Privacy Policy

Table of Contents

Protecting your privacy is crucial for our business and we at commercetools are committed being a responsible, trustworthy custodian of our personal information. With this Privacy Policy we want you to better understand how we collect, use, protect, and share your personal data.  It describes the manner in which we collect, use, maintain, and may disclose personal data, within the contexts of visiting our websites, using our offerings through our website, and managing our relationships with prospects, customers, partners, suppliers, and other business partners.

As used in this Privacy policy, "personal data" or "personal information" means information relating to an identified or identifiable individual. This includes, for example, name, address, email address, business contact information or information collected through interactions with us via our websites or through other channels. Personal information is also referred to as "information about you."

In the following, the terms "user," "customer," "you" and "your" refer to the individuals whose personal data we may process or use and may occasionally be used interchangeably.

I. Name and contact details of the Controller

commercetools GmbH
Adams-Lehmann-Str. 44
80797 Munich
Email: info@commercetools.com
Phone: +49 (89) 99 82 996-0 

(hereinafter "commercetools", "we", "us").

However, the data controller may vary depending on the offer or the purpose of the processing and another of our commercetools Group companies may accordingly be the controller. You can find a list of our commercetools Group companies here.

We have concluded a joint controllership between commercetools GmbH and commercetools Inc. Please find the privacy notice regarding the joint controllership here.

II. Contact details of the Data Protection Officer

If you have general questions about data protection, please contact us:

privacy@commercetools.com

If you have any inquiries concerning the processing of personal data of individuals within Europe, you can also contact our Data Protection Officer directly:

Holzhofer Consulting GmbH
Martin Holzhofer
Lochhamer Str. 31
82152 Planegg

Email: info@commercetools.com

Phone: +49 (89) 99 82 996-0

III. Privacy policy for visitors to our website

The following information on data protection is to be provided pursuant to Art 13 et seq. GDPR where personal data are collected from the data subject on our website.

commercetools generally operates several websites, including but not limited to commercetools.com or modern-commerce-day.com (hereinafter "the websites") and would like to inform you in the following sections of this Privacy Notice, among other things, about the extent to which information about you is processed through the websites and the purposes for which such information is used.

The websites also include various subdomains (e.g. docs.commercetools.com) or other domains, many of which are covered by this Privacy Notice. Websites not covered by this Privacy Notice are governed by their own privacy policies.

1. Purposes for which the personal data are processed as well as the legal basis for the processing

1.1 Processing of access and analytics data

For technical reasons, we process a limited amount of data (so-called connection data) each time you access our website. This data is technically necessary to establish and execute a connection between your terminal device and our servers. This data is processed in the main memory of the web server for the duration of the connection:

The following data or data categories are collected:

  • IP address

  • Source port of the calling device or a gateway (e.g. firewall or proxy).

  • Timestamp (date and time) of the retrieval

  • Amount of data transferred

  • Message whether the retrieval was successful (using HTTP error code)

  • Message why a retrieval failed, if applicable (using HTTP error code).

  • Referer (web page from which calls were made to our main page or sub-pages)

  • User agent (type of browser you use to access our website and its version)

  • Display screen width and height

  • Language settings of your browser

  • Operating System used

  • Geographical point of view (only the country)

  • User UUID

  • Cloud vendor and region

  • Job title and company name

  • Usage patterns (e.g., clicks, scrolling, mouve movement)

The IP address, timestamp, HTTP error code, referer and user agent are automatically logged when our websites are accessed in order to ensure the functionality and protection of our websites. Furthermore, the logs serve to optimize the website. Your IP address is only processed in the logs in abbreviated form and is thus anonymized. A creation of user profiles with personal reference is not possible for us with this data.

The processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.  A legitimate interests assessment was carried out and came to the conclusion that the processings are necessary to safeguard our legitimate interests and that these outweigh your interests, fundamental rights and freedoms which require protection of personal data.

1.2 Cookies and related technologies

1.2.1 General

This website partly uses so-called cookies and related technologies (e.g. scripts). Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your terminal device and saved by your browser, for example to "remember" information about you, such as your language settings or login information. These cookies are sometimes set by us and are referred to as first-party cookies. We also use third-party cookies, which come from a different domain than the one of the website you are visiting.

Basically, we distinguish between the following cookie categories:

  • Technically necessary cookies

  • Functional cookies

  • Performance cookies

  • Cookies for marketing purposes

  • Social media cookies

You can also find more information on the individual categories as well as the option to reject each cookie category (with the exception of the technically necessary cookies) and in addition a list of all cookies used in the "Cookie Settings" under the following link:

1.2.2 Technically necessary cookies

Most of the cookies we use are so-called "session cookies". They are automatically deleted after the end of your visit. Such cookies are mandatory and technically necessary for the operation of the website and to provide the service requested by the user and can therefore not be disabled.

The processing is based on the legitimate interest pursuant to Art. 6 (1) lit. f GDPR.  A legitimate interests assessment was carried out and came to the conclusion that the processings are necessary to protect our legitimate interests and that these outweigh your interests, fundamental rights and freedoms which require protection of personal data.

1.2.3 Cookies requiring consent such as analysis and tracking cookies and related technologies (e.g. tracking scripts)

Additional advertising, marketing and analysis tools from third-party providers are integrated on our website. These are not technically necessary for the operation of the website, but serve, for example, to record the behavior of the user, to provide him advertising tailored to this or to enable an analysis of the use of our website.

These services become active only after you have explicitly given your consent using the Consent Banner.

An overview of all third-party services integrated on the Website, as well as detailed information on each of these services, can be found under section 6.

1.2.4 Data processing in connection with our contact form

When contacting commercetools via the contact form on the website, the information you provide will only be stored for the purpose of processing and answering the inquiry as well as for possible follow-up inquiries and, if necessary, for further support (unless you would like to subscribe to the newsletter at the same time by ticking the corresponding checkbox).

