We greatly appreciate your interest in our company. The management of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology attaches particular importance to data privacy. In principle, the websites operated by Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology can be used without providing personal data. However, if a data subject wishes to use special services provided by our company through our website, we may have to process their personal data. If personal data has to be processed and there is no legal basis for this processing, we generally obtain the data subject's consent first.
As the data controller, Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology has implemented numerous technical and organizational measures to ensure that the personal data processed through this website is protected as comprehensively as possible. Nevertheless, web-based data transmission is not 100% secure, which means that absolute protection cannot be guaranteed. For this reason, all data subjects are free to communicate their personal data to us through other channels, e.g. by phone.
a) Personal data
’Personal data’ means any information relating to an identified or identifiable natural person (henceforth referred to as the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
b) Data subject
A ‘data subject’ is any identified or identifiable natural person whose personal data is processed by the data controller.
’Processing’ means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
d) Restriction of processing
’Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.
’Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
’Pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The ‘controller’ is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The ‘processor’ is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
The ‘recipient’ is a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
A ‘third party’ is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
’Consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his/her personal data.
2. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation, other data protection legislation enforced in the European Union Member States, and other provisions with the character of data protection legislation is:
Dr. Brill + Partner GmbH Institut für Hygiene und Mikrobiologie
Tel. +49 40 557631-0
Using cookies enables Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology to provide the users of this website with more user-friendly services that would not be possible without these cookies.
The data subject can prevent our website from setting cookies at any time by configuring his/her web browser accordingly; this will permanently deny the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via the web browser or other software programs. This is possible in all commonly used web browsers. If the data subject disables the setting of cookies in the web browser he/she is using, it may not be possible to use all of the functions on our website in full.
4. Collection of general data and information
The website of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology collects a quantity of general data and information whenever a data subject or an automated system accesses it. These data and general information are stored in the server log files. The following information can be collected: (1) the browser types and versions used, (2) the operating system used by the accessing computer, (3) the website from which an accessing computer accesses our website (the 'referrer'), (4) the subpages that the accessing computer accesses on our website, (5) the date and time at which the website is accessed, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing computer, and (8) other similar data and information required to avert threats in the event of attacks on our information technology systems.
Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology does not draw any conclusions about the data subject when using these general data and information. Rather, this information is required (1) to deliver the content of our website correctly, (2) to optimize the content of our website and its advertising, (3) to safeguard the long-term operability of our IT systems and website technology, and (4) to provide law enforcement authorities with the information they need to take legal action in the event of a cyber attack. Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology therefore uses these anonymously collected data and information for statistical purposes and to improve data privacy and data security in our company, the ultimate goal being to achieve the best possible level of protection for the personal data we process. The anonymous data in the server log files are stored separately from all personal data provided by a data subject.
5. Registration on our website
The data subject has the option of registering on the controller's website by entering his/her personal data. The personal data transmitted to the controller depend on the input mask used for registration purposes. The personal data entered by the data subject are collected and stored solely for company purposes and for internal use by the controller. The controller may have the personal data transferred to one or more processors, e.g. a parcel service, which will also use them solely for internal purposes on the controller's behalf.
When the data subject registers on the controller’s website, the IP address assigned by his/her internet service provider (ISP) and the date and time of registration will also be stored. Storing this data is the only way in which we can prevent our services from being improperly used; these data are required to take legal action if crimes are committed. The data therefore have to be stored in order to protect the controller. The data are never transferred to third parties unless there is a legal obligation to do so or this is necessary for purposes of legal action.
The data subject's registration and voluntary provision of personal data enable the controller to offer the data subject content or services that by their nature can only be offered to registered users. Registered persons are free to amend the data they provided on registration or completely remove them from the controller’s database.
The controller will provide every data subject with information about the personal data stored at any time on being requested to do so. The controller will also amend or erase personal data at the data subject's instruction or request insofar as the controller is not legally obliged to retain the data. The data subject may contact any of the controller’s employees for this purpose.
6. Newsletter subscription
The website of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology offers users the opportunity to subscribe to the company newsletter. The personal data transmitted to the controller when subscribing to the newsletter depend on the input mask used.
Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology informs its customers and business partners of company offers by means of a regular newsletter. In principle, the data subject can only receive our company newsletter if (1) he/she has a valid email address, and (2) he/she registers to receive the newsletter. For legal reasons, a confirmation mail will be sent to the email address used when subscribing to the newsletter in order to complete the double opt-in procedure. This confirmation mail serves to check whether the owner of the email address, i.e. the data subject, authorized the receipt of the newsletter.
When a data subject subscribes to the newsletter, we also store the IP address assigned by the data subject’s internet service provider (ISP) at the time he/she subscribed along with the data and time of subscription. These data have to be collected in order to be able to trace any (possible) misuse of the data subject's email address at a later date; the collection therefore serves the purpose of providing legal protection for the controller.
The personal data collected when subscribing to the newsletter are used solely for the purpose of delivering our newsletter. Newsletter subscribers may also receive information by email if this is necessary for registration purposes or for the provision of the newsletter service, for example if the newsletter service is modified or if technical requirements change. The personal data collected in connection with the newsletter service are not transferred to any third party. The data subject may unsubscribe from the newsletter at any time. The data subject may withdraw his/her consent to the storage of personal data in connection with the delivery of the newsletter at any time. Each newsletter contains a link that the data subject may use for this purpose. Newsletter recipients may also unsubscribe from the newsletter directly on the controller's website or use any other means to inform the controller of their intention to unsubscribe.
7. Newsletter tracking
The newsletters sent by Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology contain so-called ‘web beacons.’ A web beacon is a miniature graphic that is embedded in emails sent in HTML format for the purpose of recording and analyzing log files. These can be used to perform statistical analyses of the success or failure of marketing campaigns. The embedded web beacon enables Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology to determine if and when an email was opened by a data subject and which links in the email were accessed.
The personal data collected by the web beacons in the newsletter are stored and analyzed by the controller in order to optimize the delivery of the newsletter and align the content of future newsletters even more closely with the recipients’ interests. These personal data are not transferred to third parties. Data subjects have the right to withdraw any consent given separately using the double opt-in procedure at any time. The controller will erase these personal data following the withdrawal of the data subject's consent. If a newsletter recipient unsubscribes from the newsletter, Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology will automatically interpret this as a withdrawal of consent.
8. Contact through the website
In compliance with legal regulations, the website of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology contains information that enables visitors to contact our company quickly by electronic means and to communicate with us directly; this information also encompasses an electronic mail (email) address. If a data subject contacts the controller by email or using a contact form, the personal data provided by the data subject will be stored automatically. Personal data sent voluntarily by the data subject to the controller are stored for the purpose of contacting or responding to the data subject. This personal data will not be transferred to third parties.
9. Routine erasure and blocking of personal data
The controller will only store and processes the data subject’s personal data for as long as is necessary to fulfill the purpose for which they were stored or if the European legislator or other legislative bodies specify this in laws and regulations to which the controller is subject.
If the purpose for which the data were stored ceases to apply, or if the storage period specified by the European legislator or another competent legislative body expires, the personal data will be routinely erased or blocked as set out in the respective legislation.
10. Rights of the data subject
a) Right of access
The European legislator has granted every data subject the right to obtain confirmation from the controller as to whether or not his/her personal data are being processed. Data subjects wishing to exercise this right of access may contact any of the controller's employees at any time for this purpose.
b) Right to information
The European legislator has granted every data subject the right to obtain information free of charge from the controller regarding the personal data being processed, and the right to receive a copy of these data. Furthermore, the European legislator has granted every data subject the right to access the following information:
the purposes of the processing,
the categories of personal data being processed,
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations,
where possible, the envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period,
the existence of a right to request from the controller the rectification or erasure of the personal data or the restriction of processing of the personal data and the right to object to such processing,
the existence of a right to lodge a complaint with a supervisory authority,
if the personal data were not collected from the data subject: any available information as to their source,
the existence of automated decision-making, including profiling, as set out in Article 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject also has the right to information as to whether his/her personal data have been transferred to a third country or an international organization. If this is the case, the data subject also has the right to information regarding the safeguards put in place in connection with the transfer.
