With the following information we give you an overview of the processing of your personal data and your rights. Which data will be processed in detail and in which way it will be used will depend to a large extent on the agreed contracts and services.
1. WHO IS RESPONSIBLE FOR DATA PROCESSING AND WHOM DO I HAVE TO CONTACT?
The controller is Friedrich Ossenberg-Schule GmbH + Co KG
Phone: +49 2372. 558. 99. firstname.lastname@example.org
Managing Director: Jan Kaemper
Personally liable associate: Eberhard Kaemper, Friedrich Ossenberg-Schule Verw.-GmbH, Hemer, Germany
You can reach our data protection officer at:Mr. Dipl.-Inform. Olaf Tenti
GDI Gesellschaft für Datenschutz und Informationssicherheit mbH
Phone: +49 2331. 356832. email@example.com
2. WHAT SOURCES AND DATA DO WE USE?
We process data that we acquire from the business relationship with you. We receive the data directly from you, e.g. when concluding a contract or placing an order, enquiries and consultations.
Specifically, we process the following data:
- master data from the contract documents (e.g. name, address and contact data, bank details),
- data in connection with the performance of the contract (e.g. subject matter of the contract, billing address, method and manner of payment, contacts), correspondence (e.g. correspondence with you),
- advertising and sales data.
3. WHY DO WE PROCESS YOUR DATA (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS?
In the following, we will inform you for what purpose and on what legal basis we process your data.
3.1. TO FULLFILL CONTRACTUAL OBLIGATIONS – ART. 6 (1) (B) GDPR
We process your data for the performance of our contracts with you, i.e. in particular for the processing of your orders and our services towards you. The purposes of the data processing depend in detail on the specific services and the contract documents.
3.2 FOR THE PURPOSES OF THE LEGITIMATE INTERESTS PURSUED BY US – ART. 6 (1) (F) GDPR
We may also use your data on the basis of a weighing of interests to protect our or third-party's legitimate interests. This is done for the following purposes:
- Assisting our employees in advising and serving business customers and in sales
- General business management and further development of services and products
- Advertising, market and opinion research
- Assertion of legal claims and defense in legal disputes
- Prevention and investigation of criminal offences
- Ensuring IT security and IT operations
Our interest in the respective processing results from the respective purposes and is of an economic nature in other respects (efficient performance of tasks, distribution, avoidance of legal risks). Insofar as the specific purpose permits, we process your data pseudonymized or anonymized.
3.3 WITH YOUR CONSENT – ART. 6 (1) (A) GDPR
If you have given us your consent for the processing of personal data, the respective consent is the legal basis for the processing mentioned there. This applies in particular to your consent, if any, to the transfer of your data to our employees for consultation and support when concluding a contract. In addition, you may have agreed to be contacted by mail or telephone for advertising purposes. You can withdraw your consent at any time with effect for the future. This also applies to declarations of consent which you gave us before the GDPR came into effect, i.e. before May 25th 2018. The withdrawal only applies to future processing.
3.4 COMPLIANCE WITH LEGAL OBLIGATIONS – ART. 6 (1) (C) GDPR
We are subject to various legal obligations, i.e. legal requirements (e.g. commercial code, tax laws)
4. WHO RECEIVES MY DATA?
A transfer of your data will only take place as far as a legal basis permits it. Within our company, those departments receive your data that require it to fulfil our contractual and legal obligations or to fulfil their respective tasks (e.g. sales and marketing). Furthermore, personal data may be passed on to affiliated companies (group companies) for the purpose of order processing. This is necessary for the fulfilment of contractual obligations. In addition, the following parties may receive your data:
- Processors used by us (Art. 28 GDPR), in particular in the area of IT services and logistics, which process your data for us in accordance with our instructions
- Public bodies and institutions (e.g. tax authorities) in the event of a legal or official obligation, and
- Other bodies for which you have given us your consent for data transfer
In order to assess the risk of concluding a contract, it is possible that we send your personal data to a credit agency or request information about you there. This transfer is permitted pursuant to Art. 6 (1f) DS-GVO because we pursue legitimate interests by limiting the economic risk. The credit bureaus evaluate the information collected by us and others and provide us with an assessment of the risk of default in individual cases.
5. HOW LONG WILL THE DATA BE STORED?
If necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and performance of a contract. In addition, we are subject to various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Tax Code (AO). The time limits for storage and documentation specified therein vary between two and ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to Sec 195 et seq. of the German Civil Code (BGB) can generally be three years, but in certain cases also up to thirty years.
6. WILL DATA BE TRANSFERED TO A THIRD COUNTRY?
We do not intend to transfer personal data to third countries or international organizations. We only transfer your data to countries outside the European Economic Area – EEA (third countries) if this is necessary for the execution of our contractual relationship, required by law (e.g. accounting, administration), or if you have given us your consent.
Insofar as we use software from providers based in third countries or software from providers with subcontractors/service providers in third countries to carry out our contractual relationship, your data or parts of your data may – depending on the processing purpose – be transferred to third countries (e.g. to the United States of America).
We would like to point out that with the ineffectiveness of the EU-US Privacy Shield, there is currently no adequacy decision by the Commission for data transmission to the USA within for a sufficient level of data protection accorting to Art. 45 (3) GDPR. Therefore, we have concluded standard contractual clauses according to Art. 46 (2) (c) GDPR with the service providers/vendors we use, to protect your personal data. Furthermore, some of our service providers have implemented binding corporate rules (BCR) approved by the respective competent supervisory authority for their internal companies according to Art. 47 GDPR.
7. WHICH OTHER PRIVACY RIGHTS DO I HAVE?
In accordance with the relevant legal provisions, you have the right to information (Art. 15 GDPR, Sec. 34 of the Federal German Data Protection Act (FDPA) in its version effective by May 25th 2018), to rectification (Art. 16 GDPR), to erasure (Art. 17 GDPR, Sec. 35 FDPA), to restriction of processing (Art. 18 GDPR) and to data portability (Art. 20 GDPR). You also have the right to appeal to a data protection supervisory authority (Art. 77 GDPR, Sec. 19 FDPA).
8. DO I HAVE AN OBLIGATION TO PROVIDE DATA?
As part of our business relationship, you must only provide personal data that is required for the establishment, performance and termination of a business relationship or for which we are legally obliged to collect. Without this data we will normally have to refuse the conclusion of the contract or the processing of the order or will no longer be able to fulfil an existing contract and may have to terminate it.
9. TO WHAT EXTENT IS THERE AN AUTOMATED INDIVIDUAL DECISION MAKING?
We do not use automated individual decision making in accordance with Art. 22 GDPR for the conclusion and performance of the business relationship. If we decide to use these procedures in individual cases, we will inform you separately if this is required by law.
10. TO WHAT EXTENT WILL MY DATA BE USED FOR PROFILING?
We do not process your data with the purpose of evaluating certain personal aspects (so-called “profiling”).