Privacy policy by ZF Micro Mobility GmbH for the website:
https://zfmicromobility.com
Contents
1. Name and address of the
controller
2. Contact data of the data
protection officer
5. Collection of general data and information
6. E-mail, fax and telephone contact
7. Data protection with applications and application processes
9. Note on data processing
on our Facebook fan page
10. Privacy policy on
the use and application of external scripts jQuery and Cloudflare
CDN
1. Name
and address of the controller
The controller
within the meaning of the General Data Protection Regulation (GDPR), other data
protection laws applicable in the Member States of the European Union and other
provisions of a data-protection nature is:
ZF
MICRO MOBILITY GmbH
Escher-Wyss-Strasse
25
88212
Ravensburg
Germany
Website: www.zfmicromobility.com
E-Mail: info@zfmicromobility.com
Phone: +49(0) 6188 916 9065
2. Contact
data of the data protection officer
The external data protection officer of the controller for the processing is:
Mr. Jens Engelhardt, his representative is Mr. Erdem Durmus
c/o NOTOS Xperts GmbH
Heidelberger Str. 6
64283 Darmstadt
Phone: +49 6151-52010-0
Fax: +49 6151-52010-99
Website: www.notos-xperts.de
E-Mail: datenschutz@notos-xperts.de
Each data subject may contact us or our data protection officer directly with
any questions or suggestions regarding data protection.
3. Definitions
The data protection notice of ZF Micro Mobility GmbH
is based on the defined terms of the General Data Protection Regulation (GDPR).
Our data protection notice should be easy to read and understand. In order to
ensure this, we would like to clarify in advance the definitions used.
3.1 Personal data
Personal data is any information relating to an
identified or identifiable natural person (hereinafter "data
subject"). An identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.
3.2 Data
subject
Data subject is any identified or identifiable natural
person whose personal data are processed by the controller for the processing.
3.3 Processing
Processing means any operation or set of operations
which is performed upon personal data, whether or not by automated means, such
as collection, recording, organization, filing, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
3.4 Restriction of processing
Restricting of the
processing is the marking of personal data as stored with the objective of
restricting its processing in the future.
3.5 Profiling
Profiling
is each type of automated processing of personal data that consists of using
such personal data to evaluate certain personal aspects relating to a natural
person, in particular to analyze or predict aspects relating to that natural
person’s job performance, economic situation, health, personal preferences,
interests, reliability, behavior, location or change of location.
3.6 Pseudonymization
Pseudonymization is
the processing of personal data in such a way that the personal data can no
longer be assigned to a specific data subject without the use of additional
information, in so far as this additional information is kept in a special way
and subjected to technical and organizational measures which ensure that the
personal data cannot be assigned to an identified or identifiable natural
person.
3.7 Controller or party responsible for the
processing
Controller or party
responsible for the processing (hereafter controller) is the natural person or
legal entity, authority, institution or other post, which alone or together
with others decides on the purposes and means of the processing of personal
data. If the purposes and means of the processing are laid down in European
Union legislation or the legislation of the member states, then the controller
or the particular criteria of the appointment of this controller in accordance
with European Union legislation or the legislation of the member states can be
provided.
3.8 Processor
Processor is a
natural person or legal entity, authority, institution or other post, which
processes the personal data on the instructions of the controller.
3.9 Recipient
Recipient is a
natural person or legal entity, authority, institution or other post to which
personal data are disclosed regardless of whether this is a third party or not.
However, authorities, which receive within the framework of a particular
investigation order in accordance with European Union legislation or the
legislation of the member states data which possibly may be/contain personal
data, do not hold good as recipients.
3.10 Third
party
Third party is a
natural person or legal entity, authority, institution or other post with the
exception of the data subject, the controller, the order processor and those
persons which are authorized under the direct responsibility of the controller
or of the order processor to process the personal data.
3.11 Consent
Consent is each
declaration of will given voluntarily by the data subject for the definite case
in an informed and unambiguous manner in the form of a declaration or other
unambiguous confirmatory action, with which the data subject makes clear that
he/she agrees to the processing of personal data relating to himself/herself.
4. General information on data processing; legal basis, purposes of
processing, duration of storage, objection, and possibility of erasure
4.1 General information on the legal
basis
Where we obtain the
consent of the data subject for the processing of personal data, Article
6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal
basis for the processing of personal data.
