The requirements of the EU General Data Protection Regulation (hereinafter: GDPR) have been applicable in Europe since 25 May 2018. We want to inform you of the processing of personal data carried out by TBi Industries GmbH (hereinafter: TBi) in accordance with this new regulation (in line with Article 13 of the GDPR) below.
Table of contents
- Name and contact details for the controller responsible for processing and the data protection officer
Purposes of data processing, legal bases and legitimate interests pursued by TBi or a third party, and categories of recipients
- 3.1. Accessing our website
- 3.2. Concluding, executing or terminating a contract
- 3.3. Data processing for the purposes of marketing
- 3.4. Processing applications
- 3.5. Processing requests
- Your rights
- Data security measures
The following data protection notice informs you of the type and scope of the processing of personal data by TBi. Personal data is any data that can be used to personally identify you.
Data processing by TBi can generally be split into four categories:
- When accessing TBi’s website, various information is exchanged between your end device and our server and is automatically collected. This may include personal data. Among other things, the information collected in such a way is used to ensure that our website is provided without errors.
- Any data required for the purposes of processing requests, preparing to conclude contracts and executing contracts with TBi is processed. If external service providers are also involved in the processing of a contract, e.g. logistics companies or credit agencies, your data will be shared with them to the extent required.
- We use data collected from you as part of contract processing for the purpose of informing you of products, offers and campaigns from time to time.
- To be able to processes applications sent to us, we process any data required for this and, if necessary, get in touch with you using the available channels.
In accordance with GDPR requirements, you have various rights that you are able to exercise against us. This includes, but is not limited to, the right to object to selected data processing, with particular reference to data processing for the purposes of marketing.
If you have any questions about our data protection notice, please contact our data protection officer at any time. You can find contact details below.
2. Name and contact details for the controller responsible for processing and the data protection officer
This data protection notice applies to data processing by TBi Industries GmbH, Ruhberg 14, 35463 Fernwald-Steinbach (‘controller’). The data protection officer for TBi Industries GmbH can be contacted at the above-mentioned address, ‘Datenschutz/Data Protection department’, and at DSB@datadepot.de.
3. Purposes of data processing, legal bases and legitimate interests pursued by TBi or a third party, and categories of recipients
3.1. Accessing our website
When accessing our website, information is automatically sent to our website’s server by the browser used on your end device and temporarily stored in ‘log files’. The following data is also collected without any action on your part and is stored until it is automatically erased:
- the IP address of the web-enabled device accessing the website;
- the date and time of access;
- the name of the domain accessed;
- the name and URL of the file accessed;
- the status code (data delivery success);
- the website from which access has been requested (referrer URL); and
- the browser you use and possibly also the operating system of the web-enabled device as well as the name of your access provider.
The legal basis for processing the IP address is point f) of Article 6 (1) of the GDPR. Our legitimate interests are based on the list of purposes for collecting data below. We are unable to directly identify you from the data collected.
We use your end device’s IP address and other data listed above for the following purposes:
- to ensure a smooth connection is established;
- to ensure that the use of our website is convenient;
- to optimise the development of our website’s content;
- to ensure system security and stability; and
- to prosecute misuse, illegal or criminal activity.
Data is only stored for as long as it is required to fulfil the purpose for which it was stored. It is then erased, generally no later than after 30 days.
3.2. Concluding, executing or terminating a contract
3.2.1. Data processing in connection with contract conclusion
TBi’s business activities are developing, manufacturing, trading and selling goods included in its range. In this regard, we process data required to conclude, execute and terminate the contract with you. This includes:
- salutation, title, first name, surname;
- billing and delivery address;
- contact details (e.g. e-mail address, telephone number);
- billing and payment details;
- order history; and
- possibly also other data provided by you that is relevant for the contract.
The legal basis for this is point b) of Article 6 (1) of the GDPR (i.e. you provide us with the data on the basis of the contractual relationship between you and us or implement pre-contractual measures) or point c) of Article 6 (1) (processing is required for compliance with a legal obligation to which the controller is subject). We may also process personal data concerning you if this is required to safeguard against legal claims exercised against us. The legal basis for this is point f) of Article 6 (1) of the GDPR; the legitimate interest could, for example, be the burden of proof in proceedings. If you do not provide the necessary data we require to draft or execute the contract, we will be unable to enter into or execute a contractual relationship with you.
We store the data collected for contract processing at least until legal or potentially contractual warranty or guarantee rights expire or for as long as we require the data for our legitimate interests. Further legal retention periods remain unaffected, i.e. we will store your data for the longest of the above-mentioned time frames.
