Privacy Policy in accordance with the GDPR
I. Name and address of the controller
In accordance with the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations, the controller is:
Schramm GmbH
Flinschstrasse 18a
60388 Frankfurt am Main
Germany
Tel.: +49 69 42007 0
Email: datenschutz@schramm-gmbh.de
Website: www.schramm-gmbh.de
II. Name and address of the Data Protection Officer
The Data Protection Officer of the controller is:
Aysegül Kalkan
Information Security & Data Protection Officer, Master of Laws (LL.M.)
DZ CompliancePartner GmbH
Wilhelm-Haas-Platz
63263 Neu-Isenburg/Zeppelinheim-Ost
Tel: 069 6978-3324
Mobile: 0172 2677142
Fax: 069 6978-3322
E-Mail: ayseguel.kalkan(at)dz-cp.de
Web: http://www.dz-cp.de
III. General information about data processing
1. Scope of personal data processing
In general, we collect and use the personal data of our customers only to the extent necessary to provide a functional website and to provide our content and services. As a rule, we collect and use the personal data of our users only with their consent. An exception applies in cases in which the data subject is not able to give prior consent for practical reasons and it is legally permissible to process the data due to statutory regulations.
2. Legal basis for personal data processing
If the data subject provides consent for the processing of their personal data, Article 6(1)(a) of the EU Data Protection Regulation (GDPR) serves as the legal basis. Article 6(1)(b) GDPR also serves as a legal basis where the processing of personal data pertaining to the contracting party, which is also the data subject, is necessary in order to fulfil a contract. This also applies to processing operations which are required to conduct any precontractual measures. Article 6(1)(c) GDPR serves as the legal basis insofar as processing personal data is required in order to fulfil a legal obligation that our company is subject to. Where the vital interests of the data subject or another natural person require personal data to be processed, Article 6(1)(f) GDPR is the legal basis. Where processing is necessary for the purpose of a legitimate interest pursued by our company or by a third party and this interest is not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR provides the legal basis for the processing.
3. Data erasure and retention period
The personal data of the data subject shall be deleted or blocked as soon as the purpose for storage ceases to apply. In addition, data may be stored if the European or national legislator has stipulated this in EU regulations, laws or other provisions, which apply to the controller. Data shall also be blocked or deleted if the retention period prescribed through the abovementioned rules expires, unless the data must be stored for a longer period for the purpose of concluding or fulfilling a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system provider, DomainFactory, automatically collects data and information from the computer system of the calling computer. The following data is collected here:
- Information about the browser type and version used
- The internet service provider of the user
- The IP address of the user
- Date and time of access
- Information about the access rate, page views and sessions
- Websites from which the user’s system accesses our website
The data is stored in log files. The data is not stored with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
3. Purpose of data processing
It is necessary for the system to store the IP address temporarily to allow time for the website to be delivered to the user’s computer. For this reason, the user’s IP address must be stored for at least the duration of the session.
In addition, the data is intended to optimise the website and to ensure IT systems remain secure. The data is not evaluated for marketing purposes in this context.
For this purpose, our legitimate interest also lies in data processing in accordance with Article 6(1)(f) GDPR.
4. Data retention period
The data shall be deleted as soon as they are no longer required for the purpose for which they are being collected. The data may be stored in log files for a maximum of seven days. It is possible to extend the retention period. In this case, the user’s IP addresses are deleted or distorted, so that they can no longer be allocated to the calling client.
5. Objection and disposal
Collecting data for the provision of the website and the retention of data in log files is imperative for the operation and security of the website. It is therefore not possible for the user to object.
V. Contact form and email contact
1. Description and scope of data processing
Contact can be made via the email address provided. When submitting data via email, the personal data of the user is stored.
In this context, data shall not be disclosed to third parties. The data is used exclusively for processing the conversation. Please note that in the case of email correspondence, ordinary emails sent via the Internet are neither confidential nor secure, and can be viewed, intercepted, altered or even lost by third parties. For these reasons, personal or confidential information should never be sent in ordinary emails. If in doubt, please contact us by post or call us.
2. Legal basis for data processing
The legal basis for data processing with the consent of the user is Article 6(1)(a) GDPR. The legal basis for the processing of data transmitted by email is Article 6(1)(f) GDPR. If the aim of the email is to conclude a contract, then the additional basis for the processing is Article 6(1)(b) GDPR.
