data protection declaration

Thank you very much for your interest in our company. The management of Kopf Holding GmbH particularly values your privacy.

The personal data of a data subject, such as name, address, email address or telephone number, is processed in accordance with the General Data Protection Regulation and the country-specific data protection provisions applicable to Kopf Holding GmbH. This Privacy Notice serves the purpose of informing the public about the type, scope and purpose of the personal data collected, used and processed by our company. By means of this Privacy Notice, data subjects will furthermore be informed about their rights.

Kopf Holding GmbH in its capacity as the data controller has implemented numerous technical and organisational measures to ensure that the personal data processed via this app is protected to the fullest extent possible. However, it is not possible to guarantee absolute protection. For this reason, data subjects may also provide personal data through alternative means, e.g. by telephone.

1. Definitions

The Privacy Notice of Kopf Holding GmbH uses the terms defined in the General Data Protection Regulation (GDPR). Our Privacy Notice is to be read and understood easily for the public as well as our customers and business partners. In order to ensure this, we would like to explain the terms used beforehand.

We use inter alia the following terms in this Privacy Notice:

a) Personal Data

Personal Data means all information relating to an identified or identifiable natural person (hereinafter referred to as "Data Subject"). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data Subject

Data Subject means every identified or identifiable natural person whose Personal Data is processed by the data controller.

c) Processing

Processing means any operation or set of operations which is performed involving Personal Data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other form of provision, reconciliation or linking, restriction, erasure or destruction.

d) Restriction of Processing

Restriction of Processing means that stored Personal Data is marked to restrict any future Processing.

e) Profiling

Profiling means any form of automated Processing of Personal Data which consists in using such Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning work performance, financial situation, health, personal preferences, interests, reliability, conduct, abode or change of location of this natural person.

f) Pseudonymisation

Pseudonymisation means the Processing of Personal Data in a way which ensures that the Personal Data can no longer be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures which ensure that the Personal Data is not linked to an identified or identifiable natural person.

g) Controller or Data Controller

Controller or Data Controller means the natural or legal person, public authority, agency or other body who/which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Data Processor

Data Processor means a natural or legal person, public authority, agency or other body who/which processes Personal Data on behalf of the Controller.

i) Recipient

Recipient means a natural or legal person, public authority, agency or another body to whom/which the Personal Data is disclosed, whether being a third party or not. However, public authorities which may receive Personal Data within the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients.

j) Third Party

Third Party means a natural or legal person, public authority, agency or other body other than the Data Subject, the Controller, the Data Processor and the persons who are authorised to process Personal Data directly on behalf of the Controller or Data Processor.

k) Consent

Consent means every expression of will by Data Subjects voluntarily given for a specific case in an informed and unambiguous manner in the form of a declaration or other act clearly expressing consent by means of which Data Subjects show that they agree with the Processing of their Personal Data.

2. Name and Address of the Data Controller

Controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and any other provisions for the protection of Personal Data is

Kopf Holding GmbH
Heinkelstraße, 25
73230 Kirchheim/Teck
Germany
Telephone: +49 (0) 7021 / 97 55-50
Email: info@zinkpower.com
Website: www.zinkpower.com

Our data protection officer can be contacted by email to datenschutz@zinkpower.com or by mail addressed to "the data protection officer”.

3. Cookies

This app of Kopf Holding GmbH uses cookies. Cookies are text files which are placed and stored in the web browser on the user’s computer system.

Numerous apps and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by means of which app-sites and servers on which the cookie has been stored can be uniquely identified. This enables the app-sites and servers visited to distinguish the individual browser of the Data Subject from other browsers which contain different cookies. A specific browser can be recognised and identified via the unique cookie ID.

Through the use of cookies, Kopf Holding GmbH can provide customer-friendly services to the users of this app which would not be possible without the use of cookies.

Through cookies, information and offers can be optimised in the interest of the user. Cookies enable us, as already explained, to recognise the users of the app. A recognition of users enables us to facilitate their use of the app. The users of apps which use cookies are, for example, not required to re-enter their login data every time they visit an app as the data is provided by the app and the cookies stored on the user's computer system. Another example is the cookie of a shopping cart in online shops. The online shop remembers the items which the customer has put into the virtual shopping cart through a cookie. 

