Privacy Policy

I. General 

If you have any questions or concerns about data protection, you can contact our data protection officer or us as the controller at any time. 

1. Name and address of the controller

Controller within the meaning of the General Data Protection Regulation (GDPR): 

Chevron Services GmbH 

Wilhelm-Leuschner-Str. 9

63179 Obertshausen

Germany

Email: info@chevron.group


2. Name and address of the controller

If you have any questions about data protection, or if you would like to make an enquiry or receive further information about data processing at Chevron Services GmbH, please contact our data protection officer:


Email: datenschutz@chevron.group


3. Supervisory authority  

If you believe that Chevron Services GmbH has not processed your personal data properly, you have the right to contact a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement. The competent supervisory authority pursuant to Art. 55 GDPR is:


Hessian Commissioner for Data Protection and Freedom of Information

Postfach 3163

65021 Wiesbaden

Phone +49 611 1408 0

Email poststelle@datenschutz-hessen.de-mail.de


Contact and/or complaint form:

https://datenschutz.hessen.de/service/beschwerde-uebermitteln


II. General information on data processing

1.  General information on data processing and scope of application 

As a matter of principle, Chevron Services GmbH only processes your personal data with your consent and in order to provide content and services for a functioning website. Your personal data is processed when you create an account with us. This privacy policy applies to all pages of our online offering.

2. Definitions

a)  Definitions pursuant to Art. 4 GDPR: 

  • Personal data: 
    any information relating to an identified or identifiable natural person; A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Examples include contact details, communication data and billing information.
  • Processing: 
    any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or any other form of making available, alignment or combination, restriction, erasure or destruction of personal data and/or parts thereof.
  • Controller: 
    the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of Member States, the controller or the specific criteria for his or her nomination may be provided for by Union law or the law of Member States. 
  • Recipient: 
    a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not that person is a third party. 
  • Third party:
    a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or the processor, are authorised to process personal data.   
  • Profiling: 
    any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. 
  • Restriction of processing: 
    the marking of stored personal data with the aim of restricting its future processing. 

b)  "Need-to-know principle":

The principle that every data processing employee may only access those data sets and execute those programmes that are actually required for the performance of their respective tasks.   


3. Legal basis for the processing of your data 

The legal basis for the processing of your personal data is provided by Art. 6 para. 1 of the EU General Data Protection Regulation (GDPR).

a) In the event that the processing of your personal data is based on your consent, Art. 6 para. 1 lit. a GDPR.
b) If the processing of your personal data is necessary for the performance of a contract or for pre-contractual measures, Art. 6 para. 1 lit. b GDPR.
c) If the processing of your personal data is necessary for the performance of a contract or for pre-contractual measures, Art. 6 para. 1 lit. b GDPR.

d) Art. 6 para. 1 lit. c GDPR For the fulfilment of legal obligations on the part of Chevron Services GmbH Art. 6 para. 1 lit. c GDPR. 

e) In the event of processing to protect vital interests, Art. 6 para. 1 lit. d GDPR. 

f) For processing in the public interest, Art. 6 para. 1 lit. e GDPR. 

g) If the processing of personal data is necessary to safeguard the legitimate interests of Chevron Services GmbH or other third parties, and the interests, fundamental rights and freedoms of the data subjects do not override these interests, Art. 6 para. 1 lit. f GDPR.     


4. Categories of recipients

  • Employees of Chevron Services GmbH in accordance with the "need-to-know" principle.
  • Group companies of Chevron Services GmbH
  • Service providers and business partners of Chevron Services GmbH companies within the scope of the tasks assigned to them
  • Companies that are legal successors to Chevron Services GmbH and/or companies that acquire parts of the business of Chevron Services GmbH in the event of the sale of all or part of Chevron Services GmbH, its business operations or parts thereof.
  • Government agencies and courts: Personal data may be disclosed in connection with government requests, court orders or legal proceedings, if necessary for the prosecution or enforcement of legal claims. 


