DATA PROTECTION

Data protection declaration

We are very pleased about your interest in our company. Data protection is of high significance for the Management of PID – test & engineering GmbH. In principle it is possible to use the websites of PID – test & engineering GmbH without providing any personal data. In as far as someone wants to use special services provided by our company via our website, the processing of personal data could, however, be required. If the processing of personal data is required and if there is no statutory basis for such processing, we generally obtain the consent of the person concerned.

The processing of personal data, such as the name, address, e-mail address or phone number of a Person concerned is always effected in accordance with the EU General Data Protection Regulation and in compliance with the state-specific data protection provisions applying to PID – test & engineering GmbH. Through this Data protection declaration our company wishes to inform the public about the nature, extent and purpose of the collection, processing and use of personal data by us. Furthermore this Data protection declaration makes Persons concerned aware of their rights in this context.

As the Controller responsible for the processing, PID – test & engineering GmbH has implemented numerous technical and organizational measures in order to ensure protection as complete as possible of the personal data processed via this website. Nevertheless, Internet-based data transfers can in principle be subject to security risks, so that absolute protection cannot be guaranteed. For this reason each and every person concerned has the right to also submit personal data to us through alternative means, such as by phone.

  1. Definitions

The Data protection declaration of PID – test & engineering GmbH is based on the concepts that were used by the European authority for legislating directives and regulations when issuing the General Data Protection Regulation (GDPR). Our Data protection declaration should be easy to read and understand both for the general public and for our customers and business partners. In order to ensure this we wish to first explain the terms used.

We use, amongst others, the following terms in this Data protection declaration:

  1. a) Personal data

Personal data means any and all information relating to an identified or identifiable natural person (“Person concerned” in the following). A natural person is considered to be identifiable if they can be identified, directly or indirectly, in particular by means of assignment of an identifier, such as a name, to an identification number, to location data, to an online identifier, or to one or more particular factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

  1. b) Person concerned

A Person concerned is any and every identified or identifiable natural person whose personal data are processed by the Controller.

  1. c) Processing

Processing is any operation or set of operations which is performed upon personal data, whether or not by automated means, such as the collection, the recording, the organization, the arrangement, the storage, the alteration or modification, the reading out, the sampling or querying, the use, the disclosure through transfer, dissemination or any other form of provision, the comparison or the linking, the restriction, the deleting or the destruction.

  1. d) Restriction of the processing

Restriction of the processing is the marking of stored personal data with the purpose of restricting their future processing.

  1. e) Profiling

Profiling is any and every type of automatic processing of personal data that consists of using these personal data to evaluate specific personal aspects that relate to a natural person, in particular in order to analyze or predict aspects regarding work performance, financial situation, health, personal preferences, interests, reliability, behavior, location or change of location of this natural person.

  1. f) Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be assigned to a specific person concerned without the usage of additional information, in as far as this additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.

  1. g) Controller or Controller responsible for processing

The Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. If the purposes and means of this processing are specified by European Union law or the law of the Member States, the Controller or respectively the specific criteria of the Controller’s appointment can be provided for in accordance with European Union law or the law of the Member State.

  1. h) Processor

The Processor is a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the Controller,

  1. i) Recipient

The Recipient is a natural or legal person, public authority, agency or any other body to whom the data are disclosed, irrespective of whether this is a Third party or not. Public authorities who possibly receive personal data in the framework of a specific investigation mandate in accordance with European Union law or the law of the Member States are not deemed to be Recipients.

  1. j) Third party

The Third party is a natural or legal person, public authority, agency or any other body with the exception of the Person concerned, the Controller, the Processor and those persons who are authorized to process the personal data under the direct responsibility of the Controller or the Processor.

  1. k) Consent

Consent means any freely given specific and informed indication of the Person concerned’s wishes by which the Person concerned signifies their agreement to personal data relating to them being processed.

