Information to data protection

 

 

in accordance with Article 13, 14 of the General Data Protection Regulation (GDPR)

 

We, SCHOELLERSHAMMER GmbH, attach particular high priority to the protection of your personal data. The responsible handling of your personal data is a matter of course for us. We process your data exclusively in accordance with the applicable data protection laws, ensuring the confidentiality, security, and integrity of this data.

 

 

1 Scope

 

This privacy notice provides you with an overview of how and for what purposes your personal data is processed when you use this website and our social media pages on LinkedIn, Instagram or YouTube, and what rights you have. In addition, we provide applicants and business partners with a detailed overview of how their personal data is processed at SCHOELLERSHAMMER GmbH.

 

Personal data is any information relating to an identified or identifiable natural person (“data subjects”). Personal data includes, for example, your name, address, email address, IP address, but also, for example, the content of correspondence with you. With regard to the other terms used in this privacy policy, e.g., “controller” or “processing,” we refer to the definitions in Article 4 of the European General Data Protection Regulation (“GDPR”).

 

Please note that this privacy notice does not apply to websites or Internet offerings of other providers that are merely referred to via a corresponding link. We recommend that you observe the privacy notices on the respective websites of these other providers.

 

 

2 Controller and company data protection officer

 

We, SCHOELLERSHAMMER GmbH, are the “controller” within the meaning of Article 4 No. 7 GDPR for the processing of your personal data by us to the extent described below. Our contact details are:

 

SCHOELLERSHAMMER GmbH

Commercial register number HRB No. 8595, Düren Local Court

+49 (0)2421/557-0

+49 (0)2421/557-111

info@schoellershammer.de

 

You can contact our company data protection officer, Kathrin Köller, at privacy@schoellershammer.de or at our postal address with the addition “For the attention of the data protection officer.”

 

 

3 Data processing when using this website

 

When you use our website, we process your personal data for various purposes, depending on the type of applications, services, and contact options provided on our website.

 

Below, we provide an overview of how and for what purposes your personal data is processed when you use this website.

 

3.1 Informational visit to the website / access data

 

When you visit our website www.schoellershammer.de, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called log file.

 

a) Types of data

The following data is collected and stored when you visit our website:

• • Date and time of access,
  • access status/HTTP status code,
  • Amount of data transferred in each case,
  • Website from which the request originates,
  • Browser software and software version,
  • Operating system and version,
  • IP address (anonymized),
  • randomly generated key number of the cookie or session

 

b) Processing purposes

We process the aforementioned data for the purpose of ensuring the smooth delivery and functionality of our website. In addition, the data is used to ensure and evaluate the security and stability of our systems. The data is not evaluated, except in anonymized form for statistical purposes.

 

c) Legal basis

The legal basis for data processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the purposes mentioned above.

 

d) Storage period

The aforementioned information is stored for a maximum of 7 days for security reasons (e.g., to investigate misuse or fraud) and then deleted. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

 

e) Recipients

We have commissioned an external service provider, NetCologne Gesellschaft für Telekommunikation mbH, to host the personal data collected on our website. NetCologne Gesellschaft für Telekommunikation mbH receives the above-mentioned data for this purpose as a processor. NetCologne Gesellschaft für Telekommunikation mbH was carefully selected by us and is contractually bound to strictly follow our instructions. It is equally subject to data protection regulations and is obliged to maintain confidentiality.

 

3.2 Contacting us

You can communicate with us using the contact details provided on our website under “Contact.”

 

a) Types of data

In this case, we process the information you provide us with when you contact us, such as your name, your (business) contact details, information about your company, and your request. We receive this information directly from you when you contact us.

 

b) Processing purposes

We only process this data for the purpose of handling your request and communicating with you.

 

c) Legal basis

If we have a contractual relationship with you or if the purpose of contacting you is to initiate such a contractual relationship, your data will be processed on the basis of Art. 6 (1) (b) GDPR. Otherwise, the legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in enabling you to contact us quickly and easily and in processing your inquiries to your satisfaction (for information on your right to object, see section 10).

 

d) Obligation to provide data

The provision of your personal data is necessary so that we can process your request and communicate with you. Unfortunately, this is not possible without the provision of this data.

 

e) Storage period

Data that we collect in connection with your contact request will be deleted as soon as your request has been fully and finally processed and no further communication with you is necessary or desired by you. If your contact request results in the initiation of a business relationship or a contractual relationship, this information will generally be stored until the contractual relationship has been fully processed. Longer storage may be necessary if there are legal retention obligations (e.g., under Section 147 of the German Fiscal Code (AO) or Section 257 of the German Commercial Code (HGB)). The data will then be stored for the duration of the legally prescribed retention period.