5. Description of the data and the purpose of processing 

The following personal data is processed:  

1. Technical device and access data 
such as device ID, operating system, user agent, IP address, referrer, geo-location data, etc.

Purpose:

    • To use the website and the services offered.
    • Provision of (customer) support services, regardless of the contact method chosen (email correspondence, telephone contact, etc.).
    • To protect Chevron Services GmbH and the rights of the data subject, the controller, the processor or affiliated third parties. Furthermore, the processing of personal data may be necessary to: (a) protect your and our safety and that of the public, and (b) protect and, if necessary, enforce your and our rights. 
    • To improve the services and functionality of the website.   
    • To comply with legal provisions, regulatory obligations or respond to requests from public authorities. 
    • For the purpose of marketing communications by Chevron Services GmbH, which are based exclusively on your voluntary consent or agreement to the corresponding processing of your personal data. Marketing communications include communication via email.  

​Legal basis: Art. 6 para. 1 lit. a, b, c, f GDPR

2. Partner information

such as advertising banners that you clicked on to reach us 
​​Purpose:

    • To use the website and the services offered. 
    • Provision of customer support services, regardless of the contact form chosen (email correspondence, telephone contact, etc.). 
    • To protect Chevron Services GmbH and the rights of the data subject, the controller, the processor or affiliated third parties. Furthermore, the processing of personal data may be necessary to: (a) protect your and our safety and that of the public, and (b) protect and, if necessary, enforce your and our rights.
    • To improve the services and functionality of the website. 
    • For the purpose of marketing communications by Chevron Services GmbH, which is based exclusively on your voluntary consent or agreement to the corresponding processing of your personal data. Marketing communications include communication via email.

Legal basis: Art. 6 para. 1 lit. a, b, c, f GDPR


6. Profiling and automated decision-making (Art. 22 GDPR) 

Chevron Services GmbH does not use profiling or automated decision-making on its website in accordance with Art. 22 GDPR. 


7. Duration of data storage and data deletion 

Chevron Services GmbH will delete your personal data as soon as the purpose for which it was collected no longer applies. The above-mentioned data is mandatory for the use and implementation of the website, as well as for the fulfilment of the General Terms and Conditions. However, it is conceivable that further storage may be required by European or national laws, regulations or other provisions to which Chevron Services GmbH is subject. Such data will only be deleted when the relevant storage periods specified in the aforementioned legal sources expire. The only exception to this is if the stored data is required for the fulfilment of a contract or for the conclusion of a contract. For example, storage periods of up to ten years are required by law for certain data due to tax regulations. 


The aforementioned data is also temporarily stored in internal log files for the purposes described above in order to compile statistical information about the use of our website, to further develop our website in line with the usage habits of our visitors (e.g. if the proportion of mobile devices used to access the site increases) and to maintain our website and for general administrative purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.


The log files are stored for 30 days and then archived after anonymisation by means of shortening, so that it is no longer possible to establish a reference to individual users.



8. Location of processing 

Your personal data will be processed by Chevron Services GmbH exclusively in data centres within the jurisdiction of the European Union. Our partners process personal data within the scope of fulfilling their contractual obligations to us at all times in accordance with the provisions of the GDPR in Germany and abroad. Even if personal data is processed outside the European Economic Area, it is ensured at all times that the processing of personal data by, for or on behalf of Chevron Services GmbH complies with the requirements of the GDPR. This applies in particular to the use of services based in third countries such as the USA (e.g. by providers such as Google).  When transferring personal data to recipients in third countries that do not offer an adequate level of data protection in accordance with the GDPR, we ensure that appropriate safeguards are in place to guarantee the security and confidentiality of your data.



9. Data transfer to third countries due to group structures 

When using the services of certain providers with whom we primarily cooperate via their branch in the European Union or the European Economic Area (EU/EEA), personal data may nevertheless be transferred to the respective parent company or other affiliated companies based in a third country. This is particularly relevant if the parent company is based in a country for which the European Commission has not issued an adequacy decision in accordance with Art. 45 GDPR. This means that the level of data protection in this third country may not meet the high standards within the EU.


