Data Protection Legislation

The ‘Bundesverband Holzpackmittel, Paletten, Exportverpackung (HPE) e.V.’

(the ‘HPE’ – German Federal Timber Packaging Materials, Palettes and Export Crates Association, Reg.),

Rhoendorfer Strasse 85,

D-53604 Bad Honnef, Germany.

Tel.: +49 (0) 2224 96 9150

Email address: office@hpe.de

Website URL: www.hpe.de

 

Additional Details: ‘Imprint and Disclaimer’

 

Visiting and using the website pages of the ‘Bundesverband Holzpackmittel, Paletten, Exportverpackung e.V.’ (the ‘HPE’ – German Federal Timber Packaging Materials, Palettes and Export Crates Association, Reg.), (hereinafter referred to as the ‘HPE’), is essentially always possible without the necessity of indicating any personally referred data. Should however affected persons require to use the services of ‘HPE’ via its website pages, the processing of personally referred data could become necessary. Whenever the processing of personally referred data is requisite and when such processing is not based upon any legislation, we generally ask the permission of the person affected. The processing of personally referred data, for example the name, postal address, email address, telephone number or any other details of affected persons, is always undertaken commensurate with the ‘GDPR’-General Data Protection Regulation of the European Union, and also in accordance with German National Data Protection statutory requirements. The purpose of this ‘Data Protection Declaration’ is for ‘HPE’ to inform the public at large, the supervisory authorities, tax consultants, services’ providers, its members and cooperating partners, and also its business partners; of the type, extent and purpose of the personally referred data raised, exploited and processed. In addition, all affected persons are advised on their statutory rights by means of this Data Protection Declaration.

 

 

‘HPE’ has, as the responsible data processor, implemented various technical and organisational measures, in order to provide the best possible ‘watertight’ protection to ensure the best possible safety for the personally referred data processed via our website. However, data transmissions through the internet can essentially have safety loopholes, so that absolute protection cannot be entirely guaranteed. For this reason, all affected persons are at liberty to communicate their personally referred data to us by alternative means, for example via the telephone.

 

1. ‘Terminology’

The ‘HPE’ Data Protection Declaration employs the terminology stated in the European Union ‘GDPR-General Data Protection Regulation 2016/679’ upon issue. The ‘HPE’ Data Protection Declaration should also be easily readable and understandable by the public at large, the supervisory authorities, tax consultants, services’ providers, its members and cooperation partners, and also its business partners. For this reason, we are therefore explaining the terminology in advance of the giving of the Declaration.

This ‘Data Protection Declaration’ thus employs the following terminology:

 

a) ‘Personally referred data’

Personally referred data includes all information, which refers to an identified or identifiable natural person (hereinafter referred to as ‘affected persons’). A natural person is deemed identifiable, who can be identified directly or indirectly, and in particular by recognition through the allocation of characteristics, such as the name, an identity number, location details, online recognition, or by one or more particular characteristics, which express the physical-, physiological-, genetic-, psychic-, economic-, cultural- or social -identity of such a natural person.

 

b) ‘Affected persons’

Affected persons are every identified or identifiable person, whose personally referred data are processed by the agency responsible for the processing.

 

c) ‘Data processing’

Data processing means any procedure, with or without the assistance of automated processes, or any procedural series for the raising, registering, organising, filing, saving, storing, adjusting or altering of personally referred data. It can also include the selection, querying, exploitation, and revelation by transmission, dissemination, or any other form of preparation, comparison or linking, together with the actions of restricting, erasing or destruction.

 

d) ‘Restrictions on data processing’

Restrictions on data processing can be effected by ‘marking’ saved and stored personally referred data for the purpose of restricting future processing.

 

e) ‘Profiling’

Profiling is any form of the automated processing of personally referred data, which is destined to exploit such personally referred data for purposes of evaluating certain personal aspects referable to natural persons. Profiling is especially employed for evaluating aspects, such as work performance, the economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location, and to analyse or predict such aspects.

 

f) ‘Pseudonymisation’

Pseudonymisation is the processing of personally referred data by means of which the personally referred data can no longer be allocated to specific affected persons, without the addition of extra information. Such extra information should then be separately archived and be subject to certain technical and organisational measures, which ensure that the personally referred data cannot be allocated to an identified or identifiable natural person.

 

g) ‘The responsible agency or the agency responsible for the data processing’

The responsible agency or the agency responsible for the data processing are the natural or legal persons, authority, institution or any other agency, who or which alone, or mutually with others take decisions on the purpose and means for the processing of personally referred data. When the purpose and means for the data processing are provided for under the legislations of the European Union or its member states, then the responsible agency or the agency responsible and/or certain criterions of his, her, its nomination can also be provided for under the legislations of the European Union or its member states.

 

h) ‘Subcontracted data processors’

Subcontracted data processors are natural or legal persons, authorities, institutions or other agencies, who or which process personally referred data under contract to others.

 

i) ‘Recipients’

A recipient is a natural or legal person, or an authority or institution or any other agency, to whom personal referred data are revealed, independent of whether the recipient is a third party or not. Those authorities however, which possibly obtain personally referred data within the scope of any investigatory mandate, are not ‘recipients’ within the meaning of the legislations of the European Union or its member states.

