Types of data processed:
• master data (e.g. names, addresses)
• contact data (e.g. e-mail, telephone numbers)
• content data (e.g. text inputs, photos, videos)
• usage data (e.g. visited websites, interest in contents, access times)
• meta /communication data (e.g. device information, IP addresses)
• provision of the online offering, its functions, features and contents
• answering of contact requests and communication with users.
• security measures.
• measurement of coverage/marketing
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter called “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or several particular features specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” shall mean any operation carried out with or without automated procedures or any such series of operations in connection with personal data. The term is far reaching and comprises practically any kind of handling of data.
The term “controller” designates the natural person or legal entity, public authority, institution or other agency that decides alone or in conjunction with others on the purposes and means of processing of personal data.
Relevant legal bases
Cooperation with processors and third parties
In case we disclose or transmit any data to third persons or entities (processors or third parties) or otherwise grant access to them in the scope of our processing, this will only take place on the basis of a legal permit (e.g. if transmission of data to third parties, like payment service providers is required for performance of the contract according to Art. 6 (1) (b) GDPR), if you have consented, if this is provided for by a legal obligation or on the basis of our legitimate interest (e.g. when engaging delegates, webhosters, etc.).
As far as we entrust any third parties with processing of data on the basis of a so-called “data processor agreement”, this is done on the basis of Art. 28 GDPR.
Transmissions to third countries
In case we process any data in a third country (i.e. outside the European Union (EU) or European Economic Area (EEA)) or this is done in the scope of the use of services of third parties or disclosure or transmission of data to third parties, this will only take place, if required for performance of our (pre-)contractual obligations, on the basis of your consent, on account of a legal obligation or on the basis of our legitimate interest. Subject to statutory or contractual permits, we only process the data or have them processed in a third country, if the special prerequisites according to Art. 44 ff. GDPR apply. This means that processing takes place e.g. on the basis of special guarantees, like the officially recognised ascertainment of a data protection level being equivalent to that of the EU (e.g. by the “privacy shield” in case of the USA) or compliance with officially recognised particular contractual obligations (so-called “standard contractual clauses”).
Rights of the data subjects
You have the right to claim a certification, whether corresponding data are processed and to information about these data, as well as to further information and a copy of the data in conformity with Art. 15 GDPR.
Pursuant to Art. 16 GDPR, you are entitled to claim completion of your personal data or rectification of any incorrect personal data.
According to Art. 17 GDPR, you are entitled to claim immediate erasure of the relevant data or alternatively, a restriction of processing of the data according to Art. 18 GDPR.
You are entitled to claim that your personal data made available to us are provided to you and to claim their transmission to other controllers.
In accordance with Art. 77 DSGVO, you are entitled to lodge a complaint with the competent supervisory authority.
Right to withdraw consent
According to Art. 7 (3) GDPR, you are entitled to withdraw any consents given with effect for the future.
Right to object to processing
According to Art. 21 GDPR, you can at any time object to the future processing of your personal data. Objection can be declared in particular to processing for purposes of direct marketing.
Cookies and right to object in case of direct marketing
“Cookies” are short text files stored on the users’ devices. The cookies may include diverse information. A cookie primarily has the function to store data pertaining to a user (or the device on which the cookie is stored) during and after his visit in the scope of an online offering. Temporary cookies or “session cookies” or “transient cookies” are cookies that are erased after a user leaves the online offering and closes his browser. In such a cookie, e.g. the content of a shopping cart in an online shop or a log-in status may be stored. Cookies which remain stored even after closing the browser are designated as “permanent” or “persistent”. In this way, e.g. the login status can be stored, if the users return to the site after several days. Such a cookie may also be used to store the interests of the users, which are used for measure¬ment of coverage or marketing purposes. “Third-party cookies” are cookies which are offered by other providers than the controller who operates the online offering (otherwise, if they only consist of his own cookies, they are called “first-party cookies”).
If the users do not want that cookies are stored on their computer, they are requested to deactivate the corresponding option in the system settings of their browser. Stored cookies can be erased in the system settings of the browser. Exclusion of cookies can result in functional restrictions of this online offering.
