PRIVACY STATEMENT

As at: 1 September 2018

 

We take the protection of your personal data very seriously. Accordingly, we keep your personal data confidential and handle them in accordance with the statutory data protection regulations and this privacy statement.

In accordance with the EU General Data Protection Regulation (GDPR), we provide you with detailed information about the personal data that we collect from you and store when you visit our website, contact us or make use of our service here. We also draw your attention to your rights and how you can exercise these (right to information).

It is possible, in principle, to use the web pages of PREDICTA|ME GmbH (hereinafter PREDICTA|ME) without disclosing any personal data. If, however, a data subject would like to use particular services provided by our company via our web pages, personal data might need to be processed. If personal data have to be processed and there is no legal basis for such processing, we generally obtain the data subject’s consent.

Personal data, such as the name, address, email address or telephone number of a data subject, are always processed in accordance with the General Data Protection Regulation and in compliance with the country-specific data protection regulations applicable to PREDICTA|ME. We would like to inform the public of the type, scope and purpose of the personal data collected, used and processed by us through this privacy statement. This privacy statement also explains the rights to which data subjects are entitled.

As the entity responsible for processing (controller), PREDICTA|ME has implemented numerous technical and organisational measures to ensure that the personal data processed via this website are protected as completely as possible. Nevertheless, Internet-based data transmissions may be subject to security vulnerabilities, meaning that absolute protection cannot be guaranteed. This is why each data subject has the option of transmitting personal data to us by alternative routes, such as by phone.

This Data Protection Directive applies to the web pages of PREDICTA|ME (http://www.predictame.com /de /net), as well as other websites linked to PREDICTA|ME, apps, communication facilities and services, including offsite services such as advertisement services but excludes services which state that another Data Protection Directive applies to them.

1. Definitions

The PREDICTA|ME privacy statement is based on the terms used by the European regulators for issuing the General Data Protection Regulation (GDPR). We aim to make our privacy statement easy to read and to understand by both the public and our clients and business partners. To guarantee this, we would like to explain the terms used in advance.

Among others, we use the following terms in this privacy statement:

1.1. Personal data

Personal data are any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is regarded as identifiable if he or she can be identified, directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of this natural person.

1.2. Data subject

A data subject is any identified or identifiable natural person whose personal data are processed by the person responsible for processing (controller).

1.3. Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4. Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

1.5. Controller or person responsible for processing

Controller or person responsible for processing means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1.6. Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

1.7. Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

1.8. Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

1.9. Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the controller

The controller for the purposes of the General Data Protection Regulation, other data protection legislation applicable in the Member States of the European Union and other data protection-related provisions is:

PREDICTA|ME GmbH

Pfarrgasse 20

55268 Nieder-Olm

Germany

Tel.: +49 6136 7888935

info@predictame.com

www.predictame.com

 

3. Aptitude diagnostics tools

Our online-based personality analyses and surveys must normally be answered by both the commissioning company and by the candidate or employee. The following personal data are needed to send the candidate or employee the link needed for this purpose:

  • Address

  • First name, surname, title

  • Email address

 

In this connection, the commissioning company is obliged to obtain the consent of the candidate or employee to these data being collected and processed. The data are subsequently stored in the client area of the commissioning company. The personal data of the candidate or employee will be erased permanently when they are erased in the client area. Data are only collected and stored in anonymised form through the analyses and surveys. As a result, once the personal data are erased in the client area, a link to a person can only be re-established with a disproportionate effort.

PREDICTA|ME also reserves the right to process the anonymised data collected further for development and research purposes.

 

4. Sub-accounts

A sub-account can be created for the commissioning company to give a third party access to results of analyses. The following personal data on the third party are collected for this purpose:

  • Name

  • Email address

In this connection, the commissioning company is obliged to obtain the agreement of the third party to these data being collected and processed.

 

5. Purpose of collecting and processing your personal data

PREDICTA|ME collects and processes your personal data and analysis data for various purposes:

 

5.1. To prepare a report, which the commissioning company may use to select employees and/or plan development measures.

If you agree to an analysis in conjunction with a selection process or a development measure, a report is prepared, which will contain the results of your analysis. The commissioning company can see the results of your analysis and use them for personnel selection purposes or for employee development measures.

 

5.2. For research purposes aimed at ensuring that the quality of analyses and questionnaires is maintained, for benchmarking and statistical analyses.

