With the following information, we would like to give you an overview on the processing of your personal data by our company as well as your rights under data protection law.
Controller for data processing
Data Protection Officer
Our Data Protection Officer is: Mr. Sebastian Meyer; Schwanweg 1 – 90562 Heroldsberg, Germany. Please refer to our Data Protection Officer if you have any questions regarding data protection issues. You can contact him by e-mail at: firstname.lastname@example.org
General principles on data processing
Personal data is all information relating to an identified or identifiable natural person. This includes, for example, information such as your name, e-mail address, address, date of birth or your telephone number.
Processing of personal data
Processing of personal data is any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
We generally process personal data only if you provide us with this data. Apart from that, we may process personal data that we received from other sources.
Purposes and legal basis for processing personal data necessary for the performance of a contract or in order to take steps prior to entering into a contract
We process your personal data for the following purposes: handling your inquiries, performance of contracts with you, carrying out and handling your orders and complaints, customer service and support, communication with our service providers, invoicing.
The legal basis for this data processing is Article 6 (1) sentence 1 lit. b GDPR, i.e. the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering a contract.
Purposes and legal basis for processing personal data on the basis of a consent
Collecting and processing your personal data for certain purposes (ex. usage of your e-mail for marketing purposes, contact after receiving a business card) takes generally place upon your consent. Your consent may be revoked for the future at any time by any means and without any reason.
Should the data processing be based on your consent, the legal basis for this data processing is Article 6 (1) sentence 1 lit. a GDPR.
Purposes and legal basis for processing personal data necessary for compliance with a legal obligation
Your personal data may also be processed in order to comply with a legal obligation to which we are subject to, e.g.: retention periods deriving from commercial law, tax law or other statutory provisions; money laundering law and anti-terror lists screenings.
If processing your personal data is necessary for compliance with a legal obligation to which we as the controller are subject to, the legal basis for this data processing is Article 6 (1) sentence 1 lit. c GDPR.
Purposes and legal basis for processing personal data for purposes of legitimate interests pursued by our company or by a third party
Your personal data may be processed for purposes of legitimate interests pursued by our company or by a third party: e.g. sufficient participation in commercial trade / client acquisition / contact, marketing purposes, development of a client data base, statistical evaluation of client data, exchange of data within the Company Group of Schwan-STABILO for operational and administrative reasons and in order to ensure IT-safety.
If processing your personal data is necessary for the purposes of legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, the legal basis for this data processing is Article 6 (1) sentence 1 lit. f GDPR.
Categories of data which are processed
Relevant data and categories of data, which we may process are for example:
- identification data, such as name, gender, language,
- business contact data, such as company name, address, e-mail address, telephone number, function, department,
- IP address, User-ID or other technical data, when using our online-services,
- project data, including project member data,
- payment data, such as a bank account.
Categories of recipients of personal data
In order to fulfill our contractual and legal obligations we cooperate with different service providers on the basis of Processing Agreements according to Article 28 GDPR.
Schwan-STABILO Company Group
Within the Schwan-STABILO Company Group certain management and processing functions are carried out by a central company within the group. For these purposes we exchange personal data within the Company Group Schwan-STABILO on a need-to-know basis to fulfill such functions, as well as on the basis of an intercompany Group Processing Agreement.
We may transfer personal data to other recipients, such as:
- authorities, in order to fulfill certain legal notification obligations (e.g. to the tax or finance authorities),
- financial institutions and banks, in order to process payment flows,
- lawyers and experts in the event of clarifying and judicial assertation of claims.
Your data will be stored only for the period of time required by law. Your data will be erased, when you have withdrawn your consent for processing your data (in the event the processing was based on your consent and the processing cannot be based on any other legal basis) or the purposes of processing your data have been obtained or when the processing is no longer legitimate for any other legal reasons. Any retention periods required by law shall however remain unaffected. We are required therefore to observe statutory limitation periods, which lie usually between 3 and 10 years. Furthermore, due to commercial and tax law requirements, we are obliged to observe retention periods which in general amount to 6 or 10 years.
The legal basis for this storage is Article 6 (1) sentence 1 lit. c GDPR.
Transfer of data to third countries
Service providers in third countries, such as the USA and countries outside the European Economic Area are subject to data protection regulations, which do not protect personal data to the same extent as in the European Union. Should we process your personal data in countries, which do not provide such a high level of data privacy as in the European Union, then such transfer will take place on the basis of an adequacy decision of the European Commission or we will ensure by other appropriate safeguards (e.g. binding corporate rules, standard data protection clauses adopted by the European Commission, approved certification mechanism) that your personal data is safe and adequately protected.
Automated decision making
We inform that no automated decision-making, including profiling, as referred to in Article 22 (1) and (4) GDPR is applied.
From the GDPR, the following rights arise for you as an affected person for the processing of your personal data:
Right of access
According to Article 15 GDPR, you can request information about your personal data processed by us. In particular, you may request information on the source of the data, the recipients of this data or categories of recipients, as well as the processing purposes.
Right to object
According to Article 21 (1) GDPR, you can object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6 (1) sentence 1 lit. e or f of the GDPR. If your personal data are processed for direct marketing purposes, you have the right to object at any time, Article 21 (2) GDPR.
Right to rectification
In accordance with Article 16 GDPR, you can immediately request the rectification of incorrect data or the completion of your personal data stored by us.
Right to erasure or restriction
In accordance with Article 17 GDPR, you may request the deletion of your personal data stored by us. The personal data will be deleted within 7 working days from your request. Any retention periods required by law shall remain unaffected. If your data may not be deleted due to retention periods, only a restriction of processing may be applied. Upon deleting your data, no access right may be granted.
Right to data portability
According to Article 20 GDPR, you may request to receive your personal data that you have provided to us in a structured, common, and machine-read format, or you may request the transfer to another controller, insofar this is possible to due technical means.
Right of revocation
In accordance with Article 7 (3) GDPR, you can revoke your once given consent to us at any time. As a result, we are not allowed to continue the data processing based on this consent for the future (however, the processing may be based on a different legal basis). In such an event you may not access our company's online services to full extent.
Exercising your rights
To exercise the aforementioned rights, please contact us at: email@example.com or firstname.lastname@example.org or: Schwan Cosmetics International GmbH, Schwanweg 1 – 90562 Heroldsberg, Germany. Your personal data (possibly your e-mail address, name and telephone number) will be processed in order to answer your questions or respond to your concern. This data will be deleted if no longer necessary; in the event of statutory retention periods – the processing may only be limited.
Complaint to a supervisory authority
According to Article 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of stay, your workplace or our company headquarters.