3. Purpose of data processing
In the event of making contact via email, the necessary legitimate interest in the processing of data also applies.
4. Data retention period
The data is deleted as soon as it is no longer required for the purpose for which it is being collected. This applies to personal data sent via email if the conversation with the user has come to an end. The conversation is deemed to have come to an end if the circumstances indicate that the relevant issues have been clarified.
5. Objection and disposal
The user can revoke their consent to the processing of personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.
VI. Rights of the data subject
If your personal data is processed, you are deemed to be the data subject under the terms of GDPR and you are entitled to the following rights in respect of the controller:
1. Right to be informed
You may ask the controller to confirm whether we process any personal data relating to you. If your data is being processed, you can request the information from the controller regarding the following points:
- the purposes for the processing of the personal data;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data relating to you has been disclosed or will be disclosed;
- the planned retention period for the personal data relating to you, or, if specific information is not available, criteria for determining the duration of its retention;
- the existence of a right to rectification or erasure of personal data relating to you, a right to obtain restriction of processing from the controller or a right to object to such processing;
- the existence of a right to appeal to a supervisory authority;
- all information available regarding the source from which the data originates, if the data is not collected from the data subject;
- the existence of automated decision-making including profiling under Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the scope and the intended consequences of such processing for the data subject.
You have the right to request information as to whether any personal data relating to you is transmitted to a third party country or to an international organisation. In this context, you can request to be informed regarding the relevant safeguards pursuant to Article 46 GDPR in respect of the transfer.
2. Right to rectification
You have the right to obtain rectification and/or completion from the controller, if the personal data processed and relating to you is incorrect or incomplete. The controller must make any necessary corrections without delay.
3. Right to restrict processing
You may request the restriction of the processing of your personal data under the following conditions:
- if you contest the accuracy of the personal data relating to you, for a period of time which would enable the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims, or
- if you objected to the processing pursuant to Article 21(1) GDPR and it is not yet certain whether the legitimate grounds of the controller override yours.
Where processing of your personal data has been restricted, such personal data shall, with the exception of their storage, only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in respect of the Union or of a Member State.
Where the processing has been restricted in accordance with the abovementioned conditions, you shall be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erase
You shall have the right to request from the controller that the personal data relating to you be erased without undue delay and the controller shall be obliged to erase the personal data when one of the following grounds applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- You revoke your consent, upon which processing had been based in accordance with Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal ground for the processing.
- You object to processing in accordance with Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to processing in accordance with Article 21(2) GDPR.
- The personal data relating to you has been processed unlawfully.
- The personal data relating to you must be erased for compliance with a legal obligation arising from European Union law or the law of the Member State which applies to the controller.
- The personal data relating to you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
b) Information to third parties
Where the controller has made the personal data relating to you public and is required to erase them in accordance with Article 17(1) GDPR, they shall take appropriate measures, including those of a technical nature, taking into account the technology available and the implementation costs, to inform those responsible for processing the personal data that you, as a data subject, have requested that all the links to such personal data or copies or replications of such personal data be erased.
c) Exceptions
The right to erasure does not apply insofar as processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfil a legal obligation required under European Union law or the law of the Member State which applies to the controller, or to carry out a task in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in relation to public health in accordance with Article 9(2)(h) and Article 9(3)(i) GDPR;
- for archiving purposes, scientific or historical research purposes or for statistical purposes of public interest in accordance with Article 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously affect the realisation of the objectives of such processing, or
- to assert, exercise or defend legal claims.
5. Right to notification
Where you have exercised your right to rectification, erasure or restriction of processing in respect of the controller, they are obliged to notify all recipients to whom your personal data has been disclosed of the correction or erasure of the data or the restriction of processing, unless this proves to be impossible or entails a disproportionate effort.
You have the right to be informed about these recipients by the controller.
6. Right to data portability
You have the right to receive the personal data relating to you which you have provided to a controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where
- the processing is based on consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, or on a contract in accordance with Article 6(1)(b) GDPR and
- the processing is carried out by automated means.
In exercising this right, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, at any time, to the processing of personal data relating to you which is based on Article 6(1)(e) or (f) GDPR, on grounds relating to your particular situation. This includes profiling based on those provisions.
The controller shall no longer process the personal data relating to you unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims.
Where personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for such marketing purposes, which includes profiling insofar as it is related to this direct marketing.
