Data protection

The controller within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other provisions of a data-protection nature is:

 

ZF MICRO MOBILITY GmbH

Escher-Wyss-Strasse 25

88212 Ravensburg

Germany
Website: www.zfmicromobility.com
E-Mail: info.zf-micromobility@zf.com

Phone: +49(0) 6188 916 9065

 

The external data protection officer of the controller for the processing is:

 

Mr. Jens Engelhardt, his representative is Mr. Erdem Durmus

c/o NOTOS Xperts GmbH

Heidelberger Str. 6

64283 Darmstadt

Phone: +49 6151-52010-0

Fax: +49 6151-52010-99

Website: www.notos-xperts.de

E-Mail: datenschutz@notos-xperts.de

 

Each data subject may contact us or our data protection officer directly with any questions or suggestions regarding data protection.

The data protection notice of ZF Micro Mobility GmbH is based on the defined terms of the General Data Protection Regulation (GDPR).
Our data protection notice should be easy to read and understand. In order to ensure this, we would like to clarify in advance the definitions used.

 

3.1       Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

3.2       Data subject

Data subject is any identified or identifiable natural person whose personal data are processed by the controller for the processing.

 

3.3       Processing

Processing means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

3.4       Restriction of processing

Restricting of the processing is the marking of personal data as stored with the objective of restricting its processing in the future. 

 

3.5       Profiling

Profiling is each type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

 

3.6       Pseudonymization 

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, in so far as this additional information is kept in a special way and subjected to technical and organizational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person. 

 

3.7       Controller or party responsible for the processing

Controller or party responsible for the processing (hereafter controller) is the natural person or legal entity, authority, institution or other post, which alone or together with others decides on the purposes and means of the processing of personal data. If the purposes and means of the processing are laid down in European Union legislation or the legislation of the member states, then the controller or the particular criteria of the appointment of this controller in accordance with European Union legislation or the legislation of the member states can be provided. 

 

3.8       Processor

Processor is a natural person or legal entity, authority, institution or other post, which processes the personal data on the instructions of the controller. 

 

3.9       Recipient

Recipient is a natural person or legal entity, authority, institution or other post to which personal data are disclosed regardless of whether this is a third party or not. However, authorities, which receive within the framework of a particular
investigation order in accordance with European Union legislation or the legislation of the member states data which possibly may be/contain personal data, do not hold good as recipients.  

 

3.10     Third party

Third party is a natural person or legal entity, authority, institution or other post with the exception of the data subject, the controller, the order processor and those persons which are authorized under the direct responsibility of the controller or of the order processor to process the personal data.

 

3.11     Consent

Consent is each declaration of will given voluntarily by the data subject for the definite case in an informed and unambiguous manner in the form of a declaration or other unambiguous confirmatory action, with which the data subject makes clear that he/she agrees to the processing of personal data relating to himself/herself. 

4.1       General information on the legal basis 

Where we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.  

Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.  

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.  

Art. 6 para. 1 lit. d GDPR serves as a legal basis in the event that vital interests of the data subject or another natural person necessitate the processing of personal data.  

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights, and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.  

 

4.2       General information on data erasure
and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, the data may be stored if the European or national legislator has provided for this in EU regulations, laws or other provisions to which the person responsible is subject. The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless it is necessary for further storage of the data for the conclusion or performance of a contract.  

 

4.3       General information on processing on
our website       

Data protection, data security and secrecy protection have high priority for ZF Micro Mobility GmbH. The permanent protection of your personal data, your company data and your trade secrets is particularly important to us.  

In principle, you can visit our website without providing any personal information. However, if you make use of the services of our company via our website, this requires the disclosure of your personal data. In general, we use the data communicated by you and collected by the website and the data stored during use exclusively for our own purposes, namely for the implementation and provision of our website and for the initiation, implementation and processing of the services offered via the website (contract
performance) and do not pass these on to outside third parties, unless there is
an officially ordered obligation to do so. In all other cases, we will obtain your separate consent.  

Your personal data will be processed in accordance with the requirements of the General Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to us. By means of this data protection note, we would like to inform you about the type, scope and purpose of the personal data processed by us. In addition, we will inform you of your rights by means of this data protection notice.  