 

j) ‘Third parties’

Third parties are natural or legal persons, authorities, institutions or other agencies apart from the affected persons, who are authorised to process personally referred data. These may also be the responsible person itself, a subcontractor and other persons, who act under the immediate authority of a responsible person or subcontractor.

 

k) ‘Permission’

Permission is meant to mean an approval given voluntarily and unmistakeably by affected persons in certain cases, in the informative form of a declaration or by means of any other certain confirmatory act, under which affected persons indicate, that they agrees to the processing of their personally referred data.

 

2. ‘The name and postal address of the agency responsible for the data processing of the personally referred data’

The agency responsible for the processing of the personally referred data, pursuant to the legislations of the European Union (‘GDPR’-General Data Protection Regulation) and its member states, and other statutory requirements with data-protection character, is:

 

The ‘Bundesverband Holzpackmittel, Paletten, Exportverpackung (HPE) e.V.’

(the ‘HPE’ – German Federal Timber Packaging Materials, Palettes and Export Crates Association, Reg.),

Rhoendorfer Strasse 85,

D-53604 Bad Honnef, Germany.

Tel.: +49 (0) 2224 96 9150

Email address: office@hpe.de

Website URL: www.hpe.de

 

3. ‘Cookies’

The website pages of ‘HPE’ employ so-called ‘Cookies’. These are text files, which are downloaded via the internet browser program of the visitor from the ‘HPE’ website onto the computer PC system of the visitor and saved and stored there.

Numerous websites employ cookies. Many cookies contain so-called ‘Cookie IDs’. A cookie ID is an explicit recognition of a cookie. It comprises a character string, by means of which the website and its server can allocate the specific visitor internet browser program where the downloaded cookie is saved and stored. This enables the visited website and its server to differentiate between the individual internet browser program and the affected persons from others, which also contain cookies. Any internet browser program can therefore be recognised and re-identified via the explicit cookie ID.

As a result of the employment of cookies, ‘HPE’ can provide visitors to- and users of -the website with user-friendly services, which otherwise would not be possible without the setting of the relative cookies.

By means of such cookies, information and our offerings can be optimised for the benefit of the user of the ‘HPE’ website. The cookies enable the returning visitor to the ‘HPE’ website to be recognised again. This function serves the purpose of facilitating the enjoyment of the ‘HPE’ website for the users. A user revisiting a website, which employs cookies, need not for example have to repeat his or her access data every time, because these have been adopted by the cookie on the website and correspond with the cookie downloaded onto the computer PC system of the user. A further example is the cookie of a shopping basket at the cashpoint outlet of the online shop. The online shop makes a note of the article purchased, which the customer virtually lays in the shopping basket, via a cookie.

All affected persons can however prevent the downloading of cookies onto their PC computer systems at all times by making an appropriate setting in their internet browser program. This setting counteracts the setting of cookies. Furthermore, all already set cookies on an internet browser program can be erased at any time by a setting on the internet browser program or by external erasing software. Such settings are normal functions in all internet browser programs. When affected persons make such settings in their internet browser programs, then under circumstances not all functions on the ‘HPE’ website can be fully enjoyed.

 

4. The registering of general data and information

The ‘HPE’ website registers and collects a series of general data and information every time a visitor or user connects to the website. Such general data and information are saved and stored in the log files of the ‘HPE’ server. What is registered, saved and stored are: (1) the type of internet browser program of the visitor or user and its version, (2) the operating system of the visiting computer PC system, (3) the internet website from which an accessing computer PC system originates to the ‘HPE’ server (the so-called ‘referrer’), (4) the sub websites through which the accessing computer PC system is routed to the ‘HPE’ website, (5) the date and time of day of any access to the ‘HPE’ website, (6) the internet protocol address (the so-called ‘IP address’), (7) the ‘ISP’ – internet service provider of the accessing computer PC system, and (8) similar sundry data and information which serve the activation of countermeasures against hazards in cases of cyber-attacks to the information technological systems.

In the exploitation of such general data and information, ‘HPE’ draws no conclusions as to the identity of the affected accessing person. Such data and information are rather more employed for (1) to display the content of the pages of the ‘HPE’ website correctly, (2) to optimise the display of the pages of the ‘HPE’ website as well as its advertising items, (3) to ensure the ongoing functionality of the information technological systems and the construction technique of the ‘HPE’ website, as well as (4) to provide the law enforcement agencies with the requisite information in cases of a cyber-attack. Such anonymously raised data and information are exploited by ‘HPE’ statistically and also with the intention of enhancing data protection and data security at ‘HPE’, in order in the last resort to ensure an optimum level of protection for the processed personally referred data. Such anonymous data on the ‘HPE’ server log files are however kept separate from all other data saved and stored concerning affected persons at ‘HPE’.

 

5. Registrations on the ‘HPE’ website

All affected persons visiting the ‘HPE’ website have the possibility of registering themselves by indicating their personally referred details, either direct on the website or with the persons responsible for the data processing. The details of the personally referred data required for registration on the website or with the persons responsible for the data processing, is indicated in the ‘registration view’. The details of the personally referred data entered by the affected persons, will only be raised for internal exploitation by the persons responsible for the data processing and for their own purposes, and then duly saved and stored. The persons responsible for processing the data can pass the personally referred data to one or more subcontractors, for example to a ‘parcel service’, which will also only exploit the data for internal purposes, but the data relayed will remain attributable to the responsibility of the ‘HPE’ persons responsible for the data processing.