  1. Name and address of the Controller in charge of the processing

The Controller in the sense of the General Data Protection Regulation, other data protection laws applying in the Member States of the European Union and other provisions with a data protection character, is:

PID – test & engineering GmbH

Obere Länge 26

97522 Sand am Main

Germany

Phone: +49 9524 2961-0

E-mail: info@pid-gmbh.de

Website: www.pid-gmbh.de

  1. Collection of general data and information

The website of PID – test & engineering GmbH gathers a number of general data and information whenever the website is called up by a Person concerned or by an automatic system. These general data and information are saved in the log files of the server. The following can be gathered: (1) The browser types used and versions, (2) The operating system used by the accessing system. (3) The website from which accessing to our website took place (the so-called Referrer), (4) The sub-websites that are accessed on our website via an accessing system, (5) The date and time of an access to our website, (6) An Internet Protocol address (IP address), (7) The Internet service provider of the accessing system and (8) Other similar data and information that serve the prevention of danger in the case of attacks on our information technology systems.

When using these general data and information PID – test & engineering GmbH does not draw any conclusion on the Person concerned. This information is rather required to (1) Provide the contents of our Internet correctly, (2) To optimize the contents of our website as well as the advertising for it, (3) To ensure the continuous and permanent operability of our information technology systems and the technology of our website as well as (4) To provide the information required to law enforcement authorities for criminal proceedings in the case of a cyber attack. These anonymously acquired data and information are therefore evaluated by PID – test & engineering GmbH on the one hand statistically and furthermore with the aim of increasing the data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data protected by us. The anonymous data of the server log files are stored separately from all other personal data provided by a Person concerned.

  1. Routine erasure and blocking of personal data

The Controller processes and stores personal data of the Person concerned only for that period which is required to achieve the purpose of storing the data, or in as far as this was provided for by the European authority for legislating directives and regulations or by another legislature in such laws or regulations to which the Controller is subject.

If the purpose of storing the data no longer exists, or if a data retention period stipulated by the European authority for legislating directives and regulations or by another competent legislature expires, the personal data are routinely blocked or erased in accordance with the statutory regulations.

  1. Rights of the Person concerned
  2. a) Right to obtain confirmation

Every Person concerned has the right granted by the European authority for legislating directives and regulations to demand a confirmation from the Controller whether personal data concerning them are processed. If a Person concerned wants to make use of this right to confirmation, they can contact an employee of the Controller at any time.

  1. b) Right of information

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to request information, free of charge, at any time regarding the personal data related to their person from the Controller and to obtain a copy of this information. In addition, the European authority for legislating directives and regulations has given the Person concerned the right to information regarding the following facts:

The purpose of processing
The categories of personal data that are processed
The Recipients or categories of Recipients towards whom the personal data have been disclosed or will still be disclosed, in particular in the case of third states or international bodies
If possible, the planned duration for which the personal data are stored, or if this is not possible, the criteria used to specify this duration
The existence of a right to correction or erasure of the personal data pertaining to them or to restriction of the processing by the Controller or of a right of objection to this processing
The existence of a right of complaint to a supervisory body
If the personal data were not collected from the Person concerned: All available information about the origin of the data
The existence of the process of an automated individual decision finding including profiling in accordance with Article 22(1) and (4) GPDR and — at least in these cases — meaningful information about the logic involved as well as the implications and the intended consequences of such a processing for the Person concerned
In addition the Person concerned has a right to information whether personal data have been transmitted to a third state or an international body. In as far as this is the case, the Person concerned has the right to information about the appropriate guarantees in connection with the transfer.

If a Person concerned wants to make use of this right to information, they can contact an employee of the Controller at any time.

  1. c) Right of rectification

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to demand the rectification without delay of personal data pertaining to them. In addition the Person concerned has the right, under consideration of the purposes of the processing, to demand the completion of incomplete personal data — also by means of a supplemental declaration.

If a Person concerned wants to make use of this right to rectification, they can contact an employee of the Controller at any time.

