I. Name and address of the entity responsible for data processing (the “Data Controller” or “Controller”)
The Controller, as defined by the General Data Protection Regulation, other national data protection laws of Member States and other provisions of data protection law, is:
Flachglas Nord-Ost GmbH
Managing Director: Achim Haag
Am Schaugraben 139606 Osterburg
Phone +49 (0) 39 37 22 22-0
Fax +49 (0) 39 37 22 22-30
II. Name and address of the data protection officer
Name and address of the data protection officer:
Lawyer specialising in information technology law
Dr. Christian Rauda
GRAEF Rechtsanwälte Digital PartG mbB
III. General information on data processing
1. Scope of personal data processing
As a rule, we collect and use our users’ personal data only to the extent necessary to provide a functioning website, our content and services. Our users’ personal data are normally collected and used only with their consent. An exception is made in cases where obtaining consent in advance is impossible for factual reasons and processing of the data is permitted by provisions of law. The types of data that are processed are:
- User-related data (e.g., names, addresses).
- Contact data (e.g., email, telephone numbers).
- Content data (e.g., text entries, photographs, videos).
- Use data (e.g., web pages visited, interest in contents, access times).
- Meta/communication data (e.g., device information, IP addresses).
2. Legal basis for the processing of personal data
Where we obtain the consent of data subjects for processing operations concerning personal data, these operations are based on Art. 6(1)(a) of the EU General Data Protecting Regulation (GPDR). Any processing of personal data that is necessary for the performance of a contract to which the relevant data subject is a party is based on Art. 6(1)(b) GPDR. This also applies to processing operations that are required to take steps prior to entering into a contract. Where the processing of personal data is necessary to comply with a legal obligation to which our company is subject, processing is based on Art. 6(1)(c) GPDR. Where the processing is necessary for the purposes of legitimate interests pursued by our company or a third party, and where the data subject's interests, fundamental rights or freedoms do not override such interests, processing is based on Art. 6 (1)(f) GPDR.
3. Data deletion and duration of storage
The data subject’s personal data are deleted or blocked once the purpose of the storage no longer applies. The data may remain in storage thereafter if the European or national legislators have so provided in Union regulations, laws, or other rules to which the Controller is subject. The data are blocked or deleted also when a storage time limit prescribed by the aforementioned rules or regulations expires, unless further storage of the data is required for entry into or performance of a contract.
4. Performance of contractual services
We process user-related data (e.g. names and addresses along with users’ contact data) and contract data (e.g. services used, names of contacts, payment information) for the purpose of performing contractual obligations and services in accordance with Art. 6(1) lit b GDPR. The entries marked on online forms as mandatory are required for entry into a contract.
When our online services are used, we store the user’s IP address and the time of the user’s action. These data are stored on the basis of our legitimate interests and of the user’s interest in protection from misuse and other unauthorised use. These data are never disclosed to third parties unless such disclosure is necessary for the pursuit of our claims or we are obliged by law to make such disclosure as provided in Art. 6(1) lit. c GDPR.
We process user data (e.g. the web pages visited on our online site, interest in our products) and content data (e.g. entries in the contact form such as a name, telephone number, email address) in order to offer contract proposals to the user.
The data are deleted once statutory warranty periods and comparable duties expire. In the case of statutory archiving duties, the data are deleted after those duties expire. If the customer has a customer account, the data it contains remain until the account is deleted.
5. Transfers to third countries
If we process data in a “third country” (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or such processing takes place in connection with the use of third-party services or the disclosure or transfer of data to third parties, we do so only to perform our contractual or pre-contractual duties, on the basis of your consent, owing to a legal obligation, or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process the data, or have them processed, in a third country only if the special conditions provided in Art. 44 et seqq. GDPR are present. I.e., the processing is performed, for example, on the basis of special guarantees such as an officially recognised finding of a level of data protection that conforms to EU standards (for the U.S.A., for example, through the “Privacy Shield”) or observance of officially recognised special contractual obligations (referred to as “standard contract clauses”).
IV. Provision of the website and creation of log files
When our website is visited, our system automatically collects data and information from the accessing computer system.