Art. 6 para. 1 lit.
b GDPR serves as the legal basis for the processing of personal data required
for the performance of a contract to which the data subject is a party. This
also applies to processing operations that are necessary for the implementation
of pre-contractual measures.
Insofar as the processing of personal data is necessary
to fulfil a legal obligation to which our company is subject, Art. 6 para. 1
lit. c GDPR serves as the legal basis.
Art. 6 para. 1 lit. d GDPR serves as a legal basis in
the event that vital interests of the data subject or another natural person
necessitate the processing of personal data.
If the processing is necessary to safeguard a
legitimate interest of our company or a third party and if the interests,
fundamental rights, and fundamental freedoms of the data subject do not
outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the
legal basis for the processing.
4.2 General information on data erasure
and storage duration
The personal data of
the data subject will be deleted or blocked as soon as the purpose of storage
no longer applies. In addition, the data may be stored if the European or
national legislator has provided for this in EU regulations, laws or other
provisions to which the person responsible is subject. The data shall also be
blocked or deleted if a storage period prescribed by the aforementioned
standards expires, unless it is necessary for further storage of the data for
the conclusion or performance of a contract.
4.3 General information on processing on
our website
Data protection,
data security and secrecy protection have high priority for ZF Micro Mobility
GmbH. The permanent protection of your personal data, your company data and
your trade secrets is particularly important to us.
In principle, you can visit our website without
providing any personal information. However, if you make use of the services of
our company via our website, this requires the disclosure of your personal
data. In general, we use the data communicated by you and collected by the
website and the data stored during use exclusively for our own purposes, namely
for the implementation and provision of our website and for the initiation,
implementation and processing of the services offered via the website (contract
performance) and do not pass these on to outside third parties, unless there is
an officially ordered obligation to do so. In all other cases, we will obtain
your separate consent.
Your personal data will be processed in accordance
with the requirements of the General Data Protection Regulation and in accordance
with the country-specific data protection regulations applicable to us. By
means of this data protection note, we would like to inform you about the type,
scope and purpose of the personal data processed by us. In addition, we will
inform you of your rights by means of this data protection notice.
The ZF Micro Mobility GmbH has implemented technical
and organizational measures to ensure adequate protection of personal data
processed via this website. Nevertheless, Internet-based data transmissions can
in principle have security gaps, so that absolute protection cannot be
guaranteed.
5. Collection of general data and information
The website of ZF
Micro Mobility GmbH collects a range of general data and information each time
the website is called by a data subject or an automated system. This general
data and information is stored in the log files of the server. Able to be
collected are: (1) the browser types and versions used, (2) the operating
system used by the accessing system, (3) the website, from which an accessing
system reaches our website (so-called referrer), (4) the sub-websites, which
are steered to on our website via an accessing system, (5) the date and time of
an access to the website, (6) an Internet-protocol-address (IP-address), (7)
the Internet service provider of the accessing system and (8) other similar
data and information, which serve the warding off of hazards in the case of
attacks to our IT systems.
In using this general data and information ZF
Micro Mobility GmbH draws no conclusions about the data subject. Much more is this
information needed (1) to be able to deliver out the content of our website
correctly, (2) to permit the optimization of the content of our website and of
the advertising for this, (3) to ensure the durable functionality of our IT
systems and of the technology of our website and (4) to be able to make
available to the law enforcement authorities the information necessary for
criminal prosecution in the case of a cyber-attack. This anonymously collected
data and information is evaluated ZF Micro
Mobility GmbH on the one hand statistically and on the other hand with the objective
of increasing the data protection and the data security in our company in order
finally to ensure an optimal level of protection for the personal data
processed by ourselves. The anonymous data of the server-logfiles are stored
separately from all the personal data stated by a data subject.
|
Legal basis |
Article 6 Para. 1 lit. f GDPR (legitimate
interest) |
|
Storage purpose |
The temporary storing of the IP-address by the
system is necessary to permit the delivery of the website to the computer of
the user. For this the IP-address of the user must remain stored for the
duration of the session. |
|
Storage duration |
The data is deleted as soon as it is no longer necessary for achieving
the purpose of their collection. This is the case when the particular session
has ended in situations where the data is collected for making the website available. This is the case at the latest seven days after the
time when the data was stored in log files. More extensive storing is
possible. In this case the IP-addresses of the users are deleted or distorted
so that an assignment of the client calling in is no longer possible. |
|
Objection /
opportunity for elimination |
None, because the data is essential for operating of the
website |
6. E-mail, fax and telephone contact
It is possible to contact us via the provided e-mail address, fax or
telephone number. If you contact us via one of these options, your personal
data transmitted to us will be stored automatically (e-mail, fax) or recorded
by us and stored manually.