The following data or data categories are collected and processed in this process:

  • Name, first name

  • E-mail address

  • Name of your company

  • Position/Job Title

  • Phone number

  • Individual message

The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subject do not outweigh our interests in processing. We have a legitimate interest in answering your inquiry, for which the processing of the data and data categories mentioned here is necessary.

1.2.5 Newsletter registration

If you would like to be informed regularly about new products or other interesting topics, commercetools offers to receive a newsletter.

To subscribe to the newsletter, you can register by ticking the appropriate checkbox under the various forms (e.g. contact form, demo registration, whitepaper download). Subsequently, you will receive an activation link to the specified e-mail address, which you must activate to complete the registration (so-called double opt-in procedure).

The legal basis for the processing is Art. 6 (1) lit. a GDPR, i.e. your explicit and voluntary consent in combination with the double opt-in procedure.

You can withdraw your consent at any time and without giving reasons. You have two options to choose from:

You can unsubscribe from future receipt of the newsletter by clicking on the "unsubscribe" button, which can be found in every newsletter.

You can also send an informal email with your unsubscribe request to privacy@commercetools.com.

1.2.6 Download of white papers and other publications

Our websites offer you the opportunity to learn more about our company and download content. In doing so, we ask you to provide us with your contact information and other demographic information about you.

In order to provide you with the download, the following data or categories of data must be provided:

  • First and last name

  • Business email address

  • Name of your company

If you do not wish to subscribe to the newsletter at the same time by ticking the corresponding checkbox, the information you give will only be used to provide the requested whitepaper. The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in processing. We have a legitimate interest in providing users with special content by means of whitepapers, for which the processing of the data and data categories mentioned here is necessary.

1.2.7 Registering for a trial version

You can register for a free 60-day trial on our website.

In order to complete the registration, the following data or categories of data must be provided:

  • Name, first name

  • E-mail address

  • Name of your company

  • Position/Job Title

  • Demand (planned project)

  • Region

The data collected during registration will be processed exclusively for the purpose of providing the offer, i.e. for the implementation of pre-contractual measures with interested parties, unless you wish to subscribe to the newsletter at the same time by ticking the corresponding checkbox. The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in processing. We have a legitimate interest in carrying out pre-contractual measures with interested parties by providing a test access to demonstrate the functionality of our products, for which the processing of the data and data categories mentioned here is necessary.

1.2.8 Event registration and online events

On our website, www.modern-commerce-day.com, we use a third-party service to manage the event organization. 

Our legitimate interest in using this online platform for online events and event registrations is to improve the quality and availability of our service and event experience. The third-party service provider only processes personal data on our behalf to the extent necessary for the provision of the service. The platform may use cookies.

1.2.9 Usage and registration for the Training Center

On our website we offer you the opportunity to be provided with training regarding our products and services that we provide you with. This training is available under https://learn.commercetools.com. In regard to the training, we may process the following personal data of you:

  • Name, first name

  • E-mail address

  • Name of your company

  • Position/Job Title

  • Demand (planned project)

  • Region

  • Descriptions / text messages

  • IP address

  • Source port of the calling device or a gateway (e.g. firewall or proxy).

  • Timestamp (date and time) of the retrieval

  • Amount of data transferred

  • Message whether the retrieval was successful (using HTTP error code)

  • Message why a retrieval failed, if applicable (using HTTP error code).

  • Referer (web page from which calls were made to our main page or sub-pages)

  • User agent (type of browser you use to access our website and its version)

  • Display screen width and height

  • Language settings of your browser

If you are not registered for the training services yet you need to register for this training and to create a new account accordingly. In this context the following personal data may be processed:

  • Name, first name

  • E-mail address

  • Name of your company

  • Position/Job Title

  • Demand (planned project)

  • Region

  • Descriptions / text messages

  • IP address

  • Source port of the calling device or a gateway (e.g. firewall or proxy).

  • Timestamp (date and time) of the retrieval

  • Amount of data transferred

  • Message whether the retrieval was successful (using HTTP error code)

  • Message why a retrieval failed, if applicable (using HTTP error code).

  • Referer (web page from which calls were made to our main page or sub-pages)

  • User agent (type of browser you use to access our website and its version)

  • Display screen width and height

  • Language settings of your browser

The data collected during the usage and registration will be processed exclusively for the purpose of providing the training services. The legal basis for processing your data is our contractual relationship pursuant to Art. 6 (1) lit. b GDPR.

Your account, user profile and credentials that are being created will be transferred to and processed for the log-in process by a third-party service provider, which also provides the service of a so-called "Single Sign On", which means that, in case you have registered several accounts with us, you can log-in with one account that is also valid for the other registered accounts of commercetools. Consequently, there is no need to log-in for each covered account separately when using it. In case you have already registered more than one covered account with us, these covered accounts will be merged by our third-party service provider. The following, but may be not limited to, personal data will be transferred to and processed by the third-party service provider:

  • User profile information

  • Contact information

  • Authentication information

2. Automated decision making including profiling

Automated individual decision-making including profiling according to Art. 22 (1) and (4) GDPR do take place on the part of commercetools GmbH.

3. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise, for example, in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis:

  • of an adequacy decision of the European Commission according to Art. 45 GDPR.

  • of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.

  • of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, when using our website, a transfer of personal data to third countries (in particular to the USA) takes place through the use of third-party services in the following cases:

  • Service provider for hosting and operation of logging in services with third party user data, 

  • Service provider for advertising, remarketing and analytics purposes (including cookies, tags, pixels)

  • Service provider for hosting servers for the provision of web-based services, such as videos that are integrated into our online offer, website performance, visualization and chatbot 

  • Service provider for operation of e-mail servers and social media analytics

  • Software service provider, e.g. for CRM systems

4. Categories of recipients of the personal data

For the processing of personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

  • Provider of servers for the purpose of hosting our websites

  • IT service provider to maintain our IT infrastructure

  • External service providers for additional services

  • Marketing and analytics service providers

  • Further processors within the meaning of Art. 28 GDPR in the course of the order processing

 

These service providers process information about you on our behalf and based on our instructions and are contractually bound to comply with applicable data protection laws.