As a result of the act of registration on the ‘HPE’ website, for the purposes of the persons responsible for the data processing, the ‘IP Address’ of the ‘ISP’ – internet service provider and the date and time of day of the registration, will also be saved and stored. The saving and storing of such data is effected against the background, that misuse of the ‘HPE’ website services can only be prevented in this manner, and that such data will enable the investigatory agencies to pursue criminal offences. In this regard therefore, the saving and storing of such data is necessary for purposes of safeguarding the persons responsible for processing the data. None of this data is essentially passed to third parties, unless statutory requirements require the reporting of the data, or these are also required for investigatory purposes.

The registration of affected persons, who voluntarily submit details of their personally referred data enables ‘HPE’ to offer such affected persons content and services, which in the nature of things ‘HPE’ can only provide for registered visitors and/or users. Registered persons are however at liberty to alter the personally referred details indicated upon registration at all times, or to have these erased from the database of the party responsible for their processing.

The party responsible for the processing of personally referred data will inform all affected persons at any time upon enquiry what data concerning the affected persons is being saved and stored. Moreover, a party responsible for the data processing will correct or erase such data upon the request of any affected persons, provided that no statutorily required archiving time periods are involved. ‘HPE’, as the party responsible for the processing of the personally referred data is available at all times to respond to any affected persons in this connection with any information requested.

 

6. Contact possibilities via the ‘HPE’ Website

The ‘HPE’ internet website includes details required by statutory requirements, which enable a rapid electronic contact to be made as well as immediate communication, and which also include a general so-called ‘electronic mail’ address (email address). Whenever affected persons make contact with the party responsible for the processing of personally referred data, either by email or via the contact form, the personally referred data of the affected persons will be automatically saved and stored in the ‘HPE’ system database. Such personally referred data communicated on a voluntary basis to the party responsible for the data processing, will be exploited for purposes of the processing itself, or for the making of contact. None of such personally referred data will be transmitted to third parties.

 

7. Commentary function via ‘blogs’ on the ‘HPE’ internet website

‘HPE’ provides visitors and users on its website with a ‘blog’ for the possibility of leaving individual commentaries concerning the various ‘blog’ contributions. A ‘blog’ is generally a public ‘portal’ on a website, which can be read openly by all visitors and users, and in which one or more persons – which are called ‘bloggers’ or ‘web bloggers’ - can post articles or give vent to their thoughts via so-called ‘blog posts’. Comments on such blog posts can as a rule also be left by third parties. When affected persons leave comments in a blog published on the ‘HPE’ website, details of the commentary will be recorded and published, as well as information on the date and time of day of the posting of the comment, and also the user name (pseudonym) selected by the affected persons. Furthermore, the ‘IP Address’ of the ‘ISP’ – internet service provider of the affected persons will also be registered and recorded. The saving and storage of the IP Address is made for security reasons, as well as in the event, that the affected persons infringe the rights of third parties in a posted commentary or posts illegal content in a comment. The saving and storage of such personally referred data is undertaken in the own interests of the party responsible for the processing so that it can exculpate itself in case of any legal or statutory infringement. None of such personally referred data will be transmitted to third parties, provided that a transmission is not statutorily required, or such information serves the judicial defence of the party responsible for the processing.

 

8. The routine erasing or blocking of personally referred data

‘HPE’, as the party responsible for the processing of personally referred data, processes, saves and stores personally referred data of affected persons only for that period of time, which is necessary for achieving the purpose of the recording, or when such is foreseen under the European Union ‘GDPR’-General Data Protection Regulation or under any other legislation or ordinances, to which the party responsible for the data processing, is subject.

When the purpose for the recording of the personally referred data- or the time period of recording –expires, then such personally referred data will be routinely blocked and erased in accordance with statutory requirements.

 

9. The statutory rights of affected persons

 

a) Right of confirmation

All affected persons are entitled under the European Union ‘GDPR’-General Data Protection Regulation, to demand a confirmation from the party responsible for processing the personally referred data, as to whether the personally referred data are actually processed, or not. When any affected persons desire to obtain such a confirmation, then they can demand such at any time of ‘HPE’ as the party responsible for processing the personally referred data.

 

b) Right to information

All persons affected by the processing of their personally referred data are statutorily entitled, under the European Union ‘GDPR’-General Data Protection Regulation, to obtain at any time details free of charge of the personally referred data saved and stored, and to receive a copy of this information. Furthermore, the forementioned ‘GDPR’-General Data Protection Regulation also entitles affected persons to obtain the following information from the party responsible for the processing of the personally referred data:

o the purpose of the processing;

o the categories of personally referred data, which are processed;

o the recipient or categories of recipients, to whom the personally referred data are revealed, or to whom they will be revealed, in particular in foreign countries or to international organisations;

o when possible, the intended duration, for which the personally referred data are saved and stored, or when possible, the criterions for the determination of such duration;

o the existence of- an entitlement to correction or erasure of the relative personally referred data, or -a right to a restriction on the processing by the party responsible, or -contradictive objection against such processing;

o the existence of a right of complaint to the supervisory authority;

o when the personally referred data are not raised on the affected persons: then, all available information on the origin of the data;

o the existence of an automatic decision-taking mechanism, to include profiling, pursuant to Art. 22, Paras. 1 and 4 of the forementioned ‘GDPR’-General Data Protection Regulation, and – at least in such cases – meaningful information on the logic involved, as well as the extent and the envisaged effects of such dissemination for the persons affected.