The ZF Micro Mobility GmbH has implemented technical and organizational measures to ensure adequate protection of personal data processed via this website. Nevertheless, Internet-based data transmissions can in principle have security gaps, so that absolute protection cannot be guaranteed. 

The website of ZF Micro Mobility GmbH collects a range of general data and information each time the website is called by a data subject or an automated system. This general data and information is stored in the log files of the server. Able to be collected are: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website, from which an accessing system reaches our website (so-called referrer), (4) the sub-websites, which are steered to on our website via an accessing system, (5) the date and time of an access to the website, (6) an Internet-protocol-address (IP-address), (7) the Internet service provider of the accessing system and (8) other similar data and information, which serve the warding off of hazards in the case of attacks to our IT systems. 

In using this general data and information ZF Micro Mobility GmbH draws no conclusions about the data subject. Much more is this information needed (1) to be able to deliver out the content of our website correctly, (2) to permit the optimization of the content of our website and of the advertising for this, (3) to ensure the durable functionality of our IT systems and of the technology of our website and (4) to be able to make available to the law enforcement authorities the information necessary for criminal prosecution in the case of a cyber-attack. This anonymously collected data and information is evaluated ZF Micro Mobility GmbH on the one hand statistically and on the other hand with the objective of increasing the data protection and the data security in our company in order finally to ensure an optimal level of protection for the personal data processed by ourselves. The anonymous data of the server-logfiles are stored separately from all the personal data stated by a data subject. 

Legal basis	Article 6 Para. 1 lit. f GDPR  (legitimate interest)
Storage purpose	The temporary storing of the IP-address by the system is necessary to permit the delivery of the website to the computer of the user. For this the IP-address of the user must remain stored for the duration of the session.
Storage duration	The data is deleted as soon as it is no longer necessary for achieving the purpose of their collection. This is the case when the particular session has ended in situations where the data is collected for making the website available.   This is the case at the latest seven days after the time when the data was stored in log files. More extensive storing is possible. In this case the IP-addresses of the users are deleted or distorted so that an assignment of the client calling in is no longer possible.
Objection / opportunity for elimination	None, because the data is essential for operating of the website

 

It is possible to contact us via the provided e-mail address, fax or telephone number. If you contact us via one of these options, your personal data transmitted to us will be stored automatically (e-mail, fax) or recorded by us and stored manually.

In this connection no data is passed on to third parties. The data is used exclusively for the processing of the conversation and will immediately be deleted if it is no longer needed. 

We collect and process the personal data of applicants for the purpose of progressing the application process. The processing can also be carried out electronically. This is in particular the case when an applicant sends to us relevant application documents by an electronic route, e.g. per e-mail. If we conclude a contract of employment with yourself as applicant, the data transmitted will be stored for purposes of progressing the employment relationship subject to observation of the legal regulations. If a contract of employment is not concluded by the party responsible for the processing with
the applicant, then the application documents will be automatically deleted six months after notification of the rejection in so far as there is no other legitimate interest of the party responsible for the processing against deletion. Another legitimate interest in this sense is, for example, an obligation of proof in a process in accordance with the German General Equal Treatment Act. 

Legal basis	Legal basis for the processing of the data is as a rule Article 6 Para. 1 lit. b. GDPR with job applications submitted via the contact form and/or e-mail.   (fulfilment of the employment contract; measures prior to the concluding of an employment contract);   Article 6 Para. 1 lit. c. GDPR (Fulfilment of a legal obligation, e.g. answering of questions in connection with the job-application process) and   apart from this Article 6 Para. 1 lit. f GDPR   (legitimate interest) and   special legal authorization rules such as a collective agreement, company agreement, income tax law etc. A supplementary reference is made to the Personnel / HR processing file.
Storage purpose	If we conclude an employment contract with you as job applicant, the data transmitted for the purpose of progressing the employment relationship will be stored whereby the legal obligations will be observed.
Storage duration	If no employment contract is concluded between the party responsible for the processing and the job applicant, then the job-application documents will be automatically deleted six months after the notification of rejection has been sent in so far as no other legitimate interest of the party responsible for the processing conflicts with the deletion.   A legitimate interest in this connection could be – for example – a proof obligation in a process in accordance with the German General Equal Treatment Act).
Objection / opportunity for elimination	Only general objection and elimination opportunities.

