DEKRA Certification GmbH
Information obligations customers and suppliers
1 General
DEKRA Certification GmbH takes the protection of your personal data very seriously. Your privacy is important to us. We process your personal data in accordance with the applicable statutory data protection requirements for the following purposes. Personal data in the sense of this data protection information is all information that relates to you as an individual.
In the following we explain how we handle this data. For a clearer overview, we have divided our data protection information into chapters.
Controller of the data processing is
DEKRA Certification GmbH
Handwerkstraße 15
70565 Stuttgart
Germany
Telephone: +49.711.78 61-25 66
Fax: +49.711.78 61-26 15
E-Mail: certification.de@dekra.com
If you have any questions or comments about privacy (such as information and updates of your personal information), you may also contact our Privacy Officer.
Irina Weiß
Deutsche Datenschutzkanzlei
Dr.-Klein-Straße 29
88069 Tettnang
Datenschutz.certification@dekra.com
2 Processing framework
2.1 Source of data collection
We process personal data that we have collected directly from you.
Insofar as this is necessary for the provision of our services, we process personal data that has been legitimately obtained from other companies or other third parties (e.g. credit agencies, address publishers). In addition, we process personal data that we have legitimately collected, received or acquired from publicly available sources and are entitled to process (such as telephone directories, trade and association registers, population registers, debtor registers, land registers, press, Internet and other media).
2.2 Data categories
Relevant categories of personal data may include, in particular:
- Personal data (name, date of birth, place of birth, nationality, occupation/industry and similar data)
- Contact information (address, e-mail address, telephone number and similar data)
- Payment/coverage confirmation for bank cards and credit cards, customer history
- Data about your use of the telemedia offered by us (e.g. time of visiting our websites, apps or newsletters, our pages/links clicked on or entries and similar data)
- Video and image recordings
- Creditworthiness data
2.3 Purposes and legal basis of the processed data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the new version of the Federal Data Protection Act (BDSG-neu) and other applicable data protection regulations (details below). Which data are processed in detail and how they are used depends largely on the services requested or agreed in each case. Further details or additions for the purposes of data processing can be found in the respective contractual documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of the use of our website or our general terms and conditions).
Purposes for the performance of a contract or pre-contractual measures (Art. 6 (1) b GDPR)
The processing of personal data takes place to carry out our contracts with you and the execution of your orders as well as to carry out measures and activities in the context of pre-contractual relationships, e.g. with interested parties. This essentially includes: contract-related communication with you, the corresponding billing and associated payment transactions, the traceability of orders and other agreements as well as quality control through appropriate documentation, goodwill procedures, measures to monitor and optimize business processes and to fulfill general duties of care, control and monitoring by affiliated companies; statistical evaluations for corporate control, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; guarantee of IT security (e.g. system or plausibility tests) and general security, securing and exercising the right of admission (e.g. through access controls); guaranteeing the integrity, authenticity and availability of data, prevention and investigation of criminal offences and monitoring by supervisory bodies or control bodies (e.g. auditors).
Purposes within the scope of a legitimate interest for us or third parties (Art. 6 (1) f GDPR)
Beyond the actual performance of the contract or preliminary contract we process your data if necessary to pursue a legitimate interest of us or a third party, in particular for purposes of
- advertising or market and opinion research, provided that you have not objected to the use of your data;
- the testing and optimisation of needs analysis procedures;
- the further development of services and products as well as existing systems and processes;
- the enhancement of our data, including through the use or researching of publicly accessible data;
- statistical evaluations or market analysis; benchmarking;
- the assertion of legal claims and defence in legal disputes which are not directly attributable to the contractual relationship;
- the limited storage of data, if deletion is not possible or is only possible with a disproportionate amount of effort due to the special nature of the storage;
- the development of scoring systems or automated decision-making processes;
- the prevention and investigation of criminal offences, if not exclusively for the fulfilment of legal requirements;
- building and system security (e.g. through access controls), if this goes beyond the general duty of care;
- internal and external investigations as well as security checks;
- the preservation and maintenance of certifications of a private-law or official nature;
- securing and exercising the right of admission through appropriate measures (such as video surveillance) and to secure evidence of criminal offences and to prevent such;
- fulfillment of accountability obligations to the accreditation body.
Purposes in the context of your consent (Art. 6 (1) a GDPR)
Your personal data may also be processed for certain purposes with your consent (e.g. use of your e-mail address for marketing purposes). As a rule, you can withdraw this consent at any time. This also applies to the withdrawal of consents issued to us prior to the GDPR coming into force, i.e. before May 25, 2018. You will be informed separately of the purpose and consequences of withdrawal or non-issuance of consent in the corresponding consent text. In principle, the withdrawal of consent is only effective for the future. Processing that took place before the withdrawal is not affected and remains lawful.
Purposes for the fulfilment of legal requirements (Art. 6 (1) c GDPR) or in the public interest (Art. 6 (1) e GDPR)
Like everyone who participates in economic activities, we too are subject to a large number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws), but also, where applicable, regulatory or other official requirements. The purposes of the processing may include the fulfilment of fiscal control and reporting obligations, the archiving of data for the purposes of data protection and data security, and the examination by fiscal and other authorities. Furthermore, the disclosure of personal data within the framework of official/judicial measures may become necessary for the purpose of collecting evidence, criminal prosecution or enforcement of civil law claims.
Scope of your obligations to provide us with data
You only have to provide us with data which is necessary for the establishment and implementation of a business relationship or for a pre-contractual relationship with us or which we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract. This may also refer to data required later in the course of the business relationship. If we request further data from you, you will be informed of the voluntary nature of the information separately.