 

f) Recipients

Your data will not be passed on unless this is necessary to process your request.

 

 

3.3 Videos / Links to YouTube

 

The videos embedded on our website are provided both via our own web server and via YouTube links. If you visit a subpage of our website on which a video is embedded or play such a video, no data will be transmitted to a third-party provider.

 

However, our website also contains links to the video portal “YouTube” provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), which you can use to access further informational videos about our company. We deliberately do not use the plugin offered by Google, but instead use a simple link to the YouTube website. Therefore, simply visiting our website does not result in any user data being transmitted to Google’s servers. Only when you click on the “Link to video” link will a connection be established between your browser and Google’s server, and you will be redirected to a subpage of https://www.youtube.com/. Please note that this triggers data processing operations by Google that are beyond our control. In this respect, Google is solely responsible for data protection within the meaning of Article 4 No. 7 GDPR. For more information on the purpose and scope of data processing by Google, please refer to Google’s privacy policy. There you will also find further information on your rights in this regard and settings options for protecting your privacy.

 

 

3.4 Link to Google Maps

 

To make it easier for you to find our location, we provide a link to the map service “Google Maps” from the provider, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) under “Contact.” This allows you to conveniently use the map and route planner function of Google Maps.

 

We deliberately do not use the plugin offered by Google, but instead a simple link to the Google Maps website. This means that no user data is transmitted to Google’s servers simply by visiting our website. Only when you click on the “Calculate route” link is a connection established between your browser and Google’s server, and you are redirected to a subpage of https://www.google.de/maps/. Please note that this triggers data processing operations by Google that are beyond our control. In this respect, Google is solely responsible for data protection within the meaning of Article 4 No. 7 GDPR. For more information on the purpose and scope of data processing by Google, please refer to Google’s privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy.

 

 

3.5 Social media links

 

On our website, we offer you the option of being redirected directly to our company page on social media platforms (e.g., LinkedIn, Instagram, YouTube) via corresponding buttons.

 

We deliberately do not use the plugins offered by these social media services, but instead use links developed specifically for our website. Therefore, simply visiting our website does not transmit any user data to the servers of the social media providers. Only when you click on a social media button on our website will a connection be established between your browser and the server of the respective social media service, and you will be redirected to the websites of these services. We do not collect any personal data on our website via these buttons and therefore do not transmit any data to the social media providers.

 

Please note, however, that when you use the button to access the websites or apps of the respective social media service, this triggers data processing operations by the respective provider (e.g., Google, Meta) that are beyond our control. In this respect, the respective provider is solely responsible for data protection within the meaning of Article 4 No. 7 GDPR. For more information on the purpose and scope of data processing, please refer to the privacy policy of the respective social media service. There you will also find further information on your rights in this regard and setting options for protecting your privacy.

 

 

3.6 SOCIAL MEDIA PROFILES

 

We maintain publicly accessible profiles on various social networks (LinkedIn, Instagram, YouTube) in order to report on current developments in our company and to be able to contact customers and other interested parties. We are currently present on the following social media platforms:

 

• LinkedIn:  linkedin.com/company/papierfabrik-schoellershammer
• Instagram: instagram.com/schoellershammer/
• YouTube: youtube.com/@schoellershammer1738

 

Your visit to these profiles triggers a variety of data processing operations. Below, we provide an overview of which of your personal data we collect, use, and store when you visit our profiles.

When you visit our profiles, your personal data is collected, used, and stored not only by us, but also by the operators of the respective social network (“provider”). This also happens if you do not have a profile on the respective social network yourself. For details on the collection and storage of your personal data, as well as the nature, scope, and purpose of its use by the provider, please refer to the privacy policies of the respective provider:

 

• The privacy policy for LinkedIn, which is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, can be viewed at: http://www.linkedin.com/legal/privacy-policy.

 

• The privacy policy for Instagram, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Dublin, can be viewed at https://de-de.facebook.com/help/instagram/155833707900388.

 

• You can view the privacy policy for YouTube, which is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, at https://policies.google.com/privacy?hl=de&gl=en#intro.