 

Our website uses cookies. Cookies are text files which are stored in the Internet browser or, as the case may be, in the Internet browser on the computer system of the user. If a user calls a website, then a cookie may be stored on the operating system of the user. Such a cookie contains a characteristic string which permits unambiguous identification of the browser if the website is called again.  

We employ cookies in order to arrange our website in a more user-friendly manner. Certain elements of our website require that the calling browser can also be identified after a page change.  

In the cookies the following date is stored and transmitted:  

• Language settings 
• Articles in a shopping basket  
• Log-in information  

We also use optional cookies on our website that enable an analysis of the user’s surfing behavior. However, these are only activated if you give us your consent to do so. Cookies that are not technically necessary for the operation of the site are therefore disabled by default.

In this way, the following data can be transmitted:

• Search terms entered 
• Frequency with which pages are called 
• Use of website functions 

When our website is called, the users are informed by means of an information banner about the use of cookies for analytical purposes and are referred to this data protection information. Following in this connection is a reference to how that storing of cookies can be prevented in the browser settings. 

Under the following links you can find out how to disable cookies on the main browsers:

Mozilla Firefox: https://support.mozilla.org/en-US/kb/block-websites-storing-cookies-site-data-firefox

Chrome Browser: https://support.google.com/accounts/answer/61416?hl=en

Legal basis	Article 6 Para. 1 lit. f GDPR (legitimate interests) for strictly technically essential cookies   Otherwise: Art. 6 para. 1 lit. a GDPR (consent), § 25 TTDSG (consent).
Storage purpose	The purpose behind the use of strictly technically essential cookies is that of making use of the website easier for the user. Certain functions of our website cannot be offered without the use of cookies. For these functions it is necessary that the browser is recognized even after a page change.   Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies we learn how the website is used and in this way, we can continually optimize our offer.   These purposes also include our legitimate interest in the processing of the personal data in accordance with Article 6 Para. 1 lit. f GDPR.
Storage duration	Cookies are stored on the user’s computer and are transmitted from this to our website. Accordingly, you as user have full control over the use of cookies.
Objection / opportunity for elimination	By carrying out a change to the settings of your browser you can deactivate cookies or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be carried out automatically. However, if cookies for our website are deactivated, it may no longer be possible to use all the functions of the website in full.   The transmission of flash cookies cannot be prevented via the browser settings but requires changes to the setting of the flash player.

You can also find more information in our Cookie
Policy, at:

https://zfmicromobility.com/cookie-policy-eu/

·       Fundamental

 We, ZF Micro Mobility GmbH, operate our own Facebook fan page at https://www.facebook.com/ZFMicroMobility/. As the operator of this Facebook page, we are the responsible party together with the provider of the Facebook social network (Meta Platforms Ireland Ltd.) within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR). When visiting our Facebook page, personal data of the page visitors are processed by both controllers.

We have concluded a data protection joint responsibility agreement (Page Controller Addendum) with Meta Platforms Inc. (also referred to as Facebook). With this agreement, Facebook recognizes the joint responsibility with regard to so-called insights data and assumes essential data protection obligations for informing data subjects, for data security or for reporting data protection breaches. The agreement also stipulates that Facebook is the primary contact for the exercise of data subjects’ rights (Art. 15 – 22 GDPR). As the provider of the social network, Facebook alone has direct access to the necessary information and can also take any necessary measures and provide information immediately. However, if our support is required, we can be contacted at any time.

 

·       Use of Insights and Cookies

In connection with the operation of this Facebook fan page, we use the Insights function from Facebook to obtain anonymized statistical data on the users of our Facebook fan page. Information about Insights and Facebook Fanpages is provided by Facebook, for example, via its privacy notice.

In connection with visiting our and other Facebook pages, Facebook also uses cookies and other comparable storage technologies. You can find more information about Facebook’s use of cookies in their cookie policy.

 

·       Comments and messages; participation in competitions

On our Facebook fan page, you also have the opportunity to comment on our posts, rate them and get in touch with us via private messages or participate in competitions.

