Data Privacy Statement

Data protection is a top priority for our company. The use of our website is possible without any indication of personal data. However, if a person concerned wants to use certain services online, the processing of personal data could become necessary. If the processing of personal data is necessary and if there is no legal basis for such processing, we will generally obtain the consent of the person concerned.

The processing of personal data, such as the name, address, e-mail address or telephone number of a person concerned shall always be in line with the GDPR (General Data Protection Regulation), and in accordance with applicable laws. With this data protection regulation in mind, our company would like to inform you about the type, scope and purpose of the personal data we process and inform persons concerned about their rights.

As the responsible party, our enterprise has implemented numerous technical and organisational measures to ensure the most complete protection of personal data processed. Nevertheless, internet-based data transmissions may be subject to security vulnerabilities so absolute protection cannot be guaranteed.

1 Definitions

Our company’s data protection regulation is based on the GDPR. Our data protection regulation should be easy to read and understand. To ensure this, we first explain the terms of use:

1.1 Personal data

Personal data is “any information relating to an identified or identifiable natural person (hereinafter ‘person concerned’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (GDPR Art. 4(1)).

1.2 Person concerned

Person concerned is any identified or identifiable natural person whose personal data are processed by the responsible party.

1.3 Processing

Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4 Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

1.5 Profiling

Profiling is any form of automated processing of personal data which involves the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

1.6 Pseudonymisation

Pseudonymisation is the processing of personal data where the personal data can no longer be attributed to a specific person concerned without the addition of further information. This additional information is kept separately and is subject to technical and organisational measures, thus ensuring that the personal data cannot be attributed to an identified or identifiable natural person.

1.7 Responsible party or person responsible for processing

Responsible party or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

1.8 Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the responsible party.

1.9 Recipient

Recipient is a natural or legal person, public authority, agency or other body whose personal data are disclosed, regardless of being a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.

1.10 Third party

Third party means any natural or legal person, public authority, agency or other body other than the person concerned, the responsible party, the processor and the persons who, under the direct authority of the responsible party or processor, are authorised to process the personal data.

1.11 Consent

Consent is any freely given specific and informed indication of his or her wishes, in the form of a statement or other unambiguous affirmative act, by which the person concerned signifies his or her agreement to personal data relating to him or her being processed.

2 Name and address of the party responsible for processing

The responsible party within the meaning of the GDPR is:

Caramba Chemie GmbH & Co. KG
Wanheimer Str. 334-336
D-47055 Duisburg

Phone: +49 (0) 203 7786-0
Emails:
WIGO: dpc[a]wigo.de
Bremen and Duisburg: dpc[a]caramba.de
Holding: dpc[a]caramba-group.com

With regard to processing operations within the scope of intra-group administration and division of labour by means of centralised systems, we and the group companies of the Berner Group are joint responsible parties. The joint processes relate in particular to the operation and use of jointly used databases, platforms and IT systems. In this respect, we and the respective group companies jointly determine the purposes and means of processing personal data.

This means that your data is not only processed by us, but also within the Berner Group within the framework of the defined purpose. Being your business partner enables us to respond to you and to your needs even better.

The exchange of personal data between us and group companies as joint responsible parties is usually based on Art. 6 (1) lit. f GDPR, as we have a legitimate interest in the effective performance of the above processing operations.

We have stipulated with the group companies on an agreement on joint responsibility pursuant to Art. 26 GDPR which fulfils our obligation of the GDPR, in particular with regard to the exercise of your person concerned rights, and who fulfils the information obligations pursuant to Art. 13, 14 GDPR.

We are available to you as a central point of contact. However, you can also assert your rights in relation to processing operations under joint responsibility against a jointly responsible group company.

If you contact us, we will coordinate with the relevant group companies about the agreement referred to in order to answer your inquiry and ensure your rights as the person concerned. You can request further information on this agreement via the contact option below.

Attached you will find an overview of the Berner Group companies with which we have entered into a joint responsibility agreement.