 

 

3.6.1 Joint controllership with LINKEDIN and Instagram

 

As the operator of a social media presence, we can only view the information stored in your public profile, and only if you have such a profile and are logged in to it while visiting our site. In addition, the providers of

 

• LinkedIn
• Instagram

 

provide us with anonymous usage statistics, which we use to improve the user experience when visiting our pages. We do not have access to the usage data that the providers collect to compile these statistics. Nevertheless, we and the providers, LinkedIn, Instagram, and Facebook, which compile such usage statistics, have joint controllership for the data processing operations that take place in this context in accordance with Art. 26 GDPR. As “joint controllers,” we are jointly responsible for the processing and must ensure compliance with the applicable data protection law.

 

Within this framework, we have concluded a joint controller agreement with the providers in accordance with Art. 26 (2) GDPR, and the providers have committed to us to assume primary responsibility under the GDPR for the processing of this data, to fulfill all obligations under the GDPR with regard to this data, and to make the essence of this obligation available to the data subjects.

 

You can access the agreements at the following link:

 

• LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum
• Instagram: https://www.facebook.com/legal/terms/page_controller_addendum

 

 

3.6.2 Data processing in connection with our LinkedIn page

 

User statistics

 

(a)   Categories of personal data

We receive anonymous statistics from LinkedIn on the use and utilization of our LinkedIn page (so-called page insights). For this purpose, LinkedIn processes: ·       Profile data (e.g., job title, country, industry, length of service, company size, and employment status) and ·       Information about how a visitor has interacted with our LinkedIn page (e.g., whether a member is a follower of our page).

(b)   Purposes and legal basis of data processing

LinkedIn uses this data for the purpose of compiling visitor statistics and reports on the reach of our page and ad performance, as well as demographic and geographic evaluations. We receive these statistics, reports, and evaluations from LinkedIn exclusively in anonymized form and have no access to the underlying data. The anonymous statistics enable us to continuously optimize our LinkedIn page and offer visitors an improved online experience tailored to their interests. For example, the statistics provide information about which offers and applications on our site visitors have used and been particularly interested in. We can use this information to provide visitors to our site with more relevant content and to develop features that may be of greater interest to them. Demographic and geographic analyses also enable us to place interest-based advertising without directly obtaining knowledge of the visitor’s identity. The legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in optimizing the presentation of our company and our online offerings.

(c)    Storage period

As a rule, we do not store any personal data relating to communications and interactions with users that take place via social media platforms. Please refer to LinkedIn’s privacy policy for information on how long LinkedIn stores data.

(d)   Joint controllership

With regard to Page Insights, we are jointly responsible with LinkedIn for the processing of personal data in connection with Page Insights.

 

Communication

 

(a)   Categories of personal data

We also use our LinkedIn page to communicate with LinkedIn users and provide information about our services. In this context, we may receive additional information, e.g., from user comments, private messages, or because you follow us or share our content.

(b)   Purposes and legal basis of data processing

Processing is carried out exclusively for the purpose of communicating and interacting with you. If you provide us with personal data via a message, we process this data exclusively to respond to your inquiry and communicate with you. The legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in responding to your messages via your chosen channel, communicating with you, and interacting with you.

(c)    Storage period

As a rule, we do not store any personal data relating to communications and interactions with users that take place via social media platforms. For information on how long the data is stored by LinkedIn, please refer to LinkedIn’s privacy policy.

 

 

Further processing

 

Please note that LinkedIn uses cookies and other similar storage technologies from both LinkedIn and certain third-party providers to collect device-specific data and information about user activities (e.g., device IDs) and to recognize users and their end devices across different services and devices. This is beyond our control. If you have a profile on LinkedIn and are logged in, the collection and evaluation of data may also be personalized and cross-device. We also have no influence over this. If you wish to avoid this, you should log out of LinkedIn or deactivate the “stay logged in” function and delete the cookies on your device.

 

Recipients and data transfers to third countries

 

We ourselves do not intend to pass on personal data of users that we receive via our LinkedIn page to third parties. LinkedIn describes in its privacy policy for what purposes and to what extent LinkedIn passes on the information collected to third parties – possibly outside the European Union and the European Economic Area (e.g., to LinkedIn Inc. based in the USA). According to LinkedIn, compliance with data protection standards and your rights is ensured by appropriate safeguards (e.g., standard data protection clauses) when data is transferred to the US and other third countries. LinkedIn Corporation is also certified under the EU-US Data Privacy Framework.