Furthermore, affected persons are also entitled to obtain information, as to whether the personally referred data are being passed to foreign countries or to an international organisation. If this is the case, affected persons also have a right to obtain information concerning suitable guarantees in connection with such a transmission abroad.

When affected persons seek to take advantage of such right to information, they can refer at all times to ‘HPE’ as well as to the party responsible for the data processing.

 

c) Right of correction

All persons affected by the raising of personally referred data have a statutory right under the ‘GDPR’-General Data Protection Regulation, to demand the correction of their personally referred data. In addition, affected persons are also entitled to require the completion of any incomplete personally referred data, under due consideration of the purpose for their processing, even on the basis of a supplementary declaration on the part of the date processor.

When any affected persons seek to take advantage of such right to correction, they can refer at all times to ‘HPE’ as well as to the party responsible for the data processing.

 

d) Right of erasure (right of being forgotten)

All persons affected by the processing of their personally referred data are entitled under the forementioned ‘GDPR’-General Data Protection Regulation, to require the person processing the data, that the personally referred data specifically referring to them personally will be immediately erased, once one of the following situations occurs, or when the processing is no longer necessary:

• the personally referred data was raised for certain purposes, or processed by certain ways and means, where such is no longer necessary;

• an effected person withdraws his-, her-, its –permission, on which the processing of personally referred data is based, pursuant to Art. 6, Para. 1, lit. a of the forementioned ‘GDPR’-General Data Protection Regulation , or pursuant to Art. 9, Para. 2, lit. a thereof, and the application of any other legislative basis is missing;

• affected persons raise a contradictive objection against the data processing under Art. 21, Para. 1 of the forementioned ‘GDPR’-General Data Protection Regulation, and no prior justified grounds exist for the data processing, or affected persons raise a contradictive objection pursuant to Art. 21, Para. 2 of the forementioned ‘GDPR’-General Data Protection Regulation, against such data processing;

• the personally referred data was illegally processed;

• the erasure of the personally referred data is statutorily required under the European Union ‘GDPR’-General Data Protection Regulation or under any other legislation or ordinances, to which the party responsible for the data processing, is subject;

• the personally referred data was raised on the basis of services offered by the ‘information corporate entity’, under Art. 8, Para. 1 of the forementioned ‘GDPR’-General Data Protection Regulation.

Whenever any one of the foregoing situations arise, and affected persons desire the erasure of any personally referred data, which is saved and stored at ‘HPE’, they can apply at all times, either to ‘HPE’ or to the party responsible for the processing of the data. ‘HPE’ will ensure, that the request for erasure is immediately respected.

Should however the personally referred data have been openly published by ‘HPE’, and when ‘HPE’ is statutorily required to effect an erasure of personally referred data under Art. 17, Para. 1 of the forementioned ‘GDPR’-General Data Protection Regulation, then ‘HPE’ will introduce commensurate countermeasures together with all available techniques and pay the outlay of all implementation costs, to include those of a technical nature, so as to inform the other parties, who are responsible for the processing of the personally referred data, that the persons affected have demanded the erasure of all links to such personally referred data, or copies or replicas thereof, once the processing is no longer necessary. ‘HPE’ will undertake all requisite countermeasures in individual cases, as required.

 

e) The entitlement to a restriction in the processing of personally referred data

All persons affected by the processing of personally referred data are entitled under the forementioned ‘GDPR’-General Data Protection Regulation, to require a restriction in the processing of their personally referred data, once any of the following prerequisites occur:

o the correctness of the personally referred data is disputed by any affected persons, and in particular for the duration of the time period necessary for the verification of the correctness to be undertaken by the party responsible for the data processing;

o the data processing is illegal and affected persons reject the erasure of the personally referred data, and requires instead a restriction in the exploitation of the personally referred data;

o the party responsible for the data processing no longer requires the data for purposes of processing, but the affected persons require these for purposes of enforcements, or for the assertion or defence of legal claims;

o affected persons have raised a contradictive objection to the processing of personally referred data, under Art. 21, Para. 1 of the forementioned ‘GDPR’-General Data Protection Regulation, and it is still unclear as to whether the party responsible for the data processing has justified grounds which override the objection of any affected persons.

Once any of the foregoing prerequisites applies, and any affected persons seek to restrict the personally referred data saved and stored at ‘HPE’, he-, she- it can apply to ‘HPE’ as the party responsible for processing the data. Then, ‘HPE’ will introduce such a restriction in the data processing.

 

f) The entitlement to the transferability of personally referred data

All affected persons are entitled under the forementioned ‘GDPR’-General Data Protection Regulation, to obtain their personally referred data in a structured, commonplace and machine-readable form from the party responsible for processing and preparing such data. Affected persons are also entitled under the law, to have the personally referred data transmitted without any hindrance by the party responsible for their processing, to another responsible data processor. The prerequisite is, that the processing of such personally referred data was subject to permission granted pursuant to Art. 6, Para. 1, lit. a of the forementioned ‘GDPR’-General Data Protection Regulation, or under Art. 9, Para. 2, lit. a thereof, or on the basis of a contract as foreseen under Art. 6, Para. 1, lit. b thereof, and the data processing was undertaken by means of an automated process. A further proviso is, that the data processing is not for the purpose of addressing matters of public interest, or the processing is not undertaken for purposes of meeting assignments imposed on the data-processing responsible person by the authorities.

