Data Protection Declaration
A General information
B Definitions of terms
C Scope and supervisory authorities in charge
D Data collection and purpose (scope of usage)
E Transmission of data
F Contract data processing
G Storage of data
H Your rights as data subject affected by data processing measures
I Data Protection Officer
J Changes in this Data Protection Declaration
K Respect for special national features
A. General information
I. General notes pursuant to this Data Protection Declaration; our contact information
The purpose of this Data Protection Declaration ("DPD") of our company, TB designandfurniture GmbH (also deemed to be the "controller" in the meaning of the General Data Protection Regulation, i.e. EU Regulation 2016/679 from 27 April 2016 - "GDPR"), is in particular to inform you in your capacity as data subjects affected by data processing in a transparent, simple and understandable manner inter alia about:
- what data we collect, and how and why this is done;
- how we handle your data, if applicable including with the involvement of third parties;
- what substance matters the GDPR applies to;
- what rights and possibilities of influence you have with regard to your data and its use;
- what rights we have and how these may affect your rights.
Our contact information is as follows:
TB designandfurniture GmbH, Hatzfelder Straße 135/137, 42281 Wuppertal, Germany, Managing Director: Guido Busch, Website: www.tb-design.org, E-Mail: firstname.lastname@example.org
Tel. no.: 0049 202 94 63 000
II. Definitions of terms in the area of data protection law
In data protection law as well as in applications bearing relevance to data protection law, terms are sometimes used which are not self-explanatory per se and/or have not yet become so much a part of everyday language use that everyone could be expected to readily understand what the respective terms mean. For this reason, the following Section B. (Definitions of terms) explains some of the most frequently used terms in more detail.
III. Our understanding of our role with regard to data protection
Data protection is important to us, and we take a variety of measures to ensure that your data is in good hands with us. The principles laid down in the GDPR are also at the same time the principles we adhere to when handling your data. This includes not least the imperative of purpose limitation and minimisation. In this connection, we generally only request a minimum amount of data from you (or, if applicable, from third parties) which is necessary for us to structure the business / customer relationship with you in accordance with the recognised principles of business diligence / customary usage in business and to be able to offer you an excellent service. This principle of necessity continues to be applied at the level of our employees, i.e. generally only those employees who are absolutely necessary for the performance of the activities entrusted to them have access to personal data. At the same time, we only store data for as long as is necessary for the aforementioned purposes unless longer storage obligations emanate from statutory regulations. A further component in our data protection system is technology design and organisation. Through modern data processing systems, other technical precautions and, if necessary, the involvement of external specialised companies, we guarantee a high degree of data security (e.g. through the use of data encryption technology) within the company, ensuring that the risk of unauthorised external access is ruled out to the greatest extent possible. At the same time, data is stored in such a manner so that it can be easily located and, if necessary, restored at any time. In addition to the lawfulness of acquiring data, we endeavour to only use accurate data in our data processing. As a result, we are happy to receive update notices from you.
IV. Legal foundations
We execute data processing in particular on the basis of the GDPR as well as the German Federal Data Protection Act ("BDSG") and other relevant provisions of EU and national law in the field of law governing data protection, which may also include professional and other special legal regulations. To take one example: if you provide your effective consent, art. 6 sec. 1 a) of the GDPR may serve as the specific legal basis for collecting your data for certain purposes.
B. Definitions of terms
Contract processor: a natural or legal person that processes personal data on behalf of another party (namely the data controller), for example a data processing centre.
German Federal Data Protection Act (BDSG): a federal German law in the field of data protection, issued on 30 June 2017 and, like the GDPR, scheduled to enter into force on 25 May 2018.
Legitimate interest: there may be a legitimate interest both in enabling as well as avoiding data processing, depending on the perspective of the party (company) or data subject (natural person). In practice, it usually depends on which party's interests are of overriding importance in the specific situation, whereby a multitude of factors (type of data, situation surrounding its collection, intended use, etc.) must be accordingly weighed out while taking into account the fundamental rights and freedoms of the data subject concerned.
Data subject: the person whose data is the subject of a data processing procedure. To be specific, in this case: you.