As the privacy statement applies to several companies of the Berner Group, the respective responsible party within the meaning of the General Data Protection Regulation (GDPR) is listed in the following file:
Data Privacy Statement List of legal entities Berner Group.pdf

3 Contact details of our external data protection officer

If you have any questions regarding data protection, please feel free to contact our data protection officer:
Mr. Michael Gruber

BSP-SECURITY

Thundorferstr. 10

D-93047 Regensburg

Phone +49 (0) 941 46 29 09 29

Info[at]bsp-security.de

www.bsp-security.de

4 Order Management and Order Processing

The following chapter is designed to inform our customers (you) about the processing of your personal data in the context of our business relationships.

4.1 Personal information

We process personal data that we receive from our customers or other interested parties in the course of our business relationship in order to fulfil orders or to process after-sales activities such as returns or complaints.

The lawfulness of such processing is based on Art. 6 (1) b GDPR (contract performance) and Art. 6 (1) f GDPR (legitimate interest) for the identification and communication as well as for the execution of the order and the payment process.

For the duration of the contractual relationship, we collect and process information in both paper and digital form. Relevant data include:

  • Name
  • Address/address
  • Payment information/Bank details
  • Tariff information

In addition to personal and identification data, this may also include data from the performance of our contractual obligations, documentation data and other comparable data.

4.2 Users of the data

Your data will only be passed on to departments within the company that require this information in order for us to fulfil our contractual and legal obligations. Service providers and deputies we use may also receive data for these purposes. These are companies from areas such as IT services, Logistics or Telecommunications. When transferring data to recipients outside the company, it is important to ensure that we comply with the applicable data protection regulations. We will only disclose information about you if you have given your consent or if we are entitled to do so. Under these conditions, the following may be recipients of personal data:

  • Public bodies and institutions (e.g. government offices, tax authorities) in the event of a legal or official obligation
  • Other recipients of your data may be those for whom you have given your consent to the transfer of data.

4.3 Data retention periods

We process and store your personal data to the extent necessary to fulfil our contractual and legal obligations.

In addition, we are subject to various retention and documentation obligations, which result, among other things, from the German Commercial Code (HGB).

Finally, the retention period is also based on the statutory limitation period, which can be up to thirty years in accordance with §§ 195 et seq. of the German Civil Code, whereby the regular limitation period is three years.

As soon as the storage of the data is no longer necessary to fulfil the purpose of processing and there are no longer any statutory retention periods, your data will be deleted immediately.

5 Cookies

Our web pages use cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.

Numerous web pages and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which web pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited web pages and servers to distinguish the individual browser of the person concerned from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified by the unique cookie ID. Through the use of cookies, we can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.

By means of a cookie, the information and offers on our website can be optimised in the sense of the user. As already mentioned, cookies enable us to recognise the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a Web site that uses cookies does not have to re-enter his or her access data each time he or she visits the Web site, because this is handled by the Web site and the cookie stored on the user’s computer system. Another example is the cookie of a shopping cart in an online store. The online shop remembers the items that a customer has placed in the virtual shopping cart via a cookie.

The person concerned can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time using an Internet browser or other software programs. This is possible in all common Internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

6 Collection of general data and information

Our web server collects a series of general data and information each time the website is accessed by a person concerned or an automated system. This general data and information are stored in the server’s log files. The types and versions of browsers used, the operating system used by the accessing system, the website from which an accessing system accesses our website, the sub-websites accessed via an accessing system on our website, the date and time of access to the website, an Internet protocol address (IP address), the Internet service provider of the accessing system and other similar data and information that serve to avert danger in the event of attacks on our IT systems may be recorded.

When using these general data and information, we do not draw any conclusions about the person concerned. Rather, this information is needed to deliver the contents of our website correctly, to optimise the contents of our website as well as the advertising for it, to ensure the long-term functionality of our information technology systems and the technology of our website as well as to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. Therefore, the data and information collected anonymously is, on the one hand, statistically analysed by our enterprise and, on the other hand, it is evaluated with the aim of increasing the data protection and data security of our enterprise, and ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a person concerned.

