Compulsory information data protection
in accordance with Article 12 et seq. GDPR
Data protection declaration
pursuant to the EU General Data Protection Regulation (GDPR)
Applicable for customers, interested parties, suppliers, as well as sales and cooperation partners of Werner Sobek (Werner Sobek Group GmbH, Werner Sobek Holding GmbH, Werner Sobek AG, alphaINSIDE GmbH, AH Aktiv-Haus GmbH, Werner Sobek Design GmbH, Werner Sobek Green Technologies GmbH, Sobek & Hall GmbH, Ingenieurbüro htp GmbH, Werner Sobek Frankfurt GmbH & Co. KG, IFT GmbH) (hereinafter referred to as “Controller”).
With the following information pursuant to Art. 12 et seq., GDPR we will provide an overview of the processing of your personal data and your rights from the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA). The requested or commissioned products and services shall be decisive for the data to be processed in detail and the manner these are used.
1. Controller for data processing
2. Data protection officer of the controller
Werner Sobek AG
3. Data and data sources
We process personal data provided by you in line with our business relationship. Moreover, we process (as far as required for the provision of our products and rendering our service) personal data obtained by other companies of the Controller corporate group (Werner Sobek Group GmbH, Werner Sobek Holding GmbH, Werner Sobek AG, alphaINSIDE GmbH, AH Aktiv-Haus GmbH, Werner Sobek Design GmbH, Werner Sobek Green Technologies GmbH, Sobek & Hall GmbH, Ingenieurbüro htp GmbH, Werner Sobek Frankfurt GmbH & Co. KG, IFT GmbH) or other third parties (e. g. for the performance of contracts, the execution of contracts or due to the consent granted by you). On the other hand we process personal data we have permissibly gained from publicly accessible sources (e.g. trade and association register, press, media, Internet) and which may be processed.
b) Categories of personal data
When initiating a business relationship or when master data are created the following personal data can be collected, processed or saved:
Address and communication data (name, address, telephone, e-mail address, other contact data), person master data (date/place of birth, gender, nationality, marital status, legal capacity, professional group code) legitimation data (e. g. card data), authentication data (e. g. specimen signature), tax ID)
When products and services are utilized in line with the contracts concluded with us, the following further personal data can be primarily collected, processed and saved in addition to the aforementioned data:
Contract master data (order data, data from the compliance with our contractual obligations, information about potential third-party beneficiaries), account, performance and payment data (debit data, tax information further person master data (profession, employer), documentation data (e. g. logs), product data (e. g. requested or booked services and products), as well as the following business creditworthiness documents: Net income accounts, balance sheets, business assessment, type and term of self-employment.
c) Customer contact information
In the context of the period of initiating a business relationship and during the business relationship, in particular by personal, telephone or written contacts initiated by you or the Controller further personal data are created. This includes e.g. information on the contact channel, date, occasion and result (electronic) copies of the correspondence, as well as information on the participation in direct marketing activities.
d) Services of the information society
When data is processed in line with services of the information society, you will obtain further data protection information related to the respective service.
4. Purpose and legal basis of processing
We process the personal data mentioned in 3 in compliance with the regulations of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA).
a) For compliance with contractual obligations (Article 6 (1) lit. b GDPR)
The processing of personal data is made for justification, performance (content and modification) and termination of a contract for the provision of products or the rendering of services, as well as for the performance of pre-contractual activities for the preparation of quotations, contracts or other requests directed at the conclusion of the contract which are made on the basis of your request.
The purposes of data processing are first of all based on the specific products and services and can comprise needs analyses, consulting and support etc. Further details of the purpose of data processing can be gathered from the respective (also pre-contractual) contract documents of our cooperation.
Interested parties may be contacted under consideration of potentially stated limitations during the initiation of the contract and customers, suppliers, as well as cooperation partners during the business relationship using the data they have communicated.
b) Due to your consent (Article 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR)
Provided that you have given us your consent to process personal data for certain purposes (e. g. disclosure of data within the corporate group), the processing shall be legitimate on the basis of your consent. A given consent may be revoked at all times. This shall also be applicable for the cancellation of declarations of consent that were given vis-à-vis us prior to the validity of the EU General Data Protection Regulation, this means prior to 25 May 2018. Please note that the cancellation will only be valid for the future. Processing made before the cancellation shall not be affected. You may request an overview of the status of the contents you have given at all times.
c) Due to your consent to special categories of personal data (Art. 9 (2) lit. a GDPR combined with § 26 (2) FDPA)
The processing of special categories of personal data (such as health data) is based on your consent under Art. 9 (2) lit. a GDPR combined with § 26 (2) FDPA, as far as not legal permission facts like Art. 9 (2) lit. b combined with § 26 (3) FDPA are relevant (see under d)).
d) Due to statutory requirements (Article 6 (1) lit. c GDPR or for the public benefit (Article 6 (1) lit. e GDPR)
We are subject to various legal obligations, as well as legal requirements and process data for the following purposes among others: the compliance with fiscal control and reporting obligations, as well as the assessment and control of risks within the corporate group.
