Data Protection Notice
Status: 25 May 2018 (older versions)
We, INTERSEROH Dienstleistung GmbH, take the protection and security of your data very seriously, and we take account of this issue in all our business processes. In this Data Protection Notice we would like to give you an overview of those aspects of our online services which are relevant to data protection law. In the following sections we shall explain:
• Which data we collect when you use our online services
• For what purposes these data are processed by INTERSEROH Dienstleistung GmbH
• What rights and options you have with regard to the processing of your data
• How you can contact us on the subject of data protection.
When does this Data Protection Notice come into effect?
This Data Protection Notice applies to the online services supplied by INTERSEROH Dienstleistung GmbH at the domain interseroh.de and the social media accounts operated by Interseroh on Facebook, Twitter, LinkedIn and Xing (hereinafter called “social media accounts”).
Online services of Interseroh companies other than the foregoing are subject to each of their own data protection notices, which you can view on the websites in question.
1. Control and personal contact
The controller under the terms of the European General Data Protection Regulation (GDPR) is
INTERSEROH Dienstleistungs GmbH
When the words “we” or “us” are used in this Data Protection Notice, this shall mean solely INTERSEROH Dienstleistung GmbH.
You can reach Interseroh’s Data Protection Officer at firstname.lastname@example.org or by post, to be marked “FAO Data Protection Officer.”
2. Data processing when visiting our website
2.1. Automatic collection of access data
You can visit our website without providing any personal data. Only the access data which are transmitted automatically by your browser will then be collected. This will comprise, for example, your online identification (e.g. IP address, session IDs, device IDs), information about the web browser and operating system used, the website from which you are visiting our website (i.e. if you have visited one of our websites via a link), the names of the files requested (i.e. which texts, videos, pictures etc. you have viewed on our websites), your browser’s language settings, any error reports, and the times of access.
These access data must be processed to enable you to visit our website and to use it conveniently, and to ensure its permanent functional capability and security.
These access data will also be stored on a short-term basis in internal logfiles, in order to produce statistical information on the use of our websites. This enables us to optimise our website constantly, taking our visitors’ usage patterns and technical resources into account, and to rectify breakdowns and security risks. The information stored in the logfiles does not allow any direct conclusion to be drawn about your person – in particular, we store IP addresses only in truncated, anonymised form. Logfiles are stored for 30 days and archived following subsequent anonymisation.
The legal basis for this data processing is Article 6 (1) (f) of the GDPR (balance of interests, grounded on our foregoing legitimate interests).
We use our own cookies and cookies from third parties on our websites. A cookie is a standardised text file which is stored by your browser for a set time. Cookies make possible the local storage of information, such as language settings and temporary identifiers which can be retrieved on subsequent website visits by the server which has set the cookie. In your browser’s security settings you can view and erase the cookies in use. You can adjust your browser settings as you wish and in this way, for instance, refuse to accept cookies from third parties or all cookies. Please note that in this case you may not be able to use all our websites’ functions.
Our own cookies serve to make your visit to our websites more user-friendly and secure. The legal basis for the data processing associated therewith is Article 6 (1) (f) of the GDPR.
2.3. Your messages and communications
We collect all information and all data which you communicate to us via our websites. For example, you are able at various points on our websites, via functions such as the Contact Form or Contact function, to send us messages and, in some cases, files (e.g. PDF documents). Any information which is compulsory for these functions is marked as such. The information which you provide will be used by us solely in order to process your application.
We shall erase the data accrued thereby once their storage is no longer required, or we shall restrict their processing should statutory data retention obligations exist.
Disclosure of your message to another Interseroh company or to an external third party will only be made insofar as this is necessary in order to process your application (for example, we disclose your message to another Interseroh Group company if the latter is responsible for dealing with your request). If you do not wish your message to be disclosed to another company, you can say this – also as a precautionary measure, of course – directly in your message. We shall then pass on your message to the other company without such information as could identify you (e.g. your name, customer number or contact details).