In this connection no data is passed on to third
parties. The data is used exclusively for the processing of the conversation
and will immediately be deleted if it is no longer needed.
7. Data protection with
applications and application processes
We collect and process the personal data of applicants
for the purpose of progressing the application process. The processing can also
be carried out electronically. This is in particular the case when an applicant
sends to us relevant application documents by an electronic route, e.g. per
e-mail. If we conclude a contract of employment with yourself as applicant, the
data transmitted will be stored for purposes of progressing the employment
relationship subject to observation of the legal regulations. If a contract of
employment is not concluded by the party responsible for the processing with
the applicant, then the application documents will be automatically deleted six
months after notification of the rejection in so far as there is no other
legitimate interest of the party responsible for the processing against
deletion. Another legitimate interest in this sense is, for example, an
obligation of proof in a process in accordance with the German General Equal
Treatment Act.
|
Legal basis |
Legal basis for the processing of the data is as a rule Article 6 Para. 1
lit. b. GDPR with job applications submitted via the contact form and/or
e-mail. (fulfilment of the employment contract; measures prior to the concluding
of an employment contract); Article 6 Para. 1 lit. c. GDPR (Fulfilment of a legal obligation, e.g.
answering of questions in connection with the job-application process)
and apart from this Article 6 Para. 1 lit. f GDPR (legitimate interest) and special legal authorization rules such as a collective agreement, company
agreement, income tax law etc. A supplementary reference is made to the
Personnel / HR processing file. |
|
Storage
purpose |
If we conclude an employment contract with you as job applicant, the data
transmitted for the purpose of progressing the employment relationship will
be stored whereby the legal obligations will be observed. |
|
Storage duration |
If no employment contract is concluded between the party responsible for
the processing and the job applicant, then the job-application documents will
be automatically deleted six months after the notification of rejection has
been sent in so far as no other legitimate interest of the party responsible
for the processing conflicts with the deletion. A legitimate interest in this connection could be –
for example – a proof obligation in a process in accordance with the German
General Equal Treatment Act). |
|
Objection /
opportunity for elimination |
Only general objection and elimination opportunities. |
8. Cookies
Our website uses
cookies. Cookies are text files which are stored in the Internet browser or, as
the case may be, in the Internet browser on the computer system of the user. If
a user calls a website, then a cookie may be stored on the operating system of
the user. Such a cookie contains a characteristic string which permits
unambiguous identification of the browser if the website is called again.
We employ cookies in order to arrange our website in a
more user-friendly manner. Certain elements of our website require that the
calling browser can also be identified after a page change.
In the cookies the following date is stored and
transmitted:
·
Language settings
·
Articles in a shopping basket
·
Log-in information
We also use
optional cookies on our website that enable an analysis of the user’s surfing
behavior. However, these are only activated if you give us your consent to do
so. Cookies that are not technically necessary for the operation of the site
are therefore disabled by default.
In this way, the
following data can be transmitted:
·
Search terms entered
·
Frequency with which pages are called
·
Use of website functions
When our website is called, the users are informed by
means of an information banner about the use of cookies for analytical purposes
and are referred to this data protection information. Following in this connection
is a reference to how that storing of cookies can be prevented in the browser
settings.