7 Registration on our website

The person concerned has the option to register on the website of the responsible party by providing personal data. The personal data are transmitted to the responsible party in the process results from the respective input mask used for the registration. The personal data entered by the person concerned are collected and stored exclusively for internal use by the responsible party and for its own purposes. The responsible party may arrange for the data to be transferred to one or more processors, for example a parcel service provider, who will also use the personal data exclusively for internal use attributable to the responsible party.

By registering on the responsible party’s web page , the IP address assigned by the Internet service provider (ISP) of the person concerned, the date and the time of registration are stored. The storage of this data takes place against the background this is the only way that the misuse of our services can be prevented and, if necessary, this data makes it possible to clarify criminal offences that have been committed. In this respect, the storage of this data is necessary for the protection of the data responsible party. As a matter of principle, this data will not be disclosed to third parties unless there is a legal obligation to do so or if the disclosure is used for the purpose of criminal prosecution.

By voluntarily providing personal data, the registration by the responsible party of the person concerned offers the person concerned content or services which, due to the nature of the matter, can only be offered to registered users. Registered persons are free to modify the personal data provided during registration at any time or to have them completely deleted from the data base of the responsible party.

The party responsible for processing shall provide any person concerned at any time, upon request, with information on what personal data is stored about the person concerned. Furthermore, the responsible party shall correct or delete personal data at the request or indication of the person concerned, provided that this does not conflict with any statutory retention obligations.

8 Subscription to our newsletter

On the website of our enterprise, users are given the opportunity to subscribe to our enterprise’s newsletter. The personal data transmitted to the responsible party when the user subscribes to our newsletter will be specified in the input mask used for this purpose.

Our enterprise informs its customers and business partners at regular intervals by means of a newsletter about enterprise offers. The newsletter of our enterprise can basically only be received by the person concerned, if the person concerned has a valid e-mail address and if the person concerned registers for the newsletter mailing. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by a person concerned for the first time for the newsletter dispatch using the double opt-in procedure. This confirmation e-mail serves to verify whether the owner of the e-mail address as the person concerned has authorised the receipt of the newsletter.

When registering for the newsletter, we also store the IP address of the computer system used by the person concerned at the time of registration, as assigned by the Internet service provider (ISP), as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of the e-mail address of a person concerned at a later point in time and therefore serves as the legal protection of the responsible party.

The personal data collected in the context of a registration for the newsletter are exclusively used for the sending of our newsletter. Furthermore, subscribers to the newsletter could be informed by e-mail if this is necessary for the operation of the newsletter service or a related registration, as could be the case in the event of changes to the newsletter offer or changes in the technical circumstances. No personal data collected as part of the newsletter service will be passed on to third parties. The subscription to our newsletter can be cancelled by the person concerned at any time. The consent to the storage of personal data, which the person concerned has given us for the newsletter dispatch, can be revoked at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is also possible to unsubscribe from the newsletter mailing directly on the web page of the responsible party at any time or to inform the responsible party of this in another way.

9 Newsletter tracking

The newsletters of our company contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in such e-mails that are sent in HTML format to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, we may see if and when an e-mail was opened by a person concerned, and which links contained in the e-mail were called up by the person concerned.

Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the responsible party in order to optimise the newsletter dispatch and to better tailor the content of future newsletters to the interests of the person concerned. This personal data will not be disclosed to third parties. Persons concerned are entitled to revoke the relevant separate declaration of consent given via the double opt-in procedure at any time. After a revocation, this personal data will be deleted by the data responsible party. We automatically interpret a withdrawal from the receipt of the newsletter as a revocation.

10 Tracking services

10.1 Privacy policy on the use of Google Analytics

The responsible party has integrated the Google Analytics component (with anonymisation function) on this website. Google Analytics is a web analysis service. Web analysis is the collection, collation and analysis of data about the behaviour of visitors to web pages. Among other things, a web analysis service collects data about the website visited by a person concerned (so-called “referrers”), and details which pages of the website were accessed or how often and for how long a page was viewed. A web analysis is mainly used for the optimisation of a website and for the cost-benefit analysis of Internet advertising.

