Data Protection Information to Fulfil Transparency Obligations under the GDPR
Protecting your personal data is very important to us. We therefore process your data exclusively on the basis of statutory provisions (EU General Data Protection Regulation – GDPR – and the Federal Data Protection Act – BDSG as amended). In this data protection information we inform you about the most important aspects of data processing. Which data are processed and how they are used depends primarily on the respective contract or mandate.
Chapter I - Data Controller
§ 1 Provider and Controller
The provider and controller within the meaning of Art. 4 No. 7 GDPR is:
oose eG
Schomburgstraße 50
22767 Hamburg
E-Mail: info@oose.de
Tel.: 040 – 414250-0
GnR 1067 Amtsgericht Hamburg, USt-Id DE296653247
Board Members: Nicola Jährig, Felix Heppner, Tim Weilkiens
Chair of the Supervisory Board: Stephan Roth
§ 2 Data Protection Officer
Karsten Klug
External Data Protection Officer (TÜV-certified)
Klug Datenschutz-Consulting
Kaiser-Wilhelm-Str. 93
20355 Hamburg
Tel.: 040 – 4118938-28
Fax.: 040 – 4118938-37
E-Mail: mail@klug-datenschutz.de
Chapter II - Processing Framework
§ 3 Purposes and Legal Bases
(1) We process personal data in accordance with the GDPR and the BDSG:
a) For the fulfilment of contractual obligations under Art. 6 (1)(b) GDPR. Processing is carried out to provide services under the contract or to carry out pre-contractual measures at your request.
b) On the basis of a balancing of interests under Art. 6 (1)(f) GDPR. Processing is necessary to safeguard our or a third party’s legitimate interests, unless your interests or fundamental rights and freedoms requiring protection of personal data override them (e.g. if you are a child). “Third party” means any natural or legal person, authority, institution or other body other than you, the controller, the processor or persons authorised to process data under the controller’s or processor’s direct responsibility. Our legitimate interests include:
- Review and optimisation of procedures for needs analysis in direct customer approach
- Advertising or market and opinion research, unless you have objected
- Assertion and defence of legal claims
- Ensuring IT security and operations
- Prevention and investigation of criminal offences
- Building and facility security measures (e.g. access controls)
- Measures to enforce house rules
- Business management and development of services and products
c) On the basis of your consent under Art. 6 (1)(a) GDPR. Where you have consented to processing for specific purposes, the lawfulness is based on that consent. You may withdraw consent at any time, including for consents given before 25 May 2018; withdrawal does not affect processing carried out before withdrawal.
d) On the basis of legal obligations under Art. 6 (1)(c) GDPR or in the public interest under Art. 6 (1)(e) GDPR. As a company we are subject to various legal obligations (e.g. Civil Code, Commercial Code, tax laws).
§ 4 Data Sources and Categories
(1) We process personal data that we receive from our customers or prospects in the context of the contractual relationship on the basis of consent.
(2) We also process – where necessary to perform the contract – personal data lawfully obtained from public sources (e.g. debtor registers, land registers, commercial and association registers, press, internet) or lawfully provided by other third parties (e.g. registration office).
(3) Relevant categories include identity data (name, company, address), other contact data (date and place of birth, nationality), identification documents (e.g. ID data) and authentication data (e.g. signature). They may also include transaction data (e.g. payment orders), performance-related data (e.g. invoice details), financial information (e.g. creditworthiness, asset origin), marketing and sales data, documentation data and comparable information.
§ 5 Retention Period
(1) We process and store personal data as long as required to fulfil contractual and legal obligations. The usual retention period is three years, but not longer than ten years after the end of the contractual relationship.
(2) If data are no longer required for contractual or legal purposes, they are regularly deleted unless temporary further processing is necessary for reasons such as:
a) Compliance with commercial and tax retention obligations under the Commercial Code and Fiscal Code (2–10 years)
b) Preservation of evidence under statutory limitation periods (up to 30 years, regular period 3 years)
§ 6 Obligation to Provide Data
(1) Providing personal data is necessary for the conclusion and performance of the contract or mandate.
(2) Failure to provide data may prevent contract formation.
§ 7 Automated Decision-Making and Profiling
(1) We do not use fully automated decision-making under Art. 22 GDPR to conclude or perform contracts.
(2) We do not carry out profiling under Art. 4 No. 4 GDPR, except for categorising into target groups (e.g. by topic) for direct customer approach.
Chapter III - Disclosure of Data and International Transfers
§ 8 Recipients or Categories of Recipients
(1) Within our company, only those departments that need your data to fulfil contractual and legal obligations have access. Service providers and agents may receive data if they maintain confidentiality. These include IT services, logistics, printing, telecommunications, debt collection, consulting, sales and marketing.
(2) We may disclose data outside our company only if required by law, you have consented, or disclosure is necessary under the contract. Possible recipients include:
a) Other companies we cooperate with
b) Cooperation partners
c) Public authorities and institutions (e.g. government agencies)
d) Courts
e) Adversaries and their legal representatives in disputes
(3) Other recipients may be those for whom you have given consent.
§ 9 Transfers to Third Countries
We transfer data outside the EU only if required to perform the contract, mandated by law, or with your consent. For our online events we primarily use Zoom (headquartered in the USA). The legal basis for processing is Art. 6 (1)(b) GDPR for contractual meetings, or Art. 6 (1)(f) GDPR if no contract exists. Due to the invalidation of the EU–US Privacy Shield by the CJEU, data transfer to the USA relies on Art. 49 (1)(a) GDPR (your consent). Without consent to Zoom, you cannot actively participate in online events; we may provide recordings only. Note that Zoom may be compelled by US law to disclose data to authorities without a court order, and you may not fully exercise your GDPR rights against Zoom in the USA.
Chapter IV - Data Subject Rights
§ 10 Specific Data Protection Rights
(1) You have the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR). You also have the right to object (Art. 21 GDPR).
(2) Access and erasure rights are subject to the restrictions in §§ 34, 35 BDSG.
§ 11 Right to Lodge a Complaint
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
§ 12 Withdrawal of Consent
(1) You may withdraw any consent given at any time, including consents before 25 May 2018.
(2) Withdrawal takes effect for the future; prior processing remains lawful.
Information on Your Right to Object under Art. 21 GDPR
§ 1 Case-By-Case Right to Object
(1) You have the right, for reasons arising from your particular situation, to object at any time to processing under Art. 6 (1)(e) GDPR (public interest) or Art. 6 (1)(f) GDPR (legitimate interests), including profiling under those provisions.
(2) If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing serves the assertion of legal claims.
§ 2 Right to Object to Direct Marketing
(1) We may process your data for direct marketing; you have the right to object at any time.
(2) If you object, we will no longer process your data for such purposes.
To object, please contact:
oose eG
Schomburgstraße 50
22767 Hamburg
E-Mail: info@oose.de
Tel.: 040 – 414250-0
As of: 17.02.2021