With the following data protection declaration, we would like to inform you which types of your personal data (hereinafter also referred to as “data”) we process for which purposes and to what extent. The data protection declaration applies to the processing of personal data carried out by us, both within the framework of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).
Status: August 16, 2019
Person in charge
Brose AUNDE Fahrzeugsitze GmbH
Authorized representatives: Managing Directors: Markus Kussmaul, Daniel Geist
Contact information data protection officer
Data protection officer: by post at the above address
Overview of processing operations
Die nachfolgende Übersicht fasst die Arten der verarbeiteten Daten und die Zwecke ihrer Verarbeitung zusammen und verweist auf die betroffenen Personen.
Types of data processed
- user-related data (for example, names, addresses).
- Content data (e.g. text entries, photographs, videos).
- Contact data (e.g. e-mail, telephone numbers).
- Meta/communication data (e.g. device information, IP addresses).
- Usage data (e.g. websites visited, interest in content, access times).
Kategorien betroffener Personen
- Employees (e.g. salaried employees, applicants, former employees).
- Interested parties.
- Communication partners.
- Users (e.g. website visitors, users of online services)
Purposes of processing
- Provision of our online services and user friendliness.
- Office and organizational procedures.
- Contractual services and service.
Applicable legal bases
In the following we inform you about the legal basis of the Data Protection Ordinance (DSGVO), based on which we process personal data. Please note that, in addition to the provisions of the DSGVO, the national data protection regulations in your or our country of residence and domicile may also apply.
- Consent (Art. 6 para. 1 sentence 1 lit. a DSGVO) – The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes.
- Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. DSGVO) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures at the request of the data subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. DSGVO) – Processing is necessary to safeguard the legitimate interests of the data controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
National data protection regulations in Germany: In addition to the data protection regulations of the Basic Data Protection Regulation, national regulations apply to data protection in Germany. These include the German Data Protection Act (Bundesdatenschutzgesetz – BDSG). In particular, the BDSG contains special provisions on the right of information, the right of deletion, the right of objection, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (§ 26 BDSG), about the establishment, execution or termination of employment relationships as well as the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.
We shall take appropriate technical and organizational measures in accordance with the statutory requirements, taking into account the state of the art, the implementation costs and the nature, extent, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
Such measures shall include the confidentiality, integrity and availability of data by controlling physical and electronic access to, and access to, input, transmission, securing and separation of data. In addition, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data and responses to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
Shorten the IP address: If it is possible for us or a storage of the IP address is not necessary, we shorten or let shorten your IP address. If the IP address is shortened, also known as “IP masking”, the last octet, i.e. the last two digits of an IP address, is deleted (in this context, the IP address is an identifier individually assigned to an Internet connection by the online access provider). By shortening the IP address, the identification of a person on the basis of their IP address is to be prevented or made considerably more difficult.
SSL encryption (https): We use SSL encryption to protect your data transmitted via our online service. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Cookies” are files that are stored on the user’s devices. Cookies can be used to store various data. This information can include, for example, the language settings on a website, the login status, a shopping basket or the location where a video was viewed.
As a rule, cookies are also used if a user’s interests or behavior (e.g. viewing of certain content, use of functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to display content to users that corresponds to their potential interests. This procedure is also referred to as “tracking”, i.e. tracking the potential interests of users. The term cookies also include other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also referred to as “user IDs”).
Revocation and objection (opt-out): Irrespective of whether processing is based on consent or legal permission, you have the option at any time to revoke a consent given or to object to the processing of your data using cookie technologies (collectively referred to as “opt-out”).
- Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. DSGVO).
We use software services (“Cloud Services”, also referred to as “Software as a Service”) that are accessible over the Internet and executed on the servers of its providers for the following purposes: document storage and administration, calendar management, e-mail delivery, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information as well as chats and participation in audio and video conferences.
Within this framework, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as set out in this data protection declaration. This data may include, in particular, master data and contact data of users, data on processes, contracts, other processes and their contents. The providers of cloud services also process usage data and metadata that they use for security purposes and to optimise services.
