Data Protection Policy

I. Name and address of the Data Controller

The Data Controller within the meaning of the General Data Protection Regulation and other national data protection laws of the EU Member States, as well as other data protection provisions, is:

Baierl & Demmelhuber Innenausbau GmbH

Cranachstraße 5
84513 Töging
Deutschland
Tel. +49 8631 9001-0
Fax +49 8631 9001-300
info (at) demmelhuber (punkt) de
www.demmelhuber.de

 

II. Name and address of Data Protection Officer

The Data Controller's Data Protection Officer is:

Karl Licht

Cranachstraße 5
84513 Töging
Deutschland
Tel. +49 8631 9001-0
Fax +49 8631 9001-300
datenschutzbeauftragter (at) demmelhuber (punkt) de

 

III. General information on data processing

1. Scope of personal data processing

We collect and utilise our users' personal data only insofar as this is necessary to provide an operational site and to supply our content and services. Collection and utilisation of our users' personal data is only carried out periodically with the user's consent. An exception applies in those cases where prior consent cannot be obtained for legal or circumstantial reasons and the processing of the data is permitted by law.

 

2. Legal basis for the processing of personal data

Whenever we obtain the consent of the Data Subject to the processing of his or her personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the requisite legal basis.

Where the processing of personal data is necessary to perform a contract to which the Data Subject is a party, Art. 6 para. 1 lit. b GDPDR serves as the requisite legal basis. This also applies to processing operations required to carry out pre-contractual actions.

Insofar as processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPDR serves as the requisite legal basis.
In the event that the vital interests of the Data Subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPDR as the requisite legal basis.

If processing is necessary to safeguard the legitimate interests of our company or of a third party, and if the interests, fundamental rights and freedoms of the Data Subject do not prevail over the interests first mentioned, Art. 6 para. 1 lit. f GDPDR serves as the legal basis for processing.

 

3. Deletion of data and length of storage

The personal data of a Data Subject will be deleted or blocked as soon as the purpose for the storage of the data ceases to exist. Furthermore, data may be stored if this has been stipulated by the European or national legislation in EU regulations, laws or other provisions to which the Data Controller is subject. Blocking or deletion of data is also carried out whenever a storage period stipulated by the rules mentioned expires, unless there is a need for further storage of the data in order to conclude or perform a contract.


IV. Provision of the website and creation of log files

1. Type and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the visiting computer.

During this process, the following information is collected:

  • (1) Information about the type of browser and version used
  • (2) The user’s operating system
  • (3) The user's Internet service provider
  • (4) The user's IP address (encrypted)
  • (5) Date and time of access
  • (6) Websites from which the user's system accesses our website
  • (7) Websites accessed by the user's system via our website

 

Data is also stored in our system's log files. None of this data or any other personal data of the user is stored.

 

2. Principles governing data processing

The legal basis for the temporary storage of data and log files is constituted by Art. 6 para. 1 lit. f GDPDR.

 

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary to enable the website to be served to the computer of the user. To do this, the user's IP address must be stored for the duration of the session.

Storage in log files takes place, so as to ensure the functionality of the website. In addition, data is used to optimize the website and to ensure the security of our information technology systems. No evaluation of data for marketing purposes is carried out in this context. For these purposes, our legitimate interest in the processing of data exists pursuant to Art. 6 para. 1 lit. f GDPDR.

 

4. Duration of storage, objection and removal options

Data will be deleted as soon as it is no longer needed to achieve the purpose for which it was collected. In the case of data collected in order to serve the website, this will be undertaken once the respective session has ended.

If the data is stored in log files, this will be undertaken after 90 days at the latest. Storage beyond this period as possible. In this case, the user's IP addresses will be deleted or distorted so that assignment to the accessing client is no longer possible.

Collection of data for provision of the website and storage of data in log files is absolutely necessary for website operation. For this reason, users have no right of objection.

 

V. Use of social media plug-ins

1. Type and scope of data processing

We currently use the following social media plug-ins:

  • - Facebook
  • - Twitter

 

We use the so-called two-click solution. This means that whenever you visit our website, initially no personal data is passed on to the providers of the plug-ins. You can recognize the provider of the plug-in by the marking on the box above its initial letter or the logo. We offer you the possibility to communicate directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it, will the plug-in provider receive the information that you have accessed the corresponding website forming part of our online offering. In addition, the data mentioned under section § 1 of this declaration will be transmitted. In the case of Facebook, according to the provider in Germany, the IP address is anonymized immediately after collection. By activating the plug-in, data is automatically transmitted to the respective plug-in provider and stored there (and in the case of US providers, in the USA).

We have no influence over the data collected and the actual data processing processes, nor are we aware of the full extent of data collection, the purposes of any processing or of the actual storage periods. Nor do we have any information on deletion of the data collected by the plug-in provider.

