Privacy Policy

We are committed to safeguard your privacy.

We are very pleased about your interest in Cammio. With this Privacy Policy, we aim to inform you about how, why and to what extent we process personal data, and what your rights are as a Data Subject. Personal data comprises all information that relates to an identified or identifiable natural person (Art. 4 para. 1 GDPR). This includes information such as your name, email address, postal address, or telephone number. Information that is not directly associated with your identity, e.g. the number of users of an website, does not fall within this scope. 

 

1. Data Controller

Unless otherwise stated in this Privacy Policy, the Data Controller in accordance with Art. 4 no. 7 GDPR is Cammio GmbH, Alexanderstraße 1-5, 10178 Berlin, Germany, Phone: +49 (0)30 2150 2890, E-Mail: info@cammio.com (hereinafter also “we” or “us”). 

 

2. Contact details of the data protection officer

The contact details of our data protection officer are as follows:
Cammio GmbH, Völklinger Straße 1, 40219 Düsseldorf, who can be contacted by phone on +49 (0) 211 93493-0 and by e-mail at datenschutz@stepstone.delegal@stepstone.de. 

 

3. Accessing the website

With each access to our website, we automatically collect data and information from the accessing device and store this data and information in the log files of the server. The data that is automatically collected and processed may include:  

| Information about the end device accessing the site and the software uses|
| Date and time of the access
| Websites from which the user has accessed our website or which the user accesses through our website
| IP address

This IP address must be stored for technical reasons, even if only temporarily, in order to enable the website to be downloaded to the user’s end device. The legal basis for data processing is provided by Art. 6 para. 1 point b GDPR. Our servers also store your IP address for up to 14 days for internal security purposes (Art. 6 para. 1 point f GDPR). 

 

4. Newsletters and news about similar services

If you have subscribed to one of our notification services or newsletters, we will use your e-mail address to send you the newsletter that you have subscribed to. The legal basis for data processing is provided by Art. 6 para. 1 point a GDPR. You can withdraw your consent at any time with future effect or unsubscribe from the subscribed newsletter, for example by clicking on the unsubscribe link provided for this purpose in each newsletter. 

 

5. Contact initiated by you

When you contact us, for example using one of our contact forms or e-mail addresses, the data that you provide (your e-mail address, possibly your name and your telephone number) will be processed by us for the purpose of responding to your enquiry. We will delete data collected in this connection once it is no longer required for the aforementioned purpose, unless the deletion of this data would contravene statutory retention obligations. The legal basis for data processing is provided by Art. 6 para. 1 sentence 1 point f GDPR. 

 

6. Involvement of data processors for hosting and platform safety

We use data processors, which we list below, to provide our services. The legal basis for using these data processors is a legitimate interest under Art. 6 para. 1 point f GDPR. The legitimate interest lies in the execution of our business activities, particularly to provide the services described elsewhere in this Privacy Policy. No conflicting interest is apparent because we have entered into a data processing agreement with the respective data processors under Art. 28 GDPR. 

6.1 Hosting 

We use data processors to host our platforms and for back-up services, meaning that personal data that is stored on our platforms is transferred to these data processors. These data processors are Cammio B.V., Spui 1 (3e verdieping), 2511 BL Den Haag, Netherlands (EU) and Amazon Webservices, Inc., 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA (the data is processed exclusively in the EU). These data processors will store the data for the same duration as it is stored on our platforms for the various purposes defined in this Data Protection Policy. (Personal) data is stored exclusively in the German data centre in Frankfurt am Main, which is operated by Amazon Webservices. The storage service and administration services are provided to us by Cammio B.V., an affiliated company of Cammio GmbH within the meaning of Art. 15 et seq. German Stock Corporation Act (AktG) with its registered office in Den Haag, Netherlands (EU). Cammio B.V. and Amazon Webservices, Inc. have entered into the standard contractual clauses of the European Commission and have also agreed warranties that guarantee the safety of the data. The AWS Key Management System (KMS) – an encryption and key management service provided by AWS – and AES-256 encryption are used to protect the content stored in the AWS data centre. Consequently, the stored data can be accessed solely by Cammio GmbH and Cammio B.V., which performs the administration of the data using VPN and multi-factor authentication. 

6.2 Proxy caching and web application firewall 

We use Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany as a data processor for the purposes of proxy caching and for a web application firewall. That means that any visit to our websites is routed through the servers of Akamai, meaning that the user will not be connected directly to our servers but to those of Akamai and Akamai will then request the content from our servers and will deliver it to the user. Proxy caching in this context means that Akamai will cache selected content (but not personal data) for a period of 24 hours, so that this can be delivered faster to you. The web application firewall means that Akamai will try to identify malicious web traffic and will prevent it from accessing our websites. Akamai Technologies GmbH may commission Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA with the handling of certain services as a subcontractor. In this case, processing by Akamai Technologies, Inc is performed in the USA and thus in a country outside the EU and the EEA. This transfer is permitted under Art. 46 para. 2 point c GDPR because the standard contractual clauses of the European Union have been agreed with Akamai Technologies, Inc., the wording of which can be accessed via the following link https://www.akamai.com/de/de/multimedia/documents/akamai/akamai-pre-signed-eu-standard-contractual-clauses.pdf. With respect to Akamai, the additional legitimate interest in the context of the legal basis is that we thereby are also implementing technical and organisational measures to protect our platforms and the personal data stored on them. 

