Data Privacy Statement for www.profitbricks.de in line with GDPR

I. Validity of this Data Privacy Statement

These data privacy statements also apply to the following web sites:

II. Name and address of the controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:
 
ProfitBricks GmbH
Greifswalder Str. 207
10405 Berlin
Telephone: +49 30 57700-850
Fax: +49 30 57700-8598
Email: info@profitbricks.de
 
Name and address of the Data Protection Officer
The Data Protection Officer of the controller is:

datarea GmbH
Mr Mike Rasch
Meißner Straße 103
01445 Radebeul
Germany
Tel.: 0351 20 25 14 26
Email: info@datarea.de
Website: www.datarea.de
 

III. General information about data processing

1. Scope of personal data processing

We process personal data of our users only to the extent necessary to provide a functioning website and our content and services. Our users' personal data are processed regularly only with the consent of the user. An exception to this is in cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis provided that we have obtained consent from the data subject. Article 6(1)(b) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the performance of a contract to which the data subject is a party. This also applies to processing operations required to carry out pre-contractual actions. Article 6(1)(c) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the performance of a contract to which our company is a party. Article 6(1)(d) of the GDPR serves as the legal basis in the event that the data subject's vital interests or those of another natural person require the processing of personal data. Article 6(1)(f) of the GDPR serves as the legal basis if the processing is necessary to safeguard the interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the controller's interest.

3. Data deletion and retention duration

The data subject's personal data shall be deleted or blocked as soon as the purpose of the retention ceases to apply. In addition, storage may be provided for by the European or national legislators in EU regulations, laws or other regulations to which the controller is subject. The data shall also be blocked or deleted when a storage period prescribed by the specified standards expires, unless there is a need for further storage of the data for conclusion of a contract or performance of the contract.
 

IV. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the visiting computer. The following data are collected:
  1. Information on the browser type and the version used
  2. The user's operating system
  3. The user’s Internet Service Provider
  4. The user's IP address
  5. Date and time of access
  6. Websites from which the user's system accesses our website
  7. Websites that the user's system accesses through our website
  8. Name and URL of the accessed file
  9. Message if the access was successful
The data are also stored in the log files of our system. These data are not stored with the user's other personal data.

2. Legal basis for data processing

Article 6(1)(f) of the GDPR is the legal basis for the temporary storage of the data and the log files.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary to allow delivery of the website to the user's computer. The user's IP address must be kept for the duration of the session for this. Storage of the data in log files is done to ensure the functionality of the website. The data are also used to optimize the website and to ensure the security of our IT systems. The data are not used for marketing purposes in this context. These purposes also constitute our legitimate interest in the processing of the data pursuant to Article 6(1)(f) of the GDPR.

4. Retention duration

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. In the case of collecting the data to provide the website, this is the case when the respective session has ended. In the case of storing the data in log files, this is the case after no more than seven days. Retention beyond that period is possible. In this case, the users' IP addresses are deleted or distorted so that an assignment of the visiting client is no longer possible.

5. Opt-out and removal option

The collection of data for provision of the website and retention of the data in log files is essential for the web site's operation. The user therefore does not have the option to opt out.
 

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that allows the browser to be uniquely identified when the website is revisited.

We use cookies to make our website more user-friendly. Some elements of our Internet pages require that the visiting browser can be identified even after a move to a different page. The following data are stored and transmitted in the cookies:
  1. Language settings
  2. Log in information
  3. Browser type/browser version
  4. Operating system used
  5. Referrer URL
  6. Host name of the visiting computer
  7. Time of the server request

2. Legal basis for data processing

The legal basis for processing personal data while using cookies is Article 6(1)(f) of the GDPR.
 
3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some features of our website cannot be offered without the use of cookies. In this case, it is necessary that the browser is recognized again even after going to another page.

For the following applications we require cookies:
  1. Contact
  2. Log in information
  3. Product and support inquiries
  4. Information request
  5. Transfer of language settings
  6. Remembering keywords

The user data gathered by means of technically essential cookies are not used to create user profiles.
These purposes also constitute our legitimate interest in the processing of the personal data pursuant to Article 6(1)(f) of the GDPR.

4. Retention duration, opt-out and erasure options

Cookies are stored on the user’s computer and transmitted to us by the computer. Therefore, as the user you also have full control of the use of cookies. You can disable or restrict the transmission of cookies by changing the settings in your browser. You can delete any already stored cookies at any time. This can also be automated. If cookies are disabled for our website, you may not be able to use all the functions of the website to the fullest extent.
 

