Information concerning data protection
I. Definitions
The Alex Sweets GmbH data protection declaration applies the terminology used by the European regulator with the issuance of the General Data Protection Regulation (GDPR). Please refer to the definition of terms in Article 4 of GDPR. GDPR can be accessed at: https://dsgvo-gesetz.de/art-4-dsgvo/
II. Name and address of the controller and of the data protection officer
For the purposes of GDPR, other applicable regulations in member states of the European Union, and other regulations pertaining to data protection, the controller is:
Alex Sweets GmbH
Avantisallee 110
52072 Aachen
Germany
Tel.: +49 (0) 2404 95504 0
Fax: +49 (0) 2404 95504 44
E-Mail: info@alex-sweets.com
Website: www.alex-sweets.com
The address of the data protection officer for Alex Sweets GmbH is:
Data protection officer
Alex Sweets GmbH
Avantisallee 110
52072 Aachen
Germany
E-Mail: datenschutzbeauftragter@alex-sweets.com
III. General information about data processing
1. Scope of processing of personal data
We generally collect and process our business partners’ personal data only insofar as this is necessary for the purposes of entering into a contract or executing our orders and contracts. Once our contractual responsibilities have been met, we process data only after consent has been given. The exception is when consent cannot be obtained in advance for practical reasons, or when legislation permits or requires that data be processed.
2. Handling of personal data
The collection, processing, or use of personal data is generally prohibited, unless a legal standard explicitly permits such data handling. According to GDPR, personal data may generally be collected, processed or used:
- when a contractual relationship already exists with the data subject
- as part of entering into or performing a contract with the data subject
- if and to the extent that the data subject has given consent
3. Legal basis for the processing of personal data
To the extent we obtain consent from the data subject for processing their personal data, the legal basis is Article 6 Paragraph 1a of GDPR.
Whenever the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is Article 6 Paragraph 1b of GDPR. This is also true for processing operations when taking steps prior to entering into a contract.
To the extent that processing is necessary for compliance with a legal obligation to which our company is subject, the legal basis is Article 6 Paragraph 1c of GDPR.
To the extent that processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party, and that the interests or fundamental rights and freedoms of the data subject do not override that aforementioned interest, the legal basis for that processing is Article 6 Paragraph 1f of GDPR.
4. Categories of affected persons and their data
To carry out business activities and fulfill all related obligations, the following data categories are present to the extent necessary:
- Customer data and contacts, as well as data provided by customers on their customers to the extent necessary for order processing and customer service
- Data from service providers, suppliers, and their contacts to the extent necessary for order processing on behalf of customers, service providers and suppliers
When using personal data and determining the amount of data to collect, the following are observed: the basic principles of informational self-determination; other data protection standards, particularly the principles of preventive prohibition, of limitation of purpose, of transparency and of obligations to inform and notify; the basic principles of data avoidance and data minimization; and the rights to rectification, blocking, erasure and objection.
Personal data is collected and processed to the extent permissible under law. Account is taken of the special conditions for collecting and processing sensitive data in accordance with Article 9 Paragraph 1 of GDPR. Only such information may generally be processed and used as is necessary for performing operational tasks and is related directly to the purposes of the processing.
In the event that other parties request information concerning data subjects, this will be passed on without the data subject’s consent only when there is either a legal obligation to do so or the company has a justificatory, legitimate interest in passing the information on and the identity of the requesting party is beyond doubt.
5. Recipients of personal data
A recipient of personal data is any person or third party who receives data, e.g. contractual partners, customers, authorities, insurance companies, personnel, order data processors (e.g. order processing).
Above all, we will not sell your personal data to third parties nor market it in any other way.
6. Data transfer to third countries
Data is transferred to third countries exclusively to fulfill order processing. Data transfer to a third country that does not have an appropriate level of data protection is permitted for the purposes of fulfilling a contract between the data subjects and the unit responsible for processing, provided the data transfer is necessary for the performance of the contract.
7. External service providers / order processing / maintenance
To the extent necessary, agreements with external service providers are in place in accordance with Article 28 of GDPR or with the EU standard contractual clauses.
8. IT Security concept
In recognition of the fundamental importance of information security, and besides the raft of technical and organizational measures already taken, Alex Sweets GmbH has also put relevant guidelines in place.
