2.1 Personal data
“Personal data” refers to any information relating to an identified or identifiable person (Art. 4 (1) GDPR). Information about an identified person can be their name or email address, for example. However, personal data is also data from which a person’s identity is not directly discernible but which still allows an identity to be determined: personal information or external information is merged and it can thus be established who the data pertains to. For example, a person can be identified by their address or bank details, their date of birth or username, their IP address and/or their location data. Of relevance here is all information that in some way permits inference to a specific person.
Under Art. 4 (2) of the GDPR, “processing” is defined as any operation performed in connection with personal data. This refers in particular to the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, disseminating or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The controller for this data processing is:
|Company:||NonFood Werbeagentur GmbH ("we")|
|Legal representative:||Stipo Juric, Christoph Drescher (Managing Director)|
|Address:||Tarpen 40 (ValvoPark, Haus 5b), 22419 Hamburg|
|Telephone:||+49 (0) 40 / 39 9999 0|
|Fax:||+49 (0) 40 / 39 9999 150|
4. DATA PROTECTION OFFICER
We have appointed an external data protection officer for our company. You can reach him at:
|Address:||HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg|
5. SCOPE OF PROCESSING: WEBSITE
Within the framework of the website with the URL www.nonfood.de , we process your personal data as outlined in detail in clauses 6-13. We only process data from you which you actively input on our website (e.g. by filling out forms) or which you automatically make available by using our content.
Your data is processed exclusively by us and in principle is never sold, distributed or passed on to third parties. If we employ external service providers to help process your personal data, this takes place as part of so-called “order processing”, during which we are entitled as the contracting authority to issue directives to our contractor. To operate our website we employ external service providers for hosting, maintenance, care and further development. If further external service providers should be employed for the specific processing activities stated in clauses 6-13, they shall be named there.
As a basic principle the transmission of data to third countries does not occur and is also not intended. We will inform you of any exceptions to this policy within the subsequent clauses describing our processing activities.
6. PROVISION OF THE WEBSITE AND SERVER LOG FILES
6.1 Description of processing activities
Every time you access the website, we automatically collect information which your browser transmits to our server. This information is also stored in the so-called log files on our server. The following data is transmitted:
- Your IP-address
- The browser software which you are using, as well as the version and language
- The operating system you are using
- The website from which you arrived at our website (so-called “referrer”)
- The subpages which you accessed on our website
- The date and time when you accessed our website
- Your internet service provider
- The volume of data transferred
It is necessary for the system to temporarily store your IP address so that we can deliver our website to the user’s end device. For this purpose, the user's IP address must be stored for the duration of the session. However, your IP address is not recorded in our log files.
Processing occurs in order to facilitate access to the website, as well as to ensure its stability and security. Furthermore, the processing aids the statistical analysis and improvement of our online content.
6.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 6.2.
6.4 Storage period
The data is erased as soon as it is no longer required for the purpose of its initial collection. In the event of data being collected for the provision of the website, this is the case when the respective session ends. The log files are erased after 30 days.
7. CONTACT FORM AND CONTACTING US VIA EMAIL
7.1 Description of processing activities
By providing a contact form on our website, we want to present you with a convenient option for getting in touch with us. The data transmitted with and in the contact form or your email respectively is exclusively used for the purposes of handling and responding to your request.
7.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 7.2. If the email is aimed at concluding or fulfilling a contract, data processing occurs for the performance of a contract (Art. 6 (1) (b) GDPR).
7.4 Storage period
We erase the data as soon as it is no longer required for the purpose of its initial collection. This is normally the case when the respective communication with you is concluded. The communication is completed when circumstances indicate that your request has been conclusively resolved. If legal retention periods prevent the erasure of data, we erase it immediately following the expiration of the legal retention period.
