Disclaimer

Privacy policy statement of eggheads GmbH pursuant to EU–GDPR

Privacy policy

We, the eggheads GmbH, welcome you on our website. As the provider of this website, the protection of your personal data is of central concern to us. For this reason, we manage your personal data confidentially pursuant to the official data protection laws as well as our following privacy policy statement.

In general, you can browse our website without providing personal data. To the extent that personal data is processed by us (e.g. name, address, or e-mail), it is always, where feasible, done so on the basis of data you have voluntarily provided to us. Without your explicit consent, this data is not disclosed to third parties. However, it should be noted that data transmission via internet (e.g. communication via e-mail) may in principle have security vulnerabilities. Therefore, absolute protection from unauthorized access by third parties cannot be guaranteed.

The processing of your or another data subject’s personal data — in particular name, address, telephone or mobile phone number, e-mail, and bank information — is always and under all circumstances handled in strict accordance with the EU’s General Data Protection Regulation as well as the country-specific data protection laws.

With this privacy policy statement, we inform you — as a data subject — about your rights. Furthermore, we — as the data controller — adhere to a strict code of conduct with regard to our organization and use of technologies in order to protect the personal data processed on this website as much as is within our powers. As stated before, despite all of our efforts, internet-based data transmission may in principle have security vulnerabilities, so that absolute protection cannot be guaranteed. For this reason, any data subject is free to communicate personal data to us via alternative channels, e.g. via telephone.

Name and address of the data controllers

Pursuant to the General Data Protection Regulation as well as every other data regulation law and legal document relevant to data protection that is valid for the member states of the European Union, the data controllers are:

eggheads GmbH

Wolfgang Wichert and Christiane Weidenbach

Alte Wittener Str. 50

44803 Bochum

Telephone: +49 (0) 234 893970

Telefax: +49 (0) 234 8939728

E-Mail: eggsite@eggheads.de

Website: www.eggheads.de

Data protection officer

You can contact our data protection officer under the following address:

P2Consult

Mr. Jürgen Golda

Wilhelm-Bläser-Str. 3c

59174 Kamen

E-Mail: datenschutzbeauftragter@eggheads.de

Tel: +49 234 893970

Consent to the processing of personal data

With the voluntary use of our website and our scope of services, the user consents to the processing of personal data required for one of the following purposes:

eggheads GmbH offers services that are of interest to its clients, namely sales, installation, support, service and consulting concerning eggheads Suite, a standard software in the field of Product Information Management.

The user consents that eggheads GmbH collects the data necessary to realize and provide all of the above-stated services. For this purpose, the user also gives consent that data may, where necessary, be shared with partner companies of eggheads GmbH, with whom it has entered into a legal data processing contract pursuant to GDPR.

Personal data — in particular name, address, telephone or mobile phone number, e-mail, and bank information — is only necessary and required for the purpose of service provisions or potential contractual relationships, and is only collected on the grounds of legal authorization. For every use of personal data that is not part of the above-stated services as well as for the collection of additional information, the data subject is to give consent regularly.

With regards to this, further aspects — in particular the right to object — are elaborated in the following paragraphs.

1. Definitions

This privacy policy statement is based on the concepts of the General Data Protection Regulation law of the European Union (EU–GDPR, Article 4) and the new German Bundesdatenschutzgesetz or federal data protection law (BDSG–neu; formerly: EU – DSAnpUG-EU). We intend that our privacy policy statement is exact yet easily comprehensible to both the public as well as for our customers and business partners. In order to guarantee this, we want to clarify some of the actively used concepts beforehand.

2. Cookies

Our website utilizes cookies. Cookies are small data files exchanged between the server of the website and the browser of the visitor. When you visit our website, cookies are automatically stored on your device (computer, laptop, tablet, smartphone etc.). Cookies are not harmful to your device; in particular, they do not contain viruses or other malicious software.

In a cookie, information is stored related to the specific device utilized to access our website. However, this does not mean that we gain immediate knowledge of your identity. Cookies serve the purpose of making our services more ergonomic for you. In relation to this, we utilize so-called ‘session cookies’ in order to recognize which webpages of our website you have already visited as part of the current session. Session cookies are automatically deleted after closing our website.

