Legal Notices

Directive on Data Protection

Frerk Aggregatebau GmbH (hereinafter referred to as Frerk) undertakes to comply with data protection laws within the framework of its corporate responsibility. This Data Protection Directive applies worldwide. It is based on the basic principles of data protection and is binding on Frerk employees, contractual partners and executive bodies.

§ 1 Principles of Data Collection and Data Processing

In order to fulfill the purposes and tasks of Frerk, in compliance with the statutory provisions of the Federal Data Protection Act in Germany (BDSG, Bundesdatenschutzgesetz) and the General Data Protection Regulation (GDPR), personal data relating to the personal and factual circumstances of employees and contractual partners of Frerk are collected, are processed, archived, transmitted and changed in Frerk’s data processing.
 
(1) Legality
 
The personal rights of the data subject in the processing of personal data must be preserved. Personal data must be collected and processed in a lawful manner.
 
(2) Appropriation
 
 The processing of personal data may only pursue the purposes that were determined prior to the collection of the data. Subsequent changes of purpose are only possible to a limited extent and require a justification.
 
(3) Transparency
 
The person in question must be informed about the handling of his data. In principle, personal data must be collected directly from the person concerned. When collecting the data, the data subject must be able to identify at least the following or be informed accordingly:

a) The identity of the responsible body
 
b) The purpose of the data processing
 
c) Third parties or categories of third parties to whom the data may be transmitted.

(4) Deletion
 
 Personal data which are no longer required after the expiry of legal or business-related retention periods must be deleted. If, in individual cases, there are indications of interests worthy of protection or for the historical significance of these data, the data must remain stored until the legitimate interest has been legally clarified.
 
(5) Factual accuracy of the data currency
 
 The collected personal data must be correct, complete and – as far as necessary – up-to-date. Appropriate measures must be taken to ensure that inaccurate or outdated data that is not applicable is deleted, corrected, supplemented or updated.
 
(6) Confidentiality of data security
 
Personal data is subject to data secrecy. They must be treated confidentially in personal dealings and secured by appropriate organizational and technical measures against unauthorized access, unlawful processing or disclosure, as well as accidental loss, alteration or destruction.

§ 2 Admissibility of data processing

The collection, processing and use of personal data is only permitted if one of the following authorizations is present. Such a license is also required if the purpose for the collection, processing and use of the personal data is to be changed from the original purpose.
 
(1) Customer and Partner Data
 
 Personal data of customers or partners may be used to establish, execute or terminate a contract. This also includes the care of customers and contractors, if this is in connection with the purpose of the contract. In the run-up to a contract, the processing of personal data for the preparation of offers, the preparation of purchase contracts or for the fulfillment of other wishes to conclude a contract is allowed. Interested parties may be contacted on the basis of the information provided. 
 
From customers and partners are recorded the following data:
  • First given name
  • Surname
  • Title
  • Gender
  • Address
  • Phone number
  • E-Mail
  • Date of birth
  • Bank details as well as
  • Beginning of the contractual relationship
and stored for the purpose of contract processing in the data processing. The personal data are protected against misuse by appropriate technical and organizational measures.
 
(2) Consent to data processing
 
Data may be collected if the data subject has previously given his consent. The person concerned must first be informed about this privacy policy. The declaration of consent must always be obtained as proof in writing or electronically. By telephone contact, the consent can also be given orally. It has to be documented.
 
(3) Data processing due to legitimate interest
 
 Personal data may be processed if necessary to the extent justified by Frerk. These are e.g. legal or economic interests.
 
(4) Processing of sensitive data
 
 Personal data may be processed if necessary to the extent justified by Frerk. These are e.g. legal or economic interests.
 
(5) User data and Internet
 
If personal data are collected, processed and used on websites or in apps, data subjects must be informed with data protection nots and cookie information.
 
If the user behavior of websites and apps is evaluated (tracking), the person concerned must be informed. Personal tracking is only allowed if national law permits it or if the person concerned previously consented. If the tracking takes place under a pseudonym, the person concerned should be given the opportunity to object to the privacy policy (opt-out).

§ 3 Employee data

(1) Data processing for the employment relationship

The employment relationship may be used to process the personal data necessary to establish, perform and terminate the employment relationship. When starting an employment relationship, personal data from applicants may be processed. After refusal, the data of the applicant must be deleted, unless the applicant has consented to a storage for a later selection process.

(a) Consent to data processing

Employee data may be processed if the data subject has previously given his consent.
Data can be collected if the person concerned has previously consented. The person concerned must first be informed about this privacy policy. The declaration of consent must always be obtained as proof in writing or electronically. By telephone contact, the consent can also be given orally. It has to be documented.

(b) Data processing based on legitimate interests
 
Personal data may be processed if it is in the legitimate interest of Frerk. These are e.g. legal or economic interests.

(c) Processing of sensitive data
 
Personal data that are particularly worthy of protection may only be processed if this is required by law or if the person concerned expressly consented.

(2) Telecommunications and Internet

Telephone systems, e-mail addresses, Intranet and Internet as well as internal social networks are provided solely for operational purposes.