Under the following
links you can find out how to disable cookies on the main browsers:
Mozilla Firefox: https://support.mozilla.org/en-US/kb/block-websites-storing-cookies-site-data-firefox
Chrome Browser: https://support.google.com/accounts/answer/61416?hl=en
|
Legal basis |
Article 6 Para. 1 lit. f GDPR (legitimate interests) for strictly
technically essential cookies Otherwise: Art. 6 para. 1 lit. a GDPR (consent), § 25 TTDSG (consent). |
|
Storage
purpose |
The purpose behind the use of strictly technically essential cookies is
that of making use of the website easier for the user. Certain functions of
our website cannot be offered without the use of cookies. For these functions
it is necessary that the browser is recognized even after a page
change. Analysis cookies are used for the purpose of improving the quality of our
website and its content. Through the analysis cookies we learn how the
website is used and in this way, we can continually optimize our
offer. These purposes also include our legitimate interest in the processing of
the personal data in accordance with Article 6 Para. 1 lit. f
GDPR. |
|
Storage duration |
Cookies are stored on the user’s computer and are transmitted from this
to our website. Accordingly, you as user have full control over the use of
cookies. |
|
Objection /
opportunity for elimination |
By carrying out a change to the settings of your browser you can
deactivate cookies or restrict the transmission of cookies. Cookies that have
already been stored can be deleted at any time. This can also be carried out
automatically. However, if cookies for our website are deactivated, it may no
longer be possible to use all the functions of the website in
full. The transmission of flash cookies cannot be
prevented via the browser settings but requires changes to the setting of the
flash player. |
You can also find more information in our Cookie
Policy, at:
https://zfmicromobility.com/cookie-policy-eu/
9. Note
on data processing on our Facebook fan page
· Fundamental
We, ZF Micro Mobility GmbH, operate our own
Facebook fan page at https://www.facebook.com/ZFMicroMobility/. As the operator of
this Facebook page, we are the responsible party together with the provider of
the Facebook social network (Meta Platforms Ireland Ltd.) within the meaning of
Art. 4 No. 7 of the General Data Protection Regulation (GDPR). When visiting
our Facebook page, personal data of the page visitors are processed by both
controllers.
We have concluded a data protection joint
responsibility agreement (Page Controller
Addendum) with Meta Platforms Inc. (also referred to as Facebook). With this
agreement, Facebook recognizes the joint responsibility with regard to
so-called insights data and assumes essential
data protection obligations for informing data subjects, for data security or
for reporting data protection breaches. The agreement also stipulates that
Facebook is the primary contact for the exercise of data subjects’ rights (Art.
15 – 22 GDPR). As the provider of the social network, Facebook alone has direct
access to the necessary information and can also take any necessary measures
and provide information immediately. However, if our support is required, we
can be contacted at any time.
· Use of Insights and Cookies
In connection
with the operation of this Facebook fan page, we use the Insights function from
Facebook to obtain anonymized statistical data on the users of our Facebook fan
page. Information about Insights and Facebook Fanpages is provided by Facebook,
for example, via its privacy notice.
In connection
with visiting our and other Facebook pages, Facebook also uses cookies and
other comparable storage technologies. You can find more information about
Facebook’s use of cookies in their cookie policy.
·
Comments
and messages; participation in competitions
On our Facebook
fan page, you also have the opportunity to comment on our posts, rate them and
get in touch with us via private messages or participate in competitions.
|
Legal basis |
We operate this
Facebook page in order to present, interact and communicate with the users of
Facebook as well as other interested persons and our customers who visit our
Facebook page. The processing of the users’ personal data is based on our
legitimate interests, in an optimized company and product presentation (Art.
6 para. 1 lit. f GDPR) as well as when participating in competitions or
answering product application questions based on a (pre-)contractual
relationship according to Art. 6 para. 1 lit. b) GDPR. |
|
Storage
purpose |
The processing of the information generated by Insights is intended to
enable us, as the operator of the Facebook fan page, to obtain statistics
that Facebook compiles based on visits to our Facebook fan page. The purpose
of this is to control the marketing of our activity. For example, it allows
us to gain knowledge of the profiles of visitors who like our Facebook page
or use applications of the page in order to provide them with more relevant
content and develop features that may be of greater interest to them. In addition, to help us better understand how our Facebook Page can
better achieve our business goals, demographic and geographic analyses are
also created and provided to us based on the information we collect. We can
use this information to target interest-based ads without directly knowing
the identity of the visitor. If visitors use Facebook on multiple devices,
the collection and analysis can also take place across devices if they are
registered visitors who are logged into their own profiles. The visitor statistics created are transmitted to us exclusively in
anonymized form. We have no access to the underlying data. Furthermore, we use our Facebook page to communicate
with our customers, interested parties and Facebook users and to inform them
about us and our products. In this context, we may receive further
information, e.g. due to user comments, private messages or because you
follow us or share our content. The processing takes place exclusively for
the purpose of communication and interaction with you. |
|
Storage duration |
Your data will be deleted when the purpose ceases to
exist, provided there is no obligation to retain it. |
|
Objection /
opportunity for elimination |
Facebook users can influence the extent to which
their user behavior may be recorded when visiting our Facebook page under the
settings for advertising
preferences. Further options are
offered by the Facebook settings or the form for the right to object. |
·
Transfer of data
Since Meta Platforms Inc. is a US company, a transfer
of personal data to the USA cannot be conclusively ruled out in the given
context. Against this background, we would like to inform you about the
circumstances of a data transfer to the USA. As part of its more recent case law,
the ECJ declared the previous basis of data transfers to the USA (Privacy
Shield) to be invalid in its "Schrems II" ruling. The reason for this
was far-reaching and comprehensive access and information authorizations of
U.S. authorities with regard to personal data stored on servers of U.S.
