Information obligations according to Article 13 and Article 14 GDPR
We take the protection of your personal data very seriously. We treat your
personal data confidentially and in accordance with the statutory data
protection regulations and this privacy policy.
The following information gives you a simple overview of what happens to your
personal data when you visit this website and use our services.
Detailed information on data recording on our website can be found in our
UTSCH | Privacy Policy | UTSCH
Your personal data will not be passed on to third parties. In particular, the
data will not be transferred to a third country or an international
organization. However, as your data is provided via a web application on the
Internet, the confidentiality, integrity (inviolability), authenticity
(genuineness) and availability of personal data cannot be fully guaranteed.
General notes and information requirements
Contact details of the controller responsible for processing
Erich Utsch AG
Marienhütte 49 | 57080 Siegen
Further information can be found in the UTSCH | About Us | UTSCH
Contact details of the data protection officer
Datenschutz@utsch.com
Further information can be found in the UTSCH | Privacy Policy | UTSCH
Rights of the data subjects
Art. 15 GDPR - Right to information
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
Art. 16 GDPR - Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Art. 17 GDPR - Right to deletion
The data subject has the right to obtain from the controller the deletion of
personal data concerning him or her without undue delay. However, this is only
possible if the personal data is no longer necessary, there are no statutory
retention periods, the data is being processed unlawfully or consent has been
withdrawn.
Art. 18 GDPR - Right to restriction of processing
The data subject has the right to obtain from the controller restriction of
processing. The right to restriction of processing includes the possibility for
the data subject to prevent further processing of the personal data concerning
them for the time being. A restriction occurs above all in the review phase of
the legal situation of processing by the data subject.
Art. 19 GDPR - Right to notification
The controller shall communicate any rectification or erasure of personal data
or restriction of processing carried out in accordance with Article 16,
Article 17(1) and Article 18 GDPR to each recipient to whom the personal data
have been disclosed, unless this proves impossible or involves disproportionate
effort. The controller shall inform the data subject of these recipients if the
data subject so requests.
Art. 20 GDPR - Right to data portability
The right to data portability includes the possibility for the data subject to
receive the personal data concerning him/her from the controller in a commonly
used, machine-readable format in order to have it forwarded to another
controller if necessary.
Art. 21 GDPR - Right to object
The right to object includes the possibility for data subjects to object to the
further processing of their personal data in a particular situation, insofar as
this is justified by the performance of public tasks or public and private
interests.
Art. 22 GDPR - Right to automated individual decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on
automated processing, including profiling.
Art. 77 GDPR - Right to lodge a complaint with a supervisory authority
In the event of breaches of data protection law, the data subject has the right
to lodge a complaint with the competent supervisory authority.
The supervisory authority responsible for the controller is:
In the event of breaches of data protection law, you have the right to appeal
(Art. 77 GDPR) to the competent supervisory authority. The competent
supervisory authority for data protection issues is the state data protection
officer of the federal state in which our company is based.
Contact details can be found at the following link:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
All other data protection authorities in the respective EU member states
can be found under the following link:
http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
Data processing – Customer/supplier relationship
If you contact us by e-mail, telephone or fax, we will store and process
your enquiry, including all resulting personal data, for the purpose of
processing your request. We will not pass on this data without your consent.
Categories of personal data:
We collect the personal data transmitted by you; these include, but are
not limited to:
- First name
- Surname
- Company
- Street
- House number
- Postcode
- Telephone number
- E-mail
- Correspondence
Origin of the personal data:
We process personal data that we receive from you in the context of
contacting you or establishing a contractual relationship or in the context of
pre-contractual measures.
Recipient of the data:
We only pass on your personal data within our company to those areas and
persons who require this data to fulfil contractual and legal obligations or to
implement our legitimate interest.
Legal basis for data processing
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your
enquiry is related to the fulfilment of a contract or is necessary for the
implementation of pre-contractual measures. In all other cases, the processing
is based on our legitimate interest in the effective processing of the e-mail
or similar sent to us (Art. 6 para. 1 lit. f GDPR), to fulfil a legal
obligation to which we are subject (Art. 6 para. 1 lit. c GDPR), or on your
consent (Art. 6 para. 1 lit. a GDPR) if this has been requested and given by
you.