The data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If the user is logged in to the plug-in provider, the data submitted will be associated directly with the existing account at the plug-in provider. If the user clicks the activation button and creates a link to a page, for example, the plug-in provider will also store this information in the user account and will share it publicly with the user's contacts. We therefore recommend that you regularly log out after using a social network, but especially before clicking on the button; because this way, any assignment to the user's profile by the plug-in provider can be avoided.

 

2. Principles governing data processing

The transmission of the user's data described above takes place only after the user has clicked on the corresponding button of the plug-in. No data is transmitted automatically. By clicking on the button, the user explicitly agrees to data transmission. The legal basis for processing the data is Art. 6 para. 1 lit. a GDPR.

 

3. Purpose of data processing

By means of the plug-ins we offer you the opportunity to interact with social networks and other users, so that we can improve our service and make it more interesting for you as a user. This is our legitimate interest under Art. 6 para. 1 lit. f GDPDR.

 

4. Duration of storage, objection and removal options

We do not store personal data when using social media plug-ins. Since the plug-in provider mainly collects data via cookies, we recommend that you delete all cookies before clicking on the greyed-out box, using your browser's security settings.

The user is entitled to a right of objection to the formation of user profiles, whereby the user will need to contact the respective plug-in provider in order to exercise that right. Further information on the relevant rights and setting options for the protection of privacy can be found at the addresses of the plug-in providers:

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; For more information about data collection: http://www.facebook.com/help/186325668085084

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; for more information about data collection: https://twitter.com/en/privacy

 

VI. E-mail contact

1. Type and scope of data processing

You can contact us via the e-mail addresses provided. In this case, the user's personal data that is transmitted together with the email will be stored.

This data will not be disclosed to third parties in this context. The data is used exclusively for processing the conversation.

 

2. Principles governing data processing

The legal basis for the processing of the data transmitted in the course of sending an e-mail is Article 6 (1) lit. f GDPDR. If the e-mail contact intends to conclude a contract, then an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPDR.

 

3. Purpose of data processing

The processing of the personal data transmitted in the context of the contact is only used by us to process the contact. This also includes the required legitimate interest in processing the data.

 

4. Duration of storage

Data will be deleted as soon as it is no longer needed to achieve the purpose for which it was collected. For personal data sent by e-mail, this is the case when the respective conversation with the user has been completed. The conversation will have ended once it is evident from the circumstances that the matter at hand has been conclusively resolved. In addition, storage is possible if there is a legal basis for doing so. This can be the case, among other things, if data processing is necessary to fulfil the terms of a contract.


5. Objection and removal options

A user who has contacted us by e-mail can object at any time to the storage of his or her personal data. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us will be deleted as a result.

 

VII. Application form

1. Type and scope of data processing

On our website, the user can apply for vacancies directly. If a user makes use of this option, the data entered in the input screen will be transmitted to us and then stored. This data includes:

  • (1) First name*
  • (2) Last name*
  • (3) Gender *
  • (4) Street and house number*
  • (5) Post code + city*
  • (6) Country*
  • (7) Landline number
  • (8) Mobile number
  • (9) Email address*
  • (10) Date of birth
  • (11) Place of birth
  • (12) Citizenship
  • (13) Highest school leaving certificate
  • (14) Institute

 

All data marked with * is compulsory.

In addition, the user can submit further application documents to us.

During the transmission process, your consent is obtained for processing data and reference is made to this data protection declaration.

 

2. Principles governing data processing

The legal basis for data processing is the consent of the user under Art. 6 para. 1 lit. a GDPDR.

 

3. Purpose of data processing

The processing of personal data from the input mask as well as all other data transmitted by the user is used by us solely to process the application.

 

4. Duration of storage, objection and removal options

Data will be deleted as soon as it is no longer needed to achieve the purpose for which it was collected. For personal data from the input mask and all other data transmitted by the user, this is usually the case, once the application process has been completed. Any further storage will only take place with the consent of the applicant.

The user has the option of revoking his or her consent to the processing of personal data at any time.

Revocation of this consent and an objection to storage can be sent by e-mail to datenschutzbeauftragter (at) demmelhuber (punkt) de   .

All personal data stored in the course of the application will be deleted in this case. The application will not be followed up.

 

VIII. Rights of the Data Subject

If any personal data of yours is processed, you are the Data Subject within the meaning of the GDPDR and you have the following rights towards the Data Controller:

 

1. Right to information

You can request the Data Controller to confirm whether we will be processing personal data that concerns you.
If such processing takes place, you can request the following information from the Data Controller:

  • (1) the purposes for which the personal data is being processed;
  • (2) the categories of personal data that are being processed;
  • (3) the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
  • (4) the planned duration of any storage of personal data concerning you or, if specific information is not available, the criteria for determining the duration of such storage;
  • (5) the existence of a right to rectification or deletion of personal data concerning you, a right to restriction of processing by the Data Controller or a right to object to such processing;
  • (6) Existence of a right of appeal to a supervisory authority
  • (7) all available information on the source of the data if the personal data is not collected from the Data Subject;
  • (8) the existence of automated decision-making, including profiling under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the Data Subject.

