Data protection notices pursuant to Article 13/14 GDPR

Dear Sir or Madam,

The purpose of these data protection notices is to inform you about the processing of your personal data by Sternico GmbH and your rights as a data subject pursuant to the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) that have been in place since 25 May 2018.
Controller responsible for the processing of your personal data

Sternico GmbH
Dreimännerstraße 5
38176 Wendeburg

Telephone: 05303 9794 0
Fax: 05303 9794 220

Email: mail@sternico.com

Data protection officer

You can contact our data protection officer by email at:

datenschutz@sternico.com

Information for business partners (customers, suppliers, service providers etc.)
Data source

Generally you provide us with your personal data as part of your order and/or within the framework of our business relationship. This means that we collect your personal data directly from you.

Where applicable, however, we also process other personal data which has not been collected by us. In such cases, the data source may be public sources. These include:

  • the results of internet research
  • commercial and association registers

Furthermore, in certain cases, we may receive your personal data from third parties, which do not constitute public sources. These include:

Authorities:

Occasionally, authorities pass on your personal data to us in order to enable us to carry out your orders and provide the associated service.

Our business partners:

Occasionally, companies affiliated with us within the framework of a business relationship pass on your personal data to us in order to enable us to process your enquiries and provide the associated service.

Purposes and legal basis of data processing

We exclusively process your personal data in accordance with the legal requirements set out in the GDPR, the BDSG and any relevant field-specific laws. Therefore, we process your personal data insofar as there is a contractual basis for this, in order to protect our legitimate interests, insofar as you have provided us with your consent to data processing or a law allows the processing of your data and/or obliges us to process your data.

1. Data processing for the purposes of contract performance or the implementation of pre-contractual measures

We process your personal data insofar as this is necessary for the implementation of pre-contractual measures, for contract conclusion, contract performance and the termination of the contractual relationship. In addition to the data concerning the services you have commissioned and/or goods you have ordered, this includes your first name, your surname, your customer number, your business address, your business bank details, your role in the company and your details on the supplier datasheet. In order to ensure and maintain the seamless operation of our business relationship and access to our systems, we will continue to process your personal access data and your email correspondence with us.

In order to facilitate proper contract processing and be able to contact you, for example, as quickly as possible in the event of any queries or issues, we also process your address, your telephone and/or mobile number and your email address insofar as you have provided this information for this purpose.

The legal basis for data processing for contract performance and the implementation of pre-contractual measures is generally Article 6 (1) lit. b GDPR.

2. Data processing for the purpose of protecting the legitimate interests of the controller or a third party

Furthermore, we process your data insofar as this is necessary in order to protect our legitimate interests or the legitimate interests of a third party. The processing we carry out on the basis of a legitimate interest regularly includes the investigation of crimes and defence of legal claims, measures for ensuring proper operation of our IT infrastructure and the transmission of your personal data to credit agencies to check your creditworthiness.

The legal basis for data processing for protecting the legitimate interests of the controller or a third party is Article 6 (1) lit. f GDPR.

3. Data processing for compliance with a legal obligation

We process your data insofar as this is necessary for compliance with a legal obligation to which we are subject. In this regard, the legal obligations to which we are subject include, in particular, retention obligations under tax law and commercial law and the obligations set out in the regulations on combating terrorism (EC) 2580/2001 and No. 881/2002.

The legal basis for processing for compliance with a legal obligation is Article 6 (1) lit. c GDPR in connection with the respective applicable legal standard.

4. Data processing on the basis of consent and for other purposes

We may process your personal data insofar as you have provided us with your express consent to do so (see Article 6 (1) lit. a GDPR). In this case, we provide you with additional information on data protection separately within the framework of the consent process. You may withdraw consent you have provided at any time by using the above contact data.

If you have provided us with your consent to receive our newsletter, your personal data shall only be processed for the purpose of sending the newsletter on the basis of this consent.

Insofar as we process your personal data in the future for other purposes not set out within the framework of these data protection notices, we shall inform you of this separately in accordance with the statutory provisions.

