Data Processing Principles of FELIX KOCH OFFENBACH

You have come to this page via a link because you want to inform yourself about how we treat (your) personal data. We at FELIX KOCH take the protection of your personal data very seriously. We apply the best possible care to all of your data and strictly adhere to the statutory requirements of the European General Data Protection Regulation (EU-GDPR) as well as to the Federal Data Protection Act (BDSG) of 25 May 2018.

To meet our information duty according to section 13 (collection of personal data from the person concerned), section 14 (if the personal data were not gathered from the person concerned) and section 21 (right of revocation) we would like to present our data protection information in the following.

Parties responsible for the processing of data

The authorized officer within the meaning of GDPR, other data protection acts applicable in the member states of the European Union and other data protection provisions of legal quality is:

FELIX KOCH OFFENBACH Couleur und Karamel GmbH
Business management
Lindenstrasse 70

63071 Offenbach am Main

Telephone: 069-98 54 20 0
E-mail: office@koch-felix.de

You will find further information on our company, details on the persons entitled to represent the company and additional ways to get in contact with us in the legal notices of our website under
https://www.koch-felix.com.

Your trust is fundamental for our business relationship. Therefore, we are at your service at any time to give you information on the processing of your personal data. If you have any questions left unanswered by this privacy statement, or if you wish to receive more detailed information on a certain issue, please address our Data Protection Officer.

Contact details of our Data Protection Officer

Data Protection Officer
c/o FELIX KOCH OFFENBACH Couleur und Karamel GmbH
Lindenstrasse 70

63071 Offenbach am Main

E-mail: dsb@koch-felix.de

The data categories we process about yo

If you are our customer or business partner, we process the following data categories:

• master and process data required to perform and deliver our services (e. g. name and address, e-mail address, telephone number, contact history, deadlines, contract data)
• correspondence (e.g. mail or e-mail exchange with you)
• promotional and sales information (e. g. about how you benefit from cooperating with us)
• payment information (e. g. bank coordinates, payment history).

If you are a potential customer or partner, we process the following data categories:

• master data required for the presentation of our portfolio (e.g. name and address, e-mail address, telephone number)
• correspondence (e.g. mail or e-mail exchange with you)
• promotional and sales information (e. g. about how you benefit from cooperating with us).

If you are one of our suppliers or service providers or our supplier’s or service provider’s contact partner, we process the following data categories:

• personal master data (e.g. name and address, e-mail address, telephone number)
• contract data (e.g. services used, contractual contents, agreed communication, names of contact persons)
• correspondence (e.g. mail or e-mail exchange with you)
• payment information (e. g. bank coordinates, payment history).

The purposes, legal bases and duration of processing your personal data

We collect and process your personal data for the purposes set forth in the following:

Winning customers and partners / Meeting contractual obligations with customers and partners

We collect and process personal data to win customers and partners as well as for meeting contractual obligations with our customers and partners. Here, data processing is based on Article 6 paragraph 1 lit. b GDPR allowing data processing (including transfer) for the performance of contractual or pre-contractual services.

Your personal data will only be stored as long as it is required to have knowledge of it for the purposes of the contractual relationship or for the purposes it has been collected for, or if statutory or contractual regulations exist requiring its storage. Statutory storage periods may also result from social legislation and tax law regulations and extend to a period of up to ten years for records and statements relevant under tax law.

Advertising by letter post

For advertising by letter post such as sending brochures, catalogues and similar material we may use addresses of interested persons, established customers and partners; this processing is based on Article 6 paragraph 1 lit. f GDPR. Here, our legitimate interest lies in personal direct advertising. You have the right to object to the use of your data for the purposes of direct advertising at any time.

Newsletter

If you subscribe to our newsletter we need your e-mail address. Additional data will not be collected or may be given voluntarily. The information will only be used for the distribution of the newsletter. We will not pass this information on without your consent.

Therefore, only when you will have given your consent we will process the data entered in the registration form (Article 6 paragraph 1 lit. a GDPR). You may revoke your consent at any time. All you need to do is send an informal e-mail to us, or click on the “unsubscribe” link in the newsletter. The revocation shall not affect the legitimacy of data processing up to the time of your revocation.

 

The details entered in the subscription form remain with us until you request their erasure, revoke your consent to their retention, or the purpose for keeping the data has ceased to exist (e.g. when the distribution of the newsletter will be stopped). Mandatory legal provisions – in particular retention times – remain unaffected.

Getting in touch

When you get in touch with us (e. g. by e-mail, business card, business correspondence, contact form on our website, telephone, or via social media) the information collected or provided will be processed to handle your enquiry and for follow-up issues according to Article 6 paragraph 1 lit. b GDPR. Your details may be stored in a customer relationship management system (“CRM system”) or in a comparable system used for managing enquiries.