Other recipients are affiliated companies of the commercetools Group. As a global company, we also share your information with affiliates within the Group. You can find a list of commercetools Group companies here.

Your data will also be passed on if we are legally obliged to do so.

5. Period for which the personal data will be stored or criteria used to determine that period

Personal data will only be stored for as long as necessary to fulfill the purposes stated here or as required by the retention periods specified by law. After the respective purpose ceases to apply or after the retention periods have expired, the data will be deleted in accordance with the statutory provisions.

We store your data for advertising purposes until you object to its use, withdraw your consent, or until it is no longer legally permissible to use it.  We store your other data for as long as we need it to fulfill the specific purpose (e.g. to fulfill or process a contract) and delete it when the purpose no longer applies.

All connection data (access logs) are automatically deleted from the web server's memory shortly after the end of the connection. The anonymized access logs are stored for 31 days. In the event that parts of the access logs are required for the purpose of preserving evidence, these are excluded from deletion until the respective incident has been finally clarified.

IV. Privacy policy for our customers, prospective customers and partners

The following information is to be provided pursuant to Art. 13 et seq. GDPR where personal data are collected from our customers and prospective customers.

Our offer is addressed exclusively to entrepreneurs, tradesmen, freelancers and public institutions. Contracts with consumers according to Sec. 13 of the German Civil Code are not concluded.

1. Purposes for which the personal data are processed as well as the legal basis for the processing

1.1 Handling of inquiries and preparation of offers (Art. 6 (1) lit. f GDPR)

If you are interested in our offered goods and services (e.g. our cloud-based e-commerce platform and related training, consulting, technical support, licenses, maintenance contracts, etc.), we process and store the following data for the purpose of processing your inquiry and preparing an offer when you contact us (e.g. by e-mail, telephone or contact form on our website):

  • Title

  • Name, first name

  • Company/organization and possibly department within the company

  • Position in the company

  • Business address

  • Business phone numbers

  • Business fax number

  • Business email address

  • Individual message

  • Product interest

  • Conversation notes from sales and customer support calls and live chat sessions, if applicable.

We reserve the right to inquire about your decision by telephone or e-mail within 3 months after you have submitted our offer, provided you have not objected to our inquiry.

The legal basis for the processing is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the processing of your data is necessary to answer your inquiry and if necessary, for further pre-contractual measures and that our interest outweighs your interests or fundamental rights and freedoms to protect your data.

1.2 Implementation and execution of contracts (Art. 6 (1) lit. f GDPR)

In order to implement and fulfill an existing contractual relationship, in particular to provide services owed (e.g. provision of our cloud-based e-commerce platform and associated execution of services such as maintenance and support, consulting and training) and to send you contractual documents, we and any third parties or processors commissioned by us process the following data from you, insofar as you have provided us with this when concluding the contract or in the course of the contractual relationship:

  • Contact details of contact persons and, if applicable, other employees in the company of the business customer

    • Title

    • Name, first name

    • Company/organization and possibly department within the company

    • Position in the company

    • Business address

    • Business phone numbers

    • Business fax number

    • Business email address

  • Signature of the person(s) signing contractual documents, if applicable

  • Further information that is required to process in the context of a project or the handling of a contractual relationship with commercetools or which is provided voluntarily by our contact persons

    • Orders placed (especially products and services ordered)

    • Transacted inquiries

    • Project details

    • Conversation notes from sales and customer support calls and live chat sessions, if applicable.

  • Information collected from publicly available sources, information databases, or credit reporting agencies

For invoicing, monitoring and collection of trade receivables, we process contact details of accounting contacts and other persons entrusted with these processing operations.

If you make use of the offer of our trainings and courses and register for them (e.g. online via our website or by e-mail), we process the following data for the planning and execution of the trainings and, if applicable, for the creation and sending of personalized certificates of participation:

  • Personal data of the training participants

    • Name, first name

    • Company/organization and possibly department within the company

    • Email address

    • Address

  • Personal details of the payer

    • Name, first name

    • Company/organization and possibly department within the company

    • Field of activity

    • Company address

    • Phone number

  • Other information such as: Course date, duration, location, price, date of registration/time stamp.

The training participants are usually employees of our customers and prospective customers.

We also use online video conferencing systems of the respective customer or alternatively our own system for various services, e.g. for technical support or for conducting training/education for customers. The activation of video transmission is the responsibility of the respective participant and is not linked to any advantages or disadvantages in the provision of the service. A recording of the video conferences by us shall only be made upon request and in consultation with all participants. If, in exceptional cases, recording by us is necessary, consent will be obtained from the participants in accordance with Art. 6 (1) lit. a in conjunction with Art. 7 GDPR.

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation and fulfillment of contracts with our customers. We have a legitimate interest in the implementation and performance of contractual obligations with our customers, for which the processing of the data and data categories mentioned here is necessary.

1.3 Implementation of marketing activities

In the case of an advertising approach, we will only contact you via the communication channels to which you have consented, subject to mailing. For this purpose, we use your data for the following purposes:

  • Quality assurance: In order to continuously improve our performance, our products and our services for you, we conduct surveys on your satisfaction, as well as your experiences from your contractual relationship.

  • E-mail advertising using newsletter

  • Invitations to specific events

  • Communication regarding downloaded whitepapers

We receive your personal data for contacting you either directly from you and/or from third-party providers. In this context, third-party providers are social networks and/or other contact data generating networks that provide us with your personal data collected from public sources or directly from you.

