Privacy policy

We would like to inform you below about the processing of personal data in connection with the use of our website. Further information on data protection can be found below.


We are 

ENERPARC AG
Kirchenpauerstraße 26
20457 Hamburg
Tel.: +49 (0)40 75 66 449-0
E-Mail: mail@enerparc.com
represented by the Management Board: Christoph Koeppen, Frank Müllejans, Stefan Müller.

We have appointed an external data protection officer. He can be contacted at the above address with the address suffix ‘personal - confidential for the data protection officer’ and via datenschutz@enerparc.com

Provided certain conditions are met, you have the right to

  • Information about your data, correction of incorrect data,
  • to the erasure of your data for which there is no longer a reason for storage,
  • to restriction of processing,
  • to data portability, to object to processing based on our legitimate interest (Article 6 (1) sentence 1 lit. f GDPR),
  • to revoke consent once given with effect for the future and
  • to lodge a complaint with the competent supervisory authority.

Of course, these rights are subject to conditions that are set out in the relevant laws, in particular the General Data Protection Regulation (GDPR).

If we transfer your data to countries that do not belong to the European Union (third countries), we need additional safeguards that are regulated in Articles 44 et seq. of the GDPR. These include in particular  

  • Adequacy decisions where the EU Commission has decided that a country or sector has an adequate level of data protection (Article 45 GDPR),
  • standard contractual clauses by which data recipients from third countries contractually undertake to observe an adequate level of data protection (Article 46 GDPR),
  • binding internal data protection rules that have been reviewed by EU supervisory authorities and by which data recipients from third countries undertake to observe an adequate level of data protection (Article 47 GDPR),
  • Declarations of consent with which you accept in individual cases that your data will be transferred to a third country (Article 49(1)(a) GDPR). Any risk information can be found in the glossary.

We have the following information: 

  • When we process your data, there is no automated decision-making and, in particular, no profiling.
  • We are only legally obliged to process your data if we expressly point this out in the following data protection information.

Contact us

Firstly, we collect your data in order to establish initial contact. It is possible for us to contact you first, for example in the context of acquiring shepherds and biologists. It is also conceivable that you contact us first. In any case, we process all data that we have either researched in advance and/or that you provide to us voluntarily. This is often your contact details (name, e-mail address, address, telephone number) and communication data (e.g. description of the content of the conversation, conversation notes, form entries). On this basis, we check your offer and store the corresponding data. The purpose of this processing is to initiate or establish a contract. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Video conferencing

In some cases, you can communicate with us by video conference. In doing so, we process the resulting video and audio data as well as any transcripts taken. With this processing, we either want to negotiate a contract with you or, later, even fulfil it. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.  

Recordings are only made if we suggest this and you consent. In order to fulfil a legal obligation (Article 7 (1) GDPR), we first store the information as to whether you have given your consent. The legal basis for this is Article 6 (1) sentence 1 lit. c GDPR. We then record the conversation and store the resulting image and audio data to document the conversation. The legal basis for this is Article 6 (1) sentence 1 lit. a GDPR. The prohibition under Article 9(1) GDPR does not prevent this, as the exception under Article 9(2)(a) GDPR applies.

Contract fulfilment

If a contract is actually concluded between us, we will communicate with you, make payments, etc., and process communication and billing data (e.g. for the delivery of services and answering enquiries) in order to fulfil the contract. The purpose of this processing is to fulfil the contract. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Notification of changes to data processing

If we change the way we process your data (e.g. use new tools), we will inform you about the changes, e.g. by email. As a rule, we will send you updated data protection information. The processing is intended to fulfil a legal obligation (Articles 12 to 14 GDPR). The legal basis for this is Article 6 paragraph 1 sentence 1 lit. c GDPR.

Data processing for the purpose of asserting rights

If you assert your rights under the GDPR or other legal provisions, we process your data in order to verify these claims and, if necessary, fulfil them. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6(1) sentence 1 point (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.

Involvement of tax consultancy firm

We forward data relevant to you under tax law (e.g. offers, order confirmations, contracts, invoices, account statements, etc.) to an external tax consultancy firm. In doing so, we process your name and all data resulting from invoices and incoming payments. We therefore seek assistance with accounting and other tax-related matters. The legal basis for this is Article 6 (1) sentence 1 point (f) GDPR, whereby our legitimate interest follows from the stated purpose. Insofar as the external tax consultancy processes this data, it is not a matter of order processing (see DSK short paper 13), but of a data transfer that is justified by Article 6 (1) sentence 1 point (f) GDPR.

Data storage/storage period

We store your data both during and after the end of the contract. This is to inform you how long the data will be stored:

  • We keep internal records (e.g. annual financial statements, accounting vouchers) for ten years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
  • We keep business communications (e.g. customer letters) and other tax-relevant documents for six years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do this (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
  • If you assert your rights under the GDPR, this will result in the creation of communication data (correspondence by email, post, etc.). We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. We do this in order to protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 (f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations for administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 GDPR).
  • If you assert other, non-GDPR rights, communication data will also be created, which we will store for three years. This period begins on 31 December of the calendar year in which we respond to your request. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(1)(f) of the GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)).
  • When you consent to data processing,
    - we store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs earlier. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The three-year period is based on the statutes of limitation for claims for damages (Sections 195 and 199 (1) of the German Civil Code (BGB)) and, in addition, on the statutes of limitation under the law governing administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 of the GDPR).
    - we store the data that we process based on your consent until you withdraw your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) of the GDPR.