4. Collection of General Data and Information

When downloading the app, essential information will be transferred to the app store, i.e. in particular your user name, email address and the customer number of your account, time of download, possibly payment information and the individual device number. We have no control over the Processing of data through the app store and cannot be held responsible in this respect. We only process data to the extent required for the download of the app.

The app of Kopf Holding GmbH collects a set of general data and information each time a Data Subject or automated system accesses the app. These general data and information will be stored in the log files of the server. The following data and information may be collected: (1) type of browser used and versions, (2) the operating system used by the accessing system, (3) the website from which an accessing system is referred to our website (so-called referrer), (4) the sub-sites which are accessed on our website by an accessing system, (5) date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information serving the purpose of emergency responses in case of attacks on our information technology systems or safety and operation. 

When using such general data and information, Kopf Holding GmbH does not draw any conclusions regarding the Data Subject. This information is rather required to (1) properly provide the content of our app, (2) ensure the uninterrupted functionality of our IT systems and the technology of our app and, (4) in case of a cyber-attack, provide the prosecuting authorities with the information needed for the investigation of the criminal offence. Kopf Holding GmbH hence analyses such data and information for statistical reasons on the one hand and for the purpose of increasing data protection and data security in our company on the other hand to ultimately ensure an optimal data protection level for the Personal Data processed by us. The server log file data will be stored separately from all of the Personal Data provided by a Data Subject.

5. Registration for/Login to the Central Communication Platform of Kopf Holding GmbH

Data Subjects can register for/login to the central communication platform of Kopf Holding GmbH via the Data Controller's app providing Personal Data. The data required for the registration will be provided by the Controller. Which Personal Data is used for the registration follows from the respective input mask used for the registration. The Personal Data provided by the Data Subject will in principle only be used for the registration and for security purposes. A login is a security measure, e.g. against misuse or unauthorised use. In this respect, one or several Data Processor(s) may be involved in the Processing. 

Through a login to the communication platform, Data Subjects who have legitimately been granted to access the platform can access the app. In addition, this prevents a misuse and, if needed, the registration data may help to investigate criminal offences. Hence, the storage of such data is required as security measure for the access to the communication platform. Such data will in principle not be shared with Third Parties unless required by law or unless such disclosure serves the purpose of investigating a criminal offence. 

The legal basis for the Processing of data is Art. 6 para. 1 lit. b) GDPR and our legitimate interest (Art. 6 para. 1 lit. f) GDPR).

For further information about data protection on the communication platform, please refer to the privacy notice of the communication platform.

6. Contact

Kopf Holding GmbH's app contains information which enables you to easily contact our company by electronic means and communicate directly with us, including via a general email address. If a Data Subject contacts the Data Controller by email or via the available contact form, the Personal Data provided by the Data Subject will be processed. Such Personal Data which is voluntarily provided to the Data Controller by the Data Subject will be processed for the purposes of dealing with the request or contacting the Data Subject. The Personal Data will not be disclosed to Third Parties. The legal basis for the data processing is Art. 6 para. 1 lit. b) GDPR and our corresponding interest in replying to your request and maintaining the user and business relationship (Art. 6 para. 1 lit. f) GDPR).

7. Processing of Personal Data in Business Relations

We process the Personal Data of the contact persons of our business partners (e.g. suppliers and customers) to perform the business relationship and fulfil statutory requirements. The Processing is based on Art. 6 para. 1 lit. f) GDPR (our legitimate interest is the communication with the customer's contact persons). The Processing is furthermore based on Art. 6 para. 1 lit. c) GDPR as we may have a statutory obligation to store Personal Data, e.g. in situations of relevance under tax or trade law. We also process such data in our IT systems based on Art. 6 para. 1 lit. f) GDPR (our legitimate interest is an easier customer relationship management and contacting our customers).

