Data protection policy of the NOTOS Xperts GmbH for www.notos-xperts.de

1. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR), of the data protection laws applicable in the member states of the European Union and of other provisions of a data protection nature is:

NOTOS Xperts GmbH
Heidelberger Straße 6
64283 Darmstadt
Telephone: 06151-52010-0

Website: www.notos-xperts.de
E-Mail: info@notos-xperts.de

2. Name and address of the data protection officer

With regard to the present legal situation, according to Sec. 38 Para. 1 BDSG we are not obliged to appoint a data protection officer.

If you have any questions regarding this data protection policy or data protection related issues in general, please contact our partners, Attorney at Law Jens Engelhardt or Attorney at Law Prof. Sven Kolja Braune, or write to info@notos-xperts.de.

3. Definitions

The data protection policy of the NOTOS Xperts GmbH is based on the definitions used by the European legislator in formulating the General Data Protection Regulation (GDPR). The data protection policy of the NOTOS Xperts GmbH should be easy to read and understand, not only for the general public but also for our customers and business partners. To ensure this, we would like to explain the definitions used in advance.

In this data protection policy and on our website, we use - amongst others - the following terms:

3.1 Personal data

Personal data is any information relating to an identified or identifiable natural person (hereafter "data subject"). Defined as identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2 Data subject

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

3.3 Processing

Processing means any operation or set of operations which is carried out in connection with personal data - whether or not by automated means - such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.4 Restricting of the processing

Restricting of the processing is the marking of stored personal data with the objective of restricting its processing in the future.

3.5 Profiling

Profiling is any type of automated processing of personal data in which this personal data is used to evaluate, analyse or forecast particular personal aspects relating to a natural person, in particular aspects concerning that person's work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of place of residence.

3.6 Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, in so far as this additional information is kept in a special way and subjected to technical and organizational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.

3.7 Controller or party responsible for the processing

Controller or party responsible for the processing (hereafter controller) is the natural person or legal entity, authority, institution or other body which alone or together with others decides on the purposes and means of the processing of personal data. If the purposes and means of the processing are laid down in European Union legislation or the legislation of the member states, then the controller, or the particular criteria for appointing the controller, can be provided for in European Union legislation or the legislation of the member states.

3.8 Processor

Processor is a natural person or legal entity, authority, institution or other body which processes the personal data on the instructions of the controller.

3.9 Recipient

Recipient is a natural person or legal entity, authority, institution or other body to which personal data is disclosed, regardless of whether this is a third party or not. However, authorities which may receive personal data within the framework of a particular investigation order in accordance with European Union legislation or the legislation of the member states are not regarded as recipients.

3.10 Third party

Third party is a natural person or legal entity, authority, institution or other body other than the data subject, the controller, the processor and those persons who are authorized under the direct responsibility of the controller or of the processor to process the personal data.

3.11 Consent

Consent is any declaration of will given voluntarily by the data subject for the specific case in an informed and unambiguous manner, in the form of a declaration or other unambiguous confirmatory action, with which the data subject makes clear that he/she agrees to the processing of personal data relating to himself/herself.

4. General information on data processing; legal basis, purposes of processing, duration of storage, objection and possibility of erasure

4.1 General information on the legal basis

Where we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

Art. 6 para. 1 lit. d GDPR serves as a legal basis in the event that vital interests of the data subject or another natural person necessitate the processing of personal data.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

4.2 General information on data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, the data may be stored if the European or national legislator has provided for this in EU regulations, laws or other provisions to which the controller is subject. The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless further storage of the data is necessary for the conclusion or performance of a contract.

4.3 General information on processing on our website

Data protection, data security and data secrecy hold high priority for NOTOS Xperts GmbH (hereinafter also referred to as NOTOS Xperts). The durable protection of your personal data, your company data and your business secrets is particularly important to us.

You can always visit our website without providing any personal information. However, if you make use of the services of our company via our website, this requires the disclosure of your personal data. In general, we use the data communicated by you and collected by the website and the data stored during use exclusively for our own purposes, namely for the implementation and provision of our website and for the initiation, implementation and processing of the services offered via the website (contract performance) and do not pass these on to outside third parties, unless there is an officially ordered obligation to do so. In all other cases, we will obtain your separate consent.

Your personal data will be processed in accordance with the requirements of the General Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to Katadyn. By means of this data protection note, we would like to inform you about the type, scope and purpose of the personal data processed by us. In addition, we will inform you of your rights by means of this data protection notice.