Duration of storage
Your personal data will remain with us until you ask us to erase it,
revoke your consent to storage or the purpose for data storage no longer
applies (e.g. after your request has been processed).
Mandatory statutory provisions - in particular retention periods -
remain unaffected.
Data processing – Contact form
We offer a contact form on our website that you can use to request
information about our products or services or to contact us in general. We have
marked the data that you must provide in order to respond to an enquiry as
mandatory fields. Information on other data fields is voluntary.
We need this information in order to process your enquiry, address you
correctly and send you an answer. Data processing is carried out for specific
enquiries to fulfil a contract or to initiate a contract. In the case of
general enquiries, processing takes place on the basis of a weighing of
interests.
Categories of personal data:
Mandatory fields:
- First name
- Surname
- Email
- Information provided to us via the free text field.
Origin of the personal data:
Your personal data is collected directly from you.
Legal basis for data processing
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if
your enquiry is related to the fulfilment of a contract or is necessary for the
implementation of pre-contractual measures. In all other cases, the processing
is based on our legitimate interest in the effective processing of the
enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art.
6 para. 1 lit. a GDPR) if this has been requested and granted by you.
Duration of storage
The data you enter in the contact form will be stored until you ask us
to delete it, revoke your consent to storage or the purpose for data storage no
longer applies (e.g. after your enquiry has been processed).
Mandatory statutory provisions - in particular retention periods -
remain unaffected.
Data processing – Online-Shop
We use your personal information to take and process orders, deliver
products and services, process payments and communicate with you about orders,
products, services and promotional offers.
Categories of personal data:
- Master data (such as first name, surname, name affixes)
- Contact details (such as private address, e-mail, telephone number)
- payment information
- bank details
Origin of the personal data:
Your personal data is collected directly from you.
Legal basis for data processing
The order and the entry of the e-mail address represent the legal basis
on which we process the personal data (consent pursuant to Art. 6 para. 1
letter a GDPR and fulfilment of contract pursuant to Art. 6 para. 1 letter b).
Duration of storage
We store your information for as long as necessary to fulfil the
purposes described in this privacy policy or as required by law, e.g. for tax
and accounting purposes.
Data processing – Video monitoring during maintenance work
For the purpose of monitoring external service providers during maintenance
work on in-house systems via remote maintenance, a recording function that
records all user activities is installed on the controller's secure access
point. The data is processed on the basis of legitimate interest. The legal
basis for processing the data is therefore Article 6(1)(f) of the General Data
Protection Regulation. The legitimate interest lies in the exercise of
domiciliary rights, the prevention of criminal offences (in particular (data)
theft, burglary, fraud, damage to property and vandalism), the protection of
property and assets, the protection of employees, customers and visitors of the
controller.
Categories of personal data:
Recording of persons who enter the recording area of the system via
remote maintenance. If necessary, the identity (name) of employees and, if
applicable, of external persons, by implication through indirect
identifiability.
Origin of the personal data:
The data is generated exclusively by the monitoring system when a data
subject enters the recording area.
Recipient of the data:
Internal departments involved in the execution of the respective
business processes: IT department, management, data protection officer, data
protection coordinator, service providers who are contractually bound to the
controller in accordance with Art. 28 GDPR. All employees of our company who
maintain the system have access to this data.
External bodies: Data is only transferred to third parties if
we are legally obliged to do so (e.g. to investigate criminal offences). Some
of our data processing systems and our electronic communication systems are
managed by our external co-operation partners for support and maintenance
purposes. Contracts have been concluded with these partners in accordance with
Article 28 GDPR.
Legal basis for data processing
We process personal data on the basis of consent in accordance with
Article 6(1)(a) GDPR. In all other cases, the processing is based on our
legitimate interest (Art. 6 para. 1 lit. f GDPR).
Duration of storage
The recorded image material is automatically deleted after 64 days.
Data processing – Video monitoring on the premises of the person responsible
The use of video/camera monitoring is exclusively for operational
security, access control and monitoring of the building exteriors, especially
to prevent theft and criminal offences on the company premises and company car
parks.
Categories of personal data:
Recording of persons moving around the company's outdoor areas (company
premises/company car parks).
Origin of the personal data:
The data is generated exclusively by the surveillance system when a data
subject moves into the recording area.