The legal basis for the foregoing data processing is Article 6 (1) (b) of the GDPR. Insofar as you have consented to the disclosure or processing elsewhere of the data which you have communicated to us, the legal basis will be Article 6 (1) (a) of the GDPR.
2.4. Use of YouTube videos
We use YouTube videos on parts of our websites. YouTube is a video platform operated by the Google company YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”). The YouTube videos can be played directly on our websites. They are embedded in “extended data-protection mode”, i.e. no data about you as a user will be transmitted to YouTube if you do not play the videos. Only if you play the videos will data be transmitted to YouTube. We have no influence on this data transmission. Should personal data be transmitted to the USA, Google and YouTube have acceded to the EU-US Privacy Shield .
The legal basis for the foregoing data processing, insofar as we are the controlling body, is Article 6 (1) (f) of the GDPR (balance of interests grounded on our legitimate interest in incorporating video contents).
2.5. Analysis tools
2.5.1. Google Analytics
You can object at any time to the foregoing production and evaluation of pseudonymised user profiles by Google. For this purpose you have various options:
(1) You can set your browser to block cookies from Google Analytics.
(2) You can adjust your Google ad settings.
(3) You can install the opt-out plug-in provided by Google at https://tools.google.com/dlpage/gaoptout?hl=de on your Firefox, Internet Explorer or Chrome browser (this option does not work on mobile devices).
(4) You can set an “opt-out” cookie by clicking here: Disable Google Analytics.
The legal basis for this data processing is Article 6 (1) (f) of the GDPR (balance of interests grounded on our legitimate interest in evaluating general usage patterns).
3. Data processing when you use our career portal
You can apply for job vacancies on our career portal. The purpose of this data collection is to select applicants for potential employment. To receive and process your application we collect the following data in particular: first name and surname, e-mail address, application documents (e.g. references, CV), earliest date on which you can take up the job, and desired salary. The legal basis for the processing of your application documents is Article 6 (1) (b) and Article 88 (1) of the GDPR in conjunction with Section 26 of the German Data Protection Act (BDSG).
4. Data processing for social media accounts
Interseroh is represented on the following networks with its own social media accounts:
On these sites we tell you the latest news from Interseroh and everything we have been doing, and we are glad to use the facilities provided by the social networks to communicate directly with their members.
Please note, however, that we have no influence of the data processing carried out by the social networks. Therefore please check carefully what personal information and what messages you send us via the social networks and, in case of doubt, use other ways of contacting us which we provide. We therefore cannot undertake any liability for the conduct of the operators of these social networks and of their other members.
If you communicate with us via our social media accounts, we shall process the information supplied to us for this purpose by the social network in question (e.g. your name, your profile page and the contents of the messages which you have sent to us) in accordance with the purpose for which you have sent it (e.g. service requests, suggestions and criticism). We shall erase the data thus accrued after their storage is no longer necessary, or we shall restrict their processing should statutory data retention obligations exist. In the case of public posts on our social media accounts, we shall decide in the individual case, weighing your interests and ours, whether and when we may delete these.
The legal basis for the foregoing data processing will depend on the purpose of your message. Should the purpose be that of using our customer service or of requesting provision by Interseroh, the legal basis will be Article 6 (1) (b) of the GDPR. Otherwise the legal basis will be Article 6 (1) (f) of the GDPR (balance of iterests grounded on our legitimate interest in processing your message). Insofar as you have consented to the processing of the foregoing data, the legal basis is Article 6 (1) (a) of the GDPR.
5. Disclosure of data
We only disclose your data if:
• You have given your express consent thereto, pursuant to Article 6 (1) (a) of the GDPR
• Disclosure is necessary under Article 6 (1) (f) of the GDPR in order to bring, exercise or defend the legal claims of an Interseroh company, and no grounds exist to suppose that you have a compelling interest in your data not being disclosed which overrides these considerations,
• We have a statutory duty of disclosure under Article 6 (1) (c) of the GDPR
• Disclosure is permitted by law and is necessary, under Article 6 (1) (b) of the GDPR, for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
5.2. Disclosure to external service providers of INTERSEROH Dienstleistungs GmbH
A part of the data processing set out in this Data Protection Notice may be carried out on our behalf by external service providers. Along with the service providers named in this Data Protection Notice, these may include in particular data centres which store our websites and databases, IT service providers which maintain our systems, and corporate consultants.
