Information duties according to Art. 12, 13 et seq. of the EU GDPR for business partners

Status 09/16/2019

Dear Madam,
Dear Sir,
Dear business partner,

Based on the legal provisions of the EU General Data Protection Regulation ("EU GDPR") we are obliged to provide you with comprehensive information relating to the processing of your personal data in the context of our contractual relationship, and we are pleased to do so.

Data protection and the handling of your personal data is very important to us, and we therefore always take care to ensure that we process your personal data in a correct manner.

Should you have any questions about your personal data and the processing of it, our Data Protection Officer will be happy to help you. He is not subject to any instructions, he undertakes his role independently, and he is legally obliged to maintain secrecy and confidentiality, so he is a trustworthy source of advice.

In relation to the processing of your personal data in the context of our contractual relationship, we wish to inform you of the following:


1.    Name and address of the controller

Your point of contact – the controller within the meaning of the EU General Data Protection Regulation ("EU GDPR") and other national data protection laws within the Member States and other data protection regulations – is:

Leitz GmbH & Co. KG
Leitzstraße 2
73447 Oberkochen

(hereinafter referred to as "we", "us" or "our")


2.    Name and address of the Data Protection Officer

Please send your written enquiry relating to the subject of data protection and data security in our company to: The Data Protection Officer, Leitz GmbH & Co. KG, Leitzstraße 2, 73447 Oberkochen, or to the following email address: datenschutz@leitz.org.

 

3.    General information about data processing

a.    Scope and purpose of the processing of personal data

In the context of our cooperation with business partners we process the personal data of contact partners, i.e. of customers, potential customers, distribution partners, suppliers and partners (each respectively referred to as a "business partner"):

  • contact information, e.g. first name(s) and surname, title and name prefixes/suffixes, business address, business telephone number, business mobile phone number, business fax number, and business email address,
  • payment data, such as information which is required for the processing of payment transactions,
  • further information the processing of which is required within the context of a project or the handling of a contractual relationship with us, or which is voluntarily provided by business partners,
  • personal data which is gathered from publicly available sources, information databases or credit agencies, and
  • insofar as it is required, information about relevant court proceedings and other legal disputes in which the business partners are involved.

We process the personal data for the following purposes:

  • communication with business partners in relation to products, services and projects, e.g. in order to handle enquiries from the business partner or to provide technical information about products,
  • the planning, maintaining and administration of the (contractual) business relationship between us and the business partner, e.g. in order to process the ordering of products and services or to collect payments, for bookkeeping and accounting purposes, and in order to make deliveries or to carry out maintenance activities or repairs,
  • the carrying out of customer surveys, marketing campaigns, market analyses, and the running of lotteries, competitions or similar promotions and events,
  • the carrying out of customer satisfaction surveys and direct marketing
  • the maintaining and ensuring of the safety of our products and services and of our webpages
  • compliance with legal requirements (e.g. with retention duties under taxation law and commercial law)
  • the resolving of legal disputes and the enforcing of existing contracts, and for making, exercising and defending legal claims.

b.    Legal basis for the processing of personal data
Insofar as we obtain the consent of the person concerned for personal data processing transactions, the legal basis for this is Art. 6 para. 1 (a) of the EU GDPR.

Art. 6 para. 1 (b) of the EU GDPR provides the legal basis for the processing of personal data which is required for the fulfilling of a contract between you and us. This also applies to processing transactions which are required for the carrying out of pre-contractual measures.

If any processing of personal data is required for the fulfilling of a legal obligation to which we are subject, 6 para. 1 (c) of the EU GDPR provides us with the legal basis for this.

If the vital interests of you or another natural person necessitate the processing of personal data, 6 para. 1 (d) of the EU GDPR provides us with the legal basis for this.

