Articles 13, 14 EU-General Data Protection Regulation (GDPR)
Data protection is very important to us.
Since 25 May 2018, new EU-wide Data protection laws apply (i.e. EU-General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and other relevant data protection regulations), which are also binding for our firm. We would like to inform you how we process your data and what rights you have.
1. Who is responsible for the data processing and who can you contact?
Tractebel Engineering GmbH
Friedberger Strasse 173
61118 Bad Vilbel Germany
Tel.: +49 6101 55-0
Fax: +49 6101 55-1692
E-Mail: info-de@tractebel.engie.com
Internet: www.tractebel-engie.com
2. Contact details of the data protection officer
You can contact our data protection officer using the following e-mail address: datenschutz-de@tractebel.engie.com
3. Purposes of processing and legal basis
Your personal data are processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and other relevant data protection regulations.
The processing and use of the individual data depend on the agreed or requested service. Our contractual documents, forms, declarations of consent and other information provided to you (e.g. on the website, in our terms and conditions of business) contain further details and additional information on the purposes of processing.
3.1 Consent (Article 6(1)(a) GDPR)
If you have given us your consent to the processing of personal data, such consent constitutes the legal basis for the processing stated therein. You may withdraw your consent at any time with effect for the future.
3.2 Fulfilment of contractual obligations (Article 6(1)(b) GDPR)
Provided that the business relationship exists directly with you, we process your personal data in order to execute our contracts with you, in particular in the context of our order processing and the use of our services. Your personal data are also processed in order to take steps and carry out activities prior to entering into a contract with you.
3.3 Fulfilment of legal obligations (Article 6(1)(c) GDPR)
We process your personal data if this is necessary to fulfil legal obligations (e.g. pursuant to trade and tax laws). Furthermore, we process your data in order to fulfil control and reporting obligations under tax law as well as archive your data for the purposes of data protection and data security as well as examination by tax and other authorities. In addition, the disclosure of personal data may become necessary within the framework of official/judicial measures for the purposes of taking evidence, prosecution or the enforcement of civil law claims.
3.4 Legitimate interests pursued by us or third parties (Article 6(1)(f) GDPR)
We may also use your personal data based on a weighing of interests in order to protect the legitimate interests pursued by us or third parties. This is done for the following purposes:
- if necessary, to carry out our business relationship with your employer, if the business relationship exists with the latter.
- for advertising in accordance with applicable law, if you have not objected to the use of your data.
- for obtaining information and exchanging data with credit agencies, insofar as this is necessary to assess what financial risks entering into a business relationship with you poses for us.
- for setting up a service (commissioning, programming, for wind measurements, etc.) by third parties.
- for the limited storage of your data, if deletion is not possible or is only possible with disproportionate effort and expense due to the special type of storage.
- for the further development of the services we offer as well as existing systems and processes.
- for the disclosure of personal data in the context of a due diligence, e.g. where a company is sold, or for our own due diligence procedures with data from public sources.
- for the enhancement of our data through the use or searching of publicly accessible data.
- for statistical evaluations or market analyses.
- for benchmarking.
- for the assertion of legal claims and defences in legal disputes which are not directly attributable to the contractual relationship.
- for internal and external investigations and/or security reviews.
- for certification or notarization of official matters or matters under private law (if explicitly required by a client or authority).
- for securing and safeguarding our domiciliary rights through appropriate measures (e.g. video surveillance, entrance and access controls.)
4. Categories of personal data processed by us
The following data are processed:
- Identification data (name, nationality, occupation/sector and comparable data)
- Contact details (address, e-mail address, telephone number and comparable data)
- Confirmation of payment/cover for bank and credit cards
- Information about your financial situation (creditworthiness, i.e. data to assess the financial risk)
- Supplier history (only from suppliers)
As a rule, we collect this data directly from you. However, we also process personal data from public sources (e.g. the internet, media, press, trade and association registers, residents registers, debtor registers, land registers).
If necessary for the provision of our services, we process personal data that we have legally received from third parties (e.g. publishers of address databases, credit agencies, or to be able to perform services for a project of a partner or client for this project).
5. Who receives your data?
We pass on your personal data within our company to those departments that require such data to fulfil contractual and legal obligations or to safeguard our legitimate interests.
