Controller and data protection officer
AUMA Riester GmbH & Co.KG, Aumastr. 1, 79379 Müllheim
Phone: +49 7631 809 1250
Should you have any questions or comments regarding data protection (for example on access to and updating of your personal data), you may contact our data protection officer.
Data protection officer:
Scope of processing
Source and origin of data collection
We process personal data which we have directly collected from you.
To the extent necessary for the performance of our services, we will process personal data lawfully obtained from other companies or other third parties. Furthermore, we process personal data which we have lawfully retrieved, received or acquired from publicly accessible sources (such as telephone directories, trade and associations register, residential register, debtors lists, land charges registers, press, internet and other media).
Relevant personal data categories might among others include:
- Personal details (name, date of birth, nationality, personal status, occupation/industry and similar data)
- Contact details (address, e-mail address, phone number and similar data)
- Payment/coverage confirmation for bank and credit cards customer history
- Data on your usage of the telecommunications and electronic media (e.g. at the time of access to our websites, Apps or newsletters, clicked pages/links by us or entries and similar data)
Purposes and legal basis of the processed data
We will process your personal data while respecting the provisions of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act [Bundesdatenschutzgesetzes-Neu (BDSG-Neu)] as well as further data protection regulations (for details see below). Which data is processed and in which way depends predominantly on the requested or agreed services. For further details or amendments for the purpose of data processing, please refer to the respective contractual documents, forms, a declaration of consent and/or other information provided (e.g. within the framework of using our website or our General Terms and Conditions of Delivery).
Purpose of the performance of a contract or steps prior to entering a contract (Art. 6(1) point b GDPR)
Personal data is processed for the performance of our contracts with you and the execution of your orders as well as for the performance of steps and activities within the framework of relationships prior to entering a contract, e.g. with interested parties. This mainly includes contract-related communication with you, the pertaining settlement and payment transactions, the traceability of orders and other agreements as well as quality control by the respective documentation, good will procedures, actions for control and optimisation of business processes as well as for meeting the general duties of care, control and supervision by affiliated companies, cost input and controlling, reporting system, internal and external communication, emergency management, settlement and fiscal assessment of operational performances, risk management, establishment of rights and defence in case of legal disputes; safeguarding of IT security (among others system and plausibility tests) and the general security, safeguarding and exercise of the domestic authority (e.g. by access controls); safeguarding of integrity, authenticity and availability of data, prevention and investigation of criminal offences as well as supervision by supervisory boards or bodies (such as internal auditors).
Purposes within the framework of a legitimate interest by us or a third party (Art. 6(1) point f GDPR)
We will process your data beyond the actual performance of the contract or the preliminary contract should it be required to safeguard our legitimate interests or those of third parties, in particular for purposes of
- marketing or market and public opinion research unless you have objected to the use of your data;
- review and optimisation of procedures for requirement analysis;
- further development of services and products as well as existing systems and processes;
- establishment of rights and defence in case of legal disputes which cannot directly be attributed to the contract;
- restricted storage of data should erasure of the data prove to be impossible or would involve a disproportionate effort due to the special type of storage;
- prevention, investigation of criminal offences unless exclusively for the fulfilment of statutory requirements;
- building and plant safety (e.g. by access controls) going beyond the general duties of care;
- obtainment and retention of certifications by private bodies or authorities;
- safeguarding and performance of domestic authority by appropriate action (such as CCTV) as well as for safeguarding of judicial evidence in case of criminal offences and their prevention.
Purposes within the framework of your consent (Art. 6(1) point a GDPR)
Processing of your personal data for specific purposes (e.g. use of your e-mail address for marketing purposes) can also be made on the basis of your consent. Usually, you may withdraw your consent at any time. This shall also apply to the withdrawal of declarations of consent which had been granted prior to the entering into force of the GDPR, i.e. prior to 25 May 2018. You will be separately informed on the purposes and on the consequences of the withdrawal or refusal of a consent in the respective text of the declaration of consent. In general, the withdrawal of the consent shall have future effect. Processing prior to the withdrawal shall not be affected and remain lawful.
Purposes for the compliance with legal obligations (Art. 6(1) point c GDPR) or in the public legal interest (Art. 6(1) point e GDPR)
Like any party involved in economic actions, we are also subject to a multitude of legal obligations. They include primarily legal requirements (e.g. commercial and tax laws) but might also include supervisory and other regulatory requirements. The purposes of processing include, if applicable, the performance of fiscal control and reporting requirements as well as data archiving for purposes of data protection and data security as well as auditing by tax and other authorities. Furthermore, the disclosure of personal data may be required within the framework of official/judicial actions for the purposes of taking of evidence, prosecution or enforcement of civil rights.
Furthermore, due to the European Regulations with a view to combating terrorism CR 2580/2001 and CR 881/2002, we are obliged to match your data against so-called "terror lists" to ensure that no funds or other economic resources are provided for terrorist purposes.
Scope of your obligation to provide us with data
You only have to provide the data required for entering into and performing a business relationship or steps prior to entering into a contract with us or which we have to collect on the basis of legal requirements. Without this data, we will generally not be in a position to conclude or execute the contract. This may also refer to data required at a later date within the framework of the business relationship. Should we request further data beyond these obligations, you will be informed separately on the discretionary nature of the data.
