Data protection declaration for the “WorkFlow” Module in the Customer Portal on aliaxis.de and for the “WorkFlow” App
A. Preface
We, Aliaxis Deutschland in conjunction with our subsidiaries (hereinafter jointly referred to as: "the company", "we" or "us") always take the protection of your personal data seriously and would like to inform you, at this point, about data protection in our company.
Supplementary obligations have been imposed on us, within the scope of our responsibility under data protection law, by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter referred to as: "GDPR") in order to ensure the protection of personal data of the person affected by a processing operation (we also refer to you hereinafter in this context as the data subject as "customer", "user", "you", "they" or "data subject").
Insofar as we have to decide either alone or jointly with others regarding the purposes and means of data processing, then this includes above all the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (compare with Art. 13 and Art. 14 GDPR). With this declaration (hereinafter referred to as: "data protection information"), we will inform you about the manner in which your personal data is processed by our company.
B. General Points
1. Definitions for terminology
In accordance with the model of Art. 4 GDPR, this data protection notice will be based on the following definitions:
– "Personal Data" (Art. 4 No. 1 GDPR) means any information which relates to an identified or identifiable natural person ("data subject"). A person is considered to be identifiable when they can be identified, directly or indirectly, in particular by reference to an identifier or characteristic such as a name, an identification number, an online identifier, location data or by means of information regarding their physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be provided by means of a link for such information or other additional knowledge. The origin, form or embodiment of the information is not considered to be relevant (photographs, video or audio recordings can also contain personal data).
– "Processing" (Art. 4 No. 2 GDPR) means any operation or procedure which involves the handling of personal data, whether or not by automated (i.e. technology-based) means. This comprises, in particular, the collection (i.e. acquisition), recording, organisation, storage, adaptation or alteration, retrieval, consultation, utilisation, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the alteration to a purpose or intended purpose on which a data processing was originally founded.
– "Responsible Person or Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which alone, or also jointly with others, will determine the purposes and means of the processing the personal data.
– "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the responsible person or controller, the processor and the people who, under the direct authority of the controller or processor, are authorised to process the personal data; this also includes other group-affiliated legal entities.
– "Processor" (Art. 4 No. 8 GDPR) means the natural or legal person, public authority, agency, institution or other body which processes personal data on behalf of the responsible person or controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In the sense of data protection law, a processor is in particular not considered to be a third party.
- "Consent" (Art. 4 No. 11 GDPR) of the data subject designates any freely provided, specific, informed and unambiguous indication of the wishes of the data subject in the form of a declaration, statement or other unambiguous affirmative act by which they thereby signify their agreement to the processing of personal data which relates to the data subject.
2. Amending the data protection notice
(1) Within the context of the ongoing development of data protection law as well as technological alterations or organisational amendments, our data protection notice is regularly reviewed for any requirement to adapt or supplement it. You will always be notified about any amendments.
(2) This current data protection notice is valid as of August 2021.
3. No obligation to provide personal data
We do not make the conclusion of contracts with our company dependent on you providing us with personal data in advance. In your role as a customer, you are not fundamentally placed under any legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all when you do not provide the required data. Insofar as this should exceptionally be the case within the context of the products we offer, then you will be informed of this separately.
Information regarding the processing of your data
1. Collecting personal data which concerns or affects you
(1) When you use our app, then we will collect personal data about you.
(2) Personal data is considered to be all data which relates to your person (refer to above under General Points). For example, your name, location data, IP address, device ID, SIM card number, postal address as well as email address are all personal data, your fingerprint, pictures, photographs, images, films, audio recordings, but also your user behaviour falls into this category.
2. Legal basis for data processing
(1) In principle, any processing of personal data is prohibited by law and only therefore permitted when the data processing falls under one of the following justifications:
- Art. 6 (1) S. 1 lit. a GDPR ("Consent"): Where the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that they consent to the processing of personal data which therefore relates to them for one or more specific purposes;
- Art. 6 (1) S. 1 lit. b GDPR: When the processing is required for the fulfilment of a contract to which the data subject is party to or for the performance of pre-contractual measures which have to be executed at the data subject's request;
- Art. 6 (1) S. 1 lit. c GDPR: When the processing is required for fulfilling a legal obligation to which the responsible person or controller is subjected to (e.g. a legal obligation to retain records);
- Art. 5 (1) S. 1 lit. d GDPR: When the processing is required to protect the vital interests of the data subject or another natural person;
- Art. 6 (1) S. 1 lit. e GDPR: When the processing is required for the performance of a task which has to be carried out in the public interest or executed in the exercise of official authority which is vested in the responsible person or controller or
- Art. 6 (1) S. 1 lit. f GDPR ("Legitimate Interests"): When the processing is deemed to be necessary in order to protect legitimate (in particular legal or economic) interests of the responsible person, controller or a third party, unless the conflicting interests or rights of the data subject override this (in particular when the data subject is hereby considered to be a minor).