We will delete any enquiries made by interested persons when they are not needed any more. Enquiries made by customers and partners will be stored for documentary purposes in your customer or partner profile as long as this information is needed for the purposes of the contractual relationship, or statutory or contractual regulations exist requiring their storage. As a matter of principle, we will check the data with regard to the requirement of further processing towards the end of each calendar year. Furthermore, the statutory obligations for keeping records shall apply.

If you are our supplier, service provider, organiser or otherwise our business partner or if you are our contact partner at a supplier, service provider, organiser or other business partner we will keep your information on the grounds of our commercial interest, e. g. with a view to get in touch with you at a later time. We will principally keep this predominantly company-related data permanently.

E-mails

All e-mails that we will send to you (e. g. confirmations, bills, queries) can include your address data, telephone number(s), and company information. They will not include any of your payment information such as credit card numbers or bank account details.

Performances under a contract with suppliers, service providers, organisers, or other business partners

We process the data of our suppliers, service providers, organisers or other business partners in accordance with Article 6 paragraph 1 lit. b GDPR in order to provide our contractual or pre-contractual services to them. The data processed in this context, the type, scope and purpose and the necessity to process it is governed by the relevant contractual relationship.

The data will be deleted when it will no longer be needed for meeting contractual or statutory diligence duties as well as dealing with possible warranty and comparable obligations. The necessity of data retention is reviewed every three years. In all other respects, statutory retention obligations shall apply which result among other things from social legislation and tax law regulations and extend to a period of ten years for records and statements relevant under tax law.

Applicant data

We collect and process data of applicants for employment for the purpose of carrying out recruitment procedures insofar as this is required for the decision-making on establishing an employment with us. Here, the legal basis is Article 88 GDPR in connection with section 26 paragraph 1 in connection with paragraph 8 sentence 2 German Federal Data Protection Act (BDSG).

When it comes to an employment we can continue to process the candidates’ personal data which we have already received in accordance with section 26 paragraph 1 BDSG for employment-related purposes.

We will keep the data of rejected applicants for up to 6 months after receipt of the rejection in text form following Article 6 paragraph 1 lit. f GDPR to defend possible legal claims raised under the recruitment procedure. Here, our legitimate interest is to satisfy a potential burden of proof in a proceeding under the German General Equal Treatment Act (AGG). Any data retention going beyond these purposes requires the explicit consent of the candidate.

Protection of vital interests

In rare cases the processing of your data could become necessary to protect interests which are essential for your life or for the life of another natural person.  This would typically be the case if you were injured while visiting us, and your name, age, health insurance information or other vital information would have to be given to a physician, hospital or other third party. The processing would then be based on Article 6 paragraph 1 lit. d GDPR.

Other purposes

If necessary, we process your data beyond the actual performance of the contract or preliminary contract, if this is necessary to protect legitimate interests pursued by us or third parties. In this case the processing follows Article 6 paragraph 1 lit. f GDPR. Our legitimate interests or the legitimate interests of third parties are of commercial nature (efficient fulfilment of tasks, sales, avoidance of legal risks) such as

• supporting our sales structures in providing advice and service;
• further development of services and add-on products;
• preventing and resolving of criminal offences unless to fulfil legal requirements exclusively;
• asserting legal claims and defending disputes which are not directly attributable to the contractual relationship;
• restricted retention of data if erasure is not possible given the special type of retention or if a disproportionately high effort is required;
• maintaining and continuance of certifications under private law and of official nature;
• warranting of IT security and operational availability.

To the extent permitted by the specific purpose we process your data in pseudonymised or anonymised form.

In addition, we are subject to different statutory obligations and legal requirements (e. g. Civil Code (BGB), Commercial Code (HGB), generally accepted accounting principles (GoB), tax laws of the Federal Republic of Germany). The purposes of processing include fraud prevention, compliance with the monitoring and reporting obligations under tax law as well as risk evaluation and control. Furthermore, the disclosure of personal data may become necessary in connection with authoritative/judicial measures for the purposes of evidence taking, public prosecution or enforcement of civil claims. In these matters the processing follows Article 6 paragraph 1 lit. c GDPR.

The sources we get your personal data from

We exclusively process data which is freely available (e. g. on the Internet) or which we receive while doing business with you. We receive this data directly from you or from another person involved in issuing an order.

The recipients to whom your data is disclosed

In our company only those employees who are responsible for processing personal data relevant to the respective task or who need such data to fulfil our contractual and statutory obligations or to safeguard our interests are granted access to this data.

Apart from that we make use of service and supplier companies in the context of data processing (e. g. for IT maintenance) to fulfil our contractual and statutory obligations.