Browser: a computer program for displaying websites on the World Wide Web, i.e. a kind of user interface for Internet applications. Well-known examples include Microsoft Edge, Mozilla Firefox or Google Chrome.
Controller: a natural or legal person (including non-public) which alone or jointly with others determines the purposes and means of processing personal data; to be specific, in this case: us.
Cookie: text information in a smaller file format which is sent via the web browser of an Internet site that is visited to your computer (or another terminal device used for the Internet) and stored there. If you visit the site again, this will be recognised by the cookie that has been set, which allows you to for example directly activate certain usage preferences (such as the language setting) or intermediate statuses of previous usage (such as the shopping basket of an online shop).
Data processing: the use or pooling of data in the broadest sense, whether automated or not, such as the collection, recording, organisation, arrangement, storage, adaptation or alteration, read-out, enquiry, use, disclosure by transmission, dissemination or any other form of provision, comparison or linkage, restriction, erasure or destruction of data.
GDPR: a regulation of the European Union (EU 2016/679) in the field of data protection, issued on 27 April 2016 and entering into effect on 25 May 2018 (with direct effect for Germany as well).
Last contact: by last contact with you we mean a situation in which a contractual relationship between you and us has not come about and we have not "heard" from you for more than 3 (three) months, whereby it is not the acoustic nature of the contact that matters. Any type of contact between you and us that is perceivable to us, rather (including for example via email, letter or short message), is sufficient to allow the aforementioned 3-month period to begin anew.
Personal data: any information relating to an identified or identifiable natural person; the latter is the case when a person can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more specific characteristics which express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Special category of personal data: that personal data revealing a natural person's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data (with identification function), health data or data relating to sex life or sexual orientation.
Profiling: any type of automated processing of personal data for the purpose of evaluating certain personal aspects of a natural person, in particular to analyse or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or change in location by such person.
When in the following reference is made to data, this means personal data. The terms European Union, EU and Union are used interchangeably.
C. Scope and supervisory authorities in charge
I. Application independently of the nationality of the data subject
Data protection regulations usually involve the protection of natural persons and their personal data. This is also the case with the key laws and regulations bearing relevance in this context, the GDPR and the German Federal Data Protection Act ("BDSG"), to which we in our capacity as a German company (regularly referred to as "controller" or "controlling party" in law governing data protection) are automatically subject. The question as to the extent that legal persons can also claim protection under data protection law from data processing companies has not yet been fully clarified. As a precautionary measure and with the aim of having a data protection-friendly orientation and alignment, which also includes the granting of optional rights in connection with the release of information on your part, we treat legal persons like natural persons if they are affected in a personal way or where such affection at least comes close to how a natural person would be affected in a comparable situation. This is the case, for example, when natural persons behind the legal persons are involved, i.e. they also appear as natural persons in a recognisable manner in company-related actions. We must adhere to the legal data protection requirements described here (as well as other legal requirements of a data protection nature) not only towards German data subjects or nationals of EU member states, but towards all persons regardless of their nationality with regard to whom we perform (or have performed) actions bearing relevance to data processing relevant in the EU, even if the actual processing takes place outside the EU.
II. (Supervisory) authorities in charge
Our company is based in Germany. The following supervisory authority is therefore primarily responsible for monitoring our compliance with data protection obligations:
Data security officer of the Federal State of North Rhine-Westphalia, i.e. “Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen”, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany, Tel. no.: 0049 211 / 38424-0, Fax: 0049 211 / 38424-10, E-Mail: email@example.com
Since we transact business outside the aforementioned federal state as well, even abroad as the case may be, other authorities may also be competent for assessing our conduct bearing relevance to data protection regulations in the (at any one time) relevant state or country.
D. Collection of data and purpose limitation (scope of use)
I. Type of data collection
Data collection is the first step and at the same time a part of data processing. It is only (legally) permissible if legal requirements (in particular those laid down in the GDPR and the BDSG) that are imposed on measures of this type are met. In our company's practice, the following four situations in particular may legitimate the collection of data (and its further processing as well):
(a) (possibly explicit) consent has been granted;
(b) the action is necessary either to execute a contract with you or, however, to perform pre-contractual measures at your request;
(c) the measure is necessary to fulfil a legal obligation incumbent on us (e.g. a legal obligation to store data);
(d) there is a legitimate interest to our benefit which overrides your interests, rights, etc., relating to data in individual cases.