(2) We have indicated below the applicable legal basis in each case for the processing operations or procedures implemented by our company. Processing can also be based on several legal principles.
3. Data collected during a download
(1) When downloading this app, certain personal data which is required for this purpose will be transmitted to the corresponding app store (e.g. Apple App Store or Google Play).
(2) In particular, the email address, the user name, the customer number of the downloading account, the individual device identification number, payment information as well as the time of the download will be transmitted to the App Store during the download.
(3) We do not have any influence on the collection and processing of this data, which is executed exclusively by the App Store which you have selected for this purpose. Accordingly, we cannot therefore be held responsible for this collection and processing; the responsibility for this lies solely with the App Store.
4. Data collected during use
(1) We can only permanently provide you with the benefits of our app when we collect certain personal data relating to you which is required for the operation of the app when you use it.
(2) We only collect this data when it is required for fulfilling the contract which has been concluded between you and us (Art. 6 (1) lit. b GDPR). Furthermore, we will collect this data when it is required for the functionality of the app and your interest in the protection of your personal data does not outweigh this (Art. 6 (1) lit. f GDPR).
(3) We will collect and process the following data from you:
- Device information: Access data in this case includes the IP address, device ID, type of device, device-specific settings and app settings as well as app characteristics and their properties, the date and time of the retrieval, time zone, the amount of data transferred and the message whether the data exchange was complete, any app crash, browser type and operating system. This access data will be processed in order to enable the technical operation of the app.
- Data which you make available to us: You need to create a user account in order to utilise the app. You must enter your login name as a minimum requirement for this purpose.
Moreover, an essential part of the app is the transmission of photographs for the documentation of fusion procedure. You can always determine the content of the transmitted photographs; we never have any influence on them. In principle, these photographs can also contain personal data which relates to you. We will store and process the transmitted photographs within the framework of the user agreement on your behalf/on behalf of your company on the basis of an order data processing agreement.
- Information with your consent: We will process miscellaneous information (e.g. GPS location data) when you permit us to do so.
- Contact form data: If contact forms are used, then the data which is transmitted through them will be processed (e.g. gender, surname and first name, postal address, company, email address and the time of transmission).
5. Utilising cookies
1) We use cookies when operating our app. Cookies are considered to be small text files which are stored on the device memory of your mobile end device and assigned from there to the mobile app which you are currently utilising and, through which, certain information can flow to the facility which has set the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage to it. They are only intended to make our app more user-friendly and effective overall, i.e. more pleasant for you.
(2) Cookies can contain data which make it possible to recognise the device that is being used. In some cases, however, cookies only contain information on certain settings which are not personally identifiable. Cookies cannot directly identify a user.
(3) One makes a distinction between session cookies, which are deleted again as soon as you close your browser, and permanent cookies, which are stored beyond the time of the individual session. One makes a distinction between cookies with regard to their function.
- Technical cookies: These are considered to be mandatory in order to move around within the app, to use basic functions and ensure the app's security; they do not collect information about you for marketing purposes nor do they store information about which websites you have visited;
- Performance cookies: These collect information about how you use our app, which pages you visit and, for example, whether errors occur when using the app; they do not collect any information which could identify you - all the information collected is anonymous and is only utilised in order to improve our app and find out what interests our users;
- Advertising cookies, targeting cookies: These are utilised to provide the app user with tailored advertising within the app or third party offers and to measure the effectiveness of these offers; advertising and targeting cookies will be stored for a maximum of 13 months;
- Sharing cookies: These are intended to improve the interactivity of our app with other services (e.g. social networks); Sharing cookies will be stored for a maximum of 13 months.
(4) Any utilisation of cookies, which is not absolutely technically required, constitutes data processing that is only permitted with your explicit and active consent pursuant to Art. 6 (1) S. 1 lit. a GDPR. This applies in particular to the utilisation of advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data that is processed by cookies to other third parties when you have submitted your express consent to do so in accordance with Art. 6 (1) S. 1 lit. a GDPR.
6. Cookie guideline
For additional information regarding which cookies we utilise, as well as how you can manage your cookie settings and disable certain types of tracking, please refer to our cookie guideline https://www.aliaxis.de/de/metanavigation/datenschutz .
7. Integration of Google Maps (1) Our app uses the services provided by Google Maps. We can thereby show you interactive map and localisation data directly in the app and also enable you to use the map and localisation function conveniently.
