Responsible body
for processing according to GDPR
The person
responsible for privacy policy within the meaning of the General Data
Protection Regulation and other data protection laws in the member states of
the European Union and other provisions of a data protection nature is:
Spang &
Brands GmbH
Max-Planck-Str.
25
61381
Friedrichsdorf
Tel: +49 6172
9570-0
www.spang-brands.de
Privacy Policy
We welcome you on
our web pages and appreciate your interest. The protection of your personal
data is very important to us. Therefore, we conduct our activities in
accordance with applicable personal data protection and data security
legislation. Therefore, we act in accordance with the laws concerning personal
data and data security. We would like to inform you below which data of your
visit is used for which purpose. Should there be any further questions concerning
the handling of your personal data, you are welcome to contact our data
protection supervisor:
Nils Möllers
Keyed GmbH
info@keyed.de
https://www.keyed.de
1. What is
personal data?
The concept of
personal data is defined in the Bundesdatenschutzgesetz and in the EU GDPR.
Accordingly, these are individual details about personal or material
circumstances of a specific or identifiable natural person. This includes, for
example, your civil name, your address, your telephone number or your date of
birth.
2. Scope of
anonymous data collection and data processing
Unless otherwise
stated in the following sections, no personal data is collected, processed or
used when using our websites. However, we find out through the use of analysis
and tracking tools certain technical information based on the data transmitted
by your browser (for example, browser type/version, operating system used, our
visited websites including length of stay, previously visited website). We only
evaluate this information for statistical purposes.
3. Legal basis
for the processing of personal data
Insofar as we
obtain the consent of the data subject for processing of personal data, Art. 6
para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal
basis for the processing of personal data.
In the processing
of personal data necessary for the performance of a contract to which the data
subject is a part of, art. 6 para. 1 lit. b GDPR serves as the legal basis.
This also applies to processing operations required to carry out precontractual
actions.
Insofar as
processing of personal data is required to fulfill a legal obligation that is
subject to our company, art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that
vital interests of the data subject or another natural person require the
processing of personal data, art. 6 para. 1 lit. d GDPR serves as the legal
basis.
If processing is
necessary to safeguard the legitimate interests of our company or a third
party, and if the interests, fundamental rights and fundamental freedoms of the
person concerned do not outweigh the former interest, art. 6 para. 1 lit. f
GDPR serves as the legal basis for processing.
4. Use of cookies
The websites of Spang
& Brands GmbH use cookies. Cookies
are data stored by the Internet browser on the user's computer system. The
cookies can be transmitted to a page when they are accessed and thus allow an
assignment of the user. Cookies help to simplify the use of websites for users.
It is always
possible to turn off the setting of cookies by changing the option in the
Internet browser. The Cookies set can be deleted. It should be noted that
disabling cookies may not fully exploit all features of our website. The data
of the users collected in this way are pseudonymized by technical precautions.
Therefore, an assignment of the data to the calling user is no longer possible.
The data will not be stored together with other personal data of the users.
When accessing
our website, users are informed by an information banner about the use of
cookies for analysis purposes and referred to this privacy policy. In this
context, there is also an indication of how the storage of cookies in the
browser settings can be prevented.
The legal basis
for the processing of personal data using technically necessary cookies is
article 6 (1) lit. f GDPR. The legal basis for the processing of personal data
using cookies for analysis purposes is provided after the user has consented to
this art. 6 para. 1 lit. a GDPR.
5. Creation of
log files
Each time the
website is accessed, the Spang & Brands GmbH records data and information
through an automated system. These are stored in the log files of the server.
The data is also stored in the log files of our system. A storage of this data
together with other personal data of the user does not take place.
The following
data can be collected here:
(1) Information
about the browser type and version used
(2) The operating
system of the user
(3) The Internet
service provider of the user
(4) The IP
address of the user
(5) Date and time
of access
(6) Websites from
which the system of the user reaches our website (referrer)
(7) Web pages
accessed by the user's system through our website
6. Ways to
contact
On the websites
of Spang & Brands GmbH there is a contact form that can be used for
electronic contact. Alternatively, contact via the provided e-mail address is
possible. If the data subject contacts the controller through one of these
channels, the personal data transmitted by the data subject will be
automatically stored. The storage serves solely for purposes of processing or
contacting the person concerned. A transfer of data to third parties does not
take place. Legal basis for the processing of the data is in the presence of
the consent of the user art. 6 para. 1 lit. a GDPR.
The legal basis
for the processing of the data transmitted in the course of sending an e-mail
is article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a
contract, then additional legal basis for the processing is art. 6 para. 1 lit.
b GDPR.
