Data privacy information for the CRM system in accordance with Art. 13 GDPR
Preface
This information is intended to provide you with an overview of how we process your personal data, and of your rights under data privacy law.
Who is responsible for data processing, and who do I call if I have questions or concerns?
The controller, who is responsible for your personal data under data privacy law, is always the respective DEKRA group company that makes the decision, either alone or with other companies, regarding the purposes and means of processing your personal data. Generally, this is the DEKRA group company or companies that has performed, is performing, will perform, or should perform services for you or your employer.
Therefore, the responsible group parent company is:
DEKRA SE,
headquartered in Stuttgart,
entered into the commercial register of the District court of Stuttgart under HRB 734316,
Handwerkstr. 15, 70565 Stuttgart
headquartered in Stuttgart,
entered into the commercial register of the District court of Stuttgart under HRB 734316,
Handwerkstr. 15, 70565 Stuttgart
What sources and data do we use?
We process personal data that we receive from our customers or other data subjects in the context of our business relationship. In some cases, we process personal data that you have provided to us via a business card or another medium for the purposes of getting in contact with you. In addition, we process personal data that we obtain from publicly accessible sources (such as industry directories, contact information on websites or professional networks) in a permitted manner, or that is transmitted to us from other DEKRA group companies or other third parties who are authorized to do so.
Relevant personal data could include: Personal details (such as a salutation, first name, last name), company contact information (such as an e-mail address, mailing address, telephone number), information on your employment relationship (such as your employer, department/area, position in the company). Furthermore, this could also include advertising and sales data (including ad scores), documentation data (such as meeting notes) and other data comparable with the categories indicated.
For what purpose do we process your data (purpose of data processing), and on what legal basis do we do so?
We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and all other applicable laws.
Regardless of this, there may always be contexts in which we process personal data from you that is not listed here. In these cases, you will receive separate data protection information relevant to the individual context, if this is required by law.
A. Inclusion in a Customer Relationship Management System (CRM)
We process your personal data for the purpose of inclusion in our customer relationship management system (CRM).
This data includes, primarily, personal details, company address data, company communication data, and information about your employment relationship and position in your company.
As the first step, the data is collected and recorded in our CRM based on our legitimate interest. During ongoing communication, and beginning with the welcome journey, you can provide us with declarations of consent for different optional kinds of processing, which are also stored in our CRM Tool.
Our legitimate interest in this case is that we want to remain in contact with you and communicate with you as a customer or the contact person for a customer for the purpose of initiating a contract or carrying out contracts. The purpose of this is to ensure services are performed smoothly and for customer service.
Legal basis
Art. 6 para. 1 lit. b and f GDPR
B. Sending the newsletter and/or direct advertisement in the form of e-mails
We process your personal data for the purpose of providing personalized (you can indicate your interests in our Preference Center) information on services and offers from our portfolio via newsletter, and/or direct advertisement via e-mail.
This primarily includes personal details, information on your selected topics and company communication data.
If you have granted us your consent for data processing, you can revoke this consent at any time with future effect. If you do revoke this consent, you will not receive any further marketing information from us via e-mail.
Legal basis
Art. 6 para. 1 lit. a GDPR.
C. Analysis of user behavior upon receipt of the newsletter
We can analyze your interactions with our newsletter and associate these with you personally for the purposes of market research (analysis of opening and reading behavior of the newsletter recipient).
This primarily includes personal details, information on your user behavior when you receive our newsletter, and company communication data.
If you have granted us your consent for data processing, you can revoke this consent at any time with future effect. If you revoke your consent, we will no longer record and analyze your user behavior when receiving our newsletter.
Legal basis
Art. 6 para. 1 lit. a GDPR.
D. Customer satisfaction surveys
We process your personal data with your consent in the framework of surveys on customer satisfaction, for the purpose of improving our products and services. Participation in the survey is voluntary.
This primarily includes personal details, your answers to the customer satisfaction surveys, and company communication data.
In the case of personalised customer satisfaction surveys, the data collected is merged with your personal data in our customer database to create a profile. You can terminate the profiling in connection with the use of your data for the customer satisfaction survey and its use for marketing purposes at any time for the future by withdrawing your consent.
If you have granted us your consent for data processing, you can revoke this consent at any time with future effect. If you revoke your consent, we will no longer send you further requests to take part in customer satisfaction surveys.
Legal basis
Art. 6 para. 1 lit. a GDPR.
Who will receive my data?
Within the DEKRA Group, the entities who require your data to fulfill our contractual and statutory obligations will receive it. Within the DEKRA Group, this includes both a computing center operated by the central headquarters of DEKRA SE (Stuttgart), as well as numerous locally and regionally operated computing centers in which the respective controllers of DEKRA group companies process your data.
Our service providers and agents can also receive data for this purpose, if they comply in particular with confidentiality and data protection law requirements. These are companies in the categories of IT services, telecommunication, consulting, and sales and marketing.
With respect to transmitting data to recipients outside of the DEKRA Group, we only disclose information about our customers if statutory regulations require us to do so, if the customer has consented to this, or if this is necessary to initiate, carry out, or end a contractual relationship with them, or if the DEKRA group has a legitimate interest in doing so. Under these requirements, the recipients of personal data could include, for instance:
- public entities and institutions (such as tax authorities, criminal prosecutors), if there is a statutory or official obligation (such as statutory disclosure obligations),
- other companies within the DEKRA group for risk controlling due to a statutory or official obligation,
- service providers whose services we make use of under a contract processing relationship.