Should the data subject wish to exercise this right of information, he/she may contact an employee of the controller for this purpose at any time.
c) Right to rectification
The European legislator has granted each data subject the right to have any incorrect personal data rectified without undue delay. Furthermore, the data subject has the right – taking into account the purposes of the processing – to have incomplete data completed, also by providing a supplementary statement.
Should the data subject wish to exercise this right to rectification, he/she may contact an employee of the controller for this purpose at any time.
d) Right to erasure (right to be forgotten)
The European legislator has granted each data subject the right to have the controller erase his/her personal data without undue delay where one of the following grounds applies and the processing is not necessary:
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
The data subject withdraws the consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR and there are no other legal grounds for the processing.
The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) GDPR.
The personal data were processed unlawfully.
The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The personal data were collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR.
If one of the above-named grounds applies and the data subject wishes to have the personal data collected by Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology erased, he/she can contact an employee of the data controller for this purpose at any time. The employee of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology will then ensure that the request for erasure is complied with without undue delay.
If Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology has made the personal data public, and if our company is obliged pursuant to Art. 17(1) GDPR to erase the personal data, Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology shall, with due consideration of the technology available and the costs of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data insofar as the processing thereof is not necessary. The employee of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology will do what is necessary in each individual case.
e) Right to restriction of processing
The European legislator has granted every data subject the right to have the controller restrict the processing of his/her data where one of the following applies:
The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the data.
The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
The controller no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise, or defense of legal claims.
The data subject has objected to the processing pursuant to Article 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
If one of the conditions mentioned above applies and the data subject wishes to have the processing of personal data stored by Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology restricted, he/she may contact an employee of the controller for this purpose at any time. The employee of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology will then have the processing of the personal data restricted.
f) Right to data portability
The European legislator has granted every data subject the right to receive the personal data that he/she has provided to a controller in a structured, commonly used and machine-readable format. The data subject also has the right to to transmit those data to another controller without hindrance from the controller to which the personal data were provided where the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR, and the processing is carried out by automated means, provided the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his/her right to data portability pursuant to Art. 20(1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another where technically feasible and provided this does not affect the rights and freedoms of other persons.
The data subject may contact an employee of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology at any time in order to exercise his/her right to data portability.
g) Right to object
The European legislator has granted every data subject the right to object, on grounds relating to his/her particular situation, at any time to any processing of his/her personal data based on Article 6(1)(e) or (f) GDPR. The same applies to any profiling based on these provisions.
In the event of an objection, Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology will cease processing the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the data processing is required to establish, exercise, or defend legal claims.
Where Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology processes the data for direct marketing purposes, the data subject has the right to object at any time to the processing of his/her personal data for such purposes. The same applies to any profiling associated with this direct marketing. If the data subject objects to the processing of his/her personal data by Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology for direct marketing purposes, Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology will cease processing the personal data for these purposes.
Furthermore, where data are processed by Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, the data subject has the right, on grounds relating to his/her particular situation, to object to this processing unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject may contact an employee of Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology in order to exercise his/her right to object. Furthermore, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
The European legislator has granted every data subject the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects for him/her or which similarly significantly affects him/her. This does not apply if the decision (1) is necessary for entering into or performing a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, or (3) is based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into or performing a contract between the data subject and the controller, or (2) is made with the data subject’s explicit consent, Dr. Brill + Partner GmbH Institute for Hygiene and Microbiology shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his/her point of view and to contest the decision.
If the data subject wishes to exercise rights relating to automated decisions, he/she may contact an employee of the controller for this purpose at any time.
i) Right to withdraw consent
The European legislator has granted each data subject the right to withdraw his/her consent to the processing of his/her personal data.
If the data subject wishes to exercise his/her right to withdraw his/her consent, he/she may contact an employee of the data controller for this purpose at any time.