 

8. Google Maps

Data Subjects may use the map services of Google Maps based on their Consent (Art. 6 para. 1 lit. a) GDPR). Via Google Maps, interactive maps and geographic information are visually displayed and map functions, including route planning, are provided. In this respect, the IP address as well as the address or place inserted in the search function will be processed. The map services provider is Google LLC with its seat in 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data Subjects may access Google's privacy notice here.

 

9. Routine Erasure and Blocking of Personal Data

The Data Controller will only process and store the Personal Data of Data Subjects for the period required to achieve the purpose for which they were stored or as stipulated in the laws and regulations of the European policy maker and regulator or other legislators which apply to the Data Controller.

If the purpose for which the data was stored no longer applies or if a retention period set forth by the European policy maker and regulator or any other competent legislator expires, the Personal Data will be either blocked or erased as a matter of routine pursuant to the statutory requirements.

10. Data Subject Rights

a) Right to obtain a confirmation

Data Subjects are entitled to request from the Data Controller a confirmation as to whether their Personal Data is processed. If Data Subjects wish to exercise this right of confirmation, they may at any time contact an employee of the Data Controller.

b) Right of access

Every Data Subject whose Personal Data is processed is at any time entitled to request the Data Controller to provide information, free of charge, about the Personal Data stored relating to the Data Subject along with a copy of that information. The Data Subject is also entitled to request information about:

o the purposes of the Processing

o the categories of Personal Data which are processed

o the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, in particular in case of recipients located in third countries or in case of international organisations

o if possible, the period for which the Personal Data is to be retained or, if that is not possible, the criteria used to determine that period

o the existence of a right to request the rectification or erasure of Personal Data relating to that Data Subject or the restriction of the Processing of Personal Data by the Controller or a right to object to such Processing

o the existence of a right to file a complaint with a supervisory authority

o where the Personal Data is not collected from the Data Subject: any available information as to the source of the data

o the existence of automated decision making including profiling pursuant to Art. 22 para. 1 and para. 4 GDPR and – at least in these cases – relevant information about the logic involved and the impact and planned consequences of such Processing for the Data Subject

In addition, Data Subjects have a right to be informed as to whether Personal Data was transferred to a third country or international organisation. If this is the case, Data Subjects are furthermore entitled to receive information about the appropriate safeguards in place for the transmission.

If Data Subjects wish to exercise this right of access, they may at any time contact an employee of the Data Controller.

c) Right to rectification

Every Data Subject whose Personal Data is processed is entitled to request an immediate rectification of incorrect Personal Data relating to them. Taking the purposes of the Processing into account, Data Subjects are also entitled to request a completion of incomplete Personal Data - also by means of a supplementary declaration.

If Data Subjects wish to exercise this right of rectification, they may at any time contact an employee of the Data Controller.

d) Right to erasure (“right to be forgotten”)

Every Data Subject whose Personal Data is processed is entitled to request the Data Controller to immediately erase any Personal Data relating to them. The Controller is generally obliged to immediately erase Personal Data if one of the following reasons applies:

o The Personal Data was collected or otherwise processed for purposes for which it is no longer required.

o The Data Subjects revoke their Consent on which the Processing was based pursuant to Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR and there is no other legal basis for further Processing.

o The Data Subjects object to the Processing pursuant to Art. 21 para. 1 GDPR and there are no other legitimate reasons for the Processing which have priority or the Data Subjects object to the Processing pursuant to Art. 21 para. 2 GDPR.

o The Personal Data has been processed for illegitimate reasons.

o The erasure of the Personal Data is required to fulfil a legal obligation under Union or Member State law which applies to the Controller.

o The Personal Data was collected in relation to the offer of information society services pursuant to Art. 8 para. 1 GDPR.

If Data Subjects wish to have Personal Data stored by Kopf Holding GmbH erased, they may at any time contact an employee of the Data Controller. The employee of Kopf Holding GmbH will then arrange for the immediate erasure of such data. If there is any reason as to why the data cannot be erased, the Data Subject will be informed accordingly.

