Principles of data processing at EXPO-IP GmbH

In order to fulfil our information obligations in accordance with Art. 12 et seq. of the General Data Protection Regulation (DSGVO), we are pleased to present our information on data protection below:

Who is responsible for data processing?

The controller within the meaning of data protection law is

EXPO-IP GmbH
represented by the managing directors Ms Barbara Tröller and Mr Martin Schulz
Robert-Bosch-Straße 7
64293 Darmstadt
Tel.: 06151 / 8002181
E-Mail: info@expo-ip.com
Web: expo-ip.com

You will find further information about our company, details of the persons authorised to represent us and also further contact details in the imprint of our website: https://expo-ip.com/impressum/

For what purposes is the processing carried out and on what legal basis is it based?

If we have received personal data (hereinafter also referred to as "data") from you, we will only process this data for the purposes for which we received or collected it.

a) Collection and processing in the course of the performance of contractual obligations

We collect and process personal data within the scope of establishing contact and for the fulfilment of our contractual obligations towards you. We process this data on the legal basis in accordance with Art. 6 Para. 1 lit. b) DSGVO and thus for the purpose of carrying out pre-contractual measures and fulfilling contracts.

b) Processing by virtue of legal obligations or in the public interest

Our company is also subject to legal and regulatory requirements and obligations which we must comply with and which make it necessary to process personal data. The fulfilment of the legal requirements arising in detail requires the processing of personal data, which is permitted under Art. 6 Para. 1 lit. c) DS-GVO to this extent. In addition, the processing of personal data may be in the public interest (Art. 6 (1) (e) DS-GVO), for example, where it is a matter of averting dangers or safeguarding public safety and health.

c) Processing on the basis of a legitimate interest

In addition, we process personal data insofar as this is necessary to safeguard our legitimate interests or the legitimate interests of a third party, unless these are outweighed by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (Art. 6 Para. 1 lit. f) DS-GVO). Third parties are natural or legal persons, public authorities, institutions or other bodies other than you, us, our processors and persons who are authorised to process personal data under our direct responsibility or that of our processors. Processing of the data on the basis of a legitimate interest will take place in particular insofar as this is necessary for the assertion of legal claims and defence in legal disputes; in this respect we assume that our interests outweigh your fundamental rights and freedoms which require the protection of your data.

If we process data on the basis of a balancing of interests, you as the data subject have the right to object to the processing of personal data, taking into account the provisions of Art. 21 DSGVO.

d) Processing based on consent

In addition, personal data is collected and processed if this processing has been expressly agreed to in advance (consent, Art. 6 Paragraph 1 lit. a) DS-GVO). If personal data is processed on the basis of your consent, you have the right to revoke this consent at any time with effect for the future by any means of contact with us. Revocation of consent does not affect the lawfulness of the processing that has taken place on the basis of the consent until revocation.

Data processing for other purposes can only be considered if the necessary legal requirements of Art. 6 para. 4 DSGVO are met. In this case we will, of course, comply with any information obligations pursuant to Art. 13 para. 3 DSGVO and Art. 14 para. 4 DSGVO.

How long is the data stored?

In principle, personal data are processed for as long as necessary to achieve the contractual purposes, i.e. for as long as the contractual relationship exists (Article 6(1)(b) of the DS-GVO). If the processing of personal data is based on consent, it will continue as long as you have not withdrawn your consent for the processing.

After termination of the contractual relationship, the data provided by you may be stored and thus processed in order to comply with statutory storage obligations (Art. 6 Paragraph 1 lit. c) DS-GVO) or on the basis of legitimate interests (Art. 6 Paragraph 1 lit. f) DS-GVO). Legitimate interests may arise in particular from the fact that we must defend ourselves against legal claims, that we must or wish to assert or exercise legal claims ourselves, or that we wish to be in a position to check the existence, content and scope as well as the enforceability of such claims (in these cases the retention period is based on the longest limitation period for the respective possible claims). After expiry of the statutory retention periods and/or once the legitimate interests cease to apply, the data provided will be deleted.

To which recipients will the data be forwarded?

Within the company, your data is received by those departments that need it to fulfil our contractual and legal obligations. Processors employed by us (Art. 28 DS-GVO) may also receive data for these purposes. These are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting and advisory services as well as sales and marketing and address research.