Recipients of the data:
Internal departments involved in the execution of the respective
business processes: IT department, management, data protection officer, data
protection coordinator, service providers who are contractually bound to the
controller in accordance with Art. 28 GDPR. All employees of our company who
maintain the system have access to this data.
External bodies: Data is only transferred to third parties if
we are legally obliged to do so (e.g. to investigate criminal offences). Some
of our data processing systems and our electronic communication systems are
managed by our external co-operation partners for support and maintenance
purposes. Contracts have been concluded with these partners in accordance with
Article 28 GDPR.
Legal basis for data processing
Data processing is based on legitimate interest. The legal basis for the
processing of data is therefore Article 6(1)(f) of the General Data Protection
Regulation. The legitimate interest lies in the exercise of domiciliary rights,
the prevention of criminal offences (in particular theft, burglary, robbery,
fraud, damage to property and vandalism), the protection of property and
assets, the protection of employees, customers and visitors of the controller.
Duration of storage
The recorded image material is automatically deleted after 6 working
days.
Data processing – Personnel
We only process data that is related to your application or your
employment relationship and that is required to fulfil contractual, accounting
and tax obligations.
The following personal data may be involved in the application process:
· Master data (such as first name, surname, name affixes, nationality)
· Contact details (such as private address, e-mail, telephone number)
· Application documents (such as certificates, CV, cover letter, university
degree, vocational training, submitted documents, etc.)
· Copies of identity cards (if necessary for the fulfilment of the contract).
· Correspondence (e.g. correspondence with you)
This may also include special categories of personal data such as health data.
In addition to the above-mentioned categories of personal data, the
following data may be collected in the employment relationship:
· Log data generated when using the IT systems
· Copies of driving licences (if necessary for the fulfilment of the contract).
· Other data from the employment relationship (e.g. time recording data,
holiday times, bank details, training, educational leave, unpaid leave,
employee appraisals),
· Contractual provisions (such as employment contract and any amendments,
documents, social data, national insurance number, pension insurance number,
salary data and tax identification number, secondary activities (first aider,
fire protection, safety officer, etc.), fringe benefits and allowances)
· Salary statements, income tax certificates, company pension scheme, fringe
benefits.
· Health-related data (e.g. periods of incapacity for work, risk assessment,
pregnancy, company reintegration management)
As part of our collaboration with companies within and outside our
corporate structure, we use the name, contact details and face as a means of
identification (subject to consent). In addition, we would like to address our
customers and suppliers personally and, if necessary, publish images of
employees on digital channels or in print media.
The digital images will only be used for one or more of the following
purposes if you have given your specific consent in accordance with Art. 7 GDPR:
· Publication as part of the use of Microsoft Office and the associated
services (Contacts, Microsoft Teams, Microsoft Skype, Microsoft Outlook, etc.)
within the Group.
· Publication on the intranet of our company
· Publication on our company's intranet, to which employees of other companies
in the group of companies also have access.
· Publication on our company's website
· In the social media channels of our company (Facebook, YouTube, Twitter, etc.)
· As a presentation for trade fairs and similar events organised by our company
· As part of a report in the local press
· In publications (both online and in print) that were created as part of the
project, e.g. information brochures, project reports
After leaving the company, the images are initially blocked by blocking the
account and then permanently deleted at the end of the statutory retention
periods.
Origin of personal data:
As a rule, your personal data is collected directly from you as part of
the application/hiring process or during the employment relationship. In
certain constellations, your personal data is also collected from other sources
due to legal regulations. This includes, in particular, event-related queries
of tax-relevant information from the responsible tax office and information on
periods of incapacity for work from the respective health insurance company. We
may also have received data from third parties (e.g. recruitment agencies).
Recipients of the data:
We only pass on your personal data within our company to those areas and
persons who need this data to fulfil contractual and legal obligations or to
implement our legitimate interest.
We may transfer your personal data to companies affiliated with us in
accordance with Recital 48 GDPR, insofar as this is permitted within the scope
of the purposes and legal bases set out in Section 3 of this data protection
information sheet.
To fulfil our contractual and legal obligations, we also use various
external service providers for the processing, support and maintenance of our
data processing systems and electronic communication systems. Contracts have
been concluded with these service providers in accordance with Article 28 GDPR.