To optimize the usability of our website, we also utilize temporary cookies that are stored on your device for a predefined time. In case you visit our website again in order to make use of our services, your system automatically recognizes that you have already visited our website and which settings or inputs you have entered so that you do not need to enter them again.

Among other things, we utilize cookies to statistically evaluate how our website is utilized in order to optimize it. Accordingly, these cookies recognize that you have visited our website before, and are automatically deleted after a predefined time.

The data processed by cookies is necessary for the above-stated purposes to preserve our legitimate interests or those of a third party pursuant to GDPR, point (f) of Article 6 (1).

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your device or that you are to be notified before a cookie is created.

3. Server log files

When our website is visited by a data subject or an automated system, the provider of the website collects a set of general data. This set is then automatically saved into a server log file, which is automatically transmitted to us via your browser. Accordingly, this set of general data consists of:

  • Browser type and browser version
  • Operating system
  • HTTP referrer ID (previously visited website)
  • Host name of device (IP address)
  • Date and time of server request
  • Related data that is relevant for guaranteeing the security of our information technology systems against cyberattacks etc.

The anonymous data stored in the server log file cannot be linked to any individual and is not merged with other data sources. Consequently, it is saved separately from all personal data provided by a data subject. We reserve the right to analyze this data after its initial processing should we become aware of or have justified reasons to suspect illegal use.

4. Registration on our website

As a data subject, you can register on the data controller’s website, providing personal data as may be required. Consequently, the respective input mask for registration determines what personal data is transmitted to the data controller. To this extent, the data processing pursuant to GDPR, point (a) Article 6 (1) is carried out only with your consent. The personal data inserted by the data subject is exclusively collected and saved by the collector for internal use only. The collector may — where valid reasons can be provided — disclose this data to individual or multiple processors, who may also only utilize this data for an internal use that is to be communicated to the collector.

Furthermore, when registering on the data controller’s website, the following data is also saved: the data subject’s IP address as communicated by the internet service provider (ISP) as well as the date and time of registration. The reason as to why this data is saved is that we can only prevent the misuse of our services by following this procedure. Where necessary, the data is also utilized for the detection and prosecution of criminal offences. To this extent, saving this data is required for the legal protection of the collector. In principle, this data is not disclosed to third parties unless there are legal obligations to disclose it or it is required for legal prosecution.

The personal data provided by the data subject for registration on a voluntary basis serves the purpose of allowing the data controller to provide the respective data subject with content and services which may only be accessible for registered users due to the nature of this content and services. Registered users are free to change their personal data they submitted for registration or to completely erase it from the data controller’s database.

At any time, the data subject can submit a request to the data controller in order to gain insight into the respective data subject’s personal data stored in the data controller’s database. Accordingly, the data controller is to rectify or erase the subject’s personal data upon her request to the extent that there are no legal obligations for data retention in play.

5. Subscription and newsletters

Customers and partner companies of eggheads can subscribe to the newsletter of our company. The respective data subject’s subscription request that is sent via e-mail determines what personal data is transmitted to the data controller. On a regular basis, we inform our customers and business partners via newsletter about the services of our company. Our company’s newsletter can, in principle, only be received by the data subject where the following two conditions are met:

  • The data subject has a valid e-mail address
  • The data subject has subscribed to our newsletter

The corresponding data collection is required to detect (potential) misuse of the data subject’s e-mail address after its initial processing and is, consequently, required for the legal protection of the collector.

The personal data collected as part of the subscription to our newsletter is exclusively utilized to send newsletters on a regular basis. Furthermore, subscribers to our newsletter may receive e-mails containing relevant information concerning our newsletter service. For example, this may be the case if changes are made to our regular newsletter service. No personal data is disclosed to third parties as part of the newsletter service. The subscription to our newsletter may be canceled at any time by the data subject. At any time, the data subject may withdraw her consent to the storage of personal data which was collected as part of the subscription to the newsletter. Our newsletter readers can exercise their right to withdraw consent by clicking the respective link provided in any of our newsletters. Additionally, newsletter readers can also unsubscribe via the data controller’s website or by communicating a request directly to the data controller via any other viable channel.

