Data Protection and Privacy Statement

Dussmann Group

A. General provisions

Dussmann Stiftung & Co. KGaA and its affiliates (hereinafter “Dussmann”) take protecting your personal data very seriously and comply with the provisions of the laws on data protection and privacy. Personal data are processed only within the scope necessary for the specific purpose. Our employees have undertaken an obligation to maintain confidentiality and secrecy and to comply with the provisions of data protection and privacy law in accordance with the statutory provisions.

This text explains what information we collect and how this information is used. The text that follows is intended to provide you with information on the purposes for which your data are processed and how you can exercise your rights. You can access and print the Data Protection and Privacy Statement at any time via the “Data Protection” tab at the bottom of each page.

1. Controller

The controller responsible for data processing is

Dussmann Stiftung & Co. KGaA
Friedrichstraße 90, 10117 Berlin, Germany

A list of affiliates is available here. To the extent that you contact our affiliates directly, via the website or otherwise, this company is the controller.

Contact details for our data protection officer:

Dussmann Stiftung & Co. KGaA,
Data Protection Officer
Friedrichstraße 90, 10117 Berlin, Germany
datenschutzbeauftragter @remove-this.dussmann.de
Phone +49 30 2025-0

2. Personal data

“Personal data” means any information relating to an identified or identifiable natural person (for example, your real name, address, or phone number).

“Special categories of personal data” are a specially protected subgroup of personal data described in Article 9 of the General Data Protection Regulation (GDPR). These include data concerning health and biometric data.

In principle, we collect personal data from you directly unless you grant your consent in another way. We process the personal data transmitted electronically by you as well as information that we collect in writing or electronically during your use of our website or during phone conversations with our employees. This takes place only within the scope of performing and managing our services and based on the contact forms filled out by you or other correspondence.

3. Access by third parties to your personal data

We process personal data ourselves and, unless we have expressly ruled this out, also through other affiliates of the Dussmann Group or service provider companies we have commissioned. In the latter two cases, we will ensure that affiliates and/or service provider companies comply with the relevant statutory provisions on data protection and privacy and the obligations arising from this Data Protection and Privacy Statement.

We do not disclose personal data without your consent except to government agencies that are entitled to information and if we are obligated by law or under a court order to do so (point (c) of Article 6(1) GDPR).

Disclosure may also take place pursuant to point (f) of Article 6(1) GDPR where this is necessary for the establishment, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data.

Your data are also disclosed to third parties to the extent that this is permissible by law and necessary pursuant to point (b) of Article 6(1) GDPR for the performance of contracts with you.

4. Recipients of the personal data

Within the scope of the statutory authorities, your personal data may be disclosed in particular to the following categories of recipients:

  • Web analytics service providers
  • IT service providers that process data within the scope of provision of services (for example, for IT maintenance activities, hosting service providers)
  • Document and data destruction service providers, printing service providers
  • Marketing and sales service providers
  • Newsletter and logistics service providers
  • Suppliers of things like materials and services
  • Cooperation partners
  • Payment service providers
  • Credit bureaus and collection agencies
  • Authorized dealers
  • Certified accountants and auditors, tax advisors, advising and consulting firms, insurance companies
  • Other Dussmann companies, if this is necessary in conjunction with an offer, a call for tenders, or preparations for, implementation or finalization of the business relationship
  • Courts, government agencies, legal advisors or arbitral tribunals, to the extent that this is necessary in order to comply with applicable law or for the establishment, exercise or defense of legal claims

Some internal recipients within the group of companies are based in third countries (non-EU countries). Within the group of companies, Dussmann ensures, within the scope of contracts under the law of data protection and privacy based on the standard EU data protection clauses, that your personal data are adequately protected on the recipient’s end as well.

The legal basis for the transfer of data within the group of companies is point (f) of Article 6(1) GDPR. The sharing of data within the group for internal administrative purposes constitutes a legitimate interest (recital 48 of the GDPR). 

Before we transfer your information to third parties, we take suitable measures to ensure that recipients undertake an obligation to comply with applicable data protection and privacy laws and maintain the secrecy of personal data. Where necessary, transmission of data takes place within the scope of an agreement on the processing of data on behalf of another party in order to ensure that data are processed only for the intended purpose and adequate security measures are ensured.  