The following data are collected for a limited period of time:
- Information about the browser type and version used
- The user’s operating system
- The user’s Internet service provider
- The user’s IP address
- The date and time of access
- Websites from which the user’s system came to our website
The data are stored in our system’s log files. These data are needed only for analysis of any disruptions that may take place and are deleted within no more than seven days. The legal basis for temporary storage of the data and for the log files is provided in Art. 6(1) lit. f GDPR. Temporary storage of IP addresses by the system is necessary to enable delivery of the website to the user’s computer. For this purpose the user’s IP address must be stored for the duration of the session. Storage in log files serves the purpose of ensuring that the website is functional. In addition, the data enable us to optimise the website and to ensure the security of our information-related systems. No analysis of the data for marketing purposes takes place in this connection, and no conclusions are drawn as to your personal identity. It is in these purposes that our legitimate interest in data processing lies according to Art. 6(1) lit. f GDPR. Collection of the data for the purpose of providing the website and storage of the data in log files for the website’s operation are absolutely necessary. The user, consequently, has no basis on which to raise an objection.
V. Data protection as it pertains to applications and the application process
The Data Controller responsible for the processing collects and processes the personal data of applicants for the purpose of carrying out the application process. Such processing can be done also by electronic means. This is the case in particular when an applicant sends the appropriate application papers by electronic means, for example by email or through a web form located on our website, to the Data Controller responsible for processing them. If the Data Controller enters into a contract of employment with the applicant, the transferred data are saved for the purpose of establishing the employment relationship in compliance with the applicable provisions of law. If the Data Controller does not enter into a contract of employment with the applicant, then the application papers are automatically deleted once the decision to reject the applicant is made known, provided that their deletion is not prevented by any other legitimate interests of the Controller. Other legitimate interests in this sense include, for example, a burden of proof in legal proceedings according to the German General Equal Treatment Act [Gleichbehandlungsgesetz] (AGG). The statutory time limits for archiving and deletion apply.
V. Web analyses by Google services
Google is certified under the Privacy Shield framework and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyse the user’s use of our website, to compile reports on activities within this website, and to provide us with other services associated with the use of this website and of the Internet. Pseudonymised user profiles may be created from the processed data.
We use Google Analytics only with IP anonymisation activated. This means that the user’s IP address is truncated by Google within the Member States of the European Union or in other countries that are signatories to the Agreement on the European Economic Area. Only in exceptional cases is the entire IP address transferred to a Google server in the U.S.A. and truncated there.
The IP address transmitted by the user’s browser is not combined by Google with other data. Users may prevent cookies from being stored by making the appropriate setting in their browser software; they may in addition prevent Google from collecting and processing the data generated by the cookie and relating to their use of the website by downloading and installing the browser plug-in that is available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
You can find more information about how data are used by Google, setting options and means of opposition on Google’s web pages: https://www.google.com/intl/de/policies/privacy/partners (“How Google uses data when you use our partners’ websites or apps”), http://www.google.com/policies/technologies/ads (“Use of data for advertising purposes”), http://www.google.de/settings/ads (“Managing information that Google uses to display advertising to you”).
In addition, we link to the page at www.google.de so that you can set a bookmark for our homepage in your browser. This is subject to the terms of Google referred to above.
V. Online presences in social media
VIII. Rights of data subjects
If your personal data are processed, then you are a “data subject” as defined by the GDPR, and you therefore have the following rights in relation to the Controller:
1. Right of access
You may demand of the Controller confirmation as to whether personal data relating to you are processed by us.
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or categories of recipient to whom the personal data relating to you have been or will be disclosed;
- the planned duration of the storage of personal data relating to you or, if no concrete information is to be had in that regard, the criteria by which the duration of storage is determined;
- the existence of a right to rectification or erasure of personal data relating to you, a right to restrict processing by the Controller, or a right to object to such processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- all available information about the origin of the data if the personal data were not collected from the data subject;
- you have the right to demand disclosure of whether personal data relating to you are transferred to a third country or an international organisation. In this connection, you may demand to be instructed as to the appropriate safeguards according to Art. 46 GDPR in connection with the transfer of personal data.
2. Right to rectification
You have a right to rectification and/or completion by the Controller if the processed personal data relating to you are inaccurate or incomplete. The Controller must make the rectification without delay.
3. Right to restriction of processing
Subject to the following conditions, you may demand that the processing of personal data relating to you be restricted:
- if you dispute the personal data relating to you for a period of time that enables the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests that their use be restricted instead;
- the Controller no longer needs the personal data for the purposes of their processing but you need them to assert, exercise or defend legal claims; or
- if you have objected to processing pursuant to Article 21(1) GDPR and it has not yet been established whether the legitimate grounds of the controller outweigh your grounds.