Where you object to processing for direct marketing purposes, the personal data relating to you shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. Revoking your consent will not affect the legality of the processing carried out prior to consent being revoked.
9. Automated decision making and profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, that has a legal effect or affects you in a similar manner. This does not apply if the decision
- is required for the conclusion or fulfilment of a contract between you and the controller,
- is permissible on the basis of the European Union or Member State legislation which applies to the controller, and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests or
- takes place with your express consent.
However, these decisions must not be based on special categories of personal data under Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.
With regard to the instances referred to in (1) and (3), the controller shall take appropriate measures to uphold your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to present your position and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Article 78 GDPR.
Data Protection Notice
Our handling of your data and your rights
– Information pursuant to articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) –
Dear Customer,
We are writing to inform you about how we process your personal data and the claims and rights you are entitled to in accordance with the data protection regulations.
Which pieces of data are processed and the way in which they are used depends largely on the services you have requested and agreed to.
1. Who is responsible for data processing and who can I contact?
Contact details for the Controller:
Schramm GmbH
Flinschstraße 18a
60388 Frankfurt am Main
Tel.: +49 69 42007 0
Email: datenschutz(at)schramm-gmbh.de
Contact details for the Data Protection Officer:
Aysegül Kalkan
Information Security & Data Protection Officer, Master of Laws (LL.M.)
DZ CompliancePartner GmbH
Wilhelm-Haas-Platz
63263 Neu-Isenburg/Zeppelinheim-Ost
Tel: 069 6978-3324
Mobile: 0172 2677142
Fax: 069 6978-3322
E-Mail: ayseguel.kalkan(at)dz-cp.de
Web: http://www.dz-cp.de
2. Which sources and data do we use?
We process personal data that we receive from you in the context of our business relationship. In addition, to the extent necessary for the provision of our services, we process personal data that we have obtained permissibly (e.g. for the completion of orders, fulfilment of contracts or on the basis of your consent) from other companies or from other third parties (e.g. suppliers). We also process personal data from open sources (e.g. debtor records, the German Federal Gazette, the commercial register and association register, the press, the media) that we have gained permissibly and are entitled to process.
Relevant personal data include personal details (name, address and other contact details, date and place of birth and nationality). In addition, this may also include order data (e.g. payment order), data from the fulfilment of our contractual obligations (e.g. account data, product data), information about your financial situation (e.g. Federal Gazette, information on credit reform), advertising and sales data, documentation data (e.g. record of advice), data about your use of the telemedia we offer (e.g. at what times you access our website, pages or entries you click on) as well as other data similar to the above categories.
3. Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):
3.1 For the fulfilment of contractual obligations (Article 6(1)(b) GDPR)
The main purpose for processing personal data (Article 4(2) GDPR) is providing and implementing our contracts or pre-contractual measures and processing your orders, as well as all necessary operational and administrative activities.
The purposes of data processing are primarily based on the specific product and may include, but are not limited to, consulting, needs analyses and support, as well as technical implementation.
Further details on the purpose for data processing can be found in the relevant contract documents and terms and conditions at https://www.schramm-gmbh.de/downloads.
3.2 In the context of balancing interests (Article 6(1)(f) GDPR)
If necessary, we process your data beyond fulfilling the contract in order to protect our legitimate interests or those of third parties such as in the following cases:
- Consulting and exchanging data with credit agencies (e.g. SCHUFA) to identify credit or default risks and the need for a bank account exempted from attachment or for a basic payment account;
- Reviewing and optimising needs analysis and direct customer contact procedure;
- Advertising or market and opinion research, provided that you have not objected to the use of your data;
- Asserting legal claims and defence in legal disputes;
- Safeguarding the IT security and IT operations of the company;
- Preventing and investigating criminal offences;
- Video surveillance is used to collect evidence of crime. This also serves to protect customers and employees and to exercise the rights of the property owner;
- Measures for building and plant safety (e.g. access controls);
- Measures to secure the rights of the property owner;
- Measures for business management and the further development of services and products.
3.3 On the basis of your consent (Article 6(1)(a) GDPR)
If you have provided your consent to the processing of your personal data for specific purposes, the legality of this processing is based on your consent. Consent can be revoked at any time. This also applies to revoking declarations of consent which were issued to us before the GDPR came into force, i.e. before May 25, 2018.
Please note that the revocation of consent will only be effective for the future. Processing that took place before the revocation of consent is not affected by this.