Existence of automated decision making in individual cases (including profiling)
We do not use solely automated decision-making procedures pursuant to Article 22 GDPR. If we should nevertheless use such a procedure in individual cases in the future, we will inform you of this separately, if this is prescribed by law.
To provide you with targeted information and advice on products, we may use evaluation tools. These enable demand-oriented product design, communication and advertising, including market and opinion research. Information on nationality and special categories of personal data pursuant to Art. 9 GDPR are not processed.
2.4 Consequences of failure to provide data
In the context of the business relationship, you must provide the necessary personal data for the establishment, execution and termination of the legal transaction and the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we will not be able to execute the legal transaction with you.
2.5 Recipients of data within the EU
Within our company, the internal departments or organisational units that receive your data are those which require these to fulfill our contractual and legal obligations or within the context of the processing and execution of our legitimate interest. Within our group, your data will be transmitted to certain companies where these companies undertake central data processing tasks (e.g. accounting, disposal of documents, IT support).
Your data will only be passed on to external bodies
- in connection with the execution of the contract;
- for the purpose of fulfilling legal requirements according to which we are obliged to provide information, to report or pass on data, or the passing on of data is in the public interest (see Section 2.4);
- if external service providers process data on our behalf as processors or function providers (e.g. data centres, support / maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data validation or plausibility checks, data destruction, purchasing / procurement, customer administration, letter shops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutes, print shops or companies for data disposal, courier services, logistics);
- on the basis of our legitimate interest or the legitimate interest of the third party for the purposes mentioned (e.g. to authorities, credit agencies, debt collectors, lawyers, courts, experts, subsidiaries and bodies and control bodies);
- if you have given us your consent for transmission to third parties.
Beyond this, we will not share your data with third parties. If we commission service providers within the context of order processing, your data are subject to the same security standards there as they are with us. In all other cases, recipients may only use the data for the purposes for which they were provided to them.
2.6 Recipients of data outside the EU
If we transfer personal data to service providers or affiliated companies outside the European Economic Area (EEA), the transfer will only take place if we are authorised to make the transfer and the third country has been confirmed by the European Commission to have an adequate level of data protection or other appropriate data protection safeguards (e.g. binding corporate privacy rules or EU standard contractual clauses).
2.7 Storage duration
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to various storage and documentation obligations pursuant to, inter alia, the German Commercial Code (HGB) and the German Tax Code (AO). The deadlines for storage and / or documentation specified therein are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship to the end of the calendar year.
Furthermore, special legal regulations may require a longer storage period, e.g. the preservation of evidence within the framework of the legal statute of limitations. Pursuant to Sections 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years, but limitation periods of up to 30 years may also apply.
If the data is no longer required for the fulfilment of contractual or legal obligations and rights, they are deleted on a regular basis, unless their – limited – further processing is necessary to fulfill the purposes for an overriding legitimate interest. Such an overriding legitimate interest also exists, for example, if erasure is not possible or only possible with a disproportionate amount of effort due to the special nature of the storage, and processing for other purposes by suitable technical and organizational measures is excluded.
2.8 Your rights
Under certain conditions, you can assert your data protection rights against us.
- You thus have the right to receive information from us about your data stored by us pursuant to the rules of Art. 15 GDPR (possibly with restrictions pursuant to Section 34 Federal Data Protection Act-New)
- If you so request, we will correct the data stored about you pursuant to Art. 16 GDPR if they are inaccurate or incorrect.
- If you so desire, we will erase your data pursuant to the principles of Art. 17 GDPR, provided that other legal regulations (e.g. legal storage obligations or the restrictions pursuant to Section 35 Federal Data Protection Act) or an overriding interest on our part (e.g. to defend our rights and claims) do not oppose this.
- You may ask us to restrict the processing of your data, taking into account the requirements of Art. 18 GDPR.
- Furthermore, you may object to the processing of your data pursuant to Art. 21 GDPR, which requires us to stop processing your data. However, this right to object only applies in the event of very special circumstances regarding your personal situation, whereby our company’s rights may conflict with your right to object.
- You also have the right to receive your data in a structured, common and machine-readable format under the conditions of Art. 20 GDPR or to transmit them to a third party.
- In addition, you have the right to withdraw the consent to the processing of personal data you granted at any time with future effect (see Section 2.3).
- You also have a right of appeal to a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always address a complaint to our Data Protection Officer initially.
- If possible, your applications for the exercising of your rights should be addressed in writing or by e-mail to the above address or directly in writing or by e-mail to our Data Protection Officer.
Special reference to your right of objection according to Art. 21 GDPR
You have the right to object at any time to the processing of your data on the basis of Art. 6 (1) f GDPR (data processing on the basis of a balance of interests) or Art. 6 (1) e GDPR (data processing in the public interest), if reasons for this exist arising from your particular situation.
This also applies to profiling based on this provision as defined by Art. 4 No. 4 GDPR. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend a legal claim.
We may also process your personal data for direct advertising purposes. If you do not wish to receive advertising, you have the right to object to it at any time; this also applies to profiling, if this is associated with such direct advertising. We will take this objection into account in the future. We will no longer process your data for direct advertising purposes if you object to processing for these purposes.
The objection may be lodged informally and should be addressed to:
DEKRA Certification GmbH
Handwerkstrasse 15
70565 Stuttgart
Germany
You may also lodge a complaint with the above Data Protection Officer or a data protection supervisory authority.
The data protection supervisory authority with jurisdiction over us is:
State Representative for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10a
70173 Stuttgart