In addition, your data may be transferred to:
- processors used by us (Article 28 GDPR) especially in the area of (IT services, logistics and printing services, external computer centres, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering and anti-terrorism purposes, data validation and plausibility checking, data destruction, purchasing/procurement, customer management, lettershops, marketing, media technology, research, risk controlling, accounting, telephony, website management, auditing services, credit institutions, courier services);
- public authorities and institutions where there is a legal or official obligation according to which we are obliged to provide information, report or transfer data or the transfer of data at the request of the authorities is in our legitimate interest;
- bodies and institutions on the basis of our legitimate interest or the legitimate interest of the recipient e.g. to obtain the respective specialized services of the recipient or, if applicable, judicial assistance (e.g. to authorities, credit agencies, debt collection agencies, lawyers, courts, experts, group companies and committees and supervisory bodies);
- other bodies for which you have given us your consent to the transfer of data.
Moreover, the nature of our business operations as an engineering firm makes it necessary for us to send CVs of the engineers offered, as well as of other experts in special cases, although not of suppliers, to potential customers and partners all over the world, since this is necessary for participating in international invitations to tender. These CVs only contain the last name, first name and date of birth, as well as data on training and work experience.
The legal basis for sending these biographies is Article 6(1b) GDPRand, insofar as the customers process this data in countries outside of the EU and the European Economic Area, in conjunction with Article 49(1b) GDPR.
6. Transfer of your data to a third country or an international organisation
Data is processed outside of the EU and/or the EEA in the course of the necessary business operations of Tractebel Engineering GmbH in non-EU countries for the purpose of participating in invitations to tender as described above or in order to fulfil a project contract.
No personal data of suppliers are processed outside of the EU or the EEA, nor are there any plans to do so.
7. How long do we store your data?
Where necessary, we will process your personal data for the duration of our business relationship with you or your employer.
Beyond that, we are subject to various retention and documentation obligations which derive from the German Commercial Code and the German Fiscal Code. The time periods for retention and documentation which are stipulated therein are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.
Ultimately, the duration of the storage is also assessed based on the statutory limitation periods which, for example, are usually three years pursuant to section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), but in certain cases can also be up to thirty years.
Otherwise, we will delete your personal data as soon as it is no longer necessary for the aforementioned purposes of processing.
8. Is there automated individual decision-making (including profiling)?
We do not implement a purely automated decision-making procedure pursuant to Article 22 GDPR. If we should implement this procedure in individual cases, we will inform you thereof separately where this is required by law.
9. Your data protection rights
You have the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, as well as the right to data portability under Article 20 GDPR. Additionally, there is a right to lodge a complaint with a supervisory authority (Article 77 GDPR). Generally, subject to the prerequisites set out in Article 21 GDPR, you have the right to object to our processing of personal data. However, this right to object applies only if there are grounds for this relating to your particular personal situation; if our company has compelling legitimate grounds for the processing, these may override your right to object. If you would like to assert one of these rights, please contact our data protection officer (datenschutz-de@tractebel.engie.com).
10. Scope of your obligations to provide us with your data
You only need to provide data which are necessary for entering into and carrying out a business relationship or for a precontractual relationship with us or which we are obliged by law to collect. As a rule, without such data we will not be in a position to conclude or perform the contract. This can also pertain to data which become necessary in the course of the business relationship. If we request additional data from you, you will be informed separately of the fact that the provision of such data is on a voluntary basis.
11. Information on your right to object pursuant to Article 21 GDPR
You have the right to lodge an objection at any time to the processing of your data which is carried out on the basis of Article 6(1)(f) GDPR (data processing on the basis of a weighing of interests), if there are grounds for doing so relating to your particular situation. This also applies to profiling based on this provision within the meaning of Article 4, no. 4 GDPR.
If you do lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
The objection can be sent in any form to the address given in point 1.
12. Your right to lodge a complaint with the competent supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority (Article 77 GDPR). The competent supervisory authority is:
The Hesse Commissioner for Data Protection and Freedom of Information (Hessischer Beauftragter für Datenschutz und Informationsfreiheit)
Hessischer Beauftragter für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Telephone: 0611-1408 0
Telefax: 0611-1408 611
https://datenschutz.hessen.de.