VI. Registration

1. Description and scope of data processing

On our website we offer users the option to register by entering personal data. The data are entered into an input mask and then transmitted to us and stored. We will not disclose this data to third parties. The following data are collected during the registration process:
 
The following data are stored at the time of registration:
  1. Salutation
  2. First name, last name / company name (if necessary, note on representation),
  3. Address (street, house number, post code, city and state),
  4. E-mail address, telephone and fax number
  5. Date of birth
  6. Bank connection (IBAN, sort code account number, account holder / issuing organization and credit card number)
  7. Sales tax identification number
  8. Access identifier (password)

The user's consent to processing of these data is obtained in the registration process.

2. Legal basis for data processing

The legal basis for processing the data is the existence of the user's consent pursuant to Article 6(1)(a) of the GDPR. If the purpose of registration is to perform a contract to which the user is party or to take steps prior to entering into a contract, an additional legal basis for processing of the data is Article 6(1)(b) of the GDPR.

3. Purpose of data processing

Registration of the user is required for maintaining certain content on services on our website.
This relates particularly to concluding a contract for our products and services. It is also necessary to meet contractual obligations and to be able to perform services you order.

4. Retention duration

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. This is the case during the registration process for performing a contract or for implementing pre-contractual measures if the data are no longer required for implementing the contract. Concluding an agreement may also result in the necessity to store personal data in order to meet contractual or statutory obligations.

This relates particularly to the statutory retention periods for tax, trading, company and civil law requirements, and in particular also in the context of warranty periods.

5. Opt-out and removal option

As user you have the option to cancel your registration at any time. You can request modification of the data stored about you at any time. If the data are necessary to meet an agreement or implement pre-contractual measures, then early erasure of data is possible only to the extent that this is not opposed by contractual or statutory obligations.
 

VII. Contact form and e-mail contact

1. Description and scope of data processing

A contact form that can be used to make contact electronically is available on our website. If a user makes use of this option, the data entered in the input screen are sent to us and stored. The following data are also stored at the time the message is sent:
  1. The user's IP address
  2. Date and time of the contact
  3. Name
  4. E-mail and telephone
  5. Message
  6. Company
  7. Description

During the sending process your consent to the processing of the data is granted and reference is made to this privacy policy. Alternatively you can contact us via the provided e-mail address. In this case, the user's personal data that are transmitted by e-mail will be stored.
 
The data in this context will not be disclosed to third parties. The data are used exclusively for processing the communication.

2. Legal basis for data processing

The legal basis for processing the data is the existence of the user's consent pursuant to Article 6(1)(a) of the GDPR. The legal basis for processing the data that are transmitted when an e-mail is sent is Article 6(1)(f) of the GDPR. If the e-mail contact is intended to conclude a contract, an additional legal basis for processing is Article 6(1)(b) of the GDPR.

3. Purpose of data processing

The processing of personal data from the input mask is only used to process the contact. In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data. The other personal data processed during the sending process are intended to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Retention duration

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. For the personal data from the input screen of the contact form and the personal data sent by e-mail, this is the case when the respective conversation with the user is ended. The conversation is ended when it is apparent from the context that the matter concerned has been definitively resolved. The personal data additionally gathered during the sending process are erased after a period of seven days at the latest.

5. Opt-out and removal option

The user has the option of revoking their consent to the processing of the personal data at any time. If the user contacts us by e-mail, they may object to the storage of their personal data at any time. In this case, we will be unable to continue the conversation.
 
ProfitBricks GmbH
Greifswalder Str. 207
10405 Berlin
Tel.: +49 30 57700-850
Fax: +49 30 57700-8598
E-mail: info@profitbricks.de
 
This can be done by post or by e-mail. All personal data stored in the course of establishing contact will be deleted in this case.
 

VIII. Web analysis by Matomo (formerly PIWIK)

1. Scope of personal data processing

On our website, we use the open-source software tool Matomo (formerly PIWIK) to analyze our users' surfing behavior. The software deposits a cookie on the user's computer (see above for details of cookies). If individual pages of our website are called up, the following data are stored:
  1. Two bytes of the IP address of the user's accessing system
  2. The accessed website
  3. The website from which the user reached the accessed website (referrer)
  4. The subpages accessed from the accessed website
  5. The time spent on the website
  6. The frequency of access to the website

The software only runs on the servers of our website. The users' personal data are only stored there. The data are not forwarded to third parties.
 
