Data protection statement for customers and other data subjects
We wish to inform you about the processing of your personal data and give you an overview of your rights under the European General Data Protection Regulation (GDPR). Please note that some information detailed below may not apply in your case. How your data is processed and used will depend in large part on the selected services.
I. Who is responsible for data processing and who is the data protection officer?
Data controller name and contact details:
Appointed data protection officer:
Hanauer Landstraße 151-153
60314 Frankfurt am Main
Tel.: +49 699 043 7965
II. Which personal information is used and how is it collected?
We process the following customer data:
- Personal data (name, address and other contact details, date and place of birth, nationality),
- E-mail address,
- Advertising and sales data (incl. advertising scores),
- Documentation data (e.g. consultation transcript),
- Other data similar to the above categories.
We generally receive the aforementioned data directly from you, as our customer, within the scope of our business relationship. In addition, we process – when necessary for the provision of our services – personal data which we obtain from publicly available sources (e.g. land registers, commercial and association registries, press, Internet) or which are transmitted to us by other companies in the group or by other third parties.
III. Why do we process your data (i.e. purpose of processing) and on what legal basis?
We process personal data in accordance with the requirements of the European General Data Protection Regulation (GDPR) and the revised German Federal Data Protection Act from 25 May 2018 (BDSG 2018).
1. Fulfilment of contractual obligations (Article 6(1)(b) GDPR)
The processing of your data takes place for the rendering of our services as a full-service agency for the performance of customer contracts or for the fulfilment of pre-contractual requests.
2. Consent (Article 6(1)(a) GDPR)
If you have given us permission to process personal data for one or more specific purposes, the lawfulness of processing is grounded in your consent. You may withdraw your consent at any time. This also applies if you consented to data processing before the GDPR came into effect, i.e. before 25 May 2018. Please note that your consent can only be withdrawn with immediate and future effect; the lawfulness of past data processing remains unaffected by this action.
3. Balancing of interests (Article 6(1)(f) GDPR)
In certain cases, we may process your data beyond the actual performance of the contract in order to protect our legitimate interests or those of third parties. Such cases may include:
- Reviewing and optimising our needs analysis methods for direct marketing,
- Advertising or market and opinion research (provided that consent has been granted),
- Enforcing legal claims or presenting a defence in legal disputes,
- Developing measures needed for business management and optimising services and products.
4. Legal requirements (Article 6(1)(c) GDPR) or the public interest (Article 6(1)(e) GDPR)
As a company, we also have statutory obligations; in other words, we are subject to legal requirements.
IV. Data access: who can access my data?
Within our company, your data will be provided to the departments that need it to fulfil our contractual and legal obligations. Our service providers and subcontractors may also receive your data for the same purposes. This includes providers of IT services, logistics, printing services, proofreading/translation services, and subcontractors/freelancers.
We will only pass on your data to third parties if said transfer satisfies relevant legal provisions, if you have provided your consent, or if we identify a legitimate need.
Recipients of your personal data may include:
- Companies to which we transfer personal data in order to fulfil our contractual relationship with you,
- Service providers with whom we collaborate for the performance of tasks.
Other data recipients may be those entities for which you have consented to the transmission of your data or for which you have released us from the obligation of confidentiality or to which we are authorised to transmit personal data based on a legitimate interest assessment.
V. Data transfer to a third country or to an international organisation
A data transfer to locations in countries outside the European Union (so-called third countries) will occur to the extent that
- It is necessary to perform our contracts with you,
- It is required by law (e.g. reporting obligations under tax law) or
- You have given us your consent.
There are also provisions for data transfer to entities in third countries in the following cases:
- Where necessary in individual cases, your personal data may be transferred to an IT service provider in the USA or to another third country in order to maintain the company’s IT operations in compliance with European data protection standards.
- With the consent of the data subject or based on legal regulations to combat money laundering, terrorism financing and other criminal activities, and/or given a legitimate need, personal data (e.g. authentication data) may be transferred in individual cases in compliance with EU data protection laws.
VI. How long will my data be stored?
We process and store your personal data for the duration of our contractual and legal obligations.
If the data are no longer required to fulfil our contractual or legal obligations, they are routinely deleted, unless further processing – within a restricted time frame – is necessary for the following purposes:
- Recordkeeping obligations outlined in business and tax codes, for example, the German Commercial Code (HGB) or German Tax Code (AO). Mandatory retention requirements generally range from two to ten years.
- Preservation of evidence as per the legal statute of limitations. According to Sections 195 and following of the German Civil Code (BGB), these statutes of limitations may extend up to 30 years, whereby the regular statute of limitations is three years.
VII. What are my data protection rights?
As a data subject you have the following rights:
- Right to access (“right to be informed”) under Article 15 GDPR,
- Right to rectification under Article 16 GDPR,
- Right to erasure (“right to be forgotten”) under Article 17 GDPR,
- Right to restriction of processing under Article 18 GDPR,
- Right to data portability under Article 20 GDPR.
- Right to object under Article 21 GDPR,
Some restrictions apply to the right to access and the right to erasure in accordance with Sections 34 and 35 of the BDSG 2018.
Data subjects also have the right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG 2018).
You may withdraw your consent for the processing of personal data at any time. This also applies to consent granted prior to the GDPR, i.e. before 25 May 2018. Please note that consent can only be withdrawn with immediate and future effect; the lawfulness of past data processing will remain unaffected by this action.
VIII. Is there an obligation to provide data?
In the context of our business relationship, you are obligated to supply person-related data that is required to establish, conduct and terminate such a relationship and to fulfil the associated contractual obligations, or to supply data which we are legally bound to collect. Please be aware that we will generally not be able to enter into a contractual relationship with you without the provision of such data.
IX. Do we use automated decision-making?
We generally do not use automated processing when making the decision to enter into or perform a contract (Art. 22 GDPR). Should we employ such procedures in individual cases, we will inform you of this decision and of your rights in this regard, to the extent required by law.
X. Do we use profiling?
We do not use automated profiling within the context of our business relationships.
XI. Information about your rights to object pursuant to Article 21 GDPR
1. Right to object on a case-by-case basis
You have the right, for reasons arising from your individual circumstances, to object at any time to the processing of your personal data carried out in accordance with Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing based on legitimate interests); this also applies to profiling as defined in Article 4(4) GDPR.
If you file an objection, we will no longer process your personal data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or unless the processing serves the enforcement, exercise or defence of legal claims.
2. Right to object to data processing for direct marketing purposes
In individual cases we may process your personal data for direct marketing purposes. You have the right at any time to object to the processing of your personal data for the purpose of such advertising; this also applies to profiling when connected with direct advertising. Once the objection has been raised, no further data processing will take place for direct marketing purposes.
3. Contact details for filing an objection
You may send your written objection to the following address. No formal requirements apply; a simple letter will suffice.
Panama Werbeagentur GmbH