8. APPLICATION DOCUMENTS
We process data that is connected to your application. This can be general data pertaining to your person (such as name, address or contact details), information on your professional qualifications and school education or your professional development, or other information that you transmit to us in connection with your application. Apart from that, we can process information relating to your profession that you have made publicly accessible, such as for example a profile on professional social media networks. For this purpose you can create a profile with us using the link https://nonfood.de/de/jobs and send any data uploaded there to us directly.
8.2 Purpose and legal basis for processing
We process your personal data for the purpose of your application for employment, so far as this is necessary to take a decision regarding the establishment of an employment relationship with us. Furthermore, we can process your personal data in so far as this is necessary to protect us against any asserted legal claims relating to the application process. The legal basis for this is Art. 6 (1) (f) of the GDPR, the legitimate interest is, for example, a burden of proof in legal proceedings pursuant to Germany’s General Equal Treatment Act (AGG). If an employment relationship should arise between our company and your person, we can continue to process the personal data which we have already obtained from you for employment-related purposes as per § 26 para. 1 BDSG, if this is necessary in order to carry out or terminate the employment relationship or to exercise or satisfy rights and obligations of employee’s representation laid down by law or by collective agreements or other agreements between the employer and staff council.
The data is not transmitted to third parties.
9.1 Description of processing activities
- Cookie name: Session Cookie
- Purpose/Function: Administration
- Storage period: These cookies expire at the end of the browser session.
9.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 9.2.
9.4 Storage period
10. GOOGLE WEBFONTS
10.1 Description of processing activities
Our website uses “Google Webfonts”, a font replacement service provided by the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). With Google Webfonts, when our website is displayed the standard fonts of your end device are replaced with fonts from the Google catalogue. If your browser prevents the integration of Google Webfonts, the text on our website is displayed using the standard fonts of your end device. The Google Fonts are downloaded directly from a Google server. To allow this to happen, your browser sends a request to a Google server. Consequently we send Google the address of our website, together with your IP address where necessary. However, Google Webfonts does not store any cookies on your end device. According to Google, data which is processed as part of the Google Webfonts service will be transmitted to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. It will not be associated with data which, where applicable, is connected to the use of other Google services such as the search engine of the same name, or Gmail. Further information regarding data protection at Google Webfonts can be found here: https://developers.google.com/fonts/faq?hl=de-DE&csw=1. General information on data protection at Google can be accessed here: https://policies.google.com/privacy?hl=policies.
Processing occurs so that we can make the text on our website more readable and more aesthetically appealing for you.
10.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 10.2.
10.4 Recipients und transmission to third countries
Through the use of Google Webfonts, personal data is transmitted to Google where necessary. Google also processes your personal data in the USA and has committed to adhering to the EU-US Privacy Shield. Further information regarding the EU-US Privacy Shield can be found here: https://www.privacyshield.gov/EU-US-Framework.
11. ZENDRIVER VIDEOS
11.1 Description of processing activities
Our website uses services from “Zendriver”, a video service operated by Brightcove INC, 290 Congress Street, Bosten, USA (hereinafter referred to as “Zen”). We use Zen by embedding videos on our website with the help of the Zen Player, so that they can be played directly on our website. If you visit a subpage of our website which has a video embedded in it, a connection to the Zendriver servers is established and the video is thus displayed within our website. Because of this, Zendriver receives information about which website you visited. If necessary, your IP address is also transmitted to Zendriver. Further information regarding data protection at Zendriver can be found here: https://www.brightcove.com/en/legal/privacy
Processing occurs so that we can show you videos on our website.
11.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 11.2.
11.4 Recipients und transmission to third countries
Zendriver also processes data in the USA.
12. GOOGLE ANALYTICS
12.1 Description of processing activities
Processing occurs so that we can analyse the use of our website. The information that we gain from this processing serves the improvement and customised design of our online appearance.
12.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 12.2.
