Privacy notice in accordance with the EU General Data Protection Regulation (GDPR)
Valid for customers, interested parties, suppliers as well as sales and cooperation partners of the AOE group of companies (hereinafter referred to as "AOE").
With the following information we give you an overview of the processing of your personal data by us and your rights from the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Which data is processed in detail and in which way it is used depends largely on the products and services requested or commissioned in each case.
1. Responsible for data processing
Phone +49 (0) 221 / 70707 - 0
Fax +49 (0) 221 / 70707 - 199
2. Data protection officer of the responsible person
Mr Arndt Halbach
Wetterauer Str. 6
Phone +49 (0) 2191 909 / 430
3. Data and services
We process personal data that we receive from you in the course of our business relationship. In addition, we process (to the extent necessary for the provision of our products and services) personal data which we have permissibly received from other companies of the AOE Group of Companies or from other third parties (e.g. for the execution of orders, for the fulfillment of contracts or based on a consent granted by you). On the other hand, we process personal data that we have permissibly obtained and are permitted to process from publicly accessible sources (e.g. commercial and association registers, press, media, Internet).
(b) Categories of personal data
When initiating a business relationship or creating master data, the following personal data may be collected, processed and stored:
Address and communication data (name, address, telephone, e-mail address, other contact data)
When using products and services within the scope of the contracts concluded with us, the following additional personal data may be collected, processed and stored in addition to the aforementioned data:
Contract master data (order data, data from the fulfilment of our contractual obligations, details of any third-party beneficiaries), billing, performance and payment data (direct debit data, tax information, other personal master data (profession, employer), documentation data (e.g. protocols), product data (e.g. services and products requested or booked) as well as the following business creditworthiness documents: income/surplus statements, balance sheets, business evaluation, type and duration of the self-employment.
c) Customer contact information
In the course of the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts, by you or initiated by the AOE group of companies, further personal data is generated. This includes, for example, information on the contact channel, date, occasion and result, (electronic) copies of correspondence and information on participation in direct marketing measures.
(d) Information Society services
When processing data in the context of information society services, you will receive further information on data protection in connection with the service in question.
4. purpose and legal basis of the processing
We process the personal data mentioned under 3. in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):
a) For the fulfilment of contractual obligations (Art. 6 (1) b) GDPR)
The processing of personal data is carried out for the purpose of establishing, implementing and terminating a contract for the provision of products or services, as well as for the implementation of pre-contractual measures for the preparation of offers, contracts or other requests directed towards the conclusion of a contract, which are made at your request.
The purposes of the data processing are primarily based on the specific products and services and may include, among other things, needs analyses, advice and support. Further details regarding the purpose of data processing can be found in the respective (also pre-contractual) contractual documents of our cooperation. Interested parties may be contacted during the contract initiation phase, taking into account any restrictions that may have been expressed, and customers, suppliers as well as sales and cooperation partners may be contacted during the business relationship using the data that they have provided.
b) On the basis of your consent (Art. 6 (1) a) GDPR)
If you have given us your consent to process personal data for specific purposes (e.g. transfer of data within the group of companies), the legality of this processing is based on your consent. Any consent granted can be revoked at any time. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that the revocation is only effective for the future. Processing operations that took place before the revocation are not affected by this. You can request an overview of the status of the consents you have granted from us at any time.
c) Due to legal requirements (Art. 6. (1) c) GDPR) or in the public interest (Art. 6 (1) e) GDPR)
We are subject to various legal obligations and legal requirements and process data for the following purposes, among others: identity and age verification, the fulfilment of fiscal control and reporting obligations, and the assessment and management of risks within the group of companies.