6. Newsletter tracking

Our newsletters contain so-called web beacons. A web beacon is a pixel-sized graphic that is embedded in HTML-formatted e-mails, allowing for log data tracking and log data analysis. On the basis of this, a statistical evaluation of the success of our online marketing campaigns can be carried out: By utilizing web beacons, we can track whether and when an e-mail was read and which links contained in the e-mail have been opened by the data subject.

Personal data collected via web beacons that are contained in our newsletters is saved and evaluated by the collector in order to optimize our newsletter service and to further adjust the content of our future newsletters on the basis of the data subjects’ interests. This personal data is not disclosed to third parties. At any time, a data subject may withdraw consent. Where a data subject exercises her right to withdraw consent, the collector is to erase the respective personal data. Unsubscribing from our newsletter is regarded as a withdrawal of consent.

7. Contact via website

Due to legal regulations, our website allows for quick electronic communication with our company via contact form as well as immediate communication via e-mail. To the extent that a data subject communicates with the collector via contact form or e-mail, the personal data provided by the data subject is saved automatically. This personal data, provided to the collector by the data subject on a voluntary basis, is saved for the purpose of processing and communication. It is not disclosed to third parties.

When you contact us via e-mail, there is no guarantee that third parties cannot gain access to or falsify the content of the e-mail on the transmission path. Accordingly, you should only send messages containing confidential content to us via our contact form or in encrypted form.

8. Analysis tool: Google Analytics

As part of the demand-actuated design and continuous optimization of our website, we utilize Google Analytics, a web analysis service developed by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; hereafter ‘Google’; https://www.google.de/intl/de/about/). In this context, pseudonymized user profiles are created and cookies are utilized (for our use of cookies, please refer to point 2 of our privacy policy statement). Google Analytics is utilized as part of the order processing pursuant to GDPR, Article 28.

The cookies collect information about your use of our website, such as:

  • Browser type and browser version
  • Operating system
  • HTTP referrer ID (previously visited website)
  • Host name of device (IP address)
  • Date and time of server request

This information is then gathered and stored on a Google server. The information is utilized to evaluate the use of our website, to create reports on website activities, and to offer services related to market research and demand-actuated design. As circumstances may require, this information may also be distributed to third parties, to the extent that this is legally required or is part of the order processing. On no account is your IP address merged with other data of Google, to the extent that we can influence this process. The IP addresses are anonymized so that a clear mapping is not possible (IP masking).

You can disable cookies by configuring your browser accordingly. Please note, however, that you may not be able to use all functions of our website if required cookies are blocked.

Furthermore, you can prevent the data generated by cookies and by your use of our website (including your IP address) from being collected and processed by Google by downloading and installing a browser add-on: https://tools.google.com/dlpage/gaoptout?hl=de

An alternative to the browser add-on, in particular for mobile devices, is to disable the processing by Google Analytics by clicking on the following link: Deactivate Google Analytics

When you click on this link, an opt-out cookie is created that blocks the future processing of your data when visiting our website. This opt-out cookie is only valid for the respective browser and only for our website, and is stored on your device. If you delete the cookies of this browser, you have to create the opt-out cookie again.

For further information concerning data protection related to Google Analytics, please refer to the Google Analytics help: https://support.google.com/analytics/answer/6004245?hl=de

9. Social Plugin: facebook

Our website features so-called social media plugins (hereafter ‘plugins’) from the social network facebook in order to personalize the experience of our website. The address of the company responsible is Facebook Inc. (1601 South California Avenue, Palo Alto, CA 94304, USA; hereafter ‘facebook’). A facebook plugin is represented by the facebook logo displayed on our website.

An overview over all facebook plugins can be found here: http://developers.facebook.com/docs/plugins/

When you open a webpage of our website that contains a feature of this kind, your browser establishes a direct connection to the facebook servers. The content of the plugin is directly transmitted to your browser by facebook and integrated into the webpage.

By implementing the plugin, facebook receives the information that your browser has accessed the respective webpage of our website, even if you do not have a facebook account or are currently not logged into facebook. This information (including your IP address) is directly transmitted to a facebook server by your browser.

