Data Privacy Policy

Thank you for visiting our website. In this Policy, we would like to inform you about how we handle your data in accordance with Art. 13 of the General Data Protection Regulation (GDPR).

Controller

The Controller for the data processing operations described below is the office named in the imprint.

USAGE Data

When you visit our website, our web server temporarily evaluates usage data for statistical purposes in order to improve the quality of our website. This data consists of the following data categories:

• the name and address of the requested content,
• the date and time of the query,
• of the transferred data volume,
• the access status (content transferred, content not found),
• the description of the used web browser and operating system,
• the referral link, which indicates from which page you reached ours,
• the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established.

The aforementioned protocol data is only evaluated anonymously.

Data Security

In order to protect your data from unwanted access as comprehensively as possible, we take technical and organisational measures. We use an encryption process on our websites. Your data is transferred from your computer to our server and vice versa via the internet using TLS encryption. You can usually recognise this by the fact that the lock symbol in the status bar of your browser is closed and the address line begins with https://.

Necessary Cookies

On our website, we use cookies which are necessary in order for the site to function.

Cookies are small text files that can be placed on your computer or mobile device by websites that you visit. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.

We do not use these necessary cookies for analysis, tracking or advertising purposes.

In some cases, these cookies only contain information on certain settings and cannot be linked to a person. They may also be necessary to enable user guidance, security and implementation of the site.

The legal basis for using these cookies is our legitimate interest according to Art. 6 (1) (f) GDPR.

You can set your browser to inform you about the placement of cookies. This is in order to make the use of cookies transparent for you.

You can also delete cookies or prevent the setting of new cookies at any time by using the appropriate browser settings.

Please note that if you delete certain cookies, our web pages may not be displayed correctly and some functions may no longer be available.

DECLARATION OF CONSENT

We use a consent management platform (consent or cookie banner) on our websites. The processing in connection with the use of the consent management platform as well as the logging of the settings you have made is carried out on the basis of Art. 6 (1) sentence 1 lit. f DSGVO, in our legitimate interest to play out our content according to your preferences and to be able to prove the consent(s) you have given. The settings you have made, the consent you have given with them and parts of your usage data are stored in a cookie. This means that the cookie is retained for subsequent page requests and your consent can still be traced. You can find more information on this under the section “Required cookies”.

The provider of the consent management platform works for us as a strictly instruction-bound service provider (order processor). An order processing contract in accordance with Art. 28 DSGVO has been agreed.

Google Analytics

We use the web analysis tool “Google Analytics”. Google Analytics creates user profiles based on pseudonyms. For this purpose, permanent cookies are stored on your end device and read by us. In this way, we are able to recognize returning visitors and count them as such.

As part of the Google Analytics service, Google Ireland Limited supports us as a processor in accordance with Art. 28 GDPR. Data processing may also be carried out by Google outside the EU or the EEA (in particular in the USA). With regard to Google, no adequate level of data protection can be assumed due to processing in the USA. There is a risk that authorities may access the data for security and surveillance purposes without you being informed or having the right to appeal. Please bear this in mind if you decide to give your consent to our use of Google Analytics.

Data processing is based on your consent, provided that you have given your consent via our banner. The transfer to a third country takes place on the basis of Art. 49 para. 1 lit. a GDPR.

You can withdraw your consent at any time. Please make the appropriate settings via our banner.

Contact form

You may contact us via our contact form. In order to use our contact form, we will require you to provide the data marked as mandatory.

The legal basis for this processing is Art. 6 (1) (f) GDPR, being our legitimate interest to respond to your request.

Your data will only be used to process your request.  We delete your data if they are no longer required and there are no legal obligations to retain them.

Where the processing of your data is based on legitimate interest in accordance with Art. 6 (1) (f) GDPR, you have the right to object to that processing at any time. To do so, please use the email address provided in the imprint.

Embedded videos

On our websites, we embed videos that are not hosted on our servers. In order to ensure that accessing our websites containing embedded videos does not automatically lead to the download of third-party content, we only show locally hosted preview images of the videos as a first step. As a result, the third-party provider does not receive any information.

Only after you click on the preview image, is content from the third-party provider downloaded. This provides the third party with information that you have accessed our site and with the usage data technically required for this purpose. Furthermore, the third party provider is then able to implement tracking technologies. We have no influence on the further data processing by the third-party provider. By clicking on the preview image, you give us your consent to download content from the third-party provider.

The embedding is based on your consent if you have given your consent by clicking on the preview image. Please note that the embedding of many videos leads to your data being processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without informing you or allowing you to take legal action. Where we use providers in third countries without an adequate level of protection and you give your consent, the transfer to this third country is based on Art. 49 (1) (a) GDPR.

Storage period

Unless otherwise specified, we will delete your personal data if they are no longer required for the relevant processing purposes and no legal retention obligations oppose deletion.

Data Processors

We transfer your data to service providers who support us in the operation of our websites and related processes. These service providers are usually data processors within the meaning of Art. 28 GDPR. Our service providers are strictly bound by contracts and our instructions.

Any processors who may not have been previously disclosed are listed below. If data is transferred outside the EU or the EEA, we will also provide information on the adequate level of data protection.

Whistleblowing Reporting

As part of our compliance management system, we have set up a whistleblower hotline. You have the opportunity to submit information on matters that are subject to the Whistleblower Protection Act (HinSchG) or that we otherwise have a legitimate interest in knowing about.

We have commissioned the law firm Heuking Kühn Lüer Wojtek as an outsourced internal reporting centre to receive and review such reports.

Reports to the outsourced internal reporting office can be submitted via the web form, by telephone, by e-mail, by post or in person.

