfer viruses to your computer. Their purpose is to make the general online experience more user-friendly and effective.
a) This website uses the following types of cookies, and their scope and function is described below:
- transient cookies (see b)
- persistent cookies (see c)
- flash cookies (see f).
b) Transient cookies are deleted automatically when you close your browser. This includes session cookies in particular. These store what is known as a session ID, which correlates various queries made by your browser during one common session. This helps to identify your computer when you return to the website. Session cookies are deleted once you log out or close your browser.
c) Persistent cookies are automatically deleted after a given time, which varies depending on the cookie. You may delete any cookie using the security preferences in your browser at any time.
d) You can configure your browser settings as required, and deny the acceptance of third-party cookies or all cookies. Please note that if you do so, you may not be able to enjoy all the services provided by this website.
f) The flash cookies we use are not captured by your browser but by your flash plug-in. We also use HTML5 storage objects, which are stored on your terminal device. These objects save the necessary data independently of the browser used and do not have an automatic expiry date. If you do not wish the flash cookies to be processed, you must install the applicable add-on, such as “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer Cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using the privacy mode of your browser. We also recommend that you manually delete your cookies and browser history regularly.
5. Additional functions and services available on our website
(1) As well as simply providing information, our website offers various services available for you to use if you so choose. To do so, you will usually be required to enter additional personal data, which we will use for delivering the services in question, and which is subject to the data processing principles set out above.
(2) We sometimes use external service providers to process your data. These have been carefully selected and commissioned by us, and they are subject to our instructions and to regular checks.
(3) The hosting services we use are for the purpose of providing the following services: infrastructure and platform services, computer processing capacity, storage space and database services, security services and technical maintenance services, which we use for the purpose of operating this website.
In this context, we and our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communications data belonging to customers, potential customers and visitors to this website based on our legitimate interest in having an efficient and secure provision of this website, in accordance with Art. 6 para. 1 letter f GDPR in conjunction with Art. 28 GDPR.
(4) In addition, we may also transfer your personal data to third parties, when we and our partner jointly host promotions, competitions, contract signatures and similar services. Detailed information will be displayed when you enter your personal data, and is also available at the end of the service description.
(5) If our service providers or partners have their registered address in a state outside the European Economic Area (EEA), we will inform you of the consequences of this situation in the service description.
6. Data protection for job applications
The data controller will collect and process the personal data of job applicants for the purpose of implementing the application procedure. The processing may also be carried out by electronic methods. This is particularly the case when an applicant submits application documents by electronic means, such as by email or via a contact form located on a website, which are then transferred to the data controller. If the controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of performing the employment contract in compliance with the legal requirements. If no employment contract is concluded between the applicant and the controller, the application documents will be erased automatically, provided there are no other overriding legitimate interests on the part of the controller to oppose erasure. An example of a legitimate interest in this context is a burden of proof in a procedure pursuant to the General Equal Treatment Act (Gleichbehandlungsgesetz, AGG).
Job applicant data is processed for the purpose of fulfilling our (pre)contractual obligations as part of the application process within the definition of Art. 6 para. 1 letter b GDPR and Art. 6 para. 1 letter f GDPR provided the data processing is necessary for us, such as during the course of legal proceedings (§ 26 Federal Data Protection Act (BDSG) also applies in Germany).
7. Objection or withdrawal of consent to the processing of your data
(1) If you have given your consent for your data to be processed, you can withdraw this at any time, using any means of communication. This withdrawal of consent will affect the permissibility of the processing of your personal data, starting from the time you inform us of the withdrawal.
(2) If we use a balancing of interests to justify the processing of your personal data, you are entitled to object to this processing. This will be the case, particularly if the processing is not necessary for the performance of a contract with you, a fact that will be indicated with the ensuing description of the functions. If you choose to exercise your right to object, we ask you to provide us with the reasons why your personal data should not be processed in the manner performed by us. If your objection is justified, we will examine the matter, and will either cease or modify the data processing, or we will show our compelling legitimate grounds on the basis of which we will continue processing the data.
(3) Of course, you are entitled at any time to object to your personal data being processed for the purposes of advertising and data analysis. If you wish to object to your data being processed for advertising purposes, you can contact us using the address provided under No. 2. (2).
8. Provision of personal data as a statutory or contractual requirement/Requirement in order to enter into a contract/Consequences of failure to provide data/Erasure
(1) We would like to point out to you that the provision of personal data is sometimes required by law. It may also be necessary for a data subject to provide personal data so that a contract can be performed. Failure to provide this data could mean that no contract is concluded. Our employees are on hand to answer your questions about specific cases.
