Privacy Statement according to the General Data Protection Regulation (GDPR)
Name and Address of the Data Controller
The data controller in line with the General Data Protection Regulation and other national data protection laws of other Member States as well as any other legal data protection regulations is:
B & W Handelsgesellschaft mbH
D - 01877 Bischofswerda
Name and Address of the Data Protection Supervisor
The Data Protection Supervisor of the data controller named above is:
Rechtsanwalt Wolfgang Wentzel
Fachkraft für Verwaltung und Wirtschaft der Diakonie (IHK)
Blasewitzer Str. 41
General Information about Data Processing
Scope of Personal Data Processing
We fundamentally only collect and use the personal data of our users as is necessary to provide a functional website as well as content and services. The collection and use of the personal data of our users occurs on a regular basis but only with consent from our users. Exceptions may be made if it is not possible for practical reasons to obtain the permission and if the processing of the data is permitted by legal regulations.
Legal basis of Processing Personal Data
Provided that we obtain consent from the individual concerned (data subject) to process their personal data, Art. 6 Para.1 lit. a) of the General Data Protection Regulation (GDPR) serves as a legal basis for processing personal data.
With regard to the processing of personal data which is necessary for fulfiling a contract to which the contractual party is the data subject, Art. 6 Para.1 lit.b) of the GDPR serves as a legal basis. This is also valid for processing operations which are necessary for the execution of precontractual measures.
Provided that processing personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 Para. 1 lit. c) of the GDPR serves as a legal basis.
In the event that vital interests of the data subject or of another natural person require the processing of personal information, Art. 6 Para. 1 lit. d) of the GDPR serves as a legal basis.
If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the legitimie interests first mentioned, Art. 6 Para.1 lit. f) of the GDPR serves as a legal basis for the processing operation.
Deletion of Data and Duration of Storage
Personal data of the data subject will be deleted or suspended as soon as there is no longer a suitable purpose for its storage. Furthermore, storage can then occur if this has been stipulated by the european or national legislator in Union regulations, laws or other legislations which the responsible party is subject to. A suspension or deletion of the data can be carried out if the storage period expires through the mandatory norms mentioned, unless there is a necessity for further data storage for a conclusion of a contract or fulfilment of a contract.
Contact Form and E-mail Contact
Description and Extent of Data Processing
If there is a contact form available, it can be used for contacting us electronically. If a user decides to use this option, all information which is entered into the form will be submitted to us and saved.
Alternatively, it is also possible to contact us using the e-mail address provided. In this case, all information which is submitted to us via e-mail by the user will be saved.
In this context, no data will be forwarded to third parties. The information will exclusively be used for processing the conversation.
Legal Basis for Processing Data
Processing of data shall be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes in Art. 6 Para.1 lit.a) of the GDPR.
The legal basis for the processing of data which has been submitted in the course of sending an e-mail is Art. 6 Para.1 lit. f) of the GDPR. If the e-mail contact is targeted at concluding a contract, the additional legal basis for processing is Art. 6 Para.1 lit.b) of the GDPR.
Purposes of the Processing
We only process personal data from the input fields in order to process establishing contact. The interest in processing data is also necessary and applicable in cases where contact is established via e-mail.
The other processed personal information which is processed when the form is sent is there to prevent the contact forms from being misused and to guarantee safety in our information technology systems.
Duration of Storage
Information is deleted as soon as it is no longer necessary for achieveing the purpose of its collection. For personal data from input fields of the contact forms and those forms which have been sent via e-mail, this is then the case when the respective conversation with the user ends. The conversation is then only ended when it is clear from the circumstances that the data subject has conclusively resolved.
The additional personal data acquired in the sending process will be deleted after a period of seven days at the latest.
Opt-Out Option and Withdrawal Possibility
The data subject always has the opportunity to withdraw his or her consent for personal data to be processed. If the data subject gets in contact with us via e-mail, they can also object to their personal data being stored at any time. In such a case, the conversation cannot be continued.
The following is a description of how the revocation of consent and the objection of storage can be carried out.
All personal data which has been stored upon establishing contact will be deleted in this case.
Rights of the Data Subject
If your personal data is being processed, you are the data subject in line with GDPR and you have the following rights against the person or organisation (data controller) accountable:
Right of Access
You have the right to obtain a confirmation from the data controller as to whether or not personal data concerning yourself is being processed.