If Kopf Holding GmbH published the Personal Data and if our company as the Controller is obliged to erase the Personal Data pursuant to Art. 17 para. 1 GDPR, Kopf Holding GmbH will, taking into account the available technology and implementation costs, take appropriate, also technical, measures to inform other data controllers which process the published Personal Data that the Data Subject requested such other data controllers to erase any and all links to this Personal Data or copies or replications thereof to the extent a Processing is not required. The employee of Kopf Holding GmbH will then take any necessary steps in the individual case.

e) The right to restrict the Processing

Every Data Subject whose Personal Data is processed is entitled to request the Data Controller to restrict the Processing if one of the following requirements is fulfilled:

o The Data Subject contests the accuracy of the Personal Data for a period which enables the Controller to verify the accuracy of the Personal Data.

o The Processing is unlawful but the Data Subject objects to the erasure of the Personal Data and requests a restriction of its use instead.

o The Controller no longer needs the Personal Data for the purposes of the Processing but the Data Subject requires the Personal Data to assert, exercise or defend legal claims.

o The Data Subject objected to the Processing pursuant to Art. 21 para. 1 GDPR and the decision is pending as to whether the legitimate reasons of the Controller override those of the Data Subject.

If one of the aforementioned requirements is fulfilled and a Data Subject wishes that Personal Data stored by Kopf Holding GmbH is erased, they may at any time contact an employee of the Data Controller. Kopf Holding GmbH's employee will then arrange for the restriction of the Processing.

f) Right to data portability

Every Data Subject whose Personal Data is processed is entitled to receive the Personal Data relating to them, which the Data Subject provided to the Controller, in a structured, common and machine-readable format and the Data Subject is entitled to transfer such data to another controller without interference by the Controller to which the Personal Data was disclosed provided that the Processing is based on a Consent pursuant to Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 lit. b) GDPR and the data is processed by means of automated procedures or provided that the Processing is not required for the performance of a task carried out in the public interest or for the exercise of official authority vested in the Controller.

When exercising the right to data portability pursuant to Art. 20 para. 1 GDPR, Data Subjects are entitled to request that their Personal Data be directly transferred from one controller to another controller if this is technically feasible.

To exercise the right to data portability, the Data Subject may at any time contact an employee of Kopf Holding GmbH.

g) Right to object

Every Data Subject whose Personal Data is processed pursuant to Art. 6 para. 1 lit. e) or lit. f) GDPR is at any time entitled to object to the Processing of their Personal Data on grounds relating to their particular situation. This also applies to any profiling based on these provisions.

Kopf Holding GmbH will no longer process the Personal Data in case of an objection unless we can demonstrate compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or the Processing is required to assert, exercise or defend legal claims.

If Kopf Holding GmbH processes Personal Data for the purposes of direct marketing, Data Subjects are at any time entitled to object to the Processing of their data for such advertising purposes. This also applies to profiling insofar as it is connected with such direct marketing. If Data Subjects object to the Processing for direct marketing purposes, Kopf Holding GmbH will no longer process their Personal Data for these purposes.

To exercise the right to object, Data Subjects may at any time directly contact an employee of Kopf Holding GmbH or other employees. 

h) Automated decisions including profiling in the individual case

Every Data Subject whose Personal Data is processed has the right not to be subjected to a decision solely based on automated Processing - including profiling - which has legal effects for the Data Subject or considerably affects the Data Subject in a similar way. This does not apply if the decision (1) is not required to conclude or fulfil a contract between the Data Subject and the Controller or (2) is admissible based on Union or Member State law which applies to the Controller and such legal provisions contain appropriate measures to safeguard the rights and freedoms as well as legitimate interests of the Data Subject or (3) is performed with the express Consent of the Data Subject.

If the decision (1) is required to conclude or fulfil a contract between the Data Subject and the Controller or (2) is performed with the express Consent of the Data Subject, Kopf Holding GmbH will take appropriate measures to safeguard the rights and freedoms as well as legitimate interests of the Data Subject which shall at least include the right of the Controller to have a person interfere, the right to present one's views and the right to contest the decision.