If the processing is necessary for the purposes of a legitimate interest held by us or a third party, and if your interests, basic rights and basic freedoms do not override the aforementioned interest, 6 para. 1 (f) of the EU GDPR provides us with the legal basis for the processing.

c.    Data deletion and storage period
Your personal data will be deleted or blocked once the purpose of its storage no longer applies. Storage may be continued for longer if provision for doing so has been made by European or national legislators in EU directives, laws or other regulations to which we are subject. The deletion or blocking of the data takes place even if a retention period specified by the stated standards expires, unless there is a need to continue storing the data in connection with the concluding of a contract or the performance of a contract.


4.    Direct marketing by post

a.    The legal basis for data processing
The legal basis for the processing of your personal data in connection with postal direct marketing is Art. 6 para. 1 (f) of the EU GDPR.

b.    Purpose of data processing
The purpose of the processing of your personal data in connection with postal direct marketing is to enhance the turnover derived from the sale of goods or services. This purpose constitutes our legitimate interest in the processing of the data in accordance with Art. 6 para. 1 (f) of the EU GDPR.

c.    Duration of storage
Your personal data will be deleted once it is no longer required for the achievement of the purpose for which it was gathered; this is the case in particular once an objection to its storage is received.

d.    Right of objection and removal
You may object at any time to the future processing of your personal data in connection with postal direct marketing.


5.    Newsletter

a.    The legal basis for data processing
The legal basis for the processing of your personal data in connection with the sending of the newsletter is Art. 6 para. 1 (a) of the EU GDPR if consent has been provided.

b.     Purpose of data processing
The gathering of your personal data is undertaken in order to enable the newsletter to be sent to you. The purpose of the processing of your personal data in connection with the sending of the newsletter is to provide business partners with current information regarding relevant issues relating to the machining of wood and plastics and advanced materials as well as the development of the company.

c.    Duration of storage
Your personal data will be deleted once it is no longer required for the achievement of the purpose for which it was gathered. Your personal data will accordingly be stored for as long as your subscription to the newsletter remains active.

d.    Right of objection and removal
You may cancel your subscription to the newsletter at any time. There is a corresponding link for this purpose in each newsletter. Cancelling the subscription also enables the consent to be revoked.


6.    Getting in touch via email

a.    The legal basis for data processing
The legal basis for the processing of your personal data which is transmitted in connection with the sending of an email is Art. 6 para. 1 (f) of the EU GDPR. If the aim of getting in touch via email is the concluding of a contract, Art. 6 para. 1 (b) of the EU GDPR constitutes the additional legal basis for the processing of your personal data.

b.    Purpose of the data processing
In the event of us getting in touch via email the processing of your personal data is undertaken exclusively for processing the establishing of contact.

c.    Duration of storage
Your personal data will be deleted once it is no longer required for the achievement of the purpose for which it was gathered. In relation to personal data which has been sent via email this is the case once the respective conversation with you has ended. The conversation has ended once the circumstances indicate that the matter concerned has been definitively clarified between you and us.

d.    Right of objection and removal
You may object at any time to the future processing of your personal data in connection with the establishing of contact via email. Once you do so, the conversation between you and us can no longer be continued. In this case all the personal data which has been stored in connection with the establishing of contact will be deleted.


7.    Legal defence and legal redress

a.    The legal basis for data processing
The legal basis for the processing of your personal data in connection with legal defence and legal redress is Art. 6 para. 1 (f) of the EU GDPR.

b.    Purpose of the data processing
The purpose of the processing of your personal data in connection with legal defence and legal redress is the filing of a defence against unjustified claims as well as the legal enforcement of claims and rights. This purpose constitutes our legitimate interest in the processing of the data in accordance with Art. 6 para. 1 (f) of the EU GDPR.

c.    Duration of storage
Your personal data will be deleted once it is no longer required for the achievement of the purpose for which it was gathered.

d.    Right of objection and removal
The processing of your personal data in connection with legal defence and legal redress is absolutely essential for legal defence and legal redress. You consequently have no right to object to it.