Processing by Akamai Technologies, Inc. only takes place if Akamai Technologies GmbH identifies the web traffic created by you as being harmful or malicious. If you are in a European country when accessing our website, your traffic will also be analysed in Germany and always routed via German servers. If your activity on our website is flagged as “malicious” or “suspicious”, this activity will be forwarded to the Akamai servers in the USA and processed there for further analysis. The personal data used comprises the IP address, which is also processed to further assess whether similar activities are occurring elsewhere that could indicate a security incident. The log files concerning these activities are stored in the USA. If no “malicious” or at least suspicious activity is apparent, no connection details are processed in the USA.  

 

7. Cammio client account, use of the system 

In order for certain content, such as the content of the video interviews of our clients’ applicants, to be made available, the client is required to log on using an existing user account. This user account is set up for the client so they can access application videos or record and manage their own questions. The data collected on account creation is processed in order to perform the contract between us and the client. The legal basis for the processing of the data is Art. 6 para. 1 point b GDPR.  

Cammio processes personal data on behalf of the client within the meaning of Art. 28 GDPR in conjunction with the use of the system or the client account. The client is therefore the Data Controller within the meaning of Art. 4 point 7 GDPR. A corresponding data processing agreement is in place between the client and Cammio. 

In this context, Cammio processes such personal data of the respective client or its employees as was provided by them, as well as the respective contractually agreed or offered services. On each use and on each access to the client account, Cammio collects the user’s name and company ID (i.e. the name of this client on the basis of a specific user’s affiliation to a given Cammio client) to prevent improper use and as a result both to guarantee orderly billing procedures and also to ensure and be able to verify that the client account or system and the contractual services are functioning correctly at any time. Collection and storage is also performed in the context of fulfilling our client support tasks in order to be able to resolve any issues that may arise. 

If the client is a natural person, the legal basis is that the processing is required for the performance of a contract or for the performance of pre-contractual measures pursuant to Art. 6 para. 1 point 1 b GDPR. If we process personal data of the client’s employees/applicants, the legal basis is a legitimate interest pursuant to Art. 6 1 para. point 1 f GDPR. The legitimate interest lies in the conduct of our business and that of the client. There is no conflicting interest of the data subject because, from the point of view of our client, we are required to perform the processing in the context of the existing employment relationship with the data subject (section 26 revised German Data Protection Act (BDSG)). Personal data will be stored for this purpose for the term of the contract for the use of the Cammio system.  

 

8. Transmission of Data

Unless otherwise stated in this Privacy Policy, we will only transmit your personal data to third parties if transmission is required to comply with our contractual obligations to you and this evidently needs to be done through or jointly with another provider, if we are permitted or required by law to transmit the data on other grounds, or if you have provided us with the relevant consent.

 

9. Facebook Fan Pages

At the following links we use Facebook Fanpages, for which we are joint controllers with Facebook Ireland Limited: https://de-de.facebook.com/login/?next=https%3A%2F%2Fde-de.facebook.com%2FCammioVideoRecruitment%2F. 

As joint controllers with Facebook, we analyse how you use our Fanpage (Page Insights). The information required under the GDPR regarding data processing in relation to Page Insights is obtained from Facebook; it is currently available in Facebook’s Data Policy at https://www.facebook.com/legal/terms/information_about_page_insights_data. 

Facebook also provides the relevant content of the contract concluded between Facebook and us on processing under joint controllership pursuant to Art. 26 GDPR; this is currently available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum. You may exercise your right of complaint to any Supervisory Authority that is competent to rule for you and seek legal remedy through them. 

Under the GDPR, you are entitled to object to the processing of your data. The Facebook Privacy Policies linked above provide more information on these and other rights of Data Subjects. 

For Page Insights on our Facebook Fanpages, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland serves as the joint point of contact and will handle all requests for the exercise of Data Subject rights. 

In relation to Page Insights, we only receive anonymised statistics. We have no access to personal data processed by Facebook. Anonymised data is processed by us on the basis of statutory provisions that allow us to process personal data because we have an overriding legitimate interest in obtaining a better understanding of the interests of visitors to our Fanpages (Art. 6 para. 1 point f GDPR). 

On the Fanpages, Facebook offers various community functions which enable you to interact with other users, for example by making posts, leaving comments or liking or sharing posts. Please note that these areas are publicly accessible and any personal information that you post or provide while logged in can be seen by others. We have no control over how other Fanpage users use this information. In particular, we cannot stop unwanted messages being sent to you. 