  1. d) Right of erasure (right to be forgotten)

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to demand the erasure without delay of personal data pertaining to them from the Controller, in particular if one of the following reasons applies and in as far as the processing is no longer required:

The personal data were collected or processed in another manner for such purposes for which they are no longer required.
The Person concerned revokes their consent on which the processing was based in accordance with Article 6 (1)(a) GDPR or Article 9(2)(a) GDPR, and no other legal basis for the processing exists.
The Person concerned objects to the processing in accordance with Article 21(1) GDPR and there are no overriding justifying reasons for the processing, or the Person concerned objects to the processing in accordance with Article 21(2) GDPR.
The personal data were unlawfully processed.
The erase of the personal data is required to fulfill a legal obligation in accordance with European Union law or the law of the Member States to which the Controller is subject.
The personal data were collected with regard to the provision of information society services in accordance with Article 8(1) GDPR.
In as far as one of the reasons mentioned above applies and a Person concerned demands the erasure of personal data that are stored at PID – test & engineering GmbH, they can contact an employee of the Controller at any time. The employee of PID – test & engineering GmbH will arrange that the request to erasure is fulfilled without delay.

If the personal data were made public by PID – test & engineering GmbH and if our company as the Controller is obliged to erase the personal data in accordance with Article 17(1) GDPR, PID – test & engineering GmbH, under consideration of the available technology and the implementation costs, takes suitable measures, also such of a technical nature, to inform other Controllers for data processing who process the published personal data that the Person concerned has demanded from these other Controllers for data processing the erasure of all the links to these personal data or of copies or replications of these personal data, in as far as the processing is not required. The employee of PID – test & engineering GmbH will take the necessary steps on a case-by-case basis.

  1. e) Right to restriction of the processing

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to demand the restriction of the processing from the Controller, if one of the following requirements applies:

The accuracy of the personal data is contested by the Person concerned, for a period enabling the Controller to verify the accuracy of the personal data.
The processing is unlawful, but the Person concerned rejects the erasure of the data and instead demands the restriction of the usage of the personal data.
The controller no longer requires the personal data for the purpose of processing, but the Person concerned needs them for the assertion, exercise or defense of legal claims.
The Person concerned has objected to the processing in accordance with Article 21(1) GDPR and it is not yet clear whether the legitimate interests of the Controller outweigh those of the Person concerned.
In as far as one of the requirements mentioned above applies and a Person concerned demands the restriction of personal data that are stored at PID – test & engineering GmbH, they can contact an employee of the Controller at any time. The employee of PID – test & engineering GmbH will initiate the restriction of the processing.

  1. f) Right of data portability

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to receive the personal data pertaining to them which were made available by the Person concerned to the Controller in a structured, common and machine-readable format. The Person concerned furthermore has the right to transfer these data to a different Controller without impeding by the Controller to whom the personal data were made available, in as far as the processing is based on the consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on an agreement in accordance with Article 6(1)(b) GDPR and the processing is effected by the use of automated procedures, in as far as the processing is not required for the carrying out of a task that is in the public interest or is effected in the exercise of official authority which was conferred on the Controller.

In addition, the Person concerned has the right in exercising their right of data portability in accordance with Article 20(1) GDPR to effect that the personal data are transferred directly from one Controller to a different Controller, in as far as this is technically feasible and in as far as this does not affect the rights and freedoms of other persons.

In order to assert their right to data portability the Person concerned can contact an employee of PID – test & engineering GmbH at any time.

  1. g) Right to object

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to object, for reasons that result from their particular situation, at any time against the processing of personal data pertaining to them that is carried out in accordance with Article 6(1)(e) or (f) GDPR. This also applies to a profiling based on these provisions.

In the case of an objection, PID – test & engineering GmbH no longer processes the personal data, unless we can prove compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the Person concerned, or the processing serves the assertion, exercise or defense of legal claims.

If PID – test & engineering GmbH processes personal data to conduct direct marketing, the Person concerned has the right to object at any time to the processing of the personal data for the purpose of such marketing. This also applies to profiling, in as far as it is connected to such direct marketing. If the Person concerned objects toward PID – test & engineering GmbH to the processing for the purpose of direct marketing, PID – test & engineering GmbH will no longer process the personal data for this purpose.