8.    Categories of recipient

Those bodies and departments within our company receive personal data which need it in order to fulfil the aforementioned purposes. In addition, we sometimes make use of a variety of service providers and send your personal data to other trustworthy recipients. Examples of these include:

-    banks
-    scanning services
-    printers
-    lettershops
-    IT service providers
-    customer relationship service providers
-    lawyers and courts


9.    Transmission of data to third countries

Data transfers to third countries take place exclusively on the basis of a consent being provided, of their necessity in order to fulfil the contract or to pursue legal claims (Art. 49 of the EU GDPR).

 

10.    Rights of the data subject

If your personal data is processed by us, you are the data subject within the meaning of the EU GDPR and you have the following rights in relation to us:

a.    Right to information
Upon request we will provide you with confirmation as to whether personal data concerning you is being processed by us.

If such processing is taking place, you can demand information from us concerning the following specific points:

(1)    the purposes for which the personal data is processed;
(2)    the categories of personal data that are processed;
(3)    the recipients and/or categories of recipients to whom/which the personal data relating to you has been disclosed or is still being disclosed;
(4)    the planned period of storage of the personal data relating to you or, if it is not possible to provide definite information about this, the criteria used for setting the storage period;
(5)    the existence of a right of correction or deletion of the personal data relating to you, and of a right to restrict processing by us or to object to such processing;
(6)    the existence of a right to make a complaint to a supervisory authority;
(7)    all the available information about the origin of the data if the personal data is not collected from you;
(8)    the existence of an automated decision-making system including profiling in accordance with Article Art. 22 paras. 1 and 4 of the EU GDPR and – at least in such cases – meaningful information about the logic system used and the implications and intended effects of such processing as they relate to you.

You have the right to demand information about whether the personal data relating to you is transferred to a third country or to an international organisation. In this connection you may demand to be informed of the appropriate safeguards relating to the transfer according to Art. 46 of the EU GDPR.

b.    Right to correction
You have a right to obtain from us the correction and/or completion of the data if the processed personal data concerning you is incorrect or incomplete. We must carry out the correction without delay.

c.    Right to restrict processing
Subject to the following conditions, you may demand that the processing of the personal data relating to you be restricted:

(1)    if you question the correctness of the personal data relating to you for a period which enables us to check the correctness of the personal data;
(2)    if the processing is unlawful and you refuse the deletion of the personal data and instead demand that the use of the personal data be restricted;
(3)    if we no longer need the personal data for processing purposes, but you need it for making, exercising or defending legal claims, or
(4)    if you have objected to the processing in accordance with Art. 21 para. 1 of the EU GDPR and it is not yet clear whether our legitimate reasons override your reasons.

If the processing of the personal data relating to you has been restricted, such data may – apart from its storage – only be processed with your consent, or for the making, exercising or defending of legal claims or for the protection of the rights of another natural person or corporate body, or for the reasons of an important public interest of the European Union or of a member state.

If the restriction of processing has been applied according to the above conditions, you will be notified by us before the restriction is lifted.

d.    Right to deletion
d 1) Duty to delete
You may demand that the personal data relating to you be deleted without delay, and we are obliged to delete such personal data without delay if one of the following reasons applies:

(1)    The personal data relating to you is no longer needed for the purposes for which it has been collected or otherwise processed.
(2)    You revoke your consent on which the processing is based according to Art. 6 para. 1 (a) or Art. 9 para. 2 (a) of the EU GDPR, and there is no other legal basis for its processing.
(3)    In accordance with Art. 21 para. 1 of the EU GDPR you revoke your consent to the processing and there are no overriding legitimate reasons for processing, or you object to the processing in accordance with Art. 21 para. 2 of the EU GDPR.
(4)    The personal data relating to you has been unlawfully processed.
(5)    The deletion of the personal data relating to you is required in order to fulfil a legal obligation to which we are subject under European Union law or under the law of the Member States.
(6)    The personal data relating to you has been collected in relation to the offer of information society services as set out in Art. 8 para. 1 of the EU GDPR.

