Our handling of your data and your rights – Information under articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) –
Below we provide information on how we process your personal data, as well as on the claims and rights you are entitled to under the data protection regulations.
Which data are processed in detail and how they are used depends on which services have been requested or agreed.
1. Who is responsible for data processing and whom can I contact?
The responsible body is:
Genthiner Strasse 48
Tel: +49 30 29 02 82 53-0
Fax: +49 30 29 02 82 53-26
Email: [email protected]
You can contact our company data protection officer at:
datenschutz nord GmbH
Email address: [email protected]
2. Which sources and data do we use?
We process personal data that we receive from you within the framework of our business relations (e.g. from application procedures, newsletters, petitions, surveys, member registrations). In addition, to the extent necessary for the provision of our services, we process personal data that we have received from other companies (such as SCHUFA) in a permissible manner (for example to execute orders, to fulfil contracts or on the basis of your consent). We also process personal data that we have legitimately obtained and are able to process from publicly available sources (for example, trade and association registers, press, media).
Relevant personal data are personal details (name, address and other contact details, date and place of birth and nationality). In addition, this may also include transaction data (e.g. order details), data from the fulfilment of our contractual obligations (e.g. execution of a licence agreement, deliveries), data from your membership relationship, documentation data (e.g. call logs), survey data, data about your use of the telemedia we offer (e.g. time of accessing our websites, apps or newsletters, pages of ours that were clicked, or entries made) as well as other data comparable with the categories mentioned.
3. For what reason do we process your data (purpose of the processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):
3.1 For the fulfilment of contractual obligations (Article 6 (1b) GDPR)
Personal data are processed (Article 4 No. 2 GDPR) for the provision and delivery of our service (e.g. as part of membership, subscriptions or competitions), in particular for the execution of our contracts or pre-contractual actions with you and the execution of your orders, as well as for all the activities necessary for the operation and administration of an organisation.
The purposes of data processing are based primarily on the specific product or order (e.g. to handle the membership relationships in our organisation, to fulfil our statutory, charitable purposes) and can include analysis, advice and conducting transactions, among other needs.
Further details on the purpose of data processing can be found in either the contract documents or the terms and conditions of business.
3.2 In the context of the balance of interests (Article 6 para. 1f GDPR)
Where necessary, we process your data in the course of actually fulfilling our charitable statutory purposes, in order to process membership relationships in our organisation and to fulfil contracts, for the protection of our legitimate interests or those of third parties, such as in the following cases:
- ensuring IT security and IT operations;
- examining and optimising procedures for needs analysis and direct contact with prospects and customers;
- advertising or market and opinion research, as long as you have not objected to the use of your data;
- asserting legal claims and defence in legal disputes;
- measures for building and plant safety (e.g. control of access);
- measures to ensure house rules;
- business management and service development measures.
3.3 On the basis of your consent (Article 6 para. 1a GDPR)
If you have given us your consent to the processing of personal data for specific purposes (such as disclosure of data, evaluation of user data for marketing purposes), the lawfulness of this processing is based on your consent. Consent, once given, can be withdrawn at any time. This also applies to the withdrawal of declarations of consent – such as the SCHUFA clause – that were issued to us before the entry into force of the GDPR, i.e. before 25 May 2018. Please note that the withdrawal only takes effect for the future. Processing that occurred before the withdrawal is not affected.
4. Who obtains my data?
Within our organisation, the entities that gain access to your data are the ones that need to do so in order to fulfil our contractual and legal obligations. Our processors (Article 28 GDPR) may also obtain data for these purposes. These are companies in the categories of IT services, printing services, telecommunications, debt collection, advice and consulting, as well as sales and marketing including companies for carrying out audits.
With regard to the transfer of data to recipients outside of our company, it should be noted that we only pass on information about you if statutory provisions require it, if you have given your consent, or if we are authorised to provide information.
Under these conditions, recipients of personal data can be, for example:
- Public bodies and institutions (such as public authorities) in the presence of a legal or regulatory obligation.
- Other entities to which we provide personal information to conduct the business relationship or membership relationship with you, such as: collection agencies or credit bureaus.
- Other data recipients may be those to whom you have given us your consent to submit your data (for further details, please always refer to the conditions of participation in the respective competitions).
5. For how long will my data be stored?
If necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract.
In addition, we are subject to various storage and documentation obligations that result, inter alia, from the German Commercial Code (HGB) and the Tax Code (AO). The periods for storage and documentation are two to ten years.
Finally, the storage period is also determined by the statutory limitation periods, which, for example in accordance with §§ 195 ff. of the Civil Code (BGB), are usually three years but can in some cases be up to thirty years.
6. Are data transmitted to a third country or to an international organisation?
A transfer of data to third countries (states outside the European Economic Area – EEA) only takes place if this is necessary for the execution of your contract, if required by law, or if you have given us your consent. Details will be provided to you separately, if required by law.
7. What privacy rights do I have?
Each data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restrict processing under Article 18 GDPR, and the right to data portability under Article 20 GDPR. With regard to the right to information and the right to erasure, the restrictions under §§ 34 and 35 BDSG apply. In addition, there is a right of appeal to a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act [BDSG]).
8. Is there a duty to provide data?
As part of our business relationship, you only need to provide the personal information that is required to establish, conduct and terminate a business relationship or that we are required to collect by law. Without such data, we will generally have to refuse to conclude the contract or to execute the order, or we will be unable to complete an existing contract and may have to terminate it.
9. To what extent is there automated decision-making in individual cases?
In principle, we do not use fully automated decision-making, in accordance with Article 22 of the GDPR, to establish and implement a business relationship. If we do use such procedures in individual cases, we will inform you about this separately, if this is required by law.
10. To what extent are my data used for profiling (scoring)?
In principle, we do not use profiling, in accordance with Article 22 GDPR. If we do use this procedure in individual cases, we will inform you about this separately, if this is prescribed by law.