The data will be
deleted as soon as it is no longer necessary for the purpose of its collection.
For the personal data from the input mask of the contact form and those sent by
e-mail, this is the case when the respective conversation with the user has
ended. The conversation is ended when it can be inferred from the circumstances
that the relevant facts have been finally clarified.
7. Routine deletion and blocking of personal data
The controller
will only process and store personal data of the data subject for as long as
necessary to achieve the purpose of the storage. In addition, such storage may
take place if provided for by the European or national legislator in EU
regulations, laws or other regulations to which the person responsible for
processing is subject.
As soon as the
storage purpose is removed or a storage period prescribed by the aforementioned
regulations expires, the personal data is routinely blocked or deleted.
8. Rights of the
data subject
If your personal
data has been processed, you are affected in the sense of the GDPR and you have
the following rights to the responsible person:
8.1 Right of
access
You may ask the
person in charge to confirm if personal data concerning you is processed by us.
If such
processing is available, you can request information from the person
responsible about the following information:
a. the purposes
for which the personal data are processed;
b. the categories
of personal data that are processed;
c. the recipients
or the categories of recipients to whom the personal data relating to you have
been disclosed or are still being disclosed;
d. the planned
duration of the storage of your personal data or criteria for determining the
duration of storage if specific information is not available;
e. the existence
of a right to rectification or deletion of personal data concerning you, a
right to restriction of processing by the controller or a right to object to
such processing;
f. the existence
of a right of appeal to a supervisory authority;
g. all available
information about the source of the data if the personal data are not collected
from the data subject;
h. the existence
of automated decision-making including profiling under article 22 (1) and (4)
GDPR and - at least in these cases - meaningful information about the logic
involved and the scope and intended impact of such processing on the data
subject.
You have the
right to request information about whether the personal data relating to you is
transferred to a third country or to an international organization. In this
connection, you can request the appropriate guarantees in accordance with art.
46 GDPR in connection with the transmission of information.
8.2 Right of
rectification
You have a right
to rectification and/or completion to the controller, if the processed personal
data concerning you is incorrect or incomplete. The responsible person must
make the correction without delay.
8.3 Right of
restriction of processing
You may request
the restriction of the processing of your personal data under the following
conditions:
a. if you contest
the accuracy of your personal information for a period of time that enables the
controller to verify the accuracy of your personal information;
b. the processing
is unlawful and you refuse to delete the personal data and instead request the
restriction of the use of the personal data;
c. the controller
no longer requires personal data for the purposes of processing, but you need
them to assert, exercise or defend legal claims, or
d. if you
objected to the processing pursuant to art. 21 (1) GDPR and have not yet
determined whether the legitimate reasons of the person responsible outweighed
your reasons.
If the processing
of personal data concerning you has been restricted, this data – except for
your storage – may only be used with your consent or for the purpose of
asserting, exercising or defending legal claims or protecting the rights of
another natural or legal person or for reasons of important public interest of
the Union or a member State.
If the limitation
of the processing under the conditions mentioned above are restricted, you will
be informed by the person in charge before the restriction is lifted.
8.4 Right of
cancellation
8.4.1 You may require
the controller to delete your personal information without delay, and the
controller shall promptly delete that information if any of the following is
true:
a. Your personal
data is no longer necessary for the purposes for which it was collected or
otherwise processed.
b. You revoke
your consent to the processing pursuant to art. 6 para. 1 lit. a or Art. 9
para. 2 lit. a GDPR and there is no other legal basis for processing.
c. Pursuant to
art. 21 para. 1 GDPR you give objection to the processing and there are no
prior justifiable reasons for the processing, or pursuant to art. 21 (2) GDPR
you give objection to the processing.
d. Your personal
data has been processed unlawfully.
e. The deletion
of personal data concerning you is required to fulfill a legal obligation under
Union law or the law of the member States to which the controller is subject.
f. The personal
data concerning you was collected in relation to information society services
offered pursuant to art. 8 para. 1 GDPR.
8.4.2 If the person in charge
has made the personal data concerning you public and pursuant to article 17 (1)
of the GDPR is required to delete it, is taking due account of the technology
available and the costs of implementation, including appropriate technical
measures, to inform data controllers who process the personal data that you
have requested the deletion of any links to such personal data or copies or
replications of such personal data.
8.4.3 The right to
deletion does not exist if the processing is necessary
a. to exercise
the right to freedom of expression and information;
b. to fulfill a
legal obligation required by the law of the Union or of the member States to
which the controller is subject, or to perform a task of public interest or in
the exercise of official authority conferred on the controller;
c. for reasons of
public interest in the field of public health pursuant to art. 9 (2) lit. h and
i and art. 9 (3) GDPR;
d. for archival
purposes of public interest, scientific or historical research purposes or for
statistical purposes pursuant to article 89 (1) of the GDPR, in so far as the
law referred to in paragraph 1 is likely to render impossible or seriously
affect the achievement of the objectives of that processing, or
e. to assert,
exercise or defend legal claims.