11. Data privacy in the case of applications and application procedures
The controller collects and processes the personal data of applicants for the purpose of executing the application procedure. The data can also be processed electronically. This is in particular the case when an applicant sends appropriate application documents to the controller by electronic means, e.g. by email or using a web form located on the website. If the controller concludes an employment contract with an applicant, the data transmitted are stored for the purpose of managing the employment relationship in compliance with the relevant legal provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically erased two months after the applicant has been notified of the rejection, provided the erasure does not oppose any other of the controller’s legitimate interests. Other legitimate interests in this context may for example relate to the burden of proof in legal action taken in connection with the General Act on Equal Treatment (AGG).
12. Data privacy in connection with the use of Google AdWords
The controller has integrated Google AdWords into this website. Google AdWords is an internet advertising service that allows advertisers to run ads in Google search engine results and on the Google advertising network. Google AdWords allows the advertiser to preset keywords that will only cause an ad in Google search engine results to be displayed if the user retrieves a search engine result that is relevant to the keyword. In the Google advertising network, the ads are distributed among relevant websites using an automatic algorithm while taking the predefined keywords into account.
The Google AdWords service is provided by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, U.S.
The purpose of Google AdWords is to promote our website by displaying interest-based advertising on third-party websites and in the results generated by the Google search engine, and to display external advertising on our website.
If a data subject accesses our website through a Google ad, Google will place a so-called ‘conversion cookie’ on the data subject’s IT system. An explanation of what cookies are is provided above. A conversion cookie expires after thirty days and is not used to identify the data subject. Provided it has not yet expired, the conversion cookie is used to determine whether specific subpages have been accessed on our website, e.g. the shopping cart in an online shop system. By using a conversion cookie, both we and Google are able to track whether a data subject who accessed our website through an AdWords ad generated a sale, i.e. completed or canceled a transaction for the purchase of goods.
Google uses the data and information collected by the cookie to generate visitor statistics for our website. We in turn use these visitor statistics to determine the number of users who reached us through AdWords ads, i.e. to determine the success or failure of the respective AdWords ad and to optimize our AdWords ads for the future. Neither our company nor other Google AdWords advertising customers receive information from Google that could be used to identify the data subject.
The conversion cookie is used to store personal information such as the websites visited by the data subject. Every visit to our website causes personal data including the IP address of the internet connection used by the data subject to be transferred to Google in the United States of America. Google stores this personal data in the United States of America. In certain circumstances, Google may transfer the personal data collected by technical means to third parties.
As described above, the data subject can permanently disable the setting of cookies by our website by adjusting his/her browser settings accordingly. Configuring the internet browser in this way would also prevent Google from setting a conversion cookie on the data subject's IT system. Cookies set by Google AdWords can be deleted at any time via the web browser or other software programs.
The data subject also has the option of objecting to the display of interest-related advertising by Google. To do this, the data subject must click on the link www.google.de/settings/ads in every browser they use and adjust the settings accordingly.
13. Data privacy in connection with the use of LinkedIn
The controller has integrated components provided by the LinkedIn Corporation on this website. LinkedIn is an internet-based social network that enables users to connect with existing business contacts and make new ones. LinkedIn has over 400 million registered users in more than 200 countries. This means that LinkedIn is currently the biggest platform for business contacts and one of the most frequently visited websites in the world.
A LinkedIn component (LinkedIn plug-in) has been installed on our website. Every time a visitor accesses our website, this component causes the visitor’s browser to download a corresponding representation of the LinkedIn component. Further information about LinkedIn plug-ins is available athttps://developer.linkedin.com/plugins. During this technical procedure, LinkedIn receives information about which specific subpage on our website the data subject is visiting.
If the data subject is also logged in to LinkedIn, LinkedIn will recognize which specific subpage on our website the data subject is visiting and how long he/she spends on our website every time he/she accesses it. This information is collected by the LinkedIn component and associated by LinkedIn with the user's LinkedIn account. If the data subject activates a LinkedIn button integrated into our website, LinkedIn associates this information with the data subject’s LinkedIn user account and stores these personal data.
The LinkedIn component always notifies LinkedIn that the data subject has visited our website if he/she is logged in to LinkedIn at the time he/she visits our website; this happens regardless of whether or not the data subject activates the LinkedIn component. If the data subject does not wish this information to be transmitted to LinkedIn, he/she can prevent it by logging out of his/her LinkedIn account before accessing our website.