The following data processing is also required to process purchase agreements:
We share delivery address details with logistics companies contracted by us for the purposes of processing the purchase agreement. If necessary, we also send your e-mail address and/or telephone number to the logistics company contracted by us to ensure that goods are delivered as you wish. The logistics company may contact you before the delivery to inform you of the delivery time or to agree specifics with you with respect to the delivery. Data is only transmitted for this purpose.
3.2.2. Identity, creditworthiness and contracting service providers
If necessary, we check the sales tax ID number you provide and the company’s identity through the Federal Office for Taxes (Bundeszentralamt für Steuern). We transmit the following types of data for this purpose: sales tax ID number, country of company head office, company name, company address. Sometimes, this may be personal data. The legal bases for this are points b) and f) of Article 6 (1) of the GDPR. Permission for this is based on the avoidance of attempted fraud to our detriment. The outcome of our request shall be stored for the period of the contractual relationship.
As part of the ordering process, we check your creditworthiness if the ‘on account’ payment method is to be agreed. We transmit the following types of data to ‘credit agencies’ for this purpose: company name, company address, where this may sometimes be personal data. The legal basis for this is point f) of Article 6 (1) of the GDPR. The legitimate interest required under this is based on our interest in minimising the credit risk associated with these payment methods. The outcome of our request shall be stored for the period in which the contract is executed.
If there is a delay in payment, we reserve the right to transmit the required data to a company contracted to enforce the receivable if other legal requirements are present. The legal bases for this are points b) and f) of Article 6 (1) of the GDPR. The enforcement of a contractual receivable is considered to be a legitimate interest within the meaning of the second provision.
3.3. Data processing for the purposes of marketing
The explanations below relate to the processing of personal data for the purposes of marketing. The GDPR declares that such data processing is entirely feasible and a legitimate interest on the basis of point f) of Article 6 (1) of the GDPR. The data storage period for the purposes of marketing does not follow any fixed principles and is based on whether storage is required to address recipients for marketing purposes. As is the case if you object, please refer to point 3.3.2.
3.3.1. Marketing for existing customers
If you have concluded a contract with us, we manage you as a customer. In this case, we process your contact details, e.g. postal address, e-mail address or telephone number, beyond the existence of specific consent, for you to receive information about our products and services this way.
3.3.2. Advertising based on your consent
If you have given us consent, we process your contact details, which you have shared with us, e.g. postal address, telephone number or e-mail address, to contact you or to provide you with information about our products or services.
3.3.3. Right to object
You may lodge an objection to data processing for the purposes of marketing at any time for free, for each communication channel individually and with future effect. To do so, simply send an e-mail or a letter to the contact details set out in 2.
If you lodge an objection, the contact address will be suppressed for further data processing for marketing. Please note that in exceptional cases, you may temporarily receive marketing material after we have received your objection. This is for technical reasons, caused by the lead time for advertisements, and does not mean that we have not actioned your objection. Thank you for your understanding.
3.4. Processing applications
3.4.1. What personal data do we process, for what purposes and on what legal basis?
If you send an application to us, we process the information we receive as part of the application process, e.g. through application letters, CVs, certificates, correspondence, and information communicated by phone or verbally. In addition to your contact details, we particularly find details regarding your education, qualifications, work experience and skills to be relevant.
Your data is initially exclusively processed to carry out the application process. If your application is successful, it will be used as part of your HR file and to implement and terminate the employment relationship. Our HR department initially has access to your data, but also the specific department with the position to which you have applied, and, if necessary, management, accounting and the company doctor.
The legal bases for data processing in the application process and as a part of the HR file are sentence 1 of Section 26 (1) in connection with sentence 2 of Section 26 (8) of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and point b) of Article 6 (1) of the GDPR and, if you have given your consent, for example by sending information not required for the application process, point a) of Article 6 (1) of the GDPR. The legal basis for data processing is point f) of Article 6 (1) of the GDPR. The legal basis for storage under tax law is point c) of Article 6 (1) of the GDPR in connection with Section 147 of the Tax Code (Abgabenordnung, AO). The legitimate interest for processing based on point f) of Article 6 (1) of the GDPR is defence of any legal claims, particularly as a result of an alleged disadvantage in the application process.