companies. In principle, the U.S. Patriot Act of 2001 authorizes access to
personal data stored on servers of U.S. companies located in the United States.
This authority was also extended under the Cloud Act 2018 to include data
stored on servers of U.S. companies abroad, including within the European
Union. Subsequently, the ECJ requires the integration of so-called EU
"standard contractual clauses" in the context of a transfer of
personal data in the context of a commissioned processing pursuant to Art. 28
GDPR in order to comply with the requirements of Art. 46 GDPR. We have
concluded a joint responsibility agreement with Facebook incorporating the EU
standard contractual clauses in order to be able to ensure the integrity and
security of your personal data in the context of any transfer of those to the
USA. We do not ourselves share any personal data that we receive through our
Facebook page.
·
Information
on contact options and further rights as a data subject
10. Privacy
policy on the use and application of external scripts jQuery and Cloudflare CDN
We use external
code of the JavaScript framework jQuery, provided by the third-party provider
jQuery Foundation (https://jquery.org). We use external code of the JavaScript
framework provided by Cloudflare https://www.cloudflare.com.
|
Legal basis |
Art. 6 para. 1 lit. f GDPR. (legitimate interest) |
|
Storage purpose |
The purpose of
the storage is the improvement of our website and in visual and functional
level. |
|
Storage duration |
The data will be
deleted as soon as our legitimate interest no longer exists or we are obliged
to delete the data due to statutory or legal orders. |
|
Objection / opportunity for elimination |
As a user, you
have the option to object to the processing of your data at any time. |
11. Your rights
If your personal
data is processed, then you are the data subject in the sense of the GDPR and
you are entitled to the following rights against the controller:
11.1 Right of
access by the data subject
You can demand
from the controller confirmation as to whether personal data that relates to
you has been processed by us
If such
processing has taken place, you can demand information on the following from
the controller:
(1)
The purposes for which the personal data is processed;
(2)
The categories of personal data which are processed;
(3)
The recipients or, as the case may be, the categories of recipients to
which the personal data relating to you has been disclosed or will be
disclosed;
(4)
The planned duration of the storage of the personal data relating to you
or – if concrete statements on this are not possible – the criteria for the
laying down of duration of storage;
(5)
The existence of a right to correction or deletion of the personal data
relating to yourself, of a right to a restriction of the processing by the controller
or of a right of objection to this processing;
(6)
The existence of a right of appeal at a supervisory authority;
(7)
All the available information on the origin of the data if the personal
data was not collected at the data subject;
(8)
The existence of an automated decision-finding process including
profiling in accordance with Article 22 Para. 1 and 4 GDPR and – at least in
these cases – meaningful information on the logic involved and its scope and
the effects strived for of such a processing for the data subject in question.
You are entitled to the right to demand information on
whether the personal data relating to yourself is transmitted to a third
country or an international organization. In this connection you can demand to
be instructed on the suitable guarantees in accordance with Article 46 GDPR in
connection with the transmission.
11.2 Right to rectification
You have a
right to correction and/or complementing vis à vis the controller in so far as
the personal data as processed and which relates to yourself is incorrect or
incomplete. The controller has to carry out the correction without delay.