 

 

3.6.3 Data processing in connection with our Instagram page

 

User statistics

 

(a)   Categories of personal data

We receive anonymous statistics from Instagram on the use and utilization of our Instagram page (so-called page insights). These contain information about the reach and interactions of our posts, about the actions of users on our page, demographic data (age, gender, location), information about visits to and interactions with our page, and about the long-term performance of our individual posts. These statistics are compiled by Instagram based on certain events that are logged by Instagram’s servers when people interact with pages and their associated content. These logs are compiled solely by Instagram. We have neither access to nor influence over this data.

(b)   Purposes and legal basis of data processing

We can use the anonymous statistics to continuously optimize our Instagram page and offer users an improved user experience tailored to their interests. It is not possible to draw conclusions about individual users or link the data to users’ profile data. The legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in optimizing the presentation of our company and our online offerings.

(c)    Storage period

As a rule, we do not store any personal data relating to communications and interactions with users that take place via social media platforms. Please refer to Instagram’s privacy policy for information on how long the data is stored by Instagram.

(d)   Joint controllership

With regard to Page Insights, we are jointly responsible with Meta Platforms Ireland Limited for the processing of personal data in connection with Page Insights.

 

Communication

 

(a)   Categories of personal data

If you are registered with Instagram, you can send us a message using the “Message” function. Such messages are not visible to other Instagram users.

(b)   Purposes and legal basis of data processing

If you provide personal data via such a message, we will process this data exclusively to respond to your request and communicate with you. The legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in responding to your messages via the channel you have chosen and communicating with you.

(c)    Storage period

As a rule, we do not store any personal data relating to communications and interactions with users that take place via social media platforms. Please refer to Instagram’s privacy policy for information on how long the data is stored by Instagram.

 

 

Further processing

 

In addition, when you visit the Instagram page, Instagram collects, among other things, the IP address of users and other information that is transmitted to Instagram via cookies or similar technologies on the user’s device. This information is used, among other things, to provide the operators of an Instagram page with the above-mentioned statistical information about the use of their Instagram page.

Please also note: If you have an Instagram account and are logged in, Instagram is able to track that you have visited our fan page and how you have used it. This also applies to all other Instagram pages. This data can be used to tailor content or advertising to you. If you want to avoid this, you should log out of Instagram or deactivate the “stay logged in” function and delete the cookies on your device.

Please note that as fan page operators, we have no influence or complete knowledge of how Instagram uses the data from visits to and use of Instagram pages for its own purposes, to what extent activities on Instagram pages are assigned to individual users, how long Instagram stores this data, and whether data from visits to Instagram pages is passed on to third parties.

 

Recipients and data transfers to third countries

 

Instagram describes the purposes for which and the extent to which it processes the data collected and passes it on to third parties—possibly outside the European Union and the European Economic Area—in its “Data Policy.” If personal data is transferred to Instagram’s servers in the US and stored there, the recipient is usually the American company Meta Inc. According to Instagram, compliance with data protection standards and your rights is ensured by appropriate safeguards (e.g., standard data protection clauses) when data is transferred to the US and other third countries. Meta Platforms, Inc. is also certified under the EU-U.S. Data Privacy Framework.

 

 

3.6.4 Data processing in connection with our YouTube page

 

Presentation of Schoellershammer

 

(a)   Categories of personal data

We use our channels in particular to provide active users and interested parties with interesting clips about current developments, news from our company, or our events. In this context, we may receive further information, e.g., from user comments, ratings, or because you follow us or share our content.

(b)   Purposes and legal basis of data processing

Processing is carried out exclusively for the purpose of providing videos and presenting our company. The legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in providing videos via the aforementioned channels and interacting with users.

(c) Storage period

As a rule, we do not store any personal data ourselves that is collected via the YouTube platforms. Please refer to YouTube’s privacy policy for information on how long YouTube stores the data.

 

Anonymous user statistics

 

(a)   Categories of personal data

We also receive anonymized usage statistics from YouTube that provide us with the following information: Total number of video views and average video views per person, as well as their trend (decreasing/increasing); number of subscribers and their trend; number of visitors to the channel; viewer interactions (likes, comments, shared content); Time visitors spent on the channel, watching videos, or until they subscribed; Reach of the video; Percentage of videos that a user watches on average. The statistics are based on profile and user data that the respective providers compile using information about usage activities (through so-called “tracking”). We receive statistics from YouTube exclusively in anonymized form and have no access to the underlying data.

(b)   Purposes and legal basis of data processing

The anonymous statistics enable us to continuously optimize our channels and the videos published on them. The legal basis is Art. 6 (1) (f) GDPR. We have a legitimate interest in optimizing the presentation of our company and our online offerings.

