Data processing notice for customers as per Article 13, 14, 21 GDPR

Personal data is required for the purpose of communication, exchanging information and services, fulfilling contractual matters and other purposes associated with a new or existing business relationship.

1. Controller

The controller for data processing is BESTMINDS GmbH. The company is represented by the managing director: Christian Männlin. The controller and its representatives can be contacted at:

Address: Maximilianstraße 2, D-79100 Freiburg
Phone: +49 761 888 51 23 0
Email: info@bestminds.de
Website: www.bestminds.de/en/

2. Data protection officer

BESTMINDS GmbH has assigned the following external data protection officer:

Solicitor Marc E. Evers
DataSEKure Rechtsanwaltsgesellschaft mbH
Weilerstraße 9
79252 Stegen
Tel.: +49 7661 97 29 10
Email: datenschutz@datasekure.de

3. Categories of personal data

The following personal data of clients and employees of clients may be processed, provided the data has actually been collected:

  • surname, first name, gender
  • date and place of birth
  • signature
  • photos
  • telephone number, fax number, email address
  • business address and contact information
  • job title, company name, department, position
  • time and attendance, e.g. when attending events
  • other data provided in connection with the contractual relationship

The personal data processed does not originate from public sources. The data being processed originates directly from the client's domain.

4. Legal basis for processing personal data

The legal basis is the following permission as per Article 6(1) General Data Protection Regulation (GDPR):

  • Article 6(1)(a) GDPR (client's consent),
  • Article 6(1)(b) GDPR (fulfilling a contract with the client),
  • Article 6(1)(c) GDPR (fulfilling a legal obligation to which we are bound),

and/or

  • Article 6(1)(f) GDPR (protecting our legitimate interest or that of a third party, where this is not overridden by the interests and basic rights of the client).

5. Purpose of data processing and data storage

Data is collected, processed and used for the purpose of customer relationship management, billing, communicating with the client and fulfilling and maintaining the contractual relationship.

We store the collected data on our in-house IT and physically in the departments. If data is relocated, e.g. to the cloud, we will notify the respective customer separately. We use organisational and technical safeguards in compliance with the law to protect the collected personal data against unauthorised access.

6. Who receives the personal data?

Individual personal data is disclosed to the data processing companies we have contracted (e.g. IT service providers; shredders).

Apart from this, personal data will only be transmitted as required by the law.

We only disclose your personal data to third parties:

  • with the customer's express consent (Article 6(1)(a) GDPR),
  • where necessary to fulfil contractual relationships with the customer (Article 6(1)(b) GDPR),
  • where we are legally obligated to disclose the data (Article 6(1)(c) GDPR),
  • where processing is necessary to protect the vital interests of a customer's employee or other natural person (Article 6(1)(d) GDPR),
  • or where disclosure is necessary to protect our legitimate interests or those of a third party except if the customer has an overriding legitimate interest not to have the data disclosed. It is our legitimate interest to maintain the performance and profitability of our company (Article 6(1)(f) GDPR).

7. Data transmission to third-party countries

We do not intend to transmit the personal data of our customers to a third-party country or international organisation.

8. Security of processing

Our company has implemented suitable technical and organisational measures to ensure data is secure, including company policies and, in the case of commissioned data processing, contract stipulations with the external service provider.

9. Retention period for personal data

The customer's stored personal data is stored for the time required to process the general contact request or the respective request for information or to fulfil the contracts with the customer. Data is only stored so long as it is required to fulfil the respective purpose. Once the processing or the contract relationship has come to an end or the customer exercises their rights below, the customer's data is handled in compliance with the exercised right and, where applicable, erased unless statutory provisions stipulate longer retention periods.

Once these retention periods, particularly retention periods under tax and commercial law, have expired, the customer's personal data is always erased.

Data is erased as part of our defined erasure routine. We have implemented an internal erasure concept.

10. Records of processing activities

The respective processing activity for personal data is logged in so-called records of processing activities.

11. The customer has the following data subject rights:

  • as per Article 7(3) GDPR to at any time withdraw the consent they have given us. As a result, data processing based on this consent must be discontinued;
  • as per Article 15 GDPR to request information about the personal data processed by us;
  • as per Article 16 GDPR to request the prompt correction or completion of personal data we have stored;
  • as per Article 17 GDPR to request the erasure of personal data we have stored unless processing is required to exercise the right to free expression and information, to fulfil a legal obligation, for reasons in the public interest, or to assert, exercise, or defend legal claims;
  • as per Article 18 GDPR to request the restriction of the processing of personal data subject to the requirements specified in the article;
  • as per Article 20 GDPR to obtain the personal data we have been provided in a structured, common and machine-readable format or to request the transmission of the data to another controller subject to the requirements in the article;
  • as per Article 77 GDPR to lodge a complaint with a supervisory authority. The competent supervisory authority for us is: Landesbeauftragte für den Datenschutz Baden-Württemberg, Dr. Stefan Brink, Königstraße 10 a, 70173 Stuttgart, Phone: +49 711 615 54 10.

12. Right to object:

If processing personal data is based on a balance of interests, the customer can object to processing as per Article 21 GDPR. When objecting, please provide the reasons why we should not process the personal data as we have done. If the objection is justified, we will investigate the situation and will either stop or modify data processing or present the customer with our compelling legitimate reasons for continuing to process data.

13. Notice of automated decision-making including profiling as per Article 22 (1) and (4) GDPR

We do not use automated decision-making or profiling. In the event that these methods are used, the customer will be notified separately.

14. No obligation to provide data

Customers are not required by law to provide us with personal data. However, if the data necessary for the conclusion and fulfilment of the contract and the data which must be collected by law is not provided, we will typically not be able to enter into the contract.