11.3 Right to restriction of the processing
Subject to
the meeting of the following preconditions you can demand restriction of the
processing of the personal data relating to you:
(1) if you dispute the correctness of the personal data
relating to yourself for a period which makes it possible for the controller to
check the correctness of the personal data;
(2) the processing is unlawful and you reject deletion of
the personal data and instead demand restriction of the use of the personal
data;
(3) the controller no longer needs the personal data for
purposes of the processing but you need the data for the advancing, exercising
or defending of legal claims, or
(4) if you have advanced objection to the processing in
accordance with Article 21 Para. 1 GDPR but it has not yet been established
whether the justified reasons of the controller outweigh your reasons.
If the processing of the personal data relating to
yourself has been restricted, then this data – apart from the storing of this –
may only be processed with your consent or for the assertion, exercising or
defending of legal claims or for the protection of the rights of another
natural person or legal entity or for reasons relating to an important public
interest of the European Union or of a member state.
If the restriction of the processing has been
restricted in accordance with the afore-mentioned preconditions, then you will
be informed by the controller before the restriction is removed.
11.4 Right to erasure
· Delation obligation
You can demand from controller that the personal data
relating to yourself is deleted without delay and the controller is then
obliged to delete this data without delay in so far as one of the following
reasons applies:
(1) The personal data relating to yourself is no longer
required for the purposes for which it was collected or for which it was
processed.
(2) You revoke your consent, on which processing in
accordance with Article 6 Para. 1 lit. a or Article 9 Para.2 lit. a GDPR was
based, and there is no other legal foundation for the processing.
(3) You submit an objection to the processing in
accordance with Article 21 Para. 1 GDPR and there are no justified reasons for
the processing with a higher priority, or you submit an objection to the
processing in accordance with Article 21 Para. 2 GDPR.
(4) The personal data relating to you was processed in an
unlawful manner.
(5) The deletion of the personal data relating to you is
required to fulfil a legal obligation in accordance with European Union law or
the law of the member states, which laws the controller is subject to.
(6) The personal data relating to you was collected in
relation to services offered by the information company in accordance with
Article 8 Para. 1 GDPR.
· Information to third parties
If the controller has made the personal data relating
to you public and if he/she is obliged to delete this data in accordance with
Article 17 Para. 1 GDPR, then he/she shall take reasonable measures including
ones of a technical nature – whereby account shall be taken of the available
technology and the implementation costs – to inform the responsible parties for
the data processing which process the personal data that you as data subject
have demanded from them the deletion of all links to this personal data or of
copies or replicates of these.
· Exceptions
The right to deletion does not exist in so far as the
processing is necessary for
(1)
the exercising of the right of free expression of opinion and to
information;
(2)
for the fulfilment of a legal obligation, which requires the processing
in accordance with the law of the European Union or the law of the member
states, which laws the controller is subject to, or for the carrying out of a
task, which lies in the public interest or which is carried out in the
exercising of public authority, which authority was transferred to the
controller;
(3)
for reasons of public interest in the field of public health in
accordance with Article 9 Para. 2 lit. h and i as well as Article 9 Para. 3
GDPR;
(4)
for archiving purposes, scientific or historical research purposes lying
in the public interest or for statistical purposes in accordance with Article
89 Para. 1 GDPR, in so far as the right named in section a) probably makes the
reaching of the objectives of the processing impossible or impairs it
seriously, or
(5)
for the advancing, exercising or defending of legal claims.
Moreover, the right to deletion does not exist in so
far as the personal data has to be stored by the controller in order to fulfill
legal duties to preserve records and legal retention periods. In such a case
instead of deletion blockage of the personal data applies.
11.5 Right
to information
If you have
advanced the right to the correcting, deleting or restricting of the processing
vis à vis the controller, then the latter is obliged to inform all recipients,
to which the personal data relating to you was disclosed, of this correction or
deletion of the data or of the restricting of the processing, unless this
proves itself to be impossible or linked with unreasonable expenditure.
You have the right against the
controller to be informed about these recipients.
11.6 Right
to data portability
You have the
right to receive the personal data relating to you, which you made available to
the controller, in a structured, conventional and machine-readable format. In
addition, you have the right to transmit this data to another controller
without hindrance by the controller to whom the personal data was made
available, in so far as
(1) the processing is based on a consent in accordance
with Article 6 Para. 1 lit. a GDPR or Article 9 Para. 2 lit. a GDPR or on a
contract in accordance with Article 6 Para. 1 lit. b GDPR and
(2) the processing is carried out with the aid of
automated processes.