Although our contractual partner and, where applicable, our processor is based in the EU/EEA, due to internal data flows within the group, the global technical infrastructure or possible legal obligations of the parent company in the third country, it cannot be ruled out that personal data may be transferred to or accessed from there.


In order to ensure the highest possible level of data protection for such data transfers, providers generally rely on appropriate safeguards in accordance with Art. 46 GDPR. In most cases, these are the standard contractual clauses (SCCs) approved by the EU Commission. Despite these contractual precautions, we would like to point out that residual risks cannot be completely ruled out. In particular, it is possible that authorities in the third country (e.g. security authorities) may gain access to the transferred data on the basis of local legislation without you having effective legal remedies available to you as in the EU.


We will inform you at the appropriate points in this privacy policy if we use services where such a situation exists. For detailed information on the specific guarantees and the associated risks for the respective service, please refer to the privacy policy of the relevant provider.



10. Use of cookies 

We use cookies and similar technologies on our website to improve the user experience, provide and analyse our services, and display personalised advertising. Cookies are small text files that are stored on your device and contain information about your use of our platform. 

a) Types of cookies and purposes of processing

  • Essential cookies: 
    These are necessary to ensure the basic functions of the website, such as navigation and access to secure areas. Without these cookies, the website cannot function properly. 
  • Functional cookies: 
    These enable us to store settings such as language or game preferences in order to provide you with a personalised experience. 
  • Analytics and performance cookies: 
    These help us understand how our users interact with the platform by collecting anonymised information. This allows us to continuously improve the performance and usability of our services. 
  • Advertising and marketing cookies: 
    These cookies are used to show you relevant advertising and measure the success of our marketing campaigns.


b) Legal basis for processing:

Essential cookies are processed on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, as they are necessary for the operation of the website.

For all other cookies, we ask for your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time via our cookie settings.


c) Cookie settings and withdrawal of consent: 

You can adjust your cookie settings at any time in our cookie banner or in your browser settings and withdraw your consent. Please note that disabling certain cookies may limit the functionality of the platform.



11. Contact form, email contact  

a) Description and scope of data processing

There is a contact form on the Chevron Services GmbH website. If you use this option to contact us, the data you enter in the input mask will be transmitted to Chevron Services GmbH and stored there. This initially includes your contact details (email address, first name and surname, telephone number) and your enquiry (subject and message). It also includes your IP address.

Alternatively, you can contact us via our email address. Here, too, the personal data transmitted with the email will be stored. 

In both cases, the data will not be passed on to third parties. The data will be used by Chevron Services GmbH exclusively for the purpose of dialogue.


b) Legal basis for data processing

The data sent via the contact form or by email will be stored and used for the purpose of processing the enquiry or for establishing contact and for the associated technical administration. The legal basis for the processing of this data is the legitimate interest of Chevron Services GmbH pursuant to Art. 6 para. 1 lit. f GDPR in being able to respond to enquiries and the consent given prior to submitting the contact form pursuant to Art. 6 para. 1 lit. a GDPR.

If the purpose of the contact is to conclude a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR.


c) Purpose of data processing

The purpose of both the contact form and the use of the email address is to provide visitors or interested parties with a simple and convenient way to contact Chevron Services GmbH directly. The initial aim is to answer questions or, if necessary, to initiate pre-contractual measures.


d) Duration of storage

Once the dialogue has ended, i.e. when it is clear to both parties that there is no further need for clarification and the purpose of the collection has been achieved, the data will be deleted. The data will only be deleted if this is prevented by statutory retention periods. 


e) Right of revocation, objection and deletion

The user can revoke their consent to the processing of their data at any time. They can also use the contact form or email address for this purpose. In this case, the dialogue will be terminated immediately.