8.5 Right of
information
If you have the
right of rectification, erasure or restriction of processing to the controller,
he/she is obliged to notify all recipients to whom your personal data has been
disclosed of this correction or deletion of the data or restriction of
processing, unless: this proves to be impossible or involves a disproportionate
effort.
You have a right
to the person responsible to be informed about these recipients.
8.6 Right of Data
Portability
You have the
right to receive the personal information that you provide to the controller in
a structured, common and machine-readable format. You also have the right to
transfer this data to another person without hindrance by the person
responsible for providing the personal data, provided that
a. the processing
on a consent acc. art. 6 para. 1 lit. a GDPR or art. 9 para. 2 lit. a GDPR or
on a contract acc. art. 6 para. 1 lit. b GDPR is based and
b. the processing
is done by automated means.
In exercising
this right, you also have the right to obtain the personal data concerning you
directly from one person responsible to another person responsible, as far as
technically feasible. Freedoms and rights of other persons may not be affected.
The right to data
portability does not apply to the processing of personal data necessary for the
performance of a task in the public interest or in the exercise of official
authority delegated to the controller.
8.7 Right to
object
You have the
right at any time, for reasons that arise from your particular situation, to
object against the processing of your personal data, which pursuant to art. 6
para. 1 lit. e or f GDPR takes place; this also applies to profiling based on
these provisions.
The controller
will no longer process the personal data concerning you unless he can
demonstrate compelling legitimate reasons for processing that outweigh your
interests, rights and freedoms, or the processing is intended to assert,
exercise or defend legal claims.
If the personal
data relating to you is processed for direct marketing purposes, you have the
right to object at any time to the processing of your personal data for the
purpose of such advertising; this also applies to profiling insofar as it is
associated with such direct advertising.
If you object to
processing for direct marketing purposes, your personal data will no longer be
processed for these purposes.
Regardless of
directive 2002/58/EC, you have the option, in the context of the use of
information society services, of exercising your right to object through
automated procedures that use technical specifications.
8.8 Right to
revoke the data protection consent declaration
You have the
right to revoke your data protection consent declaration at any time. The
revocation of consent does not affect the legality of the processing carried
out on the basis of the consent until the revocation.
8.9 Automated
decision on a case-by-case basis, including profiling
You have the
right not to be subject to a decision based solely on automated processing,
including profiling, which has a legal effect on you or, in a similar manner,
significantly affects it. This does not apply if the decision
a. is required
for the conclusion or performance of a contract between you and the controller,
b. is permissible
on the basis of Union or member State legislation to which the controller is
subject, and that legislation contains appropriate measures to safeguard your
rights and freedoms and your legitimate interests, or
c. with your
express consent.
However, these
decisions must not be based on special categories of personal data pursuant to
art. 9 (1) GDPR, unless art. 9 (2) lit. a or g and reasonable procedures have
been taken to protect the rights and freedoms and your legitimate interests.
Regarding the
cases mentioned in a. and c., the person responsible shall take reasonable
steps to safeguard the rights and freedoms and your legitimate interests,
including at least the right to obtain the intervention of a person by the
controller, to express his or her own position and to contest the decision.
8.10 Right to
complain to a supervisory authority
Without prejudice
to any other administrative or judicial remedy, you have the right to complain
to a supervisory authority, in particular in the member State of its place of residence,
employment or the place of the alleged infringement, if you believe that the
processing of your personal data violates against GDPR.
The supervisory
authority to which the complaint has been submitted shall inform the
complainant of the status and results of the complaint, including the
possibility of a judicial remedy under article 78 of the GDPR.
9. Disclosure of
data to third parties
9.1 e tracker
The provider of
this website uses the services of etracker GmbH from Hamburg, Germany
(www.etracker.com) to analyze usage data. Cookies are used to enable a
statistical analysis of the use of this website by its visitors and to display
usage-related content or advertising. Cookies are small text files that are
stored by the Internet browser on the user's end device. etracker cookies do
not contain any information that would allow a user to be identified.
In order to
object to the collection and storage of your visitor data in the future, you
can obtain an opt-out cookie from etracker by clicking on the following link.