Katadyn has implemented technical and organizational measures to ensure adequate protection of personal data processed via this website. Nevertheless, Internet-based data transmissions can in principle have security gaps, so that absolute protection cannot be guaranteed.

5. Collecting of general data and information

The website of NOTOS Xperts GmbH collects a range of general data and information each time the website is accessed by a data subject or an automated system. This general data and information is stored in the log files of the server. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-pages of our website that an accessing system visits, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that serve to avert threats in the event of attacks on our IT systems.

In using this general data and information, NOTOS Xperts GmbH draws no conclusions about the data subject. Rather, this information is needed (1) to deliver the content of our website correctly, (2) to optimize the content of our website and the advertising for it, (3) to ensure the lasting functionality of our IT systems and of the technology of our website and (4) to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. This anonymously collected data and information is evaluated by NOTOS Xperts GmbH both statistically and with the objective of increasing data protection and data security in our company, in order ultimately to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files is stored separately from all personal data provided by a data subject.

Legal foundation: Article 6 Para. 1 lit. f GDPR (legitimate interest)

Storage purpose: The temporary storing of the IP address by the system is necessary to permit the delivery of the website to the computer of the user. For this, the IP address of the user must remain stored for the duration of the session.

Storage duration: The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. Where the data is collected for making the website available, this is the case when the particular session has ended.

Where the data is stored in log files, this is the case at the latest seven days after it was stored. More extensive storing is possible. In this case the IP addresses of the users are deleted or distorted so that the accessing client can no longer be identified.

Objection / opportunity for elimination: No, because the data is essential for operating the website.

6. Contact form, e-mail contact, telefax or telephone contact

Provided on our website is a contact form which can be used for making contact electronically. If a user makes use of this opportunity, the data entered in the input mask is transmitted to and will be stored by ourselves. This data may be (for example):

  • First name*
  • Last name*
  • Company
  • Address
  • Post Code
  • City
  • Country
  • Telephone number
  • E-Mail address*
  • Message*

At the time of the transmission of the message the following data will also be stored:

  • IP-address of the user
  • Date and time of the transmission

In addition, contact information is available on our website. It is possible to contact us via the provided e-mail address, fax or telephone number. If you contact us via one of these options, the personal data you send us will be stored automatically (e-mail, fax) or collected by us and stored manually.

In this connection no data is passed on to third parties. The data is used exclusively for the processing of the conversation and will immediately be deleted if it is no longer needed.

Legal foundation: The legal basis for the processing of the data is, as a rule, Article 6 Para. 1 lit. b GDPR (contract fulfilment; pre-contractual measures) in the case of enquiries via the contact form and/or e-mails; Article 6 Para. 1 lit. c GDPR (fulfilment of a legal obligation, e.g. answering of questions on data protection); and, in addition, Article 6 Para. 1 lit. f GDPR (legitimate interest).

Storage purpose: The processing of the personal data from the input mask / e-mail serves us solely for the processing of the contact. This is also the necessary legitimate interest in the processing of the data.

The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our IT systems.

Storage duration: The data is deleted as soon as it is no longer needed for achieving the purpose of its collection. For the personal data from the input mask of the contact form and the data sent by e-mail, this is the case when the particular conversation with the user has ended.

The conversation has ended when the circumstances allow the conclusion to be drawn that the matter in question has been finally clarified.

The above does not apply if the correspondence is subject to a retention obligation under commercial law.

The additional personal data collected during the sending process is deleted at the latest after a period of seven days.

Objection / opportunity for elimination: The user has the opportunity to object at any time to the storing of his personal data. In such a case the conversation cannot be continued.

7. Newsletter

7.1 Newsletter

The newsletter is sent on the basis of your registration on the website using the double opt-in procedure. At the time of registration for the newsletter, the following data from the input mask is transmitted to us:

  • Your e-mail address

In addition, data such as the following will be collected at registration:

  • IP address of the calling computer
  • Date and time of the registration

For the processing of the data your consent will be obtained within the framework of the registration process by way of the Double-Opt-In procedure whereby reference is made to this data protection policy.

Legal foundation: The legal basis for the processing of the data after the user has requested the newsletter is, where the user's consent has been given, Article 6 Para. 1 lit. a GDPR (consent).

Storage purpose: The collection of the e-mail address serves to permit the newsletter to be sent.

The collection of other personal data within the framework of the application process serves to prevent misuse of the services or of the e-mail address used.