(2) The data we process will be deleted or its use will be restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this data protection policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any legal data retention obligations. If the data is not deleted because it is necessary for other legally permissible purposes, its processing is restricted. This means that the data is locked and will not be processed for any other purposes. This applies, for example, to data that must be kept for commercial or tax regulatory reasons.
According to legal requirements in Germany, the records will, in particular, be kept for 10 years in accordance with section 147 (1) of the German Fiscal Code (AO) (ledgers, records, inventories, management reports, accounting receipts, trading books, documents relevant for tax purposes, etc.), and for 6 years in accordance with section 257 (1) no. 2 and 3, (4) of the German Commercial Code (HGB) (commercial papers).
9. Web Analytics and Google Maps
1. Use of Google Analytics
(1) This website uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics employs cookies, i.e. text files that are stored on your computer and which enable your use of this website to be analysed. The information generated by the cookie on your use of this website will normally be transferred to a Google server in the United States and stored there. If IP anonymization is activated on this website, however, your IP address will firstly be truncated by Google from within a member state of the European Union or from within any other country which is party to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be sent to a Google server in the United States and truncated there. Google will use this information on our behalf for purposes of evaluating your use of the website, compiling reports on website activity and for providing the website operator with other services relating to website use and internet usage.
(2) The IP address submitted by your browser within the framework of Google Analytics will not be merged with other data collected at Google.
(3) You can prevent the storage of cookies by adjusting your browser settings accordingly; however, please note that doing so may mean you are not able to use all functions of this website. You can also prevent acquisition of the data generated by the cookie (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
(4) This website uses Google Analytics with the extension “anonymizeIp()”. This means that IP addresses are further processed in a truncated form, to prevent any reference to a particular person. If a reference to a person ever occurs on the basis of the data collected from you, this will be removed from the process immediately, and the personal data therefore erased without delay. The data we send, and which is linked to cookies, user IDs or advert IDs, will be automatically erased after 14 months. Once the retention period for data has elapsed, this data will be automatically deleted once a month.
(5) We use Google Analytics to analyse the use of the website and to enable it to be improved regularly. The statistics obtained enable us to improve our website and design it to be more interesting to you personally as a user. To cover those exceptional cases in which personal data is transferred to the USA, Google has committed itself to the EU-U.S. Privacy Shield Framework, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Art. 6 para. 1 sentence 1 letter f GDPR.
(7) This website also uses Google Analytics to perform a cross-device analysis of visitor traffic; this is performed with a User ID. Go to your customer account, and under “My data”, “personal data”, you can deactivate the cross-device analysis of your use of the website.
Opt-out cookies prevent the future collection of your data when you visit this website. To prevent Universal Analytics from recording information across various devices, you need to perform the opt-out procedure on all the systems used. Click here to activate the opt-out cookie: Deactivate Google Analytics
2. Integration of Google Maps
(1) Our website uses the Google Maps service. This allows us to display interactive maps directly within our website, and you will have user-friendly control of the map function.
(2) When you visit the website, the third-party provider receives the information that you have retrieved the relevant sub-pages of our website. Furthermore, the data described in no. 4 of this Privacy Statement will be transferred. This takes place regardless of whether Google provides a user account which you have logged into, or if no user account exists. If you are logged onto Google, your data will be directly correlated with your account. If you do not want Google to make the correlation with your profile, you need to log out before activating the button. Google stores your data in the form of a user profile, and uses it for the purposes of advertising, market research and/or for designing its website in a user-friendly manner. This kind of analysis is particularly performed (not only for logged-in users) for the purpose of delivering appropriate advertising, and to inform other users of the social network about your activities on our website. You have a right to object to the formation of these user profiles. You have to contact Google in order to exercise this right.
10. Plugins and tools
1. Google Web Fonts
This site uses web fonts provided by Google for the purpose of displaying fonts uniformly. When you visit a page, your browser will load the requisite web fonts into your browser cache, so that text and fonts will be displayed correctly. For this purpose, your browser must establish a connection to Google’s servers. This will enable Google to know that our website was visited via your IP address. Google Web Fonts are used to achieve a consistent and appealing website display. This constitutes a legitimate interest within the definition of Art. 6 para. 1 letter f GDPR.
If your browser does not support web fonts, your computer will provide a standard font.
Our website uses Ajax and jQuery technologies for the purpose of optimising loading speeds. As part of this process, Google servers will retrieve application libraries. Google’s CDN (Content Delivery Network) is used. If you previously used jQuery on another Google CDN page, your browser will retrieve the copy stored in the cache. If this is not applicable, it will request a download, at which point data will be transferred by your browser to Google Inc. (“Google”). Your data will be transferred to the USA. Further information is available from the provider’s website.
The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 letter f GDPR.