Duty to inform

Required data protection information

We, the CDS Gruppe (R+F Beteiligungs GmbH, CDS Service GmbH, CDS IT-Systeme GmbH as well as CDS Business Services GmbH, Edisonstraße 11/19, 32791 Lage, +49 5232 9554-525, , as the data controller, would like to explain below what data from you we process and how. For questions on data protection, our data protection officer is available to you at  and at the following address. 

Peter Seidel - Marienstr. 27 - 70178 Stuttgart 
- +49 711 89217-902

With this required data protection information, we as the data controller are fulfilling our duty to inform pursuant to Art. 12-14 GDPR.

 

Information on data collection and processing

You will find information below about what personal data we process. Personal data means all data that identify you or make you identifiable as a natural person (hereinafter “data subject”). This includes, for example

  • Customer master data for contract execution/service performance, name, address, email address, data in connection with payment processing, correspondence (e.g. communications with you by letter or email), advertising and sales data (e.g. on information about new potentially interesting offers by mail or, after appropriate consent, by email as well) 
  • Data from initiation of contact, like name, telephone number, email address
  • Supplier data like name, telephone number, email address
  • Employee data like name, address, banking information, religious affiliation,
    personnel number, social security number, log data generated when IT systems are used, as well as other and special categories of personal data
  • Applicant data like name, address, email address, civil status, religious affiliation
  • Data from video surveillance

 

Right to legal remedy

If you believe that the processing of your personal data violates the General Data Protection Regulation, you have a right to legal remedy through the data protection supervisory authority with jurisdiction over us, the data protection officer of the state of North Rhine-Westphalia (https://www.ldi.nrw.de/), as well as through any other data protection supervisory authority. 


Purpose of processing

 

Customer data/interested parties

Purpose of processing

We process data that we receive in the course of our business transactions with you. We receive the data directly from you, either from inquiries made to express interest or establish contact or when issuing or processing orders (see section on “Information on data collection and processing”). 

Legal basis: Data collection and processing is necessary for execution of the contract and is based on Article 6(1)(b) GDPR. Use for direct advertising is based on Article 6(1)(f) GDPR. We have a justified interest, as part of our direct advertising, in drawing your attention to special offers. The data will not be disclosed to third parties unless legally required, for example to the tax authorities due to tax-law requirements. The data will be deleted when no longer needed for processing purposes or once the statutory retention periods have ended, for example: accounting documents that are relevant for reasons related to tax and commercial law: 10 years; commercial and business correspondence: 6 years; records about suppliers, type, volume, acquisition, transfer: 3 years).

You have the right to object at any time to the use of your data for the purpose of direct advertising. You are also entitled to request information about data about you that are stored here as well as to demand rectification in the event of inaccurate data or erasure of data in the event of impermissible data storage. You also have a right to file a complaint with a supervisory authority (see section on the right to legal remedy). 

Duration of data storage

After the contractually owed service has been provided, your personal data will be stored as follows: for 2 years for the purpose of statutory guarantees, for 3 years to fulfil warranty conditions, for 10 years for the purpose of executing subsequent orders (requested at the time the contract is concluded or at a later point in time), and for 6 years for tax-law purposes.

Erasure of data

After the end of the periods indicated above, your personal data will be erased.

 

Suppliers

Purpose of processing

We process data that we receive in the course of our business transactions with you. We receive the data directly from you when orders are issued or processed (see section on “Information on data collection and processing”). 

Legal basis: Data collection and processing is necessary for execution of the contract and is based on Article 6(1)(b) GDPR. The data will not be disclosed to third parties unless legally required, for example to the tax authorities due to tax-law requirements. The data will be deleted when no longer needed for processing purposes or once the statutory retention periods have ended, for example: accounting documents that are relevant for reasons related to tax and commercial law: 10 years; commercial and business correspondence: 6 years; records about suppliers, type, volume, acquisition, transfer: 3 years).

You are entitled to request information about data about you that are stored here as well as to demand rectification in the event of inaccurate data or erasure of data in the event of impermissible data storage. You also have a right to file a complaint with a supervisory authority (see section on the right to legal remedy). 

 

Employee data

See separate template to be provided to employees.

 

Newsletter

Purpose of processing

If you wish to receive the newsletter offered on the website, we need an email address from you. Subscribing to the newsletter involves a double opt-in procedure, meaning you will receive an email after subscribing, instructing you to confirm your subscription. This procedure rules out the possibility of someone else using your email address to subscribe without your permission. Information about your subscription to the newsletter will be logged (subscription and confirmation times and IP address will be stored). The log is used to demonstrate completion of the subscription process in accordance with the legal requirements. 

You may revoke your consent at any time to storage of the email address (and optional first and last name for the purpose of addressing you personally) as well as to use thereof for newsletter mailing and associated performance metrics. There is a cancellation link at the end of every newsletter. In order to be able to prove that consent was previously granted for delivery to a particular email address, we may store that consent for up to 2 years before we delete it. 

Legal basis for sending of newsletter and associated performance metrics: This is based on consent by recipients pursuant to Art. 6(1)(a) GDPR, Art. 7 GDPR in conjunction with Section 7(2)(3) UWG [Gesetz gegen den unlauteren Wettbewerb, German Act Against Unfair Competition] or on statutory permission pursuant to Section 7(3) UWG. 

Art 6(1)(f) GDPR also provides a legal basis: Our justified interest in performance metrics arises from our need to recognize our users’ reading habits based on newsletter opening, times when opening occurs and links that are clicked, so that we are thereby able to create and send them interest-based, useful content.                               