If Data Subjects wish to exercise rights relating to automated decisions, they may at any time contact an employee of the Data Controller.

i) Right to withdraw Consent under data protection law

Every Data Subject whose Personal Data is processed is at any time entitled to withdraw their Consent to the Processing of Personal Data which will not affect the legitimacy of the Processing carried out on the basis of the Consent prior to such withdrawal.

If Data Subjects wish to exercise their right to withdraw a Consent, they may at any time contact an employee of the Data Controller.

j) Exercising your rights and right to file a complaint

Please contact us as indicated above if you wish to exercise any of these rights (for more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_de). If you believe that we have not complied with data protection regulations when Processing your Personal Data, you may lodge a complaint with the competent supervisory authority pursuant Art. 77 GDPR.

 

11. Data Protection in case of Job Applications and as part of the Application Procedure

The Data Controller will process the Personal Data of job applicants for the purpose of performing the application procedure. The data may also be processed electronically. This is in particular the case if applicants provide their application documents to the Data Controller by electronic means in an encrypted form, e.g. by email or via a web form in the app. If an employment contract is concluded between the Data Controller and an applicant, the data provided will be stored for the performance of the employment relationship in accordance with the statutory provisions. If no employment contract is concluded between the Data Controller and the applicant, the application documents will be automatically erased after two months from the notification that the application was not successful unless other legitimate interests of the Data Controller prevent such erasure. Another legitimate interest in this sense is, for example, the obligation to provide evidence in proceedings pursuant to the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG).

12. Data Protection Provisions regarding the Application and Use of Google Analytics (with Anonymization Function)

The Data Controller has integrated Google Analytics (with anonymization function). Google Analytics is a web analysis service. Web analysis refers to the collection, gathering and evaluation of data through the conduct of users. An analysis service inter alia collects the following data: app or website from which the Data Subject was referred to the app-site or website (so-called referrer), sub-sites of the app or website which were accessed and for how long and how many times a sub-site was viewed. An app analysis is mainly used to optimise an app or website and perform a cost-benefit analysis of advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States of Amerika.

The Data Controller uses the anonymisation function provided by Google for the app analysis. With this function, the IP address of the Data Subject's Internet connection is shortened and anonymised by Google.

The purpose of the Google Analytics component is the analysis of the visitor flow on our app and website The Data Controller uses the data and information collected inter alia to evaluate the use of our app and website, to compile reports about the activities on our app and website and to enable further services related to the use of our app and website.

Google Analytics places a cookie on the IT system of the Data Subject. Cookies have already been explained above. The placing of cookies enables Google to analyse the use of our app and website. Each time an individual page of the app or website which is operated by the Data Controller and on which a Google Analytics component has been integrated is opened, the Google Analytics component will automatically cause the browser on the Data Subject's IT system to transfer data to Google for the online analysis. Within the framework of this technical procedure, Google gains knowledge about Personal Data, such as the IP address of the Data Subject, which is used by Google inter alia to retrace the visitor's origins and clicks and, as a consequence, to enable the calculation of commissions.

By means of the cookies, personal information is stored, such as the time of access, the location from which the app or website was accessed and the frequency of visits to our app and website by the Data Subject. Each time our app or website is visited, this Personal Data, including the IP address of the Data Subject's Internet connection, is transferred to Google in the United States of America. Google stores this Personal Data in the United States of America. Google may share this Personal Data which was collected via the technical procedure with Third Parties.

As already explained above, Data Subjects can at any time object to the placing of cookies by our app or website by respectively adjusting the settings of the web browser used and thus permanently prevent the use of cookies. Such setting of the browser would also prevent Google from placing a cookie on the IT system of the Data Subject. Moreover, any cookie already placed by Google Analytics can at any time be removed in the web browser or via other software programs.