Storage duration: The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. Accordingly, the e-mail address of the user is kept stored for as long as the subscription for the newsletter is active.

The other personal data collected within the framework of the application process is deleted as a rule after a period of seven days.

Objection / opportunity for elimination: The subscription for the newsletter can be terminated at any time by the relevant user. For this purpose, there is an appropriate deactivation link in each issue of the newsletter.

Terminating the subscription represents at the same time a revocation of the consent to the storing of personal data collected during the application process.

7.2 RSS Feed

Our website uses an RSS reader to generate an RSS feed for its users. RSS stands for Rich Site Summary and is a file format for web feeds. After subscribing, an RSS feed provides its users with an information service that updates itself at regular intervals, similar to a news ticker. The contributions are displayed in the form of an information block so that they have a title or a headline with a text breakdown and a link to the original website under which the original contribution can be viewed. The title or the headline itself can also represent the link.

On our website, users can subscribe to the RSS service either with dynamic bookmarks or with a suitable application. The following data is collected with the subscription:

  • IP address of the calling computer
  • browser information
  • Date and time of the subscription

Users have the possibility to unsubscribe from the RSS feed at any time.

7.3 No passing on of data

No passing on of data to third parties takes place in connection with the data processing for the sending of newsletters and advertising. The data is used exclusively for the sending of the newsletter.

7.4 Right of objection and right of revocation

We draw explicit attention to your right of revocation (newsletter) in accordance with section 11.8 of this data protection policy.

8. Data protection with applications and application processes

We collect and process the personal data of applicants for the purpose of handling the application process. The processing can also be carried out electronically. This is in particular the case when an applicant sends us the relevant application documents electronically, e.g. by e-mail. If we conclude a contract of employment with you as applicant, the data transmitted will be stored for the purpose of handling the employment relationship in compliance with the legal regulations. If a contract of employment is not concluded by the party responsible for the processing with the applicant, then the application documents will be automatically deleted six months after notification of the rejection in so far as there is no other legitimate interest of the party responsible for the processing against deletion. Another legitimate interest in this sense is, for example, an obligation of proof in a process in accordance with the German General Equal Treatment Act.

Legal foundation: The legal basis for the processing of the data is, as a rule, Article 6 Para. 1 lit. b GDPR (fulfilment of the employment contract; measures prior to the concluding of an employment contract) with job applications submitted via the contact form and/or e-mail; Article 6 Para. 1 lit. c GDPR (fulfilment of a legal obligation, e.g. answering of questions in connection with the job-application process); apart from this, Article 6 Para. 1 lit. f GDPR (legitimate interest); and special legal authorization rules such as a collective agreement, company agreement, income tax law etc. A supplementary reference is made to the Personnel / HR processing file.

Storage purpose: If we conclude an employment contract with you as job applicant, the data transmitted will be stored for the purpose of handling the employment relationship, whereby the legal obligations will be observed.

Storage duration: If no employment contract is concluded between the party responsible for the processing and the job applicant, then the job-application documents will be automatically deleted six months after the notification of rejection has been sent in so far as no other legitimate interest of the party responsible for the processing conflicts with the deletion.

A legitimate interest in this connection could be, for example, a proof obligation in a process in accordance with the German General Equal Treatment Act.

Objection / opportunity for elimination: Only general objection and elimination opportunities.

9. Cookies

9.1 Description and scope of the data processing

Our website uses cookies. Cookies are text files which are stored in the Internet browser or by the Internet browser on the computer system of the user. If a user accesses a website, then a cookie may be stored on the operating system of the user. Such a cookie contains a characteristic string which permits unambiguous identification of the browser if the website is accessed again.

We employ cookies in order to arrange our website in a more user-friendly manner. Certain elements of our website require that the calling browser can also be identified after a page change.

The following data is stored in the cookies and transmitted:

  • Language settings
  • Articles in a shopping basket
  • Log-in information

When our website is accessed, users are informed by means of an information banner provided by Cookiebot about the use of cookies for analytical purposes and are referred to this data protection policy. This includes a reference to how the storing of cookies can be prevented in the browser settings.

  • Mozilla Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
  • Chrome Browser: https://support.google.com/accounts/answer/61416?hl=en
  • Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

Legal foundation: Article 6 Para. 1 lit. f GDPR (legitimate interests) for strictly technically essential cookies

Storage purpose: The purpose behind the use of strictly technically essential cookies is that of making use of the website easier for the user. Certain functions of our website cannot be offered without the use of cookies. For these functions it is necessary that the browser is recognized even after a page change.