 

10. Storage Duration

We will only process personal data as long as it is necessary for the relevant purpose stated above. Personal data will then be deleted unless data erasure is prohibited by a statutory retention period. 

 

11. Your application with Cammio

When you submit an application via Cammio, we process your personal data in the context of your application as follows: 

Purpose and legal basis of the processing 

We process personal data concerning you for the purpose of your application for an employment relationship provided that this is necessary in order to make a decision regarding the establishment of such an employment relationship. The legal basis for this is Art. 88 GDPR in conjunction with section 26 para. 1, para. 8 point 2 BDSG (new version). 

In the event that an employment relationship is established between you and us, under section 26 (1) BDSG (new version) we may process the personal data already received from you for the purpose of such an employment relationship if necessary for the performance or termination of such employment relationship or for exercising or fulfilling the rights and obligations of the workforce representation or employees resulting from a law or a collective agreement. 

Categories of personal data that are processed 

We process data related to your application. This may include general information about you (such as your name, address and contact details), information about your professional qualifications and schooling or information about professional development or other information you provide to us in connection with your application, in particular the application video transferred by you. Additionally, we may process your publicly available, job-related information, such as profiles in professional social media networks, insofar as this is required in the context of the decision on whether to enter into an employment relationship with you. 

Categories of recipients of the data 

We may transfer your personal data to companies affiliated with us, insofar as this is permissible within the scope of the purposes and legal bases set out above because it is possible that you may likewise work for these companies within the scope of your employment relationship. Additionally, personal data may be processed on our behalf on the basis of contracts under Art. 28 GDPR, specifically by providers of the applicant management systems deployed. 

Within the company, access to your data is provided to such points as require this to fulfil the contractual, statutory and supervisory obligations as well as to take account of legitimate interests, e.g. HR department, competent department, management. 

Is a transfer to a third country intended?

We do not intend to transfer to a third country. 

Storage duration of your data 

We store your personal data for as long as it is necessary to make a decision about your application. If we do not hire you, we may also continue to store your data if necessary to defend against possible legal claims. The application documents will be deleted two (2) months after announcement of the rejection decision, unless storage for a longer period is necessary due to legal disputes, or another legal basis applies to this, for example because you have given your consent that we may retain your application for consideration for other jobs.

 

12. Contact Details and your Rights as a Data Subject

Should you have any queries or comments on data protection and privacy or wish to exercise your rights as a Data Subject, please contact our Data Protection Officer at any time: 

Cammio GmbH
Data Privacy
Alexanderstraße 1-5
10178 Berlin
Germany
E-mail-adress: datenschutz@stepstone.delegal@stepstone.de 

Where data is processed in relation to Page Insights on our Facebook Fanpages (https://de-de.facebook.com/login/?next=https%3A%2F%2Fde-de.facebook.com%2FCammioVideoRecruitment%2F), Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland serves as the joint point of contact and will handle all requests for the exercise of the specified rights. 

Information and Rectification 

You can receive information at any time and at no charge about whether we are processing personal data related to you and also about which information we are specifically storing about you. You are also entitled to receive a copy of the stored information. You can also have errors in your data corrected and missing information completed. 

Erasure, Restriction of processing and “Right to be forgotten” 

You can request that your data be erased and its processing restricted. Where erasure of your personal data is prohibited by statutory retention obligations, your data will be marked with the aim of restricting its future processing. 

Data Portability 

Where applicable, you also have the right to have your personal data transmitted to you or to another Data Controller in a structured, standardised and machine-readable format, as long as processing is performed on the basis of consent or contract using automated procedures. This does not apply, however, where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. You also have the right to have the personal data transmitted directly from one Data Controller to another, provided that it is technically feasible to do so and does not infringe upon the rights and freedoms of other persons. 

Withdrawal of Consent, Objecting to processing 

You can withdraw your previously-given consent at any time with future effect by contacting the aforementioned address. 

Moreover, you have the right to object to the processing of your personal data at any time (where such processing is based on a legitimate interest) for reasons arising from your particular circumstances. This also applies to profiling activities based on these provisions. If such an objection is received, we will cease to process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, of if the processing is for the establishment, exercise or defence of legal claims. 

If we are processing personal data for the purpose of direct marketing, you have the right to object to the processing of your personal data at any time for the purpose of such marketing by contacting the aforementioned address. This also applies to profiling insofar as it is connected with such direct marketing. You also have the right to file an objection for reasons arising from your particular circumstances against processing of your personal data that we are engaged in for scientific, historical research or statistical purposes, unless such processing is required to perform a task that is in the public interest. 

Right of Complaint 

You also have the right to submit a complaint to the competent supervisory authority and to seek legal remedies. The supervisory authority with whom the complaint was lodged will notify the complainant about the status and result of their complaint, including the option of seeking a judicial remedy. The competent supervisory authority for us is the Berlin Commissioner for Data Protection and Freedom of Information, https://www.datenschutz-berlin.de/. 

 

Last revised: November 16, 2021