The Data Subject may also prohibit and prevent the recording of data related to the use of this website which was generated by Google Analytics as well as the Processing of such data by Google. For this purpose, the Data Subject can download and install a browser add-on under the link https://tools.google.com/dlpage/gaoptout. This browser add-on will inform Google Analytics via JavaScript that it is not allowed to transfer any data and information about visits to the app or websites to Google Analytics. If the IT system of the Data Subject is deleted, formatted or re-installed at a later point in time, the Data Subject has to re-install the browser add-on to deactivate Google Analytics. If the browser add on is de-installed or deactivated by the Data Subject or another person belonging to the sphere of control of the Data Subject, the browser add-on can be re-installed or re-activated.

You can also prevent your data from being collected by Google Analytics by clicking the following link. A cookie will be placed which prevents the future collection of your data when visiting this website: Deactivate Google Analytics

For further information and the applicable data protection provisions of Google, please visit https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. Under this link https://www.google.com/intl/de_de/analytics/, more detailed information about Google Analytics is provided.

13. Data Protection Provisions regarding the Application and Use of Google Ads

The Data Controller has integrated Google Ads. Google Ads is an online advertising service which enables advertisers to place ads in the search results of Google as well as on Google's advertising network. Google Ads enables advertisers to predetermine certain keywords based on which an ad is only displayed in the search results of Google if the user's search request with the search engine is relevant to the keyword. In Google's advertising network, ads are displayed by means of an automatic algorithm and distributed on websites relevant to the topic taking into consideration the predetermined keywords.

The operating company of the Google Ads services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States of Amerika.

The purpose of Google Ads is the marketing of our app and website through the display of customised advertising on third-party websites and in the search results of Google's search engine and the display of third-party advertising on our website.

When a Data Subject accesses our app or website via a Google ad, a conversion cookie will be placed on the Data Subject's IT system by Google. Cookies have already been explained above. A conversion cookie expires after thirty days and does not serve the purpose of identifying the Data Subject. Unless the cookie has already been expired, it can be retraced via the conversion cookie whether certain sub-sites, such as the shopping cart of an online shop system, were accessed on our website. With the conversion cookie we as well as Google can retrace whether Data Subjects who were referred to our app or website via Google Ads have purchased anything, i.e. completed or cancelled a purchase.

Google uses the data collected through the use of conversion cookies for traffic statistics for our app and website. These traffic statistics will then be used by us to determine the total number of users referred to us via Google Ads advertisements, i.e. to determine whether certain Google Ads advertisements are successful or not and to optimise them in the future. Google will neither provide us nor other advertising customers of Google Ads with any information by means of which Data Subjects could be identified.

By means of the conversion cookies, personal information is stored, such as the app-sites and websites visited by the Data Subject. Hence, each time our app or website is visited, Personal Data, including the IP address of the Data Subject's Internet connection, is transferred to Google in the United States of America. Google stores this Personal Data in the United States of America. Google may share this Personal Data which was collected via the technical procedure with Third Parties.

As described above, Data Subjects can at any time also object to the placing of cookies by respectively adjusting the settings of the web browser used and thus permanently object to the use of cookies. Such setting of the web browser would also prevent that Google places a conversion cookie on the IT system of the Data Subject. Moreover, any cookie already placed by Google Ads can at any time be removed in the web browser or via other software programs.

Data Subjects may furthermore disenable customised advertising by Google. To do that, Data Subjects can also open the link www.google.de/settings/ads via any browser used by them and adjust the settings there accordingly.

For further information and the applicable data protection provisions of Google, please visit https://www.google.de/intl/de/policies/privacy/.