Storage duration: Cookies are stored on the user's computer and are transmitted from this to our website. Accordingly, you as user have full control over the use of cookies.

Objection / opportunity for elimination: By carrying out a change to the settings of your browser you can deactivate cookies or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be carried out automatically. However, if cookies for our website are deactivated, it may no longer be possible to use all the functions of the website in full.

The transmission of flash cookies cannot be prevented via the browser settings but requires changes to the setting of the flash player.

10. Use and application of other tools

10.1 Data protection regulations on the application and use of Matomo (with anonymization function)

This website uses the web analytics service Matomo to analyze and regularly improve the use of our website. With the statistics obtained we can improve our offer and make it more interesting for you as a user.

Cookies are stored on your computer for this analysis. NOTOS Xperts GmbH stores the information thus collected exclusively on its server in Germany. We use Cookiebot's cookie banner to obtain your consent to process your IP address as a cookie. You can adjust the evaluation by deleting existing cookies and preventing the storage of cookies. If you prevent the storage of cookies, we would like to point out that you may not be able to use this website to its full extent.

You can prevent the storage of cookies in your Cookiebot settings.

This website uses Matomo with the extension "AnonymizeIP". IP addresses are therefore processed in a shortened form, so that a direct personal reference can be excluded. The IP address transmitted by your browser via Matomo is not merged with other data collected by us.

The program Matomo is an open source project. Information of the third party provider on data protection can be found at https://matomo.org/privacy-policy/.

Legal foundation: Article 6 Para. 1 lit. a GDPR (consent)

Storage purpose: The purpose of setting third party cookies is to improve our offer for you by analyzing your user behavior. As a rule, only a pseudonymized data transfer to the third parties takes place.

Storage duration: 790 days

Objection / opportunity for elimination: You have the possibility to deactivate Matomo in your Cookiebot settings.

10.2 Data protection regulations on the application and use of YouTube

On this website we have integrated components from YouTube. YouTube is an Internet video portal that enables video publishers to post video clips free of charge and other users to view, rate and comment on these, also free of charge. YouTube permits the publication of all types of video, so that not only complete films and television programmes but also music videos, trailers and amateur videos prepared by users can be accessed via the Internet portal.

Operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, U.S.A.

Each time one of the individual pages of this website is accessed which is operated by the controller for the processing and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the IT system of the data subject is caused by the particular YouTube component to download a representation of the relevant YouTube component from YouTube. Further information on YouTube can be found at https://www.youtube.com/yt/about/de/. Within the framework of this technical process, YouTube and Google learn which specific sub-page of our website has been visited by the data subject.

Existing account

If the data subject is logged in at YouTube at the same time, YouTube recognizes, when a sub-page containing a YouTube video is accessed, which specific sub-page of our website the data subject has visited. This information is collected by YouTube and Google and assigned to the particular YouTube account of the data subject.

YouTube and Google will always receive via the YouTube components information that the data subject has visited our website if the data subject is logged in at our website and at the same time at YouTube; this takes place regardless of whether or not the data subject has clicked on a YouTube video. If the data subject does not want this information to be transmitted to YouTube and Google in this way, he/she can prevent the transmission by logging out of his/her YouTube account before accessing our website.

The data protection regulations published by YouTube, which can be accessed at https://policies.google.com/privacy?hl=en&gl=en, provide information on the collecting, processing and using of personal data by Google and YouTube.

10.3 Data protection regulations for the use and application of OpenStreetMap

A map with the location of our company is integrated on our website. This map uses data from OpenStreetMap, a free project with the purpose of collecting freely usable geodata and keeping it in a database for use by everyone (Open Data). In order for the map to be displayed to you, information about the use of this website, including your IP address, is forwarded to OpenStreetMap. These services are operated by the OpenStreetMap Foundation (OSMF), 132 Maney Hill Road, Sutton Coldfield, West Midlands, B72 1JU, United Kingdom, for the OSM community. In order for you to view the map, information about the use of the OSM services is forwarded to OpenStreetMap. A so-called session cookie is also stored on the visitor's computer. The data is stored exclusively on a German server. You can find more information on the OpenStreetMap privacy page.

Legal foundation: Article 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest arises from improving and optimizing our offering and providing a function that makes it easier to locate places and our business.

Storage purpose: The purpose of the storage is the improvement of our offer, the visual and functional optimization of the website as well as the provision of a function which facilitates the location of places and our business.