9. Erasure of data and duration of storage
A data subject’s personal data is erased or blocked as soon as there is no longer a reason to store it. In addition, data may be stored if European or national legislators have provided for this in Union regulations, laws or other legislation to which the controller is subject. Data will also be blocked or erased once a storage period specified in the aforementioned legislation ends unless there is a need to continue to store the data in order to enter into or perform a contract.
IV. Rights of the data subject
If your personal data is processed, you are a data subject for the purposes of GDPR and you have the following rights with regard to the controller:
1. Right of access
You can obtain from the controller confirmation as to whether or not we are processing personal data concerning you.
Where that is the case, you can obtain access to information from the controller about the following:
- the purposes of the processing of the personal data
- the categories of personal data being processed
- the recipients or categories of recipient to whom the personal data concerning you have been or will be disclosed
- the envisaged period for which the personal data concerning you will be stored or, if it is not possible to provide specific information, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data concerning you and of the right to request restriction of processing of personal data concerning you or to object to such processing
- the right to lodge a complaint with a supervisory authority
- any available information as to the source of the data, where the personal data is not collected from the data subject
- the existence of automated decision-making, including profiling, referred to in Article 22 Paragraphs 1 and 4 of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
You have the right to know whether personal data concerning you is transferred to a third country or to an international organization. In this context you can obtain information on the appropriate safeguards in accordance with Article 46 relating to the transfer.
2. Right to rectification
To the extent that personal data concerning you is incorrect or incomplete, you have the right to obtain rectification or completion of the data from the controller. The controller must rectify the data without undue delay.
3. Right to restriction of processing
Where the following conditions apply you can obtain restriction of processing of personal data concerning you from the controller:
- you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defense of legal claims;
- you have objected to processing in accordance with Article 21 Paragraph 1 of GDPR pending verification whether the legitimate grounds of the controller override yours.
Where processing of personal data concerning you has been restricted, this data may, with the exception of storage, be processed only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a member state.
If data processing was restricted in line with the abovementioned conditions, you will be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a. Duty to erase
You can demand that the controller erases personal data concerning you without undue delay and the controller is obligated to erase this data without undue delay where one of the following grounds applies:
- the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- you withdraw your consent on which the processing is based in accordance with Article 6 Paragraph 1a or Article 9 Paragraph 2a of GDPR and there is no other legal ground for the processing;
- you object to the processing in accordance with Article 21 Paragraph 1 of GDPR and there are no overriding legitimate grounds for the processing or you object to the processing in accordance with Article 21 Paragraph 2 of GDPR;
- the personal data concerning you has been unlawfully processed;
- the personal data concerning you has to be erased for compliance with a legal obligation in Union or member state law to which the controller is subject;
- the personal data concerning you was collected in relation to the offer of information society services referred to in Article 8 Paragraph 1 of GDPR
b. Informing third parties
Where the controller has made the personal data concerning you public and is obligated in accordance with Article 17 Paragraph 1 of GDPR to erase that data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers processing the personal data that as the data subject you have requested the erasure by such controller of any links to or copy or replication of that personal data.
c. Exceptions
There is no right to erasure to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation that requires processing by Union or member state law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9 Paragraph 2h and 2i as well as Article 9 Paragraph 3 of GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 Paragraph 1 of GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defense of legal claims
5. Right to be informed
If you have exercised your right to rectification, erasure or restriction of processing with regard to the controller, he is obligated to communicate any rectification or erasure of personal data concerning you or restriction of its processing to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request information about the recipients from the controller.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided where:
- the processing is based on consent in accordance with Article 6 Paragraph 1a of GDPR or Article 9 Paragraph 2a of GDPR or on a contract in accordance with Article 6 Paragraph 1b of GDPR;
- the processing is carried out by automated means
In exercising this right you also have the right to have the personal data concerning you transmitted directly from one controller to another where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Article 6 Paragraph 1e or 1f of GDPR, including profiling based on those provisions. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is for the establishment, exercise or defense of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you can exercise your right to object by automated means using technical specifications.
8. Right to withdraw data protection declaration of consent
You have the right to withdraw your data protection declaration of consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into or performance of a contract between you and the controller
- is authorized by Union or member state law to which the controller is subject and that also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests
- or is based on your explicit consent
However, these decisions may not be based on special categories of personal data referred to in Article 9 Paragraph 1 of GDPR unless Article 9 Paragraph 2a or 2g GDPR applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.
In relation to the cases referred to in points (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Article 78 of GDPR.