14. Legal Basis of the Processing

The legal basis for Processing activities for which our company obtains a Consent for a certain Processing purpose is Art. 6 para. 1 lit. a) GDPR. If the Processing of Personal Data is required to fulfil a contract to which the Data Subject is a party which, for example, applies to Processing activities that are essential to deliver goods or render another service or consideration, the Processing is based on Art. 6 para.1 lit. b) GDPR. The same applies to Processing activities required for the performance of pre-contractual measures, such as in case of requests regarding our products and services. If our company is subject to a legal obligation which requires us to process Personal Data, such as for the fulfilment of tax obligations, the Processing will be based on Art. 6 para. 1 lit. c) GDPR. The Processing of Personal Data might in rare cases be required to protect the vital interests of Data Subjects or other natural persons. This would, for example, be the case if a visitor is injured on our business premises and his/her name, age, health insurance data or other vital information has to be forwarded to a doctor, hospital or other Third Parties. The Processing would then be based on Art. 6 para. 1 lit. d) GDPR. Ultimately, Processing activities may also be based on Art. 6 para. 1 lit. f) GDPR. Processing activities are performed on this legal basis if the Processing is necessary to safeguard the legitimate interests of our company or a Third Party unless the interests, fundamental rights and fundamental freedoms of the Data Subject prevail. We are in particular allowed to perform such Processing activities because the European legislator explicitly mentioned them. In this respect, the European legislator took the view that a legitimate interest can be assumed if the Data Subject is a customer of the Controller (recital 47 sent. 2 GDPR).

15. Legitimate Interests regarding the Processing Pursued by the Controller or a Third Party

If the Processing of Personal Data is based on Art. 6 para. 1 lit. f) GDPR, our legitimate interest is the performance of our business activities for the benefit of our employees and stakeholders.

16. Retention Period of Personal Data

We retain your Personal Data only for as long as such retention is necessary to fulfil the purposes described. The time periods required for this will be reviewed by careful consideration in the course of which we closely examine the necessity of the Processing of data:

If we process your Personal Data on the basis of your Consent, we will usually retain it until you withdraw your Consent.

Apart from that, we will only retain your Personal Data if this is necessary to fulfil our contractual or statutory obligations or to preserve evidence within the framework of the statutory provisions on limitation periods. The most important statutory retention obligations are set forth in commercial and/or tax law and the retention periods amount to six or ten years, respectively. The statutory limitation periods can be up to thirty years; the regular limitation period is in general three years.

 

After the expiry of the applicable retention periods, we will securely erase or anonymise your Personal Data.

17. Recipients or Categories of Recipients of Personal Data

We will only disclose your Personal Data to other recipients if this is necessary to fulfil the described purposes or if you gave your Consent to the disclosure or if we are entitled or obliged to do so by judicial or official authority.

Hence, your data may in particular be shared with our IT service providers, marketing service providers or public bodies (e.g. the tax authorities).

18. Transfer of Personal Data to Third Countries

In principle, your Personal Data is processed in Germany and in other European countries. If your Personal Data is processed in countries outside the European Union or European Economic Area (third countries), this is only done if an adequate level of data protection is ensured for this purpose by certain protective measures. In general, we take the following protective measures for this purpose:

  • Adequacy Decision of the EU Commission: recipients in Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, United Kingdom, Uruguay (for further information, please refer to https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
  • Standard contractual clauses: other recipients (further information at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en)
  • Exceptions pursuant to Art. 49 GDPR: other recipients.

For further information about transfers to third countries or copies of these measures, please refer to the contact addresses indicated above.

 

19. Statutory or Contractual Provisions regarding the Disclosure of Personal Data; Requirement for the Conclusion of a Contract; Obligation of Data Subjects to Provide Personal Data; Possible Consequences of Non-Provision

Please be informed that the provision of Personal Data is partly required by law (e.g. tax provisions) or may also result from contractual agreements (e.g. information about the contractual partner). For the conclusion of a contract, it may be required that a Data Subject provides us with Personal Data which we will then have to process. The Data Subject is, for example, obliged to provide us with Personal Data if our company concludes a contract with them. The non-provision of Personal Data would lead to a situation where it is not possible to conclude a contract with the Data Subject. Before providing Personal Data, the Data Subject has to contact one of our employees. The employee will then explain to the Data Subject on a case-by-case basis whether the provision of Personal Data is required by law or contract or is essential to conclude the contract, whether the Data Subject is obliged to provide the Personal Data and which consequences would follow from a non-provision of the Personal Data.

20. Existence of Automated Decision-Making

As a responsible company, we have refrained from any automated decision-making or profiling.

This Privacy Policy has been generated by the Privacy Policy Generator of the German Association for Data Protection that was developed in cooperation with RC GmbH and the filesharing Lawyers from WBS-LAW.