If processing of personal data relating to you has been restricted, then those data may be processed, apart from their storage, only with your consent, to assert, exercise or defend legal claims, to protect the rights of another natural or legal person, or on grounds of a substantial public interest of the Union or of a Member State.
If data processing has been restricted in accordance with the aforementioned conditions, you will be informed by the Controller before the restriction is lifted.
4. Right to erasure
a) Duty to erase
You may demand of the Controller that the personal data relating to you be erased without delay, and the Controller is obliged to erase those data without delay if any of the following grounds apply:
- The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent which provided the legal basis for the processing according to Art. 6(1) lit. a or Art. 9(2) lit. a GDPR, and there is no other legal basis for the processing.
- You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- The personal data relating to you have been processed unlawfully.
- Erasure of the personal data relating to you is required for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
- The personal data relating to you were collected in reference to offered information society services according to Article 8(1) GDPR.
b) Information to third parties
If the Controller has made the personal data relating to you public and is obliged according to Art. 17(1) GDPR to erase them, the Controller, taking into account the available technology and the cost of implementation, will take appropriate steps, including those of a technical nature, to inform controllers that are processing the personal data that you, as a data subject, have requested of them the erasure of all links to, or copies or replications of, those personal data.
The right to erasure does not apply if the processing is necessary
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation that requires processing according to Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or that is performed in exercise of official authority that has been vested in the Controller;
- for reasons of public interest in the area of public health in accordance with points Art. 9(2) lit. h and i along with Art. 9(3) GDPR;
- to assert, exercise or defend legal claims.
5. Right to notification
If you have asserted to the Controller your right to rectification, erasure or restriction of processing, then the Controller is obliged to make such rectification, deletion, or restriction of data known to all recipients to whom the personal data relating to you have been disclosed, unless doing so proves impossible or would entail a disproportionate cost.
You have a right to be informed of those recipients by the Controller.
6. Right to data portability
You have the right to receive in a structured, commonly-used and machine-readable format, the personal data relating to you which you have provided to the Controller. Furthermore, you have the right to transfer those data to another controller, without hindrance from the Controller that has been provided with those data, if
- the processing is carried out by automated means.
- the processing is based on consent according to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR or on a contract according to Art. 6(1) lit. b GDPR and
In exercising this right, you have, further, the right to have the personal data relating to you transferred directly from one Controller to another, if this is technically feasible. The rights and freedoms of other persons must not be infringed thereby.
The right to data portability does not apply to processing of personal data necessary for performance of a task that is in the public interest or that is performed in exercise of official authority that has been vested in the Controller.
7. Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you that is performed on the basis of Art. 6(1) lit. e or f GDPR; this applies also to profiling that is based on those provisions.
The Controller will no longer process the personal data relating to you unless the Controller can show compelling grounds for the processing that are worthy of protection and which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If the personal data relating to you are processed for direct marketing purposes, then you have the right to object at any time to the processing of personal data relating to you for the purposes of such marketing; this applies also to profiling when it is related to such direct marketing.
If you object to processing for direct marketing purposes, then the personal data relating to you will no longer be processed for such purposes.
In connection with the use of information society services - notwithstanding Directive 2002/58/EC - you have the option of exercising your right to object by automated means for which technical specifications are used. For this purpose you can send an email message to our data protection officer.
8. Right to withdraw a declaration of consent made pursuant to data protection law
You have the right to withdraw, at any time, a declaration of consent that has been made pursuant to data protection law. Withdrawal of your consent will not affect the lawfulness of such processing as was performed with your consent before the withdrawal of your consent.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision that is based solely on automated processing, including profiling, that has a legal effect upon you or in a similar way significantly prejudices you. This does not apply if the decision
- is authorised by provisions of Union or Member State law to which the Controller is subject and such legal provisions contain suitable measures for safeguarding your rights and freedoms and your legitimate interests; or
- is made with your express consent.
- is necessary for entry into, or performance of, a contract between you and the Controller;
These decisions must not, however, be based on special categories of personal data according to Art. 9(1) GDPR, unless Art. 9(2) lit. a or g GDPR applies and suitable measures have been taken to safeguard your rights and freedoms and your legitimate interests.
In respect of the cases mentioned in (1) and (3), the Controller will take suitable measures to safeguard your rights and freedoms and your legitimate interests, among which are, at a minimum, the right to bring about human intervention on the part of the Controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or place of the alleged infringement if you are of the opinion that the processing of personal data relating to you violates the GDPR.
The supervisory authority to which the complaint is submitted will inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.