12. Group companies 

All personal data processed will also be made available to other companies within the Chevron Group. Group companies to which personal data may be transferred are:

  • Chevron Consultants Germany GmbH & Co. KG.
  • Chevron Verwaltungs GmbH
  • Chevron Data & IT Compliance GmbH
  • CCM Limited 
  • ECCG GmbH


a)  Description and scope of data processing 

All data processed when visiting the website, subscribing to the newsletter, etc., and specified in this privacy policy, is also available to other companies within the Chevron Group for the purposes described below. 


b) Legal basis for data processing

Firstly, this data processing is carried out on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and Art. 6 para. 1 lit. b GDPR for the fulfilment of the contract concluded with you. Furthermore, Chevron Services GmbH has a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in being able to offer you our services in full, on an ongoing basis and in line with the latest trends, which constitutes the legal basis for data processing.


c) Purpose of data processing

The website itself and the games and other services implemented are provided through cooperation between Chevron Services GmbH and other companies in the group, such as Chevron Services GmbH. This requires that all personal data and, for example, data collected by cookies, be available to all companies at all times in all group companies. This is the only way to carry out necessary work, e.g. on the programming code of the website, and to coordinate it so that it functions smoothly. For example, information about how many visitors are active on our website at what time is relevant for Chevron Services GmbH in order to be able to make adjustments to the current server capacities if necessary. Furthermore, information such as the type of browser website visitors prefer to use to access our offers is also important so that the relevant employees can make programming adjustments in the event of upcoming browser updates.   


d) Duration of storage

As soon as data stored by Chevron Services GmbH is to be deleted, the corresponding data stored by other group companies will also be irretrievably deleted. 


e) Right of revocation, objection and erasure

In the case of personal data processed in connection with Art. 6 (1) lit. a GDPR and thus on the basis of the consent of the data subject, revocation is sufficient to prohibit further processing. In the case of data processed in connection with the conclusion of a contract, termination of the usage agreement concluded with Chevron Services GmbH is required to end data processing. In order to terminate the processing of data carried out in connection with Art. 6 para. 1 lit. f GDPR on the basis of a legitimate interest of the controller, an objection by the website visitor with future effect is required.


III. Information on the necessary data processing and transfer

Analysis & Tracking

1. Google Analytics 

a) Description and scope of data processing 
Chevron Services GmbH uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables us to analyse user behaviour on our websites and thereby optimise our offering. Cookies are stored on the user's device, which enable an analysis of the user's use of the website. The information generated by the cookie about the use of the website (including the user's abbreviated IP address) is usually transferred to a Google server in the USA and stored there.

We use Google Analytics exclusively with activated IP anonymisation ("anonymizeIp()" function). This means that the IP address of users within the member states of the European Union or in other states party to the Agreement on the European Economic Area is shortened before being transferred to the USA in order to exclude direct personal references. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.

The following data is processed in particular within the scope of Google Analytics:

  • IP address (anonymised)
  • Usage data (e.g. pages visited, interactions, length of stay)
  • Technical information (e.g. browser type, operating system)
  • Referrer URL (previously visited page)
  • Location data (based on the anonymised IP address)
  • Google Analytics uses this information on our behalf to evaluate the use of the website, compile reports on website activity and provide other services related to website activity and internet usage to Chevron Services GmbH. 

The data will not be passed on to other third parties unless there is a legal obligation to do so.


b) Legal basis for data processing 
The legal basis for the use of Google Analytics is the consent of the user in accordance with Art. 6 para. 1 lit. a) GDPR. This consent is obtained and logged via the cookie banner integrated on the websites.

c) Purpose of data processing 
The processing of users' personal data by Google Analytics serves to analyse user behaviour and optimise our websites. This enables us to make our content more user-friendly and better tailor our offers to the needs of our customers and website visitors.


d) Duration of storage 
The data stored by Google Analytics is anonymised and automatically deleted after 14 months at the latest. Further information on the storage period can be found in the Google Analytics privacy policy.


e) Right of revocation, objection and erasure 
Users can revoke their consent to the use of Google Analytics at any time with future effect by adjusting the cookie settings on our website accordingly or by downloading and installing the browser add-on to deactivate Google Analytics.


Alternatively, the storage of cookies can be prevented by adjusting the browser software settings accordingly. In this case, however, not all functions of the website may be fully usable.