Furthermore, affected persons, in the exercise of their statutory right to data transferability, under Art. 20, Para. 1 of the forementioned ‘GDPR’-General Data Protection Regulation, have the entitlement to insist, that the personally referred data is  transmitted direct from the one party responsible for the processing to the other party to become responsible for the processing, provided that this is technically possible, and provided that the rights and freedoms of other persons are not infringed.

Affected persons can assert these rights to the transferability of personally referred data at any time by application to ‘HPE’.

 

g) The entitlement to contradictive opposition

All affected persons are entitled by the forementioned ‘GDPR’-General Data Protection Regulation, on grounds of their particular situation, to assert contradictive opposition against the processing of their personally referred data, which are raised pursuant to Art. 6, Para. 1, lit. e or f of the forementioned ‘GDPR’-General Data Protection Regulation. The same applies to any form of ‘profiling’ undertaken on the basis of such statutory requirements.

In the event of any contradictive opposition, ‘HPE’ will no longer process the relevant personally referred data, unless mandatory and protection-worthy grounds exist for such processing, which predominate over the interests, rights and freedoms of affected persons, or the processing serves the assertion, exercise or defence of statutory or legal claims.

When ‘HPE’ processes personally referred data for purposes of direct canvassing-/ advertising, then affected persons are entitled under the statute law at any time to assert contradictive opposition against the exploitation of their personally referred data for such purposes. This also applies for the so-called ‘profiling’ activities when in connection with such direct advertising. Should affected persons contradictorily object to the exploitation of their personally referred data for such advertising purposes, then ‘HPE’ will desist from doing so.

In addition, all affected persons are entitled, on the grounds of their particular situation, to assert contradictive opposition against the processing of their personally referred data, which is raised by ‘HPE’ for economic or historical research purposes, or for statistical purposes under Art. 89, Para. 1 of the forementioned ‘GDPR’-General Data Protection Regulation, unless such processing is an assignment imposed by the authorities as necessary in the public interest.

For the exercise of the statutory entitlements, it is sufficient for affected persons to apply direct to ‘HPE’. Affected persons are also at liberty, in connection with the services of the information corporate entity, notwithstanding the Directive of the European Communities: ‘2002/58/EC’ to exercise their contradictive opposition by mans of automated procedures, where technical specifications are employed.

 

h) Automated decisions in individual data processing cases including so-called ‘profiling’

Any persons affected by the processing of their personally referred data are entitled under the forementioned ‘GDPR’-General Data Protection Regulation, not to be solely subjected to an automated decision, including so-called ‘profiling’, which involves them in a statutory or legal effect, or which considerably encroaches upon them by any other means, provided such decision is (1) not for the conclusion- or the execution -of a contract between the affected persons and the party responsible for the data processing, or (2) because such are permissible under the statutory requirements of the European Union or its member states, to which the party responsible for the data processing is subject; and such statutory requirements include reasonable measures for upholding the rights and freedoms of the justified interests of the affected persons, or (3) the data processing is undertaken with the express permission of the affected persons.

When such a decision is necessary (1) for the conclusion- or the execution –of a contract between affected persons and the party responsible for the processing of the personally referred data, or when (2) a decision is taken with the express permission of any affected persons, then ‘HPE’ will adopt suitable measures to ensure the rights and freedoms as well as the interests of all such affected persons, whereby at least a right shall exist for an intervention by the party responsible for the data processing for purposes of explaining its standpoint and the challenging of any such decision.

When any affected persons desire to assert their statutory objection to automated decisions, then they should contact ‘HPE’ at any time.

 

i) The right of revocation of statutory data-protection permissions

All persons affected by the processing of their personally referred data are entitled under the forementioned ‘GDPR’-General Data Protection Regulation, to revoke their permission to the processing of their personally referred data, at all times.

When any affected persons desire to assert their statutory right to revoking their permission, then they should contact ‘HPE’ at any time.

 