Reports to the outsourced internal reporting centre can be made anonymously.

Use of the outsourced internal reporting centre is voluntary.

When you submit a report to the outsourced internal reporting centre, it collects the information you provide. This includes your personal data, if you disclose it, and usually the names and other personal data of the persons you name in your report. Further details on how the outsourced internal reporting centre handles your personal data can be found in the privacy policy of the outsourced internal reporting centre.

a) Categories of personal data that we process

We receive a report from the outsourced internal reporting centre once it has reviewed the report, which may contain the following personal data

• Names and other personal data of the whistleblower only if the whistleblower does not wish to remain anonymous and agrees to disclose it to us;
• Names and other personal data resulting from the report of the persons named in the report

In the course of further clarification of the reported facts and further processing, further personal data may be collected and processed by us.

b) Purposes of data processing, legal basis

The processing of the data transmitted to us by the outsourced internal reporting office serves to process and manage information on compliance violations, violations of legal regulations and violations in connection with our business operations by employees, customers, suppliers and other third parties.

The legal basis for the processing of your personal data as a whistleblower is your consent (Art. 6 para. 1 sentence 1 lit. a GDPR), provided that you disclose your identity and agree to your name being passed on to us by the outsourced internal reporting centre.

Insofar as facts are concerned that are subject to the Whistleblower Protection Act (HinSchG), Section 10 HinschG is the legal basis for the processing of the personal data of you as the whistleblower and of the persons affected by the whistleblowing.

Outside the scope of the HinschG, the legal basis for processing the personal data of you and the persons affected by the report is our legitimate interest in the detection and prevention of legal violations and misconduct (Art. 6 para. 1 sentence 1 lit. f GDPR). We have a legitimate interest in detecting and preventing breaches of the law and misconduct if we are legally obliged to do so in certain areas. In addition, such violations can not only cause considerable economic damage, but also lead to a considerable loss of reputation.

If the person concerned is one of our employees, the legal basis for the processing in the course of processing or further investigation of the reported facts is also Section 26 para. 1 sentence 1 BDSG (processing for the purposes of the employment relationship) or Section 26 para. 1 sentence 2 BDSG (processing for the detection of criminal offences) and, if applicable, our legitimate interest described above (Art. 6 para. 1 sentence 1 lit. f GDPR).

c) Disclosure to third parties

The confidential treatment of all reports and data by the Reporting Centre is ensured at all times and in every processing step. This applies in particular to the personal data of the person making the report and the persons affected by the report. Only individual, previously defined, authorised persons who are committed to confidentiality have access to incoming reports and information about the processing of the report or follow-up measures.

If the report concerns another company in our group of companies, we will pass on the contents of the report and the results of the further clarification of the facts to this company in our group of companies.

We may pass on the contents of the report and the results of the further clarification of the reported facts to courts, authorities and other public bodies. This may be the case if we are legally obliged to disclose the data or if it is necessary for the assertion, exercise or defence of legal claims.

In the course of clarification measures and in the assertion, exercise or defence of legal claims, we may also rely on the support of law firms or auditing companies.

In addition, we may involve (technical) service providers in the clarification and processing of the reported facts, who work for us as processors within the meaning of Art. 28 GDPR and are bound by instructions on the basis of corresponding agreements. They may also become aware of the content of the whistleblower report, but are obliged to handle the data concerned confidentially.

Personal data of the whistleblower and the data subject may come to the attention of authorities, courts or third parties in exceptional situations despite the confidentiality obligation. This is the case if the disclosure of this information is mandatory for us, for example as part of an official investigation (e.g. as part of an investigation procedure) or if this is necessary for the assertion, exercise or defence of legal claims. In addition, under certain circumstances, the reported information must also be disclosed by us to the persons affected by the report.

d) Duration of data storage

The personal data will be stored for as long as is necessary for the clarification of the report and any subsequent measures, or for as long as we have a legitimate interest in doing so, or for as long as is required by law. Thereafter, the data will be deleted in accordance with legal requirements.

Your rights as a data subject

When processing your personal data, the GDPR grants you certain rights as a data subject:​​

Right of access by the data subject (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you are being processed; if this is the case, you have the right to be informed of this personal data and to receive the information specified in Art. 15 GDPR.

Right to rectification (Art. 16 GDPR)

You have the right to rectification of inaccurate personal data concerning you and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement without delay.

Right to erasure (Art. 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay if one of the reasons listed in Art. 17 GDPR applies.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have objected to the processing, for the duration of our examination.

Right to data portability (Art. 20 GDPR)

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, or to request that this data be transferred to a third party.

Right to withdraw consent (Art. 7 GDPR)

If the processing of data is based on your consent, you are entitled to withdraw your consent to the use of your personal data at any time in accordance with Art. 7 (3) GDPR. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected.

Right to object (Art. 21 GDPR)

If data is collected on the basis of Art. 6 (1) 1 f GDPR (data processing for the purpose of our legitimate interests) or on the basis of Art. 6 (1) 1 e GDPR (data processing for the purpose of protecting public interests or in the exercise of official authority), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or if data is still needed for the establishment, exercise or defence of legal claims.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. This right may be asserted in particular with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the suspected infringement.

Asserting your rights

Unless otherwise described above, please contact us to assert your rights. You will find our contact details in our imprint.

Contact details of the data protection officer

Our external data protection officer is available to provide further information on data protection.

datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen

Web: www.dsn-group.de
E-Mail: office@datenschutz-nord.de

When contacting our data protection officer, please specify the name of the company, stated in our imprint.