d) As part of the balancing of interests (Art. 6 (1) (f) GDPR)
If necessary, we will process your data beyond the actual fulfilment of the contract in order to protect the legitimate interests of us or third parties. Examples:
- Testing and optimisation of procedures for requirements analysis and direct customer contact; including segmentation and calculation of closing probabilities,
- advertising or market and opinion research, unless you have objected to the use of your data
- Assertion of legal claims and defence in legal disputes
- Ensuring IT security and IT operation
- Consultation of and data exchange with credit agencies to determine creditworthiness and default risks
- Prevention of criminal offences
- video surveillance for the purpose of safeguarding domestic justice, collecting evidence of criminal offences
- Measures for building and office security (e.g. access controls)
- Measures to secure the right to the house
- Measures for business management and further development of services and products
- Risk management in the Group
5. Recipients of the data
Within the AOE group of companies, access to your data is granted to those entities that require it to fulfill our contractual and legal obligations. Service providers employed by us may also receive data for these purposes, provided they comply with our written data protection instructions.
With regard to the transfer of data to recipients outside the AOE group of companies, it should first be noted that we are obligated to maintain secrecy about all customer-related information of which we become aware. We may only pass on information about you if this is required by law, if you have given your consent and/or if processors commissioned by us guarantee the requirements of the EU data protection regulations and the Federal Data Protection Act.
Under these conditions, recipients of personal data may be, for example
- Public bodies and institutions where there is a legal or official obligation
- Order processors to whom we transfer personal data in order to carry out the business relationship with you. In detail: Archiving, document processing, controlling, data destruction, purchasing/procurement, , collection, customer administration, lettershops, marketing, media technology, reporting, risk controlling, expense accounting, telephony, video legitimation, website management, auditing services, payment transactions.
Other data recipients may be those entities for which you have given your consent to the transfer of data.
6. Transfer of data to third countries or to an international organisation
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders, if it is legally required (e.g. tax reporting obligations), if you have given us your consent or if it is part of an order processing. If service providers are used in the third country, they are obliged to comply with the level of data protection in Europe in addition to written instructions by the agreement of the EU standard contract clauses.
7. Duration of data storage
We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their (temporary) further processing is necessary for the following purposes:
- Fulfilment of commercial and tax law retention periods in accordance with §257 of the German Commercial Code (HGB) and the German Fiscal Code with the retention and documentation periods of two to ten years specified therein.
- Preservation of evidence under the statute of limitations rules. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.
8. Data protection rights of the data subject
Every data subject has the right of access under Art. 15 GDPR. the right of rectification under Art. 16 GDPR, the right of deletion under Art. 17 GDPR, the right to restrict processing under Art. 18 GDPR, the right of objection under Art. 21 GDPR and the right of data transferability under Art. 20 GDPR. As regards the right of information and the right of deletion, the restrictions under Sections 34 and 35 of the Federal Data Protection Act apply. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with Art. 19 BDSG). You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018. The revocation of consent does not affect the lawfulness of the processing that took place on the basis of the consent until the revocation.
9. Obligation to provide data
Within the scope of our business relationship, you must provide us with the personal data that is necessary for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract, provide products or services or be unable to perform an existing contract and may have to terminate it.
10. Automated decision-making (including profiling)
As a matter of principle, we do not use fully automated decision making (including profiling) in accordance with Art. 22 of the GDPR to establish and implement the business relationship. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.
11 . Profiling
We process your data partly automatically with the aim of evaluating certain personal aspects (profiling). We use profiling, for example, to provide you with targeted information and advice on products with the help of evaluation tools. These enable communication and advertising to be tailored to your needs, including market and opinion research.
1. Right of objection on a case-by-case basis
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 (1) e) of the GDPR (data processing in the public interest) and Art. 6 (1) f) of the GDPR (data processing based on a balancing of interests); this also applies to profiling based on this provision within the meaning of
of Art. 4 (4) GDPR. If you object, we will no longer process your personal data unless we can prove compelling reasons for processing that are worthy of protection and outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.
2. Right to object to the processing of data for advertising purposes
In individual cases, we process your personal data in order to carry out direct advertising. You have the right to object, at any time, to the processing of personal data concerning you for the purpose of such direct marketing, including profiling, to the extent that it relates to such direct marketing. If you object to processing for the purposes of direct marketing, we will no longer process your personal data for those purposes. The objection can be addressed to the person responsible without any formality.