The following information provides you with an overview of the processing of your personal data by us and your rights under data protection law. Which individual data is processed and how it is used depends largely on the agreed services. As such, not all of this information will apply to you.
1. Who is the controller responsible for data processing?
The controller is:
Our data protection officer is Ivan Bornatico. You can reach Mr Bornatico at: firstname.lastname@example.org
2. Which sources and data do we use?
We process personal data that we receive from our customers or other data subjects as part of our business relationship. In addition, we process – as far as necessary for the provision of our services – personal data that we legitimately gain from publicly available sources (e.g. debtor directories, land registers, trade and association registers, press, internet) or which is transmitted to us by other third parties.
Relevant personal data includes personal information (name, address and other contact information such as email address, date and place of birth and nationality), credentials (e.g. ID data) and authentication data (e.g. specimen signature). In addition, this may include order data, data from the fulfilment of our contractual obligations, documentation data and other data similar to the categories mentioned.
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA).
a. for the fulfilment of contractual obligations (Article 6 (1) (b) GDPR
Data is processed to provide our services in the context of the performance of our contracts with our customers or to carry out pre-contractual measures, which are made on request. The purposes of the data processing depend primarily on the specific product or service. In particular, the data processing takes place:
- to identify you as our customer
- to be able to advise you in a suitable manner
- for correspondence with you
- for invoicing
b. as part of the weighing of interests (Article 6 (1) f GDPR
If necessary, we process your data beyond the actual performance of the contract for the protection of legitimate interests of ours or third parties. Examples:
- advertising provided that you have not objected to the use of your data,
- asserting legal claims and defence in legal disputes,
- ensuring IT security and IT operations,
- preventing and investigating criminal offences,
- measures for building and plant safety (e.g. access controls),
- measures for the assertion of the right to prevent trespass, measures for business management and further development of services and products, risk management in our company.
c. based on your consent (Article 6 (1) a GDPR)
Insofar as you have given us consent for the processing of personal data for specific purposes, the legality of this processing is based on that consent. Consent given may be revoked at any time. This also applies to the revocation of declarations of consent issued to us before the validity of the GDPR, i.e. before 25 May 2018. The revocation of consent is only effective for the future and does not affect the legality of the data processed before the revocation.
d. due to legal requirements (Article 6 (1) c GDPR) or in the public interest (Article 6 (1) e GDPR)
In addition, as a company we are subject to various legal obligations, i.e. statutory requirements (e.g. tax laws). The purposes of processing include, but are not limited to, the fulfilment of tax reporting obligations and the assessment and management of risks within our company.
3. Who gets my data?
In principle, we only pass on information about our customers if statutory provisions require us to do so and the customer has given their consent. Under these conditions, recipients of personal data may include:
- public bodies and institutions,
- service providers and companies we use for order processing.
- Haas Automation Inc.
- Tornos SA
- SHW Werkzeugmaschinen
Other data recipients may include those entities for which you have given us your consent to the transmission of the data or exempted us from consent, or to whom we are authorised to transmit personal data on the basis of a weighing of interests.
4. Is data transmitted to a third country or international organisation?
A transmission of data to entities in countries outside the European Union (so-called third countries) takes place to the extent.
- it is necessary to carry out your orders,
- it is required by law (e.g. tax reporting obligations) or
- you have given us your consent.
Furthermore, a transfer to entities in third countries is provided in the following cases:
- If necessary in individual cases, your personal data may be transmitted to an IT service provider in the United States or another third country to ensure the IT operation of our company, in compliance with European data protection standards.
- In individual cases, personal data will be transmitted in compliance with the data protection standards of the European Union, with the consent of the data subject or on the basis of legal provisions to combat money laundering, terrorist financing and other criminal acts as well as in the context of a weighing of interests.
5. How long will my data be stored?
We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is usually a continuing obligation, which is conceived to last for years.
If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless its temporary processing is necessary for the following purposes:
- fulfilment of commercial and tax retention requirements that may arise from, among other things: Commercial Code (HGB), Tax Code (AO). The deadlines for retention and documentation specified there are usually six to ten years.
- preservation of evidence in accordance with the statutory limitation provisions. According to §§195 et seq. of the Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular period of limitation is 3 years.
6. What data protection rights do I have?
You have the right:
- in accordance with Article 7 (3) GDPR, to revoke your consent given to us at any time. As a result, we will no longer be allowed to continue data processing based on this consent in the future;
- in accordance with Article 15 GDPR, to demand information about your personal data processed by us. In particular, you can provide information on the processing purposes, the category of personal data, the categories of recipients to whom your data has been or is being disclosed, the planned retention period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of complaint, the source of the data, if not collected by us, and the existence of automated decision-making, including profiling and, where appropriate, meaningful information about its details;
- in accordance with Article 16 GDPR, to immediately demand the correction or completion of personal data stored by us;
- in accordance with Article 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is required for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest or to assertion, exercise or defence against legal claims;
- in accordance with Article 18 GDPR, to demand the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you reject its deletion and we no longer need the data, but you require it to assert, exercise or defend against legal claims, or you have objected to the processing in accordance with Article 21 GDPR;
- in accordance with Article 20 GDPR, to receive your personal data that you have provided us in a structured, common and machine-readable format or to request its transfer to another controller and
- in accordance with Article 77 GDPR, to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace, or our registered office.
Information about your right of objection under Article 21 GDPR
Case-specific right of objection
You have the right at any time, for reasons arising out of your particular situation, to object to the processing of personal data concerning you that takes place in accordance with Article 6 (1) e GDPR (data processing in the public interest) and Article 6 (1) f GDPR (data processing on the basis of a weighing of interests).
Right to object to the processing of data for direct marketing purposes
In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising insofar as it relates to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
Recipient of an objection
The objection may be made in any form. It should contain the subject line ‘objection’, indicate your name and address and be addressed to:
Mr. Ivan Bornatico