d2) Information provided to third parties
If we have publicly disclosed the personal data relating to you and if we are obliged to delete it according to Art. 17 para. 1 of the EU GDPR, then – having due regard to the technology that is available and the implementation costs that are involved – we will take appropriate measures (including of a technical nature) to inform the data controllers who process the data that you as the data subject have demanded that they should delete any links to that personal data, or any copies or replicas of that personal data.

d3)    Exceptions
The right to deletion does not exist if the processing is required:

(1)    in order to exercise a right to the free expression of opinions and provision of information;
(2)    in order to fulfil a legal obligation which makes processing necessary according to the law of the European Union (or of the Member States) to which we are subject, or in order to carry out a task which is in the public interest or which is carried out through the exercising of official authority which has been transferred to us;
(3)    for public interest reasons in the public health field according to Art. 9 para. 2 (h) and (i) as well as Art. 9 para. 3 of the EU GDPR;
(4)    for public-interest archiving purposes or scientific or historic research purposes, or for statistical purposes according to Art. 89 para. 1 of the EU GDPR insofar as the right set out in Section a) may be expected to make the achievement of the aims of such processing impossible or to seriously jeopardise it, or
(5)    for the making, exercising or defending of legal claims.

e.    Right to be informed
If you have asserted the right to correction, deletion or the restriction of processing against us, we are obliged to inform all the recipients to whom/which the personal data relating to you has been disclosed of such correction or deletion of the data or restriction of its processing unless this proves to be impossible or involves disproportionate expense.

You have the right to be informed by us of who these recipients are.

f.    Right to data portability
You have the right to receive the personal data which relates to you, and which you have provided to us, in a structured, up-to-date and machine-readable format. In addition, you have the right to transfer such personal data that has been provided to us to another controller without us objecting to this, provided that

(1)    the processing is based on a consent according to Art. 6 para. 1 (a) of the EU GDPR or Art. 9 para. 2 (a) of the EU GDPR, or on a contract according to Art. 6 para. 1 (b) of the EU GDPR, and
(2)    the processing is carried out through the use of automated procedures.

When exercising this right you also have the right to have the personal data relating to you transferred directly from us to another controller insofar as this is technically feasible. The freedoms and rights of other persons may not impaired by this.

The right to data portability does not apply to the processing of personal data which is required for the carrying out of a task which is in the public interest or which is carried out through the exercising of official authority which has been transferred to us.

g.    Right to withdraw consent
You have the right at any time and for reasons which relate to your specific situation to withdraw your consent to the processing of the personal data relating to you which is undertaken in accordance with Art. 6 para. 1 (e) or (f) of the EU GDPR; this also applies to any profiling that is carried out based on these provisions.

We will no longer process the personal data relating to you unless we can prove that there are compelling, legitimate reasons for such processing which override your interests, rights and freedoms, or unless the processing is for the making, exercising or defending of legal claims.

If the personal data relating to you is processed for direct marketing purposes, you have the right to withdraw your consent at any time to the processing of the personal data relating to you for the purposes of such marketing; this also applies to profiling insofar as it is connected to such direct marketing.

If you withdraw your consent to processing for direct marketing purposes, the personal data relating to you will no longer be processed for such purposes.

In connection with the use of the services of the information society – irrespective of Directive 2002/58/EC – you may exercise your right of revocation through the use of automated procedures in relation to which technical specifications are used.

h.    Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the lawfulness of the processing that has been carried out based on the consent prior to the revocation.

i.    Automated decision in an individual case, including profiling
You have the right not to be subject to a decision that is based exclusively on automated processing – including profiling – which is legally effective in relation to you or which exerts a significant adverse effect on you in a similar manner. This does not apply if the decision

(1)    is required for the concluding or performance of a contract between you and us,
(2)    is permitted based on legal regulations of the European Union or of its Member States to which we are subject, and if these legal regulations contain appropriate measures for safeguarding your rights and freedoms and your legitimate interests, or
(3)    is made with your explicit consent.

Nevertheless, these decisions must not be based on specific categories of personal data as set out in Art. 9 para. 1 of the EU GDPR unless Art. 9 para. 2 (a) or (g) of the EU GDPR applies and appropriate measures have been taken to safeguard those rights and freedoms and your legitimate interests.