Deletion of data

We will delete your data as soon as the above-mentioned retention periods have ended. In doing so, we are complying with a legal obligation (Article 5 (1) (a), (e) GDPR). The legal basis is Article 6 (1) sentence 1 (c) GDPR.

Recipient

The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

  • Backup tool providers
  • Software hosting company
  • Video conferencing system providers
  • Law firms specialising in legal, tax and auditing services 
  • Project management tools,
  • Providers of whistleblower platforms
  • Provider of accounting solutions
  • Providers of Microsoft assistance tools
  • Translation tool vendor

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

  • Microsoft: Various applications are used by Microsoft Corporation (USA), which has been commissioned in accordance with Article 28 of the GDPR, namely: Microsoft365-Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint.  A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 45 of the GDPR.
  • New Relic: The website monitoring tool ‘New Relic’ from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (here the USA) that cannot be excluded is justified in accordance with Article 45 of the GDPR.
  • Lacework: The IT security tool ‘Lacework’ from Lacework, Inc. (USA) is used. A transfer of data to a third country (here the USA) that cannot be ruled out is justified in accordance with Article 46 of the GDPR.
  • ShareFile:The IT tool ‘ShareFile’ from Citrix Systems Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 46 of the GDPR.
  • Monday.com: The collaboration tool Monday.com, from Monday.com Ltd. (Israel), is used. The transfer of data to a third country (in this case, Israel) cannot be ruled out, but this is justified under Article 45 of the GDPR.
  • Atlassian: The project management tool from Atlassian Pty Ltd (Australia) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case, Australia) that cannot be ruled out is justified in accordance with Article 46 of the GDPR.
  • Autodesk: The project management tool ‘Autodesk’ from Autodesk, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.

On the special features of the responsibilities  

  • We are always looking for owners on whose land we can build solar parks and the like. We contact landowners for this purpose.
    • In some cases, we are supported by KLM-Architekten Leipzig GmbH and KLM Projektentwicklung GmbH & & Co. KG. These companies research the contact details and also approach the property owners on our behalf.

If you have been contacted in this way, please note that these companies and we have contractually agreed to process your data jointly. These contracts stipulate that you can contact both us and the above-mentioned companies if you wish to assert your rights. We have also agreed that both we and our contractors will independently ensure the lawfulness and security of the processing.

Making contact

Firstly, we collect your data in order to establish initial contact. We may research the data ourselves or have it researched by land registry or land registry offices (see the special features of the responsibilities). In this case, we receive and process your name, your address and the information as to which property belongs to you. The purpose of the processing is that we may wish to negotiate a lease agreement with you. The legal basis for the processing depends on the federal state in which your property is located.

The following laws come into consideration:

  • §§ 13ff. Hamburg Law on Surveying
  • § Section 5 (2) of the Lower Saxony Surveying Act
  • § Section 10 of the Bremen Land Surveying and Cadastre Act
  • § Section 13(3) of the Schleswig-Holstein Land Surveying and Cadastre Act
  • § Section 33(2) of the Act on Official Geoinformation and Surveying in Mecklenburg-Western Pomerania
  • § Section 10(1) of the Act on Official Surveying in the State of Brandenburg
  • § Section 17 (1) of the Law on Surveying in Berlin
  • § Section 13(1) of the Surveying and Geoinformation Act of Saxony-Anhalt
  • § Section 14(2) of the Surveying Act of Saxony
  • § Section 18 (2) of the Thuringian Surveying and Geoinformation Act
  • § Section 16 (2) of the Hessian Law on the Real Estate Cadastre and Land Surveying
  • Article 11(1) of the Bavarian Land Survey and Cadastre Act
  • § Section 2(3) of the Surveying Act for Baden-Württemberg
  • § Article 10(1) of the Saarland Land Survey and Cadastre Act
  • § Section 13(2) of the Rhineland-Palatinate Land Survey Act
  • § Section 14(2) of the North Rhine-Westphalia Land Surveying and Cadastre Act

In any case and if your property is located outside Germany, the processing is based on Article 6 (1) sentence 1 lit. f GDPR, whereby our legitimate interest follows from your expectable interest in a lease agreement.

Contract fulfilment

If a lease agreement is actually concluded between us, we will communicate with you, make payments, etc., and process communication and billing data (e.g. for the delivery of services and answering enquiries) in order to fulfil the contract. The purpose of this processing is to fulfil the contract. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Notification of changes to data processing

If we ever change the way we process your data (e.g. use new tools), we will inform you of the changes, e.g. by email. As a rule, we will send you updated data protection information. The purpose of the processing is to fulfil a legal obligation (Articles 12 to 14 GDPR). The legal basis for this is Article 6 paragraph 1 sentence 1 lit. c GDPR.

Data processing for the assertion of rights

If you assert your rights under the GDPR or other legal provisions, we process your data in order to examine and, if necessary, fulfil these claims. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.

Storage of the data/storage period

We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

  • We keep internal records (e.g. annual financial statements, accounting vouchers) for ten years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (§ 147 AO, § 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with. We retain business communications (e.g. customer letters) and other tax-relevant documents for six years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with.