 

PREDICTA|ME works in accordance with the internationally applicable guidelines issued by the European Federation of Psychologists’ Associations (EFPA). For example, we investigate the reliability, significance and assessment models of analyses and check whether the analyses are suitable as a basis for setting standards. For research purposes, your analysis data are always transmitted on an anonymised basis at group level, meaning that you cannot be identified from these data.

The transmission of additional background data for research purposes always takes place voluntarily. Your decision to have such data transmitted or not has no influence on the results of the analysis or other processes (such as applications). Your answers will be used solely for research purposes. Your data will only be stored as long as this is necessary for the purpose for which they were collected.

5.3. Group surveys and studies, which were commissioned by the company.

In this case, it is possible that your data will be used in a different context from that in which you provided the data. This means that under certain circumstances your data will also be “supplemented”, by service data based on experience, for example.
The company is the entity responsible for processing (controller). The company is obliged to inform you which data will be processed, the purpose for which the data will be processed and how the data will be published and transmitted. The company must first obtain your (explicit) agreement before your data can be supplemented in the manner specified and linked to other data. Your (explicit) consent is also required if the data are published in non-anonymised form.

 

6. Cookies

The PREDICTA|ME web pages use cookies. Cookies are text files, which are placed and stored on a computer system via an Internet browser.

Large numbers of websites and servers use cookies. Many cookies contain a cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string through which websites and servers can be allocated to the specific Internet browser in which the cookie was stored. This allows the websites and servers visited to distinguish the data subject’s individual browser from other Internet browsers, which contain different cookies. A certain Internet browser can be recognised and identified via the unique cookie ID.

By using cookies, PREDICTA|ME can provide users of this website with more user-friendly services than would have been possible if a cookie had not been placed.

By means of cookies, the information and offers on our website can be improved in the interests of users. As already mentioned, cookies allow us to recognise users of our website once again. The purpose of this recognition is to make it easier for users to use our website. For example, users of a website that uses cookies do not have to input their access data each time they visit the website because this is done by the website and the cookie stored on the user’s computer system. The shopping basket in an online shop is another example of a cookie. The online shop notes the articles which a customer has placed in his or her virtual shopping basket via a cookie.

The data subject can prevent our website from placing cookies at any time by adjusting the settings in his or her Internet browser to this effect and consequently object to the placement of cookies permanently. Cookies that have previously been placed can also be deleted at any time via an Internet browser or other software programs. This is an option on all common browsers. If the data subject deactivates the placement of cookies in his or her Internet browser, it is possible that he or she will not be able to use all the functions of our website in their entirety.

 

7. Recording general data and information

Each time the data subject or an automated system accesses the PREDICTA|ME website, the site will record a series of general data and information. These general data and information are stored in the server’s log files. It may record (1) the browser types and versions used, (2) the operating system used by the system accessing the site, (3) the website from which a system accessing the site reaches our website (known as a referrer), (4) the sub-websites which are activated via a system accessing our website, (5) the date and time at which the website is accessed, (6) an Internet protocol address (IP address), (7) the Internet service provider of the system accessing the website and (8) other similar data and information, which help avert danger in the event of attacks on our IT systems.

When using these general data and information, PREDICTA|ME does not draw any conclusions about the data subject. Rather, this information is needed to (1) supply the content of our website correctly, (2) to improve the content of our website and advertising for it, (3) to guarantee the functionality of our IT systems and technology at all times and (4) to provide prosecution authorities with the information needed for prosecution in the event of a cyber attack. These anonymously collected data and information are therefore firstly evaluated statistically by PREDICTA|ME and secondly with the aim of increasing data protection and data security in our company so that we can ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data in the server log files are stored separately from all personal data disclosed by the data subject.

 

8. Contact opportunity via the website

Legal regulations mean that the PREDICTA|ME website contains information, which allows visitors to contact our company rapidly electronically and to communicate with us directly, including a general electronic mail (email) address. If a data subject contacts the controller by email or a contact form, the personal data transmitted by the data subject are stored automatically. Such personal data transmitted voluntarily by a data subject to the controller are stored for the purposes of processing or contacting the data subject. These personal data are not transmitted to third parties.

 

9. Routine erasure and blocking of personal data

The controller only processes and stores the data subject’s personal data for the period that is required to achieve the purpose for which they are stored or if storage was envisaged by the European regulator or another legislator in laws or regulations to which

If the purpose of storage no longer applies or the storage period prescribed by the European regulator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with the legal provisions.