B. Data processing as a result of visiting our Web pages

1. Categories of data; purposes of and legal bases for data processing

When you visit our Web pages and/or enter into a contract with us via the website, we process your personal data. This processing may include the following data:

  • Last name, first name
  • Address
  • Company name
  • e-mail address
  • Phone/fax number
  • Date and time of inquiry
  • Content of request (specific page)
  • Access status / http status code
  • Volume of data transferred in each case
  • Website from which the request originates
  • Browser type and version
  • Language and version of the browser software
  • IP address and Internet service provider
  • Operating system
  • In the case of mobile devices, possibly the manufacturer/type designation
  • Good/service
  • Bank and credit card information
  • Message/information in the text field

We process these data in order to operate the Web pages (points (b) and (f) of Article 6(1) GDPR), to perform and finalize the contract (point (b) of Article 6(1) GDPR), and for our own advertising purposes (if you grant your consent pursuant to point (a) of Article 6(1) GDPR or on the basis of our legitimate interests pursuant to point (f) of Article 6(1) GDPR). Furthermore, we use these data to fulfill our statutory obligations toward the German state and federal authorities (such as the Finanzamt (Revenue Office) (point (c) of Article 6(1) GDPR). To enter into a contract with you, we require at least your last name and first name and possibly your address in order to identify you uniquely. We are unable to perform the contracts in question without this information. If you voluntarily provide us with additional information at your own request, we process this information on the basis of point (f) of Article 6(1) GDPR.

2. Log files

When you visit our pages, we temporarily store the connection data by default for purposes of system security and stability, to ensure smooth establishment of connections by the website, and for further administrative purposes.

The access logs of the Web servers log which pages have been accessed at what times. They contain the following data: IP address, date, time, pages accessed, logs, status code, data volume, referrer, user agent, host name accessed. The IP addresses are truncated before storage. The truncated IP addresses are erased after 60 days.

Error logs, which log errors that have occurred when pages are accessed, include not only the error messages, but also the IP address accessing the page and, depending on the error, the website accessed. Error logs, which log errors that have occurred when pages are accessed, are erased after seven days.

Access via FTP is logged with pseudonymized information on the user name and IP address. These data are erased after 60 days.

The mail logs for sending e-mails from the Web environment are anonymized after one day. During anonymization, all data on the sender/recipient, etc., are removed. All that remains are the data on the time of sending and the information on how the e-mail was processed (queue ID or not sent). These data are erased after 60 days.

The IP address is used exclusively to the extent that this is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Legitimate interests include the analysis of the data on the use of our website, pursuit of legal claims, investigation of criminal acts, and maintenance of our IT security systems.

The processing takes place on the basis of point (f) of Article 6(1) GDPR. Our legitimate interest arises from the above-listed purposes of collection of data.

3. Contact forms

When you use a contact form on our Web pages, the information you provide (including sex, name, company name, address, e-mail, phone, question or comment) is processed so that we can contact you accordingly, your message can be forwarded to the correct contact person at Dussmann, and you can be contacted by this person.

The legal basis for the processing is point (f) of Article 6(1) GDPR, and to the extent that your inquiry concerns entry into a contract, the legal basis for the processing of the data necessary to this end is point (b) of Article 6(1) GDPR. Our legitimate interest consists in responding to your inquiry.

4. News Alert / Job Alert

Our News Alert or Job Alert automatically notifies you as soon as new posts or new jobs in the business segments and/or companies you have selected that fit your filter criteria are available or posted. All we need from you is a valid e-mail address. When you register to receive the News Alert or Job Alert, your IP address is stored, along with the date and time of registration and your filter criteria. In the case of the Job Alert, the page on which the registration takes place is also stored. These data are used exclusively to send out the messages. This processing takes place on the legal basis of point (a) of Article 6(1) GDPR. You can withdraw your consent at any time with effect for the future by using the contact information stated in the Data Protection and Privacy Statement or via the unsubscribe link contained in every News Alert or Job Alert.

We will store the data we have on file for you for the purpose of receiving the News Alert or Job Alert until you unsubscribe from the News Alert / Job Alert and erase them after that. This does not affect any data that we have stored for other purposes.

5. Cookies, tracking pixels and similar technologies

“Cookies” are small text files, and tracking pixels are small image files, that make it possible to store specific information on your device (PC, laptop, tablet, smartphone or similar) while you visit one of our websites (hereinafter collectively referred to as “cookies”). Cookies help us determine how frequently our websites are used and by what number of users and to make our offerings as comfortable, convenient, and efficient as possible for you. We use both session cookies and persistent cookies on our websites.

