Tietosuojaseloste CRM
Henkilötietojen käsittely asiakkuudenhallintajärjestelmässä
Tietosuojaseloste, CRM
Data privacy notice
Preface
The following information is intended to provide you with an overview of how we process your personal data, and of your rights under data privacy law. The specific data processed and how we use that data is generally determined based on the services you request or agree to receive. Therefore, not all of this information will apply to you.
Who is responsible for data processing and whom can I contact?
The data controller for your personal data in the sense of data privacy law is always the DEKRA group company that makes a decision on the purpose and means of processing your personal data, either alone or alongside others. Typically, this is / these are the DEKRA group company / companies that has / have performed services for you, or that will perform services in the future.
Therefore, the responsible group parent company is
DEKRA SE,
headquartered in Stuttgart,
entered into the commercial register
of the District court of Stuttgart under HRB 734316.
Handwerkstr. 15, 70565 Stuttgart
headquartered in Stuttgart,
entered into the commercial register
of the District court of Stuttgart under HRB 734316.
Handwerkstr. 15, 70565 Stuttgart
You can contact our Group Data Protection Officer at:
What sources do we use?
We process personal data we receive from our customers or other data subjects in the course of our business relationships. In addition – if necessary to provide our services – we process personal data we obtain from publicly accessible sources [e.g. Debtors’ records, the press, the internet etc.] in a permitted manner or data transmitted to us lawfully by other DEKRA group companies or other third parties (e.g. credit bureaus). Relevant personal data may include: Personal details (name, address, and other contact data), data used to authenticate your identity (such as ID information and signatures). Furthermore, this data may also include order data and data related to the fulfillment of our contractual obligations [e.g. service documentation], advertising and sales data (incl. ad scores), documentation data (e.g. meeting notes) and other data comparable to the above categories.
For what purpose do we process your data (purpose of processing) and on what legal basis?
We process your personal data in accordance with the provisions of the EU GDPR (General Data Privacy Regulation), the Federal Data Protection Act (BDSG), and all other relevant laws.
a. to fulfill contractual obligations (Art. 6 para. 1 b GDPR)
Data is processed to provide our services and carry out our agreements with our customers or to carry out pre-contractual measures upon request. The purposes of data processing are generally determined by the specific product [e.g. primary inspection, preparing expert opinions, performing other inspection services]. Further details on the purposes of data processing are available in the relevant contractual documents.
If necessary, we process your data to safeguard either our own legitimate interests or those of third parties beyond the scope of fulfilling our own contract. Examples:
- Consulting and exchanging data with agencies to determine credit standing and default risks,
- Reviewing and optimizing requirements analysis processes for the purpose of directly addressing customers,
- Advertising or market and opinion research if you have not objected to the use of your data,
- Asserting legal claims and defending against legal disputes,
- Ensuring IT security and IT operations,
- Preventing and clarifying criminal deeds,
- Video monitoring for ensuring domiciliary rights, collecting proof in case of robberies and fraud,
- Measures for building and equipment security (e.g. access control), measures to ensure domiciliary rights,
- Measures related to business management and further developing services and products,
- Risk controlling in the DEKRA Group.
c. based on your consent (Art. 6 para. 1 a GDPR)
If you have consented for us to process your personal data for specific purposes (e.g. transmission of data within the DEKRA group, evaluation of data for the purpose of a meeting, photos during events, sending a newsletter), the legality of this data processing is based on your consent. You may revoke any consent you have granted at any time. This also applies to revocations of declarations of consent granted to us before the GDPR came into effect on May 25th, 2018. Any revocations of consent shall have future effect and shall not affect the legality of data processed before the revocation.
d. based on legal specifications (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
In addition, we are also subject to a variety of legal obligations or statutory requirements (such as the Money Laundering Act, tax laws). The purposes of processing include, for instance [a credit worthiness review, identity check, prevention of fraud and money laundering, fulfilling tax law controlling and reporting obligations and assessing and controlling risks in the DEKRA Group.
Who will receive my data?
Within the DEKRA Group, the entities that require your data to fulfill our legal and contractual obligations will receive it. In the DEKRA Group, in addition to a computing center operated at the central DEKRA SE headquarters (Stuttgart), there are a number of local or regionally operated computing centers at which the responsible DEKRA group company processes your data. Service providers and agents employed by us may also receive data if they fulfill specific confidentiality and data privacy law requirements. These companies fall under the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting, and marketing. With respect to providing data to recipients outside of the DEKRA Group, we provide information on our customers only if legal regulations require us to do so, the customer has consented to such provision, or this is necessary to initiate, carry out, or end a contractual relationship with you or if the DEKRA Group has a legitimate interest in doing so. Recipients of personal data under such requirements may include, for instance:
- Public agencies and institutions (e.g. social security, financial agencies, prosecuting authorities, accreditation agencies) if there are legal or official obligations (e.g. under the statutory notification obligation of the Social Security Statutes Book),
- other companies within the DEKRA Group for risk controlling based on legal or official obligations,
- service providers we hire as part of a contract data processing relationship.