If you are currently logged into facebook, facebook can directly map your visit to our website with your facebook account. When you interact with plugins, such as clicking on the ‘Like’ or ‘Share’ button, corresponding information is also directly transmitted to and saved by a facebook server. The information is also published on facebook and visible to your facebook friends.

Facebook may utilize this information for the purpose of advertisement, market research, and demand-actuated design of facebook pages. For this, facebook creates usage, interest, and relationship profiles, e.g. to evaluate your use of our website in relation to the advertisement displayed on facebook, to inform other facebook users about your activities on our website, and to provide other services related to the use of facebook.

If you do not want facebook to map the data collected via the use of our website, you have to log out of facebook before visiting our website.

For further information concerning the purpose and scope of the data collection, further processing and use of data by facebook, as well as your relevant rights and options for the protection of your privacy, please refer to the privacy policy statement by facebook: https://www.facebook.com/about/privacy

10. Social Plugin: Google+

On our website, we feature social plugins by the social network Google+. The address of the company responsible is Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). A Google+ plugin is represented in the form of the ‘G+’ button on white or colored background.

An overview of all Google+ plugins can be found here: https://developers.google.com/+/plugins

When visiting one of our webpages, a direct connection between your browser and the Google servers is established. Hereby, the content of the plugin is directly transmitted to your browser and implemented into the respective webpage of our website by Google. Google receives the information that your browser has accessed our website even if you do not have a Google+ account or are currently not logged into your Google+ account. This information (including your IP address) is directly transmitted and saved to one of the servers of Google in the US. If you are logged into your Google+ account, Google can immediately link your visit of our website to your Google+ profile.

If you interact with the plugins, e.g. press the ‘+1’ button, the corresponding information is also directly transmitted and saved on one of the servers of Google. Likewise, this information is published on Google+ and visible to your contacts.

For further information concerning the purpose and scope of the data collection, further processing and use of data by Google, as well as your relevant rights and options for the protection of your privacy, please refer to the privacy policy statement by Google: https://developers.google.com/+/web/buttons-policy

If you do not want Google to immediately link the data gathered from your use of our website to your Google+ profile, please log out of your Google+ account before browsing our website. Also, you can deny the loading of Google plugins entirely by downloading and installing add-ons for your browser, e.g. by installing the ‘NoScript’ script blocker: http://noscript.net/

11. Social Plugin: Instagram

On our website, we feature so-called ‘social plugins’ (plugins) by Instagram. The address of the company responsible (hereafter ‘Instagram’) is Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA. The plugins are represented in the form of the Instagram logo, e.g. in the form of the ‘Instagram camera’.

An overview of all Instagram plugins can be found here: http://blog.instagram.com/post/36222022872/introducing-instagram-badges

When visiting one of our webpages, a direct connection between your browser and the Instagram servers is established. Hereby, the content of the plugin is directly transmitted to your browser and implemented into the respective webpage of our website by Instagram. Instagram receives the information that your browser has accessed our website even if you do not have an Instagram account or are currently not logged into your Instagram account. This information (including your IP address) is directly transmitted and saved to one of the servers of Instagram in the US. If you are logged into your Instagram account, Instagram can immediately link your visit of our website to your Instagram profile.

If you interact with the plugins, e.g. press the ‘Instagram’ button, the corresponding information is also directly transmitted and saved on one of the Instagram servers. Likewise, this information is published on Instagram and visible to your contacts.

For further information concerning the purpose and scope of the data collection, further processing and use of data by Instagram, as well as your relevant rights and options for the protection of your privacy, please refer to the privacy policy statement by Instagram: https://help.instagram.com/155833707900388/

If you do not want Instagram to immediately link the data gathered from your use of our website to your Instagram profile, please log out of your Instagram account before browsing our website.

12. Social Plugin: LinkedIn

On our website, we feature so-called ‘social plugins’ (plugins) by LinkedIn. The address of the company responsible is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (LinkedIn). The plugins are represented in the form of the ‘In’ button on white or colored background.

An overview of all LinkedIn plugins can be found here: https://developer.linkedin.com/plugins

When visiting one of our webpages that features such a plugin, your browser establishes a direct connection to the LinkedIn servers. The content of the plugin is transmitted directly to your browser and implemented into the respective webpage of our website by LinkedIn. This way, LinkedIn receives the information that you have accessed our website even if you do not have a LinkedIn account or are currently not logged into your LinkedIn account. This information (including your IP address) is directly transmitted from your browser to a LinkedIn server in the US.