§ 4 Order processing

Order processing is when a contractor is commissioned to process personal data without being given responsibility for the associated business process. In these cases, an order processing contract must be concluded with the external contractors. The contractor may process personal data only in accordance with the instructions of Frerk. When placing the order, the following requirements must be met:

(1) The contractor shall be selected if he is fit to perform the tasks and ensures both the necessary technical and organizational safeguards.

(2) The order must be given in writing. The instructions for data processing and those responsible for Frerk and the contractor must be documented.

(3) Frerk must ensure that the contractor complies with the obligations prior to the start of data processing. The contractor can prove, for example by means of a certification, that he ensures data security. Depending on the risk of data processing, the contractor must be checked regularly during the contract period.

§ 5 Rights of the person concerned

Affected parties have the right:

  • in accordance with Art. 15 GDPR, to request information about their personal data processed by Frerk. In particular, they may provide information on the processing purposes, the category of personal data, the categories of recipients to whom their data have been disclosed, the planned retention period, the right of rectification, erasure, restriction of processing or opposition, the existence of a right to complain, the source of their data, if not collected by Frerk, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about their details;
  • pursuant to Art. 16 GDPR to demand immediate correction of incorrect or completed personal data stored at Frerk;
  • in accordance with Art. 17 GDPR, to request the deletion of their personal data stored at Frerk, except where the processing is for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims is required;
  • in accordance with Art. 18 GDPR to require the limitation of the processing of their personal data, as far as the accuracy of the data is disputed by them, the processing is unlawful, but they reject their deletion and Frerk no longer needs the data, but they enforce, exercise or defense of legal claims or they have objected to processing in accordance with Art. 21 GDPR;
  • pursuant to Art. 20 GDPR to obtain their personal data provided by Frerk in a structured, common and machine-readable format or to request transmission to another person responsible;
  • pursuant to Art. 7 §3 GDPR, to revoke their once given consent to Frerk at any time. As a result, Frerk will not be allowed to continue the data processing based on this consent for the future, and
  • according to Art. 77 GDPR to complain to a supervisory authority. As a rule, they can contact the supervisory authority of their usual place of residence or work place.

§ 6 Confidentiality of processing

(1) Personal data

Frerk's bodies and employees are prohibited from processing, disclosing or otherwise using personal data for purposes other than those associated with the performance of their duties. 
 
(2) This obligation also continues after termination of the employment relationship.

§ 7 Security of processing

Personal data must be protected at all times against unauthorized access, unlawful processing or disclosure as well as against loss, falsification or destruction. This applies regardless of whether the data processing is done electronically or in paper form. Before new data-processing procedures are introduced, technical and organizational measures for the protection of personal data must be defined and implemented. These measures must be based on the state of the art..

§ 8 Data Protection Supervision

Compliance with the Data Protection and Federal Data Protection Act and the General Data Protection Regulation, including any superseding or supplementing provisions, is regularly reviewed by privacy audits and other controls. As far as a data protection officer is appointed, he is responsible. Otherwise, the data controller is responsible.

§ 9 Data Privacy Incidents

Each employee should report violations of this privacy policy or other privacy policy to their respective supervisor or the privacy officer. 
 
Provided
  • personenbezogene Daten unrechtmäßig an Dritte übermittelt,
  • third parties unlawfully have access to personal data or
  • personal data were lost,
this must be reported immediately and then the existing reporting obligations must be met.

§ 10 Responsibilities and sanctions

The managing directors and department heads are responsible for the data processing in their areas of responsibility..

(1) Data Protection Officer

(a) The Data Protection Officer is appointed by the Management Board. 
 
(b) Any affected party may contact the data protection officer with suggestions, inquiries, requests for information or complaints related to privacy or data security issues. Inquiries and complaints will be treated confidentially on request.

(2) Sanctions

Violations of data protection obligations of bodies or employees may result in civil claims for damages.
For employees, even a violation of employment obligations is considered.
Violations of the obligation can be punished by a fine, a financial penalty or imprisonment.

§ 11 Definitions

  • Data are anonymous if a personal reference can be made permanently or by someone or if the personal reference could only be restored with a disproportionately large effort.
  • Particularly sensitive data are racial, ethnic, political, religious or philosophical beliefs, trade union membership or the health or sexual life of the person concerned. Due to state law, further data categories may be classified as eligible for protection or the content of the data categories may be differently filled out.
  • Affected parties, as defined in the Privacy Policy, is any natural person through whom data is processed.
  • Data protection incidents are all events in which there is a reasonable suspicion that personal data has been unlawfully played, collected, altered, copied, transmitted or used.
  • A third party is any other entity outside the person concerned and the person responsible for data processing. Third party is not the processor within the EU.
  • Consent is a voluntary, legally binding declaration of consent.
  • The processing of personal data is required if the permitted purpose or the legitimate interest can not be achieved without the respective personal data or only with disproportionately high effort.
  • Personal data is all information about a specific or identifiable natural person.
  • Processing of personal data is any process carried out with or without the aid of automated procedures for the collection, storage, organization, safekeeping, modification, retrieval, use, disclosure, transfer, dissemination or combination and reconciliation of data. This includes the deletion and locking of data and data carriers.


Status: May 2018
Cookies make it easier for us to provide you with our services. With the usage of our services you permit us to use cookies.
More information Ok Decline