In addition, we can transfer your personal data to other recipients outside the company insofar as this is required to fulfil our contractual and statutory obligations (e. g. authorities or tax consultant).

Data transfer to a third party

Your personal data will only be disclosed to a third party if this is necessary to perform the contract entered into with you. Here, the transfer is based on Article 6 paragraph 1 lit. b GDPR allowing data processing for the performance of a contract or pre-contractual measures.

The transfer of your data to a third country without appropriate safeguards is based on Article 49 paragraph 1 lit. b GDPR which allows the transfer for the performance of a contract.

Any other transfer of data will only be made if you explicitly consented to the transfer or if we are statutorily or officially obliged to do so.

Your data will not be transferred to third parties for advertising purposes.

Your obligation to provide your data

In connection with our business relationship you need to provide only the personal data which is necessary to establish, perform and terminate the business or which we are legally obliged to collect. Without this data we will usually have to decline to enter into contract with you, or to perform the order, or cannot continue to fulfil a contract in place and, in that case, have to terminate it.

Automated decision-making and profiling

There is no automated decision-making, and we will not create any profile from your personal data.

Your rights regarding the processing of your personal data

Revocation of your consent to data processing

Many data processing jobs can only be performed with your explicit consent. You may revoke your consent at any time. All you need to do is send an informal e-mail to our Data Protection Officer. The revocation shall not affect the legitimacy of data processing up to the time of your revocation.

Communication of your data

You have the right to receive information about your personal data processed by us as well as to demand a copy of this data. Elements of this information are: purposes of processing, data categories, its recipients or categories of recipients as well as, if possible, the intended data retention period or criteria for the determination of this period. If we receive a request to disclose information which is not made in written form, we kindly ask for your understanding that we may then request from you to prove that you are the person who you claim to be.

Rectification, erasure, restriction

In addition, you are entitled to request rectification if the data is incorrect or erasure if its retention is prohibited. If, for various reasons, the erasure of data is not possible you have the right to request that the processing of your data is restricted or blocked.

Right to object

Insofar as the processing of data follows Article 6 paragraph 1 lit. f GDPR (balancing of interests) you have the right pursuant to Article 21 paragraphs 1 and 2 GDPR to lodge an objection against the processing of this data at any time. We will then refrain from processing this personal data unless we can demonstrate compelling legitimate grounds which override your legitimate interests. Or, if the processing is required to assert, exercise or defend legal claims.

Right to data portability

You have the right to have data, that we process automatically with your consent or in the fulfilment of a contract, transferred to you or a third party in a common, machine-readable form. If you wish to have the data transferred directly to another controller, we will only do so if this is technically feasible.

To exercise your rights please contact our Data Protection Officer who is bound to secrecy regarding your request insofar as the processing of your data is concerned.

Right to lodge a complaint with the competent supervisory authority

Without prejudice to any other administrative or judicial remedy, you, as the affected person, have the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR if you are of the opinion that the processing of personal data pertaining to you violates any GDPR.

The competent supervisory authority in data protection matters is the state data protection commissioner of Hessen who will inform you about the progress and outcome of the complaint including the possibility to seek judicial remedy pursuant to Article 78 GDPR.

Our social media appearances

Data processing through social networks

We maintain publicly available profiles in social networks. The individual social networks we use can be found below.

Social networks such as Facebook, Twitter etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g. like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, the operators of the social media portals can create user profiles in which their preferences and interests are stored. This way you can see interest-based advertising inside and outside of your social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.

Please also note that we cannot retrace all processing operations on the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policy of the respective social media portals.

Legal basis

Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1) (a) GDPR).

Responsibility and assertion of rights

If you visit one of our social media sites (e.g., Instagram), we, together with the operator of the social media platform, are responsible for the data processing operations triggered during this visit. You can in principle protect your rights (information, correction, deletion, limitation of processing, data portability and complaint) vis-à-vis us as well as vis-à-vis the operator of the respective social media portal (e.g. Facebook).

Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.

Storage time

The data collected directly from us via the social media presence will be deleted from our systems as soon as the purpose for their storage lapses, you ask us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses. Stored cookies remain on your device until you delete them. Mandatory statutory provisions – in particular, retention periods – remain unaffected.

We have no control over the storage duration of your data that are stored by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g. in their privacy policy, see below).

Individual social networks

Instagram

We have a profile on Instagram. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381.

For details on how they handle your personal information, see the Instagram Privacy Policy:

https://help.instagram.com/519522125107875.

LinkedIn

We have a LinkedIn profile. The provider is the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you want to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal information, please refer to LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

Timeliness and alteration of this information

This privacy statement shall apply as of December 2020.