In exercising this right, you have in addition the
right to bring about the situation that the personal data relating to you is
transferred directly from one controller to another controller in so far as
this is technically possible. The freedoms and rights of other persons may not
be impaired thereby.
The right to data portability does not hold good for
the processing of personal data, which is necessary for the carrying out of a
task, which lies in the public interest or in the exercising of public
authority and which task was transferred to the controller.
11.7 Right
to object
For reasons
which result from your particular situation you have the right to advance at
any time objection to the processing of the personal data relating to you,
which processing is carried out on the basis of Article 6 Para. 1 lit. e or f
GDPR; this right also holds good for profiling based on these provisions.
The controller shall then no longer process the
personal data relating to you, unless he/she can demonstrate compelling reasons
worthy of protection, which reasons overweigh your interests, rights and
freedoms or where the processing serves the advancing, exercising or defending
of legal claims.
If the personal data relating to you is processed for
the carrying out of direct advertising, then you have the right to advance at
any time objection to the processing of the personal data relating to you for
purposes of such advertising; this holds good too for profiling in so far as
this is carried out in connection with such direct advertising.
If you object to the processing for purposes of direct
advertising, then the personal data relating to you will no longer be processed
for these purposes.
You have the opportunity – in connection with the use
of services of the information company and regardless of directive 2002/58/EC –
to exercise your right of objection with the aid of automated processes in
which technical specifications are used.
11.8 Right to withdraw from the declaration of consent under
data protection law
You have the
right to withdraw your consent at any time and without giving reasons. In the
event of withdrawal, we immediately will delete your personal data and no
longer process it. The legality of the processing carried out on the basis of
your given consent and carried out prior to your withdrawal is not affected by
your withdrawal.
11.9 Automated decision-making in individual cases including
profiling
You have the
right to not subject yourself to a decision based solely on an automated
processing process – including profiling – which unfolds a legal effect vis à
vis yourself or which impairs you significantly in a similar way. This does not
hold good if the decision
(1) is necessary for the concluding or fulfilment of a
contract between you and the controller,
(2) is permissible on the basis of legal regulations of
the European Union or of its member states, which the controller is subject to,
and these regulations contain reasonable measures for the maintenance of your
rights and freedoms as well as for your legitimate interests or
(3) is carried out with your explicit consent.
However, these decisions may not be based on
particular categories of personal data in accordance with Article 9 Para. 1
GDPR, in so far as Article 9 Para. 2 lit. a or g does not hold good and
reasonable measures have been taken for the protection of the rights and
freedoms as well as of your legitimate interests.
In respect of the cases named in (1) and (3) above the
controller shall take reasonable measures to ensure the rights and freedoms as
well as your legitimate interests, whereby belonging thereto is at the least
the right to the affecting of the intervention of a person on the side of the
controller for the representation of the controller’s standpoint and to the
challenging of the decision.
11.10 Right
to complain at a supervisory authority
Regardless of another regulatory or judicial remedy,
you are entitled to the right to lodge a complaint at a supervisory authority
and here in particular at a supervisory authority in the member state of your
place of residence, of your place of work or of the place where the suspected
infringement took place when you are of the opinion that the processing of the
personal data relating to you infringes the GDPR.
In this situation the supervisory authority, at which
the complaint was lodged, shall inform the complainant on the status and the
results of the complaint including the possibility of a judicial remedy in
accordance with Article 78 GDPR.
12. Customer
and supplier information, at the same time information on data processing
according to Art. 12 ff. GDPR
12.1 Purpose of the
data processing
12.2 Data
categories
In the context of this, we process the
following personal data or categories of personal data from you in particular:
·
Company
·
Surname
·
First name
·
Date of birth
·
Address data
·
Mail addresses
·
Bank details
·
Information about orders placed
12.3 Legal
basis for processing
The legal basis for the processing of your
personal data follows from:
·
Contract
according to Art. 6 para. 1 lit. b) GDPR (e.g.: purchase, delivery and service
contracts)
·
Consent
according to Art. 6 para. 1 lit a), 7 GDPR (e.g. newsletter, transfer to
branches in third countries),
·
Fulfillment
of a legal obligation and in individual cases pursuant to Art. 6 para. 1 lit c)
GDPR (e.g. notifications to the tax office; responses to legal and data
protection inquiries).
