Our Data Protection Officer can be contacted using the following details:
HEC Harald Eul Consulting GmbH
Datenschutz + Datensicherheit
Auf der Höhe 34
Telephone: +49 (2232) 1885211
Fax: +49 (2232) 200884
2. Purposes and legal basis for processing your data
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG] and other applicable data protection laws and regulations (as explained in more detail below). The specific types of data we process and how they are used depends mainly on the specific services applied for or agreed in each individual case. For further details or additional information on data processing by CONREN Land, please refer to the relevant contract documents, forms, declaration of consent and/or other information provided to you (e.g. in the context of your use of our website or as part of our General Terms and Conditions). Moreover, this Privacy Notice may be updated from time to time. To review the most current version of this Privacy Notice, please visit our website www.conrenland.com.
2.1. Processing for the performance of a contract or in order to take steps prior to entering into a contract (Art. 6(1)(b) GDPR)
Personal data are processed for the purposes of performing contracts we have with you, fulfilling your orders and taking steps and actions which form part of pre-contractual relations, e.g. with prospective customers. The primary purpose of processing is therefore to fulfil our obligations to fulfil your orders and requests and includes the services, steps and actions required. This includes first and foremost communicating with you in relation to a contract, the associated billing and payment transactions, the traceability of transactions, orders and other agreements as well as quality control through appropriate documentation, goodwill procedures, measures to control and improve business processes and to fulfil general duties of care, control and supervision by affiliates (e.g. a parent); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting for company benefits and their valuation for tax purposes, risk management, assertion of legal claims and defence in legal disputes; ensuring IT security (including system and plausibility tests) and general safety, including building and plant safety, protection and exercise of domiciliary rights (e.g. through access controls); ensuring the integrity, authenticity and availability of data, prevention and investigation of criminal offences; control by supervisory bodies or control bodies (e.g. auditing).
2.2. Processing for the purposes of the legitimate interests pursued by CONREN Land or by a third party (Art. 6(1)(f) GDPR)
Beyond the actual performance of the contract or preliminary contract, we may also process your data where such processing is necessary for the purposes of the legitimate interests pursued by CONREN Land or by a third party, in particular for the following purposes:
• Advertising or market research and opinion polling, unless you have objected to the use of your data;
• Obtaining information and exchanging data with credit agencies about matters beyond our financial risk;
• Reviewing and improving requirement analysis processes;
• Development of services and products and of existing systems and processes;
• Disclosure of personal data as part of the due diligence process in the negotiations for the sale of a business;
• Performing checks of European and international terrorism lists that go beyond our statutory obligations;
• Enhancement of our data, including by using or searching publicly available data;
• Statistical evaluations or market analysis;
• Asserting legal claims and defence in legal disputes not directly associated with the contractual relationship;
• Restricted storage of data if erasure is not possible or only possible at disproportionate expense due to the particular manner of storage;
• Developing scoring systems or automated decision-making processes;
• Preventing and investigating criminal offences beyond what is required to comply with legal obligations;
• Ensuring building and plant safety (e.g. through access controls and video surveillance), beyond complying with our general duty of care;
• Conducting internal and external investigations, safety reviews;
• Monitoring or recording of telephone calls for quality control and training purposes;
• Obtaining and maintaining certifications (e.g. ISO certifications) of a private-law or official nature;
• Protecting and exercising domiciliary rights through appropriate measures, including video surveillance, to protect our customers and staff and to capture evidence of and prevent criminal activity.
2.3. Processing based on your consent (Article 6(1)(a) GDPR)
For certain purposes, your personal data may also be processed on the basis of your consent. As a rule, you can withdraw your consent at any time. This also applies to withdrawing declarations of consent that were given to us before the GDPR came into force, i.e. before 25 May 2018. Information about the purposes and consequences of withdrawing or not granting consent will be provided separately in the wording of the consent form.
A withdrawal of consent generally applies only to future processing of your data and does not affect the legality of processing carried out prior to withdrawal.
2.4. Processing for compliance with a legal obligation (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)
Like all business players, we are subject to a range of legal obligations. These are mostly statutory requirements (e.g. trade and tax laws) but also regulatory or other authority requirements, if applicable. The purposes of such processing may include identity and age verification, fraud and money laundering prevention, preventing, combating and investigating terrorist financing and property offences, checks of European and international terrorism lists, compliance with monitoring and reporting obligations under tax law and archiving of data for purposes of data security and data protection as well as audits by tax and other authorities. Personal data may also have to be disclosed in the context of authority/judicial measures to take evidence, prosecute criminal activity or enforce civil law claims.