10. Rights of the data subject

10.1. Right to confirmation

Each data subject has the right granted by the European regulator to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject would like to make use of this right to confirmation, he or she can contact an employee of the controller for this purpose at any time.

10.2. Right to information

Each data subject affected by the processing of personal data has the right granted by the European regulator to obtain information free of charge from the controller about the personal data concerning him or her and to obtain a copy of this information. The European regulator has also granted the data subject disclosure of the following information:

  • the purposes of the processing

  • the categories of personal data being processed

  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations

  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

  • the right to lodge a complaint with a supervisory authority

  • where the personal data are not collected from the data subject, any available information as to their source

 

The data subject also has a right to information as to whether personal data are transferred to a third country or to an international organisation. If this is the case, the data subject incidentally has the right to be informed of the appropriate safeguards relating to the transfer. If a data subject would like to make use of this right to information, he or she can contact an employee of the controller for this purpose at any time.

 

10.3. Right to rectification

Each person affected by the processing of personal data has the right granted by the European regulator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject also has the right, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject would like to make use of this right to rectification, he or she can contact an employee of the controller for this purpose at any time.

 

10.4. Right to erasure (right to be forgotten)

Each person affected by the processing of personal information has the right granted by the European regulator to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and if processing is not necessary:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

  • The data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1) GDPR, or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing.

  • The data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2).

  • The personal data have been unlawfully processed.

  • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

  • The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

If one of the grounds above applies and a data subject would like to arrange for the erasure of personal data, which are stored by PREDICTA|ME, he or she can contact an employee of the controller for this purpose at any time. The PREDICTA|ME employee will arrange for the request for erasure to be met without delay.

If the personal data have been made public by PREDICTA|ME and our company is obliged, as controller, pursuant to Article 17 (1) GDPR, to erase the personal data, PREDICTA|ME, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data if processing is not necessary. The employees of PREDICTA|ME will do what is necessary on a case by case basis.

 

10.5. Right to restriction of processing

Each person affected by the processing of personal data has the right granted by the European regulator to obtain from the controller restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.

  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

  • The data subject has objected to processing pursuant to Article 21 (1) pending verification of whether the legitimate grounds of the controller override those of the data subject.

If one of the requirements above applies and a data subject would like to obtain the restriction of personal data, which are stored by PREDICTA|ME, he or she can contact an employee of the controller for this purpose at any time. The employees of PREDICTA|ME will arrange for restriction of processing.

 

10.6. Right to data portability

Each person affected by the processing of personal data has the right granted by the European regulator to receive the personal data concerning him or her, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided where the processing is based on consent pursuant to point (a) of Article 6 (1) GDPR, or point (a) of Article 9 (2) GDPR, or on a contract pursuant to point (b) of Article 6 (1) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In exercising his or her right to data portability pursuant to paragraph 1, Article 20 GDPR, the data subject also has the right to have the personal data transmitted directly from one controller to another, where technically feasible and where this does not adversely affect the rights and freedoms of others.

The data subject may contact an employee of PREDICTA|ME at any time to enforce his or her right to data portability.

 

10.7. Right to object

Each person affected by the processing of personal data has the right granted by the European regulator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR.

 

In the event of an objection, PREDICTA|ME will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If PREDICTA|ME processes personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for the purposes of such direct marketing. If the data subject objects to PREDICTA|ME processing for direct marketing purposes, PREDICTA|ME will no longer process personal data for such purposes.

The data subject also has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, which is being processed by PREDICTA|ME for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest. The data subject may contact any employee of PREDICTA|ME directly or another employee to exercise his or her right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may also exercise his or her right to object by automated means using technical specifications.

10.8. Automated individual decision-making

Each person affected by the processing of personal data has the right granted by the European regulator not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and a data controller, or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests or (3) is based on the data subject's explicit consent.

If the decision is (1) necessary for entering into, or performance of, a contract between the data subject and the controller or (2) is based on the data subject's explicit consent, PREDICTA|ME shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

If a data subject would like to make use of rights relating to automated decisions, he or she can contact an employee of the controller for this purpose at any time.

 

10.9. Right to withdraw consent under data protection legislation

Each person affected by the processing of personal data has the right granted by the European regulator to withdraw his or her consent to the processing of personal data at any time. If a data subject would like to make use of his or her right to withdraw consent, he or she can contact an employee of the controller for this purpose at any time.