(c) Storage period

As a rule, we do not store any personal data of the users of our YouTube channel ourselves. For information on how long the data is stored by YouTube, please refer to YouTube’s privacy policy.

(d) Separate controllership

YouTube is solely responsible for processing user and profile data, in particular information about usage activities, within the meaning of Art. 4 No. 7 GDPR. We ourselves do not process any personal data in this regard. YouTube provides information about the data processed by YouTube, including the purposes of processing and legal bases, in its privacy policy.

 

Further processing

 

When you visit YouTube pages, YouTube processes your personal data in accordance with its privacy policy. Please note that YouTube’s pages use cookies and other similar technologies from YouTube itself, but also from third-party providers ( ) to collect device-specific data and information about user activities. This data is used for the purpose of providing online services and ensuring security, as well as for analysis, advertising, and measurement purposes. This is beyond our control. If users use the services of these providers on multiple devices, the collection and evaluation of data may also take place across devices if the visitors are registered and logged into their own profiles. We also have no influence over this.

If you want to avoid this, you should log out of YouTube or deactivate the “stay logged in” function and delete the cookies on your device. You can then use YouTube pages without your profile ID being disclosed.

 

Recipients and data transfers to third countries

 

Within the European Union, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) is the provider responsible for data protection. Insofar as personal data is also transferred to Google servers in the USA and stored there, the recipient is regularly also the American company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. According to Google, compliance with data protection standards and your rights is ensured by appropriate safeguards (e.g., standard data protection clauses) when data is transferred to the USA. Google LLC is also certified under the EU-U.S. Data Privacy Framework.

 

 

3.6.5 Cookies

 

As explained in the individual sections, social media providers use cookies, which are stored on your device when you visit our social media pages, even if you do not have your own profile or are not logged in to it during your visit to our site. These cookies allow providers to create user profiles based on your preferences and interests and to display tailored advertising to you. Cookies remain on your device until you delete them. Details can be found in the providers’ privacy policies.

Further information on data processing in connection with cookies can be found in the providers’ cookie policies:

 

• LinkedIn: https://de.linkedin.com/legal/cookie-policy?_l=de_DE
• Instagram: https://privacycenter.instagram.com/policies/cookies/
• YouTube: https://policies.google.com/technologies/cookies?hl=de&gl=en

4 Processing of applicant data

 

Below, we provide an overview of how SCHOELLERSHAMMER GmbH processes your personal data when you apply for a job with us.

 

4.1 Application process

 

If you apply for a job advertisement or send us a speculative application and provide us with personal data, e.g., in your application documents, during personal interviewsor correspondence, or via a recruiter/staffing agency, we will process this data to the extent necessary to carry out the application process, make a decision about your application, and establish an employment relationship with you.

 

a) Types of data

As a rule, we process your master data, such as your first and last name, address, email address, telephone number, data from your application (e.g., your cover letter and resume, along with references, information on other professional qualifications and previous activities, language skills, any application photo you may have attached, and other information relevant to the position you are applying for), as well as communication data within the scope of the application process.

 

b) Processing purposes

We process your personal data exclusively for the purposes of conducting the application process, including checking the completeness of your application documents, checking and determining your suitability for the position to be filled, conducting interviews, making selection decisions, and communicating with you (e.g., for the purposes of scheduling appointments and providing information about the progress of the application process). In addition, processing of your data may also be necessary to assert, exercise, or defend mutual legal claims arising from the application process.

 

c) Obligation to provide data

In order to be able to decide on your application and your hiring, it is necessary that you provide us with the necessary personal data. Otherwise, we cannot enter into an employment relationship with you.

 

d) Legal basis

The legal basis for processing your personal data to the extent described is Section 26 (1) sentence 1 BDSG. Insofar as the processing of your data is necessary for the assertion, exercise, or defense of legal claims, the legal basis is Section 26 (1) sentence 1 BDSG and Article 6 (1) sentence 1 lit. f GDPR. Our legitimate interest arises from the need to be able to examine and defend against claims asserted by applicants.

 

e) Special categories of personal data

The provision of special categories of personal data within the meaning of Art. 9 (1) GDPR, such as information about your health, your religious beliefs, or your ethnic origin, is generally not required as part of the application process. However, if you nevertheless provide us with special categories of personal data within the meaning of Art. 9 (1) GDPR as part of your application, we will process this data within the scope of our legal obligations as a potential employer on the basis of Art. 9 (2) lit. b GDPR, Section 26 (3) BDSG (Federal Data Protection Act) and, insofar as this is necessary for the assessment of your ability to work as an employee with regard to any necessary occupational health and health care measures, on the basis of Art. 9 (2) lit. h GDPR.