14. Privacy terms relating to the use of Xing
The controller has installed components provided by Xing on this website. Xing is an internet-based social network that enables users to connect with existing business contacts and make new ones. Each user can create a personal profile on Xing. Companies can for example create company profiles or post job advertisements on Xing.
Xing is operated by New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.
The controller that operates this website has integrated a Xing component (Xing plug-in) into the website. Every time one of the subpages on this website is accessed, the web browser in the data subject’s information technology system automatically causes a representation of the corresponding Xing component to be downloaded. Further information about Xing plug-ins is available at https://dev.xing.com/plugins. During this technical procedure, Xing receives information about which specific subpage on our website the data subject is visiting.
If the data subject is also logged in to Xing, Xing will recognize which specific subpage on our website the data subject is visiting and how long he/she spends on our website every time he/she accesses it. This information is collected by the Xing component and associated by Xing with the user's Xing account. If the data subject activates a Xing button integrated into our website, for example the ‘Share’ button, Xing associates this information with the data subject’s Xing user account and stores these personal data.
The Xing component always notifies Xing that the data subject has visited our website if he/she is logged in to Xing at the time he/she visits our website; this happens regardless of whether or not the data subject activates the Xing component. If the data subject does not wish this information to be transmitted to Xing, he/she can prevent it by logging out of his/her Xing account before accessing our website.
15. Legal basis of processing
Art. (6)(a) GDPR serves our company as the legal basis when we require the data subject’s consent to the processing for a specific purpose. If the processing is necessary for the performance of a contract to which the data subject is party, e.g. processing necessary for the supply of goods or the provision of another service or return service, the legal basis of the processing is Art. 6(1)(b) GDPR. The same applies to processing that is necessary to take steps prior to entering into a contract, e.g. in the case of queries relating to our products or services. If our company is subject to a legal obligation that requires the processing of personal data, e.g. to fulfill fiscal obligations, the basis of the processing is Art. 6(1)(c) GDPR. In rare cases, it may become necessary to process personal data in order to protect the vital interests of the data subject or another natural person. This would for example be the case if a visitor to our company was injured and their name, age, health insurance data, and other vital information had to be given to a doctor, hospital, or other third party. In this case, the legal basis for the processing would be Art. 6(1)(d) GDPR. Finally, data may be processed on the basis of Art. 6(1)(f) GDPR. This is the legal basis for processing that is not covered by any of the other legal bases mentioned above when the processing is necessary to protect the legitimate interests pursued by our company or a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject. These processing operations are permitted in particular because special mention of these was made by the European legislator. This body was of the opinion that a legitimate interest could exist if the data subject is one of the controller's customers (Recital 47 sentence 2 GDPR).
16. Legitimate interests in the processing pursued by the controller or a third party
If the processing is based on Article 6(1)(f) GDPR, our legitimate interest lies in transacting business to the benefit of all our employees and shareholders.
17. Period for which the personal data are stored
The criterion determining the period for which the personal data must be stored is the applicable statutory retention period. Once this period has expired, the corresponding data is routinely erased provided they are no longer required to initiate or fulfill a contract.
18. Legal or contractual provisions regarding the provision of personal data; requirement for conclusion of contract; data subject's obligation to provide the personal data; possible consequences of withholding the personal data
We herewith inform you that the provision of personal data is in part prescribed by law (e.g. tax regulations) or may be contractually regulated (e.g. information about the contracting partner). When concluding a contract, it may at times be necessary for a data subject to provide us with personal data that we will then process. The data subject is for example obliged to furnish us with personal data when our company concludes a sales contract with him/her. It would not be possible to conclude a contract with the data subject without these data. The data subject must contact one of our employees before providing personal data. Our employee will then inform the data subject individually whether legal or contractual provisions require him/her to provide the data, or whether the data must be provided to conclude a contract, whether the data subject is under an obligation to provide the data, and what the consequences would be if the data subject did not provide the data.
19. Existence of automated decision-making
As a responsible company, we dispense with automated decision-making or profiling.