When you click the “LinkedIn” button while you are also logged into your LinkedIn account, you can link contents from our website on your LinkedIn profile page. This way, LinkedIn can associate your visit of our website with you and your user account.

For further information concerning the purpose and scope of the data collection, further processing and use of data by LinkedIn, as well as your relevant rights and options for the protection of your privacy, please refer to the privacy policy statement by LinkedIn: http://www.linkedin.com/static?key=privacy_policy&trk=hb_ft_priv

13. Social Plugin: XING

On our website, we feature so-called ‘social plugins’ (plugins) by XING. The address of the company responsible is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany (XING). The plugins are represented in the form of buttons with the ‘XING’ logo on white or colored background.

An overview of all XING plugins can be found here: https://dev.xing.com/

When visiting one of our webpages that features such a plugin, your browser establishes a direct connection to the server of XING. The content of the plugin is transmitted directly to your browser and implemented into the respective webpage of our website by XING. This way, XING receives the information that you have accessed the respective webpage of our website even if you do not have a XING account or are currently not logged into your XING account. This information (including your IP address) is directly transmitted from your browser to a server of XING in Europe or, as the circumstances require, the US.

When you click the “XING” button while you are also logged into your XING account, you can link contents from our website on your XING profile page. This way, XING can associate your visit of our website with you and your user account.

For further information concerning the purpose and scope of the data collection, further processing and use of data by XING, as well as your relevant rights and options for the protection of your privacy, please refer to the privacy policy statement by XING: https://www.xing.com/app/share?op=data_protection

14. SSL encryption

For our website, we utilize the common SSL encryption (Secure Sockets Layer) in combination with the highest security level supported by your browser. In general, this is 256-bit encryption. If your browser does not support 256-bit encryption, we instead utilize 128-bit v3 technologies. The key or lock symbol in your browser address bar indicates that a specific webpage of our website is encrypted.

Furthermore, we utilize technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, erasure, or unauthorized third-party access to the best of our abilities. Our security measures are continuously improved in accordance with state-of-the-art technologies.

15. Routine erasure of personal data and restriction of processing

The data controller processes and saves the data subject’s personal data for the envisaged period of 10 years, unless specified differently by the European directives and regulations or other relevant laws by which the data controller is to abide.

After the 10 years have passed or after the period of data retention, as specified by European guidelines and regulations or other relevant laws, has run out, the personal data is routinely erased or blocked.

16. Rights of the data subject concerning access, rectification, deletion, blocking etc.

a) Right of confirmation

At any time, any data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning her is being processed and saved.

To exercise this right of confirmation, a data subject can contact our data protection officer or any other of the data controller’s employees at any time.

b) Right of access

Pursuant to GDPR, Article 15, the data subject of whom personal data is processed shall have the right, at any time, to receive from the data controller information about the personal data concerning her as well as a copy thereof. Furthermore, the data subject shall have the right of access for the following information:

  • the purposes of the processing
  • the categories of personal data being processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from the data subject, any available information as to their source
  • the existence of automated decision-making — including profiling — referred to in GDPR, Article 22 (1) and (4) and, at the very least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Where personal data is transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

To exercise this right of access, a data subject can contact our data protection officer or any other of the data controller’s employees at any time — an e-mail to the following address is sufficient for this: datenschutzbeauftragter@eggheads.de.

c) Right to rectification

Pursuant to GDPR, Article 16, any data subject of whom personal data is processed shall have the right, at any time, to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

To exercise this right of rectification, a data subject can contact our data protection officer or any other of the data controller’s employees at any time.

d) Right to erasure (‘right to be forgotten’)

Pursuant to GDPR, Article 17 any data subject of whom personal data is processed shall have the right, at any time, to obtain from the data controller the erasure of personal data concerning her without undue delay and the data controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • The data subject withdraws consent on which the processing is based according to GDPR, point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to GDPR, Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2).
  • The personal data has been unlawfully processed.
  • The personal data is to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject.
  • The personal data has been collected in relation to the offer of information society services referred to in GDPR, Article 8 (1).

