Data protection information pursuant to Art. 12-19, 21 GDPR towards data subjects
This document provides you with information about the collection and processing of your personal data and your rights under data protection law.
Data processing centre and contact person in the area of data protection
MEINEWAND, Sebastian Stahl e.K., Zur Akelei 1, D-37077 Göttingen, FON +49(0)5529 - 91 99 720, Email: info@meinewand.com
Processing framework
Categories of personal data that are processed
- Applicants/initiative applicants: master data (e.g. CV content, contact, family circumstances, health, knowledge, skills)
- Employees: Master data (e.g. CV content, contact, family circumstances, health, knowledge, skills), contract and billing data, log data of IT systems (e.g. firewall, server logs), personal image/video data on company presentations, data for payroll accounting, health data, other data in the context of an employment relationship (e.g. working conditions, working hours)
- Customers: Contract data, master data, invoice data, services or products ordered
- Interested parties: Contact data, communication content
- Suppliers: Contract data, contact data, communication content
- Participants in a video conference (e.g. "MS Teams"): First name, surname, email address, topic if applicable, participant IP addresses, MP4 file of video, audio and presentation recordings (for optional recordings), details of incoming and outgoing telephone number (for telephone dial-in), contents of chat histories
Purposes for which the personal data is to be processed
- Applicants/initiative applicants: Examination of the application
- Employees: Processing of all necessary and required measures in an employment relationship (e.g. maintaining your personnel file; payroll accounting; analysing and assessing your work performance and results and preparing references; conducting employee training; conducting disciplinary proceedings); ensuring that operations run as smoothly as possible, marketing (image/video data on website and/or other online platforms, employee motivation when introducing new employees on e.g. "notice board")
- Customers: Contract fulfilment
- Interested parties: Exchange of information
- Suppliers: Services, orders
- Participants in a video conference (e.g. "MS Teams"): Online meetings, telephone conferences, video conferences
Legal basis of the processing pursuant to Art. 6 para. 1 GDPR
(Depending on the type of data processing, different legal bases apply to the respective groups)
Applicants/initiative applicants:
- Fulfilment of a contract or for the implementation of pre-contractual measures
- Consent if necessary (e.g. transfer of the respective data)
Employees:
- Fulfilment of a contract or for the implementation of pre-contractual measures
- Consent, if applicable (e.g. photos on websites)
- Fulfilment of a legal obligation (e.g. requirements by the tax authorities)
- Protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
- Customers:
- Fulfilment of a contract or for the implementation of pre-contractual measures
- Fulfilment of a legal obligation (e.g. requirements by the tax authorities)
- Protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
- Interested parties:
- Fulfilment of a contract or for the implementation of pre-contractual measures
- Protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
- Suppliers:
- Fulfilment of a contract or for the implementation of pre-contractual measures
- Fulfilment of a legal obligation (e.g. requirements by the tax authorities)
- Participants in a video conference (e.g. "MS Teams"):
- Protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
- Consent to processing (for more information, see "Participation in an online meeting" below)
- Duration for which the personal data is stored (depending on the purpose, data type and target group)
Duration of the contract, legal deadlines, withdrawal of consent (if necessary), objection to data processing, duration of the online meeting
- There is no automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR
Disclosure, source and foreign reference
Recipients or categories of recipients of the personal data (depending on the target group)
o Basic recipients
Tax consultants, internal utilisation (e.g. HR, IT), authorities (e.g. tax authorities), banks, insurance companies (e.g. in the context of accidents or insurance claims), external service providers (support as processors)
- Other recipients (depending on the target group):
- Own employees: for image data (provider, marketing agency, photographer)
- Customers: Subcontractors and cooperation partners (if contractually regulated or clarified), suppliers (possibly directly manufacturers) for material (contact details), freight forwarders and parcel service providers
- Participants in a video conference: participants, providers
- Source of data collection: direct
- Data processing outside the European Union
Data processing outside the European Union (EU) does not take place as we have limited our primary storage location to data centres in the European Union. However, we cannot rule out the possibility that data from some applications may be routed via internet servers located outside the EU. This may be the case in particular if, for example, participants in "online meetings" are located in a country outside the EU.
There is also a possible risk that authorities may view and process your data for control or monitoring purposes due to a foreign jurisdiction. This may also occur without any further legal remedies.
Participation in an online meeting
Participation in such an event is voluntary. By registering, you consent to data processing (including US data transfer). You can decide at any time whether you wish to transmit images and/or sound during the event. If and insofar as you actively decide in favour of this, this consent also includes the transfer and processing of special categories of personal data (e.g. wearers of glasses, stiff limbs, speech impediments, wearers of religious symbols). By participating, you also consent to a possible recording and, if applicable, dissemination of the event. Both will of course be communicated in advance.
Microsoft Teams
We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams privacy policy: https://privacy.microsoft.com/de-de/privacystatement.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-etail?contact=true&id=a2zt0000000KzNaAAK&status=Active
Zoom
We use Zoom. The provider of this service is Zoom Communications Inc, San Jose, 55 Almaden oulevard, 6th Floor, San Jose, CA 95113, USA. Details on data processing can be found in Zoom's privacy policy: https://explore.zoom.us/en/privacy/ Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://explore.zoom.us/en/privacy/
Order processing (use of tools in the context of online meetings)
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
Legal basis for data processing in the context of online meetings:
- Insofar as personal data of employees of the company is processed, Section 26 BDSG is the legal basis for data processing.
- If, in connection with the use of the video conferencing software, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component of the use of the video conferencing software, Art. 6 para. 1 lit. f) GDPR is the legal basis for data processing. In these cases, our interest lies in the effective organisation of "online meetings".
- Otherwise, the legal basis for data processing when organising "online meetings" is Art. 6 para. 1 lit. b) GDPR, insofar as the meetings are held within the framework of contractual relationships.
- If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) GDPR. Here too, we are interested in the effective organisation of online meetings.
Rights of data subjects
- You have the right to revoke your consent to us at any time in accordance with Art. 7 para. 3 GDPR. The consequence is that we may no longer continue the data processing that was based on this consent in the future;
- You have the right pursuant to Art. 15 GDPR to request information about your personal data processed by us.
- In accordance with Art. 16 GDPR, you have the right to demand the immediate correction of incorrect or incomplete personal data stored by us;
- In accordance with Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, provided that there are no other reasons, such as fulfilment of a legal obligation or defence of legal claims, to the contrary.
- You have the right to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR.
If your personal data is processed on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR on grounds relating to your particular situation.
- The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 19 GDPR to each recipient to whom the personal data have been disclosed.
- In accordance with Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller.
- In accordance with Art. 22, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- You have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
Supervisory authority of Lower Saxony
Prinzenstraße 5, 30159 Hanover, telephone: 05 11/120-45 00, fax: 05 11/120-45 99, e-mail: poststelle@lfd.niedersachsen.de, homepage: http://www.lfd.niedersachsen.de
Supervisory authorities of all federal states:
https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html