The software is configured in such a way that the IP addresses are not fully stored; instead, 2 bytes of the IP address are concealed (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to associate the abbreviated IP address with the accessing computer.

2. Legal basis for the processing of personal data

Article 6(1)(f) of the GDPR is the legal basis for processing the user’s personal data.

3. Purpose of data processing

Processing the user’s personal data allows an analysis of the surfing behavior of our users. Evaluating the extracted data allows us to compile information on the use of individual components of our website. This helps us to constantly improve our website and make it more user-friendly. These purposes also constitute our legitimate interest in the processing of the data pursuant to Article 6(1)(f) of the GDPR. The users' interest in protection of their personal data is sufficiently taken into account through anonymization of the IP address.

4. Retention duration

The data will be deleted as soon as they are no longer necessary for our recording purposes. In our case this occurs at the latest after twelve months.

5. Opt-out and removal option

Cookies are stored on the user’s computer and transmitted to us by the computer. Therefore, as the user you also have full control of the use of cookies. You can disable or restrict the transmission of cookies by changing the settings in your browser. You can delete any already stored cookies at any time. This can also be automated. If cookies are disabled for our website, you may not be able to use all the functions of the website to the fullest extent.

On our website, we give our users the opportunity to opt out of the analysis process. To do this, they must follow the relevant link. In this way, a further cookie is deposited on their system, telling our system not to store the user's data. If the user erases the corresponding cookie from their own system in the meantime, they must redeposit the opt-out cookie.

Further information on the privacy settings of the Matomo software can be found via the following link.
 

IX. Transfer of personal data to third parties

1. For contract performance

a) Logistics and transportation companies

In the context of contract performance, your personal data are transferred to logistics and transportation companies.
  • aa) Legal basis for processing personal data: The legal basis for processing and transferring personal data to logistics and transportation companies is Article 6(1)(f) of the GDPR.
  • bb) Purpose for processing and transferring personal data: The purpose of processing or transferring your personal data is performance of the contractual obligation (delivery of the performance under the agreement).

b) Banks, payment service providers and settlement companies (e.g. Paypal, credit card companies, collection service providers)
  • aa) Legal basis for processing personal data: The legal basis for processing and transferring personal data to logistics and transportation companies is Article 6(1)(b) of the GDPR and for enforcement of past due claims Article 6(1)(f) of the GDPR.
  • bb) Purpose for processing and transferring personal data: Purpose of processing and transferring is settlement and debiting of contractual claims and invoices to perform contractual relationships.

c) Retention duration for a) and b)

Data collected are generally deleted if they are no longer needed. Thus erasure is possible at the latest with the expiry of the relevant statutory retention periods. These are generally between three and ten years. 

d) Opt-out and removal option

As user you have the option to cancel your application at any time. Your stored personal data may be changed at any time.
If the data are necessary to meet an agreement or implement pre-contractual measures, then an early erasure of data is possible only to the extent that this is not opposed by contractual or statutory obligations.

2. Google Analytics

a) Scope of personal data processing

This website uses Google Analytics, a Google web analysis service (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies saved on your computer, allowing an analysis of use. These are cookies from Google itself and so-called third-party cookies. The information generated by the cookies on the use of this website is generally transferred to a Google server in the USA and saved there. For processing compliant with data protection, we deploy the “gat._anonymizeIp();” code to ensure anonymized recording of IP addresses (so-called IP masking).

b) Legal basis for processing personal data

The legal basis for processing personal data for using Google Analytics is Article 6(1)(f) of the GDPR. The legal basis for processing the data is the existence of the user's consent pursuant to Article 6(1)(a) of the GDPR.

c) Purpose of data processing

This website uses Google Analytics to allow an analysis of use. Processing the user’s personal data allows an analysis of the surfing behavior of our users. Evaluating the extracted data allows us to compile information on the use of individual components of our website. This helps us to constantly improve our website and make it more user-friendly. These purposes also constitute our legitimate interest in the processing of the data pursuant to Article 6(1)(f) of the GDPR. The users' interest in protection of their personal data is sufficiently taken into account through anonymization of the IP address.

d) Retention duration

Data collected are generally deleted if they are no longer needed. Thus erasure is possible at the latest with the expiry of the relevant statutory retention periods. These are generally between three and ten years. 

e) Opt-out and removal option

The data subject's personal data shall be deleted or blocked as soon as the purpose of the retention ceases to apply. In addition, storage may be provided for by the European or national legislators in EU regulations, laws or other regulations to which the controller is subject. The data shall also be blocked or deleted when a storage period prescribed by the specified standards expires, unless there is a need for further storage of the data for conclusion of a contract or performance of the contract.
 