In addition the Person concerned has the right, for reasons that result from their particular situation, to object to the processing affecting the Person concerned of personal data that is carried out at PID – test & engineering GmbH for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) GDPR, unless such processing is required to fulfill a task lying in the public interest.

In order to assert their right to object the Person concerned can contact an employee of PID – test & engineering GmbH at any time. The Person concerned is furthermore free to exercise their right to object by means of automated procedures, in which technical specifications are used, in connection with the usage of information society services, irrespective of Directive 2002/58/EC.

  1. h) Automated individual decisions including profiling

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations not to be subjected to a decision based solely on automated processing — including profiling — that has a legal effect for the Person concerned or significantly affects them in as far as the decision (1) Is not required for the conclusion or performance of a contract between the Person concerned and the Controller, or (2) Is permissible under the legal provisions of the European Union or its Member States to which the Controller is subject, and these legal provisions contain adequate measures to safeguard the rights and freedoms as well as the legitimate interests of the Person concerned, or (3) Is effected with the express consent of the Person concerned.

If the decision (1) Is required for the conclusion or performance of a contract between the Person concerned and the Controller, or (2) Is effected with the express consent of the Person concerned, PID – test & engineering GmbH takes adequate measures to safeguard the legitimate interest of the Person concerned, which encompass at least the right to attain the intervention of a person on the part of the Controller, to exposition of their own standpoint and to challenge the decision.

If the Person concerned wants to assert their rights with regard to automated decisions, they can contact an employee of the Controller at any time.

  1. i) Right to revoke a consent related to data protection

Every Person concerned affected by the processing of personal data has the right granted by the European authority for legislating directives and regulations to revoke a consent to the processing of personal data at any time.

If the Person concerned wants to assert their right to revoke a consent, they can contact an employee of the Controller at any time.

  1. Data protection regulations with regard to the usage and application of Google Analytics (with anonymization function)

The Controller has integrated the Google Analytics component (with anonymization function) on this website. Google Analytics is a Web analysis service. Web analysis is the detection, collection and evaluation of data about the behavior of visitors to websites. A Web analysis service collects, amongst others data about the fact from which website a Person concerned accessed our website (the so-called Referrer), the sub-websites of the website that were accessed and how often or how long a sub-website was viewed. A Web analysis is used mainly to optimized a website and for cost-benefit analysis of Internet advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The Controller uses the extension “_gat._anonymizeIp” for the Web analysis via Google Analytics. By using this extension the IP address of the Internet connection of the Person concerned is shortened and anonymized when the access to our websites takes place from a Member State of the European Union or from another signatory state of the Agreement on the European Economic Area.

The purpose of the Google Analytics component is the analysis of the flow of visitors to our website. Among other things, Google uses the acquired data and information to evaluate the usage of our website in order to draw up online reports for us which show the activities on our websites, and to provide further services related to the usage of our website.

Google Analytics uses a cookie on the information technology system of the Person concerned. The meaning of cookies has already been explained above. The setting of Cookies makes it possible for Google to analyze the usage of our website. Through each callup of the individual pages of this website that is run by the Controller and on which a Google Analytics component was integrated, the Internet browser on the information technology system of the Person concerned is induced by the respective Google Analytics component to transfer data to Google for the purpose of online analysis. In the context of this technical procedure Google gains knowledge of personal data, such as the IP address of the Person concerned, which are used by Google, among other things, to determine the origin of the visitors and clicks and as a result allow commission invoices.

By means of cookies personal information, such as the access time, the location from which access took place and the frequency of the visits to our website by the Person concerned, is stored. At each visit to our websites these personal data, including the IP address of the Internet connection of the Person concerned, are transferred to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data acquired through the technical procedure to third parties.

