Privacy Policy according to the GDPR

I. Name and address of the controller

The controller in terms of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the

Treuhand Weser-Ems GmbH Wirtschaftsprüfungsgesellschaft
Langenweg 55
26125 Oldenburg · Germany
Telephone: +49 (0) 441 9710-0
E-Mail: info@treuhand.de

Treuhand Rechtsberatung Hochhäusler · Wurthmann & Partner Partnerschaft von Rechtsanwälten mbB
Langenweg 55
26125 Oldenburg · Germany
Telephone: +49 (0) 441 9710-200
E-Mail: info@treuhand-recht.de

einfach.effizient. Treuhand Unternehmensberatung GmbH & Co. KG
Langenweg 55
26125 Oldenburg · Germany
Telephone: +49 (0) 441 9710-254
E-Mail: beratung@treuhand.de

hereinafter collectively referred to as the person responsible. The aforementioned are solely responsible for the other processing of personal data.

II. Name and address of the Data Security Officer

The controller’s Data Security Officer is:

Dipl.-Jurist Hendrik Sünkler
Treuhand Weser-Ems GmbH Wirtschaftsprüfungsgesellschaft
Langenweg 55
26125 Oldenburg · Germany
Telephone: +49 (0) 441 9710-328
E-Mail: suenkler@treuhand.de

III. Supervisory authority – German State’s Data Protection Commissioners

The task of the German State’s Data Protection Commissioners (LfD) is to monitor compliance with data protection regulations both by the authorities and other public authorities as well as by commercial enterprises and other non-public bodies in Lower Saxony, thus ensuring the right to informational self-determination.

Responsible authority in Lower Saxony:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover · Germany
Telephone +49 (0) 511 120-45 00
Fax +49 (0) 511 120-4599
www.lfd.niedersachsen.de

IV. General information about data processing

V. Data subject’s rights

If your personal data/information is processed, you are a data subject in terms of the GDPR and you are entitled to the following rights vis-à-vis the controller:

You can request a confirmation from the controller on whether or not we have processed your personal data.

If your personal data has been processed, you can request to be informed of the following:

  • the purposes for which the personal data is processed;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients, to whom your personal data was disclosed or will be disclosed;
  • the planned duration of the storage of your personal data or, if specific information is not available here, criteria for determining the duration of storage;
  • the existence of a right to rectification or erasure of your personal data, a right to the restriction of processing by the controller or a right to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • all available information on the source of the data if the personal data is not collected from the data subject;
  • the existence of automated decision-making including profiling according to art. 22 sec. 1 and 4 of the GDPR and - at least in these cases - conclusive information on the logic involved as well as the scope and intended effects of such processing for the data subject.

You have the right to request information on whether or not your personal data is transmitted to a third country or an international organisation. In this context, you can request being informed about the appropriate guarantees in accordance with art. 46 of the GDPR in connection with the transmission.

This right of access can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and the restriction is required to fulfil the research or statistical purposes.

You have a right to rectification and/or completion vis-à-vis the controller if your processed personal data is incorrect or incomplete. The controller must make the correction without delay.

Your right to rectification can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and the restriction is required to fulfil the research or statistical purposes.

You can request a restriction of the processing of your personal data under the following conditions:

  • if you contest the accuracy of your personal information for a period of time, which allows the controller to review the accuracy of the personal data;
  • the processing is illegal and you object to the erasure of the personal data and instead, request the restriction of the use of the personal data;
  • the controller no longer requires the personal data for the purpose of processing; however, you require it to assert, exercise or defend legal claims or
  • if you objected to processing pursuant to art. 21 sec. 1 of the GDPR and it is not yet determined whether the controller's legitimate reasons override your reasons.

If the processing of your personal data has been restricted, this data can only be processed - with the exception of its storage - with your consent and for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural person or legal entity or for reasons of a significant public interest of the Union or of a Member State.

If processing was restricted according to the preceding conditions, you will be informed by the controller before the restriction is lifted.