The operating company of the Google Analytics component is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The responsible party uses the addition “gat._anonymizeIp” for web analysis via Google Analytics. By means of this addition, the IP address of the Internet connection of the person concerned is shortened and anonymised by Google if access to our website is from a member state of the European Union or from another state party to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information obtained, among other things, to evaluate the use of our website, to compile online reports for us showing the activities on our website, and to provide other services in connection with the use of our website.

Google Analytics sets a cookie on the information technology system of the person concerned. What these cookies are has already been explained above. The placement of the cookie enables Google to analyse the use of our website. Each time one of the individual pages of this website which is operated by the data responsible party is called upon and where a Google Analytics component has been integrated, the Internet browser on the information technology system of the person concerned is automatically caused by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical procedure, Google obtains knowledge of personal data, such as the IP address of the person concerned, which Google uses, among other things, to track the origin of visitors and clicks and subsequently to enable commission settlements.

By means of the cookie, personal information such as the time of access, the location from which access originated and the frequency of visits to our website by the person concerned are stored. Each time the person concerned visits our website, this personal data, including the IP address of the Internet connection used by the person concerned, is transmitted to Google in the USA. This personal data is stored by Google in the USA. Google may pass on this personal data collected via the technical procedure to third parties.

The person concerned can prevent the setting of cookies by our website, as already described above, at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the IT system of the person concerned. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore, the person concerned has the possibility to object to the collection of data generated by Google Analytics and related to the use of this website as well as to the processing of such data by Google and to prevent such processing. For this purpose, the person concerned must download and install a browser add-on under the link https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information on visits to web pages may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google as an objection. If the information technology system of the person concerned is deleted, formatted or reinstalled at a later point in time, the person concerned must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the person concerned or another person within his or her sphere of control, there is the option of reinstalling or reactivating the browser add-on.

Further information and Google’s applicable privacy policy can be found at https://www.google.de/intl/de/policies/privacy/ and at http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail at this link https://www.google.com/intl/de_de/analytics/.

10.2 Google Tag Manager

Google Tag Manager is a system that allows marketers to manage web page tags through an interface. The Tag Manager tool that implements the tags is a cookie-free domain and does not collect any personal data itself. The tool allows sharing of other tags that may be able to collect data themselves. Google Tag Manager does not access this data. If a disablement is made at the domain or cookie level, it remains in effect for all tracking tags implemented with Google Tag Manager.

http://www.google.com/tagmanager/use-policy.html

10.3 Privacy policy on the use and application of YouTube

The responsible party has integrated components of YouTube on this website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete film and television programmes, music videos, trailers or videos made by users themselves can be accessed via the Internet portal.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. By each call of one of the individual pages of this website, which is operated by the responsible party and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information technology system of the person concerned is automatically caused by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information on YouTube can be found at https://www.youtube.com/yt/about/de/. Within the scope of this technical procedure, YouTube and Google receive information about which specific sub-page of our website is visited by the person concerned.
If the person concerned is logged into YouTube at the same time, YouTube recognises which specific sub-page of our website the person concerned is visiting when a sub-page containing a YouTube video is called up. This information is collected by YouTube and Google and assigned to the respective YouTube account of the person concerned.
YouTube and Google always receive information via the YouTube component that the person concerned has visited our website if the person concerned is logged into YouTube at the same time as calling up our website; this takes place regardless of whether the person concerned clicks on a YouTube video or not. If the person concerned does not want this information to be transmitted to YouTube and Google, he or she can prevent the transmission by logging out of his or her YouTube account before accessing our website.
The data protection provisions published by YouTube, which can be accessed at https://www.google.de/intl/de/policies/privacy/, provide information on the collection, processing and use of personal data by YouTube and Google.