It is also possible to use our offerings without cookies. You can deactivate the storage of cookies in your browser, restrict it to certain websites, or adjust your browser settings in such a way that your browser notifies you as soon as a cookie is transmitted. If you do this, however, please note that you should expect the website to be restricted in terms of visual display and user guidance.

The data processed by cookies are necessary for the above-mentioned purposes in order to pursue our legitimate interests and those of third parties. The processing takes place on the basis of point (f) of Article 6(1) GDPR.

6. Google Analytics 

We use Google Analytics, a Web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics makes it possible to generate statistics regarding website use and the sources thereof. The cookies are stored for two years. We use Google Analytics exclusively for statistical purposes, such as to track how many users have clicked on a certain element or a certain piece of information.

The legal basis is our legitimate interests in measuring the reach of our informational offerings in cooperation with our service providers (point (f) of Article 6(1) GDPR) and creating pseudonymous use profiles regarding the use of our website by the visitors to our informational offerings.

Google Analytics is based on cookies. It collects information on your use of our website, including your IP address. To prevent website visitors from being identified based on their IP addresses, we use a special code to ensure that your IP address is disclosed only in truncated, and thus anonymized, form. It is no longer possible to identify individual users based on this truncated IP address. For further information on data protection and privacy in the case of Google Analytics, please click here: https://support.google.com/analytics/answer/2700409?hl=en&ref_topic=2611283.

You can prevent the collection and transfer of data to Google by downloading and installing the plugin available via the following link: https://tools.google.com/dlpage/gaoptout. You can also adjust the settings at https://adssettings.google.com/anonymous?hl=en-GB&sig=ACi0TCgjQOtZZmsnhor-F-jUaLKUXPozB-azrbC60G1nlIid6ZBXp9mJfsSLCyW2C06i4JsWIeRrQw2CyV7laWP2gtjISjDTv8QM7RXXbZBM5xM64a1uc or via the deactivation page operated by NAI (Network Advertising Initiative) at http://www.networkadvertising.org. Finally, you can prevent the storage of cookies via your browser’s general settings.

The term of storage of user and event data associated with cookies, user IDs, and advertising IDs that has been agreed with Google is 14 months.

General information on Google: The information collected by Google Analytics is transferred to Google LLC, which is based in the United States. Google LLC is self-certified under the Privacy Shield in order to ensure adequate protection of your personal data pursuant to EU law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI). Further information on data protection and privacy at Google is available at https://policies.google.com/privacy?hl=de.

 7. Google reCAPTCHA

We use the reCAPTCHA service from Google to determine whether a person or computer makes a particular entry in our contact or newsletter form. This is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google uses the following data to review whether you are a human or a computer: IP address of the device used, the website you visit at our end and on which the Captcha is integrated, the date and duration of your visit, the identification data of the browser and operating system type used, the Google account if you are logged in to Google, mouse movements on the reCAPTCHA areas, click and keyboard actions, and tasks in which you are required to identify pictures. In some cases, you are required to take action by clicking and selecting images (reCAPTCHA Version 2), while in others, identifying you as a human takes place solely on the basis of your prior interaction with our website (reCAPTCHA Version 3).

The legal basis for the data processing described is point (f) of Article 6(1) GDPR. We have a legitimate interest in this data processing in order to ensure the security of our website and protect ourselves from automated entries or attacks.

Within the scope of the use of Google reCAPTCHA, personal data may also be transferred to the servers of Google LLC in the United States. Google LLC is certified for the EU-U.S. “Privacy Shield” agreement on data protection and privacy (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), which ensures compliance with the level of data protection applicable in the EU. You can view Google’s privacy policy here: https://policies.google.com/privacy

8. Use of Google Maps

This website uses Google Maps to display maps and generate driving directions. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Our legitimate interest in the use of Google Maps consists in providing visitors with information about our sites. The legal basis for the data processing described is point (f) of Article 6(1) GDPR.

The cooperation with Google from the standpoint of data protection and privacy law takes place on the basis of a contract entered into with regard to the parties’ joint status as controllers pursuant to Article 26 GDPR, which is accessible at the following URL: https://cloud.google.com/maps-platform/terms/maps-controller-terms/.

When subpages where Google Maps is incorporated are accessed, information on your use of our website (such as your IP address) is transferred to servers of Google and stored there.  As part of this process, personal data may also be transferred to the servers of Google LLC in the United States. In the event of transfer of personal data to Google LLC, which is based in the United States, Google LLC has obtained certification under the EU-U.S. “Privacy Shield” data protection and privacy agreement (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), which ensures compliance with the level of data protection applicable in the EU.