Should we disclose data to our service providers, these providers may only use the said data to carry out their tasks. These service providers are carefully selected and commissioned by ourselves. They are contractually bound to follow our instructions, have suitable technical and organisational measures in place to protect the rights of data subjects, and are monitored regularly by ourselves.
Should we, over and above this Data Protection Notice, pass on your data to a service provider located in a country outside the European Economic Area (EEA), we shall inform you separately of this fact as it becomes necessary and tell you of the specific guarantees on which this data transfer is based. Should you wish to receive copies of guarantees certifying an adequate level of data protection, please communicate with our Data Protection Officer (see Section 1).
6. Period of storage
Unless stated otherwise in this Data Protection Notice, we shall store and use your data only as long as this is necessary to perform our contractual or statutory duties or to satisfy the purpose for which the data were collected. Following expiry of the statutory period of limitation, however, we shall restrict their processing, i.e. from that time your data will only be used to comply with statutory duties.
We shall then erase your data immediately, unless we still need these data until expiry of the statutory period of limitation for purposes of evidence in civil claims or to comply with statutory retention periods. Even thereafter it may be necessary for us to store your data for accounting purposes. We have a duty to do this in order to satisfy statutory rules of documentation which may arise under the German Commercial Code, the German Tax Code, the German Credit and Loans Act, the German Money Laundering Act and the German Securities Trading Act. The periods of storage stipulated in these Acts run from two to ten years.
The legal basis for this data protection for purposes of compliance with statutory duties of documentation and storage is Article 6 (1) (c) of the GDPR.
7. Your rights
To exercise your rights as set out below, you can communicate at any time with our Data Protection Officer (see Section 1):
• You have the right at any time to access information on the processing of your personal data by ourselves. In supplying such information we shall explain this data processing to you and provide you with an overview of the data which we have saved relating to your person.
• Should data stored with us be incorrect or no longer up-to-date, you have the right to have these data corrected.
• You can also require that your data be erased. Should, in exceptional cases, such erasure not be possible due to other legal regulations, the data will be blocked, so that they are only available for this legal purpose.
• You can further have the processing of your data restricted, e.g. if you believe that the data which we have stored are not correct.
• You have the right of data portability, i.e. should you wish, we must send you a digital copy of the personal data which you have provided.
You also have the right to lodge a complaint with a data protection authority. The data protection authority for INTERSEROH Dienstleistungs GmbH is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, PO Box 20 04 44, 40102 Düsseldorf.
8. Right of withdrawal and objection
If you wish to exercise your rights of withdrawal and objection as set out below, a notification without prescribed formal requirements to the contact details set out in Section 1 will suffice.
Withdrawal of consent
Under Article 7 (2) of the GDPR, you have the right at any time to withdraw any declaration of consent which you have given us. This will result in our being unable to continue the data processing based on this consent in the future. The withdrawal of your consent will not affect the legality of the processing undertaken pursuant to the said consent up to the time of the withdrawal.
Objection to processing of data
Insofar as we process your data on the grounds of legitimate interests under Article 6 (1) (f) of the GDPR, under Article 21 of the GDPR you have the right to lodge an objection to the processing of your data, should grounds exist arising from your particular situation, or should the objection be directed towards direct marketing. In the latter case you have a general right of objection which we shall realise even if you do not state reasons.
9. Data security
We maintain technical measures adequate to guarantee data security for our online services, particularly for the protection of your data against dangers posed during data transmission and against unauthorised cognizance by third parties. These measures are constantly revised to reflect the latest state of technology. To secure the personal data which you have specified on our website, we use transport layer security (TLS), which encrypts the information which you have entered.
10. Amendments to this Data Protection Notice
We shall update this Data Protection Notice from time to time, for instance when we revise our website or if statutory rules or official regulations should change.
Version 1.0 / Status: May 2018