  • We keep business communications (e.g. customer letters) and other tax-relevant documents for six years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with.

  • If you assert your rights under the GDPR, communication data (correspondence by email, post, etc.) will be generated. We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. This is in our own legitimate interests. In the event of a dispute, we want to be able to prove that we have handled your claims correctly. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and additionally on the statute of limitations for administrative offences (Section 31 (2) (1) OWiG in conjunction with Article 83 GDPR).

  • If you assert other, non-GDPR rights, communication data is also created, which we retain for three years. This period begins on 31 December of the calendar year in which we responded to your request. In doing so, we are safeguarding our own legitimate interests. In the event of a dispute, we want to be able to prove that we have handled your claims correctly. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB).
  • When you consent to data processing,
    - we store the information that you have consented to for three years. This period begins as soon as you withdraw your consent or the associated purpose expires, whichever comes first. In doing so, we are safeguarding our own legitimate interests. In the event of a dispute, we want to be able to prove that we have handled your claims correctly. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and additionally on the statute of limitations for administrative offences (Section 31 (2) (1) OWiG in conjunction with Article 83 GDPR).
    - we store the data that we process on the basis of your consent until you withdraw your consent. The purpose results from the respective declaration of consent and the legal basis for this is Article 6 paragraph 1 sentence 1 lit. a GDPR.

Deletion of the data

As soon as the above-mentioned retention periods end, we will delete your data. In doing so, we fulfil a legal obligation (Article 5(1)(a), (e) GDPR). The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR.

Recipients

The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

  • Backup tool providers
  • Software hosting companies,
  • Providers of video conferencing systems,
  • Law firms, tax and auditing firms  
  • Project management tools,
  • Providers of whistleblowing platforms,
  • Providers of accounting solutions
  • Provider of Microsoft assistance tools
  • Providers of translation tools

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

  • Microsoft: Various applications are used by Microsoft Corporation (USA), which has been commissioned in accordance with Article 28 GDPR, namely: Microsoft365-Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.

  • New Relic: The website monitoring tool ‘New Relic’ from New Relic, Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR.A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.

  • Lacework: The IT security tool ‘Lacework’ from Lacework, Inc (USA) is used. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.

  • ShareFile: The IT tool ‘ShareFile’ from Citrix Systems Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.

  • Monday.com: The collaboration tool ‘Monday.com’ from Monday.com Ltd (Israel) is used. A transfer of data to a third country (here Israel) that cannot be ruled out is justified in accordance with Article 45 GDPR.

  • Atlassian: The project management tool of Atlassian Pty Ltd (Australia), which was commissioned in accordance with Article 28 GDPR, is used. A transfer of data to a third country (in this case Australia) that cannot be ruled out is justified in accordance with Article 46 GDPR.

  • Autodesk: The project management tool ‘Autodesk’ from Autodesk, Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here USA) that cannot be ruled out is justified for employee data in accordance with Article 46 GDPR and for all other data in accordance with Article 45 GDPR.

Special features of the responsibilities

Insofar as we maintain company pages on social media/networks, we would like to point out that 

  • Insofar as we analyse your use of our company website, we and the respective provider are jointly responsible under data protection law in accordance with Article 26 of the GDPR. 
  • we have commissioned the providers in all other cases in accordance with Article 28 of the GDPR.

Website display

You have the option of using our website for information purposes only. This means that you can simply access the page without clicking on anything or entering anything. Even then, we process the following data from you so that you can view the website in your browser:  

  • IP address, 
  • Date and time of the request, 
  • Time zone difference to Greenwich Mean Time (GMT), 
  • Content of the request (specific page), 
  • Access status/HTTP status code, 
  • transferred data volume, 
  • the page from which the request comes, 
  • Browser, 
  • operating system and its interface, 
  • Language and version of the browser software. 

The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from this purpose.

Web hosting

We use an external web host to make our website accessible. The web host processes all the data mentioned in the previous section (display of the website) for this purpose. The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from this purpose.

Cookie-Consent

We give you the opportunity to consent to the use of cookies and use a cookie consent tool for this purpose. In doing so, we process all the data already mentioned in the previous section (presentation of the website), as well as the information as to whether, in what and when you have given your consent. By processing this data, we intend to fulfil a legal obligation (Article 7(1) GDPR). The legal basis is Article 6(1) sentence 1 point (c) GDPR.

Form

On our website, there is a form that you can use to communicate with us. All the information you enter there will be transmitted to us and processed by us.

Either:

  • the processing serves the initiation, execution and/or termination of contracts (purpose 1) or 
  • it enables you to contact us for another reason, e.g. to assert claims for information (purpose 2). 

The legal basis for purpose 1 is Article 6 paragraph 1 sentence 1 point b of the GDPR and for purpose 2 Article 6 paragraph 1 sentence 1 point f of the GDPR, whereby the legitimate interest follows from your request.

Recruiting

You have the option of applying for a job with us via our website in the recruiting section or through other contact channels. We collect this data in order to determine whether or not we can enter into an application process. The legal basis for this is Article 6(1)(b) of the GDPR. In addition, our data protection information for employees applies.