Other data recipients might include entities for which you have granted consent for data transmission or entities to whom we are authorized to transmit personal data under a proper weighing of interests
Will data be transmitted to a third country or international organization?
Data may be transmitted to entities in states outside of the European Union (so-called third states) if
- this is necessary to carry out your order (e.g. to provide services based on a framework agreement fulfilled by multiple group companies),
- this is prescribed by law (e.g. Tax law reporting obligations), or
- you have granted us your consent to do so
Furthermore, data may be transmitted to third states in the following cases:
- necessary in an individual case, your personal data may be transmitted to an IT service provider in the USA or in another third state to ensure the IT operations of the DEKRA Group in compliance with the European standard of data protection.
- personal data of persons interested in DEKRA products may be processed in a CRM system in the USA with their consent.
In individual cases, personal data (e.g. identifying data) may be transmitted in compliance with the standard of data privacy in the European Union with the consent of the data subject or based on legal regulations in order to fight money laundering, the financing of terrorism, or other punishable actions, or under a proper weighing of interests.
How long will my data be saved?
We process and save your personal data for as long as necessary to fulfill our contractual and legal obligations. Please note that our services may be of an official nature or may deal with accreditation law, and that there are, therefore, a large number of applicable special legal regulations on retention periods, storage, and usage. Further details on these matters are available in the relevant contractual documents, General Terms and Conditions and the expanded DEKRA data privacy notice at https://www.dekra.de/de/datenschutz-informationen. When data is no longer required to fulfill contractual or legal obligations, it will be deleted regularly unless its - limited term - further processing is necessary for the following purposes:
- to fulfill commercial and tax law retention periods, which may result, for instance, from: The Commercial Code (HGB) or Tax Code (AO). The terms for retention and documentation provided there are typically 6 to ten years.
- to retain proof under statutory limitation period regulations. Under Sections 195 et seqq. Of the Civil Code (BGB), these limitation periods may be up to 30 years, although the regular limitation period is 3 years.
What data privacy rights do I have?
All data subjects have the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to deletion under Article 17 GDPR, the right to restrict processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. The restrictions of Sections 34 and 35 BDSG apply to the rights of information and deletion. Furthermore, you have the right to submit complaints with a responsible data privacy supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG). You may revoke any consent you have granted to process your personal data at any time. This also applies to revocations of declarations of consent granted to us before the GDPR came into effect on May 25th, 2018. Please note that the revocation is only valid with future effect. Processing completed before the revocation will not be affected.
Am I obligated to provide data?
In the course of our business relationship, you must provide us personal data necessary to initiate, carry out, and end the business relationship and to fulfill associated contractual obligations, or data we are legally required to collect. Without this data we will typically not be able to conclude, carry out, or end a contract with you.
To what extent are automated decision-making processes used?
We typically do not use fully automatic decision-making processes in accordance with Article 22 GDPR to initiate and carry out business relationships. If we do use such processes in individual cases, we will inform you of your relevant rights separately if required by law.
Do you use profiling?
In some cases, we process your data via automatic means with the goal of assessing certain personal aspects (profiling). We use profiling, for instance, in the following cases:
- Under legal and regulatory requirements, we are obligated to fight money laundering, the financing of terrorism, and criminal deeds which endanger company assets. Data is also evaluated in this respect (e.g. during payment processes). These measures are also intended to protect you.
- We use evaluation instruments so we can inform and advise you fully on products. This allows us to communicate with you and provide you with advertisements, including market and opinion research, according to your needs.
Information on your right to object under Article 21 GDPR Individual right to object
You have the right to object to the processing of your personal data at any time under Article 6 paragraph 1 letter e GDPR (data processing in the public interest) and Article 6 paragraph 1 letter f GDPR (data processing based on a weighing of interests) for reasons resulting from your specific personal situation. This also applies to profiling based on this provision in the sense of Article 4 no. 4 GDPR. If you submit an objection, we will no longer process your personal information unless we can show urgent legitimate grounds for processing that outweigh your interests, rights, and freedoms, or if processing serves to assert, exercise, or defend against legal claims.
Right to object against data processing for the purpose of direct advertisement
In some cases, we process your personal data to carry out direct advertising. You have the right to object to this processing of your personal data for the purpose of such advertisements; this also applies to profiling, insofar as this is associated with such direct advertising. If you object to processing for the purpose of direct advertising, your personal information will no longer be processed for this purpose. For the exercise of the objection there are no other costs than the transmission costs according to the basic tariff.
Recipient of an objection
You may object without observing any formal requirements by providing your name and address and using the subject “Objection.” To do so, please send an e-mail to [zentraleseinwilligungsmanagement@dekra.com] or to the contact information indicated in the DEKRA legal notice (e.g. DEKRA SE, Handwerkstr. 15, 70565 Stuttgart, Phone: +49711/7861-0) or click the link at the end of any informational e-mail you receive. You will not be charged any further costs besides transmission costs in accordance with basic tariffs.