This data protection statement provides you with information on the type, scope and purpose of the personal data we gather and process and describes the corresponding legal basis for data processing. In addition, we explain the legal rights of those individuals affected.
This data protection statement is based on the terminology of the General Data Protection Regulation (GDPR). To enable straightforward readability and comprehensibilty the terminology used will be explained at the outset. For the purpose of theGDPRthe following terms mean:
„“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
- „“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- „“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- “enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51;
- “international organisation”means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Scope of personal data processing
Accessing our website means that we only ever process personal data if the user has first authorized the processing, or if the processing of the data is allowed by legal provisions (e.g. if this is necessary to enable our website to function and to maintain our contents and services).
Data processing under the Data Protection Laws
SGDPR Article 6 § 1,point a., provides the legal basis for the processing of personal data once the prior permission of the individual concerned has been obtained. In the case of processing personal data required for the fulfilment of a contract of which one of the parties is the individual concerned, or for the implementation of pre-contractual measures as requested by the person concerned, then the legal basis is provided for by Article 6 § 1,point b. of the GDPR. If the processing of personal data is required in order to fulfil a legal duty to which our company is subject, then the legal basis is provided for by GDPR Article 6 § 1,point c. If the processing of personal data is required to protect the vital interests of the person concerned or those of another natural person, then the legal basis is provided for by GDPR Article 6 § 1, point. d. If the processing of personal data is required for the safeguarding of the legitimate interests of our company or those of a third party, and if the interests, fundamental rights and freedoms of the person concerned do not predominate over those of the first-mentioned, then the legal basis is provided for by Article 6 § 1, point f. of the GDPR. In the following, the concrete legal basis with respect to each kind of data processing carried out by our company will be named.
Transfer of data to third parties
We only transfer your personal data to third parties for the purposes named in this Data Protection Statementand only if:
- you have previously given your permission for us to do so according to GDPR Article 6 § 1,point a.,
- it is legally permissible and according toGDPR Article 6 § 1, point b., necessary for the completion of a contractual relationship with you,
- if according to GDPR Article 6 § 1, point. c. there is a legal obligation to transfer the data, or,
- dif the transfer, according to GDPR Article 6 § 1, point f., is necessary in order for the enforcement, exercise or defence of legal rights and if there is no reason to believe that you have an overriding interest worthy of protection in the non-disclosure of your data.
In as far as the processing of personal data is carried out by a third party on our behalf, (by a sub-processor), this will be carried out on the basis of a job processing contract with the respective subcontracted sub-processorpursuant to GDPR Article 28 § 3. The transfer personal data for processing to a third country, i.e. to a state which belongs neither to the European Union nor to the European Economic Area, will only take place if legally permissible and with due consideration to the regulations laid down in GDPR Article 44 ff.
Duration of processing, erasure or blocking of personal data
We only ever process and retain the personal data of the person concerned for the period required necessary to achieve the respective aim of the saving of the data or if we are required to do so by law. The personal data of the person concerned are erased or blocked as soon as the aim of the saving of the data has been achieved or as soon as a legal data-retention period limit has been reached. In this context, we explicitly refer to the German Commercial Code obligations (§ 257 HGB) to retain documents over a period of 6 or 10 years.
Name and contact details of the person responsible for data processing
UBA Uwe Bischoff Analysentechnik GmbH
Telefon: 06081 9444070
Data processing when our website is accessed
Each time our website is accessed, the browser on the user’s terminal device automatically sends the following information to our website server, which temporarily saves it in a server log file until it is automatically erased:
- Browser type and version used and your terminal device operating system;
- the name of your access provider;
- date and time of access;
- name and URL of the website from which the access took place (referrer URL);
- name and URL of the website opened;
- IP address of the requesting terminal device.