Storage duration: The data will be deleted as soon as our legitimate interest no longer exists or we are obliged by law or legal orders to delete the data.

Objection / opportunity for elimination: Right of objection in accordance with clause 11.7

10.4 Data protection regulations for the use and application of Google reCAPTCHA

On this website we also use the reCAPTCHA function of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). This function is mainly used to distinguish whether an entry is made by a natural person or abusively by automated processing. The service includes sending the IP address and any other data required by Google for the reCAPTCHA service to Google and is carried out in accordance with Art. 6 Para. 1 letter f GDPR on the basis of our legitimate interest in determining whether actions on the Internet are based on an individual's own will and in avoiding misuse and spam.

Google also processes your personal data in the USA and has submitted to the standard contractual clauses of the EU Commission, thus ensuring compliance with the level of data protection applicable in the EU.

Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://policies.google.com/privacy?hl=en&gl=en

Data: Data from the use of Google reCAPTCHA according to clause 16.3

Legal foundation: Article 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest arises from determining whether actions on the Internet are based on an individual's own will and from the avoidance of abuse and spam.

Storage purpose: The purpose of the storage is to determine whether actions on the Internet are based on an individual's own will and to avoid misuse and spam.

Storage duration: The data will be deleted as soon as our legitimate interest no longer exists or we are obliged by law or legal orders to delete the data.

Objection / opportunity for elimination: Right of objection in accordance with clause 11.7

10.5 LinkedIn-Fanpage

We use a fanpage on the platform of the provider LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. We use this fanpage to:

  • present our company and our services
  • get and stay in contact with the community and followers
  • inform the community and followers about current developments and events in the areas of data protection, information security, cybersecurity, IT forensics and legal tech
  • handle questions and requests from customers and interested parties

During a visit to our site, LinkedIn, as the controller, collects personal data of the user, for example through the use of cookies. Such data collection by LinkedIn may also take place for visitors to this fanpage who are not logged in or registered with LinkedIn. Information about LinkedIn's data collection and further processing can be found in LinkedIn's privacy policy at https://www.linkedin.com/legal/privacy-policy?_l=de_DE.

NOTOS Xperts GmbH cannot trace what user data LinkedIn collects. NOTOS Xperts GmbH also has no full access to the data collected or your profile data. NOTOS Xperts GmbH can only view the public information in your profile. You can decide in your LinkedIn settings which information this includes.

If our fanpage provides a chat function, NOTOS Xperts GmbH will use your data when using the chat function to answer your request. The service and customer support information collected in this way is used to contact you in order to provide you with the information and offers you require.

NOTOS Xperts GmbH receives anonymous statistics on the use and utilization of the page from LinkedIn due to legitimate interests. The following information is provided:

  • Follower: Number of persons following NOTOS Xperts GmbH - including growth and development over a defined time frame.
  • Reach: Number of people who see a specific contribution. Number of interactions on a contribution. From this, it can be deduced, for example, which content is better received by the community than others.
  • Ad performance: How many people were reached by a post or paid ad and have interacted with it?

We use these statistics, from which we cannot draw any conclusions about individual users, to constantly improve our online offering on LinkedIn and to better respond to the interests of our community. We cannot link the statistical data with the profile data of our followers. You can decide in your LinkedIn settings in which form targeted advertising is displayed to you.

NOTOS Xperts GmbH receives personal data via LinkedIn if you actively communicate this data to us via a personal message on LinkedIn. We use your data (e.g. first name, surname, company and position) to respond to your request. Your data will be stored for this purpose.

Further information on the data processing of personal data by NOTOS Xperts GmbH and on your rights can be found in this data protection policy.

11. Your rights

If your personal data is processed, then you are the data subject in the sense of the GDPR and you are entitled to the following rights against the controller:

11.1 Right of access by the data subject

You can demand from the controller confirmation as to whether personal data that relates to you has been processed by us.

If such processing has taken place, you can demand information on the following from the controller:

  • The purposes for which the personal data is processed;
  • The categories of personal data which are processed;
  • The recipients or, as the case may be, the categories of recipients to which the personal data relating to you has been disclosed or will be disclosed;
  • The planned duration of the storage of the personal data relating to you or - if concrete statements on this are not possible - the criteria for determining the duration of storage;
  • The existence of a right to correction or deletion of the personal data relating to yourself, of a right to a restriction of the processing by the controller or of a right of objection to this processing;
  • The existence of a right of appeal at a supervisory authority;
  • All the available information on the origin of the data if the personal data was not collected from the data subject;
  • The existence of an automated decision-making process including profiling in accordance with Article 22 Para. 1 and 4 GDPR and - at least in these cases - meaningful information on the logic involved and on the scope and intended effects of such processing for the data subject in question.