In our practice, types of data collection are used that are described in more detail below:
1. Collection from you (the "data subject")
As a rule, we generally collect data relevant for the purposes of our company directly from you, which can be done in various ways:
- You contact us by using the contact form on our website, with which certain basic data is to be provided;
- You contact us in another way, e.g. by enquiring about a product, and would like more detailed information, which we are supposed to send to your address;
- You provide us with data on your own initiative - by whatever means of communication this may be - for example in order to receive an individual offer from us or to apply with us for a contract;
- We contact you (for instance at an informational event) within the scope of what is permissible under competition law, which results in a business transaction for which we ask you to provide us with certain data in order to complete such / perform additional actions.
As a rule, we regard the aforementioned processes as those in which either your (at least tacit) consent has been provided or, however, the data processing results from a request from you involving data. Your consent must not be provided in any particular form. However, since we have an obligation to submit proof that you have indeed provided your consent with regard to the processing of data on a consensual basis, but this cannot be documented directly in every communication situation (for example: telephone conversations), we may contact you again in the follow-up to such an event and ask for formal confirmation of your consent.
2. Collection in the case of third parties
Exceptionally, we (also) collect personal data relating to your person from third parties, essentially for the sake of assessing business-related risks which may ensue from an intended transaction, whereby this is – if you have not provided your consent to such way of collection – only permissible if there is a justified interest on our part or if there is a statutory constellation constituting an exception. Such an interest (to our benefit) may be deemed to be the case, for example, if we are involved in a transaction with you in which we are/would be subject to an extensive obligation to render advance performance, and we would consult an appropriate provider (such as Creditreform) to assess your creditworthiness in order to analyse the risk associated with such. If necessary, we would also inform ourselves by using public registers and generally accessible (public) sources (e.g. www.Bundesanzeiger.de), which would also lie in the domain of information collection from third parties and the requirements associated with this if such is to be deemed lawful. Data obtained in this way never involves automated decision-making in our company, however, and is instead merely intended to broaden the basis for our own decision-making process. If we collect data on you from third parties, we shall subsequently inform you of the nature and extent of this in accordance with legal requirements no later than within one month of obtaining the data collected in this manner. Our aforementioned information obligation may be waived in certain exceptional cases, e.g. if the fulfilment of this obligation would be associated with undue effort.
3. Automated data collection
Every time you access the contents of our website, data is temporarily stored which may allow identification. The following data are saved every time a page is called up at www.tb-design.org: date and time of the call-up, name of the Internet service accessed, the resource called up and the action/enquiry used by the client, amount of data transmitted, message as to whether the call-up was successful, IP address of the accessing computer. The stored data is collected for the purpose of statistical evaluation of the use of the website and summarised anonymously. Furthermore, it is used to defend against or analyse attacks on the website. If necessary, cookies may also be used in connection with your use of our website, in which case we shall keep a corresponding notice ready for you directly on the website and request your consent, which you are (of course) completely free to grant. You can also set your browser (see its "help" menu for more details) to block all cookies (and hence automatically those from our website as well) or alternatively to notify you before such a cookie is set. In this case, however, you may no longer be able to use our website to its full extent and/or only with considerable delay, and user-specific default settings for the purpose of more convenient use (e.g. correct language setting) may no longer be available. Once cookies have been set, you can delete them yourself at any time with the help of your browser.
Web analysis service of Google Inc. (https://www.google.de/intl/en/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). Pseudonymised user profiles are created and cookies used in this context. The information generated by the cookie about your use of this website such as browser type/version, operating system used, referrer URL (the previously visited page), host name of the accessing computer (IP address) and time of the server request are transmitted to a Google server in the USA and stored there. This data is assessed to determine how the website is used. The assessment is issued in the form of reports on activities that then form the basis for market research. This data is then passed on to third parties to the extent that this is permissible or necessary. Your IP address will remain anonymous, however, and will not be merged with other Google data. You may furthermore refuse to allow cookies to be used by selecting the appropriate settings on your browser. Please note, however, that if you do this you may not be able to use the full functionality of this website. Finally, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en). As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie will then be set to prevent future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie once again.