Your right to restriction of processing can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and the restriction is required to fulfil the research or statistical purposes.

a)     Obligation to erase

You can request the controller to immediately erase your personal data and the controller is obligated to immediately erase said data, provided that one of the following reasons applies:

  • Your personal data is no longer required for the purpose for which it was collected or otherwise processed.
  • You revoke your consent, on which the processing was based in accordance with art. 6 sec. 1 lit. a or 9 sec. 2 lit. a of the GDPR, and there is no other legal basis for processing.
  • You object to processing in accordance with art. 21 sec. 1 of the GDPR and there are no overriding legitimate reasons for said processing or you object to processing in accordance with art. 21 sec. 2 of the GDPR.
  • Your personal data was processed illegally.
  • The erasure of your personal data is required to fulfill a legal obligation under European Union law or the law of the Member States, which the controller is subject to.
  • Your personal data was collected with regard to the offers of information society services in accordance with art. 8 sec. 1 of the GDPR.

b)     Information to third parties

If the controller publicised your personal data and is obligated to erase it in accordance with art. 17 sec. 1 of the GDPR, the controller will take appropriate measures, including technical means, taking the available technology and implementation costs into account, to inform data controllers which process the personal data that you have requested them to erase all links pertaining to this personal data or copies or replications of this personal data.

c)     Exceptions

There is no right to erasure if the processing is required

  • to exercise the right to freedom of expression and information;
  • to fulfill a legal obligation required by the law of the European Union or the Member States, which the controller is subject to or to carry out a task in the public interest or is carried out in exercising official authority, which was delegated to the controller;
  • for reasons of public interest in the field of public health in accordance with art. 9 sec. 2 lit. h and i as well as art. 9 sec. 3 of the GDPR;
  • for archival purposes of public interest, scientific or historical research purposes or for statistical purposes in accordance with article 89 sec. 1 of the GDPR, to the extent that the law referred to in section a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
  • to assert, exercise or defend legal claims.

If you asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to notify all recipients, to which your personal data was disclosed, of this correction or erasure of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right to request the controller to inform you of these recipients.

You have the right to receive the personal data you provided to the controller in a structured, prevalent and machine-readable format. You also have the right to transfer this data to another controller without any hindrance by the controller the personal data was made available to, provided that

  • the processing is based on consent in accordance with art. 6 sec. 1 lit. a of the GDPR or art. 9 sec. 2 lit. a of the GDPR or on a contract in accordance with art. 6 sec. 1 lit. b of the GDPR and
  • processing is conducted using automated procedures.

In exercising this right, you also have the right to initiate that your personal data is directly transmitted to another controller by a controller, insofar as this is technically feasible. The freedoms and rights of other persons cannot be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or which takes place in exercising official authority, which was delegated to the controller.

You have the right to object to the processing of your personal data at any time for reasons that arise from your particular situation and which is carried out in accordance with art. 6 sec. 1 lit. e or f of the GDPR; this also applies to a profiling based on these provisions.

The controller will no longer process your personal data unless it can verify compelling grounds for processing worthy of protection, which override your interests, rights and freedoms or processing serves asserting, exercising or defending legal claims.

If your personal data is processed to engage in direct advertising, you have the right to object to this processing of your personal data for the purpose of such advertising at any time; this also applies to profiling, insofar as it is associated with such direct advertising.

If you object to processing for the purpose of direct advertising, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58/EC, you have the option, in connection with the use of information society services, of exercising your right to object using automated procedures, which apply technical specifications.

You also have the right, for reasons that arise from your particular situation, to object to the processing of your personal data, which takes place for scientific or historical research purposes or for statistical purposes in accordance with art. 89 sec. 1 of the GDPR.

Your right to object can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and that the restriction is required to fulfil the research or statistical purposes.

You have the right to revoke your consent in line with data privacy at any time. The revocation of consent does not affect the legality of processing conducted based on consent until the revocation has been effected.

You have the right not to be subjected to a decision-making process based solely on automated processing - including profiling - which will have a legal effect on you or which will significantly affect you in a similar manner. This does not apply if the decision

  • is required for the conclusion or implementation of a contract between you and the controller,
  • is permissible based on Union or Member State legislation, which the controller is subject to and these statutory provisions contain adequate measures, to safeguard your rights and freedoms and your legitimate interests or
  • takes place with your explicit consent.

However, these decisions cannot be based on special categories of personal data according to art. 9 sec. 1 of the GDPR, unless art. 9 sec. 2 lit. a or g of the GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.

Regarding the cases referred to in (1) and (3), the controller will take appropriate measures to uphold the rights and freedoms and your legitimate interests, which at least include the right to obtain the intervention of an individual on the part of the controller, to express one’s own position and be heard on contesting the decision.

Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your abode, place of work or place of alleged violation if you believe that the processing of your personal data violates the GDPR.

The supervisory authority the complaint was lodged with must inform the complainant of the status and results of the complaint including the possibility of a judicial remedy in accordance with art. 78 of the GDPR.

VI.  Provision of the website and generation of logfiles

Our website is provided by our provider, with whom we have concluded a job processing contract. They provide us with infrastructure, storage space on the web server and technical support for the website.

