Data Protection Information in Accordance with the EU General Data Protection Regulation (GDPR)
(Last update: 05/2018)
With the following information we give you an overview of the processing of your personal data by us and your rights under data protection law. Which data is processed in detail and how it is used depends largely on the underlying business relationships.
1. Responsibility for Data Processing
2. Data Type and Origin
We process personal data that we receive from our customers in the course of our business relationship. In addition, to the extent necessary for the provision of our services, we process personal data that we have legitimately received from other third parties (e.g. business information services) e.g. for the execution of orders, for the fulfilment of contracts or on the basis of a consent given by you.
On the other hand, we process personal data that we have legitimately obtained and may process from publicly accessible sources (e.g. trade and association registers, press, media, Internet).
Relevant personal data may be, for example: Name, address, telephone, e-mail address, vehicle license plate and vehicle type.
3. Purpose of the Processing and legal Basis
We process the aforementioned personal data in accordance with the provisions of the EU Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) for the following purposes:
3.1 For the Fulfilment of contractual Obligations
(Article 6 para. 1 b GDPR)
Personal data is processed for the execution of our contracts with our customers or for the execution of pre-contractual measures, which take place at your request.
3.2 In the Context of weighing up Interests
(Article 6 para. 1 f GDPR)
If necessary, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests of us or third parties such as, for example:
– Advertising, as long as you do not object to the use of your data
– Assertion of legal claims and defence in legal disputes
– Ensuring IT security and operation
– Prevention of criminal offences
– Video surveillance for the protection of domiciliary rights
– Measures for building and system security (e.g. access controls)
– Measures to secure the domiciliary right
– Risk management in the Train4you Group
3.3 Based on your Consent
(Article 6 para. 1 a GDPR)
3.4 Due to legal Requirements (Article 6 para. 1 c GDPR) or in the public Interest
(Article 6 para. 1 e GDPR)
To fulfil legal obligations, i.e. legal requirements such as the documentation obligations under the German Commercial Code (HGB).
4. Authorized Persons and Data Recipients
Within our company, those departments have access to your data that are needed to fulfil our contractual and legal obligations. Service providers, sub-contractors and vicarious agents used by us may also receive data for these purposes if they comply with our instructions under data protection law in writing. These are mainly companies from the categories listed below:
– Public bodies and institutions (e.g. tax authorities, Federal Central Tax Office, Federal Railway Authority) in the event of a legal or official obligation.
Contractors to whom we transfer personal data in order to conduct the business relationship with you are, for example:
– Financial accounting service provider
– IT service provider for support/maintenance of EDP/IT applications
– Data destruction service providers
– Website companies
– Accounting firms
– Service providers, e.g. of: catering, logistics, administration
– Communication and marketing service providers
5. Transfer to a third country or to an international organisation
Data are not transferred to countries outside the EU or the EEA (so-called third countries).
6. Retention Periods
We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted. With regard to the periods for storage, reference is made here to the German Commercial Code and the Tax Code, for example. The periods for storage and documentation specified there range from two to ten years. In addition, data is stored in order to obtain evidence within the limitation periods pursuant to §§ 195 ff BGB (German Civil Code). The limitation periods can be up to 30 years, whereby the regular limitation period is three years.
7. Data Protection Rights
Any person concerned shall have the right to access under Article 15 GDPR, the right to correction under Article 16 GDPR, the right to cancellation under Article 17 GDPR, the right to limitation of processing under Article 18 GDPR, the right of opposition under Article 21 GDPR and the right to data transfer under Article 20 GDPR. The restrictions according to §§ 34 and 35 BDSG apply to the right to information and the right of cancellation. In addition, there is a right of appeal to a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG). You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to us before the EU Data Protection Basic Regulation took effect on May 25th 2018. Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this.
8. Obligation to provide Data
In the context of our business relationship you must provide those personal data which are necessary for the establishment and implementation of a business relationship and the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without these data we will usually have to refuse the conclusion of the contract or the execution of the order or we will no longer be able to execute an existing contract and may have to terminate it. If you do not provide the necessary information and documents, we may not establish or continue the business relationship you have requested.
9. Automated Decision making and Profiling
In principle, we do not use fully automated decision making according to Article 22 GDPR for the establishment and implementation of the business relationship. We do not process your data with the aim of evaluating certain personal aspects (profiling).
Right of Objection according to Article 21 of the EU Data Protection Basic Regulation (GDPR)
1. Right of Objection in individual Cases
You have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is based on Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of a balance of interests). If you object, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
2. The Right to object to the Processing of Data for advertising Purposes
In individual cases we process your personal data in order to send you direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes. The objection can be made form-free and should be addressed to: