Data Privacy Policy

Thank you for visiting our website. In this Policy, we would like to inform you about how we handle your data in accordance with Art. 13 of the General Data Protection Regulation (GDPR).

Controller

The Controller for the data processing operations described below is the office named in the imprint.

Usage Data

When you visit our website, our web server temporarily evaluates usage data for statistical purposes in order to improve the quality of our website. This data consists of the following data categories:

  • the name and address of the requested content,
  • the date and time of the query,
  • the transferred data volume,
  • the access status (content transferred, content not found),
  • the description of the used web browser and operating system,
  • the referral link, which indicates from which page you reached ours,
  • the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established.

The aforementioned protocol data is only evaluated anonymously.

Data Security

In order to protect your data from unwanted access as comprehensively as possible, we take technical and organisational measures. We use an encryption process on our websites. Your data is transferred from your computer to our server and vice versa via the internet using TLS encryption. You can usually recognise this by the fact that the lock symbol in the status bar of your browser is closed and the address line begins with https://.

Necessary Cookies

On our website, we use cookies which are necessary in order for the site to function.

Cookies are small text files that can be placed on your computer or mobile device by websites that you visit. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.

We do not use these necessary cookies for analysis, tracking or advertising purposes.

In some cases, these cookies only contain information on certain settings and cannot be linked to a person. They may also be necessary to enable user guidance, security and implementation of the site.

The legal basis for using these cookies is our legitimate interest according to Art. 6 (1) (f) GDPR.

You can set your browser to inform you about the placement of cookies. This is in order to make the use of cookies transparent for you.

You can also delete cookies or prevent the setting of new cookies at any time by using the appropriate browser settings.

Please note that if you delete certain cookies, our web pages may not be displayed correctly and some functions may no longer be available.

Service Provider / Processor: Borelabs
Level of Data Protection: Processing within the EU/EEA
Withdrawal of Consent: If you wish to withdraw your consent, please click on the Consent Manager and adjust your settings via our banner.

Consent Banner

We use a consent management platform (consent or cookie banner) on our websites. The processing related to the use of the consent management platform and the logging of your selected settings is carried out on the basis of Art. 6 (1) sentence 1 lit. f GDPR. This is based on our legitimate interest in displaying our content according to your preferences and being able to provide proof of the consent(s) you have given. Your selected settings, the corresponding consent(s), and parts of your usage data are stored in a cookie. This ensures that your preferences are preserved for subsequent page requests and that your consents can be tracked.

The provider of the consent management platform acts as a strictly instructed service provider (data processor) on our behalf. A data processing agreement in accordance with Art. 28 GDPR has been concluded.

Google Analytics

To tailor our website to your needs, we use the web analytics tool “Google Analytics”. Google Analytics creates pseudonymous user profiles. Permanent cookies are stored on your device and read by us. This allows us to recognize returning visitors and count them as such.

In the context of Google Analytics, we are supported by Google Ireland Limited, acting as our data processor in accordance with Art. 28 GDPR. Data processing may also take place by Google outside the EU or EEA, particularly in the USA. In the case of Google, due to processing in the USA, an adequate level of data protection cannot be guaranteed. There is a risk that authorities may access your data for security and surveillance purposes without informing you or allowing you to seek legal remedies. Please take this into consideration when deciding whether to consent to the use of Google Analytics.

Data processing is based on your consent, provided you have given it via our banner. The transfer of data to a third country is carried out in accordance with Art. 49 (1) lit. a GDPR.

You may withdraw your consent at any time. Please adjust your settings via our banner.

Service Provider / Processor: Google
Level of Data Protection: For transfers to the USA, an adequate level of data protection is ensured based on the provider’s certification under the adequacy decision (EU-U.S. Data Privacy Framework).
Withdrawal of Consent: If you wish to withdraw your consent, please click on the Consent Manager and adjust the relevant setting via our banner.

Lead Forensics

We use Lead Forensics, a tool that captures company information to identify potential business contacts (leads). Lead Forensics uses your device’s IP address to retrieve publicly available information about the company associated with that IP address. No personal data is processed, as the service exclusively accesses company-related data. Processing is carried out on the basis of Art. 6 (1) lit. f GDPR.

For more information on data processing by Lead Forensics, please refer to their privacy policy at: Cookie Policy | Lead Forensics cookie usage and regulations.

Data processing is based on your consent, provided you have given it via our banner.

Service Provider / Processor: Lead Forensics
Level of Data Protection: For transfers to the USA, an adequate level of data protection is ensured based on the provider’s certification under the adequacy decision (EU-U.S. Data Privacy Framework).
Withdrawal of Consent: If you wish to withdraw your consent, please click on the Consent Manager and adjust the relevant setting via our banner.

Application via Application Portal

You have the option to apply for the positions we have advertised or submit a speculative application via our online application portal. As part of the application process, we require the information marked as mandatory fields in our application form.

The legal basis for processing this data is Section 26 (1) Sentence 1 of the German Federal Data Protection Act (BDSG), as the data is necessary to make a decision on establishing an employment relationship. Your data will not be processed for any other purpose.

In addition, you may voluntarily choose to provide further information that is marked as optional in the application portal. Providing this information is not required for your application. If you voluntarily provide us with personal data, we process it on the basis of your consent, which you may withdraw at any time with future effect, in accordance with Article 6 (1) Sentence 1 (a) GDPR in conjunction with Section 26 (2) BDSG. To withdraw your consent, please contact the party listed in the legal notice.

We use rexx systems as a data processor for applicant management, with whom we have concluded a data processing agreement in accordance with Article 28 GDPR. Your data will not be shared beyond this.

If your application results in an employment contract, we will retain the data from your application that is necessary for the execution of the employment relationship. The legal basis for this is Section 26 (1) Sentence 1 BDSG. In the case of an unsuccessful application, your documents and personal data will be reduced to so-called core data after four months. This core data (e.g., location, country, type of submission) is used solely for internal statistical purposes and cannot be traced back to individuals. After an additional period, this data will also be completely deleted. The legal basis for this processing is Article 6 (1) Sentence 1 (f) GDPR. The processing until deletion is based on our legitimate interest in being able to defend ourselves against any legal claims related to the application process. We only process the personal data you provide as part of the application process.

This does not apply if you expressly consent to a longer storage of your data (talent pool). Based on your consent, your data will be stored for a period of two years in order to consider your application for other or future job openings. The legal basis for storing your application documents and contacting you in the event of a suitable position is Article 6 (1) (a) GDPR in conjunction with Section 26 (2) BDSG. You may withdraw your consent at any time with future effect. To do so, please contact the party listed in the imprint.

Service Provider / Processor: rexx Systems
Purpose: Applicant Management
Level of Data Protection: Processing within the EU/EEA

Embedded Videos

We embed videos on our website that are not hosted on our own servers. To ensure that simply visiting our webpages with embedded videos does not automatically trigger the loading of third-party content, we initially display only locally stored preview images. This prevents the third-party provider from receiving any information upon page load.

Only when you click on the preview image will content from the third-party provider be loaded. As a result, the third party is informed that you have accessed our page and receives the technically necessary usage data. The third party may also implement tracking technologies at that point. We have no influence over any further data processing carried out by the third-party provider. By clicking on the preview image, you give us your consent to load content from the third party.

Embedding takes place based on your consent, provided via your click on the preview image. Please note that embedding many videos may result in your data being processed outside the EU or EEA (especially in the USA). In such cases, there is a risk that authorities may access your data for security and surveillance purposes without informing you or offering you legal recourse. If we use providers located in insecure third countries and you consent, the transfer to such a country is based on Article 49 (1) lit. a GDPR.

Storage Duration

Unless we have already provided specific information regarding the storage period, we delete personal data once it is no longer required for the purposes mentioned above and no legal retention obligations prevent deletion.

Other Data Processors

We pass on your data to service providers as part of a data processing agreement pursuant to Art. 28 GDPR. These service providers support us in operating our websites and related processes — for example, hosting providers. All service providers are strictly bound by our instructions and are contractually obligated accordingly.

Below, we list the data processors we work with, provided they have not already been mentioned in the sections above. If, in this context, data may be processed outside the EU or EEA, we will inform you accordingly in the following table.

Service Provider / Processor: Mittwald
Purpose: Webhosting and Support
Level of Data Protection: Processing only within EU/EEA

Whistleblowing Reporting

As part of our compliance management system, we have set up whistleblower reporting. You have the opportunity to submit information on matters that are subject to the Whistleblower Protection Act (HinSchG) or that we otherwise have a legitimate interest in knowing about. You can reach our reporting office here: Whistleblower Reporting – Weischer

We have commissioned the law firm Heuking Kühn Lüer Wojtek as an outsourced internal reporting centre to receive and review such reports.

Reports to the outsourced internal reporting office can be submitted via the web form, by telephone, by e-mail, by post or in person.

Reports to the outsourced internal reporting centre can be made anonymously.

Use of the outsourced internal reporting centre is voluntary.

When you submit a report to the outsourced internal reporting centre, it collects the information you provide. This includes your personal data, if you disclose it, and usually the names and other personal data of the persons you name in your report. Further details on how the outsourced internal reporting centre handles your personal data can be found in the privacy policy of the outsourced internal reporting centre.

a) Categories of personal data that we process

We receive a report from the outsourced internal reporting centre once it has reviewed the report, which may contain the following personal data:

  • Names and other personal data of the whistleblower only if the whistleblower does not wish to remain anonymous and agrees to disclose it to us;
  • Names and other personal data resulting from the report of the persons named in the report.