The legal basis for the processing is generally Article 6 (1) lit. a GDPR. Pursuant to Article 7 (3) GDPR, you can always withdraw your consent with effect for the future by sending an e-mail to the e-mail address specified in Section VII Section 1.

Without separate consent, the legal basis may also be our legitimate interest for the purpose of direct advertising (in accordance with Article 6 (1) lit. f GDPR in conjunction with Article 95 GDPR, Section 7 (3) German Act against Unfair Competition) provided that your fundamental rights and freedoms do not conflict. In accordance with Art. 21 GDPR, you can always object to data processing on the basis of our legitimate interests with effect for the future by contacting the e-mail address stated in Chapter VII, Section 1.

2. Obligation to provide the data

The provision of the data specified in section 1.2 is mandatory. If you do not provide us with this information, a contract will not be concluded with us. All other data is provided voluntarily.

3. Automated decision making including profiling

Automated individual decision making including profiling according to Art. 22 (1) and (4) GDPR do take place on the part of commercetools GmbH.

4. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise, for example, in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis:

  • of an adequacy decision of the European Commission according to Art. 45 GDPR.

  • of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.

  • of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, in the context of pre-contractual measures and in connection with the conclusion and performance of a contract, data transfers to countries outside the EU and the European Economic Area ("Third Countries") take place in the following cases:

  • In the course of our global sales, marketing and support services, our customer relationship management or in the course of using our central IT services, we transfer data to affiliated companies within the commercetools Group located outside the EU/EEA. You can find a list of commercetools Group companies here.

  • By using third-party providers, personal data is transmitted to service providers in the USA and Australia in the context of:

    • Service provider of CRM Software services

    • Service provider of Marketing activities, such as sales engagement, leads generation, and customer review applications,

    • Service provider to optimize our relationship with potential customers, such as ABM software, communication platforms, 

    • Service provider to manage our relationship with customers and partners relationship and communication,

    • Service provider of contract management.

5. Recipients of data and data sources

5.1 Categories of recipients of the personal data

In order to process personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

  • Service provider for hosting and operation of the online video conferencing system and the software for remote maintenance for technical customer support

  • Service provider for hosting servers for the provision of web-based services

  • Service provider for operation of e-mail servers

  • Software service provider, e.g. for CRM systems, ABM software, lead generation and communication platforms, etc. 

Other recipients who are not processors:

  • Financial institutions and providers of payment services for settlements as well as processing of payments

  • Lawyers for the defense and enforcement of claims

  • Tax consultant for financial accounting and preparation of balance sheets

  • Debt collection service providers and competent courts in order to collect receivables and enforce claims in court. If personal data (customer and contact data, payment data and data on the claim) is transferred to a debt collection service provider in the event of collection, we will inform you in advance of the intended transfer.

  • Affiliated commercetools Group companies: As a global company, we also share your information with affiliated companies within the commercetools Group. You can find a list of commercetools Group companies here.

In addition, we will only disclose your personal data to third parties if you have given your express prior consent. You have the right to withdraw your consent at any time with effect for the future.

Your data will also be passed on if we are legally obliged to do so.

5.2 Data sources

We process personal data that we have received from prospective customers and customers in the course of our business relationships.

Insofar as it is necessary for the provision of our service, we process personal data that we permissibly obtain from publicly accessible sources (debtor directories, land registers, commercial and association registers, press, Internet) or that we are legitimately provided with by other third parties (a credit agency or an address service provider).

6. Period for which the personal data will be stored or criteria used to determine that period

Personal data will only be stored as long as necessary to fulfill the purposes mentioned here or as required by the retention periods specified by law.

We delete data from inquiries about our products and services in accordance with the statutory retention obligations, which arise primarily from commercial and tax law (in particular §§ 147 AO and 257 HGB).

We store your data for the period of the existing contract and after termination of the contract with you for a period until receipt of the tax assessment notice for the year in which the contract was terminated. In the event that the notice is not final, the data will be stored until the completion of the complete company audit. In addition, we store your data for the duration of the settlement of legal disputes and the assertion, exercise or defense of legal claims. If there are statutory retention periods, we are obliged to store the data until these periods expire. After expiry of the statutory retention periods, which result primarily from commercial and tax law (in particular §§ 147 AO and 257 HGB), we delete this data again.

We store your data for advertising purposes until you object to its use, you withdraw your consent or the use is no longer permitted by law. We store your other data for as long as we need it to fulfill the specific purpose (e.g. to fulfill or process a contract) and delete it after the purpose no longer exists.

7. Security

commercetools takes appropriate technical and organizational measures (TOM) to protect personal data from loss, destruction, manipulation and unauthorized access.

Information about our security measures can be found here.

V. Privacy policy for our suppliers and business partners

The following information is to be provided pursuant to Art. 13 et seq. GDPR where personal data are collected from our suppliers and service providers commissioned by us.

1. Purposes for which the personal data are processed as well as the legal basis for the processing

Implementation and execution of our business relationship with suppliers and business partners (Art. 6 (1) lit. f GDPR)

In order to be able to carry out and maintain the business relationship with suppliers or business partners, in particular to carry out contract preparation and fulfillment, provide communication channels, deliver goods and carry out pre-contractual measures, we and any third parties or processors, process the following data from the supplier or business partner:

  • Contact information of the contact person and, if applicable, other employees at the supplier or business partner's company

    • First name and surname

    • Business address

    • Business phone number

    • Business mobile phone number

    • Business fax number

    • Business email address

  • Signature of the person(s) signing contractual documents, if applicable

  • Payment data, such as information required to process payment transactions or prevent fraud

  • Further information whose processing is required in the context of a project or the handling of a contractual relationship with commercetools, or which is provided voluntarily by our contacts

    • Orders placed

    • Transacted inquiries

    • Project details

  • Information collected from publicly available sources, information databases, or credit reporting agencies

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation of pre-contractual measures and the implementation and fulfillment of supplier and business partner contracts. We have a legitimate interest in the initiation, implementation and settlement of the business relationship with our suppliers and business partners, for which the processing of the above mentioned data is necessary.