Due to legal requirements, in particular according to § 257 of the German Commercial Code (HGB) and § 147 of the German Tax Code (AO), the Controller is obliged to store and store business documents and data for several years. In addition, all access to the communication systems are logged, stored and evaluated as needed to meet legal requirements and ensure information security.
In the event of disclosure for reasons of data protection, freedom of information or other laws, legal proceedings or investigations by supervisors, data subjects must assume that e-mails, text messages, voicemail or other electronic communications can be accessed, read, heard or disclosed by third parties, if they are relevant to the questions examined.
5. Recipients of data
Within the Controller those entities shall be granted access to your data which are required to comply with our contractual and legal obligations. Service providers employed by us can receive data for these purposes, if they comply with our written data protection directions.
With regard to the disclosure of data to recipients not belonging to the Controller it has to be observed first of all that we shall only be entitled to disclose information about you if this is permitted by statutory stipulations, you have consented and/or processors commissioned by us guarantee similarly the requirements of the EU General Data Protection Regulation and the Federal Data Protection Act.
Under those conditions the recipients of personal data may for instance be:
– Public bodies and institutions in the circumstances of a statutory or official obligation.
– Processors to which we submit personal data for the execution of the business relationship. In detail: Support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data destruction, purchasing/procurement, space management, recovery, customer management, letter shops, marketing, media technology, report system, research, risk controlling, claim for expenses, telephony, video legitimization, website management, auditing service, transactions.
Further data recipients may be those entities for which you have given the consent to data transfer.
6. Data transfer to third countries or international organizations
Data transfer to countries outside the EU or EEA (so-called non-member countries) or international organization shall only take place if it is required for the performance of your orders, statutory (e.g. fiscal reporting requirements), you have given us your consent or it is done in line with order processing. If service providers are employed in a non-member state, these shall be obliged to the compliance with the data protection level in Europe in addition to written instructions by the agreement of EU standard contractual clauses.
7. Term of data storage
We will process and save your personal data as long as required for the performance of our contractual and legal obligations. If the data are not required anymore for the performance of contractual or legal obligations, they will be deleted at regular intervals, unless their (limited) processing is necessary for the following purposes:
– Compliance with commercial and fiscal retention periods pursuant to Section 257 Commercial Code (HGB) and Tax Code with periods for storage or documentation of two to ten years laid down there.
– Receipt of evidence in the context of the statute of limitations. Pursuant to Sections 195 et seq. of the Civil Code (BGB) these limitation periods can be up to thirty (30) years, whereas the regular limitation period is three years.
8. Data protection rights of the data subject
Every data subject shall have a right of access by the data subject pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure (“Right to be forgotten”) pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to data portability from Article 10 GDPR, as well as the right to object from Article 21 GDPR. For the right to erasure and right of access the limitations pursuant to Articles 34 and 35 GDPR shall be applicable. Moreover, there is the right to lodge a complaint with a supervisory authority pursuant to Art. 13(2) lit. d GDPR and Article 77 GDPR combined with Section 19 FDPA (Federal Data Protection Act).
You may revoke the consent to the processing of personal data pursuant to Art 7 (3) GDPR at any time. This shall also be applicable for the cancellation of declarations of consent that were given vis-à-vis us prior to the validity of the EU General Data Protection Regulation, this means prior to 25 May 2018. The cancellation of the consent shall not affect the legitimacy of the processing made on the basis of the consent until the cancellation.
9. Obligation to provide data
In the context of our business relationship you must provide the personal data that is required for entering into and carrying out a business relationship and the compliance with the contractual obligations related to it or the collection to which we are legally bound. Without these data it is expected that we will normally be obliged to object to the conclusion of the contract, the provision of products and the rendering of services or to no longer carry out an existing contract or terminate the same.
10. Automated decision-making (including profiling)
As a general rule, we do not use fully automated decision-making (including profiling) for entering into and the performance of the business relationship pursuant to Article 22 GDPR. Should we use these processes on a case-by-case basis, we will inform you separately, provided that is stipulated by law.
WWe process your data partially automated with the aim of assessing certain personal aspects (profiling). We use profiling for instance to inform and advise you about our products by means of evaluation tools. These enable demand-driven communication and advertising including market and opinion research.
Information on your right to object
pursuant to Article 21 EU General Data Protection Regulation (GDPR)
1. Case-by-case-related right to object
You are entitled at any time, for reasons based on your special situation, to object to the processing of personal data related to you that is made on the basis of Article 6 (1) lit. e GDPR (data processing in the public interest) and Article 6 (1) lit. f GDPR (data processing based on the balancing of interests); this shall also be applicable to profiling in terms of Article 4 (4) GDPR based on this stipulation.
If you object to processing, your personal data will no longer be processed, unless we are able to prove compelling legitimate reasons for the processing that override your interests, rights and freedoms or the processing is for asserting, execution or defense of legal claims.
2. Right to object to data processing for advertising purposes
We process your personal data on a case-by-case basis for direct advertising purposes. You have the right to object to the processing of personal data related to you for the purpose of such advertising at any time; this shall also apply for profiling, provided that is related to such direct advertising. If you object to processing for direct advertising, your personal data will no longer be processed for these purposes. The objection can be addressed to the controller not subject to any condition as to form.
Version: December 2019