Analysis of user behaviour

We use cookies to analyse how you arrive at our website and what you do there exactly. Cookies are text files that are stored on your computer and enable us to perform this analysis (reports on your activities and interactions on the website, e.g. order of interactions, length of stay).

We use this data and analysis to improve our website and the user experience and to tailor it to you and other users. Further details can be found in the information on the tools (see below). 

The purpose of the processing is to optimise our website. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

Social media/networks

We are active on social media and networks. If you access our company pages on social media/networks from our website, some of your data will be processed. Of course, this also applies if you access our company pages on social media/networks by other means than our website.

We would like to make it clear from the outset that we have no influence over which data is processed, how it is processed and how long it is stored. There is always the possibility that the providers of these platforms may store your data and use it for advertising purposes, market research and/or to tailor their services to your needs. You can find more details below in the information about the providers.

The following data is processed: 

  • cookie- or pixel-based data about your interactions with our company pages
  • your email address
  • your name
  • your contact details

The processing serves to present our company. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

Video playback

Our website displays videos that are embedded via plugins from video and streaming portals. Every time you access a subpage/page with a video clip, a direct connection to a server of the video portal is established. Further details can be found in the information about the providers.

The following data is processed:

  • cookie-based data about your interactions with the video subpages
  • information about which video you clicked on

The purpose of the processing is to display videos and optimise our website. The legal basis is Article 6(1)(a) GDPR.

External fonts

We display the texts on our website using external fonts. In doing so, data is transmitted to the providers of these directories in order to analyse and optimise the frequency of use and the success of certain fonts. As soon as you visit our website, your browser sends HTTP requests to the provider's server, whereby, among other things, the URL of the requested font is transmitted. This data is logged in order to determine the frequency of use and to create statistical reports. In addition, cookie-based data about your interactions (e.g. order of interactions, length of stay) is processed.

The purpose of this processing is to generate aggregated usage statistics on the popularity of fonts. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

Citizen participation

Under certain conditions, you can participate in one of our projects by using a registration form on our website. For this purpose, you will be redirected to the provider AUDITcapital GmbH, to whose data protection declaration we refer. In doing so, we receive all the data necessary to carry out your investment (contact details, information from investment contracts, billing data). The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Data processing for the assertion of rights

If you assert your rights under the GDPR or other legal provisions, we process your data to check these claims and, if applicable, fulfil them. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6(1) sentence 1 point (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.

Data storage/storage period

We store your data both during and after the end of the contract. This is where we inform you how long the data will be stored:

  • If you assert your rights under the GDPR, this will result in the creation of communication data (correspondence by email, post, etc.). We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. We do this in order to protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 (f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations for administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 GDPR).
  • If you assert other, non-GDPR rights, communication data will also be created, which we will store for three years. This period begins on 31 December of the calendar year in which we respond to your request. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(1)(f) of the GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)).
  • When you consent to data processing,
    - we store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs earlier. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The three-year period is based on the statutes of limitation for claims for damages (Sections 195 and 199 (1) of the German Civil Code (BGB)) and, in addition, on the statutes of limitation under the law governing administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 of the GDPR).
    - we store the data that we process based on your consent until you withdraw your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) of the GDPR.

Deletion of data

We will delete your data as soon as the above-mentioned retention periods have ended. In doing so, we are complying with a legal obligation (Article 5 (1) (a), (e) GDPR). The legal basis is Article 6 (1) sentence 1 (c) GDPR.

Recipient

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

  • Hosting provider
  • Providers of cookie consent tools
  • Social networks
  • Software hosting company
  • Video conferencing system providers
  • law firms specialising in legal, tax and auditing services 
  • Project management tools,
  • Providers of whistleblower platforms,
  • Provider of accounting solutions
  • Providers of Microsoft assistance tools
  • Translation tool vendor