For more information on privacy in connection with Google Analytics, please visit Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=en).
On our website, we use the fonts of Google LLC, corporate seat within the USA. The pertinent data protection declaration can be reviewed via: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Our website makes use of the service “Google Maps”, offered by Google LLC, USA, insofar using IP addresses and location data of users, however not without their consent. Normally, such consent is given by a respective choice made in the settings of the mobile device of the relevant user. Data saved in this context are processed in the USA. Data protection statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
We also use social networks to promote awareness of our practice. Commercial / professional aims and objectives which we pursue underlie this. Responsibility for data protection-compliant operation lies in the respective hands of providers of the corresponding service. We have integrated these services into our website using the so-called "two-click" procedure in order to protect your data.
We use the Facebook plugin on our website to personalize its use. We use the corresponding button as a service offered by Facebook. When you visit a site on our website that is equipped with such a plugin, your browser establishes a direct connection to Facebook servers.
The content of this plugin is transmitted directly through Facebook to the browser you are using and integrated into the website. This informs Facebook that your browser has called up the corresponding page of our web presence. This process takes place even if you do not have a Facebook account or if you do have one, but are not logged in. This information, including your IP address, is transmitted directly from your browser to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can associate your visit to our website directly with your account. If you interact with the plugins, for example by pressing the "like" or "share" button, this information will also be forwarded to Facebook servers. It will be stored there. Facebook publishes this information and it will be displayed to your Facebook friends. Facebook will use this information for the purposes of advertising, market research and demand-oriented design of Facebook sites. To this end, Facebook creates interest and relationship profiles, for example to evaluate your use of the website with regard to the advertisements you display and to suggest this information as advertising to other users whose profiles are similar. If you do not want Facebook to associate the information collected through our site with your Facebook account, you have the possibility to log out of Facebook before visiting our website. The purpose and scope of data collection and the further processing and use of data by Facebook as well as your rights and setting options to protect your privacy can be found in Facebook data protection policy information (https://www.facebook.com/about/privacy/).
We have integrated into our website the brief messaging platform of Twitter Inc. (“Twitter”), in fact via plug-ins. The respective interface is discernible via the Twitter logo on the respective buttons (plug-ins), an overview of which can be found via (https://about.twitter.com/resources/buttons). As soon as you call up one of our internet pages that features such a plug-in / Cookie, a direct connection is established between your browser and the Twitter server. By this, Twitter is automatically informed that you visited – with your IP address – our website(s). In case you click on the “Twitter button” while being logged in at your Twitter account, it may occur that the content of our website is linked to your aforementioned account. By this, Twitter can attribute the visit of our website to your user account with them. We hereby inform you that we – as the (mere) controller of our own website – have no knowledge of the content and scope of information sourced by Twitter in such a fashion, nor the latter’s usage thereof. Should you wish to prevent Twitter from being able to attribute the use of our website(s) to your user account / profile with them, please log out of your Twitter account. Further information is provided by the data protection information on the Twitter website, the address of which reads https://twitter.com/privacy.
Our website also uses so-called Social Plugins (“Plugins”) by Instagram, which are operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”), in fact via plug-ins. The respective interface is discernible via the Instagram logo / Instagram camera on the relevant page. As soon as you call up one of our internet pages that features such a plug-in / Cookie, a direct connection is established between your browser and the Instagram server. By this, Instagram is automatically informed that you visited – with your IP address – our website(s), whether or not you have an account with Instagram themselves. Respective information is transferred to the USA and saved there. In case you click on the “Instagram button” while being logged in at your Instagram account, it may occur that the content of our website is linked to your aforementioned account. By this, Instagram can attribute the visit of our website to your user account with them. Moreover, respective information is published on your Instagram account and shared with your contacts. Should you wish to prevent Instagram from being able to attribute the use of our website(s) to your user account / profile with them, please log out of your Instagram account before visiting our website. Information is provided by the data protection information on the Instagram website, the address of which reads https://help.instagram.com/155833707900388.