Server & backend services 

2. Websitehosting 

a) Description and scope of data processing

Our website is operated on the infrastructure of Odoo S.A. Odoo is an integrated enterprise resource planning (ERP) system which, in our case, also provides web hosting and cookie consent management functions.


The website is managed by DIXMIT Consulting, S.L.U., based in Barcelona, Avinguda Roma 139, 2º 1ª (08011), Spain. It hosts the website on the servers of Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. Each time you visit our website, data that is technically necessary for the delivery of the website and to ensure security is automatically processed on Hetzner's servers. This includes:

  • Server log files: 
    Each time you visit our website, the Odoo hosting system automatically collects information that your browser transmits. This typically includes:
    • Your IP address
    • Date and time of the request
    • Page accessed (request line)
    • Amount of data transferred
    • Browser type and version
    • Operating system
    • Referrer URL (the previously visited page)
    • HTTP status code (e.g. "200 OK") 
  • Cookie consent management: 
    We use the cookie consent tool integrated into Odoo to query, manage and document your preferences regarding the use of cookies. This tool sets a technically necessary cookie to store your selection (consent or rejection) for future visits. Your consent status, the time of your decision and an anonymous or pseudonymous identifier are processed. A detailed description of how this works can be found in the section on the "Cookie consent tool".

The recipient of the data processed within the scope of hosting is our technical service provider and processor:


DIXMIT Consulting, S.L.U.

Avinguda Roma 139, 2º 1ª (08011)

Barcelona

Spain


Through this provider, we obtain the services of Odoo S.A., Chaussée de Namur 40, 1367 Grand-Rosière, Belgium, which is why we cannot rule out that Odoo S.A. may also process your data.


b) Legal basis for data processing

The processing of server log files is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is to ensure the secure and functional operation of our website, to defend against attacks and to deliver the content correctly.

The processing of data by the cookie consent tool and the setting of the necessary cookies is carried out to fulfil a legal obligation in accordance with Art. 6 para. 1 lit. c) GDPR. We are legally obliged to be able to prove your consent to the use of certain technologies.


c) Purpose of data processing

The purpose of data processing within the scope of hosting is:

  • The reliable delivery and presentation of the content of our website.
  • Ensuring network and information security (e.g. defence against cyber attacks such as DDoS attacks).
  • The detection and rectification of technical faults.
  • The creation of anonymised access statistics.

This data is not merged with other data sources or evaluated for marketing purposes.


d) Duration of storage 

Server log files are stored for security reasons (e.g. to investigate misuse or fraud) for a period of usually 7 to 14 days and then automatically deleted or anonymised. Longer storage may occur in individual cases if this is necessary to pursue legal claims or to investigate a specific security incident.

Please refer to the relevant section of this privacy policy for the storage period of the data collected by the cookie consent tool and our Cookie Policy.


e) Right of revocation, objection and erasure 

To exercise your rights, please contact our data protection mailbox. However, please note the following restrictions on your rights:

  • No right of revocation or objection if data processing is necessary to ensure IT operational security or to comply with legal requirements (Art. 6 para. 1 lit. b) and c) GDPR).
  • Restricted right to erasure if statutory retention obligations (e.g. under commercial or tax law) prevent immediate erasure or if system logs are necessary for a defined period of time.


3. Google Fonts

a) Description and scope of data processing

Chevron Services GmbH uses external fonts from the Google Fonts service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") on our website. Google Fonts enables us to display fonts on our website in a uniform manner, regardless of the user's device.

In order to display the fonts correctly, the user's browser loads the required fonts directly from Google's servers. This establishes a connection between the browser you are using and Google's servers. In this context, personal data may be transferred, in particular:

  • Your IP address
  • Technical information about the browser type and version used
  • Your operating system
  • Date and time of access

The fonts are usually integrated via the Google Fonts API. According to our information, Google does not store this data permanently and does not use it for any purpose other than to deliver the fonts. Further information on data processing by Google can be found in Google's privacy policy.