In relation to the cases specified in (1) and (3) we take appropriate measures to safeguard the rights and freedoms and your legitimate interests; such measures include as a minimum the right to get us to secure the intervention of a person in the matter, the right to set out your own standpoint, and the right to contest the decision.

j.    Rights to make a complaint to a supervisory authority
Regardless of any other legal remedy under administrative or judicial law, you have the right to make a complaint to a supervisory authority – in particular in the Member State in which you reside or have your place of work or in which the alleged breach occurred – if in your opinion the processing of the personal data relating to you contravenes the EU GDPR.

The responsible supervisory authority for us is:

Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg
Königstraße 10 a
70173 Stuttgart


The supervisory authority to which you have submitted the complaint will inform you of the status and results of the complaint, including the possibility of pursuing a judicial remedy in accordance with Art. 78 of the EU GDPR.

If you have any queries, please feel free to contact our Data Protection Officer at any time.

Information duties for applicants according to Art. 12, 13 et seq. of the EU GDPR (m/f/x)

as at 08/2019

Based on the legal provisions that are specified in the EU General Data Protection Regulation ("EU GDPR") we are obliged to provide you with comprehensive information about the processing of your personal data in the context of your application, and we are pleased to do so.

Data protection and the handling of your personal data is very important to us, and we therefore always take care to ensure that we process your personal data in a correct manner.

In relation to the processing of your personal data in the context of your application, we wish to inform you of the following:

1.    Controller

Your point of contact as the controller within the meaning of the EU General Data Protection Regulation ("EU GDPR") and other national data protection laws within the member states as well as other data protection provisions is:

Leitz GmbH & Co. KG,
Leitzstraße 11, D-73447 Oberkochen
(hereinafter referred to as "we", "us" or "our")

 

2.    Data Protection Officer

Please contact our Data Protection Officer directly concerning any questions relating to data protection and data security in our company. Email: datenschutz@leitz.org


3.    Miscellaneous information about data processing

As a matter of principle we process your personal data only insofar as it is necessary to do so for setting up the employment relationship. Further processing of your personal data normally takes place only if we have obtained your consent to this beforehand. An exception applies in those cases in which it is not possible to obtain prior consent owing to factual reasons, or in cases in which the processing of your personal data is permitted by a statute.


4.    Data processing within the application procedure

a.    Legal basis for the processing of data

Personal data
If we obtain your consent to the processing of personal data, the legal basis for us doing so is Art. 6 para. 1 (a) of the EU GDPR and Art. 88 para. 1 of the EU GDPR in conjunction with § 26 para. 2 of the BDSG (Federal Data Protection Act).

The legal basis for the processing of personal data which is required for the setting up of an employment relationship is Art. 6 para. 1 (b) of the EU GDPR and Art. 88 para. 1 of the EU GDPR in conjunction with § 26 para. 1 of the BDSG and § 611a BGB (German Civil Code).

If any processing of personal data is required for the fulfilling of a legal obligation to which we are subject, 6 para. 1 (c) of the EU GDPR provides us with the legal basis for this.

If the vital interests of you or another natural person necessitate the processing of personal data, 6 para. 1 (d) of the EU GDPR provides us with the legal basis for this.

If the processing is necessary for the purposes of a legitimate interest held by us or a third party, and if your interests, basic rights and basic freedoms do not override the aforementioned interest, 6 para. 1 (f) of the EU GDPR provides us with the legal basis for the processing.

Special categories of personal data
If we obtain your consent for the processing of special categories of personal data (Art. 9 para. 1 EU GDPR), such as religious affiliation, nationality and health data, Art. 9 para. 2 (a) of the EU GDPR provides the legal basis for this.

