1. Who is responsible for data protection?
CKL Software GmbH, Luruper Chaussee 125, Haus 6 links, 22761 Hamburg, Germany, represented by the Managing Directors Thorsten Behrens, Dirk Kleiner, Tel: +49 (0)40 / 533 00 999-0, Email: firstname.lastname@example.org
2. How can you contact our data protection officer?
Mr. Marcel Erntges, email@example.com
3. What data do we process and where does it come from?
We process the personal data that we receive in the context of a business transaction (e.g., inquiry, initial consultation, telephone or email contact, quotation) or from our business relationship with you. In particular, we process the following data: Master data (e.g., name, address and contact details, bank details), tax (tax number) or correspondence data (e.g., correspondence with you, advisory reports, matters relating to current projects or inquiries).
4. Why do we process your data (purpose of processing) and on what legal basis?
a) On the basis of your consent to data processing (Art. 6 (1) (a) GDPR)
If and insofar as you have consented to the processing of personal data, the respective consent is the legal basis for the processing specified therein. This concerns, for example, receiving electronic customer information. You can revoke this consent at any time with future effect. This also applies to consent you granted to us before the validity GDPR, i.e. before 25 May 2018.
b) For the fulfilment of contractual obligations (pursuant to Art. 6 (1) (b) GDPR.
Your data will be processed to initiate or execute our contracts with you, for instance, for the provision of our services (e.g., maintenance and support, the sale of products via the shop, etc.). The specific purposes of data processing are determined in detail according to the respective service and product descriptions as well as the associated contract documents.
c) For the weighing of interests (pursuant to Art. 6 (1) (f) GDPR)
Your data may also be used on the basis of a weighing of interests to protect our or third parties’ legitimate interests. Data may be used, for example, to further develop our services or systems and products, to ensure IT security and operation, for advertising, market and opinion research, for the assertion legal claims and defence of legal disputes, for the prevention and clarification of legal offences as well as for risk management and fraud prevention.
d) On the basis of legal requirements (pursuant to Art. 6 (1) (c) GDPR)
We are subject to various legal obligations that involve data processing. These include, for example, tax laws, statutory accounting requirements, the fulfilment of inquiries and requirements from national or foreign regulatory or law enforcement authorities as well as the fulfilment of tax control and reporting obligations.
5. To whom do we transfer data?
We only transfer your data to those departments within the organisation who need it to fulfil their contractual and regulatory obligations or to perform their respective tasks (such as customer service, IT, sales, and marketing). In addition, external agencies will only and without exception receive your data if they have been contractually obliged by us to fulfil their obligations as data processors (Art. 28 GDPR) and ensure that they process your data in accordance with our instructions. These include, for example, service providers in the field of customer service, billing, IT and logistics. Other data recipients may include those bodies to whom we transmit data based on your consent.
6. Do we transmit data to third countries?
Your data is only processed within the European Union and within the European Economic Area (EEA). Should this not be the case, you will always be informed separately in advance regarding such data transmission, with the inclusion of a right to object at any time.
7. How long do we store your data?
We only store your personal data for the period necessary to provide the associated contractual services. This not only includes the duration of the actual business relationship but also the processing of data as part of the initiation and execution of contracts. In addition, we are subject to various storage and documentation obligations, which stem from the German Commercial Code (HGB) and tax regulations (German Tax Code – AO) among others. The deadlines for retention or documentation stipulated there are five to ten years. Lastly, the storage period is also judged according to statutory limitation periods that can, for example, usually be three years in some cases, but also up to 30 years pursuant to Sections 195 et seq. of the German Civil Code (BGB).
8. Is there an obligation to provide data?
For the purposes of our business relationship, you must provide only the personal data necessary to begin, conduct and terminate the business relationship. Otherwise, it is not possible to conclude or perform a contract.
9. To what extent is automated decision-making carried out?
Essentially, we do not use automated decision-making pursuant to Art. 22 GDPR to establish and conduct a business relationship. If we use these procedures in individual cases, we will inform you about this separately.
10. To what extent do we use your data for profiling?
We process your data automatically in part, with the aim of evaluating certain personal aspects (so-called profiling pursuant to Art. 4 (4) GDPR). Profiling is used, for example, to identify potential interest on your part in our products and services. This evaluation is carried out, for example, with statistical methods that use current and past customer data The results enable us to address you in a more needs-based and targeted manner.
11. What data protection rights do you have?
Under the respective legal requirements, you have at any time the right to request confirmation as to whether we process personal data and the right to obtain information (Art. 15 GDPR, Sections 34 German Federal Data Protection Act (FDPA)) regarding such personal data. In addition, you have the right to rectification (Art. 16 GDPR), to deletion (Art. 17 GDPR, Section 35 BDSG) and to limitation of data processing (Art. 18 GDPR), as well as the right to object at any time to the processing of the personal data (Art. 21 GDPR), or at any time revoke the consent to data processing or request the transfer of data (Art. 20 GDPR). In cases of data protection violations, you also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR, Section 19 FDPA)
12. Special information regarding your right to object
1. Case-specific right to object
You have the right, for reasons stemming from your particular situation, to object at any time to the processing of your personal data pursuant to Art. 6 (1) (f) GDPR (data processing on the basis of a weighing of interests). This also applies to profiling based on this provision within the meaning of Art. 4 (4) GDPR, which can be carried out for the purposes of customer advice and customer service. If you object, your personal data will no longer be processed unless CKL can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or unless the processing is for the purposes of asserting, exercising or defending against legal claims.
2. Right to object to the processing of data for direct marketing purposes
CKL can also process your data for direct advertising in line with legal provisions. You have the right to object at any time to the processing of your personal data for the purposes of such advertising, without incurring other than the transmission costs under the basic rates. This also applies to profiling if it is associated with this direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection can be made in any form. The contact details can be found in Section 1.