The temporary storage of the aforementioned information is carried out in order to transmit the contents of our website to the user’s terminal device and to enable it to be displayed correctly, to optimise both the contents of our website and the advertising for it and to guarantee the lasting functionality of our information technology systems and of our website technology as well as to, in case of a cyberattack, to be able to provide the prosecution authorities with the information necessary for a criminal prosecutionand also to fulfil our own standards. The aforementioned aims are in our valid interest in data processing. The legal basis for data processing is provided for by GDPR Article 6 § 1, point f. This data is not aggregated with other personal data of the user. The collection as well as the temporary recording of the data in server logfiles is absolutely necessary for the operation of our website; this means that the user does not have the right of appeal. The personal data temporarily saved in the server log files (notably IP address) are automatically, at latest after 7 days, erased or distorted so that, the client accessing the site can no longer be matched and identified; if the data must be saved for purposes of evidence, then it will be erased only after clarification of the respective legal dispute.
Contactforms and emails
When you send us questions via email or our contactform, the personal data you have sent to us (title, family name, given names, email address, postal address) will be only used to process your request and stored by us in case you contact us again. The data will be used solely for the processing of the conversation. The processing of the data entered on the contactform will be carried out on the basis of your consent and thus on the basis of the legal provisions made in GDPR Article 6 § 1 point a. You can revoke your permission at any time. An informal email addressed to us is sufficient. The lawfulness of the data processing activities carried out on the basis of prior consent up to the point of revocation is not affected by the revocation. If the email contact us aimed at the execution of a contract, then in addition, Article 6 §1, point b of the GDPR provides the legal basis for the processing of data. In addition, for technical reasons, your IP address is recorded, along with date and time of transmission. Your IP address is saved for technical reasons and also to prevent misuse and also to ensure the security of our informationtechnology systems. This lies in our rightful interests. Legal provision for the saving of your IP address is made in GDPR Article 6 § 1, point f. This data is processed and stored only for the period required for the respective purpose or if required by law. The personal data of the individuals concerned are deleted or blocked as soon as the purpose of the storage becomes obsolete or when a statutory data retention period expires.
Third party content
On our website we integrate third party services in order to analyse and optimise our website, to guarantee a needs-based design, to enhance user-friendliness and to enable optimised access to the address entered. These aims are behind our rightful interest in the integration of the services of third party providers pursuant to GDPR Article 6 § 1, point f. So that the contents of the third party service providers can be displayed in the browser of the user’s terminal device, it is at all times necessary to transmit the user’s IP address to the respective service provider. Otherwise, the contents cannot be sent to the user’s browser. Below you will find an overview of the service providers we use and of their contents, as well as references to their data protection statements which contain further information on data processing:
On our website we use the map service “Google Maps” which is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter“Google”). Whenever you access our internet site which is equipped with Google Maps, your browser will set up a connection to Google It is a technical requirement for using the “Google Maps” maps function that the IP address of the browser used by your terminal device be transmitted to Google. In addition, Google receives information as to which of our internet pages you have visited. Whenever you access such a website in your user account and you are logged in to Google, Google is able to collate your surfing behaviour. You can prevent this by logging out of your Google use account.
If you do not want Google to be able to collect and use your data, you can forbid it: https://www.google.com/settings/ads.
You can find further information on the reasons for and scope of data gathering and on how Google uses your data on the Google website.You can find out about your rights and possible settings to protect your privacy in Google’s data protection statement: https://www.google.com/policies/privacy.GGoogle is subject to the Data Protection Agreement, the Privacy Shield Agreement, between the European Union and the USA, whereby Google is obliged to abide by the requirements and provisions of European data protection law. You can find further information on this on: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Transfer of data to payment and shipping service providers
The transfer your personal data to either or both payment and shipping service providers only ever takes place if you have prior to this given us permission to do so according to GDPR Article 6,§ 1, point a., or to fulfil a contract with you according to GDPR Article 6 § 1, point b., or in order to protect our legitimate interest in the commercially efficient and effective operation of our company according to GDPR Article 6 § 1, point f.
ights of the data subject
If your personal data are processed, you are a data subject pursuant to the GDPRand you have the following rights:
Right to access and confirmation
JEvery individual affected by the processing of personal data, according to GDPR Article 15, has the right to receive, at no cost, from the controller information on which of his or her personal data are being saved and to receive a copy of this information containing the following details:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22 § 1 and § 4; and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, the person affected has the right to informationas to whether the personal data have been transferred to a third country or to an international organisation. If this should be the case, the person affected also has the right to information on suitable safeguards with respect to the transfer. In addition, every person affected by the processing of personal data has the right to demand confirmation from the controller responsible for the processing as to whether the personal data in question will or have been processed.