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

  • Google: Various applications from Google Ireland Ltd. (Ireland - EU) are used, which were commissioned in accordance with Article 28 of the GDPR.  A transfer of data to a third country (in this case to Google LLC in the USA) that cannot be ruled out is justified under Article 45 of the GDPR. The following Google tools are used:
    - We use Google Analytics. Google generally processes IP addresses only within the European Union or the signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a provider server in the United States and shortened there. To the best of our knowledge, the transmitted IP address is not merged with other data. We also use Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID.
    - We use Google Remarketing and Google Ads. This is how it works: when you interact with us online, for example by visiting our website, you can be identified as a suitable recipient of advertisements (so-called ‘ads’) through the use of cookies (so-called ad server cookies). These cookies also help us measure and evaluate the success of an advertising campaign. If you then visit Google pages (YouTube, Google search engine, etc.), you will be recognised by these cookies and our ‘ads’ will be displayed to you (so-called ‘remarketing’). This happens when your browser automatically establishes a direct connection to the Google server. The ads are then delivered via Google Ad Servers. The ad server cookies used are generally valid for 30 days and are not used for personal identification. Typically, the following analysis values are stored: a unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) and opt-out information (indication that you do not wish to receive any further ads).
    - You can restrict or prevent tracking, for example (a) by making the appropriate settings in your browser software (in particular, blocking third-party cookies prevents you from receiving advertisements) or (b) by disabling cookies for conversion tracking by setting your browser to block cookies from the provider's domain. However, this setting will be deleted if you delete the cookies in your browser.
    - The purpose of this processing is to present our company, to analyse user behaviour in relation to interaction with our website and to communicate with you via social media, including for advertising purposes if applicable.
    - We use Google Tag Manager. This is how it works: the tool enables us to integrate various codes and services into our website in a structured and simplified way. The tool implements tags or triggers the integrated tags. When a tag is triggered, Google may also process personal data under certain circumstances.
    - We use DoubleClick. This is how it works: DoubleClick uses cookies to show you relevant adverts, to improve reports on campaign performance and to prevent you from seeing the same adverts multiple times. Google uses a cookie ID to record which adverts were shown in which browser in order to avoid showing the same advert twice. It also allows cookie IDs to be used to record conversions that are associated with advertising requests. This is the case, for example, if you see a DoubleClick ad and later visit our company's website using the same browser and make a purchase there. Through the marketing tools used, your browser automatically establishes a direct connection with the Google server. Through the integration of DoubleClick, Google receives the information that you have accessed the corresponding part of our website or clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your respective account. Even if you are not registered or logged in, it is possible that Google will collect and store your IP address.
    - My Fonts Counter: The analysis tool ‘My Fonts Counter’ from My Fonts Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR.  A transfer of data to a third country (in this case to Google LLC in the USA) that cannot be ruled out is justified under Article 45 of the GDPR.
  • Vimeo:  The video playback tool ‘Vimeo’ from Vimeo, LLC (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR.  The transfer of data to a third country (in this case, the USA) cannot be ruled out. This is justified for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR. The controller uses this video portal as follows:  Operating your own channel, publishing media recordings. The terms used here are explained in the glossary at the end of the declaration.
  • X (formerly Twitter): The social network ‘X’ from Twitter International Company (Ireland - EU) is used. Further details on the processing methods of this provider can be found here: https://twitter.com/de/privacy. A transfer of data to a third country (here the USA) that cannot be ruled out is justified under Article 46 of the GDPR.   The controller uses this social network as follows: to operate a company page. The terms used here are explained in the glossary at the end of the declaration.
  • LinkedIn: The social network ‘LinkedIn’ from LinkedIn Ireland Unlimited Company (Ireland - EU) is used.  A transfer of data to a third country (here the USA) that cannot be ruled out is justified under Article 46 of the GDPR.  The controller uses this social network as follows: to operate a company page. The terms used here are explained in the glossary at the end of the declaration.
  • Cloudflare: The content delivery network (CDN) ‘Cloudflare’ from Cloudflare, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR.  A transfer of data to a third country (in this case, the USA) that cannot be ruled out is justified under Article 45 of the GDPR.

Entering the premises

When you visit the above-mentioned property, we collect the following data when you enter: name, reason for visit, date, time of entry and exit, and any additional voluntary information. The processing of this data serves both to protect you (for example, to be able to determine in the event of a fire whether you are still in the building) and to protect the right of access to the building, property and possessions, as well as access control. The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from the stated purposes.

Data processing in the event of the assertion of rights

If you assert your rights under the GDPR or other legal provisions, we process your data to check these claims and, if applicable, fulfil them. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6(1) sentence 1 point (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.

Data storage/storage period

We store your data both during and after the end of the contract. This is where we inform you how long the data will be stored:

  • If you assert your rights under the GDPR, this will result in the creation of communication data (correspondence by email, post, etc.). We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. We do this in order to protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 (f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations for administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 GDPR).
  • If you assert other, non-GDPR rights, communication data will also be created, which we will store for three years. This period begins on 31 December of the calendar year in which we respond to your request. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(1)(f) of the GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)).
  • When you consent to data processing,
    - we store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs earlier. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The three-year period is based on the statutes of limitation for claims for damages (Sections 195 and 199 (1) of the German Civil Code (BGB)) and, in addition, on the statutes of limitation under the law governing administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 of the GDPR).
    - we store the data that we process based on your consent until you withdraw your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) of the GDPR.

Deletion of data

We will delete your data as soon as the above-mentioned retention periods have ended. In doing so, we are complying with a legal obligation (Article 5 (1) (a), (e) GDPR). The legal basis is Article 6 (1) sentence 1 (c) GDPR.

Recipient

Recipient within the European Union Within the European Union, your data will be processed by companies (recipients) in the following categories:

  • Supplier of room management systems

Initial contact in the application process

During the application process, we receive and check your application documents. This involves all the data you disclose. In the event of continued interest, this will be followed by an interview, whereby data (contact details, usually name, telephone number, e-mail address) will be collected, stored and used to arrange an appointment. In the event of continued interest, we will make you an offer of employment, whereby the contact data (usually name, telephone number, e-mail address) and the data from the employment contract (usually activity, holiday periods, salary) will be processed. In each of the aforementioned processing steps, it is also possible that a cancellation will be made. The purpose of the aforementioned processing operations is to carry out the application procedure. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Active recruitment

Before the application process, we research data about potential employees; this is done using generally accessible sources. We contact you. In doing so, we process the data required for establishing contact (e.g. name, address, email address) as well as job-specific data about your qualifications (e.g. degrees, certificates, etc.). The purpose of the aforementioned processing operations is to initiate the application process. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Requesting certificates and references

We request special certificates and qualifications that are essential for the job. In doing so, we process the data that appears in the certificates and other documents that arise in the process. The purpose of the aforementioned processing operations is to initiate the application process and, at a later stage, to carry out the employment relationship. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Conducting a trial workday

You will complete a trial workday and we will note our findings, which we will then use to decide on your application. In doing so, we process the data required for establishing contact (e.g. name, address, email address) as well as any notes taken during the trial working day. The purpose of the aforementioned processing operations is to initiate the application process. The legal basis is Article 6(1)(b) GDPR.