11 Contact option via the website

Due to legal requirements, the website of our enterprise contains data that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a person concerned contacts the responsible party by e-mail or by using a contact form, the personal data transmitted by the person concerned will be stored automatically. Such personal data transmitted on a voluntary basis by a person concerned to the responsible party will be stored for the purposes of processing or contacting the person concerned. No disclosure of such personal data to third parties will take place.

12 Routine erasure and blocking of personal data

The responsible party processes and stores personal data of the person concerned only for the period necessary to achieve the purpose of the processing or where provided for by law in laws or regulations to which the responsible party is subject. If the storage purpose ceases to apply or if a storage period prescribed by law expires, the personal data shall be routinely blocked or deleted in accordance with the statutory provisions.

13 Rights of the person concerned

13.1 Right to confirmation

Every person concerned has the right to obtain confirmation from the responsible party as to whether personal data concerning him or her are being processed. If a person concerned wishes to exercise this right of confirmation, he or she may, at any time, contact our Data Protection Officer or another employee of the responsible party.

13.2 Right of access

Any person concerned by the processing of personal data has the right to obtain from the responsible party, free of charge, information about the personal data stored about him or her and a copy of that information, together with the information specified here:

  • the purposes of the processing
  • the categories of personal data processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations
  • if possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining that period
  • the existence of a right to rectify or erase the personal data concerning them or to obtain the restriction of processing by the responsible party or a right to object to such processing
  • the existence of a right of appeal to a supervisory authority
  • if the personal data are not collected from the person concerned: All available information about the origin of the data
  • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the person concerned

Furthermore, the person concerned shall have a right of access to whether personal data have been transferred to a third country or to an international organisation. If this is the case, the person concerned also has the right to be informed about the appropriate safeguards in relation to the transfer. If a person concerned wishes to exercise this right of access, he or she may, at any time, contact our data protection officer or another employee of the responsible party.

13.3 Right of rectification

Any person concerned worried by the processing of personal data has the right to obtain the rectification without delay of personal data relating to him or her which are inaccurate. Furthermore, the person concerned shall have the right to obtain, taking into account the purposes of the processing, the completion of any incomplete personal data, including by means of a supplementary declaration. If a person concerned wishes to exercise this right of rectification, he or she may, at any time, contact our Data Protection Officer or another employee of the responsible party.

13.4 Right to erasure (right to be forgotten)

Any person concerned who is concerned by the processing of personal data has the right to obtain from the responsible party the erasure without delay of personal data concerning him or her, where one of the following grounds applies and insofar as the processing is no longer necessary:

  • The personal data were collected or otherwise processed for such purposes for which they are no longer necessary.
  • The person concerned revokes the consent on which the processing was based pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
  • The person concerned objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the person concerned objects to the processing pursuant to Article 21(2) GDPR.
  • The personal data have been processed unlawfully.
  • The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the responsible party is subject.
  • The personal data have been collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

If one of the aforementioned reasons applies, and a person concerned wishes to arrange for the erasure of personal data stored by our enterprise, he or she may, at any time, contact our Data Protection Officer or another employee of the responsible party. The data protection officer of our enterprise or another employee will arrange for the erasure request to be complied with immediately.

If the personal data have been made public by our company and our company as the responsible party is obliged to erase the personal data pursuant to Article 17 (1) of the General Data Protection Regulation, our company shall implement reasonable measures, including those of a technical nature, taking into account the available technology and the cost of implementation, in order to inform other data controllers which process the published personal data, that the person concerned has requested from those other data controllers the erasure of all links to the personal data or copies or replications of the personal data, unless the processing is necessary. Our data protection officer or another employee will arrange the necessary in individual cases.