Legal basis	We operate this Facebook page in order to present, interact and communicate with the users of Facebook as well as other interested persons and our customers who visit our Facebook page. The processing of the users’ personal data is based on our legitimate interests, in an optimized company and product presentation (Art. 6 para. 1 lit. f GDPR) as well as when participating in competitions or answering product application questions based on a (pre-)contractual relationship according to Art. 6 para. 1 lit. b) GDPR.
Storage purpose	The processing of the information generated by Insights is intended to enable us, as the operator of the Facebook fan page, to obtain statistics that Facebook compiles based on visits to our Facebook fan page. The purpose of this is to control the marketing of our activity. For example, it allows us to gain knowledge of the profiles of visitors who like our Facebook page or use applications of the page in order to provide them with more relevant content and develop features that may be of greater interest to them.  In addition, to help us better understand how our Facebook Page can better achieve our business goals, demographic and geographic analyses are also created and provided to us based on the information we collect. We can use this information to target interest-based ads without directly knowing the identity of the visitor. If visitors use Facebook on multiple devices, the collection and analysis can also take place across devices if they are registered visitors who are logged into their own profiles.  The visitor statistics created are transmitted to us exclusively in anonymized form. We have no access to the underlying data.  Furthermore, we use our Facebook page to communicate with our customers, interested parties and Facebook users and to inform them about us and our products. In this context, we may receive further information, e.g. due to user comments, private messages or because you follow us or share our content. The processing takes place exclusively for the purpose of communication and interaction with you.
Storage duration	Your data will be deleted when the purpose ceases to exist, provided there is no obligation to retain it.
Objection / opportunity for elimination	Facebook users can influence the extent to which their user behavior may be recorded when visiting our Facebook page under the settings for advertising preferences. Further options are offered by the Facebook settings or the form for the right to object.

 

·       Transfer of data

Since Meta Platforms Inc. is a US company, a transfer of personal data to the USA cannot be conclusively ruled out in the given context. Against this background, we would like to inform you about the circumstances of a data transfer to the USA. As part of its more recent case law, the ECJ declared the previous basis of data transfers to the USA (Privacy Shield) to be invalid in its “Schrems II” ruling. The reason for this was far-reaching and comprehensive access and information authorizations of U.S. authorities with regard to personal data stored on servers of U.S. companies. In principle, the U.S. Patriot Act of 2001 authorizes access to personal data stored on servers of U.S. companies located in the United States. This authority was also extended under the Cloud Act 2018 to include data stored on servers of U.S. companies abroad, including within the European Union. Subsequently, the ECJ requires the integration of so-called EU “standard contractual clauses” in the context of a transfer of personal data in the context of a commissioned processing pursuant to Art. 28 GDPR in order to comply with the requirements of Art. 46 GDPR. We have concluded a joint responsibility agreement with Facebook incorporating the EU standard contractual clauses in order to be able to ensure the integrity and security of your personal data in the context of any transfer of those to the USA. We do not ourselves share any personal data that we receive through our Facebook page.

 

·       Information on contact options and further rights as a data subject

For further information on our contact details, including those of our data protection officer, the rights of data subjects vis-à-vis us and how we process personal data in other respects, please refer to the relevant sections of this data protection notice.

We operate an Instagram page (https://www.instagram.com/zf.micromobility/) on the platform “Instagram” of the provider Meta Platforms Inc. (Deborah Crawford 1601 Willow Road Menlo Park, California 94025, USA).  We use this Instagram page to present ourselves to our customers as well as potentially interested parties and to inform them about news and announcements.

 

10.1 Processing by Meta Platforms Inc.

We would like to point out that we have no influence or control over the type and scope of the data processed by Meta Platforms Inc. and the way in which this data is processed and used or transferred on to third parties.  Likewise, we have no knowledge of the content of your data transmitted to Meta Platforms Inc. and cannot provide any information about what data about you is stored by Meta Platforms Inc. as a result of your use of the service. The use of the services and related functions provided by Meta Platforms Inc. is the sole responsibility of the user.

By visiting our Instagram page, Meta Platforms Inc. stores your information in the form of cookies, provided that you have consented to the storage of cookies in advance. Cookies” are small text files that store information on the end device or in the memory of the browser. Meta Platforms Inc. can analyze the information stored in this way and use it to track your user behavior (including across devices for registered users).  The data included in an analysis also includes the type of content the person is viewing or interacting with. The following personal data is regularly processed:

• IP address
• Operating system
• Browser type
• Language settings

More information regarding the processing of personal data by Meta Platforms Inc. can be found here: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.  