The Person concerned can prevent the setting of cookies by our website, as already indicated above, by means of a corresponding setting of the used Internet browser and thus permanently veto the setting of cookies. Such a setting of the used Internet browser would also prevent Google Analytics from setting a cookie on the information technology system of the Person concerned. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore the Person concerned has the possibility to counter the acquisition of the data about the usage of this website generated by Google Analytics as well as the processing of these data by Google and to prevent such. To this purpose the Person concerned must download a browser add-on under the link https://tools.google.com/dlpage/gaoptout and install it. This browser add-on informs Google Analytics via JavaScript that no data and information about the visits to websites may be transferred to Google Analytics. The installation of the browser add-on is evaluated by Google as an objection. If the information technology system of the Person concerned is deleted, formatted or reinstalled at a later time, the Person concerned must again carry out an installation of the browser add-on in order to deactivate Google Analytics. In as far as the browser add-on is removed or deactivated by the Person concerned or by a person within their sphere of influence, it is possible to re-install or re-activate the browser add-on.

Further information and the applicable data protection regulations of Google can be called up under the address https://policies.google.com/privacy?hl=en&gl=en and under https://www.google.com/analytics/terms/us.html. Google Analytics is explained in more detail in this link https://marketingplatform.google.com/about.

  1. Legal basis of the processing operation

Art. 6 I lit. a GDPR serves our company as the legal basis of processing procedures where we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contact of which the Person concerned is a party, as is for example the case for processing procedures that are required for the delivery of good or the provision or services or other return services, processing is based on Article 6 I lit. b GDPR. The same applies to such processing procedures that are necessary to carry out pre-contractual measures, for example in the case of queries about our products or services. If our company is subject to a statutory obligation through which processing of personal data becomes necessary, for example to fulfill tax submission obligations, the processing is based on Article Art. 6 I lit. c GDPR. In rare cases the processing of personal data can become necessary to protect the vital interests of the Person concerned or of another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, medical coverage data or other vital information subsequently had to be passed on to a doctor, a hospital, or other involved third parties. Processing would in this case be based on Article Art. 6 I lit. d GDPR. Finally, processing procedures could be based on Article Art. 6 I lit. f GDPR. This legal basis applies for processing procedures that are not covered by any of previously specified legal bases, if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Person concerned. Such processing procedures are in particular permitted because they were particularly mentioned by the European legislator. The legislator was of the opinion that a legitimate interest could be assumed if the Person concerned is a customer of the Controller (Recital 47, Sentence 2 GDPR).

  1. Legitimate interests in the processing that are pursued by the Controller or a third party

If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is the pursuance of our business activities to the benefit of the prosperity of all our employees and our shareholders.

  1. Duration for which the personal data are stored

The criterion for the duration of the storage of personal data is the respective legal retention period. After expiry of the period, the corresponding data are erased routinely, in as far as they are no longer required for contract performance or contract initiation.

  1. Statutory or contractual regulations on the provision of personal data; Necessity for the contract conclusion; Obligation of the Person concerned to provide personal data; Possible consequences of non-provision

We inform you that the provision of personal data is in part stipulated by law (such as tax regulations) or are the result of contractual regulations (such as information about the contractual party). At times it may be necessary for the conclusion of a contract that a Person concerned provides us with personal data that subsequently have to be processed by us. The Person concerned is, for example, obliged to provide personal data to us when our company concludes a contract with them. A non-provision of the personal data would have the consequence that the contract could not be concluded with the Person concerned. Before the provision of the personal data by the Person concerned, the Person concerned must contact one of our employees. Our employee provides information on the specific individual case to the Person concerned about whether the provision of the personal data is stipulated by law or by the contract, or is necessary for the contractual conclusion, whether an obligation exists to provide the personal data, and which consequences the non-provision of the personal data would have.

  1. Existence of an automated decision-making

As a responsible-minded company we do without automatic decision making or profiling.

This Data protection declaration was drawn up by the data protection declaration generator of the company DGD Deutsche Gesellschaft für Datenschutz GmbH, that acts as the external data protection officer Bamberg, in cooperation Christian Solmecke, a lawyer specialized in IT and data protection law.

PID - test & engineering GmbH · Obere Länge 26 · D-97522 Sand am Main · Tel.: +49 9524 2961-0 · E-Mail: info@pid-gmbh.de