Erasure of data
According to the statutory requirements in Germany, retention is prescribed for 6 years in conformity with Section 257(1) Commercial Code (books of account, inventories, opening balance sheets, annual financial statements, commercial correspondence, accounting vouchers etc.) or for 10 years in conformity with Section 147 (1) German fiscal code (ledgers, records, annual reports, accounting vouchers, commercial and business correspondence, documents being relevant in view of taxation etc.).
According to the statutory provisions in Austria, retention for 7 years is prescribed in particular according to Section 132 (1) BAO (accounting documents, vouchers/invoices, accounts, business papers, statement of revenue and expenditure etc.) or for 22 years in connection with real property and for 10 years for documents in connection with electronically provided services, telecommunications services, broadcasting and television services performed on behalf of non-entrepreneurs in EU member states, for whom the Mini-One-Stop-Shop (MOSS) regulation is invoked.
The hosting services used by us are intended for the provision of the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services like technical maintenance services, which we use in order to operate this online offering.
In this connection, we or our hosting provider process(es) master data, contact data, content data, contractual data, usage data, metadata and communication data of customers, prospects and visitors of this online offering on the basis of our legitimate interest in an efficient and safe provision of this online offering according to Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of the data processor agreement).
Collection of access data and log files
On the basis of our legitimate interest in the sense of Art. 6 (1)(f) GDPR, we or our hosting provider collect(s) data on every access to the server, on which this service is located (so-called server log files). The access data include the name of the retrieved website, file, date and time of retrieval, transmitted data quantity, message about successful retrieval, browser type with version, operating system of the user, referrer URL (the previously visited site), IP address and requesting provider.
For safety reasons (e.g. investigations into misuse and fraudulent actions), log file information is stored for 7 days at the maximum and erased afterwards. Data, which have to be retained as evidence, are excluded from erasure until final clarification of the respective event.
We process the data of our customers in the scope of our contractual services comprising conceptual and strategic advice, planning of campaigns, software and design development and consulting or maintenance, implementation of campaigns and processes/ handling, server administration, data analysis / consulting services and training services.
In this connection, we process master data (e.g. customer master data like names or addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photos, videos), contractual data (e.g. subject matter of agreement, term of agreement), payment data (e.g. banking details, payment history), usage data and metadata (e.g. in the scope of analysis and success measurement of marketing measures). In principle, we do not process any special categories of personal data, unless they form part of a contracted processing. The data subjects include our customers, prospects as well as their customers, users, website visitors or employees, as well as third parties. The purpose of processing consists of the provision of contractual services, invoicing and our customer service. The legal bases of processing result from Art. 6 (1) (b) GDPR (contractual services), Art. 6 (1) (f) GDPR (analysis, statistics, optimisation, security measures). We process data, which are required for substantiation and performance of the contractual services and point out that their indication is required. Disclosure to third parties only takes place, it this is required in the scope of a contract. When processing the data provided to us in the scope of a contract, we proceed according to the instructions of the customer and in conformity with the statutory requirements of contracted data processing according to Art. 28 GDPR and do not process the data for any other purposes than according to the contract.
We erase the data after expiry of the statutory warranty and comparable obligations. The necessity of retention of the data is checked at intervals of three years. In case of statutory filing obligations, erasure takes place after their expiration (6 years according to Section 257 (1) Commercial Code, 10 years according to Section 147 (1) of the German fiscal code). In case of data disclosed to us by the customer in the scope of a contract, we erase the data according to the order specifications, in principle after completion of the order.
Provision of contractual services
We process master data (e.g. names and addresses, as well as contact data of users), contractual data (e.g. services used, names of company contacts, payment information) in order to perform our contractual obligations and services according to Art. 6 (1) (b) GDPR. The inputs marked as obligatory in online forms are required for conclusion of the contract.
In the scope of use of our online services, we store the IP address and the time of the respective user action. Storage takes place on the basis of our legitimate interest and of the interest of the user in protection against misuse and other unauthorised use. In principle, such data are not disclosed to any third parties, unless this is required for pursuing our claims or there is a statutory obligation to do so according to Article 6 (1) (c) GDPR.