Information about cookies set by Meta Platforms Inc. can be found here: https://help.instagram.com/1896641480634370/?locale=en_US&cms_id=1896641480634370&force_new_ighc=false

 

10.2 Use of Insights

In addition, Meta Platforms Inc. also collects and uses information to provide so-called “Insights” for operators of Instagram pages. Insights are an analytics service that compiles and logs aggregate statistics of certain user interactions with Instagram pages and related content.

Further information on processing of personal data in connection with Insights can be found here: https://www.facebook.com/legal/terms/page_controller_addendum

 

10.3 Processing by ZF Micro Mobility

We only have access to aggregated page insights, with the help of which we are able to view anonymous statistics (e.g. account reach, likes, etc.). The data contained in the details are anonymized and include evaluations according to gender, age and location of users. Against this background, it is not possible for us to draw conclusions about specific persons. Furthermore, we are able to make settings or filters with regard to the selection of a specific time period, the viewing of a specific post and comparable.

Likewise, we process your personal data when you interact with us via our Instagram page (e.g., “liking”, commenting, posting pictures, etc.). In addition, as part of your interaction with us, we may view your personal data publicly provided in your profile.

We cannot exclude the possibility that your personal data may be transferred to non-EU third countries such as the USA during processing by us using the “Instagram” service as described. We are aware of the associated risks and have taken measures (appropriate safeguards) within the meaning of Article 46 GDPR to ensure the security and integrity of your personal data.

We base the processing of your personal data in the context of the use of “Instagram” on the pursuit of a legitimate interest (provision of information, self-promotion, customer support) pursuant to Art. 6 para. 1 lit. f GDPR. As a matter of principle, we only store your personal data for as long as it is required to achieve its collection purpose. You have the right to object the described processing of your personal data at any time according to Art. 21 GDPPR.

 

Legal basis	Storage purpose	Storage duration	Objection / elimination possibility
We operate this Instagram page to present ourselves to our visitors, customers and interested parties and to inform them about news and promotions. This processing is based on a legitimate interest (self-promotion, company presentation, product presentation). Art. 6 para. 1 lit. f GDPR	We operate this Instagram page to present ourselves to Instagram users and other interested persons who visit this Instagram page and to communicate with our users. This is also our legitimate interest in an optimized presentation of the company.	As a matter of principle, we only store your personal data for as long as it is required to achieve the purpose for which it was collected and no statutory retention periods to which we are subject prevent us from erasing the data. Erasure may also become necessary if you object to the processing of your personal data.	To object, you may send us an informal email to the email address listed in this Privacy Policy.

 

We use external JavaScript code. The libraries of the various providers are integrated externally via a CDN (Content Delivery Network) in order to always have access to the latest and most secure version. In addition, we thus reduce loading times of our pages, since the probability is very high that you have already used the CDN on another page. In that case, your browser can access the cached copy and does not have to download it again. If your browser does not have a cached copy, data such as your IP address is transferred from your
browser to the corresponding CDN. The data may also be processed in the USA for this purpose.

 

ZF Micro Mobility GmbH is aware of the transfer of its personal data to a third country and has implemented appropriate safeguards in accordance with Art. 46 GDPR to ensure lawful and secure processing of its personal data.

We use external code of the JavaScript framework jQuery, provided by the third-party provider jQuery Foundation (https://jquery.org). We use external code of the JavaScript framework provided by Cloudflare https://www.cloudflare.com.

Legal basis	Art. 6 para. 1 lit. f GDPR.(legitimate interest)
Storage purpose	The purpose of the storage is the improvement of our website and in visual and functional level.
Storage duration	The data will be deleted as soon as our legitimate interest no longer exists or we are obliged to delete the data due to statutory or legal orders.
Objection / opportunity for elimination	As a user, you have the option to object to the processing of your data at any time.