 

f) Data origin

As a rule, we collect data about you directly from you. If contact is made through a recruitment agency or consultancy to which you have provided your personal data, or if career-related information about you is publicly available on the internet (e.g. via career-related networks such as Xing and LinkedIn or via the website of your current employer), data about you may also be collected from such sources, insofar as this is necessary for the recruitment decision. The legal basis for the processing of your personal data is also Section 26 (1) sentence 1 BDSG.

 

g) Storage period

In the event of rejection, we will store your application documents and the personal data they contain for a maximum of six months after sending the rejection notice. After this period, we will destroy or delete your application documents and data, unless longer storage is necessary to defend legal claims, statutory provisions prevent deletion in exceptional cases, or you have expressly consented to longer storage (see section 4.2 “Applicant pool”). If your application is successful, we will store your data for the subsequent employment relationship within our employee management system.

 

h) Recipients

We do not pass on your personal data collected during the application process to third parties or other external recipients. Your data will only be transferred if you have consented to this or explicitly requested it, or if we are obliged to do so due to legal regulations or official orders. Within the company, recipients of your application documents and data may include the managing directors, the relevant HR managers, the respective potential supervisors, and the works council.

 

4.2 Applicant pool

 

a) Types of data

If your application is not successful for the position you have applied for, or if your application cannot be considered for other reasons, we may add your applicant data specified in section 4.1 to our applicant pool for future job postings and vacancies. This also includes data that you have provided to us during a personal interview and that we record during the course of this interview.

 

b) Processing purposes

The data stored in the applicant pool will be stored and processed exclusively for the purpose of later consideration in the context of a further application process and for the purpose of contacting you to invite you to a personal interview or to offer you a specific job, including mutual correspondence.

 

c) Legal basis

However, we require your express consent in this regard. In this case, we will obtain your consent separately. If you give us your consent, the legal basis for the further storage and processing of your data is Art. 6 (1) (a) GDPR, § 26 (2) BDSG.

 

d) Storage period

We store your data until you revoke your consent, but for a maximum of 3 years from the date you gave your consent. After you revoke your consent, but no later than after the storage period of 3 years has expired, we will delete your application documents and data from the applicant pool.

 

e) Revocation of consent

In accordance with Art. 7 (3) GDPR, you are entitled to revoke your consent at any time. As a result, we will no longer be permitted to continue processing data based on this consent in the future.

 

If you wish to exercise the above rights, please contact jobs@schoellershammer.de or send your request to the postal address given in section 2, marked “For the attention of the Human Resources Department.”

 

f) Recipients

Apart from the recipients mentioned in section 4.1, we do not intend to pass on your data.

 

 

5 PROCESSING OF PERSONAL DATA OF BUSINESS PARTNERS

 

The following data protection information provides an overview of the processing of personal data by SCHOELLERSHAMMER GmbH within the framework of its business relationships with customers, suppliers, and other business contacts (e.g., other contractual partners, service providers, visitors to our company premises (hereinafter referred to as “business partners”).

 

a) Types of data

We process personal data provided to us by our business partners or their respective representatives, contact persons, or employees within the scope of the business relationship, in particular within the scope of contract processing, pre-contractual contact, or other inquiries. This usually involves the following data or categories of personal data:

 

• Business master data and contact details of the business partner or its legal representatives, contact persons, and other employees (in particular, title, name, function/position/department, business address, business telephone number, and email address)
• Business-related communication with the business partner or its contact persons and other parties involved (in particular, the content of personal, telephone, or written communication)
• Contract, order, and billing data (in particular, data on contractual content, the persons concluding the contract, the start/end of the contract, tax ID/tax number, accounting, bank, and invoice data, insurance data, creditworthiness data, if applicable, and other information necessary for processing the inquiry or order), insofar as this data relates to a natural person;
• Business-related communication with business partners or their contact persons and other parties involved (e.g., inquiries, business letters, emails, telephone notes, etc.)
• Identification and access data, e.g., of visitors or access or entry to our company premises for delivery, collection, or provision of services;
• Other personal data related to the establishment and execution of the contractual relationship, if applicable.

 

The scope of the data processed for a person varies depending on the function in which the person acts towards us, for example, what position they hold with the respective business partner.

