INFORMATION ON THE HANDLING OF YOUR DATA
An obligation under the General Data Protection Regulation.
1. PRELIMINARY REMARK
The following points are to provide you with information about your data. It has been defined by law what information is necessary.
Further details are available in the General Data Protection Regulation, Art. 12 to 22 and 34. The text of the General Data Protection Regulation is published on the Internet at dsgvo-gesetz.de. If you have any further questions about the General Data Protection Regulation, you can contact the Data Protection Officer and/or the administration at any time.
2. WHAT ARE PERSONAL DATA?
All information relating to an identified or identifiable person. A person is considered identifiable if he or she can be identified in a direct or indirect way. This can be done, for example, by assigning a person to an identifier such as a name, an identification number, location data, an online identifier or one or more special features.
3. BASIC INFORMATION
3.1 Who is responsible for processing my data?
The party responsible for data processing is
Häcker Küchen GmbH & Co. KG, Werk St. 3, 32289 Rödinghausen
Tel. +49 05746/940-0
3.2 How can I contact you?
3.3 Which authority is responsible for monitoring and ensuring compliance with the Data Protection Act?
The competent data protection supervisory authority
Die Landesbeauftragte für den Datenschutz und Informationsfreiheit Nordrhein-Westfalen
(The State Commissioner for Data Protection and
Freedom of Information of North Rhine Westphalia)
P.O. Box 200444, 40102 Düsseldorf
Telephone: +49 (0211) 384240
3.4 How can I contact the company's data protection officer?
The contact details of the data protection officer are:
4. FURTHER IMPORTANT INFORMATION
4.1 Data processing (why?)
We process your data to fulfil the mutual obligations arising from the (possibly upcoming) contractual relationship or to fulfil legal obligations.
4.2 Why are we entitled to do so?
According to the Data Protection Act (pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR), we are entitled to process the data necessary for the fulfilment of a contract or for the implementation of pre-contractual measures. If you voluntarily provide us with more information about yourself than is necessary, the Data Protection Act allows us to do so within the framework of a consent (pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR). According to the Data Protection Act under Art. 6 para. 1 sentence 1 lit. c GDPR, we are entitled to process your data if there is a legal obligation to do so. We may process your data if we have a legitimate interest (e.g. company security, securing our claims, external presentation of the company) and conflicting interests on your part do not prevail (Art. 6 para. 1 lit. f GDPR).
4.3 Who can receive my data?
As part of processing, your data may be transmitted to:
Persons within our company, who are directly involved in data processing (e.g.
Service providers who are bound by contract, who are obliged to confidentiality and who perform partial tasks of data processing, as well as other external bodies (companies, authorities, credit agencies, etc.), if this is necessary.
4.4 Will you transfer my data to countries outside the European Union?
We do not intend to do so. The only conceivable exception to this would be if you arranged this or if it were necessary for the fulfilment of the contract. Legal basis: Art. 6 para. 1 sentence 1 lit. b GDPR, Art. 49 para. 1 lit. b GDPR.
4.5 How long will you store my data?
We will store your data for the time we need it to achieve the purposes outlined in 4.1 above. However, there are statutory provisions (e.g. German Fiscal Code, § 147) which oblige us to retain certain documents for six or ten years. Once the retention period has expired, we delete data that are no longer required.
4.6 Do I have to make my data available?
In order to achieve the reasons mentioned in item 4.1, it is necessary for you to provide us with your personal data.
For the fulfilment of the contract with you, this is absolutely necessary or required by law. If you do not provide us with your personal data, we are not able to fulfil the contract with you.
4.7 Automated decision-making / profiling
No automated decision-making / profiling takes place.
5. WHAT RIGHTS DO I HAVE?
5.1 Information about your rights
As a data subject, you have the following rights (hereinafter also referred to as "rights of the data subject") under the General Data Protection Regulation:
5.2 Right to information (pursuant to Art. 15 GDPR)
You have a right to request information about whether or not we process your personal data. If we process your personal data, you have the right to know
- why we process your data (see also item 4.1);
- what type of data we process from you;
- what type of recipients receive or should receive data from you (see also item 4.3);
- how long we will store your data; if it is not possible to specify the storage period, we must inform you how the storage period is determined (e.g. after expiry of statutory retention periods) (see also item 4.5);
- that you have the right to have your data corrected or deleted, including the right to restrict processing and/or the possibility to object (see also items 5.2, 5.3 below ff.);
- that you have the right to appeal to a supervisory authority;
- the origin of your data, if we have not collected it directly from you;
- whether your data is used for an automated decision and, if so, what logic the decision is based on and what impact and consequences the automated decision may have for you;
- that, if data about you is transferred to a country outside the European Union, you are entitled to know whether an adequate level of protection is ensured at the data recipients and, if so, on the basis of which guarantees;
- that you have the right to request a copy of your personal data. Data copies are generally made available in electronic form.
- The first copy is free of charge; a reasonable fee may be charged for further copies. A copy can only be provided if this does not affect the rights of others.
5.3 Right to data correction (pursuant to Art. 16 GDPR)
You have the right to request us to correct your data if it is incorrect and/or incomplete. This right also includes the right for completion by means of supplementary declarations or notifications. Corrections or completions must be made without culpable delay.