Categories of recipients of personal data

1. External service providers and affiliated companies

Our external service providers and our affiliated companies which carry out data processing on our behalf, insofar as legally required, are contractually obliged within the meaning of Article 28 GDPR to handle the personal data in accordance with the valid provisions. Insofar as these companies come into contact with your personal data, we have ensured that they comply with the provisions of data protection laws by means of legal, technical and organisational measures, as well as regular monitoring.

2. Third parties

We may provide your personal data to the authorities if this is necessary within the framework of our statutory notification obligations. Furthermore, your personal data will be passed on to our tax consultants and auditors, as well as banks for the authentication of account authorisations and within the framework of the Money Laundering Act (GwG), insofar as this data transmission is necessary for the commissioned activity.

3. Data transmission to a third country

In principle, we do not transmit your personal data to a third country or an international organisation outside the European Economic Area (EEA). Should such transmission take place in individual cases, this only takes place to third countries for which suitability arrangements of the European Commission are provided or the appropriate level of data protection has been ensured by means of suitable or appropriate guarantees (e.g. binding corporate rules or EU standard contractual clauses).

Duration of data processing

We only store your personal data for the period for which the data is necessary within the framework of the abovementioned purposes and for the period in which we may potentially expect the assertion of legal claims against us. The statutory limitation period for such claims may be between three and thirty years in individual cases.

Furthermore, we store your personal data insofar as we are obliged to do so within the framework of the statutory proof and retention obligations (e.g. according to the Commercial Code, Revenue Code or Money Laundering Act). The statutory retention periods may be up to ten years. Further, in exceptional cases there may be particular proof obligations which make the retention of your personal data necessary over a longer period of time.

Information for applicants
Data source

Generally you provide us with your personal data as part of your application. This means that we collect your personal data directly from you.

Where applicable, however, we also process other personal data which has not been collected by us. In certain cases, we may receive your personal data from third parties, which do not constitute public sources. These include:

  • HR service providers:

We sometimes use HR service providers to find suitable personnel to fill vacancies. As part of this process, your application documents are forwarded to us to continue the application process.

  • Professional social networks

We use professional social networks, such as XING or LinkedIn, to find suitable personnel to fill vacancies and potentially to contact these individuals.

  • Employment Agency

We may receive your application and thus your personal data from the Employment Agency in order to fill vacancies at our company advertised there.

  • Universities/higher education institutions

We may receive your application documents and thus your personal data from your university/higher education institution in order to fill a vacancy at our company.

Purposes and legal basis of data processing

We exclusively process your personal data in accordance with the legal requirements set out in the GDPR, the BDSG and any relevant field-specific laws. Therefore, we process your data for the purpose of carrying out the application process or if you provide us with your consent to process the data.

1. Data processing for the purpose of carrying out the application process

We process your personal data insofar as this is necessary for the implementation of the application process. This includes your contact data (surname, first name, postal address, telephone number, email address), all your application documents (e.g. image, CV, certificates, references) and all data which you disclose to us in the course of the application process. The legal basis for data processing for the purpose of establishing an employment relationship is generally Article 6 (1) lit. b GDPR, Article 88 GDPR in connection with Section 26 BDSG.

2. Data processing for compliance with a legal obligation

We process your data insofar as this is necessary for compliance with a legal obligation to which we are subject. In this regard, the obligations to which we are subject include, in particular, the fulfilment of our obligations arising from the regulations on combating terrorism (EC) 2580/2001 and No. 881/2002. For the purpose of compliance with this legal obligation to which we are subject we will compare your data with the so-called “EU terror lists”.

The legal basis for processing for compliance with a legal obligation is Article 6 (1) lit. c GDPR in connection with the respective applicable legal standard.

3. Data processing on the basis of consent

We may process your personal data insofar as you have provided us with your express consent to do so (see Article 6 (1) lit. a GDPR). In this case, we provide you with additional information on data protection separately within the framework of the consent process. You may withdraw consent you have provided at any time by using the above contact data.

Insofar as we process your personal data in the future for other purposes not set out within the framework of these data protection notices, we shall inform you of this separately in accordance with the statutory provisions.

