Data protection policy in accordance with GDPR
The protection of your personal information is important to us. For this reason, we will treat all your personal information as confidential and in accordance with statutory data protection regulations and this data protection policy.
There are various pieces of personal information or data collected when you use this website. Personal information is any data with which you could be personally identified. This data protection policy explains which data we collect and what we use the data for. It also explains how and for what purpose this is done.
Controller
The “Controller”, as defined by the General Data Protection Regulation (GDPR) and other national Data Protection Acts of Member States as well as other provisions relevant to the protection of data, is:
Industrie- und Handelskammer Nord Westfalen (IHK NW) [Chamber of Commerce and Industry of North Westphalia]
Represented by Chief Executive Officer, Dr Fritz Jaeckel
Sentmaringer Weg 61
48151 Münster, Germany
Telephone: +49 (0) 251 707 0
Fax: +49 (0) 251 707 325
E-mail: infocenter@ihk-nordwestfalen.de
Data protection officer
Data protection officer of the controller is:
Kira Schäfer
Sentmaringer Weg 61
48151 Münster
Telefon: 0251 707 0
Fax: 0251 707 325
E-Mail: infocenter@ihk-nordwestfalen.de
I. General information about data processing
1. The extent of personal data processing
We only collect and use the personal data of users of our website insofar as this is required for the provision of a functional website including our contents and services. We only collect and use the personal data of our users after we have obtained their consent to do so. An exception to this principle applies in cases where statutory provisions permit the processing of such data or where actual circumstances make it impossible to obtain prior consent.
2. Legal basis for the processing of personal data
As far as consent has been obtained from the data subject, the lawfulness of processing personal data is based on Art. 6(1a) of the EU General Data Protection Regulation (GDPR).
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 6(1b) GDPR serves as a legal basis. This also applies to the processing that is necessary to carry out pre-contractual measures.
Art. 6(1c) GDPR serves as the legal basis in the case of processing that is necessary to ensure compliance with the legal obligation of our company.
Where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and if such interests or fundamental rights and freedoms of the data subject do not override the first-mentioned interests, then Art. 6(1f) GDPR serves as the legal basis for the processing of personal data.
3. Data deletion and storage period
The personal data of users are erased or barred as soon as the purpose of storage no longer applies.
II. Provision of the website and creation of log files
1. Description and scope of data processing
The online offering provided by our website is hosted by IHK Gesellschaft für Informationsverarbeitung mbH, Hörder Hafenstraße 5, 44263 Dortmund, Germany. This service provider collects and stores the following information for us, which is automatically transmitted by your computer:
Browser type and version
Used operating system
Referrer URL (the previously visited site)
The IP address of your computer
Date and time the server was accessed
2. Legal basis for data processing
The legal basis for the processing of data is Art. 6(1f) GDPR.
3. Purposes of data processing
Data processing is necessary To ensure that our website can be loaded without any problems;
To ensure that our website can be used with ease;
To evaluate the safety and stability of the system, and
other administrative purposes.
A comparison with other databases or a transfer to third parties, even in excerpts, does not take place. We reserve the right to retrospectively review such data if there is a suspicion of unlawful use of our online offering and to pass on such data to authorised third parties.
These are the purposes that constitute our legitimate interest in the data processing pursuant to Art. 6(1f) GDPR.
4. Duration of storage
The data are deleted as soon as the purpose for collection and storage no longer applies. Data is automatically deleted after 30 days at the latest.
5. Right to object and erasure
The collection of data for the provision of the website and the storage of data in log files are essential for the operation of the website. As a result, the user is unable to object.
III. Registration
1. Description and scope of data processing
Users have the option to register with their personal information with our website. To this end, data is entered in an input screen, transmitted to us, and saved. This data is not disclosed to a third party. As a result of the user’s registration, data entered by a registered user is made available to the other registered users of the database.
The user’s consent for processing these data is obtained within the scope of the registration process.
2. Legal basis for data processing
The legal basis for the processing of data is Art. 6(1a) GDPR if prior consent has been obtained from the user.
3. Purpose of data processing
The user’s registration is required for the processing of specific contents and services on our website. The entered data are processed for the purpose of publishing these in the ProtectX database for digitisation service providers and consultants.
4. Duration of storage
The data are deleted as soon as the purpose for collection and storage no longer applies. This is the case for data collected during the registration process when the registration with our website is cancelled or changed.
5. Right to object and erasure
As a user, you have the option to cancel your registration at any time. Please contact the person listed under Contact to do so. You can also change the stored content of your personal data at any time via your set-up profile.
IV. Contact via e-mail
1. Description and scope of data processing
It is possible to contact us via the e-mail address provided on the website. In this case, the user’s personal data will be stored that was transmitted via e-mail.
No data will be disclosed to a third party in this context. The data will be exclusively used for processing the correspondence.
2. Legal basis for data processing
The legal basis for the processing of data transmitted when sending an e-mail is Art. 6(1f) GDPR. If contact via e-mail is made to conclude a contract, then an additional legal basis for processing is applicable according to Art. 6(1b) GDPR.
3. Purpose of data processing
The processing of personal information serves solely the purpose of processing the correspondence. The required legitimate interest in processing the data is also evident in the case of contacting via e-mail.
4. Duration of storage
The data are deleted as soon as the purpose for collection and storage no longer applies. This is the case with personal data transmitted via e-mail when the relevant correspondence process with the user has been concluded. The correspondence process is deemed concluded if the circumstances indicate that the relevant subject or issue has been clarified or resolved.