 

 

11.1      Your rights

If your personal data is processed, then you are the data subject in the sense of the GDPR and you are entitled to the following rights against the controller: 

 

11.2     Right of access by the data subject

You can demand from the controller confirmation as to whether personal data that relates to you has been processed by us

If such processing has taken place, you can demand information on the following from the controller: 

(1)           The purposes for which the personal data is processed; 

(2)           The categories of personal data which are processed; 

(3)           The recipients or, as the case may be, the categories of recipients to
which the personal data relating to you has been disclosed or will be
disclosed; 

(4)           The planned duration of the storage of the personal data relating to you or – if concrete statements on this are not possible – the criteria for the laying down of duration of storage; 

(5)           The existence of a right to correction or deletion of the personal data relating to yourself, of a right to a restriction of the processing by the controller or of a right of objection to this processing;  

(6)           The existence of a right of appeal at a supervisory authority; 

(7)           All the available information on the origin of the data if the personal
data was not collected at the data subject; 

(8)           The existence of an automated decision-finding process including
profiling in accordance with Article 22 Para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and its scope and the effects strived for of such a processing for the data subject in question. 

You are entitled to the right to demand information on whether the personal data relating to yourself is transmitted to a third country or an international organization. In this connection you can demand to be instructed on the suitable guarantees in accordance with Article 46 GDPR in connection with the transmission. 

 

11.3     Right to rectification

You have a right to correction and/or complementing vis à vis the controller in so far as the personal data as processed and which relates to yourself is incorrect or incomplete. The controller has to carry out the correction without delay. 

 

11.4     Right to restriction of the processing

Subject to the meeting of the following preconditions you can demand restriction of the processing of the personal data relating to you: 

(1)   if you dispute the correctness of the personal data relating to yourself for a period which makes it possible for the controller to check the correctness of the personal data; 

(2)  the processing is unlawful and you reject deletion of the personal data and instead demand restriction of the use of the personal data; 

(3)   the controller no longer needs the personal data for purposes of the processing but you need the data for the advancing, exercising or defending of legal claims, or  

(4)   if you have advanced objection to the processing in accordance with Article 21 Para. 1 GDPR but it has not yet been established whether the justified reasons of the controller outweigh your reasons. 

If the processing of the personal data relating to yourself has been restricted, then this data – apart from the storing of this – may only be processed with your consent or for the assertion, exercising or defending of legal claims or for the protection of the rights of another natural person or legal entity or for reasons relating to an important public interest of the European Union or of a member state.  

If the restriction of the processing has been restricted in accordance with the afore-mentioned preconditions, then you will be informed by the controller before the restriction is removed.  

 

11.5     Right to erasure

·       Delation obligation

You can demand from controller that the personal data relating to yourself is deleted without delay and the controller is then obliged to delete this data without delay in so far as one of the following reasons applies: 

(1)  The personal data relating to yourself is no longer required for the purposes for which it was collected or for which it was processed.  

(2)  You revoke your consent, on which processing in accordance with Article 6 Para. 1 lit. a or Article 9 Para.2 lit. a GDPR was based, and there is no other legal foundation for the processing.  

(3)   You submit an objection to the processing in accordance with Article 21 Para. 1 GDPR and there are no justified reasons for the processing with a higher priority, or you submit an objection to the processing in accordance with Article 21 Para. 2 GDPR.  

(4) The personal data relating to you was processed in an unlawful manner.  

(5)   The deletion of the personal data relating to you is required to fulfil a legal obligation in accordance with European Union law or the law of the member states, which laws the controller is subject to.  

(6)   The personal data relating to you was collected in relation to services offered by the information company in accordance with Article 8 Para. 1 GDPR. 

 

·       Information to third parties

If the controller has made the personal data relating to you public and if he/she is obliged to delete this data in accordance with Article 17 Para. 1 GDPR, then he/she shall take reasonable measures including ones of a technical nature – whereby account shall be taken of the available technology and the implementation costs – to inform the responsible parties for the data processing which process the personal data that you as data subject have demanded from them the deletion of all links to this personal data or of copies or replicates of these.  