When using Google Fonts, Google acts as an independent controller in accordance with Art. 4 No. 7 GDPR. To the best of our knowledge, there is no order processing within the meaning of Art. 28 GDPR.


Since Google operates servers worldwide, it cannot be ruled out that data may also be transferred to countries outside the EU/EEA. Google relies on appropriate safeguards in accordance with Art. 46 GDPR for such international data transfers, in particular on the standard contractual clauses of the EU Commission.


b) Legal basis for data processing

The legal basis for the integration of Google Fonts is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the technically secure, appealing and uniform presentation of fonts and the optimisation of the loading times of our website. In our view, there are no conflicting interests of the data subjects, in particular as the data collection is limited to a minimum and is primarily limited to technical information.


c) Purpose of data processing

The purpose of integrating Google Fonts is to ensure the uniform display of fonts on our website. This contributes to the user-friendliness, consistency and better loading performance of the website, as many users already have Google fonts stored in their browser cache.


d) Duration of storage

We ourselves do not store any personal data in connection with the use of Google Fonts. Whether and to what extent Google stores the transmitted data is beyond our control. According to , Google does not log or evaluate requests to the Google Fonts API on a personal basis.


e) Special information on rights in connection with Google Fonts

For information on your rights as a data subject (e.g. information, correction, deletion, restriction, objection), please refer to the chapter on data subject rights in this privacy policy.

The following applies in connection with Google Fonts: 

Right to object (Art. 21 GDPR): You have the right to object at any time to the processing of personal data concerning you that is based on Art. 6 para. 1 lit. f) GDPR. However, we would like to point out that Google Fonts would not be usable or only usable to a limited extent without a connection to Google's servers, and that this may result in technical restrictions when visiting our website.



Social Media

1. Integration of social media functions 

a) Description and scope of data processing

We use functions from various social networks on our website to make it easier for you to share content and to increase our online presence. This applies to plugins and functions from the following providers:


LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland

When you visit a page on our website that contains a feature of these social networks (e.g. LinkedIn button/plugin), your browser establishes a direct connection to the servers of the respective provider. This provides the provider with the information that you have visited our site with your IP address. Personal data such as your IP address, the URL accessed, browser information, the time of access and, if applicable, further technical information may be transmitted to the respective provider. This happens regardless of whether you are logged in to the respective network or even have an account there, and also without you actively clicking on a button.


If you are logged into your social network account while visiting our website, the respective provider can assign your visit to our pages directly to your personal profile. If you actively interact with the plugins (e.g. by clicking the "Share" or "Like" button), this information is also transmitted to the provider, stored there and, if applicable, displayed in your profile.

b) Legal basis for data processing  

The processing of your data in connection with the use of these social media functions is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You give this consent via our cookie consent tool when you visit our website. You can revoke your consent at any time with effect for the future by adjusting the cookie settings on our website.


c) Purpose of data processing

The main purpose of integrating these functions is to provide you with an easy way to share content from our website via social networks and thus increase the visibility of our content. The aforementioned providers also use the collected data for their own purposes, such as analysing user behaviour, improving their services, market research and displaying personalised advertising.


d) Duration of storage

The data collected by the social media plugins is stored and processed by the respective providers in accordance with their own privacy policies. We have no influence on the specific storage period. This depends on the policies of the respective provider and, if applicable, on your personal privacy settings in your user account with the service. Further information can be found directly in the privacy policies of the providers. 


e) Right of revocation, objection and deletion

You can revoke your consent to the use of social media functions granted via our cookie consent tool at any time with future effect. To prevent your visit to our website from being directly linked to your social media profile, please log out of your respective accounts (Facebook, Instagram, LinkedIn, Twitter/X) before visiting our website. 

In addition, you have the option of managing the collection and use of data by the providers via the privacy settings in your respective user accounts and, if necessary, objecting to this: 

​LinkedIn: Settings and information at https://www.linkedin.com/legal/privacy-policy 

Please refer to the respective privacy policies of the providers for detailed information on data processing and your rights. 