We have integrated into our website the video portal YouTube LLC, San Bruno, CA, US (YouTube), in fact via plug-ins, Cookies. The respective interface is discernible via the YouTube logo. As soon as you call up one of our internet pages that features such a plug-in / Cookie, a direct connection is established between your browser and the YouTube server. By this, YouTube is automatically informed that you visited – with your IP address – our website(s). In case you click on the “YouTube button” while being logged in at your YouTube account, it may occur that the content of our website is linked to your aforementioned account as a sort of background activity. By this, YouTube can attribute the visit of our website to your user account with them. We hereby inform you that we – as the (mere) controller of our own website – have no knowledge of the content and scope of information sourced by YouTube in such a fashion, nor the latter’s usage thereof nor the companies or perhaps group(s) of companies that may have a stake in YouTube and act “behind the scenes”. Should you wish to prevent YouTube from being able to attribute the use of our website(s) to your user account / profile with them, please address this concern to YouTube for further action and inquiry, namely if logging out of your YouTube account is already sufficient to achieve this.
4. Non-collection of special data
We do not collect any personal data in special categories (see section B above), nor do we seek your express consent insofar (for instance to have it "on reserve" if needed at a future point in time).
II. Purpose limitation (scope of use), type of data collected
1. Main purposes
If we collect data, this is only done for the operational purposes of our company, in particular to ensure:
- orderly receipt as well as the awarding of contracts (irrespective of the type of legal transaction), including their execution;
- the possibility of preparing cost estimates, quotations and similar;
- the ability to formulate and execute contracts together with their payment and despatch-related processing;
- adherence to statutory warranty obligations and any applicable contractual guarantees (if any) or also to assert these ourselves against third parties (e.g. suppliers);
- (possibly also judicial) traceability and enforcement / enforceability of claims against customers as well as the defence of claims asserted against us;
- the provision of a customer service at high level, which can be received by and can support customers in various ways if necessary and at the same time meet their high expectations regarding our company.
2. Secondary purposes
In addition, your data may be used for secondary purposes by our company, e.g. for:
- determination of the satisfaction of our customers with our products / services (incl. website);
- improvement of our products and services (incl. website);
- enabling the development of tailor-made offers for customers;
- support / (and if necessary) goodwill for our products / services above and beyond the warranty periods.
With regard to the collection / use of data for such secondary purposes (especially in the case of direct advertising), you may be entitled to extended rights compared to those for the main operational purposes, even if you have expressly consented to the collection of data. Cf. (inter alia) section H XI for details.
3. Change in purpose
If we wish to process your data for purposes other than those for which it was collected, and if we do not have your (separate) consent, we will only do so if the current purpose is still compatible with the original purpose. In determining compatibility, we comprehensively weigh out interests while taking into account inter alia: the context of the data collection at the time, the degree of connection between the purposes of collection at the time and current processing, the type (sensitivity) of the data and the consequences of further processing such for you as well as the existence of guarantees accompanying processing (e.g. encryption).
4. Type of data collected or stored
The following data may in particular be considered to be data collected by us and then stored: Your name, your address, your date of birth, if applicable (especially for commercial customers) your profession or the branch in which you work, possibly also your marital status (depending e.g. on the type of contractual agreement to be concluded), your (other) data to expedite contact (e.g. e-mail and / or telephone and / or fax), if applicable your bank account, if applicable certain additional data of your company (such as the company's key data, commercial register number, tax numbers, management relationships) or your personal environment (e.g. measurements of certain areas of your abode should we e.g. be requested to develop tailor-made furniture for same) as well as our own findings following data collection, such as your order history with us and associated payment history, complaints, assertion of replacement performance or other contract related rights, etc., possible need for additional products, services etc.