10. The statutory basis for the processing of personally referred data

Art. 6 I, lit. a of the forementioned ‘GDPR’-General Data Protection Regulation provides the statutory basis for the data processing procedures, under which permission is obtained for a certain data-processing purpose. When the processing of the personally referred data is necessary for the execution of a contract, where the contractual party is the party responsible for the data processing, for example in the case of the processing of the personally referred data, which is destined for the supply of goods or the provision of any kind of services or to enable a contractual consideration, then the data-processing procedures are based upon Art. 6 I, lit. b of the forementioned ‘GDPR’-General Data Protection Regulation. The same also applies for those data-processing procedures, which become necessary for pre-contractual measures, for example in the case of enquiries for products or services. When ‘HPE’ is subject to statutory requirements, which make the data-processing of personally referred data necessary, such as for compliance with fiscal liabilities, then the data-processing is based upon Art. 6 I, lit. c of the forementioned ‘GDPR’-General Data Protection Regulation. In infrequent cases, the processing of personally referred data can become necessary, in order to protect the existential interests of affected persons or any other natural persons. Such would, for example be the case where a visitor to the offices of ‘HPE’, or to an event organised by ‘HPE’ suffered accident and injury, and thereafter the name, age, sickness-/ personal accident insurance details or any other such existential information needed to be communicated to a medical practitioner, hospital or any other third party. In such cases, the data processing would be based upon Art. 6 I, lit. d of the forementioned ‘GDPR’-General Data Protection Regulation. Ultimately, data-processing procedures could also be based upon Art. 6 I, lit. f of the forementioned ‘GDPR’-General Data Protection Regulation. This statutory basis includes data-processing procedures, which are not covered by any of the foregoing statutory requirements, where the data processing is necessary for upholding a justified interest of ‘HPE’ or a third party, provided that the interests, basic rights and basic freedoms of the affected persons do not predominate. Such data-processing procedures are statutorily permitted because the forementioned ‘GDPR’-General Data Protection Regulation foresees these. The legislative opinion was, that a justified interest can be assumed, when the affected persons are customers of the party responsible for the data processing (comp. Recital 47, Sentence 2 of the forementioned ‘GDPR’-General Data Protection Regulation).

 

11. Justified interests in data processing, which are undertaken by the party responsible for the processing of personally referred data, the subcontractor or any other third party

When the processing of personally referred data is based upon Art. 6 I, lit. f of the forementioned ‘GDPR’-General Data Protection Regulation, then this involves justified interests, provided that the interests or basic rights and basic freedoms of affected persons, who require the protection of their personally referred data, predominate. On the one hand, such would be the case where the definitive and reasonable relationship between the affected persons and ‘HPE’, as the party responsible for the data processing, also exist, for example for the servicing of- and the provision of information for –the regular members of the ‘HPE’, its partners and interested parties, representing the core business of ‘HPE’, as well as the staff- and workforce -members of ‘HPE’. All justified, reasonable and requisite measures for acquiring new members for the ‘HPE’, are also included, and for the purpose, also for example corporate names, firm’s names, contact persons, postal addresses and website- and email –addresses and telephone numbers, will all be required. On the other hand, there are justified interests for the welfare of the staff- and workforce –members as well as for the equity holders. This affects in particular, but not exhaustively, contractual and contractual-similar situations between ‘HPE’ and any affected persons. As far as that is concerned, it must be taken into consideration when ‘weighing up’ the matter of justified interests, that all affected persons possess an ongoing, comprehensive, contradictory and oppositional entitlement for the revocation of the permission for the processing of their personally referred data, by ‘HPE’. This is based upon the statutory requirements of Art. 21, Para. 2 of the forementioned ‘GDPR’-General Data Protection Regulation, to which attention is especially drawn. When any affected persons desire to assert their statutory right of revocation, then they can always contact ‘HPE’ at any time.

 

12. The actual duration, for which personally referred data may be saved, stored and archived

The criterion for the duration of storage and archiving of personally referred data is the relative statutory archiving requirements. Upon the expiry of such statutory archiving time period requirements, the relative data will be routinely erased, unless still required for contractual purposes or for prior contractual initiations.

Application documentation is archived for six months from the date of the commencement of the employment of a successful applicant.

 

13. The statutory requirements or contractual stipulations for the deployment of personally referred data - the necessity for contractual conclusions - the statutory duties of the persons affected – the deployment of the personally referred data – the possible consequences of the failure of proper deployment

‘HPE’ will here seek to explain to all affected persons, that the collection and deployment of personally referred data is partially required under the statute law (e.g. for tax collection- and rendering purposes), or to meet contractual regulations (e.g. notifications concerning a contractual party). Among other aspects, such can be necessary for concluding an agreement or contract, where affected persons make their personally referred data available to ‘HPE’, which as a consequence need to be processed. All affected persons are required, for example to reveal their personally referred data to ‘HPE’ when concluding an agreement or a contract with ‘HPE’. When affected persons refuse to reveal their personally referred data to ‘HPE’, then no contracts or agreements would be concluded, at all. Before revealing their personally referred data to ‘HPE’, all affected persons should contact ‘HPE’ in advance. ‘HPE’ is then prepared to explain to affected persons whether the deployment of their personally referred data is, in individual cases for statutory requirements of for contractual reasons, or whether these are necessary for concluding contracts or agreements, or not. It can also be explained, as to whether any sort of liability is incurred for revealing personally referred data, and what consequences follow the failure to provide that personally referred data.

 

14. The existence of automated decision-taking mechanisms

‘HPE’ is a responsible organisation and does not operate automatic decision-taking mechanisms.