 

b) Processing purposes and legal basis

Contractual purposes:

The aforementioned data is processed primarily for the initiation, execution, and management of (contractual) business relationships, including the fulfillment of our contractual and legal obligations arising from the respective initiated or concluded contractual relationship and business contact. This includes, in particular, the following contractual purposes:

 

• Planning, implementation, and management of contractual relationships, including general contract management and administrative contract execution (e.g., contact and contract management, preparation of quotations, processing and review of (contract) inquiries, authentication of contractual partners, preparation and signing of contract documents, planning and processing of deliveries as well as warehousing and logistics services, implementation of control and monitoring measures, quality testing, invoicing, payment processing, receivables management)
• Business correspondence with our business partners or their authorized representatives (e.g., in the context of contract processing, inquiries, and exchange of information on products, services, etc.)
• Seeking legal advice and asserting, exercising, or defending mutual legal claims

 

Data processing is necessary for the purposes mentioned in accordance with Art. 6 (1) (b) GDPR. If you are not SCHOELLERSHAMMER’s (potential) contractual partner, but rather your employer or client is, the processing of your (contact) data is based on Art. 6 (1) (f) GDPR. Our legitimate interest arises from the necessity of processing this data for the purposes of contract execution and communication, including the provision of pre-contractual measures.

 

Compliance with legal requirements

In addition, it may be necessary for us to process personal data in order to comply with legal requirements, in particular to comply with legal storage, recording, collection, and reporting obligations, which generally serve the control purposes of the respective competent public authorities (e.g., commercial and tax law storage obligations). Furthermore, the disclosure of personal

for official or judicial measures for the purposes of evidence gathering or

prosecution. The legal basis for this is then Art. 6 (1) (c) GDPR in conjunction with the respective legal provision.

 

Safeguarding legitimate interests

In addition, we process personal data of our business partners and their representatives, contact persons, and other employees within our business relationships, insofar as this is necessary to safeguard our legitimate interests or those of a third party and does not outweigh the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. These are, in particular, the following purposes:

 

• Measures to control and optimize our business processes (e.g., quality control, measures to improve our logistics processes, needs analysis)
• Customer and contact management and maintenance, such as recording and managing contacts in our contact database, customer service, maintaining contact after business contact/customer loyalty measures
• Measures to ensure operational safety and to protect our property rights and property (e.g., visitor registration, access/entry/goods control on the company premises during delivery/collection, etc.)
• Cost management, internal controlling, and accounting
• Direct marketing to business partners (e.g., information about products)
• Payment and receivables management (e.g., debt collection, factoring)
• Identification and mitigation of economic risks such as payment defaults (e.g., through credit checks with credit agencies)
• Reporting and investigating suspected compliance violations, preventing and
• investigation of criminal offenses, and assertion of and defense against legal claims.

 

The legal basis is Art. 6 (1) (f) GDPR, whereby our legitimate interests arise from the aforementioned purposes (information on your right to object can be found in section 10).

 

c) Storage period

We only store personal data for as long as is necessary to achieve the aforementioned purposes and to fulfill our legal obligations. We store the personal data collected in the context of establishing and executing the contract until the contract has been fully processed, i.e., until the end of the contract and until all mutual claims have been settled. We then delete your data, unless deletion is prevented by statutory retention obligations (in particular 6 or 10 years’ retention in accordance with Section 257 (4) of the German Commercial Code (HGB) and Section 147 (3) of the German Fiscal Code (AO)) or unless longer storage is necessary in individual cases for the purposes of legal prosecution.

 

We generally store the business contact details of business partners for the duration of the respective business relationship and ongoing contact, unless you wish your contact details to be deleted earlier (for information on your right to object, see section 10).

 

d) Data origin

As a matter of principle, we receive personal data directly from our business partners or their respective representatives. In addition, your data may also be provided to us by third parties, e.g., your employer or client or other business partners. These parties are themselves responsible for data protection. In some cases, we also process personal data that we have obtained from publicly accessible sources, e.g., commercial and company registers, Internet sources, credit agencies, industry directories, trade fairs, etc., in accordance with the applicable data protection laws.