You have the right to demand information on whether the personal data relating to yourself is transmitted to a third country or an international organization. In this connection you can demand to be informed of the suitable guarantees in accordance with Article 46 GDPR in connection with the transmission.

11.2 Right to rectification

You have a right to correction and/or completion vis à vis the controller in so far as the personal data processed which relates to yourself is incorrect or incomplete. The controller has to carry out the correction without delay.

11.3 Right to restriction of the processing

Subject to the meeting of the following preconditions you can demand restriction of the processing of the personal data relating to you:

  • if you dispute the correctness of the personal data relating to yourself for a period which makes it possible for the controller to check the correctness of the personal data;
  • the processing is unlawful and you reject deletion of the personal data and instead demand restriction of the use of the personal data;
  • the controller no longer needs the personal data for purposes of the processing but you need the data for the asserting, exercising or defending of legal claims, or
  • if you have objected to the processing in accordance with Article 21 Para. 1 GDPR but it has not yet been established whether the justified reasons of the controller outweigh your reasons.

If the processing of the personal data relating to yourself has been restricted, then this data - apart from the storing of this - may only be processed with your consent or for the assertion, exercising or defending of legal claims or for the protection of the rights of another natural person or legal entity or for reasons relating to an important public interest of the European Union or of a member state.

If the processing has been restricted in accordance with the afore-mentioned preconditions, then you will be informed by the controller before the restriction is removed.

11.4 Right to erasure

11.4.1 Deletion obligation

You can demand from the controller that the personal data relating to yourself is deleted without delay and the controller is then obliged to delete this data without delay in so far as one of the following reasons applies:

  • The personal data relating to yourself is no longer required for the purposes for which it was collected or for which it was processed.
  • You revoke your consent, on which processing in accordance with Article 6 Para. 1 lit. a or Article 9 Para. 2 lit. a GDPR was based, and there is no other legal foundation for the processing.
  • You submit an objection to the processing in accordance with Article 21 Para. 1 GDPR and there are no justified reasons for the processing with a higher priority, or you submit an objection to the processing in accordance with Article 21 Para. 2 GDPR.
  • The personal data relating to you was processed in an unlawful manner.
  • The deletion of the personal data relating to you is required to fulfil a legal obligation in accordance with European Union law or the law of the member states, which laws the controller is subject to.
  • The personal data relating to you was collected in relation to information society services offered in accordance with Article 8 Para. 1 GDPR.

11.4.2 Information to third parties

If the controller has made the personal data relating to you public and is obliged to delete this data in accordance with Article 17 Para. 1 GDPR, then he/she shall take reasonable measures, including technical ones, taking account of the available technology and the implementation costs, to inform the controllers which process the personal data that you as data subject have demanded that they delete all links to this personal data and all copies or replications of it.

11.4.3 Exceptions

The right to deletion does not exist in so far as the processing is necessary

  • for the exercising of the right of free expression of opinion and to information;
  • for the fulfilment of a legal obligation, which requires the processing in accordance with the law of the European Union or the law of the member states, which laws the controller is subject to, or for the carrying out of a task, which lies in the public interest or which is carried out in the exercising of public authority, which authority was transferred to the controller;
  • for reasons of public interest in the field of public health in accordance with Article 9 Para. 2 lit. h and i as well as Article 9 Para. 3 GDPR;
  • for archiving purposes, scientific or historical research purposes lying in the public interest or for statistical purposes in accordance with Article 89 Para. 1 GDPR, in so far as the right named in section a) probably makes the achievement of the objectives of the processing impossible or seriously impairs it, or
  • for the asserting, exercising or defending of legal claims.

Moreover, the right to deletion does not exist in so far as the personal data has to be stored by the controller in order to fulfill legal duties to preserve records and legal retention periods. In such a case instead of deletion blockage of the personal data applies.

11.5 Right to information

If you have asserted the right to the correcting, deleting or restricting of the processing vis à vis the controller, then the latter is obliged to inform all recipients, to which the personal data relating to you was disclosed, of this correction or deletion of the data or of the restricting of the processing, unless this proves to be impossible or involves unreasonable expenditure.

You are entitled to the right vis à vis the controller to be informed about these recipients.