The erasure can be requested to the extent that it is not required to exercise the freedom of speech and information, to fulfill a legal obligation related to public interests or the exercise and defense of legal claims.

If one of the above-stated grounds applies and a data subject wants to exercise her right to erasure, she can contact our data protection officer or any other of the data controllers’ employees at any time. Our data protection officer or respective employee is then responsible for the due erasure of the respective personal data.

Where the data controller has made the personal data public and is obliged pursuant to GDPR, Article 17 (1) to erase the personal data, the data controller, taking account of available technologies and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that the data subject has requested the erasure by such data controllers of any links to, or copy or replication of, those personal data. In individual cases, our data protection officer or respective employee is to assure that the erasure of the respective personal data is carried out accordingly.

e) Right to restriction of processing

Pursuant to GDPR, Article 18 any data subject of whom personal data is processed shall have the right, at any time, to obtain from the data controller restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data.
  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • The data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
  • The data subject has objected to processing pursuant to GDPR, Article 21 (1) pending the verification whether the legitimate grounds of the data controller override those of the data subject.

If one of the above-stated cases applies and a data subject wants to exercise her right to restrict the processing of her personal data saved by us, she can contact our data protection officer or any other of the data controller’s employees at any time. Our data protection officer or respective employee is responsible for the due restriction of the respective personal data.

f) Right to data portability

Pursuant to GDPR, Article 20 any data subject of whom personal data is processed shall have the right, at any time, to receive the personal data concerning her, which she has provided to a data controller, in a structured, commonly used and machine-readable format and she shall have the right to transmit this data to another data controller without hindrance from the data controller to which the personal data has been provided, where:

  • the processing is based on consent pursuant to GDPR, point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1);
  • and the processing is carried out by automated means.

This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

In exercising her right to data portability pursuant to GDPR, Article 20 (1) as stated above, the data subject shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible and where there is no conflict with the freedom and rights of other persons.

To exercise this right to data portability, a data subject can contact our data protection officer or any other of the data controller’s employees at any time.

g) Right to object

Pursuant to GDPR, Article 21 any data subject of whom personal data is processed shall have the right, at any time, to object, on grounds relating to her particular situation, to processing of personal data concerning him or her which is based on GDPR, point (e) or (f) of Article 6 (1) — including profiling based on those provisions. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her for such marketing — which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to GDPR, Article 89 (1), the data subject, on grounds relating to her particular situation, shall have the right to object to processing of personal data concerning her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise this right to object, a data subject can contact our data protection officer or any other of the data controllers’ employees at any time — an e-mail to the following address is sufficient for this: datenschutzbeauftragter@eggheads.de. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise her right to object by automated means using technical specifications.

h) Automated individual decision-making, including profiling

Pursuant to GDPR, Article 22 any data subject of whom personal data is processed shall have the right, at any time, not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning her or similarly significantly affects her. This shall not apply if the decision:

  • (1) is necessary for entering into or the fulfillment of a contract between the data subject and a data controller;
  • (2) is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
  • (3) is based on the data subject’s explicit consent.

In the cases referred to in points (1) for the making or fulfillment of a contract between the data subject and a data controller and (2) for the data subject’s explicit consent, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the data controller, to express her point of view and to contest the decision.

i) Right to withdraw consent

Pursuant to GDPR, Article 7 (3) any data subject of whom personal data is processed shall have the right to withdraw consent to the processing of her personal data at any time.

To exercise this right to withdraw consent, a data subject can contact our data protection officer or any other of the data controller’s employees at any time — an e-mail to the following address is sufficient for this: datenschutzbeauftragter@eggheads.de.

j) Right to consult the Federal Commissioner for Data Protection and Freedom of Information

Pursuant to GDPR, Article 7 (3) any data subject of whom personal data is processed shall have the right, at any time, to consult the supervisory authorities or to lodge a complaint with them. In general, you can contact the nearby supervisory authority or the supervisory authority of our company headquarters.

17. Data protection for applications and application processes

The data controller collects and processes the personal data of applicants for the purpose of the application process. The processing can also be carried out via electronic means. In particular, this may be the case where an applicant sends his application files to the data controller via electronic means of communication, e.g. via e-mail.