Google Maps

a) Description and scope of data processing
Our website uses Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Google Analytics uses cookies that are stored on your device and enable an analysis of your use of our website. The information generated by the cookies about your use of our website, such as your IP address, is transmitted to Google and stored on servers in the USA. By using Google Analytics, Google will receive information about how you used our website. This includes, among other things, data such as: 

  • The website from which you accessed our site (referrer URL) 
  • The pages of our website that you have accessed, 
  • The date and time of access, 
  • Your IP address.


b)  Legal basis for data processing 
The legal basis for the processing of data by Google Analytics is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You give this consent via our cookie consent tool and can revoke it at any time with effect for the future. 


c) Purpose of data processing
The purpose of data processing is to analyse user behaviour on our website in order to improve our website and optimise the user experience. Google Analytics helps us to collect information about the use of our site in order to tailor content and optimise our marketing activities.

d) Duration of storage
​The data collected by Google Analytics is stored in accordance with Google's privacy policy. The stored data may be retained for a period of up to 14 months. The exact duration depends on the settings you have made, which you can manage in your Google account.

e) Right to withdraw consent, object and erasure
​You can prevent Google Analytics from collecting data by disabling the relevant cookies in the cookie settings on our website. You can also prevent cookies from being stored by adjusting your browser software settings. You can also download and install the Google Analytics Opt-Out Browser Add-On to prevent Google Analytics from collecting data on all websites. For more information about data protection at Google Analytics, please refer to the Google Privacy Policy.


Cloud Service

1. Microsoft SharePoint 
a)  Description and scope of data processing 
​Chevron Services GmbH uses Microsoft SharePoint Online as part of the Microsoft 365 cloud platform. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, or Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft").


We use SharePoint Online for the storage, management and joint editing of documents and files, as well as a central storage location for company data. This includes documents of various types, which may also contain personal data of employees, customers or business partners (e.g. project documents, reports, internal documentation).


As part of the provision of SharePoint Online, Microsoft processes data on behalf of Chevron Services GmbH as a processor in accordance with Art. 28 GDPR. This includes:

  • Storage and processing of content data: The documents, files and other content uploaded, created or edited by us in SharePoint Online are stored and processed on the Microsoft Cloud infrastructure to enable the functions of SharePoint (e.g. display, editing, search, sharing). In accordance with the provisions of the Microsoft Online Services Terms (OST), Microsoft does not access this content data for its own purposes, but processes it exclusively for the provision of the service in accordance with our instructions. 
  • Processing of operational and diagnostic data: Microsoft processes technical data about the use of the service to ensure its security, stability and performance (e.g. login information, access logs – if configured by us – performance data, diagnostic data).

Chevron Services GmbH remains responsible for the legality of the collection and processing of the content data stored in SharePoint Online. 

The primary storage location for our SharePoint Online data is usually in data centres within the European Union (EU) or the European Economic Area (EEA), in accordance with the configuration of our Microsoft 365 tenant. As Microsoft is a global US company, data may be accessed or processed outside the EU/EEA in certain circumstances (e.g. for support purposes or to provide certain global services). In such cases, appropriate safeguards are ensured in accordance with Art. 46 GDPR, in particular through the use of Standard Contractual Clauses (SCCs). Microsoft is also certified under the EU-U.S. Data Privacy Framework.

b)  Legal basis for data processing  
The legal basis for the storage and processing of specific documents by Chevron Services GmbH within SharePoint Online depends on the content and purpose of the respective document (e.g. fulfilment of a contract with the data subject, fulfilment of legal obligations, protection of legitimate interests, consent, employee data protection) and is described elsewhere in this privacy policy, if applicable.

c) Purpose of data processing
The purpose of data processing by Microsoft is to provide the SharePoint Online cloud platform, which enables Chevron Services GmbH to centrally store, manage, search, jointly edit and share documents and data in accordance with the permissions specified by Chevron Services GmbH. The processing of operational data also serves to ensure the operation, security and reliability of the service.