 

11. Data protection in relation to recruitment and application processes

The controller collects and processes candidates’ personal data for the purposes of completing the application process. Data may also be processed electronically. This is particularly the case if a candidate transmits application documents to the controller by electronic channels, such as by email or on a web form located on the website. If the controller concludes a contract of employment with a candidate, the transmitted data are stored in accordance with the legal provisions for the purposes of processing the employment relationship. If the controller does not conclude a contract of employment with the candidate, the application documents will be automatically erased two months after the decision to reject the candidate is announced unless other legitimate interests on the part of the controller preclude erasure. For these purposes, another legitimate interest is, for example, a burden of proof in proceedings under the General Law on Equal Treatment (Allgemeines Gleichbehandlungsgesetz, AGG).

12. Data protection regulations on the use and application of Google Analytics (with anonymisation function)

The controller has embedded the Google Analytics component (with anonymisation function) on this website. Google Analytics is a web analysis service. Web analysis is the collection, accumulation and evaluation of data about the conduct of website visitors. Among other things, a web analysis service records data about the website from which a data subject came to the website (known as a referrer), which sub-sites of the website were accessed or how often and for how long a period a sub-site was viewed. A web analysis is mainly used to improve a website and to analyse the costs and benefits of Internet advertising. Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA is the operating company of the Google Analytics component.

The controller uses the suffix "_gat._anonymizeIp" for its web analysis via Google Analytics. This suffix abbreviates and anonymises the IP address of the data subject’s Internet connection if our web pages are accessed from a Member State of the European Union or another State party to the Agreement on the European Economic Area. The purpose of the Google Analytics component is to analyse flows of visitors to our website. Google uses the data and information acquired to evaluate use of our website, among other things, to put together online reports for us, which show activities on our web pages and to provide other services associated with use of our website.

Google Analytics places a cookie on the data subject’s IT system. The function of cookies has been explained above. Placement of the cookie allows Google to analyse use of our website. Each time one of the individual pages of this website, which is operated by the controller and on which a Google Analytics component has been embedded, is accessed, the Internet browser on the data subject’s IT system will be instructed by the respective Google Analytics component to transmit data to Google for the purposes of online analysis. Within this technical process, Google obtains details of personal data, such as the data subject’s IP address, which help Google, among other things, to trace the origin of visitors and clicks and consequently to charge commission.

The cookie allows personal information, such as the time of access, the location from which the website was accessed and the frequency of visits to our website by the data subject to be stored. With each visit to our web pages, these personal data, including the IP address of the Internet connection used by the data subject, are transferred to Google in the United States of America. These personal data are stored by Google in the United States of America. Under certain circumstances, Google will pass the personal data collected via this technical process to third parties.

As explained above, the data subject can prevent our website from placing cookies at any time by adjusting the settings in his or her Internet browser to this effect and consequently object to the placement of cookies permanently. By adjusting the settings on his or her Internet browser in this way, the data subject would also prevent Google from placing a cookie on his or her IT system. A cookie already placed by Google Analytics can be erased at any time via the Internet browser or other software programs.

The data subject also has the option of objecting to the data regarding use of this website generated by Google Analytics being recorded and to these data being processed by Google and preventing such use. To do so, the data subject must download a browser add-on from the link https://tools.google.com/dlpage/gaoptout and install it. This browser add-on informs Google via JavaScript that data and information about visitors to web pages may not be transmitted to Google Analytics. Google classifies the installation of the browser add-on as an objection. If the data subject’s IT system is erased, formatted or reinstalled at a later date, the data subject must reinstall the browser add-on to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person who is attributable to his or her sphere of influence, there is the option of reinstalling or reactivating the browser add-on.

More information and Google’s applicable data protection regulations can be downloaded from https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail via this link https://www.google.com/intl/de_de/analytics/.

13. Data protection regulations on the use and application of Google AdWords

The controller has embedded Google AdWords on this website. Google AdWords is an Internet advertising service, which allows advertisers to place advertisements in both Google’s search engine results and in the Google advertising network. Google AdWords allows an advertiser to specify certain key words in advance, by means of which an advertisement will only be displayed in Google’s search engine results if the user calls up a key word-relevant search result with the search engine. Advertisements are placed in the Google advertising network by means of an automatic algorithm and distributed to subject-relevant websites in compliance with the previously specified key words. Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA is the operating company of the Google AdWords services.