5.4 Right to deletion of personal data (pursuant to Art. 17 GDPR)
You have the right to request us to delete your personal data if
- the personal data is no longer necessary for the purposes for which it was collected and processed;
- the data is processed on the basis of your consent and you have revoked your consent; however, this does not apply if there is another legal authorisation for data processing;
- you have objected to data processing whose legal permission is in the so-called 'legitimate interest' (according to Art. 6 para. 1 lit. e or f); however, deletion need not take place if there are overriding legitimate reasons for further processing;
- you have objected to data processing for the purpose of direct advertising;
- your personal data has been processed unlawfully;
- the data relate to a child and have been collected for information society services (= electronic services) on the basis of consent (pursuant to Art. 8 para. 1 GDPR).
There is no right to the deletion of personal data if
- the right to freedom of expression and information precludes the request for deletion;
- the processing of personal data is necessary
o for the fulfilment of a legal obligation (e.g. legal retention obligations),
o for the performance of public tasks and interests under applicable law (including “public health”) or
o for archiving and/or research purposes;
- the personal data is required to assert, exercise or defend legal claims.
Deletion must take place immediately (without culpable delay). If personal data has been made public by us (e.g. on the Internet), we must ensure, as far as technically possible and reasonable, that other data processors are also informed of the request for deletion, including the deletion of links, copies and/or replications.
5.5 Right to restrict data processing (pursuant to Art. 18 GDPR)
In the following cases, you have the right to have the processing of your personal data restricted:
- If you have disputed the accuracy of your personal data, you may request that we do not use your data for any other purpose for the duration of the verification of its accuracy and thus restrict its processing.
- In the event of unlawful data processing, you may request that the use of your data is restricted instead of having it deleted.
- If you need your personal data to assert, exercise or defend legal claims, but we no longer need your personal data, you can demand that we restrict processing to the purposes of legal prosecution.
- If you have objected to data processing (pursuant to Art. 21 para. 1 GDPR) (see also item 5.7) and it is not yet clear whether our interests in processing outweigh your interests, you may demand that your data not be used for other purposes for the duration of the review and that the processing of your data is therefore restricted.
Personal data whose processing has been restricted at your request may - subject to storage - only be processed
- with your consent,
- to assert, exercise or defend legal claims,
- to protect the rights of other natural or legal persons, or
- for reasons of an important public interest.
If the processing restriction is lifted, you will be informed in advance.
5.6 Right to data portability (pursuant to Art. 20 GDPR)
You have the right to claim from us the data that you have provided us with in a common electronic format (e.g. as PDF or Excel document).
You can also request us to transmit this data directly to another company (designated by you), provided that this is technically possible for us.
The prerequisite for you to exercise this right is that the processing is carried out by means of automated procedures on the basis of a consent or for the execution of a contract.
The exercise of the right to transfer data may not affect the rights and freedoms of other persons.
If you exercise the right to data transfer, you still have the right to request the deletion of the data in accordance with Art. 17 GDPR.
5.7 Right to object to certain data processing operations (pursuant to Art. 21 GDPR)
If your data is processed for the performance of tasks in the public interest or for the protection of legitimate interests, you can object to such processing. To do so, you are required to inform us of the reasons for your objection, which are based on your particular situation. These may include special family circumstances or secrecy interests worthy of protection etc.
In the event of an objection, we shall refrain from any further processing of your data for the aforementioned purposes, unless
- there are compelling legitimate reasons for processing that outweigh your interests, rights and freedoms, or
- the processing is necessary to assert, exercise or defend legal claims.
You may object to the use of your data for direct advertising purposes at any time; this also applies to profiling, insofar as it is connected with direct advertising. If you object, we may no longer use your data for direct advertising purposes.
5.8 Prohibition of automated decisions/profiling (pursuant to Art. 22 GDPR)
Decisions reached by us which have a legal consequence for you or significantly affect you may not be based solely on automated processing of personal data. This also includes profiling. This prohibition shall not apply if the automated decision
- is necessary for the conclusion or fulfilment of a contract with you,
- is permitted by law, if such law contains appropriate measures to protect your rights and freedom, as well as your legitimate interests, or
- is taken with your express consent.
Decisions based solely on the automated processing of special categories of personal data (= sensitive data) are only admissible if they are based on
- your express consent or
- if there is a substantial public interest in the processing

and appropriate measures have been taken to protect your rights and freedoms, as well as your legitimate interests.
5.9 Exercise of the rights of the data subjects
In order to exercise data subject rights, please contact the body indicated in item 3.2. Requests submitted electronically are usually answered electronically. The information, notifications and measures to be provided under the GDPR, including the “exercise of the rights of data subjects”, are generally provided free of charge. We are only entitled to charge a reasonable fee for processing or refrain from taking action in the case of obviously unfounded or excessive applications (pursuant to Art. 12 para. 5 GDPR).
If there is reasonable doubt about your identity, we may request additional information from you for identification purposes. We are entitled to refuse the processing of your request if identification is impossible for us. If we cannot identify you, we will inform you separately, if possible (see Art. 12 para. 6 and Art. 11 GDPR).
Requests for information will normally be processed immediately, i.e. within one month of receipt of the request. The deadline may be extended by a further two months if the complexity and/or number of applications so require; in the event of an extension, we will inform you of the reasons for the delay within one month of receiving your application. If we do not take action upon a request, we will inform you immediately, i.e. within one month of receipt of the request, of the reasons for the delay and indicate the possibility of lodging a complaint with a regulatory authority or seeking judicial remedy (see Art. 12 para. 3 and para. 4 GDPR).
Please note that you can exercise your rights as a data subject only within the limits and restrictions laid down by the Union or the Member States (Art. 23 GDPR).