11.6 Right to data portability

You have the right to receive the personal data relating to you, which you made available to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the controller to whom the personal data was made available, in so far as

  • the processing is based on a consent in accordance with Article 6 Para. 1 lit. a GDPR or Article 9 Para. 2 lit. a GDPR or on a contract in accordance with Article 6 Para. 1 lit. b GDPR and
  • the processing is carried out with the aid of automated processes.

In exercising this right, you also have the right to have the personal data relating to you transferred directly from one controller to another controller in so far as this is technically possible. The freedoms and rights of other persons may not be impaired thereby.

The right to data portability does not apply to the processing of personal data which is necessary for the carrying out of a task which lies in the public interest or in the exercising of public authority and which task was transferred to the controller.

11.7 Right to object

For reasons which result from your particular situation you have the right to object at any time to the processing of the personal data relating to you, which processing is carried out on the basis of Article 6 Para. 1 lit. e or f GDPR; this right also applies to profiling based on these provisions.

The controller shall then no longer process the personal data relating to you, unless he/she can demonstrate compelling reasons worthy of protection, which reasons outweigh your interests, rights and freedoms or where the processing serves the asserting, exercising or defending of legal claims.

If the personal data relating to you is processed for the carrying out of direct advertising, then you have the right to object at any time to the processing of the personal data relating to you for purposes of such advertising; this also applies to profiling in so far as this is carried out in connection with such direct advertising.

If you object to the processing for purposes of direct advertising, then the personal data relating to you will no longer be processed for these purposes.

You have the opportunity - in connection with the use of information society services and regardless of Directive 2002/58/EC - to exercise your right of objection with the aid of automated processes in which technical specifications are used.

11.8 Right to withdraw from the declaration of consent under data protection law

You have the right to withdraw your consent at any time and without giving reasons. In the event of withdrawal we will immediately delete your personal data and no longer process it. The legality of the processing carried out on the basis of your given consent and carried out prior to your withdrawal is not affected by your withdrawal.

11.9 Automated decision-making in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces a legal effect vis à vis yourself or which impairs you significantly in a similar way. This does not apply if the decision

  • is necessary for the concluding or fulfilment of a contract between you and the controller,
  • is permissible on the basis of legal regulations of the European Union or of its member states, which the controller is subject to, and these regulations contain reasonable measures for the maintenance of your rights and freedoms as well as for your legitimate interests or
  • is carried out with your explicit consent.

However, these decisions may not be based on particular categories of personal data in accordance with Article 9 Para. 1 GDPR, unless Article 9 Para. 2 lit. a or g applies and reasonable measures have been taken for the protection of the rights and freedoms as well as of your legitimate interests.

In the cases named in the first and third bullet points above, the controller shall take reasonable measures to safeguard your rights and freedoms as well as your legitimate interests; these include at least the right to obtain the intervention of a person on the side of the controller for the representation of the controller’s standpoint and the right to challenge the decision.

11.10 Right to complain at a supervisory authority

Regardless of another regulatory or judicial remedy, you are entitled to the right to lodge a complaint at a supervisory authority and here in particular at a supervisory authority in the member state of your place of residence, of your place of work or of the place where the suspected infringement took place when you are of the opinion that the processing of the personal data relating to you infringes the GDPR.

In this situation the supervisory authority, at which the complaint was lodged, shall inform the complainant on the status and the results of the complaint including the possibility of a judicial remedy in accordance with Article 78 GDPR.

Status: 18. January 2020

Controller: NOTOS Xperts GmbH

Client, Customer and Supplier information, simultaneously information on data processing in accordance with Article 12 f. and 21 GDPR

Dear Client, Customer, Supplier (m/f/d),

due to the legal provisions of the General Data Protection Regulation (GDPR), we are obliged to provide you with comprehensive information (Article 13 GDPR) on the processing of your personal data, which we are pleased to do. Data protection and the handling of your personal data are very important to us, so we always pay attention to the proper processing of your personal data. If you have any questions about the processing of your data, both we and our data protection officer are available to answer them. Furthermore, the data protection officer is not subject to any instructions, is independent in his position and legally obliged to maintain secrecy and confidentiality (Article 38 GDPR, Section 38 BDSG), so that you can turn to him in confidence. With regard to the processing of your personal data, we inform you of the following:

1. Name of the controller

The controller of your personal data is NOTOS Xperts GmbH.