·
Weighing
of interests pursuant to Art. 6 (1) f) GDPR (e.g., advertising to existing
customers, exercise of domiciliary rights; assertion of legal claims and
defense in legal disputes; ensuring IT security and IT operations of the
controller; prevention and investigation of criminal acts; video surveillance
serves to collect evidence in the event of criminal acts. They thus serve to
protect customers and employees as well as to exercise domiciliary rights;
measures for building and facility security (e.g., access controls).
12.4 Recipient or category of recipients
In order to fulfill our contractual and
legal obligations, your data will be forwarded to the following recipients or
categories of recipients:
·
Clerk
·
Department manager
·
Banking institutions
·
External
service providers (please specify)
·
IT service provider
·
Translation service provider
·
Hosting service provider
·
Tax office
·
Document destruction
·
Data Protection Officer
12.5 Transfer to a third country
Your personal data may be transferred to
the above-mentioned recipients located in an insecure third country (e.g. USA).
With an appropriate guarantee, we ensure that the transfer of your personal
data is secure. The legal basis for the
transfer is:
·
Binding
internal data protection rules (Art. 46 (2) (b) in conjunction with Art. 47
GDPR)
·
Standard
data protection clauses of the EU Commission (Art. 46 para. 2
lit. c GDPR)
·
Approved
rules of conduct (Art. 46 (2) (e) in conjunction with Art. 40 GDPR)
·
Approved
certification mechanism (Art. 46 (2) (f) in conjunction with Art. 40 GDPR)
·
Existence
of an exception (Art. 49 GDPR)
12.6 Duration of storage, deletion of personal data
In order to fulfill our contractual and legal
obligations, we store the data for the following periods, unless there is a
legitimate interest within the meaning of Art. 6 (1) f) GDPR that would justify
longer storage:
To the extent necessary, we process and store your
personal data for the duration of our business relationship, which includes,
for example, the initiation and execution of a contract. In addition, we are
subject to various retention and documentation obligations, which result, among
other things, from the German Commercial Code (HGB), the German Fiscal Code
(AO), the German Banking Act (KWG) and the German Money Laundering Act (GwG).
The retention and documentation periods specified there range from two to ten
years. Finally, the storage period is also assessed according to the statutory
limitation periods, which, for example, according to §§ 195 et seq. of the
German Civil Code (BGB), are generally three years, but in certain cases can be
up to thirty years..
·
Business
correspondence: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I
No. 1, 4 in conjunction with § 238 I HGB
·
Contracts:
10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in
conjunction with § 238 I HGB
·
Receipts
for invoices: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No.
1, 4 in conjunction with § 238 I HGB
·
Applications:
6 months (if no employment relationship is established
·
Judgments, decisions and titles: 30 years
12.7 Existence of a right to information, rectification,
etc.
You have the following rights with respect
to us regarding personal data concerning you:
·
Right to information
·
Right of rectification or erasure
·
Right to restriction of processing
·
Right to data portability
·
The
right to complain to a data protection supervisory authority about the
processing of your personal data by us if you do not agree with the handling of
your data as well as
·
Right
of revocation: You have the right to revoke your declaration of consent under
data protection law at any time. The revocation of consent does not affect the
lawfulness of the processing carried out on the basis of the consent until the
revocation;
·
Right
to object: You have the right to object at any time, on grounds relating to
your particular situation, to the processing of personal data relating to you
which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this
also applies to profiling based on these provisions
·
The
controller shall no longer process the personal data concerning you unless it
can demonstrate compelling legitimate grounds for the processing which override
your interests, rights and freedoms, or for the establishment, exercise or
defense of legal claims.
- If
the personal data concerning you is processed for the purpose of direct
marketing, you have the right to object at any time to the processing of
personal data concerning you for the purpose of such marketing; this also
applies to profiling, insofar as it is related to such direct marketing.
- If
you object to processing for direct marketing purposes, the personal data
concerning you will no longer be processed for these purposes.
- You
have the possibility, in connection with the use of information society
services – notwithstanding Directive 2002/58/EC – to exercise your right
to object by means of automated procedures using technical specifications.
Version: January 2023
Controller: ZF Micro Mobility GmbH