With regard to the transfer of data to recipients outside the company, it should be noted that we only pass on your data if this is permitted or required by law, if you have given your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:

  • Public bodies and institutions (e.g. public prosecutor's office, police, supervisory authorities) if there is a legal or official obligation. 
  • Other companies to which we transfer personal data in order to carry out the business relationship with you (depending on the contract: e.g. banks, credit agencies, suppliers, sales representatives). 

Other data recipients may be those entities for which you have given us your consent to transfer data.

Where is the data processed?

Your personal data will be processed by us exclusively in data centres in the Federal Republic of Germany.

Automated decision making

An automated decision in the sense of Art. 22 DSGVO does not take place.

Your rights as a "data subject"

Any identified or identifiable natural person to whom the data processed by us relates ("data subject") has the following rights:

a) Right to information in accordance with Art. 15 DS-GVO:

Upon request, you have the right to receive information free of charge, in particular whether and what data about you is stored and for what purpose it is stored, to which categories of recipients your personal data has been or will be disclosed and the planned duration for which your personal data is stored.

b) Right of rectification in accordance with Art. 16 DS-GVO:

You have the right to request that your incorrect personal data be corrected immediately. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

c) Right of deletion ("right to be forgotten") in accordance with Art. 17 DS-GVO:

You have the right to demand that your data be deleted immediately. We are obliged to delete personal data immediately if one of the following reasons applies:

  1. The purposes for which the personal data were collected are no longer applicable.
  2. You revoke your consent to the processing and there is no other legal basis for the processing.
  3. You object to the processing and there is no other legal basis for the processing.
  4. The personal data were processed unlawfully.
  5. The deletion of personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which we are subject.
  6. The personal data were collected in relation to information society services offered in accordance with Article 8 (1) of the DS-GVO.

d) Right to restrict processing in accordance with Art. 18 DS-GVO, § 35 BDSG:

You have the right to request the restriction of the processing if one of the following conditions is met:

  1. The correctness of the personal data is doubted by you.
  2. The processing is unlawful, but you oppose the deletion of the data.
  3. The personal data are no longer needed for the purposes of the processing, but you need the data for the assertion, exercise or defence of legal claims.
  4. You have lodged an objection to the processing under Art. 21 Para. 1 DS-GVO. As long as it has not yet been established whether our legitimate reasons outweigh yours, the processing will be restricted.

e) Right to data portability in accordance with Art. 20 DS-GVO:

You have the right to receive the data provided by you in a structured, common and machine-readable format. We may not hinder its transfer to another controller.

f) Right of objection according to Art. 21 DS-GVO:

You have the right to object to the processing of personal data concerning you, which is carried out pursuant to Art. 6 Paragraph 1 letter e) or letter f) of the DS-GVO, in conjunction with Art. 9 Paragraph 2 letter f) DS-GVO for reasons arising from your particular situation. The processing of personal data will be discontinued unless there are compelling reasons worthy of protection for further processing or the processing serves to assert, exercise or defend legal claims. In the case of direct marketing, in the event of an objection to this, the personal data shall not be further processed for these purposes.

g) Right to lodge a complaint with the supervisory authority pursuant to Art. 13 para. 2 lit. d), Art. 77 DS-GVO in conjunction with Art. 19 BDSG:

If you believe that the processing of your data violates the DS-GVO, you have the right to lodge a complaint with the supervisory authority. To do so, please contact the competent supervisory authority.

The authority responsible for us is:

Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Tel.: 0611 / 1408 0, Fax: 0611 / 1408 611
E-Mail: poststelle@datenschutz.hessen.de

h) Revocation of consent in accordance with Art. 7 (3) DS-GVO:

If the processing is based on your consent pursuant to Art. 6 Para. 1 letter a) DS-GVO or Art. 9 Para. 2 letter a) DS-GVO (processing of special categories of personal data), you are entitled at any time to revoke the purpose-bound consent without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. You will not suffer any further disadvantages from the declaration of revocation.

Our data protection officer

We have appointed a data protection officer in our company. You can reach him or her at the following contact details:

Mr. Sascha Weller, Attorney at Law, IDR - Institute for Data Protection Law
Brick Brewing Street 7
85049 Ingolstadt
Phone: 0841 - 885 167 15
Fax: 0841 - 885 167 22
e-mail: ra-weller@idr-datenschutz.de
Web: www.idr-datenschutz.de

As of: February 2020