Automated decision-making for individual cases (including profiling)
We do not use any automated decision-making procedures in compliance with Article 22 GDPR. Should we use such a procedure in the future in individual cases, we will inform you separately and accordingly if legally required. To some extent, we might process your data with the objective of assessing certain personal aspects (profiling).
Consequences of failure to provide data
Within the framework of the business relationship, you have to provide the personal data required for conclusion, performance and termination of the legal transaction and the performance of the pertaining contractual obligation, or which we have to collect by legal requirement. Without this data, we will not be in a position to perform the legal transaction with you.
Data recipients within the EU
Within our company, only those internal departments or organisational units requiring the information for meeting our contractual and statutory obligations or within the framework of processing and performing our legitimate interest will receive your data.
Your data will exclusively be transferred to external bodies
- within the context of the settlement of the contract;
- for purposes of meeting legal requirements according to which we are required to inform, notify or transfer data or the transfer of data is in the public interest (refer to section 2.4);
- to the extent external service providers are processing data by order as processors or function providers (e.g. data processing centres, support/maintenance of EDP/IT applications, archiving, receipt processing, call centre services, compliance services, controlling, data validation or plausibility tests, data erasure, purchasing/procurement, customer management, letter shops, marketing, media technology, research, risk management, settlement, telephone system, website management, auditing services, banks, printing houses or companies for data disposal, courier services, logistics);
- due to our legitimate interest or the legitimate interest of a third party within the framework of the mentioned purposes (e.g. to authorities, credit agencies, debt collection, lawyers, courts, technical experts, subsidiaries and supervisory boards and bodies);
- if you have given your consent to transfer to third parties.
We will not transfer your data for other purposes to third parties. Should we commission service providers within the framework of processing an order, your data will be handled according to the same safety standards as ours. In all other cases, the recipients may only use the data for the purposes for which it was transferred.
Data recipients outside the EU
When transferring personal data to a member of the AUMA Group outside of the EU or the EEA (so-called third countries), we shall provide an adequate level of data protection by means of contractual agreements.
Transfer of personal data to companies based in countries outside the EU or the EEA not being part of the AUMA Group will not be performed.
We will process and store your data for the duration of our business relationship. This includes the steps taken prior to entering into a contract (pre-contractual legal relationship) and the performance of a contract.
Furthermore, we are subject to various storage and documentation obligations derived among others from the German commercial code (HGB) and the German tax code (AO). The periods for storage and documentation stipulated there amount to up to ten years to the end of the calendar year beyond the termination of the business relationship or the pre-contractual legal relationship.
Furthermore, special legal provisions might require longer storage periods, such as the retention of judicial evidence within the framework of legal regulations on the statute of limitation. In accordance with articles 195 et seqq. of the German civil code (BGB), the regular statute of limitation is three years; however, statutes of limitation of up to 30 years may apply.
Should the data no longer be required for fulfilling contractual or legal obligations or rights, the data is lawfully erased, unless limited further processing of the data should be required to meet requirements of a predominantly legitimate interest. A predominantly legitimate interest shall also apply should erasure of the data prove to be impossible or would involve a disproportionate effort due to the special type of storage and if processing for other purposes can be excluded by applying suitable technical and organisational measures.
Under specific conditions, you may exercise your privacy rights towards us:
- You have the right to obtain information on your data stored with us in compliance with the rules of Art. 15 GDPR (if applicable with restrictions in compliance with § 34 BDSG-Neu).
- On your application, we will inform you about the personal data stored in compliance with Art. 16 GDPR, should the data be inapplicable or inaccurate.
- If you wish, we will erase your data in accordance with the principles of Art. 17 GDPR unless this should not be excluded by other legal regulations (e.g. statutory retention obligations or the restrictions in compliance with § 35 BDSG-Neu) or a prevailing interest on our side (e.g. for defence of our rights and claims).
- Considering the conditions of Art. 18 GDPR, you have the right to obtain the restriction of processing of your data from us.
- Furthermore, you may object to the processing of your data in compliance with Art. 21 GDPR, due to which we will have to stop processing your data. However, the right to object only applies on grounds relating to your particular situation, whereas rights of our company might contradict your right to objection.
- You also have the right to receive your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party on the grounds of Art. 20 GDPR.
- Furthermore, you have the right to withdraw consent to the processing of personal data at any time from us with future effect (refer to section 2.3).
- In addition, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). However, we recommend directing a complaint to our data protection officer first.
- Your applications on exercising your rights should be sent in writing or via e-mail to the address above or directly addressed in writing or via e-mail to our data protection officer.
Particular note on your right to objection in compliance with Art. 21 GDPR
You have the right to object at any time to the processing of your data performed on the grounds of Art. 6(1) point f GDPR (data processing weighing all interests) or Art. 6(1) point e GDPR (data processing in the public interest) on grounds relating to your particular situation.
This shall also apply to profiling within the sense of Art. 4 point 4 GDPR based on this provision. Should you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
We might also process your personal data for direct marketing. Should you not wish to receive marketing, you have the right to object at any time, which includes profiling to the extent that it is related to such direct marketing. We will heed this objection for future marketing. Your data will no longer be processed for the purposes of direct marketing if you object to the processing for this purpose.
The objection can be sent informally to the aforementioned address.
Furthermore, you have the right to lodge a complaint with the aforementioned data protection officers or a supervisory authority.