Privacy statement

Data privacy statements in accordance with the EU General Data Protection Regulation
February 2018
The following information provides you with an overview of how we process your personal data and your rights pursuant to data protection law. Essentially, which data in particular are processed and how they are used depends on the respective services agreed on or products used.
1.    Party responsible (controller) for the data processing, data protection officer
The controller is:
PERNUMA MarkingSystems GmbH
Bergmannstraße 10
88471 Laupheim
Tel.: +49 – 73 92 – 97 25 - 0
Fax +49 – 73 92 – 97 25 -11
info@pernuma.de
www.pernuma.de
2.    Data protection officer [appointed pursuant to article 37 GDPR]
You can contact our company data protection officer at
DATA-S
Mendelstraße 13
89081 Ulm
+49 731 8023688
datenschutz@data-s.de
www.data-s.de
3.    Purpose and legal basis for processing
We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Law (BDSG).
3.1.    On the basis of your consent (article 6 paragraph 1a GDPR)
If you have given your consent for us to process personal data for specific purposes, the lawfulness of the processing is based on your consent. You can withdraw your consent at any time. This also applies to withdrawal of a declaration of consent given to us before the GDPR enters into force, i.e. before 25th May 2018. Please note that the withdrawal of consent is only effective for the future. Processing that has taken place before the consent was withdrawn is not affected by this. You can request a status overview from us at any time.
3.2.    In order to comply with contractual obligations (article 6 paragraph 1 b GDPR)
Personal data are processed in the context of performance of our contracts with our customers and suppliers and also for the performance of measures prior to entering into a contract which ensue from your request, as well as for all activities necessary for the operation and administration of our company. The purposes of the data processing are primarily determined by the specific product and/or service involved.
[Description of the processing activity and of the specific purposes of processing, describe as needed]
3.3.    For compliance with legal obligations (article 6 paragraph 1c GDPR) or in the public interest (article 6 paragraph 1e GDPR)
In addition we are subject to legal obligations and legislative requirements such as [enumerate and describe requirements for special obligations]
3.4.    In the context of overriding interests (article 6 paragraph 1f GDPR)
If necessary, we process your data other than for actual performance of the contract, in order to protect our own legitimate interests or those of third parties. Examples:

    Consultation of and data exchange with credit agencies (e.g. Schufa) in order to determine credit or default risks
    Inspection and optimisation of procedure for analysis of demand and for direct customer approach including customer segmentation and calculation of probabilities of closure
    Advertising or market research and opinion surveys, if you have not objected to the use of your data
    Enforcement of legal claims and defence in legal disputes
    Guaranteeing IT security
    Prevention of offences
    Video surveillance for protection of householder’s rights and in order to gather evidence in the event of offences, and building and complex security measures (e.g. entrance controls)
    Measures to aid business management and further development of services and products

[Note: In cases in which legitimate interests are pursued in accordance with article 6 paragraph 1 lit. e and f GDPR, the obligation to inform the data subject on the right to object pursuant to article 21 paragraph 4 GDPR must be complied with. The notice must be understandable and given separately from the other information. As a result, separate information is given at the end of the model.]
4    Data transfer
Within our company, your data are transferred to the people and departments who need them to perform our contractual and legal obligations. Service providers and vicarious agents whom we employ may also receive data for these purposes, if they adhere to our written data protection terms or are bound by professional secrecy. They are essentially companies from the categories listed below:
[List relevant recipients or categories of recipients]
    Public bodies and institutions (e.g. [list correspondingly]) when there is a legal or official obligation
    Commissioned data processors or service providers to whom we transfer personal data for the performance of our business contract with you. Specifically:
[Processing activities of list of commissioned (data processing) service providers]
Support/maintenance of EDP / IT applications, archiving, document processing, call centre services, compliance services, (risk) controlling, data screening, data destruction, purchase/acquisition, space management, debt collection, customer administration, letter shops, marketing, media technology, system of registration, research, expense account, telephony, video legitimation, website management, audit services.