Categories of recipients of personal data

1. External service providers and affiliated companies

Our external service providers and our affiliated companies which carry out data processing on our behalf, insofar as legally required, are contractually obliged within the meaning of Article 28 GDPR to handle the personal data in accordance with the valid provisions. Insofar as these companies come into contact with your personal data, we have ensured that they comply with the provisions of data protection laws by means of legal, technical and organisational measures, as well as regular monitoring.

2. Third parties

We may provide your personal data to the authorities if this is necessary within the framework of our statutory notification obligations. Furthermore, we may provide your personal data in the form of your application to our customers in the event your involvement is required within the framework of the implementation of a project with our customers.

3. Data transmission to a third country

In principle, we do not transmit your personal data to a third country or an international organisation outside the European Economic Area (EEA). Should such transmission take place in individual cases, this only takes place to third countries for which suitability arrangements of the European Commission are provided or the appropriate level of data protection has been ensured by means of suitable or appropriate guarantees (e.g. binding corporate rules or EU standard contractual clauses).

Duration of data processing

We only store your personal data for the duration of the application process and for the period in which we may potentially expect the assertion of legal claims against us. Within the framework of the application process, the statutory limitation period for such claims is 6 months after the end of the application process.

Should you have provided us with your consent to the processing of your data, we will continue to process your data until you withdraw your consent.

Should an employment relationship arise from your application, the retention periods for employee data apply accordingly.

Information for employees
Data source

Generally we collect your personal data directly from you via our personnel questionnaire and/or via your application documents at the point in time your employment relationship starts.

Furthermore, in certain cases, we may receive your personal data from third parties, which do not constitute public sources. These include:

  • Insurance (e.g. pension insurance)

Where applicable, we receive personal data concerning you from your insurance providers, in particular pension insurance, in order to provide the necessary services within the framework of the employment relationship.

  • Health insurance providers

Where applicable, we receive personal data concerning you from your health insurance provider in order to provide the necessary services within the framework of the employment relationship.

Purposes and legal basis of data processing

We exclusively process your personal data in accordance with the legal requirements set out in the GDPR, the BDSG and any relevant field-specific laws. Therefore, we process your personal data insofar as there is an employment relationship, we have a legitimate interest in the processing of your data, you have provided us with your consent to data processing or a law allows the processing of your data and/or obliges us to process your data.

1. Data processing for the purpose of the employment relationship

We process your personal data insofar as this is necessary for the implementation of the employment relationship. This includes, for example, personal details (e.g. your first names and surnames, your address, your telephone/mobile number, your email address, your salary and account data, your social security number, personal details such as the number of children you have, data on serious disability, other data from the personnel questionnaire and/or from your application documents), details regarding employment (e.g. sickness data, meeting records, HR development information, employee evaluations), details regarding tax (e.g. your ID number, your tax bracket) and details regarding social security (e.g. your health insurance provider).

The legal basis for data processing for the purpose of the employment relationship is generally Article 6 (1) lit. b GDPR, Article 88 GDPR in connection with Section 26 BDSG.

2. Data processing for the purpose of protecting the legitimate interests of the controller or a third party

Furthermore, we process your data insofar as this is necessary in order to protect our legitimate interests or the legitimate interests of a third party. The processing we carry out on the basis of a legitimate interest regularly includes the preparation of internal statistics, the investigation of crimes and defence of legal claims and measures for ensuring proper operation of our IT infrastructure.

The legal basis for data processing for protecting the legitimate interests of the controller or a third party is Article 6 (1) lit. f GDPR.

3. Data processing for compliance with a legal obligation

We process your data insofar as this is necessary for compliance with a legal obligation to which we are subject. In this regard, the legal obligations to which we are subject include, in particular, retention obligations under tax law and commercial law, the obligations of the social security statute books and the obligations set out in the statutory regulations on occupational safety, fire protection, compliance and data protection.

The legal basis for processing for compliance with a legal obligation is Article 6 (1) lit. c GDPR in connection with the respective applicable legal standard.