2. Obligation to provide the data

The provision of the data specified in section 1 is mandatory. If you do not provide us with this information a business relationship or a contract with us would not be possible.

3. Automated decision making including profiling

Automated individual decision making including profiling according to Art. 22 (1) and (4) GDPR do not take place on the part of commercetools GmbH.

4. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise, for example, in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis:

  • of an adequacy decision of the European Commission according to Art. 45 GDPR.

  • of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.

  • of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, in the context of pre-contractual measures and in connection with the conclusion and performance of a contract with suppliers and business partners, data transfer to countries outside the EU and the European Economic Area ("Third Countries") takes place in the following cases:

  • In the course of our global sales, marketing and support services, our customer relationship management or in the course of using our central IT services, we transfer data to affiliated companies within the commercetools Group located outside the EU/EEA. You can find a list of commercetools Group companies here.

  • By using third-party providers, personal data is transmitted to  service providers in the USA in the context of contract management.

5. Recipients of data and data sources

5.1 Categories of recipients of the personal data

In order to process personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

  • Service provider for hosting servers for the provision of web-based services

  • Service provider for operation of e-mail servers

  • Software service provider e.g. for sales, marketing, contract management and support services

Other recipients who are not processors:

  • Financial institutions and providers of payment services for billings as well as processing of payments

  • Lawyers for the defense and enforcement of claims

  • Tax consultants for financial accounting and preparation of balance sheets

  • Credit bureaus and scoring providers for credit reports, for assessing the risk of default

  • Affiliated commercetools Group companies: As a global company, we also share your information with affiliated companies within the commercetools Group. You can find a list of commercetools Group companies here.

In addition, we will only disclose your personal data to third parties if you have given your express prior consent. You have the right to withdraw your consent at any time with effect for the future.

Your data will also be passed on if we are legally obliged to do so.

5.2 Data sources

We process personal data that we have received from suppliers and business partners in the course of our business relationships.

Insofar as it is necessary for the provision of our service, we process personal data that we permissibly obtain from publicly accessible sources (debtor directories, land registers, commercial and association registers, press, Internet) or that we are legitimately provided with by other third parties (a credit agency or an address service provider).

6. Period for which the personal data will be stored or criteria used to determine that period

Personal data will only be stored as long as necessary to fulfill the purposes mentioned here or as required by the retention periods specified by law.

We store your data for the period of the existing contract and after termination of the contract with you, for a period until the completion of the tax audit of the last calendar year in which you were our supplier or business partner. In addition, we store your data for the duration of the settlement of legal disputes and the assertion, exercise or defense of legal claims. If there are statutory retention periods, we are obliged to store the data until the expiry of these periods. After expiry of the statutory retention periods, which result primarily from commercial and tax law (in particular §§ 147 AO and 257 HGB), we delete this data again.

VI. Privacy policy for applicants

1. Privacy notice for processing in connection with an access of our career portal at https://boards.greenhouse.io/commercetools and in the context of processing personal data for the purpose of recruiting

The following information is to be provided pursuant to Art. 13 et seq. GDPR when collecting personal data on https://boards.greenhouse.io/commercetools (hereinafter "career portal").

Note: If you are interested in one of the job offers on our career site (https://commercetools.com/careers/jobs) and therefore click on it, you will automatically be redirected to a (sub-) domain of our service provider Greenhouse. Greenhouse provides our career portal, which you can use to apply for a job with us (for more information on the service provider Greenhouse, see section 1.3.).

1.1 Processing of access data

For technical reasons, a limited amount of data (so-called connection data) is processed each time you access the Greenhouse career portal. These data (so-called log files) are technically necessary to establish and execute a connection between your terminal device and the servers of our career portal. The data is processed in the main memory of the web server for the duration of the connection:

The following data or data categories are collected:

  • IP address

  • Source port of the calling device or a gateway (e.g. firewall or proxy).

  • Timestamp (date and time) of the retrieval

  • Amount of data transferred

  • Message whether the retrieval was successful (by means of HTTP error code)

  • Message why a retrieval failed, if applicable (using HTTP error code).

  • Referer (web page from which calls were made to our main page or sub-pages)

  • User agent (type of browser you use to access our website and its version)

  • Display screen width and height

  • Language settings of your browser

The IP address, timestamp, HTTP error code, referer and user agent are automatically logged when the career portal is called up in order to ensure the functionality and protection of the website. Furthermore, the logs serve to optimize the website. A creation of user profiles with personal reference is not possible with this data.

The processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.  A legitimate interests assessment was carried out and came to the conclusion that the processing operations are necessary to protect our legitimate interests in providing and optimizing the content and informational functions of the career portal accessed by you in a user-friendly manner and in ensuring the security of the IT infrastructure used to provide the career portal and that these interests outweigh your interests, fundamental rights and freedoms that require the protection of personal data.

1.2 Cookies and related technologies

Greenhouse sometimes uses so-called cookies and related technologies (e.g. scripts) on the career portal. Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make the offer more user-friendly, effective and secure. Cookies are small text files that are stored on your terminal device and saved by your browser, for example, to "remember" information about you, such as your language settings or login information.

Since these cookies are not set by us, they are so-called third-party cookies. These originate from a domain other than that of the commercetools website you originally visited. These cookies can be set either directly by the service provider Greenhouse or by another third-party provider.

1.3 Processing of personal data for the context of background checks as well as legal basis

In case of a successful hiring process, you may be required to verify identity and eligibility to work, which may also include a criminal background check under certain circumstances (e.g. depending on department and job position), in order to be validly employed by commercetools. The result of such background checks will only be stored while the record has not been evaluated and will be delete once the review is done by commercetools.