Video conferencing

(1) We enable you to communicate via video conference. (2) If you decide to use the video conference, we will obtain the necessary consent. For this purpose, we process the name, time and status of the consent. The purpose of this is to fulfil a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR. (3) We conduct conversations via video conference. In doing so, we process the image and sound data that is generated, as well as any transcripts. The purpose of this is to communicate with you in relation to the contract. The legal basis for this is Article 6(1)(a) GDPR. This is not precluded by the prohibition under Article 9(1) GDPR, as the exception under Article 9(2)(a) GDPR applies here.

Involvement of tax consultancy firm

We forward tax-related data concerning you (e.g. offers, order confirmations, contracts, invoices, account statements, etc.) to an external tax consultancy firm. In doing so, we process your name and all data resulting from invoices and incoming payments. We therefore seek support with accounting and other tax-related matters. The legal basis for this is Article 6 (1) sentence 1 point (f) GDPR, whereby our legitimate interest follows from the stated purpose. Insofar as the external tax consultancy processes this data, it is not a matter of order processing (see DSK short paper 13), but of a data transfer that is justified by Article 6 (1) sentence 1 point (f) GDPR.

Implementation of the employment relationship

During the active employment relationship, all access and/or communication data in connection with the fulfilment of the employment contract (e.g. e-mails) are processed. The purpose of the aforementioned processing operations is to carry out the employment relationship. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Recording of driving licence data

If you receive a company car from us in order to fulfil your employment obligations, we will collect your driving licence data in advance with the help of an external provider where you can digitally register your driving licence. All driving licence data is processed here. The purpose of this is to fulfil our duty to maintain safety and our obligations to insurers, namely to ensure that you are authorised to drive a company car. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest arises from the aforementioned purposes.

Employee benefits (with legitimate interest)

(1) In some selected cases, we offer you the opportunity to take advantage of employee benefits. (2) We transmit the contact data required for granting the benefits to external third-party providers (usually name, address, information that you are employed by us). The purpose is to grant benefits; this is to retain employees and to increase the attractiveness of the employer. The legal basis is Article 6(1)(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. Whether and, if so, which benefits are granted is the subject of an agreement under labour law, which may still have to be made in the abstract from this data protection information. No claim arises for you merely from the fact that this possibility is mentioned.

Handover of keys (including logging)

In some cases, you will receive keys and/or chip cards for access to operating rooms, whereby the handover is recorded. In doing so, we process the following data: name, status of the assignment of the above-mentioned objects. The purpose of the aforementioned processing operations is to fulfil a data protection obligation, namely that of taking sufficient organisational security measures. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 32 GDPR.

Provision of access data (including logging)

In some cases, you will receive access data for company software and hardware, whereby both this access data and the assignment to you are recorded and stored. The allocation itself is also logged. We process the following data for this purpose: name, access data, status of the allocation of access data. The purpose of the aforementioned processing operations is to fulfil a data protection obligation, namely to take sufficient organisational security measures. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 32 GDPR.

Handover of operating devices (including logging)

In some cases, you will receive company hardware, and the handover will be recorded. In doing so, we process the following data: name, status of the allocation of the hardware. The purpose of the aforementioned processing operations is the internal organisation of the services owed under the employment contract. The legal basis is Article 6 paragraph 1 sentence 1 lit. f DSGVO, whereby the legitimate interest follows from the above-mentioned purpose.

Mental Health Coaching

(1) We enable you to participate in mental health coaching in a few selected cases. (2) If you decide to do so, we will obtain the necessary consent. For this purpose, we process the name, time and status of the consent. The purpose is to fulfil a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c DSGVO in conjunction with Article 7 paragraph 1 DSGVO. (3) We ourselves do not process any data regarding participation in coaching and/or content, but only receive a bill. The legal basis is Article 6 (1) sentence 1 lit. a GDPR.

Changes in data processing

If we change the processing, in particular if we use new recipients, we will inform you of the change by email; we will do this by sending you the updated data protection information by email. The purpose of this is to fulfil the transparency obligations under the GDPR (Articles 12 to 14 GDPR). The legal basis is Article 6(1), sentence 1, point (c) GDPR.

Assertion of rights

If you assert your rights under the GDPR or other legal provisions, we process the data in order to check these claims and, if necessary, to fulfil them. The purpose is to fulfil a legal obligation. The legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the standard from which the legal obligation arises.

Conflicts in the employment relationship

In the event of a legal or labour dispute between you and us, the data will be processed in order to provide appropriate explanations and, if necessary, to obtain external legal advice. The following data is processed in this context: name, contact details, all matters related to the labour dispute. The processing serves to obtain external labour law advice/support and to exercise our own rights. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the aforementioned purposes. Insofar as data is processed externally, this does not constitute order processing (see DSK-Kurzpapier 13), but rather a data transfer, which in turn is justified by Article 6 (1) sentence 1 lit. f GDPR. It is therefore a case of other outsourcing.

