
Obligation to inform

Data protection information pursuant to Art. 12-19, 21 GDPR towards data subjects



This document provides you with information about the collection and processing of your personal data and your rights under data protection law.

 

 

Data controller

Victor Stahl Malermeister GmbH, Hopfenhof 7, 37434 Rüdershausen, Tel. 05529 91997-0, Fax 05529 91997-19, info@victor-stahl.de

 

 

Data Protection Officer

Mr Andreas Sorge, DatCon GmbH | Engineering Office for Data Protection

Coburger Straße 130, 96479 Weitramsdorf, Tel. 0170 8162619, Email sorge@datcon.de

 

 

Scope of processing

  • Categories of personal data processed
    • Job applicants/unsolicited applicants: Master data (e.g. CV content, contact details, family circumstances, health, knowledge, skills)
    • Employees: Master data (e.g. CV content, contact details, family circumstances, health, knowledge, skills), contract and payroll data, IT system log data (e.g. firewall, server logs), personal image/video data in company presentations, payroll data, health data, other data within the context of an employment relationship (e.g. working conditions, working hours)
    • Customers: Contract data, master data, invoicing data, services or products ordered
    • Prospective customers: Contact details, communication content
    • Suppliers: Contract data, contact details, communication content
    • Participants in a video conference (e.g. ‘MS Teams’): first name, surname, email address, subject (if applicable), participants’ IP addresses, MP4 file of video, audio and presentation recordings (for optional recordings), details of incoming and outgoing phone numbers (for dial-in calls), content of chat histories
  • Purposes for which the personal data is to be processed
    • Applicants/unsolicited applicants: Review of the application
    • Employees: Handling of all necessary and required measures within an employment relationship (e.g. maintenance of your personnel file; payroll accounting; analysis and assessment of your work performance and results, as well as the preparation of references; conducting staff training; conducting disciplinary proceedings); Ensuring operations run as smoothly as possible, marketing (image/video data on the website and/or other online platforms, employee motivation when introducing new staff on, for example, the ‘notice board’)
    • Customers: Fulfilment of contract
    • Prospective customers: Exchange of information
    • Suppliers: Services, orders
    • Participants in a video conference (e.g. ‘MS Teams’): Online meetings, telephone conferences, video conferences
  • Legal basis for processing pursuant to Art. 6(1) GDPR (Depending on the type of data processing, different legal bases apply to the respective groups.)
    • Job applicants/unsolicited applicants:
      • Fulfilment of a contract or to take steps prior to entering into a contract
      • Where applicable, consent (e.g. disclosure of the relevant data)
    • Employees:
      • Fulfilment of a contract or to take steps prior to entering into a contract
      • Where applicable, consent (e.g. photos on websites)
      • Fulfilment of a legal obligation (e.g. requirements imposed by tax legislation)
      • Protection of legitimate interests (e.g. logging for the purpose of cyber risk mitigation)
    • Customers:
      • Performance of a contract or to take steps prior to entering into a contract
      • Compliance with a legal obligation (e.g. requirements imposed by tax authorities)
      • Protection of legitimate interests (e.g. logging for the purpose of cyber risk mitigation)
    • Prospective customers:
      • Performance of a contract or to take steps prior to entering into a contract
      • Protection of legitimate interests (e.g. logging as part of cyber risk mitigation)
    • Suppliers:
      • Performance of a contract or to take steps prior to entering into a contract
      • Fulfilment of a legal obligation (e.g. requirements imposed by tax authorities)
    • Participants in a video conference (e.g. ‘MS Teams’):
      • Protection of legitimate interests (e.g. logging for the purpose of cyber risk mitigation)
      • Consent to processing (for further information, see below under “Participation in an online meeting”)
  • Duration for which personal data is stored (depending on the purpose, type of data and target group): Contract duration, statutory time limits, withdrawal of consent (where necessary), objection to data processing, duration of the online meeting
  • There is no automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR

 

Disclosure, source and international aspects

  • Recipients or categories of recipients of the personal data (depending on the target group)
    • General recipients: Tax advisors, internal use (e.g. HR, IT), public authorities (e.g. tax authorities), banks, insurance companies (e.g. in the context of accidents or insurance claims), external service providers (support as data processors)
    • Other recipients (depending on the target group):
      • Our own employees: for image data (provider, marketing agency, photographer)
      • Customers: subcontractors and cooperation partners (where contractually regulated or clarified), suppliers (where applicable, manufacturers directly) for materials (contact details), freight forwarders and parcel delivery services
      • Participants in a video conference: participants, provider
  • Source of collection: direct
  • Data processing outside the European Union

In principle, no data processing takes place outside the European Union (EU), as we have restricted our primary storage location to data centres within the European Union. However, we cannot rule out the possibility that data from some applications may be routed via internet servers located outside the EU. This may be the case in particular if, for example, participants in “online meetings” are located in a country outside the EU.