The following data or data categories may be collected and processed in this process, depending on the position and the location you have applied:

  • Personal identification data, such as name, nationality, date of birth/place, national identity card, parent’s name,  

  • Current and previous addresses

  • Name of your current and previous employer

  • Position/Job Title

  • Phone number

  • Educational history

  • Criminal records

The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subject do not outweigh our interests in processing. We have a legitimate interest in answering your inquiry, for which the processing of the data and data categories mentioned here is necessary.

1.4 Recipients of data and data sources

1.4.1 Categories of recipients of the personal data

In order to process personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

  • Service provider for hosting servers for the provision of web-based services, in this case, the recruiting tool Greenhouse

  • Service provider for operation of fraud detection service

  • Service service provider for contract management

  • Service provider for background checks.

Other recipients who are not processors:

  • Affiliated commercetools Group companies: As a global company, we also share your information with affiliated companies within the commercetools Group. You can find a list of commercetools Group companies here.

2. Privacy notice for processing in connection with the recruiting process by submitting an application

2.1 EU/EEA/German Applicants

2.1.1 Personal data we use regarding the recruiting process

  • Personal master data (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)

  • Job / application related data (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)

  • Communications data (e.g. e-mails, IP-address, login-data)

  • Special categories (e.g. health data)

2.1.2 Sources from where we collect personal data

We collect personal data from you during the application process.

2.1.3 Purpose for processing personal data

We process personal data from you for the purpose to carry out the recruiting process. In this context, if located in Germany, personal data may be processed that is necessary for the decision to enter into an employment relationship with you, pursuant to § 26 sec. 1 Bundesdatenschutzgesetz (BDSG).

Moreover, we may process personal data from you in relation to the recruiting process that you are providing to us based on a voluntary consent, pursuant to Article 6 sec. 1 lit. a General Data Protection Regulation (GDPR), § 26 sec. 2 BDSG (§ 26 sec. 2 BDSG if located in Germany). This can be in particular the case regarding the integration of your personal data in respect of our talent pool. Furthermore, we may process special categories of personal data from you in relation to the recruiting process that you are providing to us based on a voluntary explicit consent, pursuant to Article 9 sec. 2 lit. a GDPR. You can revoke this declaration of consent at any time without giving reasons, with effect for the future. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right. From the receipt of your revocation declaration, we will process your personal data no longer than required by the provisions of law on retention of records.

2.1.4 To whom personal data will be passed on

Your personal data will be processed mainly within our human resources department. However, it can be the case that your personal data will be shared with the relevant departments, depending on the position you have applied to, within our company in order to carry out the recruiting process. Furthermore, your personal data may be passed on to certain service providers for the recruiting management, hosting and maintenance services.

2.1.5 Transfer of personal data outside the European Union and European Economic Area

We transfer personal data during the recruiting process outside the European Union (EU) and the European Economic Area (EEA). In this regard we particularly transfer personal data to the United States of America (US). There is currently no adequate decision from the EU Commission applicable for the US. Personal data that is processed outside the EU and EEA may not be covered by the same level of data protection as applicable in the EU and EEA. For this reason, we have entered into data processing agreements and the standard contractual clauses provided by the EU Commission with our service providers in countries outside the EU and EEA. In this regard, these measures provide an appropriate guarantee for the processing of your personal data outside the EU and EEA.

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise, for example, in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis:

  • of an adequacy decision of the European Commission according to Art. 45 GDPR.

  • of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.

  • of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, in the context of recruiting and in connection with the conclusion of a contract, if applicable, data transfers to countries outside the EU and the European Economic Area ("Third Countries") take place in the following cases:

  • In the course of recruiting or in the course of using our central IT services, we transfer data to affiliated companies within the commercetools Group located outside the EU/EEA. You can find a list of commercetools Group companies here.

  • By using third-party providers, data is transmitted to the following service providers in the USA, as informed in Section 1.3 of this Privacy Policy for applicants.

2.1.6 Automated decision-making, profiling

In respect of our recruiting process, we do not exercise any automated decision-making nor profiling.

2.1.7 Storage of personal data

Your personal data will be stored as long as it is necessary for the completion of the recruiting process. In principle, where no employment relationship has been established, we will store your personal data for up to six months after completion of the recruiting process due to evidence purposes in order to protect us against possible legal claims.

In cases where you revoke your declaration of consent for the processing of personal data we will stop processing your personal data from the point of your revocation and we will delete your personal data in accordance with the provisions of the applicable laws on retention of records.

2.2 UK Applicants

2.2.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

  • Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)

  • Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)

  • Communications data / information (e.g. e-mails, IP-address, login-data)

  • Special categories (e.g. health data)

2.2.2 Sources from where we collect personal data / information

We collect personal data from you during the application process.

2.2.3 Purpose and legal basis for processing personal data / information

We process personal data / information from you for the purpose to carry out the recruiting process. In this context, personal data / information may be processed that is necessary for the decision to enter into an employment relationship with you. Furthermore, we process personal data / information from you that you have provided us voluntarily including your consent for us to process it. In addition, your provided personal data / information may be of particular importance to us, and we have a specific legitimate interest under law to process it or we may have a legal obligation to process it or where necessary to protect the vital interests of you or any person.

If the collection or processing is based on your consent, you may withdraw your consent at any time to the extent permitted by applicable law. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right.

2.2.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

  • Processing your application

  • Assessing your qualifications and capabilities

  • Conducting reference checks

  • Communicating with you regarding your application

  • Complying with or monitoring compliance with any applicable law or regulation

  • Enforcing our terms and conditions

  • Cooperating with law enforcements

  • Conducting background checks consistent with applicable law

If we are going to enter into an employment relationship with you, personal data / information we collect linked with your application may be incorporated into our human resources and contract management system and used to manage the onboarding process, including the execution of contractual documents, if applicable.