5. Right to object and erasure
The user can object to the storage of his or her personal data at any time when he or she contacts us via e-mail. Correspondence cannot be continued if this is the case.
Whenever this happens, all personal data stored in the course of making contact will be deleted.
V. Rights of data subjects
Whenever your personal data are being processed, you are considered a “data subject” as defined by the GDPR and you have the rights detailed below against the controllers:
1. Right to information
You can request confirmation from the controllers whether we process personal data concerning you.
If your data are being processed, you can obtain information from the controllers about the points below:
the purposes of the processing of your personal data;
the categories of personal data which are being processed;
the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
the envisaged periods for which the personal data concerning you will be stored or if it is not possible to identify a specific period, the criteria used to determine that period;
the existence of the right to rectification or erasure of the personal data concerning you, the right to restriction of processing by the controller, or the right to object to such processing;
the existence of the right to lodge a complaint with a supervisory authority;
all available information about the source of the data, whenever the personal data have not been collected from the data subject;
the existence of automated decision-making, including profiling in accordance with Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
You have the right to ask for information about whether the personal data concerning you are transferred to a third country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
2. Right to rectification
You have the right to have inaccurate personal data concerning you that were processed, rectified, and/or, incomplete personal data concerning you that were processed, completed. The controller will make the rectification or completion without delay.
3. Right to restriction of processing
In certain circumstances, you have the right to request the restriction of the processing of personal data concerning you:
If you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
If the processing is unlawful and you object to the erasure of your personal data and request a restriction of the use of your personal data instead;
If the controller no longer needs the personal data for processing purposes, but the personal data are required by you for the establishment, exercise or defence of legal claims; or
If you have objected to the processing pursuant to Art. 21(1) GDPR and verification is pending whether your legitimate reasons override the legitimate interests of the controller.
Where the processing of the personal data concerning you has been restricted, these data may only be processed – with the exception of storage – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the processing of personal data has been restricted in accordance with the aforementioned conditions, the controllers will inform you before the restriction is lifted.
4. Right to erasure
a) Obligation to erase
You have the right to request the erasure of the personal data concerning you without delay and the controllers are then under obligation to erase these data without delay, provided one of the reasons below apply:
The personal data concerning you are no longer required for the purposes for which the data were collected or otherwise processed.
You withdraw your consent that relates to the processing in accordance with Art. 6(1a) or Art. 9(2a) GDPR and there is no legal basis for processing otherwise.
You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate reasons for processing or you object to the processing pursuant to Art. 21(2) GDPR.
The personal data concerning you have been processed unlawfully.
The personal data concerning you have to be erased in order to comply with a legal obligation in accordance with Union or Member State law, to which the controller is subject.
The personal data concerning you were collected in reference to services offered by the information association pursuant to Art. 8(1) GDPR.
b) Information to third parties
Where the controllers have made the personal data concerning you public, and if the controllers are under obligation to erase the personal data pursuant to Art. 17(1) GDPR, the controllers will take suitable steps while taking into account available technology and the cost of implementation, including technical measures, to inform parties responsible for processing the personal data that you, as the data subject, have requested the erasure of all links to these personal data or of copies or replications of these personal data.
c) Exceptions
There is no right to erasure to the extent that the processing required for:
Exercising the right to freedom of expression and information;
For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in public interest or in the exercise of official authority vested in the controller;
Reasons of public interest in the area of public health in accordance with Art. 9(2h) and (2i) as well as Art. 9(3) GDPR;
Archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
The establishment, exercise, or defence of legal claims.
5. Right to be informed
If you have established the right to rectification, erasure or restriction of the processing against the controllers, the controllers are under obligation to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controllers about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the responsible party, in a structured, commonly used, and machine-readable format. You furthermore have the right to transmit these data to another controller without hindrance from the controllers to whom the personal data have been provided, as far as
the processing is based on consent pursuant to Art. 6(1a) GDPR or Art. 9(2a) GDPR or a contract in accordance with Art. 6(1b) GDPR, and
the processing is carried out by automated means.
In exercising this right, you furthermore have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This is not permitted should the freedoms and rights of others be adversely affected as a result.
7. Right to object
You have the right to object to the processing of the personal data concerning you, at any time, for reasons relating to your particular situation and based on Art. 6(1e) or (1f) GDPR; this also applies to the profiling based on these provisions.
The controllers will no longer process the personal data concerning you unless the controllers can provide compelling legitimate reasons for protection for the processing which override your interests, rights, and freedoms or if the processing serves the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object to the processing of the personal data concerning you for such marketing, at any time; this also includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
8. Right to withdraw the data protection declaration of consent
You have the right to withdraw your declaration of consent from the controllers at any time. Withdrawing your consent does not affect the lawfulness of prior processing with consent before its withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
is necessary for entering into, or performance of, a contract between you and the controller,
is authorised under Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
takes place with your explicit consent.
However, these decisions are not permitted to be based on special categories of personal data referred to in Art. 9(1) GDPR unless Art. 9(2a) or (2g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the controllers implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you consider the processing of personal data concerning you to violate the GDPR.
The competent supervisory authority is the
Landesbeauftragte für Datenschutz und Informationsfreiheit [State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia]
Postfach 20 04 44
40102 Düsseldorf, Germany
Telephone: +49 (0) 211 38424 0
Fax: +49 (0) 211 38424 10
E-mail: poststelle@ldi.nrw.de
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.