 

15. Data transmission into third-party foreign countries and the upholding of a reasonable data-protection level – and Google Analytics

The ‘HPE’ website employs the services provided by ‘Google Analytics’. The provider is: Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A.. ‘Google Analytics’ employs so-called ‘cookies’. Cookies are text files, which are downloaded onto the PC computer of the affected person as a visitor to- or user of -the ‘HPE’ website, and enable an analysis to be undertaken by ‘HPE’ of the user habits on its website by the visiting affected persons. The information collected by the cookies on the use of the ‘HPE’ website by visitors are, as a rule transmitted to a ‘Google’ server in the United States, and saved and stored there. However, ‘HPE’ has activated the function of ‘IP Anonymization’ on its website. The function abbreviates the ‘IP Address’ of those affected persons by ‘Google, Inc.’, who are resident in the member states of the European Union and the European Economic Area, by a special agreement, before transmission to the U.S.A.. Only in exceptional cases, will the ‘IP Addresses’ of affected persons be transmitted direct to the United States and then abbreviated there. The operators of the ‘HPE’ website have an agreement with ‘Google, Inc.’ for the exploitation of the personally referred data, in order to evaluate the use of the ‘HPE’ website by the effected persons as visitors and users, and for the collection and analysis of visitor website activities as well as internet use in general, and also to provide other associated services for the ‘HPE’ website operators, additionally. The ‘IP Addresses’ communicated to ‘Google, Inc.’ by the internet browser programs on the computer PCs of the affected persons, will not be mixed together with other data on the internal Google IT systems. Affected persons can also however avoid the downloading and storing of cookies on their IT systems by making relative settings in their internet browser program on their PC computers. In such cases however, affected persons should be aware, that they may not be able to enjoy all functions of the ‘HPE’ website without the function of such cookies. Affected persons can also, if desired take further preventive action against the registration of their personally referred data by cookies in reference to their use of the ‘HPE’ website (including the registration of their ‘IP Address) by ‘Google, Inc.’, as well as the processing of their personally referred data by ‘Google, Inc.’, by downloading a so-called ‘internet browser plug-in facility’ from the following link: https://tools.google.com/dlpage/gaoptout?hl=de .

All affected persons can also prevent the registration of their personally referred data by ‘Google Analytics’ by visiting the following link. From there, a so-called ‘Opt Out Cookie’ can be downloaded, which will prevent the registration of the personally referred data when visiting the ‘HPE’ website: by means of the ‘deactivate Google Analytics’ function. The data-protection declaration of ‘Google Analytics’ has more information on the deployment of user data. See:

https://support.google.com/analytics/answer/6004245?hl=de .

 

Google Maps

The ‘HPE’ website employs the ‘Google Maps API’ facility, in order to illustrate geographical information visually. When website visitors use ‘Google Maps’, Google, Inc. also raises data concerning the use of the map function by ‘HPE’ website visitors. The data is then processed and exploited. Affected persons can however obtain information on the processing of such data by Google, Inc., by consulting the Google data-protection notices. Personal data-protection settings can also be altered in the ‘data protection center’. Detailed instructions on the administration of own data in conjunction with Google products, can be found by affected persons via the following link: www.google.de/intl/de/policies/privacy.

 

YouTube Videos

YouTube Videos are also embedded in the ‘HPE’ website. The provider of the relative plug-ins is: YouTube, LLC, 901 Cherry Avenue, San Bruno, CA 94066, U.S.A.. When a website is visited where a YouTube plug-in is embedded, a connection will be made to the YouTube servers in the United States. YouTube then learns what websites the affected persons visit. When affected persons are logged on to their YouTube accounts, then the YouTube company can match their surfing habits. But, this can be avoided by logging off from the YouTube account.

Once a YouTube video is opened and running, the provider sets cookies on the visiting PC computer to collect information on the user habits of affected users. Additional information on ‘YouTube’ data protection can be obtained from the data-protection declaration of this services’ provider from link: www.google.de/intl/de/policies/privacy.

 

The use of Facebook Social plug-ins

This services’ provider employs ‘Social Plug-ins’ (hereinafter referred to as ‘plug-ins’) of the social network ‘www.facebook.com’, which operates in Europe through ‘Facebook Ireland Ltd.’, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Republic of Ireland (hereinafter referred to as ‘Facebook’). The plug-ins can be recognised by one of the Facebook Logos (a white ‘f’ on a blue tile. The terms ‘like’ or a ‘thumbs up sign’), or are denoted with the addition of ‘Facebook Social Plugin’. The list and the appearance of the Facebook Social Plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/.

 

Once a visitor enters a website of this services’ provider, which contains such a plug-in, the internet browser program of the visitor communicates directly with the Facebook servers. The content of the plug-in is transmitted by Facebook directly to the browser of the visitor and then connected to the visited website. The website operator has therefore no influence on the extent of the data, which Facebook raises by means of the plug-in, and informs the user as affected persons corresponding to the state of its knowledge.

 

The connection to the plug-in gives Facebook information, that the user is using a relative page of the website offering. When the user is also logged on to Facebook, Facebook can allocate the visit to the Facebook account. When users interact with the plug-in, for example they click on the ‘like’ button or register a comment, the relative information will be transmitted by the internet browser program of the affected person direct to Facebook and saved and stored on its servers. Although the user may not be a member of the Facebook social network, the possibility nevertheless exists, that Facebook can get to know their ‘IP Address’ and saves and stores this. Facebook assures, that in Germany only an anonymized IP Address is registered and stored.

 

The data-protection notices of Facebook explain the purpose and extent of the raising of the personally referred data and their onward processing, and the exploitation of the data by the Facebook Concern, as well as the relative rights and browser-setting possibilities for the protection of the privacy of the users or affected persons. The data-protection notices are available from: https://www.facebook.com/about/privacy/.