2.2.5 To whom personal data will be passed on

We may share personal data / information of you with our affiliates that are involved in the particular recruiting process. If your personal data / information will be shared the personal data / information will be shared on a need- to-know basis. We may also share personal data / information with approved third-party service providers to facilitate the services they provide to us, including hosting and operating our careers site and recruiting management.

2.2.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data to the EU as well as US.

2.2.7 Storage of personal data / information

Your personal data will be stored as long as it is necessary for the completion of the recruiting process. In principle, where no employment relationship has been established, we will store your personal data for up to six months after completion of the recruiting process due to evidence purposes in order to protect us against possible legal claims.

In cases where you revoke your declaration of consent for the processing of personal data we will stop processing your personal data from the point of your revocation and we will delete your personal data in accordance with the provisions of the applicable laws on retention of records.

2.2.8 Your rights

You have the right at any time to exercise your rights, which include:

  • Right to information of your personal data / information

  • Right to rectification of your personal data / information

  • Right to erasure of your personal data / information

  • Right to restriction of processing of your personal data / information

  • Right to data portability of your personal data / information

  • Right to object the processing of your personal data / information

In order to enforce your rights please contact us.

2.2.9 Complaints

You also have the right to complain to your local data protection authority. In the UK this is the Information Commissioner’s Office whose contact details are accessible here: https://ico.org.uk/ and for complaints please see here: https://ico.org.uk/make-a-complaint/.

2.2.10 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

2.3 US Applicants

2.3.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

  • Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)

  • Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)

  • Communications data / information (e.g. e-mails, IP-address, login-data)

  • Special categories (e.g. health data)

As permitted with applicable law, we may ask questions about race/ethnic origin, gender, veteran status and disability of our applicants, for the monitoring of equal employment opportunity compliance. Furthermore, we may ask about criminal records following a conditional offer of employment, where permitted by applicable law.

If you provide us with personal information of a reference or any other individual as part of your application, it is your responsibility to obtain consent from that individual prior providing the information to us. By providing that personal information, you are affirming that you have obtained such consent from the individual.

2.3.2 Sources from where we collect personal data / information

We collect personal data from you during the application process.

2.3.3 Purpose and legal basis for processing personal data / information

We process personal data / information from you for the purpose to carry out the recruiting process. In this context, personal data / information may be processed that is necessary for the decision to enter into an employment relationship with you. Furthermore, we process personal data / information from you that you have provided us voluntarily including your consent for us to process it. In addition, your provided personal data / information may be of particular importance to us, and we have a specific legitimate interest under law to process it or we may have a legal obligation to process it or where necessary to protect the vital interests of you or any person.

If the collection or processing is based on your consent, you may withdraw your consent at any time to the extent permitted by applicable law. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right.

2.3.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

  • Processing your application

  • Assessing your qualifications and capabilities

  • Conducting reference checks

  • Communicating with you regarding your application

  • Complying with or monitoring compliance with any applicable law or regulation

  • Enforcing our terms and conditions

  • Cooperating with law enforcements

  • Conducting background checks consistent with applicable law

If we are going to enter into an employment relationship with you, personal data / information we collect linked with your application may be incorporated into our human resources and contract management system and used to manage the onboarding process, including the execution of contractual documents, if applicable.

2.3.5 To whom personal data will be passed on

We may share personal data / information of you with our affiliates that are involved in the particular recruiting process. If your personal data / information will be shared the personal data / information will be shared on a need- to-know basis. We may also share personal data / information with approved third-party service providers to facilitate the services they provide to us, including hosting and operating our careers site and recruiting management.

2.3.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data / information outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data / information to the EU.

2.3.7 Storage of personal data / information

Your personal data will be stored as long as it is necessary for the completion of the recruiting process. In principle, where no employment relationship has been established, we will store your personal data for up to six months after completion of the recruiting process due to evidence purposes in order to protect us against possible legal claims.

In cases where you revoke your declaration of consent for the processing of personal data we will stop processing your personal data from the point of your revocation and we will delete your personal data in accordance with the provisions of the applicable laws on retention of records.

2.3.8 Your rights

You have the right at any time to exercise your rights, which include:

  • Right to information of your personal data / informationRight to rectification of your personal data / information

  • Right to erasure of your personal data / information

  • Right to restriction of processing of your personal data / information

  • Right to data portability of your personal data / information

  • Right to object the processing of your personal data / information

In order to enforce your rights please contact us.

2.3.9 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

2.4 Australian Applicants

2.4.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

  • Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)

  • Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)

  • Communications data / information (e.g. e-mails, IP-address, login-data)

  • Special categories (e.g. health data)

2.4.2 Sources from where we collect personal data / information

We collect personal data from you during the recruiting process.

2.4.3 Purpose and legal basis for processing personal data / information

We process personal data / information from you for the purpose to carry out the recruiting process. In this context, personal data / information may be processed that is necessary for the decision to enter into an employment relationship with you. Furthermore, we process personal data / information from you that you have provided us voluntarily including your consent for us to process it. In addition, your provided personal data / information may be of particular importance to us, and we have a specific legitimate interest under law to process it or we may have a legal obligation to process it or where necessary to protect the vital interests of you or any person.

If the collection or processing is based on your consent, you may withdraw your consent at any time to the extent permitted by applicable law. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right.

2.4.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

  • Processing your application

  • Assessing your qualifications and capabilities

  • Conducting reference checks

  • Communicating with you regarding your application

  • Complying with or monitoring compliance with any applicable law or regulation

  • Enforcing our terms and conditions

  • Cooperating with law enforcements

  • Conducting background checks consistent with applicable law

If we are going to enter into an employment relationship with you, personal data / information we collect linked with your application may be incorporated into our human resources and contract management system and used to manage the onboarding process, including the execution of contractual documents, if applicable.

2.4.5 To whom personal data will be passed on

We may share personal data / information of you with our affiliates that are involved in the particular recruiting process. If your personal data / information will be shared the personal data / information will be shared on a need- to-know basis. We may also share personal data / information with approved third-party service providers to facilitate the services they provide to us, including hosting and operating our careers site and recruiting management.