d) Duration of storage
The storage of content data stored by Chevron Services GmbH in SharePoint Online is governed by the retention and deletion policies set by Chevron Services GmbH, which can be configured within SharePoint Online (e.g. via retention labels or manual deletion). Microsoft stores this data in accordance with our instructions for the duration of our subscription. Items deleted by us or our users are first moved to a recycle bin by the system and then permanently deleted after a specified period (in accordance with Microsoft standards or our configuration). Operational data is stored and deleted by Microsoft in accordance with its internal policies. 

e) Right of withdrawal, objection and erasure 
Data subjects whose personal data is contained in documents or files stored by Chevron Services GmbH in SharePoint Online must assert their rights directly against Chevron Services GmbH as the responsible party.

  • There is no right of withdrawal vis-à-vis Microsoft pursuant to Art. 7 (3) GDPR, as the processing for the provision of services is not based on consent given to Microsoft. Any right of withdrawal with regard to processing by Chevron Services GmbH itself (e.g. withdrawal of consent that led to the storage of a document) is explained in the description of the respective processing by Chevron Services GmbH and must be exercised there.
  • There is no right to object pursuant to Art. 21 GDPR to the core processing by Microsoft for the provision of the SharePoint service (based on Art. 6 para. 1 lit. b) GDPR). Any objection to the processing of specific data by Chevron Services GmbH within SharePoint's " " is explained in the description of the respective processing by Chevron Services GmbH and must be asserted there.
  • The right to erasure pursuant to Art. 17 GDPR must be asserted against Chevron Services GmbH. Chevron Services GmbH is responsible for arranging the erasure of the data within SharePoint Online (e.g. by deleting documents or folders). Restrictions may arise from the requirements of contract performance or statutory retention obligations.

Chevron Services GmbH is your primary point of contact for exercising all data subject rights. We use the tools provided by SharePoint Online to respond to your requests.  


IV. Information on the necessary data processing and transfer

1.Your rights as a data subject

a) Right to information (Art. 15 GDPR)

You have the right to be informed whether and which personal data we process about you. In accordance with the GDPR, we will provide you with a summary of your personal data upon request. In accordance with the GDPR, we have a period of 30 days to respond to your request for information.

b) Right to rectification (Art. 16 GDPR)

If you inform us that the data we have processed about you is incorrect or incomplete, we will amend it immediately after positive verification.   

c)  Right to erasure (Art. 17 GDPR) 
We will delete personal data immediately upon request, provided that none of the reasons specified in Art. 17 GDPR prevent this. Deletion can only ever be carried out for the future.  

d) Right to restriction of processing (Art. 18 GDPR) 

If you wish, we will restrict the processing of your data if one of the conditions specified in this provision is met.   

e) Right to notification (Art. 19 GDPR)

We will inform recipients (e.g. order data processors) of personal data of any requests we receive to correct, restrict or delete your personal data.

f) Right to data portability (Art. 20 GDPR)

Upon request, we will provide your data in a commonly used, machine-readable format and transfer your personal data to another controller upon request.

g) Right to object (Art. 21 GDPR)

You may also object to the processing of personal data concerning you if it is based on certain legal grounds (e.g. Art. 6 para. 1 lit. e or f GDPR), provided that there are reasons for this within the meaning of this provision.

h) Right to withdraw consent (Art. 7 GDPR)

You have the right to withdraw your consent at any time in accordance with Art. 6 para. 1 lit. a GDPR with effect for the future. 


i) Right in the case of automated decision-making (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling. 


j) Right to lodge a complaint with supervisory authorities (Art. 77 GDPR)

If you believe that the processing of your data violates the provisions of the GDPR or that your data protection rights have been violated in any other way, you can contact your competent data protection authority (see point I 3 above) or another supervisory authority at any time. An overview of the supervisory authorities in the Federal Republic of Germany can be found at:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html 


To exercise these rights, please contact our data protection mailbox.


V. Changes to this privacy policy


This privacy policy may be amended due to new legal requirements. Chevron Services GmbH therefore recommends that users review this privacy policy regularly for any changes and/or additions.