The legal basis for logging is Article 6(1)(f) GDPR. Our justified interest arises from our need to utilize a secure and user-friendly newsletter system that is useful for sending out newsletters and protects newsletter subscribers’ personal data. It also permits us to provide evidence of consent.

You are entitled to request information about data about you that are stored here as well as to demand rectification in the event of inaccurate data or erasure of data in the event of impermissible data storage. You also have a right to file a complaint with a supervisory authority (see section on the right to legal remedy). 

 

Applicants

Purpose of processing

Online, email or mailed applications: If you submit an application in response to a job posting, we will collect your personal data, such as first name, last name, address, telephone number, email address, enclosures (cover letter, resume, transcripts, photo) and store them for the duration of the selection process. 

Online: By checking the box and submitting the form, you expressly consent to having us collect, process and use the data you transmit to us, in particular sensitive information about mental and physical health, race or ethnicity, political opinions, religious or philosophical convictions, memberships in a union or political party or regarding sex life, for the purpose of the application.

Your data will be used exclusively by human resources or management personnel, for processing in the context of the selection process. Your data will not be disclosed to third parties.

If the specific position for which you are applying has already been filled but your profile makes you a potential candidate for future employment or employment in a partner company or subsidiary, we will obtain your express consent before further storing or sharing the application, unless you have already consented to such storage or sharing in your application.

If you submit an unsolicited application to us and use our general contact email address for this purpose, the content of your application message may be viewed by employees not authorized to do so. Instructions are in place specifying that such application documents be forwarded immediately to the human resources department and that the message received be deleted. If you wish to rule out this possibility, we ask that you make contact by phone prior to submitting your unsolicited application so that you can be given the correct individual’s contact information. 

The legal basis is Article 6(1)(b) GDPR on the processing of pre-contractual steps.

Unless you indicate otherwise, the data will be deleted 4 months after completion of the application process or, in the case of postal applications, destroyed or returned to you. Because of the lengthy application and selection periods for students and trainees, we store their data for up to 18 months in Germany. If you consent to the talent pool, the data will be stored until you withdraw your consent or for a maximum of two years and then deleted.

You have the following rights, assuming the respective legal prerequisites have been met: Right to information about your data that is stored here; rectification, erasure, limitation or processing of your data or objection to processing, as well as to data portability. You also, of course, have the option at any time to have all of your application documents erased or destroyed by sending us an email to: .

 

Server data collection 

Please go to https://www.cds-service.com/datenschutzerklärung/ to see our privacy policy on our website. 

 

Video surveillance

Purpose of processing

We conduct video surveillance for the purpose of vandalism prevention and protection against theft and break-ins. As the data controller, we process person-based image files that we collect as part of video surveillance on company premises. The duration of storage is 48 hours. After that, the data are permanently erased.

The legal basis is Article 6(1)(f) GDPR. Our justified interest lies in securing against break-ins and protecting our property and controlling access. 

These data are shared only with investigative authorities in cases of criminal acts.

You have the right to request confirmation from us as the data controller as to whether personal data about you are being processed; if that is the case, you have a right to information about these personal data as well as to request rectification if the data are inaccurate or erasure of data if impermissible data storage has occurred. You also have a right to file a complaint with a supervisory authority (see section on the right to legal remedy). 

For questions on this topic, our data protection officer is available to you at .

 

Categories of recipients

In the context of providing service for special areas, we utilize service providers who are separately obligated to confidentiality and data protection when access to personal data cannot be ruled out.

These categories of recipients are:

  • Processors (Art. 28 EU-GDPR) that we utilize, especially in the area of IT services, taxes, logistics and print services, that process your data for us on the basis of binding instructions.
  • Public entities and institutions (tax authorities) in the case of legal or official obligations.
  • Other entities for which you have granted us your consent for data transmission.

Disclosure to authorities occurs exclusively in the event of overriding legal provisions.

 

Advertising and opting out

First and last names and addresses are also collected for advertising purposes (sending of offers, information about additional services). You may object at any time, with providing a reason, to processing for advertising purposes by sending an email to: 

 

Opting out of data storage

Company interests that are legitimate from a privacy-law perspective are involved when data is processed in order to execute subsequent orders (requested at the time the contract is concluded or at a later point in time) for a period of 10 years. You may opt out of this processing at any time by sending an email to: 

 

Obligation to provide information

As a rule, conclusion of a contract is not possible unless you provide correct information.

 

Rights of subjects

Pursuant to Art. 15 GDPR, you have the right to receive information about the personal data stored about you, including any recipients and the planned duration of storage. If any inaccurate personal data are processed, you have a right to rectification pursuant to Art. 16 GDPR. If the legal requirements have been met, you may demand erasure or restriction of the processing as well as object to the processing (Art. 17, 18 and 21 GDPR).

If you wish to have data erased but we are still legally obligated to retention, access to your data will be restricted (blocked). The same applies in the event of opting out. You may exercise your right to data portability, provided this is technically possible for both the recipient and us.

For questions on your rights as a data subject, our data protection officer is available to you at .

If you believe that the processing of your personal data violates the General Data Protection Regulation, you have a right to legal remedy through the data protection supervisory authority with jurisdiction over us, the data protection officer of the state of North Rhine-Westphalia, https://www.ldi.nrw.de/, as well as through any other data protection supervisory authority.

 

Currency of and modifications to this required information

We reserve the right to modify the content of this required information at any time. This generally occurs when the services used are developed further or legally modified. You can access the current required information via a link to our website (which is included in emails, offers, order confirmations, invoices, etc.). Effective date of this notice: 01/01/2020

You can find more information on the handling of personal data at https://www.cds-service.com/datenschutzerklärung/