·       Exceptions

The right to deletion does not exist in so far as the processing is necessary for 

(1)     the exercising of the right of free expression of opinion and to information; 

(2)           for the fulfilment of a legal obligation, which requires the processing in accordance with the law of the European Union or the law of the member states, which laws the controller is subject to, or for the carrying out of a task, which lies in the public interest or which is carried out in the exercising of public authority, which authority was transferred to the controller; 

(3)       for reasons of public interest in the field of public health in accordance with Article 9 Para. 2 lit. h and i as well as Article 9 Para. 3 GDPR; 

(4)           for archiving purposes, scientific or historical research purposes lying in the public interest or for statistical purposes in accordance with Article 89 Para. 1 GDPR, in so far as the right named in section a) probably makes the reaching of the objectives of the processing impossible or impairs it seriously, or 

(5)           for the advancing, exercising or defending of legal claims. 

Moreover, the right to deletion does not exist in so far as the personal data has to be stored by the controller in order to fulfill legal duties to preserve records and legal retention periods. In such a case instead of deletion blockage of the personal data applies. 

 

11.6     Right to information

If you have advanced the right to the correcting, deleting or restricting of the processing vis à vis the controller, then the latter is obliged to inform all recipients, to which the personal data relating to you was disclosed, of this correction or deletion of the data or of the restricting of the processing, unless this proves itself to be impossible or linked with unreasonable expenditure.  

You have the right against the controller to be informed about these recipients.

 

11.7     Right to data portability

You have the right to receive the personal data relating to you, which you made available to the controller, in a structured, conventional and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the controller to whom the personal data was made available, in so far as 

(1)  the processing is based on a consent in accordance with Article 6 Para. 1 lit. a GDPR or Article 9 Para. 2 lit. a GDPR or on a contract in accordance with Article 6 Para. 1 lit. b GDPR and 

(2)   the processing is carried out with the aid of automated processes. 

In exercising this right, you have in addition the right to bring about the situation that the personal data relating to you is transferred directly from one controller to another controller in so far as this is technically possible. The freedoms and rights of other persons may not be impaired thereby. 

The right to data portability does not hold good for the processing of personal data, which is necessary for the carrying out of a task, which lies in the public interest or in the exercising of public authority and which task was transferred to the controller. 

 

11.8     Right to object

For reasons which result from your particular situation you have the right to advance at any time objection to the processing of the personal data relating to you, which processing is carried out on the basis of Article 6 Para. 1 lit. e or f
GDPR; this right also holds good for profiling based on these provisions.  

The controller shall then no longer process the personal data relating to you, unless he/she can demonstrate compelling reasons worthy of protection, which reasons overweigh your interests, rights and freedoms or where the processing serves the advancing, exercising or defending of legal claims. 

If the personal data relating to you is processed for the carrying out of direct advertising, then you have the right to advance at any time objection to the processing of the personal data relating to you for purposes of such advertising; this holds good too for profiling in so far as this is carried out in connection with such direct advertising. 

If you object to the processing for purposes of direct advertising, then the personal data relating to you will no longer be processed for these purposes. 

You have the opportunity – in connection with the use of services of the information company and regardless of directive 2002/58/EC – to exercise your right of objection with the aid of automated processes in which technical specifications are used. 

 

11.9     Right to withdraw from the declaration of consent under data protection law

You have the right to withdraw your consent at any time and without giving reasons. In the event of withdrawal, we immediately will delete your personal data and no longer process it. The legality of the processing carried out on the basis of your given consent and carried out prior to your withdrawal is not affected by your withdrawal. 

 

11.10     Automated decision-making in individual cases including profiling

You have the right to not subject yourself to a decision based solely on an automated processing process – including profiling – which unfolds a legal effect vis à vis yourself or which impairs you significantly in a similar way. This does not hold good if the decision  

(1)  is necessary for the concluding or fulfilment of a contract between you and the controller, 

(2)   is permissible on the basis of legal regulations of the European Union or of its member states, which the controller is subject to, and these regulations contain reasonable measures for the maintenance of your rights and freedoms as well as for your legitimate interests or 

(3)   is carried out with your explicit consent. 

However, these decisions may not be based on particular categories of personal data in accordance with Article 9 Para. 1 GDPR, in so far as Article 9 Para. 2 lit. a or g does not hold good and reasonable measures have been taken for the protection of the rights and freedoms as well as of your legitimate interests. 