(2) Google receives information about your location when you are using this function. The data additionally mentioned in Clause 3 of this declaration will be transmitted. This occurs irrespectively of whether Google provides a user account via which you are logged in, or whether no user account exists. Your data will be directly assigned to your account when you are logged in to Google. When you wish that your data will not be associated with your Google profile, then you must always log out before using the app. Google stores your data as usage profiles and utilises it for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is particularly executed (even for users who are actually not logged in) to provide needs-based advertising and to inform other social network users about your activities on our website. You retain the right to object to the creation of these user profiles, whereby you must always contact Google in order to exercise this right.
(3) For any additional information regarding the purpose and scope of data collection, as well as its processing by the plug-in provider, please refer to the provider's privacy policy. You will also find further information about your rights in this regard and setting possibilities for protecting your privacy there: http://www.google.de/intl/de/policies/privacy.
The service provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
8. Data storage period
(1) We delete your personal data as soon as it is no longer required for the purposes for which we collected or utilised it according to the data protection laws (refer to C. 4., 5., 6.). As a general rule, we store your personal data for the duration of the usage relationship and/or contractual relationship via the app. In principle, storing your data is only executed on our servers in Europe, subject to a possible transfer in accordance with the regulations listed in F. 1., 2. and 3.
(2) Storage can, however, be executed beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings.
(3) When any third parties are engaged by our company (refer to F. 1.), then will store your data on their system for as long as it is required in connection with the provision of the service for us in accordance with the respective order.
(4) Legal provisions for the storage and deletion of personal data remain unaffected by the aforementioned points )e.g. Article 257 HGB or Article 147 AO). When the storage period which is prescribed by the legal regulations expires, then the personal data will be blocked or deleted unless it is deemed that additional, ongoing storage by us is required and a legal basis for this storage therefore exists.
9. Data security
(1) We utilise appropriate technical and organisational security measures in order to protect your data against accidental or intentional manipulation, partial or complete loss, data destruction or against unauthorised access by third parties, always taking into account the state of the art, implementation costs and the nature, scope, context and purpose of the processing, as well as considering the existing risks of a data breach (including its probability and impact) for the data subject involved. Our security measures will be continuously improved in line with technological developments.
(2) We will be pleased to provide you with more detailed information on request. Please contact our Data Protection Officer for this purpose (refer to D. 1).
10. No automated decision making (including profiling)
We do not intend to utilise any personal data collected from you for any automated decision making process (including profiling).
11. Amending the purpose
(1) Processing your personal data for purposes other than for those which are described will only be executed when a legal provision permits this processing or when you have consented to the amended purpose of the data processing.
(2) In the event of any additional processing for purposes other than those for which the data was originally collected, we will always inform you of these other purposes prior to the additional or ongoing processing and thereby provide you with all other relevant information.
Responsibility for your data and contacts
1. Responsible body and contact data
(1) The body responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is considered to be us
Aliaxis Deutschland GmbH, Steinzeugstraße 50, 68229 Mannheim, T.: +49 621 486-0; F.: +49 621 486-1279; info.de@aliaxis.com.
(2) Our Data Protection Officer is available at all times to answer any questions which you may have and to act as your contact person on the subject of data protection at our company. You can contact them at datenschutz@aliaxis.com or at our postal address with the supplementary entry for "The Data Protection Officer".
(3) Please feel free to address this point of contact, in particular when you wish to exercise the rights to which you are entitled and which are explained in Chapter G.
(4) Should you have any further questions or comments relating to the collection and processing of your personal data, please also contact the aforementioned contacts.
2. Data collection when contacting our company
(1) When you contact us by email or via a contact form, then your email address, name and all the additional personal data which you have provided in the course of contacting us will be stored by our company so that we can therefore contact you to answer your question.
(2) We will always delete this data as soon as its storage is no longer required. If there are legal retention periods in place, then the data will remain stored although we will restrict the processing.
F. Data processing by third parties
1. Order data processing
(1) It can occur that commissioned service providers are utilised for individual functions of our app. As with any other larger company, we also place orders with external domestic and foreign service providers to process our business transactions (e.g. for the areas of IT, logistics, telecommunications, sales, distribution and marketing). These service providers are only active according to our issued instructions and are always contractually obliged to comply with the provisions of data protection law within the meaning of Art. 28 GDPR.
(2) The following categories of recipients, which are generally regarded to be commissioned processors, may receive access to your personal data when applicable:
- Service providers for the operation of our app and for processing of data which is stored on and/or transmitted by the systems (e.g. for data centre services, payment processing, IT security). The legal basis for the transfer is subsequently Art. 6 (1) S. 1 lit. b or lit. f GDPR, insofar as these are not considered to be commissioned processors;
- Government agencies, bodies/local authorities, insofar as this is required for the fulfilment of a legal obligation. The legal basis for the transfer is subsequently Art. 6 (1) S. 1 lit. c from GDPR;
- People who are assigned to execute our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties which are involved in company acquisitions or the establishment of joint ventures). The legal basis for the transfer is subsequently Art. 6 (1) S. 1 lit. b or lit. f from GDPR.