12.4 Storage period and right to object
We have outlined the storage period as well as your control and settings options regarding cookies in clause 10. You can object to the processing of your data by Google Analytics at any time by downloading and installing the browser add-on provided by Google at https://tools.google.com/dlpage/gaoptout?hl=en. Alternatively you can choose to click on the following link. This will result in an opt-out cookie being stored on your end device, which prevents your data from being recorded on future visits to this website. We automatically erase the analysis data which is processed and stored by Google Analytics after 14 months.
12.5 Recipients und transmission to third countries
Google Analytics acts as a service provider for us as part of order processing. Google also processes your personal data in the USA and has committed to adhering to the EU-US Privacy Shield. Further information regarding the EU-US Privacy Shield can be found here: https://www.privacyshield.gov/EU-US-Framework.
13. GOOGLE MAPS
13.1 Description of processing activities
Our website uses “Google Maps”, a service provided by the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). We use Google Maps by integrating a map showing our business address into our website. The map is downloaded directly from a Google server. To allow this to happen, your browser sends a request to a Google server. Consequently we send Google the address of our website, together with your IP address where necessary. However, Google Maps does not store any cookies on your end device. If you are logged in to Google upon your visit to our website, Google will assign this information to your Google user account. Google stores your data as usage profiles and uses it for advertising purposes, market research, and/or to customise the design of Google websites. You have the right to object to the creation of this user profile, and you must contact Google directly to exercise this right. Further information regarding data protection at Google can be found here: https://policies.google.com/privacy?hl=policies.
Processing occurs so that we can show you an interactive map on our website.
13.3 Legal basis
Processing is required to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest is in the purpose stated in clause 13.2.
13.4 Recipients und transmission to third countries
Google also processes your personal data in the USA and has committed to adhering to the EU-US Privacy Shield. Further information regarding the EU-US Privacy Shield can be found here: https://www.privacyshield.gov/EU-US-Framework.
14. SECURITY MEASURES
In order to protect your personal data from unauthorised access, we have equipped our website with an SSL/TLS certificate. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security”, and they encrypt the communication of data between a website and a user’s end device. You can recognise an active SSL/TLS encryption by a small lock symbol which is displayed on the far left of the address line in the browser.
15. YOUR RIGHTS AS A DATA SUBJECT
With regards to the data processing activities carried out by our company as described above, you have the following rights as a data subject:
15.1 Access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether or not personal data pertaining to you is being processed. If this is the case, under the conditions stated in Art. 15 of the GDPR you have a right of access to this personal data and to other information as listed in Art. 15 of the GDPR.
15.2 Rectification (Art. 16 GDPR)
You have the right to obtain from us without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data pertaining to your person.
15.3 Erasure (Art. 17 GDPR)
You have the right to obtain the erasure of any personal data pertaining to you, provided that one of the individual grounds stated in Art. 17 of the GDPR applies, e.g. if we no longer need your data for the purposes for which it was collected.
15.4 Restriction of processing (Art. 18 GDPR)
You have the right to obtain from us a restriction of processing if one of the conditions stated in Art. 18 of the GDPR applies, e.g. if you contest the accuracy of your personal data, data processing will be restricted for the amount of time required for us to verify the accuracy of your data.
15.5 Data portability (Art. 20 GDPR)
Under the conditions stated in Art. 20 of the GDPR you have the right to receive any data pertaining to you in a structured, commonly used and machine-readable format.
15.6 Withdrawal of consent (Art. 7 (3) GDPR)
For any processing that is based on your consent, you have the right to withdraw your consent at any time. The withdrawal is valid from the time that you assert your right. In other words, it is effective in the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
15.7 Complaints (Art. 77 GDPR)
If you are of the view that the processing of personal data pertaining to you is in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. You can exercise this right at a supervisory authority in the EU member state of your habitual residence, place of work or place of the alleged infringement.
15.8 Ban on automated individual decision-making/ profiling (Art. 22 GDPR)
Decisions which lead to legal repercussions for you or which significantly affect you may not be based solely on the automated processing of personal data, including profiling. We declare to you that we do not use any automated decision-making processes, including profiling, with regard to your personal data.
Date: May 2018