If that is the case, you have the right to obtain access to the personal data and the following information from the data controller:
(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipients to whom the personal data has been or will be disclosed
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request rectification or deletion of personal data or restriction of processing of personal data from the data controller concerning the data subject or to object to such processing;
(6) the right to file a complaint with a supervisory authority;
(7) where personal data is not collected from the data subject, any available information as to its source;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22 Para. 1 and 4 in the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data is transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
Right to Correction
You have the right to obtain the correction of inaccurate personal data concerning yourself from the data controller, who must carry out these changes without undue delay You also have the right to have incomplete personal data completed.
Right to Restriction of Processing
Under the following circumstances, you have the right to obtain a restriction on the processing of personal data concerning yourself from the data controller
(1) If you contest the accuracy of the personal data for a period, enabling the controller to verify the accuracy of the personal data;
(2) If the processing is unlawful and you oppose the deletion of the personal data and request the restriction of its use instead;
(3) The controller no longer needs the personal data for the purposes of the processing, but you still require them for the establishment, exercise or defence of legal claims, or
(4) If you have objected to processing pursuant to Art.21 Para.1 in the GDPR pending the verification whether the legitimate grounds of the data controller override your legitimate grounds.
Where processing of personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained a restriction of processing personal data persuant to the conditions mentioned above, you shall be informed by the data controller before the restriction of processing is lifted.
Right to Deletion
a) Deletion Liability
You have the right to obtain the deletion of personal data concerning yourself without undue delay from the data controller, and the controller has an obligation to erase personal data without undue delay where one of the following reasons applies:
(1) The personal data concerning yourself is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) You withdraw consent on which the processing is based according to Art. 6 Para 1 lit a) or Art. 9 Para 2 lit. a) in the GDPR, and where there is no other legal ground for the processing;
(3) You object to the processing pursuant to Art. 21Para 1 and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 Para. 2 in the GDPR;
(4) The personal data concerning yourself has been unlawfully processed
(5) The personal data concerning yourself has to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject
(6) The personal data concerning yourself has been collected in relation to the offer of information society services referred to in Art. 8 Para. 1 in the GDPR.
b) Information to Third Parties
If the controller has made the personal data public, they are obliged pursuant to Art. 17 Para. 1 in the GDPR to delete the personal data. Thereby the controller must take account of available technology and the cost of implementation in order to take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that you, as the data subject, have requested the deletion of any links to, or copies or replications of, such personal data by such controllers.
The right to deletion does not apply if the processing is necessary
(1) Exercising the right of freedom of expression and information;
(2) For compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in public interest or in the exercise of official authority vested in the controller
(3) For reasons of public interest in the area of public health in accordance with Art. 9 Para. 2 lit. h) and i) as well as Art. 9 Para. 3 in the GDPR.
(4) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Para 1 in the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) For the establishment, exercise or defence of legal claims.
Right to Information
If you have claimed the right to access, delete or restrict information by the data controller, they are obliged to inform all recipients of the personal data about the rectification or deletion of personal data or the restriction of the processing, unless this proves impossibe or would involve disproportionate efforts.
You have the right to request the responsible party to inform you about such recipients.
Right to Data Portability
You have the right to receive the personal data concerning yourself, which you have provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller to which the personal data has already been provided, where:
(1) the processing is based on consent pursuant to Art. 6 Para 1 lit. a) of the GDPR or Art. 9 Para 2 lit. a) of the GDPR or on a contract pursuant to Art. 6 Para 1 lit. b) of the GDPR and
(2) the processing is carried out by automated means.
In exercising this right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.The rights referred to here should not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing personal data necessary for the performance of a task carried out in public interest or in the exercise of official authority vested in the controller.
Right to Object
You have the right to object at any time on grounds relating to your particular situation to the processing of personal data concerning yourself based on Art. 6 Para 1. lit. e) or f) of the GDPR, including profiling based on those provisions.
The data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves for the establishment, exercise or defence of legal claims.
Where personal data concerning yourself is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning yourself shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Right to Withdraw the Declaration of Consent
You have the right to withdraw your declaration of consent at any time. The withdrawal of consent shall not affect the llegal basis of processing based on consent before its withdrawal.
Automated Individual Decision-Making, including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and a data controller;
(2) is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
Decisions referred to shall not be based on special categories of personal data referred to in Art. 9 Para 1 of the GDPR, unless Art. 9 Para (2) lit. a) or g) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Right to File a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to yourself infringes the General Data Protection Regulation.
The supervisory authority with which the complaint has been filed shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.