Data protection policy of the REFA Bundesverband e.V. dated 25th May 2018
We at REFA take the protection of your personal data very seriously and process it only in accordance with the respective statutory data protection requirements. For the purposes of this information, personal data is all data that relates to you personally. On the basis of the following information, we would like to explain how we process your personal data. Furthermore, we would like to give an overview of your rights under data protection law. Exactly which data is processed and how it is used in detail depends primarily upon the services requested and agreed.
1. Responsible body
REFA Bundesverband e.V.
This is how to reach our Privacy officer
REFA Bundesverband e.V.
Frau Tanja Weiss
2. Source of the personal data
We process personal data which we acquire during our business relationship from our customers and interested counterparties. In addition, where this is necessary in order to provide our services, we process personal data which we legally acquired from publicly accessible sources, or which was transmitted to us by other companies within the REFA Group or by other third parties (such as credit agencies).
3. Categories of personal data which are being processed
We process the following categories of personal data:
- Core data (Names, addresses, date of birth and contact details)
- Job data (addresses and contact details)
- Data which is necessary to fulfill our contractual obligations (turnover, structural and quantity data)
- Information about your correspondence (correspondence with you), advertising and sales data (products potentially of interest to you) as well as other data comparable to these categories
4. Purposes, for which the personal data is being processed and the legal basis for the processing
We process your personal data in compliance with the relevant legal data protection requirements. The processing of the data is lawful if at least one of the following prerequisites is met:
- Consent (Art. 6 Abs. 1 a DSGVO): The processing of personal data is lawful if consent has been given for processing the data for the defined purposes (e.g. transfer of data within the group, use of data for marketing purposes). Consent, once given, can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent which were given to us prior to the commencement of the DSGVO, i.e. before the 25th May 2018.
- To fulfil our contractual obligations and to conduct pre-contractual activities (Art. 6 Abs. 1 b DSGVO): We process data in order to fulfil our contractual obligations or to conduct pre-contractual activities when asked to do so. The purpose of processing data results primarily from the actual product concerned and may, amongst other things, include requirement analyses and consultations. You can find further details about the purposes for data processing in the respective contract and business terms and conditions.
- Due to legal requirements (Art. 6 Abs. 1 c DSGVO) or in the public interest (Art. 6 Abs. 1 e DSGVO): REFA is subject to various legal obligations, i.e. statutory requirements (e.g. commercial and tax retention regulations in accordance with the German Commercial Code and the German Tax Code). We process data in order to fulfil our control and reporting obligations under tax law as well as for risk assessment and control within the company and the REFA Group.
- As part of the balancing of interests (Art. 6 Abs. 1 f DSGVO): If necessary, we process your data over and above the scope which would be necessary to fulfil our contractual obligations in order to protect our interests or those of third parties involved. Examples of this:
- Revision and enhancement of business procedures for general business management and further development of products and services
- Marketing and market and opinion research provided you did not object to the use of your data
- Enforcement of legal claims and defense in case of legal disputes
- Prevention and clarification of criminal offences
- Ensuring IT security and IT operations
5. Categories of recipients of the personal data
Within the company, the departments that require personal data to fulfil our contractual and legal obligations are entitled to access this data. REFA assigns some of the aforementioned processes and services to carefully selected service providers, which are based within the EU. These are companies in the categories of IT services, payment transactions, print service providers, billing, collection and consulting as well as sales and marketing, and service providers that we use in the context of order processing relationships. We are only allowed to pass on data to other recipients if legal regulations require us to do so, you have agreed, or we are otherwise authorized to disclose this information. Given these legal preconditions, recipients of personal data may be, amongst others:
- Public bodies and institutions (e.g. tax authorities, Federal Network Agency) in the event of a legal or official obligation.
- Companies or similar institutions to which we transfer personal data in order to carry out the business relationship with you (e.g. credit agencies) and other companies within the REFA Group.
Furthermore, other parties can be recipients of your data, as long as you have given us your consent for the transfer of data.
6. Intent to transfer personal data to a third country or an international organisation
There is no active transfer of personal data to a third country or international organisation.
7. Criteria to determine the duration for which personal data will be stored
The duration of storage depends upon the end of the purpose and the subsequent legal storage periods. If the data is no longer necessary to fulfil our contractual or legal duties, the data is deleted regularly unless its further processing, potentially limited in time and content, is necessary for the following purposes:
- Compliance with all commercial and tax retention obligations: namely the Handelsgesetzbuch (HGB), the Abgabenordnung (AO) and the principles necessary for proper accountancy and retention of accounting records, the records and documents in electronic form as well as for the purpose of data access. According to these, the retention and documentation periods are set to be up to 10 years.
- Preservation of evidence for the legal period of limitation. According to §§195 ff of the BGB the ordinary period of limitation is set to be 3 years; under special circumstances, however, it can be up to 30 years.
- Compliance with the storage obligations under telecommunication law in accordance with the current telecommunication act (TKG) and other laws.
8. Data protection rights
Every affected person has the right to access according to article 5 DSGVO, the right to correction according to article 16 DSGVO, the right to cancellation according to article 17 DSGVO, the right to limit the processing of the data according to article 18 DSGVO, the right to object from article 21 DSGVO as well as the right to data transferability from article 20 DSGVO. The limitations according to §§34 and 35 BDSG apply to the right of information and the right to cancellation. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 DSGVO in conjunction with § 19 BDSG).
Consent to the processing of personal data, once given, can be revoked at any time with effect for the future. This also applies to consent given to us before the DSGVO came into effect, i.e. before the 25th of May 2018. Further information can be found in the section on the right of withdrawal of this declaration.