If the processing of specific categories of personal data is necessary in order for us to be able to exercise the rights that are conferred on us by employment law and social security law, and in order for us to fulfil our duties in this respect, the legal basis for the processing is provided by Art. 9 para. 2 (b) of the EU GDPR and Art. 88 para. 1 of the EU GDPR in conjunction with § 26 para. 3 of the BDSG.

If the processing of specific categories of personal data is necessary in order for the protection of vital interests, the legal basis for the processing is provided by Art. 9 para. 2 (c) of the EU GDPR.

If the processing relates to specific categories of personal data which have evidently been made public by you, the legal basis for such processing is provided by Art. 9 para. 2 (e) of the EU GDPR.

If the processing of specific categories of personal data is necessary for healthcare or occupational medicine purposes, or for assessing working capacity, the legal basis for such processing is provided by Art. 9 para. 2 (h) of the EU GDPR.

b.    Purposes of data processing
The processing of your personal data is undertaken for the purposes of setting up the employment relationship, and in particular for the fulfilling of obligations under employment law and legal obligations – including colIective bargaining obligations if applicable as well as obligations under social insurance law.

c.    Storage period
Your personal data will be deleted or blocked once the purpose of its storage no longer applies. Storage may be continued for longer if provision for doing so has been made by European or national legislators in EU directives, laws or other regulations to which we are subject. The deletion or blocking of the data takes place even if a retention period specified by the stated standards expires, unless there is a need to continue storing the data in connection with the concluding of a contract or the performance of a contract.

Thereafter we will store your application documents and application details (among other data) for the following periods:

If you are appointed, the application documents become part of your personnel file.
If your application is rejected, the data is deleted 6 months after the corresponding information was provided.


d.    Right of objection and removal
The processing of your personal data in connection with the application procedure is absolutely essential for setting up the employment relationship. You have the right to object to further processing at any time.

If the processing of your personal data is carried out on the basis of a consent, you may revoke your consent at any time.


5.    Legal defence and legal redress

a.    Legal basis for the processing of data
The legal basis for the processing of your personal data in connection with legal defence and legal redress is Art. 6 para. 1 (f) of the EU GDPR and/or Art. 9 para. 2 (f) of the EU GDPR.

b.    Purpose of the data processing
The purpose of the processing of your personal data in connection with legal defence and legal redress is the filing of a defence against unjustified claims as well as the legal enforcement of claims and rights. This purpose constitutes our justified interest in the processing of the data in accordance with Art. 6 para. 1 (f) of the EU GDPR and/or Art. 9 para. 2 (f) of the EU GDPR.

c.    Duration of storage
Your personal data will be deleted once it is no longer required for the achievement of the purpose for which it was gathered.

d.    Right of objection and removal
The processing of your personal data in connection with legal defence and legal redress is absolutely essential for legal defence and legal redress. You consequently have no right to object to it.

 

6.    Categories of recipient

Those bodies and departments within our company receive personal data which need it in order to fulfil the aforementioned purposes. In order to do this we sometimes make use of a variety of service providers, and we send personal data to other recipients. Examples of these include:

 

  • The Human Resources department
  • Potential line managers of the applicant concerned
  • Specific departments
  • The financial accounting department
  • The Works Council
  • The representative body for disabled employees / the state integration agency
  • The Equal Opportunities Officer
  • The Federal Employment Agency
  • Banking institutions
  • Insurance companies


7.    Rights of the data subject

If your personal data is processed by us, you are the data subject within the meaning of the EU GDPR and you have the following rights in relation to us:

a.    Right to information
Upon request we will provide you with confirmation as to whether personal data concerning you is being processed by us.

If such processing is taking place, you can demand information from us concerning the following specific points:

(1)    the purposes for which the personal data is processed;
(2)    the categories of personal data that are processed;
(3)    the recipients and/or categories of recipients to whom/which the personal data relating to you has been disclosed or is still being disclosed;
(4)    the planned period of storage of the personal data relating to you or, if it is not possible to provide definite information about this, the criteria used for setting the storage period;
(5)    the existence of a right of correction or deletion of the personal data relating to you, and of a right to restrict processing by us or to object to such processing;
(6)    the existence of a right to make a complaint to a supervisory authority;
(7)    all the available information about the origin of the data if the personal data is not collected from you;
(8)    the existence of an automated decision-making system including profiling in accordance with Article Art. 22 paras. 1 and 4 of the EU GDPR and – at least in such cases – meaningful information about the logic system used and the implications and intended effects of such processing as they relate to you.