Every time our website is called up our server automatically records data and information from the computer system of the computer making the call.

The following data is collected in the process:

  • The user’s IP address,
  • Date and time of the access,
  • The http request method (GET, POST etc.),
  • The transmission protocol used (http1.0, http1.1 etc.),
  • Status information of the server (call successful, redirection etc.),
  • Data quantity transmitted,
  • Websites from which the user’s system came to our website,
  • The address of the site making the call including per GET transferred data and
  • Information about the browser type, the version used and the user’s operating system.

In the case of a security-relevant incident all headers of the http communication between the browser and server, as well as the contents sent back to the server answer, will also be logged.

The data will also be stored in our system’s logfiles. This data will not be stored together with user personal data.

The legal basis for temporary storage of data and logfiles is Art. 6 (1) f of the GDPR.

It is necessary for the system to store the IP address temporarily so as to enable the website to be delivered to the user’s computer. For this purpose, the user’s IP address has to be stored for the duration of the session.

This storage is made in logfiles so as to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. This data will not be evaluated for marketing purposes.

Our legitimate interest in these purposes can also be found in Art. 6 (1) f of the GDPR.

Data will be erased as soon as it is no longer required for the purpose of its collection. If data is recorded to provide the features of the website, this data will be erased once the relevant session has been ended.

If data is recorded in logfiles, this will be the case after fourteen days at the latest. Storage beyond this period is possible. In this case users’ IP addresses will be erased or masked so that no allocation to the client will be possible.

Recording data to provide the website and storing the data in logfiles is essential for operating the website. The user cannot object to this.

VII. Use of cookies

Our website uses cookies. Cookies are pieces of information transferred from our web server or third party-web servers to users’ web browsers and stored there to be called up later. Cookies may be small files or other types of information storage. Cookies contain characteristic strings that enable a clear identification of the browser.

We use so-called session cookies, which are only placed for the duration of the current visit to our website.

This is necessary in order to realise the functionality of our website. For example, this is the only way to enable your login status to be stored or the shopping basket to be provided and thus to use our online range at all.

A randomly generated, clear identification number will be placed in a session cookie, a so-called session ID. A cookie also includes disclosures about its origin and the duration of storage. These cookies cannot store any other data. Session cookies will be erased once you end your use of our online range and e.g. log out or close the browser.

Furthermore, currently we do not use cookies on our website, e.g. to analyse the browsing behaviour of users. The analysis of visitor access is based on the pages accessed and the data transmitted by your system.

The following data can be transmitted in this manner:

  • Search terms entered
  • Utilisation of website functions

The user data collected in this manner is pseudonymised through technical precautions.

The legal basis for processing personal data when using technically necessary cookies is Art. 6 (1) f of the GDPR.

Cookies are stored on the user’s computer and transmitted from it to our website. Therefore, you as the user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that are already stored can be erased at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website in full.

Many marketing companies use cookies to measure reach and for advertising purposes. You can object to the use of these cookies,

VIII. Web analysis by Matomo

On our website we use the open source software tool Matomo (formerly PIWIK) to analyze user behavior. If individual pages of our website are accessed, the following data is stored by the software:

  • the first two bytes of the IPv4 address or the first six bytes of the IPv6 address of the calling system of the user (anonymous form),
  • the website accessed,
  • the website from which the user accessed the called website (referrer),
  • the subpages that are called from the called web page,
  • the time spent on the site,
  • Frequency of a call of a site.

The software runs exclusively on the servers of our provider. A storage of the personal data of the users takes place only there. The data will not be passed on to third parties.

The software is configured so that IP addresses such as 123.456.789.123 or 2a01:4f8:191:5d00:136:243:202:140 are not stored completely, but the last two bytes of the IPv4 address or the last ten bytes of the IPv6 address are masked, so that an assignment of the shortened IP address 123.456.000.000 or 2a01:4f8:191:: to the calling computer is no longer possible.

The legal basis for processing personal data is Art. 6 (1) f of the GDPR.

Processing users’ personal data enables us to analyse the surfing behaviour of our users. By evaluating the data we have acquired, we are in a position to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user friendliness. Our legitimate interest in processing data for these purposes can also be found in Art. 6 (1) f of the GDPR. By anonymising the IP address users’ interests in protecting their personal data are sufficiently taken into account.

The data is deleted as soon as it is no longer needed for our recording purposes.

The deletion takes place monthly, i.e. after 31 days at the latest.

Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that all functions of the website can no longer be used to their full extent.

On our website, we offer our users the option of opting out of the analysis process. Here a cookie is set on your system, which signals to our system not to store the user's data. If the user deletes the corresponding cookie from his own system in the meantime, he must set the opt-out cookie again.