If we use cloud services to provide other users or publicly accessible websites with forms or other documents and content, providers may store cookies on users’ devices for the purpose of web analysis or to remember users’ settings (e.g. in the case of media control).
- Notes on legal bases: If we ask for consent to the use of cloud services, the legal basis for processing is consent. Furthermore, their use may be a component of our (pre)contractual services, provided that the use of the cloud services has been agreed within this framework. Otherwise, user data will be processed because of our legitimate interests (i.e. interest in efficient and secure administrative and collaboration processes).
- Processed data types: user-related data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Data subjects: Customers, employees (e.g. employees, applicants, former employees), interested parties, communication partners.
- Purposes of processing: Office and organizational procedures.
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a DSGVO), performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b DSGVO), legitimate interests (Art. 6 para. 1 sentence 1 lit. f DSGVO).
Services and service providers used:
Microsoft cloud services: cloud storage services; service providers: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Web site: https://microsoft.com/de-de; Privacy Statement: https://privacy.microsoft.com/de-de/privacystatement; Security Notices: https://www.microsoft.com/de-de/trustcenter; Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.
Plugins and embedded functions and content
We include in our online offer functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may be, for example, graphics, videos or social media buttons as well as contributions (hereinafter uniformly referred to as “content”).
The integration always presupposes that the third-party providers of these contents process the IP address of the users, since they could not send the contents to their browsers without the IP address. The IP address is therefore required for the presentation of these contents or functions. We endeavor to use only those contents whose respective providers only use the IP address to deliver the contents. Third party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information on the browser and operating system, websites to be referred to, visiting times and other information on the use of our online services as well as may be linked to such information from other sources.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online services and user friendliness, contractual services and service.
- Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f. DSGVO).
Services and service providers used:
Deletion of data
The data processed by us will be deleted in accordance with the statutory provisions as soon as their consent permitted for processing is revoked or other permissions lapse (e.g. if the purpose of processing this data has lapsed or it is not necessary for the purpose).
If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
Further information on the deletion of personal data can also be found in the individual data protection notices of this data protection declaration.
Modification and updating of the data protection declaration
We ask you to inform yourself regularly about the content of our data protection declaration. We will adapt the data protection declaration as soon as the changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
Rights of data subjects
Under the DSGVO, they are entitled to various rights as affected parties, which result from Articles 15 to 18 and 21 of the DSGVO:
- Right of objection: You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Art. 6 para. 1 lit. e or f DSGVO; this also applies to profiling based on these provisions. If the personal data concerning you are processed for the purpose of direct advertising, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising.
- Right of withdrawal for consents: You have the right to revoke your consent at any time.
- Right to information: You have the right to request confirmation as to whether the data concerned will be processed and to request information about this data as well as further information and a copy of the data in accordance with the legal requirements.
- Right of rectification: You have the right, in accordance with the provisions of the law, to request the completion of the data concerning you or the rectification of inaccurate data concerning you.
- Right to cancellation and limitation of processing: You have the right, in accordance with the statutory provisions, to demand that the data relating to you be deleted immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
- Right to data transfer: You have the right to receive data concerning you which you have made available to us in a structured, common and machine-readable format in accordance with the legal requirements or to demand its transfer to another responsible person.
- Complaint to supervisory authority: You also have the right, in accordance with the statutory provisions, to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the presumed infringement, if you are of the opinion that the processing of your personal data violates the DSGVO.
The supervisory authority responsible for us:
Bayerisches Landesamt für Datenschutzaufsicht
Definitions of terms
This section provides an overview of the terms used in this privacy statement. Many of the terms are taken from the law and defined above all in Art. 4 DSGVO. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to help you understand them. The terms are sorted alphabetically.
- Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more specific characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
- Data controller: a “data controller” is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- Processing: “processing” means any operation or set of operations which is carried out with or without the aid of automated processes and which is linked to personal data. The term is broad and covers practically all handling of data, be it collection, analysis, storage, transmission or erasure.