Where the controller makes an employment contract with the applicant, the transmitted data may be saved for the purpose of establishing an employment relationship pursuant to legal requirements.

Where the controller does not make an employment contract with the applicant, the application files are automatically erased six months after the job application refusal — to the extent that the erasure does not stand in conflict with other legitimate interests pursued by the data controller.

Other legitimate interests in this sense may, for example, be the burden of proof in a legal procedure in accordance with the German Sex Discrimination Act (Allgemeines Gleichbehandlungsgesetz AGG).

18. Lawfulness of processing

Pursuant to GDPR, point (a) Article 6 (1), the lawfulness of processing procedures is provided where the data subject has given consent to the processing of her data for a specific purpose.

Pursuant to GDPR, point (b) Article 6 (1), the lawfulness of processing procedures is provided where the processing is necessary for the performance of a contract to which the data subject is party (e.g. processing for the supply of products and services and to provide services in return) or in order to take steps at the request of the data subject prior to entering into a contract (e.g. all cases that concern requests for our products and services).

Pursuant to GDPR, point (c) Article 6 (1), the lawfulness of processing procedures is provided where the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. tax obligation).

Pursuant to GDPR, point (d) Article 6 (1), the lawfulness of processing procedures is provided in rare cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person. This may be the case if a visitor of our company is injured and is to provide her name, age, medical records, as well as other vital information to doctors, hospitals or other third parties. The processing is lawful if the processing is required to preserve our legitimate interests or that of a third party, to the extent that the data subject’s interests, basic rights, and fundamental liberties are not violated.

Where the processing is pursuant to GDPR, point (f) of Article 6 (1), our legitimate interests pursued lie in our business activities in support of all of our employees as well as our shareholders.

Pursuant to GDPR, point (f) Article 6 (1), the lawfulness of processing procedures is provided in cases that are not governed by the aforementioned types of lawfulness and where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller — to the extent that this does not outweigh the rights of the individual data subject. In particular, this is justified by Union law to the extent that legitimate interests may be pursued in cases where the data subject is one of the controller’s customers (GDPR, Recital 47: Overriding legitimate interest).

19. Period of data retention

The criterion for our company’s period of data retention is the respective legal retention period for personal data. With the end of this period, the respective data is routinely erased, to the extent that it is no longer required for the performance or initiation of a contract.

20. Recipients of personal data / third country disclosure

Pursuant to GDPR, point (9) Article 4, recipients of personal data are limited to our company and, in individual cases as circumstances may require, legal recipients such as public authorities, partner companies or suppliers (e.g. our website operator).

Personal data is not disclosed to companies in third countries — with the exception of the companies explicitly stated in our privacy policy statement, point 8–13: “Google Analytics”, “facebook”, “Instagram”, “Google+”, “XING”, and “LinkedIn”.

21. Legal or contractual requirements for the provision of personal data; necessity for initiation of contract; obligations of the data subject to provide the respective personal data; possible consequences in case of failure to provide such data

We inform you that the provision of personal data is in part legally required (e.g. tax regulations) or contractually required (e.g. contract partners). Among other cases, it may be required that a data subject is to provide personal data to us as part of entering into a contract, which is then processed by us. Accordingly, the data subject is required to provide the respective personal data necessary; failure to provide such data results in failure to enter into the respective contract. Prior to the provision of personal data by the data subject, she may contact our data protection officer. For each individual case, our data protection officer informs the data subject whether the provision of data is legally or contractually required, or necessary for entering into a contract, or whether there is a legal obligation. Furthermore, information concerning the consequences in case of failure to provide such data is also provided.

22. Automated operational decision management

As a company with ethical responsibilities, we do not utilize automated operational decision management or profiling.

 

German-into-English translation of the official privacy policy statement of eggheads GmbH, version: 05.06.2018. If any issue should arise, please consult the original German statement.

 

Sources:

German Society for Data Protection (Deutsche Gesellschaft für Datenschutz DGD): https://dg-datenschutz.de/?lang=en

eRecht24: www.e-recht24.de

intersoft consulting services AG: https://gdpr-info.eu/