Right to rectification
Every person affected by the processing of personal data has, according to GDPR Article 16, the right to demand that the controller corrects any incorrect personal details without delay.Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to restriction of processing
According to Article 16, the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
dthe controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or,
the data subject has objected to processing pursuant to Article 21pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to erasure
JAccording to Article 17, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies and as long as the processing of the data is not necessary:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
he data subject withdraws consent on which the processing is based according to point a. of Article 6, § 1 or point a. of Article 9, § 2 of the GDPR and where there is no other legal ground for the processing;
the data subject objects to the processing pursuant to Article 21 §1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 § 2;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in GDPR Article 8,§ 1.
Where the controller has made the personal data public and is obliged pursuant to GDPR Article 17, § 1, to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure and our duty to inform those controllers responsible for data processing of the request for erasure on the part of the subject, shall not apply to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Article 9 § 2 points h. and i. and Article 9 § 3;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, § 1 in so far as the right referred to in § 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or,
for the establishment, exercise or defence of legal claims.
Right to data portability
personal data concerning himself or herself, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that:
- the processing is based on consent pursuant to point a. of Article 6, § 1 or point a. of Article 9, § 2 or on a contract pursuant to point b. of Article 6, § 1; and
- the processing is carried out by automated means.
This right does not apply to data processing which is required in order to carry out a task which is either in the public interest or is carried out within the exercise of public authority which has been conferred upon the controller. Furthermore, the subject has, pursuant to the right to data portability according to GDPR Article 20 § 1, the right to effect the transfer of the data directly from one controller to another, as far as this is technically possible and in so far as the rights and liberties of other individuals are not affected.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point e. or f. of Article 6, § 1, including profiling based on those provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, or for exercise or defence of legal claims. Where we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. Furthermore, where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89, §1, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning himself or herself, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
If you would like to make use of your right to object, an email sent to our email address as stated under point 2 of this data protection statement will suffice.
Right to withdraw consent with respect to consent given with respect to data protection law
Many data processing procedures may only be carried out with the express approval of the subject. The data subject shall have the right pursuant to Article 7 § 3 GDPR to withdraw his or her consent at any time. If you would like to make use of your right to object, an email sent to firstname.lastname@example.org will suffice. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint with a supervisory authority
Pursuant to Article 77 of the GDPR, in case of violation of data protection laws, every data subject shall have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for data protection issues is the data protection office for the federal state in which our company is located. A list of data protection offices and the respective contact details can be found under the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
As the controller responsible for data processing, we implement many technical and organisational tools on our website to ensure the most complete protection of the personal data processed on our website possible and to therefore protect your data from random or wilful manipulation, from partial or total loss or destruction or from unauthorized access on the part of third parties. For security reasons and to protect the transmission of confidential contents, our website uses SSL- (Secure Socket Layer) and TLS- (Transport Layer Security) encryption. You can recognise the encrypted transmission of contents on our website by the “padlock” symbol in front of our domain on your browser address bar. However, we must point out that data transmission on the internet (e.g. when communicating via email) may have gaps in security. Total protection from access by third parties is not possible.
Status, amendments and up-to-dateness of data
The status of this data protection statement is as of May 2018. It is currently valid. The further development of our website and of our offers, or amendments to legal or official stipulations can make it necessary to make changes to this data protection statement. The data protection statement which is currently valid, can be accessed on our website on https://www.batgmbh.de/datenschutz and printed out at all times.