3. Categories of data processed and their origin in the case of data not received directly from you
Where necessary for the provision of our services, we process personal data lawfully obtained from other companies or other third parties (e.g. credit agencies). Furthermore, we process personal data we lawfully obtain, receive or purchase from public sources (e.g. telephone directories, commercial registers and registers of associations, registers of residents, records of debtors, land registers, the press, the Internet and other media) and which we are allowed to process.
Relevant categories of personal data may include, but are not limited to
• Personal details (name, date and place of birth, nationality, marital status, profession/industry and similar information)
• Contact details (address, email address, telephone number and similar information)
• Address details (resident registration data and similar information)
• Confirmations of payment/account coverage for debit and credit cards
• Information about your financial standing (credit data including credit scoring, i.e. data to assess financial risk)
• Customer history
• Data about your use of telemedia we offer (e.g. when you access our websites, apps or newsletters, which of our pages/links or entries you clicked on, and similar information)
• Video data
4. Recipients or categories of recipients of your data
Within our company, your data are shared with those internal departments or organisational units that have a need to know to fulfil our contractual or legal obligations or for processing and to pursue our legitimate interests. We only disclose your data to third parties in the following circumstances:
• in connection with the performance of the contract;
• In order to comply with legal obligations which require us to provide information or notifications or to share data, or under which the sharing of data is in the public interest (cf. clause 2.4 above);
• If third-party service providers process data on our behalf as commissioned processors or function-holders (e.g. external data centres, support/maintenance of data processing and computer applications, archiving, document processing, compliance services, controlling, AML data screening, data validation and plausibility checking, data destruction, purchasing/procurement, client management, letter shops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, financial institutions, print shops or providers of data destruction, courier and logistics services);
• Based on legitimate interests pursued by CONREN Land or by a third party for the purposes referred to in clause 2.2 (e.g. to public authorities, credit agencies, debt collection agencies, lawyers, courts, appraisers and experts, companies and bodies forming part of the CONRENLAND Group and control bodies);
• If you have given us your consent to transfer your data to third parties.
We will never pass on your data to third parties in any other circumstances. If we instruct service providers to undertake commissioned data processing on our behalf, your data will be protected by the same security standards as with us. In all other cases, recipients may use your data only for the purposes for which they were transmitted.
5. Period for which your data will be stored
We process and store your data for the duration of our business relationship. This also includes the pre-contract negotiation phase (pre-contractual legal relationship) and the performance of a contract.
Moreover, we are subject to various retention and documentation obligations which arise, for example, under the German Commercial Code [Handelsgesetzbuch –HGB] or the German Tax Code [Abgabenordnung –AO]. These laws provide for retention and documentation periods of up to ten years beyond the end of a business relationship or pre-contractual legal relationship.
Furthermore, longer retention periods may apply due to special statutory requirements, e.g. in relation to the preservation of evidence in accordance with statutory limitation periods. Pursuant to Secs. 195 et seq. of the German Civil Code [Bürgerliches Gesetzbuch – BGB], the general limitation period is three years, however, in certain circumstances, limitation periods of up to 30 years may apply.
If we no longer need your data t perform our contractual or legal obligations, they will usually deleted, unless further processing is necessary – for a limited time – for the purposes referred to in clause 2.2 above based on an overriding legitimate interest. Such an overriding legitimate interest is deemed to exist, for example, if erasure is not possible or only possible at disproportionate expense due to the particular manner of storage and processing for other purposes is excluded by appropriate technical and organisational measures.
6. Processing of your data in a third country or by an international organisation
Data will be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) (known as “third countries”) if it is necessary to do so for the purpose of completing an order from you or performing a contract with you, if required by law (e.g. to comply with reporting obligations under tax law), for the purposes of the legitimate interests pursued by CONREN Land or by a third party or on the basis of your consent.