You have the right to demand information about whether the personal data relating to you is transferred to a third country or to an international organisation. In this connection you may demand to be informed of the appropriate safeguards relating to the transfer according to Art. 46 of the EU GDPR.

b.    Right to correction
You have a right to obtain from us the correction and/or completion of the data if the processed personal data concerning you is incorrect or incomplete. We must carry out the correction without delay.

c.    Right to restrict processing
Subject to the following conditions, you may demand that the processing of the personal data relating to you be restricted:

(1)    if you question the correctness of the personal data relating to you for a period which enables us to check the correctness of the personal data;
(2)    if the processing is unlawful and you refuse the deletion of the personal data and instead demand that the use of the personal data be restricted;
(3)    if we no longer need the personal data for processing purposes, but you need it for making, exercising or defending legal claims, or
(4)    if you have objected to the processing in accordance with Art. 21 para. 1 of the EU GDPR and it is not yet clear whether our legitimate reasons override your reasons.

If the processing of the personal data relating to you has been restricted, such data may – apart from its storage – only be processed with your consent, or for the making, exercising or defending of legal claims or for the protection of the rights of another natural person or corporate body, or for the reasons of an important public interest of the European Union or of a member state.

If the restriction of processing has been applied according to the above conditions, you will be notified by us before the restriction is lifted.

d.    Right to deletion
d 1) Duty to delete
You may demand that we delete the personal data relating to you without delay, and we are obliged to delete such personal data without delay if one of the following reasons applies:

  1.     The personal data relating to you is no longer needed for the purposes for which it has been collected or otherwise processed.
    (2)    You revoke your consent on which the processing was based according to Art. 6 para. 1 (a) or Art. 9 para. 2 (a) of the EU GDPR, and there is no other legal basis for its processing.
    (3)    In accordance with Art. 21 para. 1 of the EU GDPR you revoke your consent to the processing and there are no overriding legitimate reasons for processing, or you object to the processing in accordance with Art. 21 para. 2 of the EU GDPR.
    (4)    The personal data relating to you has been unlawfully processed.
    (5)    The deletion of the personal data relating to you is required in order to fulfil a legal obligation to which we are subject under European Union law or under the law of the Member States.
     (6)    The personal data relating to you has been collected in relation to the offer of information society services as set out in Art. 8 para. 1 of the EU GDPR.

d 2) Information provided to third parties
If we have disclosed the personal data relating to you and if we are obliged to delete it according to Art. 17 para. 1 of the EU GDPR, then – having due regard to the technology that is available and the implementation costs that are involved – we will take appropriate measures (including of a technical nature) to inform the data controllers who process the data that you as the data subject have demanded that they should delete any links to that personal data, or any copies or replicas of that personal data.

d 3) Exceptions
The right to deletion does not exist if the processing is required:

(1)    in order to exercise a right to the free expression of opinions and provision of information;
(2)    in order to fulfil a legal obligation which requires processing according to the law of the European Union, or of the Member States, to which we are subject, or in order to carry out a task which is in the public interest or which is carried out through the exercising of official authority which has been transferred to us;
(3)    for public-interest reasons in the public health field according to Art. 9 para. 2 (h) and (i) as well as Art. 9 para. 3 of the EU GDPR;
(4)    for public-interest archiving purposes or scientific or historic research purposes, or for statistical purposes according to Art. 89 para. 1 of the EU GDPR insofar as the right set out in Section a) may be expected to make the achievement of the aims of such processing impossible or to seriously jeopardise it, or
(5)    for the making, exercising or defending of legal claims.

e.    Right to be informed
If you have asserted the right to correction, deletion or the restriction of processing against us, we are obliged to inform all the recipients to whom/which the personal data relating to you has been disclosed of such correction or deletion of the data or restriction of its processing unless this proves to be impossible or involves disproportionate expense.