9. Obligation to provide and possible consequences for not providing data
As part of our business relationship you are obliged to provide the data that is necessary to establish and implement a business relationship and to fulfil all connected contractual obligations, as well as the data we are legally obliged to gather. Without this data we would generally not be able to enter into or fulfil a contract with you.
10. Existence of an automated decision making including profiling
We generally do not use automated decision making in accordance with article 22 DSGVO to establish and implement business relations. Should we use these methods in individual cases, we will inform you separately when we are legally obliged to do so. We partially process your data automatically in order to evaluate some personal aspects of the data (profiling). We use profiling in order to evaluate your solvency and to improve our sales and marketing activities, allowing us to address you in a more purposeful and demand-oriented manner.
11. Tracking data
Tracking data that is collected through use of respective offers on our website (IP address (temporary), date and time our web site was visited, internet address accessed, type of browser) is stored in order to identify and eliminate any potential technical faults and the misuse of our website and services. An evaluation of this data to create personal user profiles does not take place. This kind of logged data is deleted automatically after 180 days.
We use so-called cookies on our website. They are used to make our offer more user-friendly, more effective and more secure. Cookies are small text files which are stored on your computer and are saved by your browser. Most of the cookies we use are so-called “session cookies”. They are deleted automatically after you leave our website. Cookies do not cause damage to your computer and do not contain any viruses. You can block the installation of cookies at any time by selecting the respective settings in your browser. However, in this case you might not be able to use all features of our website.
You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address), and from processing this data, by downloading and installing the Browser-Add-on. Opt-out cookies prevent the future collection of your data when you visit this website. To prevent Universal Analytics from collecting your data across multiple devices, you must opt out on all systems you use. If you click here, the opt-out cookie will be set: Disable Google Analytics
13. Third party services
- Links to other websites: Our website also contains links to other websites which are not operated by us. If you visit these websites you should observe the applicable data protection regulations and other notifications on these websites. We do not take any responsibility for the standard of data protection and the use of personal data by other companies.
14. Use of Salesviewer®-Technology
On this website we collect and retain data for marketing, market research and optimisation purposes via the SalesViewer® technology of SalesViewer® GmbH on the basis of the justified interests of the website operator (Art. 6 Abs. 1 lit. f DSGVO). For this purpose a JavaScript-based code is used to collect company-related data and to record the respective usage. The data collected via this technology is enciphered by hashing, a non-traceable one-way function. The data is immediately pseudonymised and is not used to identify the user of the website personally.
The collection and storage of data can be revoked at any time with effect for the future by clicking on this link, thereby preventing the capture of data by SalesViewer® technology on this website in the future. A so-called opt-out cookie for this website is then installed on your computer. If you delete cookies in your browser you will have to click this link again.
15. Use of the Chat software from Userlike
Our website uses Userlike, a live chat software by the company Userlike UG (limited liability). Neither cookies nor your IP address are stored. Only a chat protocol is stored. The data contained in it is neither used to personally identify the user of this website nor used for other purposes, especially advertisement purposes. The chat protocol is deleted after one working day.
16. Newsletter subscription
If you would like to receive the newsletter offered on our website we will need an e-mail address from you which will allow us to verify that you are the owner of the provided email address and that you agree to the receipt of the newsletter.
To ensure that the newsletter is sent out in mutual agreement we use the so-called double-opt-in method. For this, the potential recipient can be placed on a distribution list. Subsequently the user receives a confirmation e-mail in which the possibility is given to legally confirm the registration. Only if the confirmation is given will the e-mail address be placed actively on the distribution list.
We use this information exclusively for the sending of the requested information and offers. Newsletter2Go is used as the newsletter software. Your data is transmitted to Newsletter2Go GmbH. Newsletter2Go is not allowed to sell your data or use it for any purposes other than the sending of a newsletter. Newsletter2Go is a German, certified provider which was selected in accordance with the requirements of the General Data Protection Regulation and the Federal Data Protection Act.
Your right to objection
Below we provide you with the necessary information regarding your right to object in accordance with Article 21 of the Datenschutz-Grundverordnung (DSGVO). The objection is not subject to any condition regarding form and should be addressed to:
REFA Bundesverband e.V.
1. Right of objection in individual cases
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Article 6 Absatz 1 letter e DSGVO (processing of data in the public interest) and Article 6 Absatz 1 letter f DSGVO (processing of data on the basis of a balancing of interests). This also applies to profiling based on this provision with regards to Article 4 No. 4 DSGVO. If you file an objection, we will no longer process your personal data unless we can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
2. The right of objection to the processing of data for direct marketing purposes
In some individual cases we process your personal data in order to conduct direct marketing. You have the right to object to the processing of your personal data for the purpose of such marketing activities at any time. This also applies to profiling, as far as it is connected to such direct marketing. If you file an objection to the processing of your data for this purpose, we will no longer process your data for this purpose.
3. Right to information
You may ask the person responsible for confirmation as to whether data concerning you is being processed. In the event of such processing taking place, you can demand that the person responsible provide you with the following information:
- The purposes for which the personal data is being processed
- The categories of personal data that are processed
- The recipients, or categories of recipients, to whom your personal data is being disclosed or will be disclosed
- The planned duration of storage of your personal data or, if it is not possible to provide specific information on this, the criteria for determining the storage duration
- The existence of the right to correct or delete your personal data, the existence of the right to restrict the processing by the person responsible or the right to object to the processing
- The existence of the right to appeal to a regulator
- All available information about the origin of the data if the personal data is not collected from the person concerned
- The existence of automated decision-making including profiling in accordance with Article 22 Absatz 1 and 4 DSGVO and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the person concerned
You have the right to request information on whether your personal data will be transferred to a third country or to an international organisation. In this context you can demand to be informed about the appropriate guarantees according to Article 46 DSGVO in connection with the transfer.