Other data recipients may include entities for which you have given your consent to data transfer.
5    Data transfer to third countries or international organisations
Any transfer of data to countries outside the EU or the EEA (so-called third countries) shall take place only if necessary for the fulfilment of our business relationship or legally required, or if you have given us your consent.
If, in the context of commissioned data processing, service providers based in a third country are used, said providers shall be obliged to comply both with the written requirements arising from the use of EU standard contract clauses for data protection, and to maintain European data protection standards, if the EU commission has not issued an adequacy decision regarding the level of data protection (article 45 GDPR).
An adequacy decision means that after suitable assessment the EU commission has determined that in the third country, on the basis of its national legislation and the application thereof, the existence and functioning of one or several independent supervisory authorities and the international commitments it has entered into, there is a level of protection equivalent to the level of protection guaranteed in the GDPR (so-called secure third countries). Adequacy decisions currently exist for the countries Andorra, Argentina, Faroe Islands, Israel, the Isle of Man, Canada, Guernsey, Jersey, New Zealand, Uruguay and the USA in the context of the Privacy Shield Framework.
The EU standard contractual clauses are a standard agreement on data privacy applicable between service providers and their customers, designed to ensure that personal data which leave the EEA are transferred in compliance with the European level of data protection and the requirements of the GDPR, and that enforceable rights and effective remedies are available to data subjects.
[the classic case, if necessary describe / regulate unique configuration in specific case]
6    Data storage
We process and store your personal data for as long as is necessary for the fulfilment of our contractual and legal obligations. In this context we should note that our business relationship is a continuing relationship of several years’ duration.
If the data are no longer necessary for the fulfilment of contractual or legal obligations, they will be regularly erased, unless their further – limited – processing is necessary for the following purposes:
    Compliance with retention periods relating to commercial and tax law: the commercial code and tax code should be cited, [….complete accordingly]. The periods envisaged therein for storage or documentation range from six to ten years.
    Preservation of evidence in the context of the statute of limitations: according to §§ 195 ff. of the German Civil Code (BGB) these expiry periods may last for up to 30 years, and the regular expiry period amounts to three years.

7    Your data protection rights
Every data subject has the right to information in accordance with article 15 GDPR, the right to rectification in accordance with article 16 GDPR, the right to erasure in accordance with article 17 GDPR, the right to restriction of processing in accordance with article 18 GDPR, the right to object as per article 21 GDPR and the right to data portability as per article 20 GDPR. For the right to information and erasure, the restrictions according to §§ 34 and 35 German Federal Data Protection Law BDSG apply. You also have the right to lodge a complaint with a data protection supervisory authority (article 77 GDPR in conjunction with § 19 BDSG).
You can withdraw your consent to the processing of personal data from us at any time. This also applies to withdrawal of a declaration of consent given to us before the GDPR enters into force, i.e. before 25th May 2018. Please note that the withdrawal of consent is only effective for the future. Processing that has taken place before the consent was withdrawn is not affected by this.
8    Your obligation to provide data
In the context of our business relationship, you must provide the personal data that are necessary for the acceptance and conducting of a business relationship and the fulfilment of the contractual obligations associated with it, or those we are legally obliged to collect. Without these data, in general we will have to refuse to conclude the contract or fulfil the order, or will no longer be able to carry out an existing contract and may have to terminate it.
[Provision of special data due to special legal basis as an example: In particular, in accordance with the legal provisions of [relevant law, here money laundering act] we are obliged to identify you through your identity card prior to establishing the business relationship and therefore to collect and retain your name, place and date of birth, nationality and address. In order that we may comply with this legal obligation, you must provide us with the necessary information and documents in accordance with [§ 4 paragraph 6 money laundering act] and notify us immediately of any changes that occur during the business relationship. If you do not provide us with the necessary information and documents, we may refrain from accepting or continuing the business relationship you request.]
9    Automated decision-making (including profiling)
Automated decision-making
In principle we do not use any fully automated decision-making pursuant to article 22 GDPR for the establishment and conducting of the business relationship. If we should use this procedure in individual cases, we will inform you of this separately as provided by law.
Profiling
[Example for financial service providers]
We process your data in partly automated fashion for the purpose of assessing certain personal aspects (profiling). We use profiling in the following cases, for example:
    As a result of legal regulations, we are obliged to fight against money laundering and fraud. Data analysis (during payment transactions, among others) is also used for this purpose. These measures are in place to protect you as well.
    We use analysis instruments so as to be able to provide you with targeted information and advice on products. These tools enable needs-based communication and advertising including market research and opinion surveys.
    In the context of determining your credit worthiness, we use scoring. This is a calculation of the probability that a customer will fulfil his or her contractual payment obligations. Earning capacity, expenditure, existing liabilities, profession, length of employment, experiences from business relationship to date, contractual repayment of earlier loans and information from commercial credit agencies may for example influence the calculation. The score is based on a mathematically and statistically recognised and proven method. The scores calculated help us to make decisions and form part of our usual risk management procedure.