In addition, we may transfer your personal data to other recipients
outside the company if this is necessary to fulfil our contractual and legal
obligations as an employer. These may be, for example:
· Public authorities (e.g. pension insurance providers, professional pension
schemes, social insurance providers, tax authorities, courts)
· Employee's bank (SEPA payment institution)
· Health insurance funds
· Authorities to guarantee claims from the company pension scheme
· Authorities in order to be able to pay out the benefits affecting assets
· Third-party debtors in the event of wage and salary garnishment
· Insolvency administrator in the event of personal insolvency
Legal basis for data processing
We process your personal data in compliance with the provisions of the
GDPR, the BDSG and all other relevant laws (e.g. BetrVG, ArbZG, etc.). The
primary purpose of data processing is to establish, implement and terminate the
employment relationship. The primary legal basis for this is Art. 6 para. 1 b)
GDPR in conjunction with Section 26 para. 1 BDSG. In addition, collective
agreements (group, overall and works agreements as well as collective
bargaining agreements) pursuant to Art. 6 para. 1 b) in conjunction with Art.
88 para. 1 GDPR in conjunction with Section 26 para. 4 BDSG and, if applicable,
your separate consent pursuant to Art. 6 para. 1 a), Art. 7 GDPR in conjunction
with Section 26 para. 2 BDSG (e.g. in the case of video recordings) may be used
as a data protection authorisation provision. We also process your data in
order to fulfil our legal obligations as an employer, particularly in the area
of tax and social security law. This is done on the basis of Art. 6 para. 1 c) GDPR
in conjunction with Section 26 BDSG. If necessary, we also process your data
on the basis of Art. 6 para. 1 f) GDPR in order to protect our legitimate
interests or those of third parties. This applies in particular to the
investigation of criminal offences (legal basis § 26 para. 1 sentence 2 BDSG)
or employee appreciation measures.
Insofar as special categories of personal data are processed in
accordance with Art. 9 para. 1 GDPR, this serves the exercise of rights or the
fulfilment of legal obligations arising from labour law, social security law
and social protection (e.g. disclosure of health data to the health insurance
company, recording of severe disability due to additional leave and
determination of the severely disabled levy) within the scope of the employment
relationship. This is done on the basis of Art. 9 Para. 2 b) GDPR in
conjunction with Section 26 Para. 3 BDSG. In addition, the processing of health
data for the assessment of your ability to work in accordance with Art. 9 para.
2 h) in conjunction with § 22 para. 1 b) BDSG may be necessary. In addition,
the processing of special categories of personal data may be based on consent
in accordance with Art. 9 para. 2 a GDPR in conjunction with Section 26 para. 2
BDSG (e.g. company health management).
Duration of storage
We delete your personal data as soon as it is no longer required for the
above-mentioned purposes. In the event that you have consented to your personal
data being stored for a longer period, we will store it in accordance with your
declaration of consent.
If no employment, training or internship relationship is established,
your application documents will be deleted no later than six months
after the end of the application process (e.g. notification of the rejection decision),
unless longer storage is legally required or permitted. We only store your
personal data beyond this if this is required by law or in a specific case for
the assertion, exercise or defence of legal claims for the duration of a legal
dispute.
If an employment, training or internship relationship does not
materialise, you may receive an invitation to join our talent pool following
the application process. This allows us to consider you for suitable vacancies
in our applicant selection process in the future. If we have your consent to do
so, we will store your application data in our talent pool in accordance with
your consent or any future consents.
If an employment, training or internship relationship is
established, we will process your personal data for as long as this is
necessary for the establishment, implementation or handling of the employment
relationship or for the exercise or fulfilment of the rights and obligations
arising from the employment contract or for the exercise or fulfilment of the
rights and obligations of the employee representative body arising from a law
or a collective agreement, a works or service agreement (collective agreement).
In addition, we are subject to various retention and documentation
obligations, including those arising from the German Commercial Code (HGB) and
the German Fiscal Code (AO). The retention and documentation periods stipulated
there are two to ten years.
Finally, the storage period also depends on the statutory limitation
periods, which, for example, according to §§ 195 ff. of the German Civil Code
(BGB), are generally three years, but in certain cases can be up to thirty
years.