(Information pursuant to Art. 13 and Art. 14 GDPR)
We process personal data of our clients and third parties. All our employees are obliged to maintain secrecy and are trained in data protection. In accordance with Art. 13 GDPR, we would like to provide you with the following information on the processing of your personal data.
Controller within the meaning of data protection law:
The entity responsible for the processing of your data is
represented by the managing director Dr Gero Ritzenhoefer
Hafenspitze, Speditionstraße 21, 40221 Düsseldorf, Germany
Telephone: +49 (0)211 8823 1555
How can you reach our data protection officer?
We have appointed a data protection officer for our company.
You can reach them using the following contact details:
By post: confidential/to the attention of the data protection officer
RPA Datenschutz + Compliance GmbH
Mr Henning Koch and Mr Ilja Borchers
By email: firstname.lastname@example.org
What data do we process?
We process your personal data. This is any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). We process contact data of our clients, business partners and other third parties within the scope of the contractual relationship. We also process payment data and, where applicable, other information on personal and economic circumstances insofar as this is necessary to provide our services. We also process data that we do not receive from you directly but from our clients or other third parties. In this context, we also obtain data from publicly accessible sources, namely directories, registries and the freely accessible Internet.
What is the purpose and legal basis of data processing?
We process personal data within the scope of executing the relevant mandate and for the fulfilment of contractual obligations (Art. 6(1) b) and f) GDPR); for the provision of the service and for compliance with legal obligations (Art. 6(1) c) and f) GDPR); for safeguarding legitimate interests (Art. 6(1) f) GDPR); where processing is done on the basis of consent given in a specific individual case, if necessary also outside the client order (Art. 6(1) a), in conjunction with Art. 7 GDPR). Personal data is collected in order to be able to identify you as our client, to initiate the contractual relationship, to be able to advise you appropriately, to correspond with you, to issue invoices, to process any liability claims and to assert any claims against you.
How long is the data stored for?
The collected data is stored for as long as it is needed, i.e., for as long as it is required to achieve the purpose for which it was collected. In addition, we store personal data to meet tax and commercial law retention and documentation obligations (e.g. under the German Commercial Code, German Criminal Code or German Tax Code) that require us to store data for a longer period. The data is stored beyond this point if you have consented to this or if there is a further legitimate interest in accordance with Art. 6(1) f) GDPR.
Who receives the data? Who will your data be shared with?
Your personal data will not be transmitted to third parties for purposes other than those listed below. Your personal data will be shared with third parties wherever necessary under Art. 6(1) b) GDPR for carrying out contractual relationships with you. It may also be shared on the basis of your expressly declared consent (Art. 6(1) a) in conjunction with Art. 7 GDPR). We utilise technical support services as well as IT services/maintenance, hosting services as well as services for the disposal and destruction of files and data carriers. It is possible that data may be shared with these service providers in connection with these services. To still comply with data protection requirements, we conclude a processing agreement within the meaning of Art. 28 GDPR with any service provider whose service qualifies as commissioned processing.
Where is the data processed?
Personal data is processed in our internal systems, by the processors contracted by us and in data centres in the Federal Republic of Germany.
How is the data protected?
We have to fulfil the technical and organisational requirements of Art. 32 GDPR. In particular, we have to protect the systems that we can access from unauthorised access, storage, modification as well as other unauthorised access or attacks of any kind by employees or other third parties. To achieve this, we take appropriate measures to the necessary extent using the latest proven technology, including protecting against viruses and other malware programs or routines, as well as other measures to protect our equipment, including protecting against burglary.
Data processing during audio and video conferences
We may use online conferencing tools when communicating with our clients. The specific tools we use are listed below. If you communicate with us by video or audio conference via the Internet, your personal data will be collected and processed by us and the provider of the conferencing tool that was used in that instance.
The conferencing tools collect all the data that you provide/enter to use the tools (email address and/or your telephone number). In addition, the conferencing tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other “contextual information” in connection with the communication process (metadata).
The tool provider also processes all the technical data required to handle the online communication. This includes, without limitation, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker as well as the type of connection.
Any content that is exchanged, uploaded or otherwise made available within the tool is also stored on the servers of the tool providers. Such content includes, without limitation, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service. Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conferencing tools, please refer to the privacy policies for those tools, which we have listed below this text.
Purpose and legal bases of data processing for audio and video conferences
The conferencing tools are used to communicate with prospective or existing business partners or to offer certain services to our customers (Art. 6(1) b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6(1) f) GDPR). If consent was requested, the tools are used on the basis of this consent; consent can be revoked at any time with future effect.
The data collected directly by us via the video and conferencing tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device till you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence on how long the operators of the conferencing tools store your data for their own purposes. For details, please contact the operators of the conferencing tools directly.
Conferencing tools used
We use the following conferencing tools:
Commissioned data processing
We have concluded a commissioned data processing agreement (AVV) for the use of the above-referenced service. This is an agreement required by data protection law that ensures that this provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with GDPR.
What are your rights as a data subject?
If you have any data protection-related questions, suggestions or complaints, you are welcome to contact our data protection officer (email@example.com) at any time. All data subjects have the following rights: You have the right to obtain information about the personal data we process about you (Art. 15 GDPR). If you submit a request for information that is not made in writing, please understand that we may then require evidence from you to prove that you are the person you claim to be. You have the right to correction, erasure or restriction of processing insofar as you are entitled to this by law (Art. 16, 17, 18 GDPR). You have the right to object to processing insofar as you are entitled to do so by law (Art. 21 GDPR). You have the right to data portability insofar as you are entitled to this by law (Art. 20 GDPR). If the personal data was collected because you gave your consent, you have the right to revoke this consent at any time without giving reasons (Art. 7(3) GDPR). You have a right to lodge a complaint. It gives you the opportunity to complain to the competent supervisory authority (state data protection officer) if you believe that we are not processing your personal data correctly (Art. 77 GDPR).
The competent supervisory authority is usually the supervisory authority for your regular place of residence. The competent supervisory authority for Ritzenhoefer GmbH is:
State Commissioner for the Protection of Data and Freedom of Information in North-Rhine Westphalia, Germany (Landesbeauftragte für Datenschutz und Informationsfreiheit, Nordrhein-Westfalen)
PO Box 20 04 44
Telephone: +49 (0)211 384 240
If you wish to exercise your right to lodge a complaint with the supervisory authority, we invite you to contact us beforehand and reach out to us again (e.g. at the following email address: firstname.lastname@example.org).