E. Transmission of data
No data are transmitted by us to third parties in principle unless this is necessary for:
- the fulfilment of primary and secondary purposes, whereby such forwarding is restricted to companies associated with us (parent company, subsidiaries and affiliates, i.e. companies which we either control or which control us or are under the joint control of a third party and us) or other companies if we are contractually associated with or similarly connected to them in order to fulfil operational purposes towards you (e.g. subcontractors, cooperation partners, servants in legal terms);
- coordination with our (external) advisors in tax, business and legal matters, which as a rule involves persons who are already subject to statutory confidentiality requirements due to their professional status;
- the execution of payment transactions, regardless of whether we are the paying party or the party that is to effect payment;
- enabling assessment of the (in particular) financial risk of a contemplated or already agreed-upon, but not yet fully completed, legal transaction with regard to various characteristics of the (future) contracting partner, such as its creditworthiness, liquidity, payment history, etc.
- the fulfilment of public-law obligations, for example in response to a request by a government authority on the basis of pertinent statutory provisions
F. Contract data processing
We do not work together with contract processors. Should we ever do so, then guarantee contracts would safeguard that such contractors comply in particular with our Data Protection Guidelines as well as the GDPR itself.
G. Storage of data
In accordance with the principle of storage limitation, we only store your data for as long as is necessary for the purposes for which it is being/has been processed. For example, if a business contact with you has not been solidified following a phase of attempting to initiate a contractual relationship, and if there are no prospects that this will still happen in the foreseeable future, either, there is no longer any operative interest in the storage of data after the expiry of the time-barring period in which possible claims - regardless of which party such have accrued to - would come about due to a possible pre-contractual obligation. In some situations, such an interest in storage may even lapse in an even shorter period of time. However, due to legal regulations - over which we naturally have no control - we may be forced to retain data longer than we ourselves would consider necessary. Such storage obligations arise in particular under commercial and tax law, in some cases under professional law or other special legal regulations, according to which, for example, every commercial/business letter, whether received or sent must be kept for a period of 6 years (beginning at such date). This can, among other things, influence your claim for cancellation, postponing it for a certain period of time or downgrading it to a claim for restriction. For further details, please refer to section H VI. (below).
H. Your rights (rights of the data subject)
I. General information
1. Not an exhaustive list of your rights under this DPD, no formal requirements
To promote readability, we have not explained every right to which you may or actually are entitled down to the last detail, and we have also looked at which cases may arise for our company or for you in your capacity as the data subject in practical terms through the data processing to be carried out by us. The present discussion is therefore not exhaustive with regard to the rights to which you are entitled, but is supplemented (especially in marginal areas) by the GDPR and other pertinent legislation wherever applicable. No special form or formal requirements must be met to assert your rights, i.e. this can also be done by telephone or e-mail.
2. Periods and deadlines for our reaction to the assertion of your rights
If you assert rights under this section H, we will inform you without undue delay, but at the latest - subject to the following clause - within a period of one month after receipt of your application about the effects this will have in your specific case (in particular what legal consequences this may have). If your application is based on a complex issue and at the same time we are confronted with a large number of applications, we are entitled to only react within a period of 3 months, whereby we will notify you of and justify such a delay within the aforementioned one-month period. We must also respond to you within one month and state the grounds for such if we do not wish to take action at your request.
Notification of your rights, the fulfilment of other information obligations by us and measures taken to implement your rights are free of charge to you. We are only entitled to charge a reasonable fee corresponding to our time and effort or to refuse to process the request in the case of manifestly unfounded or (in particular excessive) requests.
4. Contact details for the filing / execution of your rights
All of your rights contained in this section H – with the exception however of your right to appeal – are to be addressed towards us. Insofar, we hereby inform you again of our contact details which read as follows:
TB designandfurniture GmbH, Hatzfelder Straße. 135/137, 42281 Wuppertal, Germany E-Mail: firstname.lastname@example.org, Tel. no.: 0049 202 94 63 000
II. Right to information
You have the right to obtain information from us as to whether we process personal data relating to you. If this is the case, the information also extends to inter alia:
(a) what kind of data are processed and for what purposes;
(b) to whom data may have been passed on (and which guarantees, if applicable, have been provided by the recipient with respect to handling of your data in compliance with law governing data protection, for example in the event that a third country is involved)
(c) duration - or criteria for the duration - of the (planned) storage of this data;
(d) if applicable, the origin of data (in the case of collection from third parties);
(e) if necessary, pertinent information on the (system) logic used and the scope and intended effects of data processing on you if these were the subject of an automated decision-making process (note: we do not perform such processes at our company ourselves).