Further information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/

Alternatively, users can tell us with their browser that they do not want us to perform an analysis. The do-not-track technology we use is a way for users to decide for themselves whether their behaviour is being tracked by websites, advertising networks and social networks. If users have set their browser to "I don't want to be tracked," Matomo will not record those visits.

Instructions for Do-not-Track can be found here:

IX.  Social networks / Facebook fan page

We maintain profiles in various social networks and process your personal data in this context when you use these profiles.

We operate a fan page on the social network Facebook and access the technical platform and services of Facebook to do so.

The European Court of Justice (ECJ), in its ruling of 5 June 2018, decided that operators of a Facebook fan page are responsible for processing personal data together with Facebook. Therefore, we are responsible for our fan page together with Facebook (Article 26 of the GDPR). You will find the addendum for this purpose at:

https://www.facebook.com/legal/terms/page_controller_addendum

Information about our Facebook fan page

We must point out that you use our Facebook fan page and its functions at your own risk. This applies in particular to use of the interactive functions (e.g. commenting, sharing, rating). Alternatively, you can also call up the information offered on this site on our internet range at treuhand.de.

When visiting our Facebook page, Facebook will record your IP address and additional information that is available on your PC in the form of cookies. This information is used to provide us statistical information about the utilisation of the fan page. Facebook provides more detailed information about this matter at the following link: facebook.com/help/pages/insights

We process Facebook Insights data in our Facebook presence. This is statistical data such as the total number of calls of the site, "likes", site activities, contribution interactions, video views, contribution reach, comments, shared contents, answers, the proportion of men and women, origin related to country, town/city and language. We do not have any influence on the data provided.

We use the data provided by Facebook to make our contributions more attractive, to address target groups directly and to find the right point in time for publication.

We use Facebook Insights data as per Article 6 (1) f of the GDPR.

The data collected about you when using our fan page is processed by Facebook Ltd. and may be transmitted to countries outside the European Union. It has to be assumed that Facebook uses the data for advertising purposes, to generate user profiles and for market research purposes. Facebook describes which information it processes in a general form in its data use policies. You will also find information there about the possibility to contact Facebook and about possible settings for advertising. The data use policies are available at the following link: facebook.com/about/privacy

You will find the full Facebook data use policy here: facebook.com/full_data_use_policy

You will find additional information in the privacy information from Facebook at facebook.com/help/568137493302217

and information about page insights data at facebook.com/legal/terms/information_about_page_insights_data.

The manner in which Facebook uses data from visits to Facebook pages for its own purposes, the scope with which activities on Facebook can be attributed to individual users, how long Facebook stores this data and whether data from a visit to Facebook is transferred to third parties has not been clearly and conclusively specified by Facebook and is not known to us.

When accessing a Facebook page, the IP address allocated to your terminal will be transmitted to Facebook. According to information from Facebook, these IP addresses will be anonymised and erased after 90 days. Facebook also stores data about its users’ terminal (e.g. using the function "Login alerts"); this may make it possible for Facebook to attribute IP addresses to individual users.

If you are currently logged in to Facebook as a user, there will be a cookie on your terminal with your Facebook identifier. This puts Facebook in a position to trace that you have visited this page and how you used it. This also applies to all other Facebook pages. Advertising and content tailored to you can be offered on the basis of this data.

If you want to prevent this, you should log out of Facebook or deactivate the function "stay logged in", erase the cookies on your terminal, close your browser and restart. In this manner Facebook will erase information that can be used to identify you directly. So you can use our Facebook page without your Facebook identifier being disclosed. If you access interactive functions of the page (like, comment, share, news etc.), a Facebook login screen will appear. After logging in you will once again be recognisable to Facebook as an identifiable person.

You will find information about how you can administer or erase available information on the following Facebook support pages: facebook.com/about/privacy#.php.

X. Contact form and email contact

There is a contact form on our website that can be used to make contact electronically. If the user makes use of this possibility, all the data entered in the relevant screen will be transmitted to us and stored.

The following data will also be stored at the time of sending the message:

  • The user’s IP address,
  • Date and time of registration

Your consent will be obtained to process the data during the sending procedure and you will be referred to this Privacy Policy.

Alternatively, it is possible to make contact using the email address provided. In this case the user’s personal data transmitted with the email will be stored.

No data will be transferred to third parties in this connection. The data will be used exclusively to process the conversation.

The legal basis for processing this data is the existence of the user’s consent as per Art. 6 (1) a of the GDPR.