Please address your withdrawal and erasure inquiry to:
 
ProfitBricks GmbH
Greifswalder Str. 207
10405 Berlin
Tel.: +49 30 57700-850
Fax: +49 30 57700-8598
E-mail: info@profitbricks.de
 
This can be done in writing or also by e-mail.
 
In this case, all personal data stored in the course of the contract will be deleted, as far as this is possible and none of the above conditions oppose this.

3. Presence of third parties (Google Maps, YouTube, etc.)

In the context of our online offer, it is possible that our web page integrates contents of third parties, such as YouTube, Google Maps or graphics. Here it is normal that the IP address is transferred to third parties to use the services (e.g. display in the browser). In principle we have no influence on how the third party operates with the data.
 
Please refer to the relevant data protection information of the browser plug-ins from the providers:

4. Plugins

a) Facebook-Plugins (Like-Button)

Our pages integrate plugins of the Facebook social network operated by Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You recognize the Facebook plugins with the Facebook logo or the “Like” button on our page. You can find an overview on the Facebook plugins here: https://developers.facebook.com/docs/plugins.

If you visit our website, a direct connection between your browser and the Facebook server is established using the plugin. As a result, Facebook receives the information that you have visited our page with your IP address. If you click on the Facebook “Like” button while you are logged into your Facebook account, you can link the contents of our pages to your Facebook profile. As a result, Facebook can allocate the visit on our pages to your user account. Please note that as provider of the pages we have no knowledge of the contents of the data transferred or their use by Facebook. You can find more information on this in Facebook’s privacy policy at https://de-de.facebook.com/policy.php. If you do not want Facebook to assign the visit of our pages to your Facebook user account, please log out of your Facebook user account.

b) Twitter

Our pages use features of the Twitter service. These features are offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “Re-Tweet” feature the pages you visited are linked to your Twitter account and notified to other users. In doing so, data is also transferred to Twitter. Please note that as provider of the pages we have no knowledge of the contents of the data transferred or their use by Twitter. You can find more information on this in Twitter’s privacy policy at https://twitter.com/privacy.
You can change your Twitter privacy settings in the account settings at: https://twitter.com/account/settings.

c) Google+

Our pages use features of Google+. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Recording and transferring information: Using the Google+ button you can publish information worldwide. Using the Google+ button, you and other users can obtain personalized contents from Google and our partners. Google stores both the information that you have provided for content +1 and the information on the page you have viewed when clicking +1. Your +1 can be shown as information together with your profile name and your photo in Google services, such as search results or in your Google profile, or at other places on websites and displays on the Internet.

Google records information on your +1 activities to improve Google services for you and others. In order to use the Google+ button, you need to have a globally visible public Google profile which must contain at least the name selected for the profile. This name is used in all Google services. In some cases, this name may also replace another name which you have used when sharing contents using your Google account. The identity of your Google profile can be shown to users who know your e-mail address or have other identifying information about you.

Use of the recorded information: In addition to the above purposes, the information provided by you is used in line with the currently valid Google data privacy regulations. Google may publish combined statistics on the +1 activities of users and transfer these to users and partners, such as publishers, advertisers or associated websites.

d) LinkedIn

Our website uses features of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA. Every time someone opens one of our pages that includes LinkedIn features, this establishes a connection to LinkedIn's servers. LinkedIn is notified that you have used your IP address to visit our website.