You will receive a copy of this information from us, in the case of an electronic application on your part in electronic form (i.e. in a common electronic format). We may charge a reasonable fee for additional copies in accordance with the administrative expenses associated with this.
III. Right to withdraw consent that has already been given
You have the right to withdraw your consent at any time. Such withdrawal does not affect the lawfulness of consent-based data processing performed before the point in time of withdrawal, but means that beginning at such point in time we may no longer perform any activities relating to your data if the consent withdrawn in the meantime was the only legal basis for this. This is not the case, for example, if we are still obligated to store the data. The withdrawal can be notified without adhering to any formal requirements and is in any case also possible in the form in which you previously provided your consent.
IV. Right to correction
You have the right to request us to correct any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you furthermore have the right to request completion of incomplete personal data, including by means of a supplementary declaration. If your data has been disclosed to third parties, we will inform them of the correction unless this is impossible or would be associated with unreasonable effort and expense. If you so request, we will disclose the aforementioned third parties to you.
V. Right to erasure (also the so-called "right to be forgotten")
1. Claim to erasure
Subject to the exceptions set out in subsection 3. below, you may request us to erase your personal data immediately if:
(a) this/these data (in particular their further storage) is (are) no longer necessary for the purposes of the collection;
(b) you have withdrawn your consent in the case of consent-based data processing;
(c) you object to further processing;
(d) the processing of data was unlawful;
(e) the erasure is necessary in order to fulfil a legal obligation under European Union law or national law;
(f) the data have been collected from a child (under 16 years of age) relating to services of the information society, which in this context is understood as a service generally provided subject to charge, and which is performed electronically by means of distance selling (i.e. without direct physical contact between the parties involved) and by individual call-up.
In the event your data is erased, we usually assume that you consent to our including your name in our list of persons who do not (no longer) wish to be contacted by us. This minimises the chance that you will be contacted in the future, for example if your data is collected in another context. If you do not desire this, please let us know.
2. Additional rights in the event of publication of your data and third-party participation
If we have disclosed the data to which your erasure claim relates, we will (while taking into account the technology available and implementation costs) undertake reasonable measures to ensure that the controllers responsible for such data are informed that you have requested the erasure of the data (including links to and reproductions of the data). If your data has been disclosed to third parties (in another manner), we will inform them of the erasure unless this is impossible or would involve unreasonable effort and expense. Upon your request, we will disclose the aforementioned third parties to you.
3. Exceptions from the claim to erasure
You are not entitled to an erasure claim - even only temporarily if applicable - especially if data processing is necessary:
(i) to exercise freedom of expression and information;
(ii) to fulfil a legal obligation applicable to us under European Union law or national law (this may be e.g. a legal obligation to keep records [before their expiry]);
(iii) to assert, exercise or defend legal claims, or if
(iv) in the event of your withdrawal in the above meaning (section III), there is another legal basis for
(v) in the event of your objection in the above meaning (section V. 1. c), firstly, there are overriding legitimate grounds for data processing and, secondly, your objection is not only directed against direct advertising and any possibly related profiling (in the latter case - involving direct advertising, profiling relating to such - you are always entitled to a right of erasure).
4. Rights similar to erasure
If you (at least temporarily) have no claim to erasure, you may nevertheless have a claim to a limitation on (further) data processing by us. For more information, please refer to section VI immediately following.
VI. Right to restriction of processing
If we have collected data unlawfully and you are therefore (actually) entitled to an erasure claim, you can demand from us that we restrict data processing instead of such erasure. The same applies to lawfully collected data in the case we have in the meantime achieved the purpose, but you need the data to assert, exercise or defend legal claims. If you have filed an objection to the data processing involving you (and we do not have to comply with this if only because it is directed against direct advertising/related profiling) or if you dispute the accuracy of data, you can request us to restrict the use of your data during the corresponding review phase (weighing of interests in the event of an objection, examination of the data for actual inaccuracy). This means that we may only process such limited data (aside from its storage and special cases of overriding public interest) with your consent or in order to assert, exercise or defend against legal claims or to protect the rights of another natural or legal person.