Receiving and processing whistleblower reports

We offer you the opportunity to contact us as a whistleblower. We take note of and process incoming whistleblower reports from employees. Personal data is only processed if the report is not submitted anonymously. This data includes the following: name(s), content of the report. The purpose of the processing is to fulfil a legal obligation under §§ 12ff. HinSchG. The legal basis is Article 6 paragraph 1 sentence 1 lit. c DSGVO.

Production of media recordings

(1) We enable you to have media recordings (photo, film, sound) made in a few selected cases. (2) If you decide to do so, we will obtain the necessary consent. For this purpose, we process the name, time and status of the consent. The purpose is to fulfil a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c DSGVO in conjunction with Article 7 paragraph 1 DSGVO. (3) Media recordings will be made of you and, insofar as consent extends, published in some cases to be determined by us. In doing so, we process image, film and sound data. The purpose of this is to present our company to the public. The legal basis for this is Article 6 (1) sentence 1 lit. a GDPR. This is not precluded by the prohibition under Article 9 (1) GDPR, as the exception under Article 9 (2) lit a GDPR applies here.

Fulfilment of further legal obligations

In the employment relationship, data is processed to fulfil further legal obligations not yet mentioned here. These include the following situations:

  • Processing of all data on participation in training and instruction, including in particular first-aid training (Section 14 of the German Social Security Code (SGB) VII in conjunction with DGUV Regulation 1), conducting data protection training for employees (Article 32 GDPR), training for EuP (Section 14 SGB VII in conjunction with DGUV Regulation 3), driver safety training (Section 3 ArbSichV), fire extinguishing training (Section 14 SGB VII in conjunction with DGUV Regulation 1), IT training (BSI Kritisverordnung, Article 32 DSGVO). The following data is processed: name, company contact details, communication data, status and, if applicable, time of participation (day, time).
  • Processing of all data when ordering hardware or software that must be provided for occupational safety reasons, e.g. computer glasses (Section 3 ArbSchG). The following data is processed: name, company contact details, communication data, proof of the necessity of the hardware or software, time of order, time of delivery, time of commissioning, costs.
  • Processing of all data when keeping an accident book, in particular, keeping the completed accident book pages (Section 14 SGB VII in conjunction with DGUV Regulation 1, Section 24 (6)). The following data is processed: name, company contact details, communication data, data on all first-aid incidents, in particular the type of incident, time, measures, identity of the employees/persons providing assistance and affected.
  • Processing of all data collected in the course of occupational medical examinations (Section 3 ArbSchG). The following data is processed: name, company contact details, communication data, time of appointment, status of appointment.
  • Processing of all data collected in the course of occupational ophthalmological examinations (Section 3 ArbSchG). The following data is processed: name, company contact details, communication data, time of appointment, status of appointment.
  • Other training courses for which training obligations currently or in the future exist. The following data is processed here: name, company contact data, communication data.

All processing steps serve to fulfil the legal obligations mentioned in the respective parentheses. The legal basis is Article 6 paragraph 1 sentence 1 lit. c DSGVO in conjunction with the standards mentioned in the respective parenthesis.

Fulfilment of further contractual obligations

In the employment relationship, data is processed for the purpose of implementing the employment relationship. This includes, in particular, but not exclusively, the following situations:

  • The filing of planning documents and the documentation with station suppliers are recorded, stored and further used. The following data is processed in this context: name, company contact details, communication data, status and time of entry, identity of the employee making the entry.
  • The documentation of the filing of planning documents and the documentation with the substation installer are recorded, stored and further used. The following data is processed here: name, company contact data, communication data, status and time of entry, identity of the employee making the entry.
  • Absences due to parental leave, illness, holiday, special leave, educational leave, unpaid leave are recorded, stored and further used. The following data is processed: name, company contact details, communication data, period, reason, evidence for the reason for the absence.
  • In the case of procurements/purchases, including the ordering of work clothes, that affect you, the following data is collected, stored and used: name, company contact details, communication data, clothing size, assignment of work clothes, condition of work clothes.
  • Internal communication takes place regarding the management of work clothing. The following data is processed: name, company contact details, communication data, clothing size, assignment of work clothing, condition of work clothing.
  • In certain cases, electronic signatures are obtained. The following data is processed: name, company contact details, communication data, signature image, signature time, content of the signed document.
  • Hotel reservations are made and documented for you. The following data is processed for this purpose: name, company contact details, communication data, business trip status, business trip period, business trip costs.
  • The assumption of other travel expenses for business trips is recorded, stored and used. The following data is processed for this purpose: name, company contact details, communication data, business trip status, business trip period, business trip costs.