Such processing of your data in a third country may also occur if service providers are engaged to perform data processing on our behalf. If the country concerned is not subject to an adequacy decision by the EU Commission finding it to provide an adequate level of protection of personal data, we will ensure by means of appropriate contracts that your rights and freedoms are adequately protected and safeguarded in accordance with EU data protection requirements.
Information about the suitable or adequate safeguards and about whether, how and where it is possible to obtain a copy for you can be requested from the company data protection officer or from the personnel department competent for you.
7. Your data protection rights
Under certain circumstances, you have the following rights towards us under data protection laws:
• For example, you have a right of access to the information we store about you in accordance with Art. 15 GDPR (if applicable, subject to the restrictions of Sec. 34 BDSG).
• At your request, we will rectify the data we store about you in accordance with Art. 16 GDPR if they are incorrect or inaccurate.
• If you wish we will erase your data in accordance with the provisions of Art. 17 GDOR, unless there are other statutory provisions (e.g. statutory retention requirements or the restrictions under Sec. 35 BDSG) or an overriding interest on our part (e.g. in defending our rights and claims) preventing this.
• Subject to the conditions of Art. 18 GDPR, you have the right to request that we restrict the processing of your data.
• Furthermore, you have the right to object to the processing of your data in accordance with Art. 21 GDPR. We will then no longer be allowed to process your data. However, this right of objection applies only if certain grounds relating to your personal situation exist and subject to the proviso that CONREN Land may have rights that override your right to object.
• Subject to the conditions of Art. 20 GDPR, you also have the right to receive your data in a structured, commonly used and machine-readable format or to transmit them to a third party.
• Furthermore, you have the right to withdraw the consent you have given to us to process your personal data at any time with effect for any further processing.
• You also have a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you raise any complaints with our data protection officer in the first instance.
All requests to exercise your rights should wherever possible be sent in writing to the address specified above or directly to our data protection officer.
8. Scope of your obligations to provide data
You only have to provide the data required to establish and maintain a business relationship or for a pre-contractual relationship with us, or data we are required by law to collect. Without these data, we will generally not be able to enter into or perform a contract with you. This may also apply to data needed at a later point of our business relationship. If we ask you to provide further data beyond those referred to above, we will specifically indicate that the provision of those data is voluntary.
9. Automated individual decision-making (including profiling)
We do not use decision-making processes that are based solely on automated processing pursuant to Article 22 GDPR. If we were to use any such processes in isolated cases in the future, we would specifically inform you if we are required to do so by law.
In certain circumstances, we may process some of your data with the aim of evaluating certain personal aspects (profiling).
We may use analysis tools to provide you with targeted product information and advice. This helps us tailor our products, communication and advertising to demand and to carry out market research and opinion polls.
Such methods may also be used to assess your credit history and credit standing and for combating money laundering and fraud. We may also use scoring methods to assess your credit history and credit standing. Scoring models use mathematical techniques to calculate the probability that a customer will comply with his or her payment obligations as agreed by contract. Scoring helps us, for example, evaluate customers’ credit-worthiness and make decisions in the context of product sales and is a tool we use in our risk management.
The calculation is based on acknowledged and proven methods of mathematical statistics and your data, including, but not limited to, your income, spending, existing liabilities, profession, employer, duration of employment, the experience gathered so far in the business relationship between us, your repayment of credits in the past and information from credit agencies.
Information about your nationality and special categories of personal data pursuant to Art. 9 GDPR will not be processed in this context.
Information about your right to object pursuant to Art. 21 GDPR
- You have the right to object, on grounds relating to your particular situation, at any time to processing of your data on the basis of Art. 6(1)(f) GDPR (processing for the purposes of the legitimate interests pursued by the Controller or by a third party) or (Art. 6(1)(e) GDPR (processing for the performance of a task carried out in the public interest). This also applies to profiling as defined in Art. 4(4) GDPR on the basis of this provision.If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
- We may also process your personal data for direct marketing purposes. If you do not wish to receive marketing communications from us, you have the right to object to this at any time; this also applies to profiling related to direct marketing. We will then observe your objection with respect to all further processing.If you object to processing for direct marketing purposes, we will stop processing your personal data for this purpose.
Your objection may be made informally and should be directed, if possible, to the following address:
CONREN Land AG
Bockenheimer Anlage 2
D-60327 Frankfurt am Main
Telephone: +49 (69) 69766430-0
Fax: +49 (69) 69766430-90