Within the meaning of Article 9 of the GDPR, we generally don’t require special categories of personal data for the application process. We kindly ask you not to provide such information. If, in exceptional cases, such information is relevant for the application process, we process it together with your applicant data. As an example, this may relate to details concerning a severe disability which you provide us with on a voluntary basis and which we are then obliged to process to comply with our specific obligations with respect to severely disabled people. In these cases, processing serves to exercise rights or to comply with legal obligations under labour law, social security law and social protection law. The legal bases for data processing are then point b) of Article 9 (2) of the GDPR, Section 26 (3) of the BDSG and Section 164 of the German Code of Social Law IX (Sozialgesetzbuch IX, SGB IX). In exceptional cases, it may be necessary to provide information concerning your health or a disability or details from the Federal Central Register (Bundeszentralregister), i.e. concerning previous convictions, for us to be able to assess whether you are suitable for the intended tasks. The legal basis for this is Section 26 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
3.4.2. Requirement for providing personal data
You are not obliged to provide us with personal data. However, we are only able to assess your suitability for the position if we have received information, particularly concerning your education, work experience and skills. The provision of personal data is also required to conclude a contract relating to an employment relationship with us. This means that if you don’t provide us with any personal data in an application, we will not enter into an employment relationship with you and we will be unable to contact you in the application process if you do not provide us with your contact details.
3.4.3. How long is your data stored for?
If your application is successful, your data will be used as part of your HR file and to implement and terminate the employment relationship, and erased in accordance with the regulations applicable to HR files. If we are unable to offer you employment at present, we store and process your data for up to six months of informing you of the rejection for the defence of legal claims against us, particularly as a result of an alleged disadvantage in the application process. Data no longer required is then erased. If you are reimbursed for costs or if other transactions happen that are relevant for tax reasons, the corresponding accounting documents are stored at least for the prescribed period to comply with retention requirements under tax law.
3.4.4. Recommendations for securing your data
We are aware that applications contain sensitive personal data. We therefore ask that you send applications by post for the attention of ‘Personalabteilung/HR department’ and to only send applications by e-mail to the address especially set up for this purpose (firstname.lastname@example.org).
3.5. Processing general requests
Generally, an undefined group of people, e.g. interested parties or providers, have the option of approaching us by e-mail, letter, fax, in person or by phone. We exclusively use the information you send in such a way for the purpose of processing your request. This takes place on the basis of point f) of Article 6 (1) of the GDPR. The proper processing of your request is considered to be a legitimate interest within the meaning of the GDPR. If you contact us in connection with a contractual relationship between you and us, section 3.2. also applies. The data provided will be erased as soon as the purpose for which it was collected no longer applies, unless there are legal retention periods or further legitimate interests on our part. It is not used for any other purpose.
4. Your rights
You have the following rights if the respective legal conditions have been met:
- Right to withdraw consent you have given to us; if processing is based on consent, you have the right to withdraw your consent at any time without this affecting the lawfulness of processing based on consent before its withdrawal. You may contact us or our data protection officer regarding this at any time, using the details set out in section 2.
- Right of access to your personal data stored by us pursuant to Article 15 of the GDPR; in particular, you can request information about the purposes of processing, the categories of personal data, the categories of recipients to whom the data has been or is being disclosed, the intended storage period and the origin of your data if it was not collected directly from you.
- Right to rectification of inaccurate or incomplete data pursuant to Article 16 of the GDPR.
- Right to erasure of your data stored by us pursuant to Article 17 of the GDPR provided that no legal or contractual retention periods or other legal obligations or rights for further storage must be complied with.
- Right to restriction of processing your data pursuant to Article 18 of the GDPR if the accuracy of the data is disputed by you, processing is unlawful, but you have objected to such data being erased; the controller of the data no longer requires the data, but you require it for the establishment, exercise or defence of legal claims, or you have objected to processing pursuant to Article 21 of the GDPR.
- Right to data portability pursuant to Article 20 of the GDPR, i.e. the right to receive selected data stored by us in a commonly used and machine-readable format or to request that it is transmitted to another controller.
- Right to lodge a complaint with a supervisory authority. Generally, you can contact a supervisory authority where you have your habitual residence, place of work or where our head office is based.
4.2. Right to object
In accordance with the conditions of Article 21 (1) of the GDPR, an objection may be lodged for data processing for reasons based on the specific situation of the data subject.
This general right to object applies to all processing purposes outlined in this data protection notice that are based on point f) of Article 6 (1) of the GDPR. There is also the option of contacting a supervisory authority or a competent body if you have cause for complaint.
5. Data security measures
Please note that the security of data submission via the internet (e.g. e-mail communication) may be compromised, even if the latest technology is used. It is not possible to completely secure data against third-party access.
We also take appropriate technical and organisational security measures to protect your data which we store from manipulation, partial or total loss or unauthorised access by third parties. We endeavour to continually improve our security measures in line with technological developments.