In the event that you do not agree to the future transfer of your data to Google, you can entirely deactivate the Google Maps Web service by turning off the JavaScript application in your browser. It will then no longer be possible to use Google Maps, and thus the map display feature on our website.

C. Data processing in interaction with business partners

The processing of data in the context of interaction with business partners is subject to the Dussmann Group data protection statement for business partners. A list of affiliates is available here.

D. Data processing during the application process

The application processes is subject to the data protection statement for applications. A list of affiliates is available here.

E. Further information

1. Duration of storage of data

Where no express duration of storage is stated when the data are collected (for example within the scope of a declaration of consent) or within this Data Protection and Privacy Statement, personal data are erased to the extent that they are no longer necessary in order to fulfill the purpose for which they are stored, except where statutory storage obligations (such as obligations of storage under commercial and tax law) conflict with the erasure thereof.

To the extent that we store personal data exclusively to fulfill storage obligations, these data are typically blocked, with the result that access thereto is possible only if it is necessary with an eye to the purpose of the obligation of storage.

2. Security

We take all necessary technical and organizational security measures to protect your personal data from loss and abuse. Your data are stored in a secure operational environment that is not accessible to the public. SSL or TLS encryption is used on all websites. Your data are encrypted directly during transfer. For security reasons, we will refrain from providing any further information here.

3. Rights of data subjects

Withdrawal of consent

To the extent that you have granted your consent to the processing of personal data, you can withdraw it at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, we will erase the data in question without delay to the extent that there is no legal basis for processing thereof that does not require consent that can be used as the basis for further processing. You can send your withdrawal to hotline @remove-this.dussmann.de or datenschutzbeauftragter @remove-this.dussmann.de, or, alternatively, by mail to Dussmann Stiftung & Co. KGaA, Friedrichstraße 90, 10117 Berlin, Germany.

Further rights

You can assert your rights toward the national branch of the Dussmann Group in your country in each case. For the names and addresses of the controller responsible in each case, please see the list of affiliates at https://www.dussmanngroup.com/verbundene-unternehmen/ or the legal notice of the relevant national branch.

You have the right to obtain from the relevant controller within the Dussmann Group confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to these personal data and the specific information enumerated in Article 15 GDPR.

You have the right to obtain from the relevant controller without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed (Article 16 GDPR).

You have the right to obtain from the relevant controller the erasure of personal data concerning you without undue delay where one of the specific grounds enumerated in Article 17 GDPR applies, for example if the data are no longer needed for the purposes pursued (right to erasure).

You have the right to obtain from the relevant controller restriction of processing where one of the prerequisites enumerated in Article 18 GDPR applies, for example if you have lodged an objection to the processing.

You have the right to receive the personal data concerning you that you have provided to us in a commonly used and machine-readable format and the right to have the relevant controller transmit those data to another controller (right to data portability, Article 20 GDPR) to the extent that this is feasible in technical terms.

If your personal data have been transferred to a country outside the EU that does not provide an appropriate level of protection, we typically enter into a contract that ensures appropriate protection of personal data. If certification under the EU-US Privacy Shield serves as a guarantee of an appropriate level of protection, a link to prove certification is already indicated above in the case of each service provider. In addition, we use standard data protection clauses accessible via the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. The controller will then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).

You can object to the use of your data for direct marketing purposes at any time without any further considerations.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Article 77 GDPR). You can exercise this right with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. For example, the supervisory authority with jurisdiction over Dussmann Stiftung & Co. KGaA in Berlin is the Berlin State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Berlin), Friedrichstr. 219, 10969 Berlin, Germany. You can also contact a different supervisory authority at any time. For the relevant controllers responsible in your Member State outside Germany, you can contact the authority with jurisdiction there.

An overview of further national and international data protection authorities is available here.

4. Changes to this Data Protection and Privacy Statement

To ensure that the information we provide on data protection and privacy is always in keeping with the current statutory specifications, we reserve the right to make changes at any time. This also applies in the event that the information on data protection and privacy requires adjustment due to new or revised offerings or services.

Should you have any questions or suggestions concerning this Data Protection and Privacy Statement, please feel free to contact us. We are delighted that you entrust your data to us.
Last updated: January 16, 2020