Notice for data subjects in accordance with the EU General Data Protection Regulation (EU GDPR) (Art. 13, 14, and 21 GDPR)
1. Data Processor and Controller
Controller within the meaning of data protection law:
The yo company GmbH
represented by its managing director with sole representation authority Uwe Scheller
2. Scope of Processing
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection regulations.
2.1. Categories of personal data we process
We process both data you provide to us and data that we have not received directly from you.
If you contact us, we collect the following information in particular:
• Contact partner (title, forename, surname),
• Email address(es),
• Postal address,
• Telephone number (landline and/or mobile),
• Company Name,
• Delivery Address,
• Tax Number
2.2. Purpose and legal basis on which we process the data
2.2.1. Purposes of performance of a contract or steps prior to entering into a contract (Art. 6 (1) sentence 1 b) GDPR)
Personal data is processed starting from your enquiry through execution of our contracts with you and execution of your orders, as well as to carry out steps and activities prior to entering into a contract. This data is primarily collected for the following reasons:
• to be able to indentify you as our contract partner,
• to correspond with you,
• for billing purposes,
• for management and optimization of business processes,
• for transparency of transactions, orders and other agreements,
• to ensure IT security (including system and plausibility tests),
• to perform general gun diligence,
• to secure and exercise domiciliary rights (Hausrecht), e.g. through physical access control,
• for cost recording and controlling as well as reporting
2.2.2. Purposes you have consented to (Art. 6 (1) sentence 1 a) GDPR)
Your personal data can also be processed for specific purposes (e.g. use of your email address for marketing purposes) if you have given consent. As a rule, you may revoke your consent at any time. You may also revoke declarations of consent made to us before the GDPR came into force, i.e. before 25 May 2018. You will be informed of the purposes and of the consequences of revoking or not granting consent separately in the corresponding text of the consent.
As a rule, revoking consent is only effective for the future. Processing carried out before consent was revoked is not affected and remains legal.
2.2.3. Purposes related to a legitimate interest of us or a third party (Art. 6 (1) sentence 1 f) GDPR)
Beyond the actual performance of the contract or steps prior to entering into the contract, we may process your personal data if necessary to protect legitimate interests of us or a third party, in particular for the following purposes:
• sending newsletters
• marketing ( digital, Point of Sale, PR, trade fairs and events)
• social media (Facebook, Instagram, Twitter, Pinterest, Google +, etc.)
• event Invitations
2.2.4. Purposes relating to compliance with legal obligations (Art. 6 (1) sentence 1 c) GDPR) or the public interest (Art. 6 (1) sentence 1 e) GDPR)
We are subject to numerous legal obligations. These are primarily statutory requirements (e.g. trade and tax laws), as well as supervisory or other regulatory standards.
2.2.5. Duration of retention of your data
We process and retain your data for the duration of our contractual relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the implementation of a contract.
The personal data we collect will be retained until the end of the statutory retention period and then erased, unless we are obligated to retain it for longer under Art. 6 (1) sentence 1 c) GDPR because of documentation and retention obligations under tax and trade law (arising from the German Commercial Code, Criminal Code, or Tax Code) or you have consented to longer retention pursuant to Art. 6 (1) sentence 1 a) GDPR.
If the data is no longer needed to fulfil contractual or statutory obligations and rights, it is routinely erased, unless the – temporary – continued processing thereof is necessary to fulfil the purposes listed above based on a preponderant legitimate interest. Such a preponderant legitimate interest is also present if e.g. erasure is not possible or is only possible with disproportionately great effort because of the particular nature of the storage and if processing for other purposes is prevented by suitable technical and organizational measures.
3. Recipients or categories of recipients of your data
Your personal data will only be transmitted to third parties if
• You have consented to transmission to third parties,
• It is required to process contractual relationships with you pursuant to Art. 6 (1) sentence 1 b) GDPR,
• It is done to comply with legal obligations that require us to disclose, report, or forward data,
• External services providers process data on our behalf as contract processors or function transferees (e.g. external computing centers, support/ maintenance of EDP/IT applications, customer management, letter shops, marketing, auditing service, credit institutions, print shops or data disposal companies, courier services, logistic, public relations.)
We will not disclose data to third parties outside this framework. If we hire service providers for contract processing, your data will be subject to the same security standards there as with us. The third party may only use the disclosed data for the stated purposes for which it was transmitted.
4. Your data subject rights
Under certain conditions, you can claim the following data protection rights in your relationship with us.
4.1. Under Art. 7 (3) GDPR, you can revoke at any time a consent you once granted to us. The consequence of this is that we may in future no longer continue the data processing based on this consent.
4.2. Under Art. 15 GDPR, you have the right to request information about your personal data that we process (where applicable, with restrictions under Sec. 34 BDSG).
4.3. On your request, we will correct or complete data stored about you pursuant to Art. 16 GDPR if it is inaccurate or deficient.
4.4. If you wish it, we will erase your data in accordance with the principles of Art. 17 GDPR, provided that other statutory regulations (e.g. statutory retention periods or the restrictions under Sec. 35 BDSG) or a preponderant interest on our part (e.g. to defend our rights and claims) do not stand in the way.
4.5. With due consideration given to the conditions of Art. 18 GDPR, you may require that we limit the processing of your data.
4.6. You also have the right under the conditions of Art. 20 GDPR to receive your data in a structured, commonly used, and machine-readable format or to transmit it to a third party.
4.7. You can further object to the processing of your data under Art. 21 GDPR, upon which we must cease processing your data. However, the right to object only applies if your personal situation conforms to very particular circumstances, and our business may have rights that oppose your right to object.
4.8. You further have the right to revoke any consent to the processing of personal data from us at any time with effect for the future.
4.9. You further have a right to lodge a complaint with a data supervisory authority (Art. 77 GDPR). However, we recommend that a complaint always be directed to us first.
Your requests to exercise your rights should where possible be made in writing to the address given above.
5. Scope of your obligations to provide us with your data
You need only provide such data as is necessary to enter into and execute a contractual relationship or steps prior to entering into a contract with us or that we are legally obligated to collect. Without this data we will generally not be able to conclude or perform the contract. This may also apply to data needed later in the course of the business relationship. If we request additional data from you, you will be separately advised of the voluntary nature of the disclosure.
6. Information about your right to object under Art. 21 GDPR
You have the right to object to the processing of your data carried out based on Art. 6 (1) sentence 1 f) GDPR (data processing based on a weighing of interests) or Art. 6 (1) sentence 1 e) GDPR (data processing in the public interest) if there are reasons for this that arise from your particular situation. This is also true of any profiling within the meaning of Art. 4 No. 4 GDPR based on this provision.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that overrides your interests, rights, and freedoms or the processing is for the establishment, exercise or defense of legal claims.
We may also process your personal data to engage in direct marketing. If you do not wish to receive any marketing, you have the right to object to it at any time; this is also true of profiling if it is connected to such direct marketing. We will comply with this objection in the future.
We will no longer process your data for purposes of direct marketing if you object to processing for these purposes.
Such objection can be without a particular form and should if possible be directed at:
The yo company GmbH
Attn.: Uwe Scheller
Status of data protection notice: January 2019