There is also a potential risk that, due to foreign legislation, authorities may access and process your data for monitoring or surveillance purposes. This may occur even without further legal recourse.

 

 

Participation in an online meeting

Participation in such an event is voluntary. By registering, you consent to data processing (including data transfer to the US). You may decide at any time whether you wish to transmit your image and/or audio during the event. If and to the extent that you actively choose to do so, this consent also covers the transmission and processing of any special categories of personal data (e.g. wearing glasses, stiff limbs, speech impediments, wearing religious symbols). By participating, you also consent to the possible recording and, where applicable, distribution of the event. Both will, of course, be communicated in advance.

 

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy:

https://privacy.microsoft.com/de-de/privacystatement.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards when data is processed in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this is available from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-etail?contact=true&id=a2zt0000000KzNaAAK&status=Active

 

Zoom

We use Zoom. The provider of this service is Zoom Communications Inc., San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For details on data processing, please refer to Zoom’s privacy policy: https://zoom.us/de-de/privacy.html. Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://zoom.us/de-de/privacy.html.

 

Data processing (use of tools in the context of online meetings)

We have entered into a data processing agreement (DPA) for the use of the aforementioned service. This is a contract required under data protection law, which ensures that the service provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

 

Legal basis for data processing in the context of online meetings:

    • Where personal data of company employees is processed, Section 26 of the German Federal Data Protection Act (BDSG) forms the legal basis for data processing.
    • Should personal data be processed in connection with the use of the video conferencing software which is not necessary for the establishment, performance or termination of the employment relationship, but is nevertheless an essential component of the use of the video conferencing software, then Article 6(1)(f) of the GDPR is the legal basis for the data processing. In such cases, our interest lies in the effective conduct of “online meetings”.
    • Furthermore, the legal basis for data processing when conducting “online meetings” is Article 6(1)(b) of the GDPR, insofar as the meetings are held within the framework of contractual relationships.
    • If no contractual relationship exists, the legal basis is Article 6(1)(f) of the GDPR. Here too, our interest lies in the effective conduct of “online meetings”.

Data subject rights

Where your personal data is processed on the basis of Article 6(1)(e) or (f) of the GDPR, you have the right, pursuant to Article 21 of the GDPR, to object to the processing of your personal data, provided there are grounds arising from your particular situation.

    • You have the right, pursuant to Article 7(3) of the GDPR, to withdraw your consent at any time. As a result, we may no longer continue the data processing that was based on this consent.
    • You have the right, pursuant to Article 15 of the GDPR, to request information about your personal data processed by us.
    • You have the right, pursuant to Article 16 of the GDPR, to request the correction of inaccurate personal data or the completion of your personal data stored by us without delay.
    • You have the right, pursuant to Article 17 of the GDPR, to request the erasure of your personal data stored by us, provided that there are no other grounds, such as the fulfilment of a legal obligation or the defence of legal claims, that preclude this.
    • You have the right, pursuant to Article 18 of the GDPR, to request the restriction of the processing of your personal data.
    • The controller shall, pursuant to Article 19 of the GDPR, notify all recipients to whom personal data has been disclosed of any rectification or erasure of the personal data or any restriction of processing.
    • You have the right, pursuant to Article 20 of the GDPR, to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, or to request that it be transferred to another controller.
    • You have the right, pursuant to Article 22, not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
    • You have the right, pursuant to Article 77 of the GDPR, to lodge a complaint with a supervisory authority.

Lower Saxony Supervisory Authority

Prinzenstraße 5, 30159 Hanover, Telephone: 05 11/120-45 00, Fax: 05 11/120-45 99, Email: poststelle@lfd.niedersachsen.de, Website: http://www.lfd.niedersachsen.de

Supervisory authorities in all federal states:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html