In the course of further clarification of the reported facts and further processing, further personal data may be collected and processed by us.

b) Purposes of data processing, legal basis

The processing of the data transmitted to us by the outsourced internal reporting office serves to process and manage information on compliance violations, violations of legal regulations and violations in connection with our business operations by employees, customers, suppliers and other third parties.

The legal basis for the processing of your personal data as a whistleblower is your consent (Art. 6 para. 1 sentence 1 lit. a GDPR), provided that you disclose your identity and agree to your name being passed on to us by the outsourced internal reporting centre.

Insofar as facts are concerned that are subject to the Whistleblower Protection Act (HinSchG), Section 10 HinSchG is the legal basis for the processing of the personal data of you as the whistleblower and of the persons affected by the whistleblowing.

Outside the scope of the HinSchG, the legal basis for processing the personal data of you and the persons affected by the report is our legitimate interest in the detection and prevention of legal violations and misconduct (Art. 6 para. 1 sentence 1 lit. f GDPR). We have a legitimate interest in detecting and preventing breaches of the law and misconduct if we are legally obliged to do so in certain areas. In addition, such violations can not only cause considerable economic damage, but also lead to a considerable loss of reputation.

If the person concerned is one of our employees, the legal basis for the processing in the course of processing or further investigation of the reported facts is also Section 26 para. 1 sentence 1 BDSG (processing for the purposes of the employment relationship) or Section 26 para. 1 sentence 2 BDSG (processing for the detection of criminal offences) and, if applicable, our legitimate interest described above (Art. 6 para. 1 sentence 1 lit. f GDPR).

c) Disclosure to third parties

The confidential treatment of all reports and data by the Reporting Centre is ensured at all times and in every processing step. This applies in particular to the personal data of the person making the report and the persons affected by the report. Only individual, previously defined, authorised persons who are committed to confidentiality have access to incoming reports and information about the processing of the report or follow-up measures.

If the report concerns another company in our group of companies, we will pass on the contents of the report and the results of the further clarification of the facts to this company in our group of companies.

We may pass on the contents of the report and the results of the further clarification of the reported facts to courts, authorities and other public bodies. This may be the case if we are legally obliged to disclose the data or if it is necessary for the assertion, exercise or defence of legal claims.

In the course of clarification measures and in the assertion, exercise or defence of legal claims, we may also rely on the support of law firms or auditing companies.

In addition, we may involve (technical) service providers in the clarification and processing of the reported facts, who work for us as processors within the meaning of Art. 28 GDPR and are bound by instructions on the basis of corresponding agreements. They may also become aware of the content of the whistleblower report, but are obliged to handle the data concerned confidentially.

Personal data of the whistleblower and the data subject may come to the attention of authorities, courts or third parties in exceptional situations despite the confidentiality obligation. This is the case if the disclosure of this information is mandatory for us, for example as part of an official investigation (e.g. as part of an investigation procedure) or if this is necessary for the assertion, exercise or defence of legal claims. In addition, under certain circumstances, the reported information must also be disclosed by us to the persons affected by the report.

d) Duration of data storage

The personal data will be stored for as long as is necessary for the clarification of the report and any subsequent measures, or for as long as we have a legitimate interest in doing so, or for as long as is required by law. Thereafter, the data will be deleted in accordance with legal requirements.

Your rights as a data subject

When processing your personal data, the GDPR grants you certain rights as a data subject:

Right of access by the data subject (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you are being processed; if this is the case, you have the right to be informed of this personal data and to receive the information specified in Art. 15 GDPR.

Right to rectification (Art. 16 GDPR)

You have the right to rectification of inaccurate personal data concerning you and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement without delay.

Right to erasure (Art. 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay if one of the reasons listed in Art. 17 GDPR applies.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have objected to the processing, for the duration of our examination.

Right to data portability (Art. 20 GDPR)

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, or to request that this data be transferred to a third party.

Right to withdraw consent (Art. 7 GDPR)

If the processing of data is based on your consent, you are entitled to withdraw your consent to the use of your personal data at any time in accordance with Art. 7 (3) GDPR. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected.

Right to object (Art. 21 GDPR)

If data is collected on the basis of Art. 6 (1) 1 f GDPR (data processing for the purpose of our legitimate interests) or on the basis of Art. 6 (1) 1 e GDPR (data processing for the purpose of protecting public interests or in the exercise of official authority), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or if data is still needed for the establishment, exercise or defence of legal claims.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. This right may be asserted in particular with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the suspected infringement.

Asserting your rights

Unless otherwise described above, please contact us to assert your rights. You will find our contact details in our imprint.

Contact details of the data protection officer

Our external data protection officer is available to provide further information on data protection.

datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen

Web: www.dsn-group.de
M: office@datenschutz-nord.de

When contacting our data protection officer, please specify the name of the company stated in our imprint.