In respect of the cases named in (1) and (3) above the controller shall take reasonable measures to ensure the rights and freedoms as well as your legitimate interests, whereby belonging thereto is at the least the right to the affecting of the intervention of a person on the side of the controller for the representation of the controller’s standpoint and to the challenging of the decision. 

11.11   Right to complain at a supervisory authority  

Regardless of another regulatory or judicial remedy, you are entitled to the right to lodge a complaint at a supervisory authority and here in particular at a supervisory authority in the member state of your place of residence, of your place of work or of the place where the suspected infringement took place when you are of the opinion that the processing of the personal data relating to you infringes the GDPR.  

In this situation the supervisory authority, at which the complaint was lodged, shall inform the complainant on the status and the results of the complaint including the possibility of a judicial remedy in accordance with Article 78 GDPR. 

12.1     Purpose of the data processing 

 

Your personal data is processed for the purpose of establishing, implementing and terminating a contractual relationship with you.

 

12.2     Data categories

In the context of this, we process the following personal data or categories of personal data from you in particular:

• Company
• Surname
• First name
• Date of birth
• Address data
• Mail addresses
• Bank details
• Information about orders placed

 

12.3     Legal basis for processing

The legal basis for the processing of your personal data follows from:

• Contract according to Art. 6 para. 1 lit. b) GDPR (e.g.: purchase, delivery and service contracts)
•      Consent according to Art. 6 para. 1 lit a), 7 GDPR (e.g. newsletter, transfer to branches in third countries),
• Fulfillment of a legal obligation and in individual cases pursuant to Art. 6 para. 1 lit c) GDPR (e.g. notifications to the tax office; responses to legal and data protection inquiries).
• Weighing of interests pursuant to Art. 6 (1) f) GDPR (e.g., advertising to existing customers, exercise of domiciliary rights; assertion of legal claims and defense in legal disputes; ensuring IT security and IT operations of the controller; prevention and investigation of criminal acts; video surveillance serves to collect evidence in the event of criminal acts. They thus serve to protect customers and employees as well as to exercise domiciliary rights; measures for building and facility security (e.g., access controls).

 

12.4 Recipient or category of recipients

In order to fulfill our contractual and legal obligations, your data will be forwarded to the following recipients or categories of recipients:

• Clerk
• Department manager
• Banking institutions
• External service providers (please specify)
• IT service provider
• Translation service provider
• Hosting service provider
• Tax office
• Document destruction
• Data Protection Officer

 

12.5 Transfer to a third country

Your personal data may be transferred to the above-mentioned recipients located in an insecure third country (e.g. USA). With an appropriate guarantee, we ensure that the transfer of your personal data is secure. The legal basis for the transfer is:

• Binding internal data protection rules (Art. 46 (2) (b) in conjunction with Art. 47 GDPR)
• Standard data protection clauses of the EU Commission (Art. 46 para. 2 lit. c GDPR)
• Approved rules of conduct (Art. 46 (2) (e) in conjunction with Art. 40 GDPR)
• Approved certification mechanism (Art. 46 (2) (f) in conjunction with Art. 40 GDPR)
• Existence of an exception (Art. 49 GDPR)

 

12.6 Duration of storage, deletion of personal data

In order to fulfill our contractual and legal obligations, we store the data for the following periods, unless there is a legitimate interest within the meaning of Art. 6 (1) f) GDPR that would justify longer storage:

To the extent necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract. In addition, we are subject to various retention and documentation obligations, which result, among other things, from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG) and the German Money Laundering Act (GwG). The retention and documentation periods specified there range from two to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years..

In detail:

 

• Business correspondence: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in conjunction with § 238 I HGB
• Contracts: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in conjunction with § 238 I HGB
• Receipts for invoices: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in conjunction with § 238 I HGB
• Applications: 6 months (if no employment relationship is established
• Judgments, decisions and titles: 30 years

 

12.7 Existence of a right to information, rectification, etc.

You have the following rights with respect to us regarding personal data concerning you:

• Right to information
• Right of rectification or erasure
• Right to restriction of processing
• Right to data portability
• The right to complain to a data protection supervisory authority about the processing of your personal data by us if you do not agree with the handling of your data as well as
• Right of revocation: You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation;
• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions
• The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

• • If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
  • If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
  • You have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.