All processing steps serve the purpose of internal communication and the fulfilment of contractual obligations. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Storage of data/storage period

We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

  • Internal records (e.g. annual financial statements, accounting vouchers) are to be kept for 10 years, starting on 31 December of the calendar year in which the respective document was created. The processing serves to fulfil a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with Section 147 AO, Section 257 HGB.
  • Data from business correspondence (e.g. customer letters) and other tax-relevant documents must be kept for six years, starting on 31 December of the calendar year in which the respective document was created. The processing serves to fulfil a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with § 147 AO, § 257 HGB.
  • Data from the documentation of working hours must be kept for two years, starting on 31 December of the calendar year in which the respective document was created. The processing serves to fulfil a legal obligation and is based on Article 6(1), sentence 1, point (c) of the GDPR in conjunction with Section 16 of the German Working Hours Act (ArbZG) and Section 17 of the German Minimum Wage Act (MiLoG).
  • Data from the payroll account must be kept for six years, starting on 31 December of the calendar year in which the last recorded wage payment is made. The processing serves to fulfil a legal obligation and is based on Article 6(1)(1)(c) GDPR in conjunction with Section 41 of the German Income Tax Act (EStG).
  • Data concerning health insurance status and sick leave are stored for five years. The processing serves to fulfil a legal obligation and is based on Article 6(1) sentence 1 point (c) GDPR in conjunction with Section 198 of the German Social Code, Book V (SGB V) and Section 165 of the German Social Code, Book VII (SGB VII).
  • Data that arises when you assert data protection claims is stored for three years, starting on 31 December of the calendar year in which we responded to it. The processing serves to protect the interest in defending against claims and is based on Article 6(1)(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statutes of limitation for claims for damages (Sections 195, 199 (1) BGB) and, in addition, from the statutes of limitation of the law relating to administrative offences (Section 31 (2) no. 1 OWiG in conjunction with Article 83 GDPR).
  • Data that arises when you assert other claims is stored for three years, starting on 31 December of the calendar year in which we responded to it. The processing serves to safeguard the interest in defending against claims and is based on Article 6(1)(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statute of limitations for claims for damages (Sections 195, 199 (1) BGB).
  • Data based on consent must be stored until consent is withdrawn or until the purpose associated with the processing no longer applies, whichever occurs earlier. The storage serves the purpose associated with the consent and is based on Article 6(1)(a) GDPR.
  • Data that proves that consent has been granted must be kept for three years, starting from the date of consent withdrawal or the date the purpose ceases to exist, depending on which occurs earlier. The processing serves to safeguard the interest in defending against claims and is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest follows from the aforementioned purpose. The duration of the legitimate interest follows from the statute of limitations of the law governing administrative offences (Section 31 (2) (1) OWiG in conjunction with Article 83 GDPR).
  • Data from an application is stored for 6 months, starting with the period of receipt of the rejection. The processing serves to safeguard the interest in defending against claims arising from the AGG and is based on Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the time limit in Section 15 (4) UWG plus the time after which the receipt of a complaint can no longer be expected.

Deletion of data

After the retention periods have expired, the data will be deleted. The deletion is intended to fulfil a legal obligation and is based on Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 5 paragraph 1 lit. a, e GDPR.

Recipients

The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

  • providers of backup tools
  • software hosting companies,
  • providers of video conferencing systems and remote working tools,
  • law firms, tax and auditing firms,
  • providers of password management systems,
  • project management tools,
  • providers of whistleblower platforms,
  • providers of compliance and training solutions,
  • providers of (payroll) accounting solutions,
  • providers of Microsoft assistance tools,
  • providers of translation tools,
  • providers of the provision and administration of work equipment (e.g. work clothes),
  • providers of HR systems,
  • providers of employee benefits,
  • providers of security and monitoring services.
  • Providers of social networks (for recruiting purposes)

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

  • Microsoft: Various applications are used by Microsoft Corporation (USA), which was commissioned in accordance with Article 28 of the GDPR, namely: Microsoft365-Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 45 of the GDPR.
  • New Relic: The website monitoring tool ‘New Relic’ from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.
  • Lacework: The IT security tool ‘Lacework’ from Lacework, Inc. (USA) is used. A transfer of data to a third country (here the USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.
  • ShareFile: The IT tool ‘ShareFile’ from Citrix Systems Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here: USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.
  • Monday.com: The collaboration tool Monday.com from Monday.com Ltd. (Israel) is used. A transfer of data to a third country (here: Israel) that cannot be ruled out is justified in accordance with Article 45 GDPR.
  • Atlassian: The project management tool from Atlassian Pty Ltd (Australia) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case Australia) cannot be ruled out, but this is justified in accordance with Article 46 of the GDPR.
  • Autodesk: The project management tool ‘Autodesk’ from Autodesk, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case the USA) cannot be ruled out for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.
  • Adobe: In connection with the use and creation of documents, software offers from Adobe Systems Software Ireland Limited (Ireland - EU) are used, which were commissioned in accordance with Article 28 of the GDPR. A non-excludable transfer of data to a third country (here to Adobe Inc., USA) is justified for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.
  • LinkedIn (social network): The social network LinkedIn, operated by LinkedIn Ireland Unlimited Company (Ireland – EU), is used. However, it cannot be ruled out that data may be transferred to or incorporated by the parent company, LinkedIn Corporation (USA). A transfer of data to a third country (in this case, the USA) cannot be ruled out, but is justified under Article 46 of the GDPR. The following tools are used: LinkedIn (company page), LinkedIn (recruiting)
  • Dropbox: The cloud service ‘Dropbox’ from Dropbox, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 45 of the GDPR.