This will ensure that no visitor data from your browser will be collected and
stored by etracker in the future: http://www.etracker.de/privacy?et=V23Jbb
Further
information on data protection in connection with e tracker can be found at:
http://www.etracker.com/de/datenschutz.html
10. Data
transmission in third countries
The controller
may transfer personal data to a third country. In principle, the controller may
provide various appropriate safeguards to ensure that an adequate level of
protection is provided for the processing operations. It is possible to
transfer data transfers on the basis of an adequacy finding, internal data
protection rules, approved codes of conduct, standard data protection clauses
or an approved certification mechanism pursuant to Art. 46 para. 2 letters a) -
f) GDPR.
If the person
responsible undertakes a transfer to a third country on the legal basis of Art.
49 para. 1 a) GDPR, you will be informed at this point about the possible risks
of a data transfer to a third country.
There is a risk
that the third country receiving your personal data may not provide an
equivalent level of protection compared to the protection of personal data in
the European Union. This may be the case, for example, if the EU Commission has
not issued an adequacy decision for the third country in question or if certain
agreements between the European Union and the third country in question are
declared invalid. Specifically, there are risks in some third countries with
regard to the effective protection of EU fundamental rights through the use of
monitoring laws (e.g. USA). In such a case, it is the responsibility of the
controller and the recipient to assess whether the rights of data subjects in
the third country enjoy a level of protection equivalent to that in the Union
and can be effectively enforced.
However, the
basic data protection regulation should not undermine the level of protection
of natural persons ensured throughout the Union when personal data are
transferred from the Union to controllers, processors or other recipients in
third countries or to international organisations, even if personal data are
further transferred from a third country or from an international organisation
to controllers or processors in the same or another third country or to the
same or another international organisation.
11. Integration
of other services and content of third parties
It may happen
that content from third parties, such as videos from YouTube, maps from Google
Maps, RSS feeds or graphics from other websites are included in this online
offer. This always presupposes that the providers of this content (hereinafter
referred to as "third party provider") perceive the IP address of the
users. Because without the IP address, they could not send the content to the
browser of the respective user. The IP address is therefore required for the
presentation of this content. We endeavor to use only content whose respective
providers use the IP address solely for the delivery of the content. However,
we do not have any influence on this if the third parties provide the IP
address e.g. to save for statistical purposes. As far as we know, we will
inform users about it.
12. Duration of
storage of personal data
Personal data is
stored for the duration of the respective legal retention period. After expiry
of the deadline, the data will be routinely deleted, unless there is a need for
a contract or fulfillment of the contract.
13. Applications
(Training & Vacancies)
By submitting
their application to us, applicants consent to the processing of their data for
the purposes of the application procedure in accordance with the type and scope
set out in this Privacy Policy.
If special
categories of personal data within the meaning of Art. 9 Para. 1 DSGVO are
voluntarily provided within the framework of the application procedure, they
will also be processed in accordance with Art. 9 Para. 2 lit. b DSGVO (e.g.
health data, such as severely disabled status or ethnic origin). Insofar as
special categories of personal data within the meaning of Art. 9 para. 1 DSGVO
are requested from applicants as part of the application procedure, their
processing will also be carried out in accordance with Art. 9 para. 2 lit. a
DSGVO (e.g. health data if they are required for the exercise of a profession).
If provided,
applicants can submit their applications via an online form on our website. The
data will be transmitted to us encrypted according to the state of the art.
Applicants can
also send us their applications by e-mail. Please note, however, that e-mails
are generally not sent in encrypted form and the applicants themselves must
ensure that they are encrypted. We therefore cannot assume any responsibility
for the transmission path of the application between the sender and the reception
on our server and therefore recommend using an online form or postal dispatch.
Instead of applying using the online form and e-mail, applicants still have the
option of sending their application by post.
In the event of a
successful application, the data provided by the applicants can be further
processed by us for the purposes of the employment relationship. Otherwise, if
the application for a job offer is not successful, the applicant's data will be
deleted. Applicant data will also be deleted if an application is withdrawn,
which applicants are entitled to do at any time.
Subject to
justified revocation by the applicants, the data will be deleted after a period
of six months so that we can answer any follow-up questions regarding the
application and meet our obligations to provide evidence under the Equal
Treatment Act. Invoices for any reimbursement of travel expenses will be
archived in accordance with the provisions of tax law.
14. Safety
We have taken
extensive technical and operational safeguards to protect your data from
accidental or intentional manipulation, loss, destruction or access by
unauthorized persons. Our security procedures are regularly reviewed and
adapted to technological progress. In addition, privacy is granted on an
ongoing basis through constant auditing and optimization of the privacy
organization.
Spang &
Brands GmbH reserves all rights to make changes and updates to this Privacy
Policy. This Privacy Policy was created on 17.09.2020 by Keyed GmbH.