 

You have the right to request information about whether your personal information relates to a third country or an international organisation. In this connection, you can request the appropriate guarantees under Art. 46 GDPR in connection with the transfer of such data.

 

2. The right to correction of data

You have a right to correction and / or completion in relation to the Data Controller, if the personal data concerning you is being processed incorrectly or incompletely. The Data Controller must carry out this correction immediately.

 

3. The right to restricted processing

You may request that the processing of your personal data is restricted, under the following conditions:

  • (1) if you dispute the accuracy of your personal data for a period of time that enables the Data Controller to verify the accuracy of your personal data;
  • (2) the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
  • (3) the Data Controller no longer needs the personal data for processing purposes , but you need it in order to assert, exercise or defend legal claims; or
  • (4) if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the Data Controller outweigh the grounds of your objection.

 

If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of major public interest of the European Union or a Member State.

If the restriction on processing has been restricted in accordance with the above conditions, the Data Controller will inform you before the restriction is lifted.

 

4. Right to deletion

a) Duty to delete

You may require the Data Controller to delete your personal information without delay, and the Data Controller will be required to delete this information immediately, provided one of the following grounds applies:

  • (1) The personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.
  • (2) You withdraw your consent, to which the processing pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. GDPDR and there is no other legal basis for the processing.
  • (3) You raise an objection pursuant to Art. 21 para. 1 GDPDR and there are no prior justifiable reasons for the processing, or else you raise an objection to the processing pursuant to Art. 21 para. 2 GDPDR.
  • (4) The personal data concerning you has been processed unlawfully.
  • (5) The personal data concerning you must be deleted in order to fulfill a legal obligation under European Union law or the law of the Member States to which the Data Controller is subject.
  • (6) The personal data concerning you was collected in relation to information society services offered pursuant to Article 8 (1) GDPR.

 

b) Passing information to third parties

If the Data Controller has rendered the personal data concerning you public and pursuant to Article 17 (1) of the GDPR is subject to a duty to delete it, it shall, taking into account the available technology and implementation costs, take appropriate steps, including the relevant technical methods, to inform the Data Controllers who process the personal data that you have been identified as being the Data Subject and have requested deletion of all the links to such personal data or the deletion of all copies or replications of such personal data.

 

c) Exceptions

The right to deletion does not exist if the processing is required

  • (1) in order to exercise the right to freedom of expression and information;
  • (2) in order to fulfill a legal obligation that requires processing under European Union or Member State law to which the Data Controller is subject or for the performance of a public-interest or public-authority task transferred to the Data Controller;
  • (3) for reasons of public interest in the field of public health pursuant to Article 9 (2) lit. h and i and Art. 9 (3) GDPR;
  • (4) for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes assume pursuant to Article 89 (1) GDPR, insofar as the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
  • (5) in order to assert, exercise or defend legal claims.

 

5. Right to information

If you have the right to correction, deletion or restriction of data processing as against the Data Controller, he / she is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of the data or restriction of processing, except where this proves to be impossible or involves a disproportionate amount of effort.

In relation to the Data Controller, you have the right to be informed about these recipients.

 

6. Right to data portability

You have the right to receive personally identifiable information you provide to the Data Controller in a structured, commonly-used and machine-readable format. In addition, you have the right to transfer this data to another Data Controller without hindrance by the existing Data Controller, whereby the said data must be supplied to the former, provided that

  • (1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
  • (2) the processing is carried out using automated procedures.

 

In exercising this right, you also have the right to ensure that the personal data relating to you is transmitted directly from one Data Controller to another, insofar as this is technically feasible. The freedoms and rights of other persons may not be affected thereby, however.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or for the exercise of official authority delegated to the Data Controller.

 

7. Right to object

You have the right at any time, for reasons that arise from your particular situation, to raise an objection against the processing of your personal data, which takes place pursuant to Art. 6 para. 1 lit. e or f GDPDR; this also applies to profiling based on these provisions.

The Data Controller will no longer process personal data concerning you unless it can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, exercising or defending legal claims.

If the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, to exercise your right to object through automated procedures that follow certain technical specifications.

 

8. Right to withdraw data protection declaration

You have the right to revoke your data protection declaration at any time. The withdrawal of consent will not affect the lawfulness of the processing based on consent prior to the withdrawal.

 

9. Automated decision on an individual basis including profiling

You have the right not to be subjected to a decision based solely on automated processing - including profiling - that would have some legal effect or would significantly affect you in a similar manner. This does not apply if the decision

  • (1) is necessary for the conclusion or performance of a contract between you and the     Data Controller,
  • (2) is permitted by European Union or Member State legislation to which the Data Controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or
  • (3) is carried out with your express consent.

 

However, these decisions must not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g and reasonable measures have been taken to protect rights and freedoms and your legitimate interests.

In the cases referred to in (1) and (3), the Data Controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person on the part of the Data Controller, to state his or her own position and to challenge the decision.

 

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you breaches the GDPR.

The supervisory authority to which the complaint has been submitted must inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.