You have the right to be informed by us of who these recipients are.

f.    Right to data portability
You have the right to receive the personal data which relates to you, and which you have provided to us, in a structured, up-to-date and machine-readable format. In addition, you have the right to transfer such personal data that has been provided to us to another controller without being hindered from doing so by us, provided that

(1)    the processing is based on a consent according to Art. 6 para. 1 (a) of the EU GDPR or Art. 9 para. 2 (a) of the EU GDPR, or on a contract according to Art. 6 para. 1 (b) of the EU GDPR, and
(2)    the processing is carried out through the use of automated procedures.

When exercising this right you also have the right to have the personal data relating to you transferred directly from us to another controller insofar as this is technically feasible. The freedoms and rights of other persons may not impaired by this.

The right to data portability does not apply to the processing of personal data which is required for the carrying out of a task which is in the public interest or which is carried out through the exercising of official authority which has been transferred to us.

g.    Right to withdraw consent
You have the right at any time and for reasons which relate to your specific situation to withdraw your consent to the processing of the personal data relating to you which is undertaken in accordance with Art. 6 para. 1 (e) or (f) of the EU GDPR; this also applies to any profiling that is carried out based on these provisions.

We will no longer process the personal data relating to you unless we can prove that there are compelling, legitimate reasons for such processing which override your interests, rights and freedoms, or unless the processing is for the making, exercising or defending of legal claims.

If the personal data relating to you is processed for direct marketing purposes, you have the right to withdraw your consent at any time to the processing of the personal data relating to you for the purposes of such marketing; this also applies to profiling insofar as it is connected to such direct marketing.

If you withdraw your consent to processing for direct marketing purposes, the personal data relating to you will no longer be processed for such purposes.

In connection with the use of the services of the information society – irrespective of Directive 2002/58/EC – you may exercise your right of revocation through the use of automated procedures in relation to which technical specifications are used.

h.    Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the lawfulness of the processing that has been carried out based on the consent prior to the revocation.

i.    Automated decision in an individual case, including profiling
You have the right not to be subject to a decision that is based exclusively on automated processing – including profiling – which is legally effective in relation to you or which exerts a significant adverse effect on you in a similar manner. This does not apply if the decision

(1)    is required for the performance of a contract that has been concluded between you and us,
(2)    is permitted based on legal regulations of the European Union or of its Member States to which we are subject, and if these legal regulations contain appropriate measures for safeguarding your rights and freedoms and your justified interests, or
(3)    is made with your explicit consent.

Nevertheless, these decisions must not be based on specific categories of personal data as set out in Art. 9 para. 1 of the EU GDPR unless Art. 9 para. 2 (a) or (g) of the EU GDPR applies and appropriate measures have been taken to safeguard those rights and freedoms and your legitimate interests.

In relation to the cases specified in (1) and (3) we take appropriate measures to safeguard the rights and freedoms and your legitimate interests; such measures include as a minimum the right to get us to secure the intervention of a person in the matter, the right to set out your own standpoint, and the right to contest the decision.

j.    Rights to make a complaint to a supervisory authority
Regardless of any other legal remedy under administrative or judicial law, you have the right to make a complaint to a supervisory authority – in particular in the Member State in which you reside or have your place of work or in which the alleged breach occurred – if in your opinion the processing of the personal data relating to you contravenes the EU GDPR.

The responsible supervisory authority for us is:

Der Landesbeauftragte für den Datenschutz und die
Informationsfreiheit Baden-Württemberg
Königstraße 10 a,
70173 Stuttgart

The supervisory authority to which you have submitted the complaint will inform you of the status and results of the complaint, including the possibility of pursuing a judicial remedy in accordance with Art. 78 of the EU GDPR.

If you have any queries, please feel free to contact our Data Protection Officer at any time.