The purpose of Google AdWords is to advertise our website by inserting relevant advertising on third-party companies’ websites and in the search engine results generated by the Google search engine and to insert third party advertising on our website.

If a data subject reaches our website via a Google advertisement, a conversion cookie will be placed on the data subject's IT system by Google. The function of cookies has been explained above. A conversion cookie loses its validity after 30 days and does not identify the data subject. A conversion cookie will, assuming it has not yet expired, allow us to trace whether certain sub-sites, such as the shopping basket in an online shop system, were accessed on our website. Through the conversion cookie, both we and Google can trace whether a data subject reached our website via an AdWords advertisement and generated sales, i.e. completed or broke off a purchase.

The data and information collected through the use of the conversion cookie are used by Google to prepare visitor statistics for our website. These visitor statistics are used by us in turn to determine the total number of users who were referred to us via AdWords advertisements, in other words to determine the success or failure of the respective AdWords advertisement and to improve our AdWords advertisements for the future. Neither our company nor other advertising clients receive information from Google by which the data subject could be identified.

Conversion cookies are used to store personal information, such as the websites visited by the data subject. Accordingly, with each visit to our web pages, personal data, including the IP address of the Internet connection used by the data subject, are transferred to Google in the United States of America. These personal data are stored by Google in the United States of America. Under certain circumstances, Google will pass the personal data collected via this technical process to third parties.

As explained above, the data subject can prevent our website from placing cookies at any time by adjusting the settings in his or her Internet browser to this effect and consequently object to the placement of cookies permanently. By adjusting the settings on his or her Internet browser in this way, the data subject would also prevent Google from placing a conversion cookie on his or her IT system. A cookie already placed by Google AdWords can be erased at any time via the Internet browser or other software programs.

The data subject also has the option of objecting to interest-based advertising by Google. To do so, the data subject must call up the link www.google.de/settings/ads from each of the Internet browsers he or she uses and adjust the settings to reflect his or her preferences there. More information and Google’s applicable data protection regulations can be downloaded from https://www.google.de/intl/de/policies/privacy/.

14. Legal basis for processing

Article 6 I a) GDPR provides our company with the legal basis for processing where we obtain consent for processing for a specific purpose. If processing is necessary for the performance of a contract to which the data subject is party, as is the case, for example, for processing that is required for the delivery of goods or the supply of another service or return service, processing is based on point (b) of Article 6 I GDPR. The same is true for processing that is required to carry out pre-contractual measures, such as in cases of inquiries for our products or services. If our company is subject to a legal obligation through which processing of personal data is necessary for compliance, such as to comply with fiscal obligations, processing is based on point (c) of Article 6 I GDPR. In rare cases, the processing of personal data might be necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our business were injured and subsequently his name, his age, his health insurance details or other vital information had to be given to a doctor, a hospital or other third parties. Processing would then be based on point (d) of Article 6 I GDPR. Finally, processing might be based on point (f) of Article 6 I GDPR. Processing that is not covered by any of the above-mentioned legal bases is based on this provision if it is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to carry out such processing, in particular, because it is specially mentioned by the European legislator. In this respect, the legislator took the view that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 sentence 2 GDPR).

 

15. Legitimate interests in the processing, which are pursued by the controller or a third party

If the processing of personal data is based on point (f) of Article 6 I, our legitimate interest is the execution of our business activity for the benefit of all our employees and our shareholders.

 

16. Period for which personal data are stored

The criterion for the period in which personal data are stored is the respective statutory storage period. Once the period expires, the data in question are routinely erased unless they are required to fulfil a contract or initiate a contract.

 

17. Statutory or contractual regulations on the provision of personal data; required for the conclusion of a contract; obligation of the data subject to provide personal data; possible consequences of not providing them

We would like to point out that the provision of personal data is in part prescribed by law (e.g. tax regulations) or may result from contractual regulations (e.g. disclosures regarding the contracting party). Sometimes a data subject will have to provide personal data to conclude a contract, which we subsequently have to process. The data subject is, for example, obliged to provide personal data if our company concludes a contract with him or her. The failure to provide personal data would result in our being unable to conclude the contract with the data subject. The data subject must contact one of our employees before he or she provides personal data. Our employee shall advise the data subject on a case-by-case basis whether the provision of personal data is prescribed by law or contract or is required to conclude the contract, whether there is an obligation to provide personal data and what the consequences of a failure to provide personal data would be.

 

18. Existence of automated decision-making

As a responsible company, we do not make any decisions on an automated basis.