3.4 Due to legal requirements (Article 6(1)(c) GDPR) or in the public interest (Article 6(1)(e) GDPR)
In addition, as a company we are subject to various legal obligations, i.e. legal requirements (e.g. foreign trade law, tax laws, trade laws). The purposes of processing include, but are not limited to, the fulfilment of fiscal inspection and reporting duties, the assessment and management of risks, and credit assessment.
4. Who receives my data?
Within the organisation, the entities which have access to your data are those who need this to fulfil our contractual and legal obligations. Processors employed by us (Article 28 GDPR) may also receive data for these purposes. These include companies in IT services, logistics, printing services, telecommunications, debt collection, sales and marketing, and possibly in advice and consultation.
With regard to the transfer of data to recipients outside of the company, it should first be noted that we are bound to maintain confidentiality regarding all customer-related facts and assessments of which we become aware, in accordance with the general terms and conditions agreed between you and us.
We may only disclose information about you if we are legally required to do so, if you have given your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions (e.g. fiscal authorities, tax authorities, customs authorities) in the case of legal or regulatory obligations.
- Other entities to which we provide personal information in order to conduct the business relationship with you (for example, suppliers, depending on the contract).
5. How long will my data be stored?
If necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract. It should be noted that our business relationship is a continuing obligation which will last for years.
In addition, we are subject to various storage and documentation obligations, which emerge, inter alia, from the German Commercial Code (HGB) and the German Tax Code (AO). The set periods for storage and documentation are two to ten years.
Finally, the retention period is also judged according to the statutory limitation periods, which, for example, according to Section 195 et seq. of the German Civil Code (BGB), can normally be three years, but in some cases can also be up to thirty years.
6. Will data be transmitted to a third party country or international organisation?
The transfer of data to third party countries (states outside the European Economic Area – EEA) only takes place if this is necessary for the fulfilment of your orders, is required by law, or you have provided your consent. We will provide details to you separately, if required by law.
7. Which privacy rights do I have?
Each data subject has the right to be informed under Article 15 GDPR, the right to correction under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. With regard to the right to be informed and the right to erasure, the restrictions under Sections 34 and 35 BDSG apply. In addition, there is a right to file a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
8. Is there an obligation to provide data?
Within the context of our business relationship, you only need to provide the personal data that are required in order to establish, conduct and terminate a business relationship, or that we are required to collect by law. Without this data, we will generally have to refuse to conclude the contract or to fulfil the order, or we will be unable to complete an existing contract and possibly be obliged to terminate it.
9. To what extent does automated decision-making take place in individual cases?
In principle, we do not use fully automated decision-making pursuant to Article 22 GDPR to establish and implement the business relationship. Should we use these procedures in individual cases, we shall inform you about this separately, if this is required by law.
10. To what extent is my data used for profiling (scoring)?
In order to be able to provide you with information and advice on products in a personalised manner, we reserve the right to use evaluation tools in the future in order to facilitate needs-based communication and advertising, including marketing and opinion research.
Information regarding your Right to Object
in accordance with Article 21 of the General Data Protection Regulation (GDPR)
- On grounds relating to your particular situation, you have the right, at any time, to oppose the processing of personal data relating to you pursuant to Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision as set out in Article 4(4) GDPR, which we use for rating purposes or for advertising purposes.
If you object, we will no longer process your personal information unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing takes place for the purposes of asserting, exercising or defending legal claims.
- In individual cases, we process your personal data in order to operate direct advertising. You have the right to object at any time to the processing of personal data relating to you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to processing for direct advertising purposes, we will no longer process your personal data for these purposes.
The objection may be confirmed informally and where possible, should be addressed to:
Contact details for the Controller:
Schramm GmbH
Flinschstraße 18a
60388 Frankfurt am Main
Tel.: +49 69 42007 0
Email: datenschutz@schramm-gmbh.de
Contact details for the Data Protection Officer:
Aysegül Kalkan
Information Security & Data Protection Officer, Master of Laws (LL.M.)
DZ CompliancePartner GmbH
Wilhelm-Haas-Platz
63263 Neu-Isenburg/Zeppelinheim-Ost
Tel: 069 6978-3324
Mobile: 0172 2677142
Fax: 069 6978-3322
E-Mail: ayseguel.kalkan@dz-cp.de
Web: www.dz-cp.de