If you click the LinkedIn “Recommend” button and are logged into your LinkedIn account, this allows LinkedIn to associate your visit to our website with you and your user account. Please note that as provider of the pages we have no knowledge of the contents of the data transferred or their use by LinkedIn. You can find more information on this in LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy

e) XING

Our website uses features of the XING network. The provider is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Every time someone opens one of our pages that includes XING features, a connection to XING's servers is established. According to our knowledge, there is no storage of personal data here. In particular no IP addresses are stored or user behavior analyzed. For further information on data protection and the XING Share button, refer to XING’s data protection declaration at:
https://www.xing.com/app/share?op=data_protection
 

X. Rights of the data subject

If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the data controller:

1. Right of access

You have the right to ask the data protection officer to confirm if we are processing your personal data. If this is the case, you have the right to ask the data controller for the following information:
  1. the purposes for which the personal data are processed;
  2. the categories of personal data that are being processed;
  3. the recipients or categories of recipients of the personal data to whom your personal data was or will be disclosed;
  4. the envisaged period in which your personal data will be stored or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. any available information as to the source of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to obtain information as to whether your personal data will be transferred to a third country or international organization. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

2. Right to rectification

You have the right to ask the controller to rectify and/or complete your personal data if the processed personal data are incorrect or incomplete. The controller is obligated to rectify the data without undue delay.

3. Right to restriction of processing

Subject to the following conditions, you can request restriction of processing of your personal data:

(1) If you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal data;
(2) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
(4) If you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

If processing of your personal data has been restricted, this personal data shall (with the exception of storage) only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted under the above conditions, you will be notified by the data controller before the restriction is lifted.

4. Right to erasure

a) Obligation to delete

You have the right to request from the controller the erasure of your personal data without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
  1. Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. You withdraw your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
  3. You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2);
  4. Your personal data have been unlawfully processed;
  5. Your personal data have to be deleted for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Information to third parties

Where the controller has made your personal data public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions

There is no right to erasure of the personal data if the processing is necessary:
  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defense of legal claims.

5. Right to reporting

If you have asserted your right of rectification, erasure or restriction of processing to the controller, he/she is obliged to notify all of the recipients to whom your personal data have been disclosed of the correction or erasure of the data or restriction of processing, unless it proves to be impossible or involves a disproportionate effort. You have the right to be informed by the controller about these recipients.

6. Right to data portability

You have the right to receive the personal data you provide to the controller in a structured, common and machine-readable format. You also have the right to transmit that data to another controller without hindrance by the controller to which the personal data have been provided, where:
  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other people may not be affected.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. If your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of the personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services (notwithstanding Directive 2002/58/EC), you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw consent

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
  1. is necessary for entering into, or performance of, a contract between you and the data controller;
  2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

With regard to the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

The supervisory authority responsible for us is:

Berlin Officer for Data Privacy and Freedom of Information
Maja Smoltczyk
An der Urania 4-10
10787 Berlin
Tel.: 030/138 89-0
Fax: 030/215 50 50
E-mail: mailbox@datenschutz-berlin.de

Data Protection Notice for Customers and Other Parties


With the following information, we would like to provide you with an overview of our processing of your personal data and your rights under data protection legislation.

Who is responsible for data processing and who should I address?

Responsible:

ProfitBricks GmbH
Greifswalder Str. 207
10405 Berlin
Tel.: +49 30 57700-850
Fax: +49 30 57700-8598
E-mail: info@profitbricks.de


You can reach our company Data Protection Office at:
datarea GmbH
Meißner Straße 103, 01445 Radebeul
Tel.: +49 351 20 25 14 26
E-mail: info@datarea.de

What sources and data do we use?

We process personal data which we receive from our customers and our business partners in the context of our business relationships. In addition, to the extent necessary for providing our service, we process personal data permissibly obtained from publicly accessible sources (e.g. debtor records, land registers, trading or association registers, press, Internet) or legitimately transferred to us from other companies or third parties (e.g. credit agencies).

Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality), identification data (e.g. personal document data, tax identification number, pension insurance number, etc.) and order data (e.g. payment order). In addition, this can also be data from the performance of our contractual obligations, information on your financial situation (e.g. creditworthiness data, scoring or rating data), credit-relevant data (e.g. income and expenditure), documentation data (e.g. advice record) and other data comparable with the above categories.

Why do we process your data (purpose of processing) and on what legal basis?