(3) Furthermore, we will only pass on your personal data to other third parties when you have submitted your express consent to do so in accordance with Art. 6 (1) S. 1 lit. a GDPR.
(4) Insofar as personal data from you is transferred on by us to our subsidiaries or is transferred to us by our subsidiaries (e.g. for advertising purposes), then this will be implemented on the basis of existing order processing relationships.
2. Prerequisites for the transfer of personal data to foreign countries
(1) Within the framework of our business relationships, your personal data can be transferred or disclosed to third party companies. These companies could also be located outside the European Economic Area (EEA), i.e. in other foreign countries. Any such processing will be executed exclusively for the fulfilment of contractual and business obligations and to maintain your business relationship with our company. We will always inform you subsequently about the respective details of the transfer at the relevant time for this.
(2) The European Commission certifies data protection, which is considered comparable to the EEA standard, in some other foreign countries by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be obtained here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, in these other foreign countries to which personal data can be transferred to when applicable, there may not be a consistently high level of data protection in certain circumstances due to a lack of legal provisions. If this should be the case, then we always ensure that data protection is sufficiently guaranteed. This is always possible by utilising the binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct. Please contact our Data Protection Officer (refer to D. 1.) when you would like to receive more detailed information about this.
3. Statutory obligation to transfer certain data
We can, under certain circumstances, be subjected to a specific legal or statutory obligation to provide lawfully processed personal data to third parties, in particular to public bodies (Art. 6 (1) S. 1 lit. c GDPR).
G. Your rights
1. Right to information
(1) You retain the right vis-à-vis our company within the scope of Art. 15 GDPR to receive information about the personal data which concerns you.
(2) This right therefore requires that you submit a request, which must be sent either by email or by post to the addresses stated above (refer to D. 1.).
2. Right to object to data processing and to revoke the provided consent
(1) In accordance with Art. 21 GDPR, you retain the right to object at any time to the processing of any personal data which concerns you. Our company will refrain from processing your personal data unless we can clearly demonstrate compelling legitimate grounds for processing the data which will outweigh your interests, rights and freedoms, or when the processing serves to assert, exercise or defend legal claims.
(2) In accordance with Art. 7(3) of the GDPR, you retain the right to revoke your consent - i.e. your voluntary will, made clear in an informed and unambiguous manner by a statement or other unambiguous affirmative act, that you agree to the processing of the personal data concerned for one or more specific purposes - which had been submitted once (including before the GDPR applies, i.e. before 25.5.2018) to us at any time. This will have the consequence that we may no longer continue the data processing based on this consent in the future.
(3) In this regard, please contact the contact point which has been entered above (refer to D. 1).
3. Right to rectification and deletion
1) Insofar as personal data which concerns you is deemed to be incorrect, then you retain the right pursuant to Art. 16 GDPR to demand that we rectify this without delay. In regard to this request, please contact the contact point which has been entered above (refer to D. 1).
(2) Under the prerequisites which have been stated in Article 17 of the GDPR, you retain the right to request the deletion of personal data relating to you. In regard to this request, please contact the contact point which has been entered above (refer to D. 1). In particular, you retain the right to deletion when the data in question is deemed to be no longer necessary for the purpose of collection or processing purposes, when the data storage duration (refer to C. 7.) has elapsed, when an objection has been submitted (refer to G. 2.), or when unlawful processing exists.
4. Right to restriction of processing
(1) In accordance with Art. 18 GDPR, you retain the right to demand that our company restricts the processing of your personal data.
(2) In regard to this request, please contact the contact point which has been entered above (refer to D. 1).
(3) You retain the right to restrict processing in particular when the accuracy of the personal data is disputed between you and our company; in this case, you will retain the right for a period of time which is required to verify the accuracy. The same is considered to be valid when the successful exercise of a right of objection (refer to G. 2.) is still disputed between you and our company. You also particularly retain this right when you have a right to deletion (refer to G. 3.) and you have demanded restricted processing instead of deletion.
5. Right to data transferability
(1) In accordance with Art. 20 GDPR, you retain the right to receive from our company any of the personal data relating to you which you have provided to us in a structured, commonly used, machine-readable format as specified.
(2) In regard to this request, please contact the contact point which has been entered above (refer to D. 1).
6. Right to file a complaint with a supervisory authority
(1) In accordance with Art. 77 GDPR, you retain the right to complain about the collection and processing of your personal data to the competent supervisory authority.
(2) You can reach the competent supervisory authority by using the following contact details:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg.
Address: Lautenschlagerstraße 20, D-70173 Stuttgart, postal address: P.O. Box 10 29 32, 70025 Stuttgart, switchboard:+49 711/61 55 41-0, Email: poststelle@lfdi.bwl.de