13.5 Right to restriction of processing

Any person concerned by the processing of personal data has the right, granted by the European Directives and Regulations, to obtain from the responsible party the restriction of processing where one of the following conditions is met:

  • The accuracy of the personal data is contested by the person concerned for a period enabling the responsible party to verify the accuracy of the personal data.
  • The processing is unlawful, the person concerned objects to the erasure of the personal data and requests instead the restriction of the use of the personal data.
  • The responsible party no longer needs the personal data for the purposes of the processing, but the person concerned needs it for the establishment, exercise or defence of legal claims.
  • The person concerned has objected to the processing pursuant to Article 21 (1) of the GDPR and it is not yet clear whether the legitimate grounds of the responsible party override those of the person concerned.

If one of the aforementioned conditions is met, and a person concerned wishes to request the restriction of personal data stored by our enterprise, he or she may, at any time, contact our data protection officer or another employee of the responsible party. The data protection officer of our enterprise or another employee will arrange the restriction of the processing.

13.6 Right to data portability

Every person concerned who is concerned by the processing of personal data has the right to obtain personal data concerning him or her, which has been provided by the person concerned to a responsible party, in a structured, commonly used and machine-readable format. He or she also has the right to transmit this data to another responsible party without hindrance from the responsible party to whom the personal data was provided, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the responsible party.

Furthermore, when exercising the right to data portability pursuant to Article 20(1) of the GDPR, the person concerned has the right to obtain that the personal data be transferred directly from one responsible party to another responsible party where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.

In order to assert the right to data portability, the person concerned may at any time contact the data protection officer appointed by our enterprise or another employee.

13.7 Right to object

Any person concerned who is concerned by the processing of personal data has the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR. This also applies to profiling based on these provisions.

Our enterprise shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the person concerned, or for the assertion, exercise or defence of legal claims.

If our enterprise processes personal data for direct marketing purposes, the person concerned shall have the right to object at any time to processing of personal data processed for such marketing. This also applies to the profiling, insofar as it is related to such direct marketing. If the person concerned objects to our enterprise to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, the person concerned has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the person concerned may directly contact the Data Protection Officer of our enterprise or another employee.

13.8 Automated decisions on a case-by-case basis, including profiling

Every person concerned who is concerned by the processing of personal data has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for entering into, or the performance of, a contract between the person concerned and the responsible party, or is permitted by Union or Member State law to which the responsible party is subject, and that law contains suitable measures to safeguard the person concerned’s rights and freedoms and legitimate interests, or is based on the person concerned’s explicit consent.

If the decision is necessary for entering into, or the performance of, a contract between the person concerned and the responsible party, or if it is made with the person concerned’s explicit consent, our enterprise will implement suitable measures to safeguard the person concerned’s rights and freedoms and legitimate interests, including at least the right to obtain the person concerned’s involvement on the part of the responsible party, to express his or her point of view and contest the decision.

If the person concerned wishes to exercise the rights concerning automated decisions, he or she may, at any time, contact our Data Protection Officer or another employee of the responsible party.

13.9 Right to withdraw consent under data protection law

Any person concerned who is concerned by the processing of personal data has the right to withdraw consent to the processing of personal data at any time. If the person concerned wishes to exercise the right to withdraw consent, he or she may, at any time, contact our Data Protection Officer or another employee of the responsible party.

14 Data protection during applications and the application procedure

The responsible party collects and processes the personal data of applicants for the purpose of handling the application procedure. The processing may also be carried out by electronic means. This is in particular the case when an applicant submits relevant application documents to the responsible party by electronic means, for example by e-mail or via a web form located on the website. If the responsible party concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the responsible party does not conclude an employment contract with the applicant, the application documents will be automatically deleted 2 months after notification of the rejection decision, provided that no other legitimate interests of the responsible party conflict with such deletion. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

15 Responsible data protection supervisory authority

Since the data protection declaration applies to several companies of the Berner Group, the respective responsible data protection authority within the meaning of the Data Protection Regulation (GDPR) is listed in the following file: European Data Protection Authorities.pdf

16 Changes to the data protection provisions

We reserve the right to change our security and data protection provisions, insofar as this becomes necessary due to technical developments. In these cases, we will also adapt our data protection information accordingly. Please refer to the current version of our privacy policy.

June 2021 – The Berner Group