4. Data processing on the basis of consent and for other purposes

We may also process your personal data insofar as you have provided us with your express consent to do so (see Article 6 (1) lit. a GDPR). In this case, we provide you with additional information on data protection separately within the framework of the consent process. You may withdraw consent you have provided at any time by using the above contact data.

Insofar as we process your personal data in the future for other purposes not set out within the framework of these data protection notices, we shall inform you of this separately in accordance with the statutory provisions where applicable.

Categories of recipients of personal data

1. External service providers and affiliated companies

Our external service providers which carry out data processing on our behalf, insofar as legally required, are contractually obliged within the meaning of Article 28 GDPR to handle the personal data in accordance with the valid provisions. Insofar as these companies come into contact with your personal data, we have ensured that they comply with the provisions of data protection laws by means of legal, technical and organisational measures, as well as regular monitoring.

2. Third parties

We may provide your personal data to the authorities if this is necessary within the framework of our statutory notification obligations. Furthermore, we may transmit your personal data to our customers in order to be able to guarantee the implementation of the relevant projects. In addition, transmission of your personal data to our tax consultants takes place for the purpose of carrying out accounting.

The following organisations may also receive personal data concerning you:

  • Various official bodies (e.g. Integration Office, Tax Office)
  • Various insurance companies and, where applicable, consultants of MLP SE
  • Health insurance providers
  • Pension insurance
  • Various companies for which you work on projects
  • Authorities for issuing A1 certificates within the EU for business trips
  • Company physician, health and safety officer, data protection officer
  • Law firms
  • Professional society

Data transmission to a third country

In principle, we do not transmit your personal data to a third country or an international organisation outside the European Economic Area (EEA). Should such transmission take place in individual cases, this only takes place to third countries for which suitability arrangements of the European Commission are provided or the appropriate level of data protection has been ensured by means of suitable or appropriate guarantees (e.g. binding corporate rules or EU standard contractual clauses).

Duration of data processing

We only store your personal data for the period for which the processing of your data is necessary for the employment relationship and for the period in which we may potentially expect the assertion of legal claims against us. The statutory limitation period for such claims may be between three and thirty years in individual cases.

Furthermore, we store your personal data insofar as we are obliged to do so within the framework of the statutory proof and retention obligations (e.g. according to the Commercial Code, Revenue Code or Money Laundering Act). The statutory retention periods may be up to ten years. Further, in exceptional cases there may be particular proof obligations which make the retention of your personal data necessary over a longer period of time.

Rights of the data subjects

As the data subject, you have the following rights with respect to us in accordance with Article 15 et seq. GDPR. For this purpose, please send an email to datenschutz@sternico.com. Alternatively, please send us your request by post to the above address.

1. Right to information

You have the right to require information from us regarding whether we are processing personal data concerning you. If this is the case, you have the right to require information about this personal data from us.

2. Right to rectification

You have the right to require the rectification of incorrect personal data concerning you by us.

3. Right to erasure

In certain cases, you have the right to require us to erase personal data concerning you without undue delay.

4. Right to restriction of processing

In certain cases, you have the right to require the restriction of processing by us.

5. Right to data portability

You have the right to receive from us the personal data concerning you with which you have provided us in a structured, commonly used and machine-readable format.

6. Right to object to data processing

For reasons arising from your particular situation, you have the right to object to the processing of personal data concerning you which takes place on the basis of Article 6 (1) lit. e or f GDPR at any time. Insofar as we use your data for direct advertising, you may object to this at any time.

7. Right to withdrawal

Insofar as you have provided us with your consent to use personal data, you may withdraw this consent at any time.

8. Right to lodge a complaint with the data protection supervisory authority

Furthermore, you have the option of lodging a complaint regarding the processing of your personal data with the responsible data protection supervisory authority. The data protection supervisory authority responsible for us is:

The State Data Protection Officer in Lower Saxony
Prinzenstraße 5
30159 Hannover

Tel.: 0511 120-4500

Email: poststelle@lfd.niedersachsen.de

If you have any further questions or comments, please feel free to contact us or our data protection officer at any time.

Version: December 2020