Even without your initiative, we will limit the use of your information to the extent described above if the last contact with you (see section B) goes back longer than a period corresponding to 3 (three) years plus the remainder of the year in which the last contact occurred. This shall not affect any rights of restriction or erasure that may have arisen at an earlier point in time.
If data restriction in the aforementioned meaning has occurred and is due to be revoked (e.g. because it could be determined that the data is not accurate), we will inform you before this step is taken. If your data has been disclosed to third parties, we will inform them of the data restriction unless this is impossible or would involve unreasonable effort and expenses. If you so request, we will name the aforementioned third parties to you.
VII. Right to transfer of data
If we process your data automatically on the basis of consent given by you or within the scope of a contractual relationship, you can require that we provide you with the corresponding data in a structured form in a common, machine-readable format, for example so that you can forward it yourself (and without any influence whatsoever by us) to another data controller. As far as is technically feasible and such does not affect the rights of other persons, you may also request that we forward such data stocks directly to another data controller selected by you (e.g. a company with whom you wish to conclude a contract). An additional claim for erasure in your favour, if applicable, will not be affected by a data transfer request.
VIII. Right to notification in the event of data breach
If a situation occurs in which the violation of data (e.g. a so-called data breach) poses a great risk to your personal rights and freedoms, we will inform you immediately. Such notification includes inter alia the data of your contact person in this context as well as information on the impending consequences of injury and the measures already taken or planned to be taken to contain these consequences. Such notification may be waived if we have subsequently initiated such effective containment measures that no great risk in the aforementioned meaning can be assumed any longer and if the data have already been significantly secured against unauthorised access - particularly by means of technical measures (e.g. encryption) - or if the notification would involve unreasonable efforts and expenses (in which case we would arrange a public announcement or measure having a similarly broad impact).
IX. Your right to not be subject exclusively to automated decision-making processes in connection with data processing
In principle (i.e. except in exceptional cases), you have the right not to be subject to a decision based exclusively on automated processing - including profiling - if this has legal effect towards you or has a significantly negative effect on you in a similar manner. Our company does not use such decision-making structures at the present time and we would inform you separately should this change and your data be affected.
X. Right of appeal
You may complain at any time about our conduct relating to the processing of data to the supervisory authority in charge (cited above in section C II). Of course, you can also file a complaint with us, and we will try to solve any problems that may arise together.
XI. Right of objection
If we have processed your data to protect our legitimate interests (or to fulfil a task in the public interest), you can object to this at any time. Further processing by us is then (still) only permissible if we can demonstrate reasons for processing which are so important that they override your interests, rights and freedoms, or if such serves the purpose of asserting, exercising or defending against legal claims. If your objection is directed against the use of your data for purposes of direct advertising/related profiling, we will (no longer) use / process your data in this context. You may send your objection to us in any form.
I. Data Protection Officer
Due to the (small) size of our company, there is no legal obligation to appoint a data protection officer, nor have we appointed one on a voluntary basis. However, our entire company staff will be pleased to help you with all your questions in connection with this DPD, the Declaration of Consent as such, other questions regarding the processing of your data and, of course, your rights under section H and the assertion of these rights.
J. Changes in this Data Protection Declaration
This Data Protection Declaration may be changed from time to time, for example in order to adapt it to respective / updated decisions in case law involving data protection handed down by the courts, which were not yet known / foreseeable as of 25 May 2018. We will announce any changes on our website, with changes of a particularly serious nature being communicated in individual form (generally by e-mail) to all customers / users / suppliers / other data subjects relevantly affected whose contact data we still have at the respective point in time.
K. Respect for special national features
Our business activities extend to many European countries. If it should be the case that we owe you a higher data protection standard with regard to individual items than under the GDPR in the country in which our data protection activities have an effect, in which you are domiciled and which is also a Member State of the European Union or the EEA (except for Switzerland) under national law there, we would ask you to inform us as to the nature and scope of this without undue delay since we also want to abide by such requirements, whereby we - we mention this only by way of clarification - also perform our own research in such matters.