2.4.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data / information outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data / information to the EU.

2.4.7 Storage of personal data / information

Your personal data will be stored as long as it is necessary for the completion of the recruiting process. In principle, where no employment relationship has been established, we will store your personal data for up to six months after completion of the recruiting process due to evidence purposes in order to protect us against possible legal claims.

In cases where you revoke your declaration of consent for the processing of personal data we will stop processing your personal data from the point of your revocation and we will delete your personal data in accordance with the provisions of the applicable laws on retention of records.

2.4.8 Your rights

You have the right at any time to exercise your rights, which include:

  • Right to access your personal data / information

  • Right to have your personal data / information being corrected

  • Right to withdraw your consent for processing your personal data / information

In order to enforce your rights please contact us.

2.4.9 Complaints

If you think your personal data / information has been mishandled you can contact us at any time and we will review your complain and, if appropriate, we will act accordingly in order to stop / correct the mishandling.

2.4.10 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

2.5 Singapore Applicants

2.5.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

  • Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)

  • Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)

  • Communications data / information (e.g. e-mails, IP-address, login-data)

  • Special categories (e.g. health data)

2.5.2 Sources from where we collect personal data / information

We collect personal data from you during the recruiting process.

2.5.3 Purpose and legal basis for processing personal data / information

We process personal data / information from you for the purpose to carry out the recruiting process. In this context, personal data / information may be processed that is necessary for the decision to enter into an employment relationship with you. Furthermore, we process personal data / information from you that you have provided us voluntarily including your consent for us to process it.

If the collection or processing is based on your consent, you may withdraw your consent at any time to the extent permitted by applicable law. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right.

2.5.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

  • Processing your application

  • Assessing your qualifications and capabilitiesConducting reference checks

  • Communicating with you regarding your application

  • Complying with or monitoring compliance with any applicable law or regulation

  • Enforcing our terms and conditions

  • Cooperating with law enforcements

  • Conducting background checks consistent with applicable law

If we are going to enter into an employment relationship with you, personal data / information we collect linked with your application may be incorporated into our human resources and contract management system and used to manage the onboarding process, including the execution of contractual documents, if applicable.

2.5.5 To whom personal data will be passed on

We may share personal data / information of you with our affiliates that are involved in the particular recruiting process. If your personal data / information will be shared the personal data / information will be shared on a need- to-know basis. We may also share personal data / information with approved third-party service providers to facilitate the services they provide to us, including hosting and operating our careers site and recruiting management.

2.5.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data / information outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data / information to the EU.

2.5.7 Storage of personal data / information

Your personal data will be stored as long as it is necessary for the completion of the recruiting process. In principle, where no employment relationship has been established, we will store your personal data for up to six months after completion of the recruiting process due to evidence purposes in order to protect us against possible legal claims.

In cases where you revoke your declaration of consent for the processing of personal data we will stop processing your personal data from the point of your revocation and we will delete your personal data in accordance with the provisions of the applicable laws on retention of records.

2.5.8 Your rights

You have the right at any time to exercise your rights, which include:

  • Right to access your personal data / information

  • Right to have your personal data / information being corrected

  • Right to withdraw your consent for processing your personal data / information

In order to enforce your rights please contact us.

2.5.9 Complaints

If you think your personal data / information has been mishandled you can contact us at any time and we will review your complain and, if appropriate, we will act accordingly in order to stop / correct the mishandling.

2.5.10 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

VII. Information on your data subject rights

1. Data subject rights according to Chapter III of the GDPR

You have the right to request from us access to personal data (Art. 15 GDPR) and the rectification of inaccurate personal data (Art. 16 GDPR). Furthermore, you have the right to obtain the erasure of personal data (Art. 17 GDPR) concerning your person, the right to restriction of processing (Art. 18 GDPR) and the right to receive (Art. 20 GDPR) the personal data provided to us by you, in a structured, commonly used and machine-readable format.

In addition, you have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).

Where the processing is based on your given consent you can withdraw the consent (Art. 7 Sec. 3 GDPR) at any time. Upon receipt of your withdrawal of consent, we will no longer use or process the data concerned for purposes mentioned in your consent.

If you wish to exercise your data subject rights, please send your request by e-mail to privacy@commercetools.com or by mail to the address mentioned in chapter I (Name and contact details of the controller).

2. Rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

If you live in California and have a business, employment, independent contractor, or application for employment relationship with us, in addition to any other rights provided herein (including those in Section VI.2.3 “US Applicants”), you may request a list of the third parties to whom we have disclosed information about you for their marketing purposes. You may make such a request no more than twice per year. To exercise your rights or if you have questions or concerns about our privacy policies or practices, you may email us at privacy@commercetools.com or write to us at the address provided here. We will respond to you within 30 days.

You may also request that we provide you with an accounting of your personal data held by commercetools. You may also request that commercetools delete your personal data or correct any inaccurate personal data. You may also make such requests to privacy@commercetools.com

Upon verification of your identity and within 45 days, we will provide you with a paper copy of your personal information via the United States Postal Service.

commercetools will not discriminate against any end user who exercises his or her rights under the California Consumer Privacy Act and California Privacy Rights Act. commercetools does not sell or share your personal information as those terms are defined in the California Consumer Privacy Act.

3. Right to lodge a complaint with a supervisory authority

Furthermore you have the right to lodge a complaint with a supervisory authority. The Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, P.O. Box 1349, 91504 Ansbach, e-mail: poststelle@lda.bayern.de, telephone: +49 (0) 981 180093-0, is generally responsible for us.

Alternatively, you can approach the supervisory authority that is locally responsible for you.

Effective Date: January 2024

This Privacy Policy is subject to ongoing review and commercetools reserves the right to make changes at any time. Such changes will be published accordingly on this website.