 

If users as affected persons are also members of the Facebook social network, and desire that Facebook does not collect data on them via the ‘HPD’ website, and links up with the membership personally referred data saved and stored at Facebook, then they should log off from the Facebook social network before entering the ‘HPE’ website. Further settings and revocation possibilities can be obtained on the exploitation of data for advertising purposes, from within the Facebook profile settings, at: https://www.facebook.com/settings?tab=ads.

 

The ‘+1’ button of ‘Google’

The ‘HPE’ website also uses the services of the ‘+1’ button of the ‘Google Plus social network, which is operated by Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. (hereinafter referred to as ‘Google’). The Button is recognisable by the sign: ‘+1’ on a white or coloured background.

 

When visitors as affected persons enter a website including such services displayed by the ‘+ 1’ button, the internet browser program of the visitor makes a direct connection with the ‘Google’ servers in the United States. The content of the ‘+ 1’ button is then returned to the internet browser program of the user as an affected person and then connected into the ‘HPE’ website. ‘HPE’ therefore has no influence on the extent of the personally referred data, which ‘Google’ raises via the Button. ‘Google’ assures, that no personally referred data will be raised without clicking on the Button. When however,’ Google Plus’ members are already logged on to ‘Google Plus’, then such personally referred data and the ‘IP Address’ of users as affected persons, will be raised and exploited.

 

The data-protection notices concerning the ‘+ 1’ Button for ‘Google’ users, explain the purpose and extent of the raising of the personally referred data and their onward processing, and the exploitation of the data by the ‘Google’, as well as on the relative rights and browser-setting possibilities for the protection of the privacy of the users or affected persons. The data-protection notices are available from: http://www.google.com/intl/de/+/policy/+1button.html and the FAQ: http://www.google.com/intl/de/+1/button/.

 

Twitter

The ‘Twitter’ services’ provider employs the button of the ‘Twitter’ services. The button is provided by Twitter, Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, U.S.A.. The services are recognisable by the terms ‘Twitter’ or ‘Follow’, in associated with a stylised blue twittering bird. By using the button, affected persons can share a participatory comment or even a page of the ‘HPE’ website via the ‘Twitter’ social network, ‘to follow’ ‘HPE’ via the ‘Twitter’ social network.

 

When users as affected persons enter a website where such a button is set, their internet browser program connects directly to the servers of ‘Twitter’ in the United States. The content of the ‘Twitter’ button is transmitted directly from the ‘Twitter’ servers to the internet browser programs of the users as affected persons. ‘HPE’ therefore has no influence on the extent of the personally referred data, which ‘Twitter’ raises by means of this plug-in and informs the users as affected persons corresponding to the state of its knowledge. According to ‘Twitter’, the ‘IP Address’ of the users as affected persons and the ‘URL’ of the relative website, are revealed upon clicking on the button, but not any other purposes than the display of the button.

The data-protection declaration of ‘Twitter’ can be obtained from the link: http://twitter.com/privacy.

 

16. Final Concluding Declaration

This present Data-Protection Declaration was drafted and adjusted by the ‘data-protection generator’ of the ‘DGD Deutsche Gesellschaft fuer Datenschutz GmbH (Inc.)’, which is active as an external data-protection consultant in Bamberg, Germany, in collaboration with ‘RC GmbH (Inc.)’, a business recycling used computers, and the law offices of the data-protection attorneys-at-law Messrs. WILDE BEUGER SOLMECKE.

The Declaration has now been supplemented by Section 15.

 

The competent data-protection supervisory authority

The competent data-protection authority for ‘HPE’ is:

 

The ‘Landesbeauftragter für Datenschutz und Informationsfreiheit,

Nordrhein-Westfalen’

(The Authorised Agency for Data-Protection and Freedom of Information of the German Federal State of North Rhine Westphalia)

P. O. Box 20 04 44

D-40102 Düsseldorf, Germany

Tel.: +49 (0)211 38 4240

Fax: +49 (0)211 384 2410

Email address: poststelle@ldi.nrw.de

 

Liabilities’ Disclaimer

Notwithstanding careful control of the content of the ‘HPE’ website, ‘HPE’ can adopt no liability for the content of external links. Only the operators of the linked websites are responsible for the content of their websites.

 

Copyright and trademark right

‘HPE’ makes every effort to ensure, that the copyrights in all publications concerning the graphics employed, audio documentation, video sequences and texts, are observed, and that graphics, audio documentation, video sequences and texts originating from its own resources are employed, or it resorts to the employment of royalty-free graphics, audio documentation, video sequences and texts. All brand names and trademarks mentioned within the offerings on the website where these are possibly protected by third parties, are restrictedly subject to the terms and conditions of the relative registered and protected valid trademark rights and copy- and ownership -rights of the beneficial owners. Assumptions are not to be made, that trademarks are not protected by their third-party owners, solely because of the mere mention of the content. The copyrights for published materials, created by authors themselves, remain solely with authors of the relevant pages. Any duplication or exploitation of such graphics, audio documentation, video sequences and texts, into electronic- or print -publications, is not permissible without the express approval of such authors.

 

The legal effectiveness of rejections of liability

This present rejection of liability, is to be considered as an integral part of this website offering, and is also to be deemed the origin from where reference is made to these website pages. Should however, parts or individual references to the various website texts, not meet the current statutory situation, or no longer meet it, or not entirely correspond with it, then the remaining parts are to be contemplated as not being affected thereby in their content and validity.