2. Executive director

2.1 Power of representation

Jens Engelhardt, Managing Director
Erdem Durmus LL.M., CIPP/E, authorized signatory
Dr. Julia Voegeli-Wenzl, authorized signatory
Prof. Sven Kolja Braune, authorized signatory
Eckart Haag, LL.M., authorized signatory
Daniel Hövel, LL.M., authorized signatory

2.2 Data protection officer

In our opinion, there is currently no legal requirement to appoint a data protection officer.

3. Address of the controller

Notos Xperts GmbH
Heidelberger Straße 6
D-64283 Darmstadt

4. Purpose of data processing

Notos Xperts GmbH is specialized in the provision of IP and IT services. In addition to IT security and IT forensics, as well as legal tech and legal support services, its core competence lies above all in data protection and the associated areas of responsibility such as the position of external data protection officer and data protection compliance.

Your personal data will be processed for the purpose of establishing, implementing and terminating a contractual relationship with you.

5. Data categories

In this context, we process the following personal data or categories of data from you and the persons contractually associated with you, in particular:

  • Company and business information
  • Name and Surname of contact persons
  • Address data
  • Bank details (if applicable)
  • Content data
  • Usage data
  • Data from employees and other data subjects

6. Legal foundation for the purpose of data processing

The legal foundations for the processing of personal data are:

  • Contract in accordance with Article 6 Para. 1 lit. b) GDPR
  • Consent in accordance with Article 6 Para. 1 lit. a), 7 GDPR
  • Fulfilment of a legal obligation in accordance with Article 6 Para. 1 lit. c) GDPR
  • Our legitimate interests, provided that your legitimate interest in the exclusion of the processing does not outweigh them; this can be in particular the case if you have objected to a processing for certain.

7. Recipient or category of recipients

In order to fulfil our contractual and legal obligations, your data will be forwarded to the following recipients or categories of recipients:

  • Offices
  • Adversary
  • Parties
  • Tax Offices
  • Bank institutions
  • Insurance companies
  • External service providers
    • Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, but with locations exclusively in the EU (Ireland, Austria and/or Finland) for email hosting and hosting attorney software;
    • Legalsense B.V., Oorsprongpark 1 (3581 ES) in Utrecht, Netherlands for hosting billing software;
    • Tax consultant: MuP STEUERBERATUNGSGESELLSCHAFT DARMSTADT GMBH, Herdweg 72, 64285 Darmstadt for financial and payroll accounting;
    • Byon GmbH, Solmsstraße 71, 60486 Frankfurt am Main for telecommunications;
    • REISSWOLF Akten- und Datenvernichtung GmbH, Schmickstrasse 33, 60314 Frankfurt am Main for document destruction;
    • Logistics company;
    • Controlling/Revision.

8. Transfer to a third country

In principle, your data will not be transferred to a third country within the meaning of the GDPR without your knowledge. However, if we manage or coordinate an international data protection mandate for you, e.g. within the framework of an international group, your name and, if applicable, contact data as well as data protection content data (factual data) will be transmitted to the foreign counterpart in accordance with the regulations.

9. Duration of the storage, deletion of personal data

In order to fulfil our contractual and legal obligations, we store the data for the following periods, unless there is a legitimate interest within the meaning of Article 6 Para. I lit. f) GDPR, which would justify longer storage:

  • Contracts: 10 years, according to Sec. 147 Para. I Nr. 4,5 in connection with Para. III AO; Sec. 257 Para. I Nr. 1, 4 in connection with Sec. 238 Para. I HGB
  • Documents for invoices: 10 years, Sec. 147 Para. I Nr. 4,5 in connection with Para. III AO; Sec. 257 Para. I Nr. 1, 4 in connection with Sec. 238 Para. I HGB
  • Judgments and enforceable titles in the original: usually issued to client, otherwise 30 years

10. Existence of a right to access, rectification, etc.

You have the following rights towards us with regard to personal data concerning you:

  • Right to access;
  • Right to rectification or to obtain the erasure;
  • Right to restriction of processing;
  • Right to data portability;
  • Right to lodge a complaint with a data protection supervisory authority about our processing of your personal data if you do not agree to the handling of your data;
  • Right to withdraw: You have the right to withdraw your data protection declaration of consent at any time. The withdrawal of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation;
  • Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Article 6 Para. (1) lit. (e) or (f) of the GDPR; this also applies to profiling based on these provisions:
    • The data controller no longer processes the personal data concerning you, unless he can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims;
    • If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing;
    • If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes;
    • You have the possibility to exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

Status: 01. January 2020