 

e) Data transfer/recipients

In accordance with the statutory provisions, the data required for the respective purpose may be transferred to other internal and external bodies, e.g. to

 

• external companies, other cooperation partners, and external service providers that we involve for operational purposes in the course of our business activities (e.g., logistics companies, IT service providers, lawyers, auditors, tax consulting firms, financial institutions, credit agencies);
• authorities, courts, and other government agencies for the fulfillment of reporting and information obligations;
• Legal advisors, law enforcement agencies, and, if applicable, injured third parties for the investigation or prosecution of illegal or abusive incidents

 

In the course of conducting business relationships, it may be necessary to transfer personal data to locations outside the European Economic Area (EEA). Such transfers will only take place to the extent necessary for this purpose and only in compliance with data protection regulations. In the absence of an adequacy decision by the European Commission for the recipient country, an adequate level of data protection is ensured by appropriate safeguards (e.g., in the form of EU standard contractual clauses pursuant to Art. 46 (2) (c) GDPR, which are agreed with the respective recipient).

 

f) Obligation to provide

There is generally no contractual or legal obligation to provide personal data. However, without processing your personal data, we are unable to carry out any necessary pre-contractual measures or enter into a contractual relationship with you or your employer/client.

 

6 Data security

 

In order to ensure the security, stability, integrity, and functionality of our IT systems and IT operations, as well as the security of the stored data and data processing operations at SCHOELLERSHAMMER, it may be necessary to process the personal data stored in SCHOELLERSHAMMER’s IT systems (e.g., through the use of spam filters). The legal basis for this processing is Art. 6 (1) (f) GDPR. The legitimate interest arises from the aforementioned purposes.

 

7 Rights of data subjects

 

As a data subject, you have various rights under the GDPR in connection with the processing of your data, which we will inform you about below. If you wish to exercise your rights, you can contact us using the contact details above (see section 2).

 

7.1 Right of access

 

In accordance with Art. 15 GDPR, you have the right to request information about your personal data processed by us. In particular, you can obtain information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data if it was not collected by us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details. As part of your right to information, you can request a copy of your personal data. We generally provide data copies in electronic form, unless you have specified otherwise. The exceptions under Art. 15 (4) GDPR, § 34 BDSG must be observed.

 

 

7.2 Right to rectification

 

In accordance with Art. 16 GDPR, you have the right to request the immediate rectification of inaccurate data concerning you or the completion of data concerning you.

 

 

7.3 Right to erasure

 

In accordance with Art. 17 GDPR, you have the right to request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims. The further exceptions under Section 35 BDSG must be observed.

 

 

7.4 Right to restriction of processing

 

According to Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you oppose its erasure, we no longer need the data, but you need it to assert, exercise, or defend legal claims, or you have objected to the processing pursuant to Art. 21 GDPR.

 

 

7.5 Right to data portability

 

Under the conditions of Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format or to request its transfer to another controller.

 

 

7.6 Right to withdraw consent

 

In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent at any time. As a result, we will no longer be allowed to continue processing data based on this consent in the future. The lawfulness of the processing carried out on the basis of your consent until withdrawal remains unaffected by your withdrawal.

 

8 Right to object

 

You may object to the use of your data for direct marketing purposes at any time with effect for the future. In the event of an objection, we must refrain from any further processing of your data for direct marketing purposes.

 

You may also object to the processing of your data for reasons arising from your particular situation, insofar as we process it to pursue legitimate interests (Article 6(1)(f) GDPR) or tasks in the public interest (Article 6(1)(e) GDPR). In the event of an objection, we must refrain from any further processing of your data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. The right to object is subject to the restrictions of Section 36 of the German Federal Data Protection Act (BDSG).

 

If you wish to exercise your right to object, please contact our company data protection officer. The contact details can be found in section 2 of this information.

 

9 Right to lodge a complaint

 

If you believe that our processing of your personal data violates data protection regulations, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged violation, in accordance with Article 77 of the GDPR. The supervisory authority responsible for us is:

 

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

P.O. Box 200444, 40102 Düsseldorf, Germany

Phone: 0211/38424-0

Email: posstsstelle@ldi.nrw.de

https://www.ldi.nrw.de/

 

10 Technical security measures

 

We use appropriate technical and organizational security measures to protect your personal data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties, taking into account the state of the art, implementation costs, and the nature, scope, context, and purpose of processing, as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously updated to keep them state-of-the-art.

 

To protect your data transmitted via our online offering, we use SSL encryption, for example, to prevent unauthorized access to your personal data by third parties. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

 

We will be happy to provide you with more detailed information about our protective measures on request.

 

 

11 Further inquiries

 

If you have any questions regarding the processing of your personal data by us and your rights in this regard, as well as other data protection information and suggestions, you can contact our company data protection officer at any time in confidence. The contact details of our company data protection officer can be found in section 2 of this statement. All inquiries to our company data protection officer will of course be treated as strictly confidential.

 

***