The legal basis for processing the data transmitted when sending an email is Art. 6 (1) f of the GDPR. If the aim of the email contact is to conclude a contract, an additional legal basis for this processing is Art. 6 (1) b of the GDPR.

The collection of the user’s email address is intended to deliver the newsletter.

The collection of any other personal data as part of the login procedure is intended to prevent any misuse of the services or the email address used and as proof that you have subscribed to the newsletter.

Data will be erased as soon as it is no longer required for the purpose of its collection. Accordingly, the user's email address will be stored for as long as the newsletter subscription is active. Due to the burden of proof this also applies to any other personal data collected as part of the login procedure.

XI. Newsletter

You can subscribe to a free newsletter on our website. When registering for the newsletter, the data from the input mask is transmitted to us.

In addition, the following data is collected during registration:

  • The user’s IP address,
  • Date and time of registration/activation of the subscription

Your consent will be obtained for the processing of your data during the registration process and reference will be made to this data protection declaration.

No data will be passed on to third parties in connection with data processing for the dispatch of newsletters. The data will be used exclusively for sending the newsletter.

The legal basis for processing this data is the existence of the user’s consent as per Art. 6 (1) a of the GDPR.

The collection of the user’s email address is intended to deliver the newsletter.

The collection of any other personal data as part of the login procedure is intended to prevent any misuse of the services or the email address used and as proof that you have subscribed to the newsletter.

Data will be erased as soon as it is no longer required for the purpose of its collection. Accordingly, the user's email address will be stored for as long as the newsletter subscription is active. Due to the burden of proof this also applies to any other personal data collected as part of the login procedure.

Data subjects can cancel a subscription to the newsletter at any time. There is a link for this purpose in every newsletter. This also withdraws consent to the storage of personal data collected during the login procedure.

XII. Inclusion of third-party contents and services

Within our online range we use third-party provider offers so as to include their contents and services, such as fonts, graphics, videos, maps, information etc. When calling up our website your browser will make a direct connection with the third-party provider’s servers so as to display the necessary contents. As a result, the corresponding third-party provider will receive information about the time and contents of use of this website, including users’ IP addresses. Depending on the service, additional information (e.g. geo-data for a route planner) may also be transmitted to the third-party provider.

We do not have any influence over the scope, further processing or use of data collected by third-party providers.

Third-party providers frequently use cookies so as to analyse user behaviour across different websites and to combine this information with other sources. This also applies to the use of so-called web beacons, small invisible graphics used for statistical or marketing purposes.

We refer to the third-party provider privacy policies for the concrete scope of data processing.

The legal basis for processing this data is Art. 6 (1) f of the GDPR. Third-party providers that process data outside the EU, process it in accordance with the Privacy Shield Framework.

The purpose of data collection and further processing of the data can be taken from the third-party providers’ privacy policies.

The duration of storage of the data can be taken from the third-party providers’ privacy policies.

You can generally prevent the integration of contents and services from third parties on our website by deactivating the use of Javascript in your browser. If the use of Javascript is deactivated for our website, it may no longer be possible to use all the functions of the website in full.

We refer to the third-party providers’ privacy policies for the possibility to object and for rectification.

We have integrated the following third-party contents and services:

Content:

Maps from OpenStreetMap (via proxy so the user’s IP address is not transmitted to the third-party provider)

Third-party supplier:

Openstreetmap Foundation
132 Maney Hill Road
Sutton Coldfield
West Midlands B72 1JU
United Kingdom

Data protection: https://wiki.openstreetmap.org/wiki/Privacy_Policy.

XIII. Access via mobile application

We offer an application called "TREUHAND WESER-EMS" in the Apple App Store. The application is a web browser extended by additional functions, which initially serves to access our website alt.treuhand.de. In this respect, the above data protection notices apply.
Third-party websites can also be accessed via the web browser, for example if you follow links on our website. Since we are not responsible under data protection law for these third-party offers, in these cases the data protection notices of the respective providers apply.
If you give your consent to the delivery of push notifications when setting up the application, we will use the Amazon Simple Notification Service (SNS) to send you these push notifications to your device. The Amazon Simple Notification Service is a service provided by Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA. To do this, an identification number that uniquely identifies your device is transmitted to Amazon's servers. In addition to this identification number, the version of the operating system you are using and the date of your consent will also be collected and stored.

The legal basis for processing is Art. 6 sec. 1 lit. a GDPR (consent).

The data is processed for the purpose of sending you push notifications to your terminal device.

The storage takes place as long as you use our mobile application.

You can revoke or give your consent to the delivery of push notifications at any time in the settings of your device (settings => TREUHAND => notifications).