We process personal data in line with the regulations of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a) To meet contractual obligations (Article 6 (1b) GDPR)

Data is processed to perform or fulfill contractual obligations between ProfitBricks GmbH and our business partners and customers. These include logistics companies, mail order companies, credit agencies, lawyers and other business partners necessary for performing and enforcing contracts. This includes transferring personal information such as name, address, date of birth, invoices and other invoice and financial data such as tax number, commercial register number, etc.

b) In the context of balancing interests (Article 6 (1 f) GDPR)

If required, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties. For example, for consultation and data exchange with credit agencies, enforcing legal claims and defense of legal disputes or investigation of crimes or for measures relating to business management and the further development of services and products.

c) Due to your consent (Article 6 (1 a) GDPR)

Provided you have granted us consent for processing personal data for specific purposes (e.g. for sending information, preparation of offers, etc.), the lawfulness of this agreement is given on the basis of your consent. Consent granted can be withdrawn at any time. This also applies to withdrawing declarations of consent granted to us before GDPR applied, i.e. before May 25, 2018. The withdrawal of consent applies only for the future and does not impact the lawfulness of the data processed until its withdrawal.

Who receives my data?

Within ProfitBricks GmbH those departments receive access to your data that need them for performing contractual obligations, and for settling and enforcing claims originating from the contractual relationship.

In addition, personal data for the purpose of the contract for performing and providing our service can be requested from business partners necessary for this purpose. Examples include suppliers, logistics companies, credit agencies, debt registers and similar. Further data recipients are those bodies for which you have granted consent to transfer data or for which we are authorized to transfer personal data on the basis of a balancing interest.
 

Are data transferred to a third country or to an international organization?

In principle there is no transmission of personal data to countries outside the European Union (so-called third states) unless it is prescribed by law (e.g. tax reporting obligations) or you have granted us consent.

How long will my data be stored?

We process and store your personal data only as long as is needed for performing our contractual and statutory obligations. If data are no longer required for performing the obligations, they are regularly erased, unless their processing is required for the following purposes for a limited period:
  • Fulfilling trade and tax law retention period obligations which could result from, for example, the German Commercial Code or the German Tax Code (AO). The periods for retaining documents prescribed there are generally between two and ten years.
  • Maintaining evidence in the context of the statutory retention periods. According to Sections 195 ff. of the German Civil Code (BGB), these retention periods can be up to 30 years, with the regular retention period being three years.

What data protection rights do I have?

Each data subject has the right of access according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right of objection from Article 21 GDPR and the right to data portability from Article 20 GDPR. For the right to access and erasure, the restrictions in line with Sections 34 and 35 BDSG apply. There is also a right to lodge a complaint at a responsible data protection authority (Article 77 GDPR in connection with Section 19 BDSG).

You may withdraw consent granted for processing personal data at any time. This also applies to withdrawing declarations of consent granted to us before GDPR applied, i.e. before May 25, 2018. Please note that the withdrawal has effect only for the future. Processing which occurred before the withdrawal is not impacted.

Is there an obligation for me to provide data?

In the context of our business relationships you must provide the personal data required for initiation, implementation and ending of a business relationship and to perform the related contractual obligations or for whose collection we have a statutory obligation. Without these data we are not generally able to conclude an agreement with you, to implement it or terminate it.

To what extent does automated decision-making take place?

To establish and implement our business relationships, in principle we do not use fully automated decision-making processes in accordance with Article 22 GDPR. If we deploy this methodology in individual cases, you will be provided separately with information on the matter and your relevant rights to the extent this is prescribed by law.
 

Information on your right to object in accordance with Article 21 GDPR

 
Right to object in individual cases
 
You have the right to object, on grounds relating to your particular situation, to the processing of personal data relating to you which is based on Article 6 (1 e) GDPR (data processing in the public interest) and Article 6 (1 f) GDPR (data processing based on a consideration of interests); this also applies to profiling based on this provision in the meaning of Article 4 (4) GDPR.

If you lodge an objection, we will no longer process your personal data, unless we can demonstrate compelling grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Recipient of the objection

The objection can be lodged without form under the heading “Objection”, stating your name, your address and your date of birth. It should be addressed to:

ProfitBricks GmbH
Greifswalder Str. 207
10405 Berlin
Tel.: +49 30 57700-850
Fax: +49 30 57700-8598
E-mail: info@profitbricks.de
 

Change of the Privacy Policy

Due to the further development of our website, sovereign requirements or the implementation of new technologies, it may be necessary to change this privacy policy. ProfitBricks reserves the right to change the Privacy Policy at any time with future effect. We recommend that you review the current privacy policy from time to time.

If you have any questions, you can also contact us using the contact details given above.
 



Updated on 25 May 2018