Primarily, processing is carried out through our CRM by our service provider Salesforce Germany GmbH, Erika-Mann-Str. 31, 80636 Munich (Salesforce). We have concluded a contract processing agreement with Salesforce. Data can also be transmitted to Salesforce servers in the USA in the course of processing. Salesforce has enacted Binding Corporate Rules (BCR, binding internal data protection regulations) in order to facilitate the transmission of personal data out of the EU and the EEA to Salesforce locations outside of the EU And EEA. You can review the Binding Corporate Rules of Salesforce at https://compliance​.salesforce​.com/en/salesforce-bcrsor request them via an e-mail to info-de@​salesforce​.com (no formal requirements apply). You can obtain further information on how Salesforce processes the data at: https://www​.salesforce​.com/company/privacy/full_privacy/
Further data recipients could include the entities for whom you have granted us your consent to process your data, or to whom we are entitled to transmit the personal data based on a balancing of interests.
Is data transmitted to a third country or an international organization?
Data is transmitted to entities in countries outside of the European Union (called third countries):
- If necessary in an individual case, your personal data may be transmitted to an IT service provider in the USA or another third country in order to ensure the IT operations of the DEKRA group in compliance with the European level of data protection.
- Personal data from prospective buyers of DEKRA products can also be processed in a CRM system in the USA, with their consent.
With the consent of the data subject or under statutory regulations to fight money laundering, the financing of terrorism, and other criminal activities, as well as in the framework of a balancing of interests, in individual cases personal data (such as legitimation details) is transmitted in compliance with the level of data protection in the European Union.
How long will my data be stored?
We process your personal data for as long as necessary to fulfill our contractual and statutory obligations, or for as long as we can justify a legitimate interest in processing. If you have granted us your consent, we will process your data at most until you revoke your consent.
Once we can no longer justify a right to distribute your personal data, it will regularly be deleted unless continuing to process the data is necessary for a limited term and for one of the following specific purposes:
To fulfill commercial and tax law retention obligations, which for instance result from the: German Commercial Code (HGB) or Tax Code (AO). The deadlines for retention and documentation specified there are generally 6 to 10 years.
To obtain evidence in accordance with statutory regulations on limitation periods. In accordance with Sections 195 et seqq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, although the regular limitation period is 3 years.
What data protection rights do I have?
You have the following rights as a data subject, if you fulfill the requirements for these rights:
- Right of access by the data subject to the data we process in accordance with Art. 15 GDPR,
- Right to rectification of incorrect data in accordance with Art. 16 GDPR,
- Right to erasure of the data we have stored in accordance with Art. 17 GDPR,
- Right to restriction processing of the data we have stored in accordance with Art. 18 GDPR,
- Right to data portability in accordance with Art. 20 GDPR,
- Right to object in accordance with Art. 21 GDPR,
- If you have granted us your consent for data processing, you can revoke this consent at any time with future effect according to Art. 7 para. 3 GDPR,
- Right to lodge a complaint with a supervising authority in accordance with Art. 77 GDPR, if you believe that the processing of your personal data violates the regulations of the GDPR.
Am I obligated to provide data?
In the course of our business relationship, you must provide the personal data that is necessary to begin, carry out, and end a business relationship and to fulfill the associated contractual obligations, or the data that we are required by law to collect. Without this data, we may not be able to conclude a contract with you or your employer, or to carry out and end such a contract.
To what extent is automated decision-making or profiling used?
In general, we do not use fully automated decision-making in accordance with Article 22 GDPR. If we do use such processes in individual cases, we will inform you of this and of your relevant rights separately, where required by law.
In some cases, we process your data automatically with the goal of analyzing certain personal aspects (profiling). We use profiling, for instance, in the following cases:
- Under statutory and regulatory provisions, we are obligated to do so to fight money laundering, the financing of terrorism and criminal actions that endanger assets. Data analyses are also performed (for instance of payment transactions). These measures also help to protect you.
- We use analytic tools to provide you with targeted information and advising on products. These allow us to communicate with you and show you advertisements on a needs-based basis, including to conduct market and opinion research.
Information on your right to object in accordance with article 21 GDPR case-specific right to object
You have the right to object to the processing of your personal data at any time for reasons related to your specific situation that result from Article 6 para. 1 lit. e GDPR (data processing in the public interest) and Art. 6 para. 1 lit. f GDPR (data processing based on a balancing of interests). This also applies to profiling based on this provision in the sense of Art. 4 no. 4 GDPR. If you submit an objection, we will no longer process your personal data unless we can show mandatory and legitimate grounds for our processing that outweigh your interests, rights, and freedoms, or if processing serves to assert, exercise, or defend against legal claims.
Right to object to data processing for the purposes of direct advertisement
In individual cases, we process your personal data for the purpose of direct advertisement. You have the right to object to the processing of your personal data for the purpose of such advertisements without this resulting in any other costs besides the costs of transmission in accordance with base tariff rates; this also applies to profiling, if it is associated with such direct marketing. If you object to processing for the purpose of direct advertising, we will no longer process your personal data for this purpose.
Recipient of an objection or revocation
The objection or revocation can be sent to the controller or Data Protection Officer, and no formal requirements apply. We request that you use the provided
online form
for this purpose to ensure a smooth and quick process. You can also click the link provided at the end of an informational email you receive. You will not incur any transmission costs besides those in accordance with the base tariff rates.
Updates and changes to this data privacy notice
This Data Privacy Notice was last updated in October of 2022.
We reserve the right to amend this Data Privacy Notice in the future in accordance with applicable data protection laws, and to adjust it to the changing realities of data protection if necessary. We will inform you separately of significant changes to the content.