We process usage data (e.g. the websites visited of our online offering, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile in order to display product notes to the user on the basis of the services used by him/her so far.
Erasure of the data takes place after expiry of the statutory warranty and comparable obligations. The necessity of retention of the data is checked at intervals of three years. In case of statutory filing obligations, erasure takes place of their expiration. Statements contained in a customer account, if any, shall remain there until its deletion.
Administration, financial accounting, office organisation, contact administration
We process data in the scope of administrative tasks, as well as organisation of our business, financial accounting and compliance with statutory obligations, such as filing. In this connection, we process the same data that we process in the scope of performance of our contractual services. The processing bases are Art. 6 (1) (c) GDPR, Art. 6 (1) (f) GDPR. The processing concerns customers, prospects, business partners and website visitors. The purpose of and our interest in processing reside in the administration, financial accounting, office organisation, filing of data, i.e. tasks intended to maintain our business activities, to perform our duties and to provide our services. Erasure of the data in view of contractual services and the contractual communication is in line with the statements made in connection with such processing activities.
In this connection, we disclose or transmit data to the Treasury, consultants, e.g. tax advisors or chartered accountants, as well as other billing agencies or payment service providers.
On the basis of our business interest, we also store data concerning suppliers, organisers, promoters and other business partners, e.g. for subsequent contacting. In principle, we store such predominantly company-specific data in a permanent way.
As an option, users may create a user account. In the scope of registration, the required obligatory data are notified to the users. The data entered in the scope of registration are used for the purposes of using the offer. The users may be informed by e-mail about offer- or registration-specific information, like modifications to the scope of the offer or technical details. If users have terminated their user account, their data are erased with regard to the user account, unless their retention is required for commercial or tax law reasons according to Art. 6 (1) (c) GDPR. It is incumbent on the users to back up their data in case of termination prior to the end of the agreement. We are entitled to irretrievably erase any and all data of the user stored during the term of the contract.
In the scope of the use of our registration and login functions, as well as of the use of the user account, we store the IP address and the time of the respective user action. Storage takes place on the basis of our legitimate interest and of the interest of the user in protection against misuse and other unauthorised use. In principle, such data are not disclosed to any third parties, unless this is required for pursuing our claims or there is a statutory obligation to do so according to Article 6 (1) (c) GDPR. The IP addresses are anonymised or deleted after 7 days at the latest.
When contacting us (e.g. by contact form, e-mail, telephone or via social media), the data of the user are processed for handling the contact request and for handling according to Art. 6 (1) (b) GDPR. The user data can be stored in a Customer Relationship Management System (“CRM system”) or comparable inquiry organisation.
Any and all inquiries are deleted, if they are no longer required. The necessity is checked at intervals of two years. In addition to this, the statutory filing obligations apply.
Incorporation of third-party services and contents
On the basis of our legitimate interest (i.e. interest in the analysis, optimisation and economic operation of our online offering pursuant to Art 6 (1) (f) GDPR), we make use of content and services offered by third parties within our online offering, in order to incorporate their contents and services, like videos or fonts (hereinafter uniformly called “contents”).
This always implies that the external providers of such contents get aware of the user’s IP address, as they cannot send the contents to the browser without the IP address. The IP address is thus required for displaying such content. We make every effort to exclusively use content of providers who only use the IP address for displaying the content. External providers may use so-called pixel tags (invisible graphics, also designated as “web beacons”) for statistical or marketing purposes. The pixel tags enable them to evaluate information, such as the visitor traffic on the different pages of this website. The pseudonymous information can also be stored in cookies on the device of the users and among other things contain technical information about the browser and operating system, referring websites, visit time, as well as further data on the use of our online offering, and be linked with such information from other sources.
We incorporate the fonts (“Google Fonts”) from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We incorporate the maps of the service „Google Maps“ from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may in particular include IP addresses and location data of the users, which may, however, not be collected without their consent (as a rule given in the scope of the settings of their mobile devices). The data may be processed in the USA.
Issued by means of the data protection generator of lawyer Dr. Thomas Schwenke
Data Protection Officer
Schulz Concrete Engineering GmbH